Bug 2005795 - bind-9.16.20-4.fc36 breaks ipa server installation
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Priority: unspecified
Severity: urgent
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
Depends On: 2005832
Reported: 2021-09-20 07:57 UTC by Florence Blanc-Renaud
Modified: 2021-09-21 20:37 UTC (History)

Fixed In Version: openssl-pkcs11-0.4.11-6.fc36
Last Closed: 2021-09-21 20:37:59 UTC
Type: Bug



Description Florence Blanc-Renaud 2021-09-20 07:57:07 UTC
Created attachment 1824526
Output of journalctl -xeu named.service

Description of problem:
ipa-server-install --setup-dns is broken with the recent rawhide update bind-9.16.21-1.fc36

Version-Release number of selected component (if applicable):
bind-9.16.21-1.fc36

How reproducible:
Always

Steps to Reproduce:
1. Reproduced on a 1minutetip rawhide machine: 1MT-Fedora-36
2. dnf update -y
3. dnf install -y freeipa-server freeipa-server-dns
4. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U

Actual results:
ipa-server-install fails with an error starting named service

Expected results:
ipa-server-install should complete successfully

Additional info:
Extract of the journal:
Sep 20 03:49:08 server.ipa.test named[47048]: BIND 9 is maintained by Internet Systems Consortium,
Sep 20 03:49:08 server.ipa.test named[47048]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 20 03:49:08 server.ipa.test named[47048]: corporation.  Support and training for BIND 9 are
Sep 20 03:49:08 server.ipa.test named[47048]: available at https://www.isc.org/support
Sep 20 03:49:08 server.ipa.test named[47048]: ----------------------------------------------------
Sep 20 03:49:08 server.ipa.test named[47048]: adjusted limit on open files from 524288 to 1048576
Sep 20 03:49:08 server.ipa.test named[47048]: found 1 CPU, using 1 worker thread
Sep 20 03:49:08 server.ipa.test named[47048]: using 1 UDP listener per interface
Sep 20 03:49:08 server.ipa.test named[47048]: using up to 21000 sockets
Sep 20 03:49:08 server.ipa.test named[47048]: initializing DST: no engine
Sep 20 03:49:08 server.ipa.test named[47048]: exiting (due to fatal error)
Sep 20 03:49:08 server.ipa.test systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE

Comment 3 Petr Menšík 2021-09-20 09:54:30 UTC
Hmm, confirmed it does not work. Not an issue on the bind side, however. No pkcs11 engine exists after the switch to OpenSSL 3. The build of openssl-pkcs11 failed [1] on Fedora, yet it does not have its own bug yet. It is still in a side-tag, and the installed openssl-pkcs11-0.4.11-4.fc35.x86_64 is linked to OpenSSL 1.1.

# openssl engine -vv pkcs11
00AC0538E57F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/lib64/engines-3/pkcs11.so): /usr/lib64/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
00AC0538E57F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
00AC0538E57F0000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:422:
00AC0538E57F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:343:id=pkcs11

Cannot fix it until we have working openssl-pkcs11 for OpenSSL 3.

1. https://koji.fedoraproject.org/koji/taskinfo?taskID=75717780

Comment 4 Petr Menšík 2021-09-20 10:13:14 UTC
It is not the new version; it did not change anything related. It was the OpenSSL 3.0 rebuild that was responsible. Version bind-9.16.20-4.fc36 has the same problem; it was just discovered when the bind-dyndb-ldap plugin rebuild was tested.

Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: starting BIND 9.16.20-RH (Extended Support Version>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: running on Linux x86_64 5.14.0-0.rc5.20210813gitf8>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: built with '--build=x86_64-redhat-linux-gnu' '--ho>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: running as: named -u named -c /etc/named.conf -E p>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled by GCC 11.2.1 20210728 (Red Hat 11.2.1-1)
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with OpenSSL version: OpenSSL 3.0.0 7 sep>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to OpenSSL version: OpenSSL 3.0.0 7 sep 2021
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with libxml2 version: 2.9.12
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to libxml2 version: 20912
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with json-c version: 0.15
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to json-c version: 0.15
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with zlib version: 1.2.11
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to zlib version: 1.2.11
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: -------------------------------------------------->
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: BIND 9 is maintained by Internet Systems Consortiu>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: corporation.  Support and training for BIND 9 are
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: available at https://www.isc.org/support
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: -------------------------------------------------->
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: adjusted limit on open files from 524288 to 1048576
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: found 1 CPU, using 1 worker thread
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: using 1 UDP listener per interface
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: using up to 21000 sockets
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: initializing DST: no engine
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: exiting (due to fatal error)

Comment 5 Petr Menšík 2021-09-21 20:37:59 UTC
It seems that after installation of openssl-pkcs11 built for OpenSSL 3.0, it works again just fine. We only need to wait until the new package is in the repositories.
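A pre-flight check for the failure tracked in this bug, as an added example that is not part of the bug report or of any Fedora package. It assumes the engine module is named `<id>.so` inside the directory reported by `openssl version -e`, as in the `/usr/lib64/engines-3/pkcs11.so` error in comment 3; the function names are hypothetical.

```shell
#!/bin/sh
# named started with an OpenSSL engine (-E <id>) exits with
# "initializing DST: no engine" when <id>.so is absent from the engines
# directory of the OpenSSL it is linked against.

# Extract ENGINESDIR from the text printed by `openssl version -e`,
# e.g.  ENGINESDIR: "/usr/lib64/engines-3"
engines_dir_from() {
    printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p'
}

# check_engine <engines_dir> <engine_id>
# Returns 0 if the module is present, 2 if it exists only for another
# OpenSSL version (sibling engines-* directory), 1 if it is missing.
check_engine() {
    dir=$1 id=$2
    if [ -f "$dir/$id.so" ]; then
        echo "ok: $dir/$id.so"
        return 0
    fi
    for other in "$(dirname "$dir")"/engines-*; do
        [ "$other" != "$dir" ] && [ -f "$other/$id.so" ] || continue
        echo "mismatch: $id.so found only in $other, not in $dir"
        return 2
    done
    echo "missing: $dir/$id.so"
    return 1
}

# Reads journal text on stdin; succeeds if named logged the DST engine
# failure followed by the fatal exit, as in the extracts in this bug.
journal_shows_no_engine() {
    awk '/named\[[0-9]+\]: initializing DST: no engine/ { seen = 1 }
         seen && /named\[[0-9]+\]: exiting \(due to fatal error\)/ { hit = 1 }
         END { exit (hit ? 0 : 1) }'
}

# Live use: `sh check-engine.sh pkcs11` (script name is an assumption).
if [ -n "${1:-}" ] && command -v openssl >/dev/null 2>&1; then
    check_engine "$(engines_dir_from "$(openssl version -e)")" "$1"
fi
```

The journal check can be fed from `journalctl -u named.service`.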

