#5232 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service
Closed: Fixed None Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1254412

Created attachment 1064146
389-ds log

Description of problem:
when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and
named-pkcs11.service

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7.x86_64 -> ipa-server-4.2.0-4.el7.x86_64
pki-ca-10.1.2-7.el7.noarch -> pki-ca-10.2.5-5.el7.noarch
389-ds-base-1.3.3.1-13.el7.x86_64 -> 389-ds-base-1.3.4.0-11.el7.x86_64
bind-pkcs11-9.9.4-28.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. 7.1 server installed
2. stop dirsrv
3. upgrade to 7.2

Actual results:
upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service

Expected results:
Upgrade success with no failures.

Additional info:

[root@cloud-qe-3 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.1 (Maipo)

[root@cloud-qe-3 ~]# systemctl stop dirsrv.target
[root@cloud-qe-3 ~]# systemctl status dirsrv.target
dirsrv.target - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; disabled)
   Active: inactive (dead)
[root@cloud-qe-3 ~]# yum -y update 'ipa*' sssd
.
.
.
  Cleanup    : systemd-libs-208-20.el7.x86_64
134/136
  Cleanup    : libsss_idmap-1.12.2-58.el7.x86_64
135/136
  Cleanup    : slapi-nis-0.54-2.el7.x86_64
136/136
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
CA did not start in 300.0s
MYNEWREPO1/productid
| 1.6 kB  00:00:00
  Verifying  : 32:bind-libs-lite-9.9.4-28.el7.x86_64
1/136
  Verifying  : 32:bind-utils-9.9.4-28.el7.x86_64
2/136
  Verifying  : 389-ds-base-libs-1.3.4.0-11.el7.x86_64
3/136
  Verifying  : pki-server-10.2.5-5.el7.noarch
4/136
  Verifying  : systemd-python-219-11.el7.x86_64
5/136
.
.
.


[root@cloud-qe-3 ~]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@cloud-qe-3 ~]# ipactl restart
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Job for named-pkcs11.service failed because the control process exited with
error code. See "systemctl status named-pkcs11.service" and "journalctl -xe"
for details.
Failed to start named Service
Shutting down
Aborting ipactl

[root@cloud-qe-3 ~]# systemctl status named-pkcs11 -l
? named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native
PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled;
vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2015-08-17 23:05:29 EDT; 34min
ago
  Process: 19865 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
(code=exited, status=1/FAILURE)
  Process: 19862 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" ==
"yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking
of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com named-pkcs11[19867]:
adjusted limit on open files from 4096 to 1048576
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com named-pkcs11[19867]:
found 4 CPUs, using 4 worker threads
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com named-pkcs11[19867]:
using 4 UDP listeners per interface
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com named-pkcs11[19867]:
using up to 4096 sockets
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com named-pkcs11[19867]:
ObjectStore.cpp(59): Failed to enumerate object store in
/var/lib/softhsm/tokens/
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com named-pkcs11[19867]:
SoftHSM.cpp(456): Could not load the object store
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com systemd[1]:
named-pkcs11.service: control process exited, code=exited status=1
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com systemd[1]: Failed to
start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com systemd[1]: Unit
named-pkcs11.service entered failed state.
Aug 17 23:05:29 cloud-qe-3.idmqe.lab.eng.bos.redhat.com systemd[1]:
named-pkcs11.service failed.

master:

  • 556e97b Server Upgrade: Start DS before CA is started.

ipa-4-2:

  • 9cb6018 Server Upgrade: Start DS before CA is started.

Metadata Update from @pvoborni:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.2.1

5 years ago

Login to comment on this ticket.

Metadata