Ticket was cloned from Red Hat Bugzilla: Bug 1582091
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
ipa-restore fails on newly installed system.

Version-Release number of selected component (if applicable):
RHEL7.5

How reproducible:
100%

    # ipa-restore /var/lib/ipa/backup/ipa-full-2018-05-18-08-31-48/ --log-file /var/lib/ipa/backup/restore.log
    Directory Manager (existing master) password:
    Preparing restore from /var/lib/ipa/backup/ipa-full-2018-05-18-08-31-48/ on ipa1.example.local
    Performing FULL restore from FULL backup
    Restoring data will overwrite existing live data. Continue to restore? [no]: yes
    Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
    Disabling all replication.
    Unable to get connection, skipping disabling agreements: directory server instance is not running/configured
    Stopping IPA services
    Configuring certmonger to stop tracking system certificates for CA
    Restoring files
    Systemwide CA database updated.
    Restoring from userRoot in EXAMPLE-LOCAL
    Restoring from ipaca in EXAMPLE-LOCAL
    Restarting GSS-proxy
    Starting IPA services
    Command 'ipactl start' returned non-zero exit status 1
    The ipa-restore command failed. See /var/log/iparestore.log for more information

Hence, /etc/tmpfiles.d/ipa.conf needs to be created.

    cat /etc/tmpfiles.d/ipa.conf
    d /var/run/ipa 0711 root root
    d /var/run/ipa/ccaches 0770 ipaapi ipaapi

    [root@ipa1 ~]# ls -ld /var/run/ipa /var/run/ipa/ccaches
    drwx--x--x. 3 root root 60 18 mei 09:03 /var/run/ipa
    drwxrwx---. 2 ipaapi ipaapi 40 18 mei 09:03 /var/run/ipa/ccaches

    [root@ipa1 ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2018-05-18-08-31-48/ --log-file /var/lib/ipa/backup/restore.log
    Directory Manager (existing master) password:
    Preparing restore from /var/lib/ipa/backup/ipa-full-2018-05-18-08-31-48/ on ipa1.example.local
    Performing FULL restore from FULL backup
    Restoring data will overwrite existing live data. Continue to restore? [no]: yes
    Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
    Disabling all replication.
    Unable to get connection, skipping disabling agreements: directory server instance is not running/configured
    Stopping IPA services
    Configuring certmonger to stop tracking system certificates for CA
    Restoring files
    Systemwide CA database updated.

So: creating /etc/tmpfiles.d/ipa.conf manually should be added to the documentation OR should be added to ipa-backup/restore

    Restoring from userRoot in EXAMPLE-LOCAL
    Restoring from ipaca in EXAMPLE-LOCAL
    Restarting GSS-proxy
    Starting IPA services
    Restarting SSSD
    The ipa-restore command was successful
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1582091
This issue happens on the 4.5 release only and needs a specific fix (on 4.6 branch it was fixed by ticket https://pagure.io/freeipa/issue/7053 and commit a2de6a1).
The fix needs to ensure that /etc/tmpfiles.d/ipa.conf is backed up and restored. This file is read by systemd-tmpfiles and contains a list of directories to be created (/var/run/ipa and /var/run/ipa/ccaches) in volatile filesystems, ensuring that the dirs will be present when the services need them.
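A post-restore check for the directories discussed above, added here as an example (it is not part of the ticket or of FreeIPA's code). It parses the `d` lines of a tmpfiles.d file and reports directories that are missing or whose mode or ownership differs. The function names and the `root` parameter are assumptions, and only `d` lines with an explicit mode, user and group are handled.

```python
import grp
import os
import pwd
import stat

# Constructed sample: the two entries quoted in the ticket description.
IPA_TMPFILES = """\
d /var/run/ipa 0711 root root
d /var/run/ipa/ccaches 0770 ipaapi ipaapi
"""

def parse_tmpfiles(text):
    """Return (path, mode, user, group) for each fully specified 'd' line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "d" and fields[2] != "-":
            entries.append((fields[1], int(fields[2], 8), fields[3], fields[4]))
    return entries

def _name(lookup, ident, attr):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return getattr(lookup(ident), attr)
    except KeyError:
        return str(ident)

def audit(entries, root="/"):
    """Compare entries with the filesystem under root; return (path, problem)."""
    problems = []
    for path, mode, user, group in entries:
        try:
            st = os.stat(os.path.join(root, path.lstrip("/")))
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            problems.append((path, "mode %04o, expected %04o" % (actual, mode)))
        owner = (_name(pwd.getpwuid, st.st_uid, "pw_name"),
                 _name(grp.getgrgid, st.st_gid, "gr_name"))
        if owner != (user, group):
            problems.append((path, "owner %s:%s, expected %s:%s" % (owner + (user, group))))
    return problems

if __name__ == "__main__":
    for path, problem in audit(parse_tmpfiles(IPA_TMPFILES)):
        print(path, problem)
```

On a restored master, pass the contents of /etc/tmpfiles.d/ipa.conf to `parse_tmpfiles`; an empty result from `audit` means both directories exist with the expected mode and ownership.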
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.5.5
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2248
ipa-4-5:
Metadata Update from @tdudlak: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)