#4499 ipa-ldap-upgrade should restore Directory Server settings when upgrade fails
Closed: Fixed None Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1131187

+++ This bug was initially created as a clone of Bug #1130252 +++

Description of problem:

Upgrading a RHEL6.5 server to 6.6 version of IPA (and components) results in
IPA not running.  I also see named failure during upgrade output:

  Updating   : ipa-server-3.0.0-42.el6.x86_64                          26/45
Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7
  Updating   : ipa-server-selinux-3.0.0-42.el6.x86_64                  27/45

Some digging through ipaupgrade.log shows failures to stop dirsrv as if it's
already stopped:

2014-08-14T16:14:13Z DEBUG Upgrading IPA:
2014-08-14T16:14:13Z DEBUG   [1/8]: stopping directory server
2014-08-14T16:14:13Z DEBUG args=/sbin/service dirsrv stop TESTRELM-TEST
2014-08-14T16:14:13Z DEBUG stdout=Shutting down dirsrv:
    TESTRELM-TEST... server already stopped[FAILED]
  *** Error: 1 instance(s) unsuccessfully stopped[FAILED]

Then looking at messages for yum update and named messages shows:

Aug 14 11:12:06 rhel6-1 yum[14053]: Updated: 389-ds-base-libs-1.2.11.15-39.el6.x86_64
Aug 14 11:12:12 rhel6-1 named[4089]: LDAP error: Can't contact LDAP server
Aug 14 11:12:12 rhel6-1 named[4089]: connection to the LDAP server was lost
Aug 14 11:12:12 rhel6-1 named[4089]: bind to LDAP server failed: Can't contact LDAP server
Aug 14 11:12:12 rhel6-1 named[4089]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Aug 14 11:12:25 rhel6-1 yum[14053]: Updated: 389-ds-base-1.2.11.15-39.el6.x86_64

And in dirsrv errors log I can see that it was stopped but I don't see anything
about it being started:

[14/Aug/2014:11:12:09 -0500] - slapd shutting down - signaling operation threads
[14/Aug/2014:11:12:09 -0500] - slapd shutting down - closing down internal subsystems and plugins
[14/Aug/2014:11:12:09 -0500] - Waiting for 4 database threads to stop
[14/Aug/2014:11:12:09 -0500] - All database threads now stopped
[14/Aug/2014:11:12:09 -0500] - slapd stopped.


Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-39.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.  on RHEL6.5 host, ipa-server-install # with dns configured
2.  setup RHEL6.6 yum repo configs
3.  yum update 'ipa*' sssd -y

Actual results:
dirsrv (and thus ipa) not running after upgrade.

Expected results:
everything running.

Additional info:

...
--- Additional comment from Scott Poore on 2014-08-14 22:04:44 EDT ---

If I upgrade openldap, I now get this:

[root@rhel6-2 slapd-TEST-QE]# service dirsrv restart
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TEST-QE...                                             [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TEST-QE...[14/Aug/2014:17:17:50 -0500] - Information: Non-Secure Port Disabled
                                                           [  OK  ]

And I can't see the 389 port open now:

[root@rhel6-2 dirsrv]# netstat -taupne |grep 389
tcp        0      0 :::7389                     :::*                        LISTEN      0          56704      17958/ns-slapd


I still can't start ipa.  How can I track down why slapd isn't starting on port
389?  Is there a logging level I should use?

I'm changing component here to 389-ds-base since that seems to be the main
piece here.

...
--- Additional comment from Rob Crittenden on 2014-08-18 09:43:08 EDT ---

I wonder if IPA should have a clone of this bug. There should be a failsafe in
the IPA updater such that it ALWAYS resets the listeners back to their initial
values (so 389 and security on)

--- Additional comment from Martin Kosek on 2014-08-18 11:51:26 EDT ---

Actually, this is a very good idea. We want to make upgrade process smoother. I
will clone the Bugzilla.

master:

  • 9a18860 upgradeinstance: Restore listeners on failure

ipa-4-1:

  • b333e7a upgradeinstance: Restore listeners on failure

I just noticed this does not display well with SystemExit with 0 return code as we do with --external-ca.

# ipa-server-install
...
  [29/39]: creating default Sudo bind user
  [30/39]: creating default Auto Member layout
  [31/39]: adding range check plugin
  [32/39]: creating default HBAC rule allow_all
  [33/39]: initializing group membership
  [34/39]: adding master entry
  [35/39]: configuring Posix uid/gid generation
  [36/39]: adding replication acis
  [37/39]: enabling compatibility plugin
  [38/39]: tuning directory server
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate
  [error] SystemExit: 0

master:

  • f866186 ipaserver.install.service: Don't show error message on SystemExit(0)

ipa-4-1:

  • 540f416 ipaserver.install.service: Don't show error message on SystemExit(0)
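
The two behaviours this ticket asks for, sketched as an added example (not taken from the FreeIPA commits listed above): listener settings are restored whatever happens during the upgrade steps, and `SystemExit(0)` is not reported as an error. The function names, the in-memory `config` dict and the upgrade-time values of `nsslapd-port` and `nsslapd-security` are assumptions made for illustration.

```python
import contextlib

# Real cn=config attributes; the upgrade-time values are an assumption.
UPGRADE_MODE = {"nsslapd-port": "0", "nsslapd-security": "off"}


@contextlib.contextmanager
def listeners_disabled(config):
    """Close the network listeners and always put the saved values back."""
    saved = {attr: config[attr] for attr in UPGRADE_MODE}
    config.update(UPGRADE_MODE)
    try:
        yield
    finally:
        # Runs on success, on any exception and on SystemExit alike.
        config.update(saved)


def run_steps(steps, config, log):
    """Run (name, callable) steps in order and return an exit code."""
    try:
        with listeners_disabled(config):
            for number, (name, step) in enumerate(steps, 1):
                log.append("  [%d/%d]: %s" % (number, len(steps), name))
                step(config)
    except (SystemExit, Exception) as e:
        if isinstance(e, SystemExit) and e.code in (None, 0):
            return 0  # deliberate clean stop, nothing to report
        log.append("  [error] %s: %s" % (type(e).__name__, e))
        return 1
    return 0


def raising(exc):  # builds a constructed step that raises exc
    def step(config):
        raise exc
    return step


def demo():  # constructed scenarios: success, failure, SystemExit(0)
    scenarios = {"ok": lambda c: None,
                 "fail": raising(RuntimeError("update failed")),
                 "exit0": raising(SystemExit(0))}
    out = {}
    for label, step in scenarios.items():
        config, log = {"nsslapd-port": "389", "nsslapd-security": "on"}, []
        rc = run_steps([("applying updates", step)], config, log)
        out[label] = (rc, config, log)
    return out
```

In all three scenarios returned by `demo()` the configuration ends with port 389 and security on; only the failing one logs an `[error]` line.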

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.1

7 years ago
