With Fedora-Rawhide-20201119.n.0, the openQA FreeIPA server deployment / upgrade tests all started failing. They all show the same error from bind during startup:

Nov 19 04:05:30 ipa001.domain.local named[33206]: running as: named -u named -c /etc/named.conf -E pkcs11
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled by GCC 10.2.1 20201016 (Red Hat 10.2.1-6)
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to OpenSSL version: OpenSSL 1.1.1h FIPS 22 Sep 2020
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with libxml2 version: 2.9.10
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to libxml2 version: 20910
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with libjson-c version: 0.14
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to libjson-c version: 0.14
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with zlib version: 1.2.11
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to zlib version: 1.2.11
Nov 19 04:05:30 ipa001.domain.local named[33206]: threads support is enabled
Nov 19 04:05:30 ipa001.domain.local named[33206]: ----------------------------------------------------
Nov 19 04:05:30 ipa001.domain.local named[33206]: BIND 9 is maintained by Internet Systems Consortium,
Nov 19 04:05:30 ipa001.domain.local named[33206]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 19 04:05:30 ipa001.domain.local named[33206]: corporation. Support and training for BIND 9 are
Nov 19 04:05:30 ipa001.domain.local named[33206]: available at https://www.isc.org/support
Nov 19 04:05:30 ipa001.domain.local named[33206]: ----------------------------------------------------
Nov 19 04:05:30 ipa001.domain.local named[33206]: adjusted limit on open files from 524288 to 1048576
Nov 19 04:05:30 ipa001.domain.local named[33206]: found 2 CPUs, using 2 worker threads
Nov 19 04:05:30 ipa001.domain.local named[33206]: using 1 UDP listener per interface
Nov 19 04:05:30 ipa001.domain.local named[33206]: using up to 21000 sockets
Nov 19 04:05:30 ipa001.domain.local named[33206]: initializing DST: no engine
Nov 19 04:05:30 ipa001.domain.local named[33206]: exiting (due to fatal error)
Nov 19 04:05:30 ipa001.domain.local systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Nov 19 04:05:30 ipa001.domain.local systemd[1]: named.service: Failed with result 'exit-code'.

This results in ipa.service failing (as part of initial deployment in the deployment tests, and on first boot after upgrade in the upgrade tests). There was a bumper crop of FreeIPA-related updates in this compose:

Package: bind-dyndb-ldap-11.5-1.fc34
Old package: bind-dyndb-ldap-11.3-5.fc34
Package: freeipa-4.9.0-0.rc1.fc34
Old package: freeipa-4.8.10-7.fc34
Package: krb5-1.18.3-2.fc34
Old package: krb5-1.18.2-30.fc34
Package: openldap-2.4.56-1.fc34
Old package: openldap-2.4.55-1.fc34
Package: python-ldap-3.3.1-2.fc34
Old package: python-ldap-3.3.1-1.fc34
Package: tomcat-1:9.0.40-1.fc34
Old package: tomcat-1:9.0.39-1.fc34

...filing against bind-dyndb-ldap to start with as a guess.

Proposing as a Beta blocker as a violation of Basic criterion https://fedoraproject.org/wiki/Basic_Release_Criteria#FreeIPA_server_requirements - "It must be possible to configure a Fedora Server system installed according to the above criteria as a FreeIPA domain controller, using the official deployment tools provided in the distribution FreeIPA packages."
Oh, bad me, I made an assumption that turns out wrong - the upgrade tests aren't failing on exactly this, though they're still failing on a bind problem. bind crashes on startup after the upgrade, then the clients can't resolve names. I'll file a separate bug for that crash.
I think this is due to a spec change I did in freeipa.spec. In particular, this line is breaking %{with bind_pkcs11} logic: https://src.fedoraproject.org/rpms/freeipa/blob/master/f/freeipa.spec#_115 I addressed that in https://github.com/freeipa/freeipa/pull/5279/files#diff-79e7e776c34748018cf388f4492c4b28a4212e1ed49dfd826c34d370106233d1L110-L115 but it is not yet merged as we haven't yet completed the unification of the spec files. I'm doing a build now.
https://koji.fedoraproject.org/koji/taskinfo?taskID=55896678 should address this issue.
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1899744 for the bind crash on upgrade.
With bug 1899744 fixed with bind-dyndb-ldap 11.6-1.fc34, and python3-dns downgraded to Fedora 33 version (bug 1902061), I get successful deployment of IPA master and replica on Rawhide.
Well, in openQA tests we seem to be still failing in named startup. Different error, though, and it happens slightly later than this one did:

Nov 30 05:14:09 ipa001.domain.local named[33077]: unable to open directory 'dyndb-ldap', working directory is '/var/named': permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: LDAP config validation failed for database 'ipa': permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: dynamic database 'ipa' configuration failed: permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: loading configuration: permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: exiting (due to fatal error)
Nov 30 05:14:09 ipa001.domain.local systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Nov 30 05:14:09 ipa001.domain.local systemd[1]: named.service: Failed with result 'exit-code'.
Nov 30 05:14:09 ipa001.domain.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

So I think we can say this one is fixed, and I'll file a new bug.