RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1913089 - ipaupgrade failed due to set incorrect location of ldif
Summary: ipaupgrade failed due to set incorrect location of ldif
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
: 1917476 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-05 23:17 UTC by Takahiro HASHIMOTO
Modified: 2021-02-15 07:23 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-15 07:23:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
ipactl restart command output (9.48 KB, text/plain)
2021-01-05 23:17 UTC, Takahiro HASHIMOTO
no flags Details

Description Takahiro HASHIMOTO 2021-01-05 23:17:21 UTC
Created attachment 1744731 [details]
ipactl restart command output

Created attachment 1744731 [details]
ipactl restart command output

Created attachment 1744731 [details]
ipactl restart command output

Description of problem:

"ipaupgrade" failed on CentOS Stream recent update. freeipa has been rebased from 4.8 to 4.9.

Version-Release number of selected component (if applicable):

Before: ipa-server-* 4.8.7-12.module_el8.3.0+511+8a502f20
Upgrade to: ipa-server-* 4.9.0rc3-0.5.rc3.module_el8.4.0+591+30f359c9

How reproducible:

Always

Steps to Reproduce:
1.  Set up FreeIPA sever 4.8.x on CentOS Stream
2. run "dnf update" to latest CentOS release and confirm ipa-server-* is upgraded to 4.9.x
3. run ipactl restart to run "ipaupgrade automatically"

Actual results:

ipaupgrade fails with log in /var/log/ipaupgrade.log

Expected results:

ipaupgrade succeeds and launch ipa-server successfully.

Additional info:

The ipaupgrade process specifying the directory

"/usr/share/pki/acme/database/ds/schema.ldif"

In my environment it is located to

"/usr/share/pki/acme/database/ldap/schema.ldif"

Tempolaly workaround: just create symlink of "ldap" directory named as "ds" and run ipaupgrade again. Then upgrade has been ended successfully.

Comment 1 Rob Crittenden 2021-01-05 23:30:53 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8634

Comment 2 Rob Crittenden 2021-01-06 00:31:17 UTC
It is failing trying to deploy the ACME service.

I think that is a relatively safe workaround. The downside is that ACME will be deployed but it will not work with that version of dogtag.

This affects new installations as well.

Once a version of dogtag that provides the distributed ACME service (10.10.0+) then I believe it will just start working.

Comment 3 Rob Crittenden 2021-01-06 16:36:46 UTC
I'd also strongly recommend to remove the symlink after installation/upgrade. It is only used once and when the pki-10.10.x packages land if it still exists then rpm may overwrite files.

Comment 4 Takahiro HASHIMOTO 2021-01-07 05:23:29 UTC
(In reply to Rob Crittenden from comment #3)
> I'd also strongly recommend to remove the symlink after
> installation/upgrade. It is only used once and when the pki-10.10.x packages
> land if it still exists then rpm may overwrite files.

Rob, thanks for your quick response and advice!!  I've removed it on my environment.

Comment 5 Alexander Bokovoy 2021-01-12 14:01:39 UTC
A new pki-core build is coming to CentOS Stream, it will bring pki 10.10 in a couple days -- dist-git already updated but the compose does not yet contain the builds.

Once it is done, this bug will fix itself as FreeIPA will properly require pki-acme for pki-core 10.10.

We also have a tightening PR on FreeIPA side to not configure ACME if pki-core version is below 10.10.

So please close this bug once you are able to verify that an updated pki-core 10.10 build landed in CentOS Stream.

https://git.centos.org/modules/pki-core/c/1dbc0e3ce47cccbbb08738701ea8a7f3fba41cfc?branch=c8s-stream-10.6

Comment 6 Florence Blanc-Renaud 2021-01-15 09:09:34 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/85d4f2d9c6f8ef7a9bd9a016d894ad273c58b6d2

Comment 7 Florence Blanc-Renaud 2021-01-15 13:02:23 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66

Comment 8 Rob Crittenden 2021-01-18 14:55:55 UTC
*** Bug 1917476 has been marked as a duplicate of this bug. ***

Comment 9 Alexander Bokovoy 2021-02-15 07:17:17 UTC
$ podman run -ti  quay.io/centos/centos:stream8 /bin/bash
[root@171ba42fee31 /]# dnf module info pki-core:10.6
Last metadata expiration check: 0:00:10 ago on Mon Feb 15 07:16:33 2021.
Name             : pki-core
Stream           : 10.6
Version          : 8040020210121175224
Context          : d4d99205
Architecture     : x86_64
Profiles         : 
Default profiles : 
Repo             : appstream
Summary          : PKI Core module for PKI 10.6 or later
Description      : A module for PKI Core packages for PKI version 10.6 or later.
Requires         : pki-deps:[10.6]
                 : platform:[el8]
Artifacts        : jss-0:4.8.1-1.module_el8.4.0+651+f152bdd4.src
                 : jss-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : jss-debuginfo-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : jss-debugsource-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : jss-javadoc-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : ldapjdk-0:4.22.0-1.module_el8.4.0+627+e8937f0b.noarch
                 : ldapjdk-0:4.22.0-1.module_el8.4.0+627+e8937f0b.src
                 : ldapjdk-javadoc-0:4.22.0-1.module_el8.4.0+627+e8937f0b.noarch
                 : pki-acme-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-base-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-base-java-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-ca-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-core-0:10.10.3-1.module_el8.4.0+651+f152bdd4.src
                 : pki-core-debuginfo-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-core-debugsource-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-kra-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-server-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-symkey-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-symkey-debuginfo-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-tools-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-tools-debuginfo-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : python3-pki-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : tomcatjss-0:7.6.1-1.module_el8.4.0+627+e8937f0b.noarch
                 : tomcatjss-0:7.6.1-1.module_el8.4.0+627+e8937f0b.src

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive
[root@171ba42fee31 /]#

Comment 10 Kaleem 2021-02-15 07:23:35 UTC
Based on the comments in https://bugzilla.redhat.com/show_bug.cgi?id=1913089#c9 and package existence in following centos 8 stream repo, moving this to closed now.

http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/pki-ca-10.10.3-1.module_el8.4.0+651+f152bdd4.noarch.rpm


Note You need to log in before you can comment on or make changes to this bug.