1666843 – ipa-replica-manage force-sync --from keeps prompting "No status yet"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1666843 - ipa-replica-manage force-sync --from keeps prompting "No status yet"

Summary: ipa-replica-manage force-sync --from keeps prompting "No status yet"

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-16 17:48 UTC by anuja
Modified:	2019-08-06 13:09 UTC (History)
CC List:	19 users (show)
Fixed In Version:	ipa-4.6.5-2.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-06 13:09:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
logs. (966.05 KB, application/gzip) 2019-01-16 17:50 UTC, anuja	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:2241	0	None	None	None	2019-08-06 13:09:46 UTC

Description anuja 2019-01-16 17:48:31 UTC

Description of problem:
ipa-replica-manage force-sync --from  keeps prompting "No status yet"

Version-Release number of selected component (if applicable):

389-ds-base-1.3.7.5-28.el7_5.x86_64
sssd-ipa-1.16.0-19.el7_5.8.x86_64
ipa-server-4.5.4-10.el7_5.4.4.x86_64

How reproducible:
Always

Steps to Reproduce:
1.Install ipa-server with replica
On replica
1. ipa topologysegment-find domain
2. ipa topologysegment-reinitialize domain segment-name --right / left
3. ipa-replica-manage -p Secret123 force-sync --from ipa-server


Actual results:
Keeps prompting No status yet

Expected results:
This should be successful. 
Or it should display valid error.

Additional info:
also reproduce-able on :
ipa-server-4.6.4-10.el7.x86_64

Comment 3 anuja 2019-01-16 17:50:15 UTC

Created attachment 1521095 [details]
logs.

Comment 5 Florence Blanc-Renaud 2019-01-18 13:40:17 UTC

I was able to reproduce the same issue. Moving issue to 389-ds as it seems a replication issue.

Comment 6 mreynolds 2019-01-18 14:45:31 UTC

This is marked a regression, so what DS version was working?  Looking at the changelog for 7.5 I do not see any replication changes that were made in a very long time.

I also don't see any problems in the DS logs.  Not sure why the ipa tool is "misbehaving".  Someone more familiar with IPA needs to look into this...

Comment 7 Rob Crittenden 2019-01-18 14:56:02 UTC

What ipa does in this case is it sets the nsds5replicaupdatescheduleto 2358-2359 0 and then deletes that schedule. Then it reads the agreement and examines nsds5BeginReplicaRefresh and nsds5ReplicaLastInitStatus.

In this case there is no nsds5BeginReplicaRefresh and no nsds5ReplicaLastInitStatus so it is looping waiting for either to appear.

Comment 8 mreynolds 2019-01-18 15:58:17 UTC

(In reply to Rob Crittenden from comment #7)
> What ipa does in this case is it sets the nsds5replicaupdatescheduleto
> 2358-2359 0 and then deletes that schedule. 

What is the purpose of this?  To wake up the agreement?

> Then it reads the agreement and
> examines nsds5BeginReplicaRefresh and nsds5ReplicaLastInitStatus.
> 
> In this case there is no nsds5BeginReplicaRefresh and no
> nsds5ReplicaLastInitStatus so it is looping waiting for either to appear.

In the errors log I do see 5 successful initializations.  So it is working, but not sure why the status attributes are not updated.  

Is there a system I can look at where this currently happening?   I did try to look at the beaker boxes listed in comment 4 but I don't know the root password.

Comment 9 Rob Crittenden 2019-01-18 16:00:33 UTC

(In reply to mreynolds from comment #8)
> What is the purpose of this?  To wake up the agreement?

Exactly.

Comment 10 anuja 2019-01-21 06:54:41 UTC

(In reply to mreynolds from comment #6)
> This is marked a regression, so what DS version was working?  Looking at the
> changelog for 7.5 I do not see any replication changes that were made in a
> very long time.
> 
> I also don't see any problems in the DS logs.  Not sure why the ipa tool is
> "misbehaving".  Someone more familiar with IPA needs to look into this...

There is test which checks ipa-replica-manage force-sync works or not.  
This was randomly observed in previous version during upgrade jobs.
After rerunning we got successful run in upgrade job.
http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2019/01/32915/3291597/6397118/86858538/TESTOUT.log

Additional info: 
Before running ipa-replica-manage -p force-sync --from 
Instead of ipa topologysegment-reinitialize domain --right
If we use :
ipa-replica-manage -p re-initialize --from
We got successful run with no random failures.

Comment 11 Rob Crittenden 2019-01-21 07:53:14 UTC

This is a different command though. Re-initialize drops the current database and re-loads the entire database. force-sync just forces replication to wake-up.

Comment 17 mreynolds 2019-02-28 18:17:58 UTC

I could reproduce the issue, here are my results...

On the REPLICA I ran:

    ipa topologysegment-reinitialize domain segment-name --right

This causes REPLICA to reinit MASTER, and this does set nsds5replicaLastInitStatus in REPLICA's replication agreement (but not on MASTER of course)

Then when I run:

     ipa-replica-manage -p Secret123 force-sync --from MASTER_HOSTNAME

I see the error message "No status yet", but the tool is querying MASTER - which was not initialized from the first command so it does not have the nsds5replicaLastInitStatus attribute.  Now "force-sync" would not update nsds5replicaLastInitStatus anyway from my understanding (it just wakes the agreement up), so checking nsds5replicaLastInitStatus after doing "force-sync" is not correct.

Another observation I made is that after you restart DS the attribute nsds5replicaLastInitStatus is silently stripped from the replication agreement entries.  I do not know if that is how it always worked or not (needs more testing to see if that is a change in behavior).  If it is a change in behavior then that explains why the IPA tool was accidentally working before, but it was not giving you the actual status.

So there could be bugs in both DS and IPA on this one.

Comment 18 mreynolds 2019-02-28 18:45:37 UTC

Follow up to the DS issue, turns out we do not and never did store the init and update status attributes in the agreement.  They are in memory only, and that's why they reset after a restart.  So now this just looks like a logic flaw in the IPA tool.

Comment 19 Rob Crittenden 2019-02-28 19:09:36 UTC

I don't dispute that there could be a bug in IPA but this code is more or less unchanged since 2013.

Comment 20 mreynolds 2019-02-28 20:23:49 UTC

(In reply to Rob Crittenden from comment #19)
> I don't dispute that there could be a bug in IPA but this code is more or
> less unchanged since 2013.

But, like I said if the server is restarted the last init attributes are removed.  So if the test was run "before" master was restarted the tool would have reported success (even though looking at the last init status attribute has nothing to do with forcing updates to be sent).  So the issue here is the order in which things are done.  From looking at the IPA code it looks like "force-sync" should not call check_repl_init(), but instead call check_repl_update().

Comment 25 Florence Blanc-Renaud 2019-03-18 15:51:49 UTC

The issue appeared in RHEL 7.5 but was not present on RHEL 7.4, so it is indeed a regression.

ipa-replica-manage has been modified when fixing https://pagure.io/freeipa/issue/7211, and the fix introduced a call to  repl.wait_for_repl_init in the force_sync method of install/tools/ipa-replica-manage. wait_for_repl_init is calling check_repl_init, which is reading nsds5BeginReplicaRefresh nsds5replicaUpdateInProgress nsds5ReplicaLastInitStatus nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd on the --from node.

See commit https://pagure.io/freeipa/c/b83073d288292d2f2cc09d480bf90c7d5208111c on branch ipa-4-5, and commit https://pagure.io/freeipa/c/a3b0af387f8e3c67f1b223869d3f540989eb2f43 on branch ipa-4-6

Hence moving the BZ to ipa.

Comment 29 Florence Blanc-Renaud 2019-03-22 14:47:01 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7886

Comment 30 Christian Heimes 2019-03-25 12:57:36 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/6e8d38caa8926deedc8cfc5dc113444431d94051
ipa-4-7:
https://pagure.io/freeipa/c/6856b17fe9358a98f1bce8591d024847e4a97f21

Comment 31 Florence Blanc-Renaud 2019-03-27 08:43:26 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/36628f68fce364854f9789bb0339307e2e0d417a

Comment 33 Mohammad Rizwan 2019-05-15 08:41:41 UTC

Version:


Steps:
Install ipa-server with replica

On replica:
1. ipa topologysegment-find domain
2. ipa topologysegment-reinitialize domain segment-name --left
3. ipa-replica-manage -p Secret123 force-sync --from ipa-server


Actual results:
[root@master ~]# ipa topologysegment-reinitialize domain master.testrelm.test-to-replica.testrelm.test --right
-------------------------------------------------------------------------------------------
Replication refresh for segment: "master.testrelm.test-to-replica.testrelm.test" requested.
-------------------------------------------------------------------------------------------
[root@master ~]#
[root@master ~]# ipa-replica-manage -p Secret123 force-sync --from master.testrelm.test
[root@master ~]# echo $?
0

[root@master ~]# ipa topologysegment-reinitialize domain master.testrelm.test-to-replica.testrelm.test --left
-------------------------------------------------------------------------------------------
Replication refresh for segment: "master.testrelm.test-to-replica.testrelm.test" requested.
-------------------------------------------------------------------------------------------
[root@master ~]#
[root@master ~]# ipa-replica-manage -p Secret123 force-sync --from master.testrelm.test
[root@master ~]# echo $?
0

[root@master ~]# cat /var/log/ipa/cli.log
2019-05-15T08:35:07Z    7059    MainThread      ipaserver.install.replication   INFO    Setting agreement cn=meToreplica.testrelm.test,cn=replica,cn=dc\=testrelm\,dc\=test,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2019-05-15T08:35:08Z    7059    MainThread      ipaserver.install.replication   INFO    Deleting schedule 2358-2359 0 from agreement cn=meToreplica.testrelm.test,cn=replica,cn=dc\=testrelm\,dc\=test,cn=mapping tree,cn=config
2019-05-15T08:35:09Z    7059    MainThread      ipaserver.install.replication   INFO    Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update succeeded: start: 0: end: 0

Command succeed, hence based on above observations, marking the bug as verified.

Comment 35 errata-xmlrpc 2019-08-06 13:09:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

Note You need to log in before you can comment on or make changes to this bug.