Bug 1552318 - Re-base Dogtag 10.5 to Dogtag 10.6
Summary: Re-base Dogtag 10.5 to Dogtag 10.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-core
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Endi Sukma Dewata
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F28BetaFreezeException
Reported: 2018-03-06 22:44 UTC by Matthew Harmsen
Modified: 2018-03-18 00:48 UTC

Fixed In Version: pki-core-10.6.0-0.2.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-18 00:48:56 UTC
Type: Bug
Embargoed:


Description Matthew Harmsen 2018-03-06 22:44:07 UTC
The Dogtag PKI Team is proposing a re-base from 10.5 to 10.6 during the Fedora 28 timeframe.

Significant changes that will be incorporated as a part of Dogtag 10.6 include (but are not limited to) the following:

* NSS SQL support for FreeIPA
* full Python 3 support
* support for Apache Tomcat 8.5
* support for tomcatjss 7.3.0

Comment 1 Fedora Blocker Bugs Application 2018-03-06 22:47:18 UTC
Proposed as a Freeze Exception for 28-beta by Fedora user mharmsen using the blocker tracking app because:

 As detailed in the bug, although NSS SQL and Python 3 functionality has been completed, the team was unable to complete full Tomcat 8.5 support in time for the Beta deadline of March 6, 2018.

Consequently, we are requesting a brief extension in order to complete this work before we build the official pki-core-10.6.0-1.fc28 packages.

Comment 2 Adam Williamson 2018-03-09 20:08:10 UTC
I'm kind of unhappy about how we keep hitting this fire drill every cycle: FreeIPA doesn't work for months during the pre-Beta phase (or pre-Alpha, when we were doing Alphas), then - often - there's a sudden flurry of desire to land all new shiny versions of everything, often during the Beta (or Alpha, when we had Alphas) freeze.

It's difficult for QA, releng and FESCo to do their jobs properly because we just don't have a baseline: we're really not *supposed* to just blithely wave through major version updates that come well after the freeze date (let alone the date when major Changes are supposed to be 'testable', which I would suggest is a reasonable point in the cycle for major version updates like this to be landing, even if they aren't formally submitted as Changes), but we wind up doing it anyway because we just can't reasonably judge what change is appropriate and what isn't when the whole of FreeIPA hasn't worked for months, and we're essentially reduced to saying "just land whatever you want so long as it makes something work", which isn't really the way this process is supposed to work.

So, for now I'm +1, but not really happy about it. It'd be much nicer if FreeIPA work were better synced to the schedule in future, and it wasn't left in a broken state for months.

Note that part of the overall "NoMoreAlphas" change which resulted in the removal of Alphas was supposed to be that we maintain Rawhide at broadly Alpha quality all the time. Alpha quality requires that FreeIPA *work*. If we actually want to start gating Rawhide composes on Alpha quality, this is going to need sorting out, because that means FreeIPA has to work or we don't send out composes.

Comment 3 Kevin Fenzi 2018-03-09 22:57:54 UTC
+1 to what Adam said. Perhaps we could identify where it goes off the rails? i.e., at f27 release that worked (at least met release criteria). Was rawhide working before the f27 branching point? Perhaps the problem is all the focus goes into landing the new thing in the branch and rawhide is neglected until the next branch, etc.

Comment 4 Adam Williamson 2018-03-09 23:44:20 UTC
AFAICS, it has been broken in Rawhide since Fedora-Rawhide-20170407.n.0 . Viz https://openqa.fedoraproject.org/tests/199278?machine=64bit&test=server_role_deploy_domain_controller&version=Rawhide&distri=fedora&arch=x86_64&limit_previous=400&flavor=Server-dvd-iso#previous .

Some of those fails will be cases where Rawhide itself was broken, but plenty fail during FreeIPA deployment.

For F27, it was broken from Branch point - Fedora-27-20170817.n.3 - through to Fedora-27-20171001.n.2 , when it worked for the first time. That was two days before Beta release. I do not recall the details of what all else was going on during that period.

Comment 5 Geoffrey Marr 2018-03-12 21:00:38 UTC
Discussed during the 2018-03-12 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as this seems the only way to get a working FreeIPA for this release. We hope to coordinate with the FreeIPA team better in the future to avoid changes like this before the Beta release.

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-03-12/f28-blocker-review.2018-03-12-16.01.txt

Comment 6 Adam Williamson 2018-03-13 00:10:31 UTC
To be more precise, "before the Beta release" is fine. "After the Beta freeze" is not :) What would be best is if a planned-out and agreed-upon set of major versions were landed comfortably before the freeze, and from then on, only bugfix changes were needed.

Comment 7 Christian Heimes 2018-03-13 13:47:31 UTC
I hate to be the bringer of bad news. This ticket is just for Dogtag 10.6. Because of NSS DB change and ntpd deprecation, FreeIPA 4.6 won't work on F28 either. We haven't even filed a beta exception for FreeIPA 4.7 yet, because we cannot start testing without Dogtag 10.6. :(

Comment 8 Adam Williamson 2018-03-13 15:58:13 UTC
Don't worry, it's not news. We already have bugs for those issues. https://bugzilla.redhat.com/show_bug.cgi?id=1496562 , https://bugzilla.redhat.com/show_bug.cgi?id=1551677 . So far as Fedora is concerned, these are all one big issue called "make FreeIPA work already".

Comment 9 Fedora Update System 2018-03-16 21:09:28 UTC
freeipa-4.6.90.pre1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9

Comment 10 Fedora Update System 2018-03-17 19:29:56 UTC
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9

Comment 11 Fedora Update System 2018-03-18 00:48:56 UTC
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
