When upgrading to 4.2.0 with ipa-server-upgrade, things go wrong because kdc proxy upgrade script doesn't expect dirsrv will be down:
2015-07-10T09:56:36Z DEBUG [7/8]: stopping directory server 2015-07-10T09:56:38Z DEBUG [8/8]: restoring configuration 2015-07-10T09:56:38Z INFO [Verifying that root certificate is published] 2015-07-10T09:56:38Z INFO [Migrate CRL publish directory] 2015-07-10T09:56:38Z INFO [Verifying that KDC configuration is using ipa-kdb backend] 2015-07-10T09:56:38Z INFO [Enabling KDC Proxy] 2015-07-10T09:56:48Z DEBUG Could not connect to the Directory Server on XXXXX: [Errno 111] Connection refused 2015-07-10T09:56:48Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2015-07-10T09:56:48Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1577, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1406, in upgrade_configuration http.ldap_connect() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 147, in ldap_connect conn.do_bind(self.dm_password, autobind=self.autobind) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1631, in do_bind self.do_external_bind(pw_name, timeout=timeout) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1621, in do_external_bind self.__bind_with_wait(self.external_bind, timeout, user_name) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1610, in __bind_with_wait self.__wait_for_connection(timeout) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1593, in __wait_for_connection wait_for_open_socket(lurl.hostport, timeout) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket raise e 2015-07-10T09:56:48Z DEBUG The ipa-server-upgrade command failed, exception: error: [Errno 111] Connection refused 2015-07-10T09:56:48Z ERROR [Errno 111] Connection refused 2015-07-10T09:57:57Z DEBUG Logging to /var/log/ipaupgrade.log
The bug is related to #3351. mbasti suggests that I make sure that dirsrv is running.
Just note: to reproduce this behavior, please shutdown the DS server before upgrade.
Actually, you don't need to shutdown -- just take 4.2.0-0.fc22 from mkosek/freeipa-4.2 COPR repo because it has issues with ipaVaultPublicKey definition and upgrades from 4.1.x will cause directory server to not start (99user.ldif will contain definitions for ipaVaultPublicKey and ipaPublicKey but in the wrong order and as order is not guaranteed, upgrade or start will always fail until you'd copy over 60basev3.ldif from /usr/share/ipa).
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1242884
master:
ipa-4-2:
Metadata Update from @abbra: - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.2.1
Login to comment on this ticket.