Bug 1573671 - Upgrade to freeipa-server-4.6.90.pre1-6.1.fc28.x86_64 breaks DNS-less configuration (/etc/named.conf missing)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-01 22:10 UTC by James
Modified: 2018-05-16 13:07 UTC (History)

Fixed In Version: freeipa-4.6.90.pre1-7.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-16 13:07:04 UTC
Type: Bug


Description James 2018-05-01 22:10:02 UTC
Description of problem:
Upgrading to F28 with freeipa-server-4.6.90.pre1-6.1.fc28.x86_64 has broken my FreeIPA installation, which was done without DNS, no NTP and using an external CA.

Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre1-6.1.fc28.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Upgrade to F28.
2. Reboot.

Actual results:
Hosed FreeIPA server. krb5kdc refuses to start.

From /var/log/ipaupgrade.log:


2018-05-01T21:58:55Z INFO DNS is not configured
2018-05-01T21:58:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-01T21:58:55Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2018-05-01T21:58:55Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1985, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1814, in upgrade_configuration
    named_add_crypto_policy(),
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 916, in named_add_crypto_policy
    if bindinstance.named_conf_include_exists(policy_file):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 220, in named_conf_include_exists
    with open(paths.NAMED_CONF, 'r') as f:

2018-05-01T21:58:55Z DEBUG The ipa-server-upgrade command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/named.conf'
2018-05-01T21:58:55Z ERROR [Errno 2] No such file or directory: '/etc/named.conf'
2018-05-01T21:58:55Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information


Expected results:
FreeIPA not broken.

Comment 1 James 2018-05-01 22:26:37 UTC
OK, found the bug. Look in /usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py at the named_add_crypto_policy() function. All its neighbour functions use bindinstance.named_conf_exists() and bind.is_configured() to first check bind is configured.

I modified named_add_crypto_policy() to read:


def named_add_crypto_policy():
    """Add crypto policy include
    """
    if not bindinstance.named_conf_exists() or not bind.is_configured():
        # DNS service may not be configured
        logger.info('DNS is not configured')
        return False
    # ... rest of the function as before ...


and the upgrade worked. FreeIPA now working as before.
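
The guard described in Comment 1, as an added example that is not part of the original comment and is not FreeIPA's code: the unguarded step fails on a DNS-less layout, while the guarded one skips cleanly and stays idempotent once a named.conf exists. The function names, the `dns_configured` flag and the sample policy path are assumptions, and a temporary directory stands in for /etc.

```python
import os
import tempfile

def include_exists(named_conf, policy_file):
    """Return True if named_conf already has an include line for policy_file."""
    with open(named_conf, "r") as f:  # FileNotFoundError if BIND was never set up
        return any(
            line.strip().startswith("include") and policy_file in line
            for line in f)

def add_crypto_policy_unguarded(named_conf, policy_file):
    """Shape of the failing step: touches named.conf unconditionally."""
    if include_exists(named_conf, policy_file):
        return False
    with open(named_conf, "a") as f:
        f.write('include "%s";\n' % policy_file)
    return True

def add_crypto_policy_guarded(named_conf, policy_file, dns_configured):
    """Same step behind the precondition check proposed in Comment 1."""
    if not os.path.exists(named_conf) or not dns_configured:
        return False  # DNS-less server: nothing to change, and not an error
    return add_crypto_policy_unguarded(named_conf, policy_file)

def run_demo():
    """Run both variants against a DNS-less and then a DNS-enabled layout."""
    policy = "/etc/crypto-policies/back-ends/bind.config"  # sample value (assumption)
    results = {}
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "named.conf")  # constructed path, file absent
        try:
            add_crypto_policy_unguarded(conf, policy)
            results["unguarded_dnsless"] = "ok"
        except FileNotFoundError:
            results["unguarded_dnsless"] = "FileNotFoundError"
        results["guarded_dnsless"] = add_crypto_policy_guarded(conf, policy, False)
        with open(conf, "w") as f:  # now simulate a server with DNS configured
            f.write('options { directory "/var/named"; };\n')
        results["guarded_first_run"] = add_crypto_policy_guarded(conf, policy, True)
        results["guarded_second_run"] = add_crypto_policy_guarded(conf, policy, True)
    return results

if __name__ == "__main__":
    print(run_demo())
```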

Comment 2 Alexander Bokovoy 2018-05-02 07:33:38 UTC
Yes, this is fixed upstream with https://pagure.io/freeipa/issue/4853. We are planning to do another upstream freeipa release once blocker bugs in NSS and Dogtag are fixed.

Meanwhile, I'll add the patch from https://pagure.io/freeipa/issue/4853 to the F28 build as I need anyway to bump slapi-nis dependency.

Comment 3 Fedora Update System 2018-05-08 06:12:39 UTC
slapi-nis-0.56.2-6.fc28, freeipa-4.6.90.pre1-7.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a22497315b

Comment 4 Fedora Update System 2018-05-10 01:28:57 UTC
freeipa-4.6.90.pre1-7.fc28, slapi-nis-0.56.2-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a22497315b

Comment 5 Fedora Update System 2018-05-16 13:07:04 UTC
freeipa-4.6.90.pre1-7.fc28, slapi-nis-0.56.2-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

