If you install a clean Fedora 32 and deploy it as a FreeIPA server, then upgrade to Fedora 33, ipa.service fails to start. Logs show this error: Aug 24 09:50:33 ipa001 server[1380]: SEVERE: Begin event threw exception Aug 24 09:50:33 ipa001 server[1380]: java.lang.UnsupportedClassVersionError: com/netscape/cms/tomcat/PKIListener has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0 Discussion from IRC: <ab> looks like there is a need to change the jre link before starting? <cipherboy> ab: Yeah saw that already. Looks like we'll have to migrate /etc/sysconfig/tomcat.conf to JDK11 on upgrade. <ab> yeah Proposing as a Beta blocker as a clear violation of "It must be possible to successfully complete a direct upgrade from a fully updated installation of each of the last two stable Fedora Server releases with the system configured as a FreeIPA domain controller..." - https://fedoraproject.org/wiki/Fedora_33_Beta_Release_Criteria#Server_upgrade_requirements
We have +3 blocker in the ticket - https://pagure.io/fedora-qa/blocker-review/issue/34 - so marking accepted.
Ping - can we please get this addressed, if we know what's needed? It's a bit annoying because this test runs in the update test set, so every single F33 update tested by openQA currently gets a failure in this test.
This is currently being discussed upstream here: https://github.com/dogtagpki/pki/pull/532 Current hold-up is addressing upgrading systemd unit files; migration currently happens at service start time, which is too late to migrate the environment files loaded by systemd. We're looking to upgrade systemd unit files instead during RPM time. The current code in that PR does so and I'm running tests before pushing to Fedora.
I see this got merged upstream now; are we ready for a downstream build?
We've agreed to do a f33/f34 build prior to getting final exception in Fedora for r8.3. This means we'll need to rebuild f31->f34 later with that fix, but also won't hold up f33 beta. commit 1fd3016c39e1c0aadd4f892051417011786a0f8f (HEAD -> v10.9, upstream/v10.9, origin/v10.9) Author: Alexander Scheel <ascheel> Date: Thu Sep 3 12:32:57 2020 -0400 Keep JAVA_HOME in tomcat.conf Despite the name tomcat.conf, this is also the main configuration file loaded by instances. Instances (especially pkispawn) expect config to be only the Tomcat configuration, despite loading configuration from the environment as well. Eventually, we should migrate all of this to use the global configuration rather than the per-instance configuration. Signed-off-by: Alexander Scheel <ascheel> commit 9f9ef6301b67c9e0b917db80c686831462d9236a Author: Alexander Scheel <ascheel> Date: Mon Aug 24 14:54:23 2020 -0400 Migrate JAVA_HOME in instance configuration When we upgrade from F32 to F33, we need to be able to upgrade JAVA_HOME to set it to the new value. This value will also change on F32 (from a JDK8-specific path to a generic path). This requires migration to happen on subsystem start. This means that the recommended way to configure JAVA_HOME to a value OTHER then what's shipped in /usr/.../pki.conf becomes to set it in /etc/.../pki.conf, and means that /etc/sysconfig/tomcat.conf gets rewritten each time. Signed-off-by: Alexander Scheel <ascheel>
FEDORA-2020-2bef864cab has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2bef864cab
Upstream also merged a commit to switch to JDK8 JAR level everywhere; this will get pulled in in a later update.
What's broken without that?
Perhaps any external plugins and customizations to Dogtag? Unlikely that Fedora deployments have any of those. It is mostly just an alternative way of ensuring that this problem gets addressed somehow (anyone wishing to stay on JDK8 for whatever reason theoretically could). But we did move to JDK11 so there's that. Since RHEL 8 still requires JDK8, it also ensures we don't ship random JDK-11 only stuff in the future without knowing it.
FEDORA-2020-2bef864cab has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2bef864cab` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2bef864cab See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Alex: OK, thanks. Good news, this update makes the FreeIPA 32-33 upgrade test pass reliably, so woot for that.
FEDORA-2020-2bef864cab has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.