Bug 1871990 - FreeIPA server upgrade from Fedora 32 or Fedora 31 fails with java.lang.UnsupportedClassVersionError
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-core
Version: 33
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa AcceptedBlocker
Depends On:
Blocks: BetaBlocker, F33BetaBlocker
Reported: 2020-08-24 19:25 UTC by Adam Williamson
Modified: 2020-09-10 20:29 UTC (History)

Fixed In Version: pki-core-10.9.2-3.fc33
Last Closed: 2020-09-10 20:29:17 UTC
Type: Bug


Description Adam Williamson 2020-08-24 19:25:14 UTC
If you install a clean Fedora 32 and deploy it as a FreeIPA server, then upgrade to Fedora 33, ipa.service fails to start. Logs show this error:

Aug 24 09:50:33 ipa001 server[1380]: SEVERE: Begin event threw exception
Aug 24 09:50:33 ipa001 server[1380]: java.lang.UnsupportedClassVersionError: com/netscape/cms/tomcat/PKIListener has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

Discussion from IRC:

<ab> looks like there is a need to change the jre link before starting?
<cipherboy> ab: Yeah saw that already. Looks like we'll have to migrate /etc/sysconfig/tomcat.conf to JDK11 on upgrade.
<ab> yeah

Proposing as a Beta blocker as a clear violation of "It must be possible to successfully complete a direct upgrade from a fully updated installation of each of the last two stable Fedora Server releases with the system configured as a FreeIPA domain controller..." - https://fedoraproject.org/wiki/Fedora_33_Beta_Release_Criteria#Server_upgrade_requirements
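
Added example, not part of the original report or of the pki-core code: a small triage helper that decodes the UnsupportedClassVersionError line quoted in the description into Java release numbers and checks a class-file header against what a given runtime accepts. The function names and the 8-byte header are constructed for illustration; the log line is the one from the description.

```python
import re
import struct

# Log line copied from the bug description.
LOG_LINE = (
    "Aug 24 09:50:33 ipa001 server[1380]: java.lang.UnsupportedClassVersionError: "
    "com/netscape/cms/tomcat/PKIListener has been compiled by a more recent version "
    "of the Java Runtime (class file version 55.0), this version of the Java Runtime "
    "only recognizes class file versions up to 52.0"
)

# Constructed sample: the first 8 bytes of a class file built for Java 11
# (magic 0xCAFEBABE, minor 0, major 55).
HEADER = b"\xca\xfe\xba\xbe\x00\x00\x00\x37"

ERR = re.compile(
    r"UnsupportedClassVersionError: (\S+) has been compiled"
    r".*?class file version (\d+)\.\d+.*?up to (\d+)\.\d+"
)

def java_release(major):
    """Class-file major version = Java feature release + 44 (52 is 8, 55 is 11)."""
    return major - 44

def class_file_major(data):
    """Read the major version from a class-file header: u4 magic, u2 minor, u2 major."""
    if len(data) < 8:
        raise ValueError("truncated class file header")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major

def diagnose(log_line):
    """Return the class name, the Java release it needs, and the release that ran it."""
    m = ERR.search(log_line)
    if m is None:
        return None
    return {
        "class": m.group(1),
        "needs_java": java_release(int(m.group(2))),
        "runtime_java": java_release(int(m.group(3))),
    }

def loadable(class_bytes, runtime_max_major):
    """True if a runtime accepting up to runtime_max_major can load this class."""
    return class_file_major(class_bytes) <= runtime_max_major

if __name__ == "__main__":
    print(diagnose(LOG_LINE))
    print("loads on Java 8 runtime:", loadable(HEADER, 52))
```
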

Comment 1 Adam Williamson 2020-08-28 17:51:45 UTC
We have +3 blocker in the ticket - https://pagure.io/fedora-qa/blocker-review/issue/34 - so marking accepted.

Comment 2 Adam Williamson 2020-08-28 21:14:04 UTC
Ping - can we please get this addressed, if we know what's needed? It's a bit annoying because this test runs in the update test set, so every single F33 update tested by openQA currently gets a failure in this test.

Comment 3 Alex Scheel 2020-08-31 13:57:03 UTC
This is currently being discussed upstream here: https://github.com/dogtagpki/pki/pull/532 

Current hold-up is addressing upgrading systemd unit files; migration currently happens at service start time, which is too late to migrate the environment files loaded by systemd. We're looking to upgrade systemd unit files instead during RPM time. The current code in that PR does so and I'm running tests before pushing to Fedora.

Comment 4 Adam Williamson 2020-09-08 17:16:05 UTC
I see this got merged upstream now; are we ready for a downstream build?

Comment 5 Alex Scheel 2020-09-08 18:24:18 UTC
We've agreed to do a f33/f34 build prior to getting final exception in Fedora for r8.3. This means we'll need to rebuild f31->f34 later with that fix, but also won't hold up f33 beta.

commit 1fd3016c39e1c0aadd4f892051417011786a0f8f (HEAD -> v10.9, upstream/v10.9, origin/v10.9)
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Thu Sep 3 12:32:57 2020 -0400

    Keep JAVA_HOME in tomcat.conf
    
    Despite the name tomcat.conf, this is also the main configuration file
    loaded by instances. Instances (especially pkispawn) expect config to be
    only the Tomcat configuration, despite loading configuration from the
    environment as well. Eventually, we should migrate all of this to use
    the global configuration rather than the per-instance configuration.
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 9f9ef6301b67c9e0b917db80c686831462d9236a
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Mon Aug 24 14:54:23 2020 -0400

    Migrate JAVA_HOME in instance configuration
    
    When we upgrade from F32 to F33, we need to be able to upgrade JAVA_HOME
    to set it to the new value. This value will also change on F32 (from a
    JDK8-specific path to a generic path). This requires migration to happen
    on subsystem start.
    
    This means that the recommended way to configure JAVA_HOME to a value
    OTHER than what's shipped in /usr/.../pki.conf becomes to set it in
    /etc/.../pki.conf, and means that /etc/sysconfig/tomcat.conf gets
    rewritten each time.
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

Comment 6 Fedora Update System 2020-09-08 19:59:05 UTC
FEDORA-2020-2bef864cab has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2bef864cab

Comment 7 Alex Scheel 2020-09-08 20:35:30 UTC
Upstream also merged a commit to switch to JDK8 JAR level everywhere; this will get pulled in in a later update.

Comment 8 Adam Williamson 2020-09-08 20:46:53 UTC
What's broken without that?

Comment 9 Alex Scheel 2020-09-08 20:50:56 UTC
Perhaps any external plugins and customizations to Dogtag? Unlikely that Fedora deployments have any of those. It is mostly just an alternative way of ensuring that this problem gets addressed somehow (anyone wishing to stay on JDK8 for whatever reason theoretically could). But we did move to JDK11 so there's that. 

Since RHEL 8 still requires JDK8, it also ensures we don't ship random JDK-11 only stuff in the future without knowing it.

Comment 10 Fedora Update System 2020-09-08 20:57:49 UTC
FEDORA-2020-2bef864cab has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2bef864cab`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2bef864cab

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Adam Williamson 2020-09-08 23:38:20 UTC
Alex: OK, thanks.

Good news, this update makes the FreeIPA 32-33 upgrade test pass reliably, so woot for that.

Comment 12 Fedora Update System 2020-09-10 20:29:17 UTC
FEDORA-2020-2bef864cab has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

