#7440 ipa-restore should delete /etc/httpd/conf.d/nss.conf
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

Issue

ipa-restore does not remove /etc/httpd/conf.d/nss.conf, and this file prevents a successful restart of IPA services (especially the httpd server).

Steps to Reproduce

  1. ipa-server-install
  2. ipa-backup
  3. ipa-server-install --uninstall -U
  4. ipa-restore <path_to_backup>

Actual behavior

ipa-restore fails with the following output:

/usr/sbin/ipa-restore  /var/lib/ipa/backup/ipa-full-2018-03-12-15-13-59
Directory Manager (existing master) password: 

Preparing restore from /var/lib/ipa/backup/ipa-full-2018-03-12-15-13-59 on vm-master.example.com
Performing FULL restore from FULL backup
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Unable to get connection, skipping disabling agreements: directory server instance is not running/configured
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Restoring files
Systemwide CA database updated.
Restoring from userRoot in EXAMPLE-COM
Restoring from ipaca in EXAMPLE-COM
Restarting GSS-proxy
Starting IPA services
Restoring umask to 18
CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: 'Existing service file detected!\nAssuming stale, cleaning and proceeding\nFailed to start httpd Service\nShutting down\nHint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed\nAborting ipactl\n')
The ipa-restore command failed. See /var/log/iparestore.log for more information

and httpd fails to start with the following logs in /var/log/httpd/error_log:

[Mon Mar 12 15:52:33.823088 2018] [:error] [pid 33958:tid 139813689901056] Server user apache lacks read access to NSS key database /etc/httpd/alias/key3.db.

Expected behavior

ipa-restore should remove /etc/httpd/conf.d/nss.conf and allow IPA services to restart.

Version/Release/Distribution

freeipa-master hash 5a6a762fb9d87af6752d3fcdfe309f08804a70b3


Metadata Update from @frenaud:
- Issue assigned to frenaud

6 years ago

What happens is that during uninstall, we are restoring mod_nss configuration but we're not removing it on ipa-restore.
We can remove all mod_nss conf restoring on uninstall and add mod_nss to our Conflicts in the .spec file, but that would break the configuration of people who would like to use mod_nss for their virtual host.
The other solution is just calling httpinstance.disable_nss_conf() on ipa-restore.

master:

  • 105e774 ipa-restore: remove /etc/httpd/conf.d/nss.conf
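
A post-restore check for the condition this ticket describes, as an added example that is not part of the ticket or of FreeIPA's code. The function names are hypothetical, and treating a missing, empty or comment-only nss.conf as harmless is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: detect a leftover mod_nss configuration after ipa-restore.
# The default conf.d path is the one named in the ticket; the function
# names are hypothetical and not part of FreeIPA.

# Print the active (non-blank, non-comment) lines of nss.conf in directory $1.
# Returns 0 if at least one active directive exists, 1 if the file is
# missing, empty, or contains only comments (assumed harmless here).
active_nss_directives() {
    conf="$1/nss.conf"
    [ -f "$conf" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$conf"
}

# Report on a conf.d directory (default: /etc/httpd/conf.d).
# Returns 1 when a stale mod_nss configuration would still be loaded by httpd.
check_nss_conf() {
    dir="${1:-/etc/httpd/conf.d}"
    if directives=$(active_nss_directives "$dir"); then
        echo "STALE: $dir/nss.conf still carries mod_nss directives:"
        echo "$directives" | sed 's/^/    /'
        return 1
    fi
    echo "OK: no active mod_nss configuration in $dir"
    return 0
}
```

Source the file and call `check_nss_conf` after ipa-restore and before `ipactl start`; a STALE result points at the file this ticket is about.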

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
