Bug 1899661 - FreeIPA server deployment fails since Fedora-Rawhide-20201119.n.0 with bind "initializing DST: no engine" error
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: bind-dyndb-ldap
Version: rawhide
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Petr Vobornik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks: F34BetaBlocker
Reported: 2020-11-19 18:14 UTC by Adam Williamson
Modified: 2020-11-30 17:29 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-30 17:29:20 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2020-11-19 18:14:04 UTC
With Fedora-Rawhide-20201119.n.0, the openQA FreeIPA server deployment / upgrade tests all started failing. They all show the same error from bind during startup:

Nov 19 04:05:30 ipa001.domain.local named[33206]: running as: named -u named -c /etc/named.conf -E pkcs11
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled by GCC 10.2.1 20201016 (Red Hat 10.2.1-6)
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with OpenSSL version: OpenSSL 1.1.1g FIPS  21 Apr 2020
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to OpenSSL version: OpenSSL 1.1.1h FIPS 22 Sep 2020
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with libxml2 version: 2.9.10
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to libxml2 version: 20910
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with libjson-c version: 0.14
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to libjson-c version: 0.14
Nov 19 04:05:30 ipa001.domain.local named[33206]: compiled with zlib version: 1.2.11
Nov 19 04:05:30 ipa001.domain.local named[33206]: linked to zlib version: 1.2.11
Nov 19 04:05:30 ipa001.domain.local named[33206]: threads support is enabled
Nov 19 04:05:30 ipa001.domain.local named[33206]: ----------------------------------------------------
Nov 19 04:05:30 ipa001.domain.local named[33206]: BIND 9 is maintained by Internet Systems Consortium,
Nov 19 04:05:30 ipa001.domain.local named[33206]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 19 04:05:30 ipa001.domain.local named[33206]: corporation.  Support and training for BIND 9 are
Nov 19 04:05:30 ipa001.domain.local named[33206]: available at https://www.isc.org/support
Nov 19 04:05:30 ipa001.domain.local named[33206]: ----------------------------------------------------
Nov 19 04:05:30 ipa001.domain.local named[33206]: adjusted limit on open files from 524288 to 1048576
Nov 19 04:05:30 ipa001.domain.local named[33206]: found 2 CPUs, using 2 worker threads
Nov 19 04:05:30 ipa001.domain.local named[33206]: using 1 UDP listener per interface
Nov 19 04:05:30 ipa001.domain.local named[33206]: using up to 21000 sockets
Nov 19 04:05:30 ipa001.domain.local named[33206]: initializing DST: no engine
Nov 19 04:05:30 ipa001.domain.local named[33206]: exiting (due to fatal error)
Nov 19 04:05:30 ipa001.domain.local systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Nov 19 04:05:30 ipa001.domain.local systemd[1]: named.service: Failed with result 'exit-code'.

This results in ipa.service failing (as part of initial deployment in the deployment tests, and on first boot after upgrade in the upgrade tests).

There was a bumper crop of FreeIPA-related updates in this compose:

Package:      bind-dyndb-ldap-11.5-1.fc34
Old package:  bind-dyndb-ldap-11.3-5.fc34

Package:      freeipa-4.9.0-0.rc1.fc34
Old package:  freeipa-4.8.10-7.fc34

Package:      krb5-1.18.3-2.fc34
Old package:  krb5-1.18.2-30.fc34

Package:      openldap-2.4.56-1.fc34
Old package:  openldap-2.4.55-1.fc34

Package:      python-ldap-3.3.1-2.fc34
Old package:  python-ldap-3.3.1-1.fc34

Package:      tomcat-1:9.0.40-1.fc34
Old package:  tomcat-1:9.0.39-1.fc34

...filing against bind-dyndb-ldap to start with as a guess. Proposing as a Beta blocker as a violation of Basic criterion https://fedoraproject.org/wiki/Basic_Release_Criteria#FreeIPA_server_requirements - "It must be possible to configure a Fedora Server system installed according to the above criteria as a FreeIPA domain controller, using the official deployment tools provided in the distribution FreeIPA packages."

Comment 1 Adam Williamson 2020-11-19 18:35:59 UTC
Oh, bad me, I made an assumption that turns out wrong - the upgrade tests aren't failing on exactly this, though they're still failing on a bind problem. bind crashes on startup after the upgrade, then the clients can't resolve names. I'll file a separate bug for that crash.

Comment 2 Alexander Bokovoy 2020-11-19 18:46:04 UTC
I think this is due to spec changes I did in freeipa.spec.

In particular, this line is breaking %{with bind_pkcs11} logic:
https://src.fedoraproject.org/rpms/freeipa/blob/master/f/freeipa.spec#_115

I addressed that in https://github.com/freeipa/freeipa/pull/5279/files#diff-79e7e776c34748018cf388f4492c4b28a4212e1ed49dfd826c34d370106233d1L110-L115 but it is not yet merged as we haven't yet completed the unification of the spec files.

I'm doing a build now.

Comment 3 Alexander Bokovoy 2020-11-19 19:11:48 UTC
https://koji.fedoraproject.org/koji/taskinfo?taskID=55896678 should address this issue.

Comment 4 Adam Williamson 2020-11-19 21:43:26 UTC
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1899744 for the bind crash on upgrade.

Comment 5 Alexander Bokovoy 2020-11-27 09:13:06 UTC
With bug 1899744 fixed with bind-dyndb-ldap 11.6-1.fc34, and python3-dns downgraded to Fedora 33 version (bug 1902061), I get successful deployment of IPA master and replica on Rawhide.

Comment 6 Adam Williamson 2020-11-30 17:29:20 UTC
Well, in openQA tests we seem to be still failing in named startup. Different error, though, and it happens slightly later than this one did:

Nov 30 05:14:09 ipa001.domain.local named[33077]: unable to open directory 'dyndb-ldap', working directory is '/var/named': permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: LDAP config validation failed for database 'ipa': permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: dynamic database 'ipa' configuration failed: permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: loading configuration: permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: exiting (due to fatal error)
Nov 30 05:14:09 ipa001.domain.local systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Nov 30 05:14:09 ipa001.domain.local systemd[1]: named.service: Failed with result 'exit-code'.
Nov 30 05:14:09 ipa001.domain.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

so I think we can say this one is fixed, and I'll file a new bug.
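
A triage sketch for the two journal excerpts quoted in this report, added here as an example (it is not code from the bug, BIND or FreeIPA): it groups named messages by PID and, for each fatal exit, reports the crypto engine from the logged command line and the earliest message in the error chain. The function name `named_fatal_causes` and the "same trailing result text" heuristic are assumptions made for the example.

```python
import re

# Syslog-style journal line: "Nov 19 04:05:30 host named[33206]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\snamed\[(\d+)\]:\s(.*)$")
FATAL = "exiting (due to fatal error)"

def named_fatal_causes(lines):
    """One record per named process that logged a fatal exit.
    Heuristic (assumption drawn from the excerpts in this bug): the same result
    text is repeated as the error propagates, so the earliest match is the origin."""
    history, engine, results = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # systemd and other units are ignored
        when, host, pid, msg = m.groups()
        if msg.startswith("running as:"):  # logged command line; -E is the crypto engine
            e = re.search(r"\s-E\s+(\S+)", msg)
            engine[pid] = e.group(1) if e else None
        if msg != FATAL:
            history.setdefault(pid, []).append(msg)
            continue
        msgs = history.get(pid, [])
        chain = msgs[-1:]
        reason = chain[0].rsplit(": ", 1)[-1] if chain else None
        for prev in reversed(msgs[:-1]):
            if not prev.endswith(": " + reason):
                break
            chain.insert(0, prev)
        results.append({"time": when, "host": host, "pid": pid,
                        "engine": engine.get(pid), "reason": reason,
                        "origin": chain[0] if chain else None})
    return results

# Lines copied from the two journal excerpts in this bug report.
SAMPLE = """\
Nov 19 04:05:30 ipa001.domain.local named[33206]: running as: named -u named -c /etc/named.conf -E pkcs11
Nov 19 04:05:30 ipa001.domain.local named[33206]: initializing DST: no engine
Nov 19 04:05:30 ipa001.domain.local named[33206]: exiting (due to fatal error)
Nov 19 04:05:30 ipa001.domain.local systemd[1]: named.service: Failed with result 'exit-code'.
Nov 30 05:14:09 ipa001.domain.local named[33077]: unable to open directory 'dyndb-ldap', working directory is '/var/named': permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: LDAP config validation failed for database 'ipa': permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: dynamic database 'ipa' configuration failed: permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: loading configuration: permission denied
Nov 30 05:14:09 ipa001.domain.local named[33077]: exiting (due to fatal error)
""".splitlines()

if __name__ == "__main__":
    print(*named_fatal_causes(SAMPLE), sep="\n")
```

On these lines the first record points at the DST engine initialisation and the second at the unreadable 'dyndb-ldap' directory rather than the final "loading configuration" message.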

