When upgrading a pre-4.4 replica which has no IPA DNS configured (there is an IPA DNS server in the topology) to 4.4.2 (or ipa-4.4.0-12.el7), the upgrade erroneously tries to restart named-pkcs11 and fails:
2016-11-22T14:12:02Z DEBUG args=/bin/systemctl start named-pkcs11.service
2016-11-22T14:12:02Z DEBUG Process finished, return code=1
2016-11-22T14:12:02Z DEBUG stdout=
2016-11-22T14:12:02Z DEBUG stderr=Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.
2016-11-22T14:12:02Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-11-22T14:12:02Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1867, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1725, in upgrade_configuration
    bind.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 345, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 285, in start
    skip_output=not capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 515, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
2016-11-22T14:12:02Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: Command '/bin/systemctl start named-pkcs11.service' returned non-zero exit status 1
2016-11-22T14:12:02Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start named-pkcs11.service' returned non-zero exit status 1
2016-11-22T14:12:02Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Upon further inspection the failure was tracked down to the following piece of code, which checks whether bind is configured and running: https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/server/upgrade.py?h=ipa-4-4#n1722
The issue is that the following content is dumped into sysrestore.state even if DNS is not configured on the replica:
[named]
dns_record_0_0 = SRV _ldap._tcp 0 100 389 replica1
dns_record_0_1 = SRV _kerberos._tcp 0 100 88 replica1
dns_zone_0 = ipa.test
dns_record_0_3 = SRV _kerberos-master._tcp 0 100 88 replica1
dns_record_0_2 = SRV _kerberos._udp 0 100 88 replica1
dns_record_0_5 = SRV _kpasswd._tcp 0 100 464 replica1
dns_record_0_4 = SRV _kerberos-master._udp 0 100 88 replica1
dns_record_0_7 = SRV _ntp._udp 0 100 123 replica1
dns_record_0_6 = SRV _kpasswd._udp 0 100 464 replica1
Since the StateFile.has_state logic just checks for the presence of the section in the state file, it erroneously thinks that named is configured, hence the error.
We need to either fix StateFile to actually search for enabled=True to decide whether the service was enabled, or fix BindInstance to not dump zone info into the state file.
Steps to reproduce:
1.) install 4.2 or 4.3 master w/ DNS
2.) create a replica from the master w/o DNS
3.) upgrade master to IPA v4.4
4.) now try to update the replica to the same version
Expected results:
The replica upgrades successfully
Actual results:
The upgrade fails with the following error:
Cleanup : freeipa-common-4.3.2-2.fc24.noarch 19/19
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start named-pkcs11.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
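The difference between the section-presence check described in this ticket and the stricter enabled=True check it proposes, as an added example that is not FreeIPA's own code. The helper names, the Python 3 configparser parsing, the trimmed sample contents and the `enabled`/`running` key layout are assumptions for illustration.

```python
import configparser

# Constructed sample modelled on the [named] section quoted in the ticket:
# zone data was dumped, but DNS was never configured on this replica.
REPLICA_STATE = """\
[named]
dns_zone_0 = ipa.test
dns_record_0_0 = SRV _ldap._tcp 0 100 389 replica1
dns_record_0_1 = SRV _kerberos._tcp 0 100 88 replica1
"""

# Constructed sample for a server with DNS configured (key layout assumed).
DNS_SERVER_STATE = """\
[named]
enabled = True
running = True
dns_zone_0 = ipa.test
"""


def load_state(text):
    """Parse state-file text; RawConfigParser avoids '%' interpolation."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser


def has_state_by_section(parser, module):
    """Behaviour described in the ticket: only section presence is checked."""
    return parser.has_section(module)


def is_service_configured(parser, module):
    """Stricter check proposed in the ticket: require enabled=True."""
    if not parser.has_section(module):
        return False
    value = parser.get(module, "enabled", fallback="")
    return value.strip().lower() == "true"


if __name__ == "__main__":
    for name, text in (("replica without DNS", REPLICA_STATE),
                       ("server with DNS", DNS_SERVER_STATE)):
        state = load_state(text)
        print(name,
              "section present:", has_state_by_section(state, "named"),
              "configured:", is_service_configured(state, "named"))
```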
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1401088
master:
ipa-4-4:
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.4.3