Description of problem:
Upgrading to F28 with freeipa-server-4.6.90.pre1-6.1.fc28.x86_64 has broken my FreeIPA installation, which was done without DNS, no NTP and using an external CA.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Upgrade to F28.
Hosed FreeIPA server. krb5kdc refuses to start.
2018-05-01T21:58:55Z INFO DNS is not configured
2018-05-01T21:58:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-01T21:58:55Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2018-05-01T21:58:55Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1985, in upgrade
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1814, in upgrade_configuration
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 916, in named_add_crypto_policy
File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 220, in named_conf_include_exists
with open(paths.NAMED_CONF, 'r') as f:
2018-05-01T21:58:55Z DEBUG The ipa-server-upgrade command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/named.conf'
2018-05-01T21:58:55Z ERROR [Errno 2] No such file or directory: '/etc/named.conf'
2018-05-01T21:58:55Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
FreeIPA not broken.
OK, found the bug. Look in /usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py at the named_add_crypto_policy() function. All its neighbour functions use bindinstance.named_conf_exists() and bind.is_configured() to first check bind is configured.
I modified named_add_crypto_policy() to read:
def named_add_crypto_policy():
    """Add crypto policy include
    """
    if not bindinstance.named_conf_exists() or not bind.is_configured():
        # DNS service may not be configured
        logger.info('DNS is not configured')
        return False
    (... rest of the function as before ...)
and the upgrade worked. FreeIPA now working as before.
Yes, this is fixed upstream with https://pagure.io/freeipa/issue/4853. We are planning to do another upstream freeipa release once blocker bugs in NSS and Dogtag are fixed.
Meanwhile, I'll add the patch from https://pagure.io/freeipa/issue/4853 to the F28 build as I need anyway to bump slapi-nis dependency.
slapi-nis-0.56.2-6.fc28 freeipa-4.6.90.pre1-7.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a22497315b
freeipa-4.6.90.pre1-7.fc28, slapi-nis-0.56.2-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a22497315b
freeipa-4.6.90.pre1-7.fc28, slapi-nis-0.56.2-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.