When upgrading IPA server from 4.2.3-2 to current master and running {{{ipa-dns-install --dnssec-master}}}, the installation fails:
{{{
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up CA record
  [5/8]: setting up kerberos principal
  [6/8]: setting up named.conf
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter)
  [1/6]: checking status
  [2/6]: setting up DNS Key Exporter
  [3/6]: setting up kerberos principal
  [4/6]: disabling default signer daemon
  [5/6]: starting DNS Key Exporter
  [6/6]: configuring DNS Key Exporter to start on boot
Done configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter).
Configuring OpenDNSSEC enforcer daemon (ods-enforcerd)
  [1/8]: checking status
  [2/8]: setting up configuration files
  [3/8]: setting up ownership and file mode bits
  [4/8]: generating master key
  [5/8]: setting up OpenDNSSEC
  [6/8]: setting up ipa-dnskeysyncd
  [7/8]: starting OpenDNSSEC enforcer
  [error] CalledProcessError: Command '/bin/systemctl restart ods-enforcerd.service' returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart ods-enforcerd.service' returned non-zero exit status 1
}}}
It looks like the daemon has trouble reading data from kasp.db:
{{{
Jan 07 09:52:06 master1.ipa.test systemd[1]: Starting OpenDNSSEC Enforcer daemon...
-- Subject: Unit ods-enforcerd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ods-enforcerd.service has begun starting up.
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24670]: opendnssec starting...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24670]: opendnssec Parent exiting...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24670]: OpenDNSSEC ods-enforcerd started (version 1.4.7), pid 24671
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: opendnssec forked OK...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: group set to: ods (992)
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: user set to: ods (995)
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: opendnssec started (version 1.4.7), pid 24671
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: HSM opened successfully.
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: Checking database connection...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: ERROR: error executing SQL - no such table: dbadmin
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: Database connection failed
Jan 07 09:52:06 master1.ipa.test systemd[1]: ods-enforcerd.service: PID file /var/run/opendnssec/enforcerd.pid not readable (yet?) after start: No such file or directory
Jan 07 09:52:06 master1.ipa.test systemd[1]: Failed to start OpenDNSSEC Enforcer daemon.
-- Subject: Unit ods-enforcerd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ods-enforcerd.service has failed.
--
-- The result is failed.
Jan 07 09:52:06 master1.ipa.test systemd[1]: ods-enforcerd.service: Unit entered failed state.
}}}
Indeed, /var/opendnssec/kasp.db file exists, but is empty:
{{{
[root@master1 ~]# ls -l /var/opendnssec/kasp.db
-rw-rw----. 1 ods ods 0 Jan 7 09:35 /var/opendnssec/kasp.db
}}}
Steps to reproduce:
1.) install 4.2.3-2 IPA master with DNS
2.) upgrade master to current git version
3.) run {{{ipa-dns-install}}} to promote server to DNSSEC keymaster
Expected result:
DNSSEC daemons are configured successfully.
Actual result:
DNSSEC setup fails because ods-enforcerd fails to start
This is caused by the same root cause as the bug #5574
Metadata Update from @mbabinsk: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
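The manual diagnosis in this ticket (the "no such table: dbadmin" log line, then {{{ls -l}}} showing a zero-byte file) can be done as one read-only pre-flight check before restarting ods-enforcerd. This is an added example, not part of the ticket or of FreeIPA/OpenDNSSEC code; it assumes the enforcer uses the SQLite backend, and the function names and the sample table columns are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

KASP_DB = "/var/opendnssec/kasp.db"   # path taken from the ticket
REQUIRED_TABLE = "dbadmin"            # table named in the enforcer's error


def kasp_db_state(path=KASP_DB, table=REQUIRED_TABLE):
    """Return 'missing', 'empty', 'not-sqlite', 'no-table' or 'ok'."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    if p.stat().st_size == 0:
        return "empty"                # the state shown by ls -l in the ticket
    uri = p.resolve().as_uri() + "?mode=ro"   # read-only: never create or modify
    try:
        conn = sqlite3.connect(uri, uri=True)
        try:
            row = conn.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                (table,),
            ).fetchone()
        finally:
            conn.close()
    except sqlite3.DatabaseError:     # e.g. "file is not a database"
        return "not-sqlite"
    return "ok" if row else "no-table"


def demo():
    """Classify constructed sample files (schemas are illustrative only)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["absent"] = kasp_db_state(os.path.join(d, "absent.db"))
        empty = os.path.join(d, "empty.db")
        open(empty, "w").close()      # zero-byte file, as in the ticket
        results["empty"] = kasp_db_state(empty)
        for name, ddl in (("other", "CREATE TABLE zones (id INTEGER)"),
                          ("good", "CREATE TABLE dbadmin (version INTEGER)")):
            f = os.path.join(d, name + ".db")
            conn = sqlite3.connect(f)
            conn.execute(ddl)
            conn.commit()
            conn.close()
            results[name] = kasp_db_state(f)
    return results
```

Run as the {{{ods}}} user or root, since the file in the ticket is mode 0660 and owned by ods:ods.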