2216549 – Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2216549 - Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin

Summary: Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	9.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	anuja
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2216551
TreeView+	depends on / blocked

Reported:	2023-06-21 18:54 UTC by Florence Blanc-Renaud
Modified:	2023-11-07 09:54 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-4.10.2-2.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2216551 (view as bug list)
Environment:
Last Closed:	2023-11-07 08:34:14 UTC
Type:	---
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 9385	None	None	None	2023-06-21 19:00:57 UTC
Red Hat Issue Tracker	FREEIPA-10059	None	None	None	2023-06-21 18:57:25 UTC
Red Hat Issue Tracker	RHELPLAN-160394	None	None	None	2023-06-21 18:57:30 UTC
Red Hat Product Errata	RHBA-2023:6477	None	None	None	2023-11-07 08:35:00 UTC

Description Florence Blanc-Renaud 2023-06-21 18:54:47 UTC

Cloned from upstream: https://pagure.io/freeipa/issue/9385

### Issue
ipactl start fails on a replica server

#### Steps to Reproduce
ipactl start

#### Actual behavior
Upgrade fails and rolls back.

#### Expected behavior
ipa starts

#### Version/Release/Distribution
The package freeipa-server is not installed
The package freeipa-client is not installed
ipa-server-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64                                                                                         
ipa-client-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64                                                                                         
389-ds-base-1.4.3.30-6.module+el8.7.0+20830+6d1ef8be.x86_64                                                                                          
The package pki-ca is not installed
krb5-server-1.18.2-22.0.1.el8_7.x86_64  

#### Additional info:
```
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b', current version '4.9.10-6.0.1.module+el8.7.0+20837+581a7c1e')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct mod
ifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direc
t modifications allowed.
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct mod
ifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direc
t modifications allowed.
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'caECServerCertWithSCT'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

#### Workaround:
Commenting out the update in `/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py` line 52.

Comment 3 Florence Blanc-Renaud 2023-06-21 18:59:55 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/143c3eb1612f9bb7f015dcf2dcb496e8ef324a38
https://pagure.io/freeipa/c/ac78a84fbe90f361a4a58fb2748d539647ffea52

Comment 4 Florence Blanc-Renaud 2023-06-21 19:00:55 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/9385

Comment 5 Florence Blanc-Renaud 2023-06-21 19:05:29 UTC

Upstream test added in ipatests/test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements

Comment 7 Florence Blanc-Renaud 2023-06-22 15:50:30 UTC

Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/ad77c4c6512f82019d1970d910647761b60aaedb
https://pagure.io/freeipa/c/3b58487c7b2f8ac133e37e8f90f85ff2fb05bf34

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/d29b47512a39ada02fb371521994576cd9815a6c
https://pagure.io/freeipa/c/93d97b59600c15e5028ee39b0e98450544165158

Comment 8 anuja 2023-07-05 07:30:31 UTC

Verified Tested using test-compose:
ipa-server-4.10.2-2.el9.x86_64

test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_replica PASSED [ 16%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_master PASSED [ 33%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_manage PASSED [ 50%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_ipa_custodia_check PASSED [ 66%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements PASSED [ 83%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_removal PASSED [100%]

=============================== warnings summary ===============================
    cls = pytest.mark.source_order(cls)
=================== 6 passed, 1 warning in 996.62s (0:16:36) ===================

Comment 11 anuja 2023-07-12 12:44:51 UTC

Verified using nightly build:
ipa-4.10.2-2.el9

============================= test session starts ==============================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.17', 'Platform': 'Linux-5.14.0-333.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 6 items

test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_replica PASSED [ 16%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_master PASSED [ 33%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_manage PASSED [ 50%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_ipa_custodia_check PASSED [ 66%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements PASSED [ 83%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_removal PASSED [100%]

=================== 6 passed, 1 warning in 999.74s (0:16:39) ===================

Comment 14 errata-xmlrpc 2023-11-07 08:34:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477

Note You need to log in before you can comment on or make changes to this bug.