Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1577805
Summary: | 4.5.0 -> 4.5.4 upgrade breaks in ipa-server-upgrade: No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Alexander Bokovoy <abokovoy> | |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 7.5 | CC: | abokovoy, amore, extras-qa, frenaud, ipa-maint, james, jcholast, jhrozek, ksiddiqu, ndehadra, pasik, pvoborni, rcritten, ssorce, tscherf | |
Target Milestone: | rc | Keywords: | Reopened, ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.6.4-1.el7 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1550555 | |||
: | 1579203 (view as bug list) | Environment: | ||
Last Closed: | 2018-10-30 10:58:39 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1550555 | |||
Bug Blocks: | 1579203 |
Description
Alexander Bokovoy
2018-05-14 07:37:30 UTC
Hi, I don't think this is the same issue as Bug #1550555 because the problem happens at a different moment. Following a discussion on IRC with joko, he provided the following logs: -------------------- 2018-05-14T19:53:07Z DEBUG Executing upgrade plugin: update_ca_renewal_master 2018-05-14T19:53:07Z DEBUG raw: update_ca_renewal_master 2018-05-14T19:53:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2018-05-14T19:53:07Z DEBUG certmonger request for RA cert not found 2018-05-14T19:53:07Z DEBUG Destroyed connection context.ldap2_140692280089040 2018-05-14T19:53:07Z ERROR Upgrade failed with [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' 2018-05-14T19:53:07Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 220, in __upgrade self.modified = (ld.update(self.files) or self.modified) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 911, in update self._run_updates(all_updates) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 883, in _run_updates self._run_update_plugin(update['plugin']) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in _run_update_plugin restart_ds, updates = self.api.Updater[plugin_name]() File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in __call__ return self.execute(**options) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/ca_renewal_master.py", line 106, in execute paths.CA_CS_CFG_PATH, 'subsystem.select', '=') File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 578, in get_directive fd = open(filename, "r") IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' 2018-05-14T19:53:07Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 228, in __upgrade raise RuntimeError(e) RuntimeError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' 2018-05-14T19:53:07Z DEBUG [error] RuntimeError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' 2018-05-14T19:53:07Z DEBUG [cleanup]: stopping directory server 2018-05-14T19:53:07Z DEBUG Destroyed connection context.ldap2_140692311895056 2018-05-14T19:53:07Z DEBUG Starting external process 2018-05-14T19:53:07Z DEBUG args=/bin/systemctl stop dirsrv 2018-05-14T19:53:08Z DEBUG Process finished, return code=0 2018-05-14T19:53:08Z DEBUG stdout= 2018-05-14T19:53:08Z DEBUG stderr= 2018-05-14T19:53:08Z DEBUG duration: 1 seconds 2018-05-14T19:53:08Z DEBUG [cleanup]: restoring configuration 2018-05-14T19:53:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2018-05-14T19:53:08Z DEBUG duration: 0 seconds 2018-05-14T19:53:08Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2018-05-14T19:53:08Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run raise admintool.ScriptError(str(e)) 2018-05-14T19:53:08Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1) 2018-05-14T19:53:08Z ERROR ('IPA upgrade failed.', 1) 2018-05-14T19:53:08Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information ---------- It looks like the upgrade plugin update_ca_renewal_master is executed even though there is no CA installed. One of the first steps of the plugin is to check if ca.is_configured(), which is equivalent to looking for a [pki-tomcatd] section in /var/lib/ipa/sysrestore/sysrestore.state. The plugin should be skipped when the CA is not configured, but the logs show that it gets executed. I asked the user to provide the sysrestore.state content, we'll be able to know more when we have this information available. Note: the logs confirm he's using IPA version 4.5.4-10.el7.centos. sysrestore.state contains [pki-tomcatd] installed = true which means that the CA was installed on the host. It's probable that CA installation went wrong (or some files were manually deleted) and this is a different issue from 1550555. After discussion with ab, we agreed to backport the fix for 1550555 to 4.5 anyway because the upgrade would show a WARNING that may be misleading. Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/035f1cb24a228ba40b3e124d78a507be22aa52bd IPA version : ipa-server-4.6.4-2.el7.x86_64 Verified the bug using following steps: 1: Install CA-less ipa-server. 2: Upgrade to RHEL 7.6. 3: tail /var/log/ipaupgrade.log, no errors mentioned in the bug are observed. Tested for following paths: 1. RHEL 75z > 7.6 2. RHEL 75-0day > 7.6 3. RHEL 74z > 7.6 Thus on the basis of above observations marking the status of bug to 'VERIFIED'. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3187 |