The nightly test test_caless.py::TestIPACommands::test_invoke_upgrader is failing, see for instance PR #1111 with the following logs and report:
self = <ipatests.test_integration.test_caless.TestIPACommands object at 0x7f61a30511c0>

    def test_invoke_upgrader(self):
        """Test that ipa-server-upgrade runs without error."""

>       self.master.run_command(['ipa-server-upgrade'], raiseonerr=True)

test_integration/test_caless.py:1284:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ipatests.pytest_ipa.integration.host.Host master.ipa.test (master)>
argv = ['ipa-server-upgrade'], set_env = True, stdin_text = None
log_stdout = True, raiseonerr = True, cwd = None, bg = False, encoding = 'utf-8'
ok_returncode = 0

    def run_command(self, argv, set_env=True, stdin_text=None,
                    log_stdout=True, raiseonerr=True,
                    cwd=None, bg=False, encoding='utf-8', ok_returncode=0):
        """Wrapper around run_command to log stderr on raiseonerr=True

        :param ok_returncode: return code considered to be correct,
                              you can pass an integer or sequence of integers
        """
        result = super().run_command(
            argv, set_env=set_env, stdin_text=stdin_text,
            log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
            encoding=encoding
        )
        # in FIPS mode SSH may print noise to stderr, remove the string
        # "FIPS mode initialized" + optional newline.
        result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
        try:
            result_ok = result.returncode in ok_returncode
        except TypeError:
            result_ok = result.returncode == ok_returncode
        if not result_ok and raiseonerr:
            result.log.error('stderr: %s', result.stderr_text)
>           raise subprocess.CalledProcessError(
                result.returncode, argv,
                result.stdout_text, result.stderr_text
            )
E           subprocess.CalledProcessError: Command '['ipa-server-upgrade']' returned non-zero exit status 1.

pytest_ipa/integration/host.py:202: CalledProcessError
------------------------------Captured stderr call------------------------------
ipa: ERROR: stderr: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Set OpenSSL engine for BIND]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA is not configured
[Update certmonger certificate renewal configuration]
CA is not configured
[Enable PKIX certificate path discovery and validation]
CA is not configured
[Authorizing RA Agent to modify profiles]
CA is not configured
[Authorizing RA Agent to manage lightweight CAs]
CA is not configured
[Ensuring Lightweight CAs container exists in Dogtag database]
CA is not configured
[Adding default OCSP URI configuration]
CA is not configured
[Disabling cert publishing]
CA is not configured
[Ensuring CA is using LDAPProfileSubsystem]
CA is not configured
[Ensuring presence of included profiles]
CA is not configured
[Add default CA ACL]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root@IPA.TEST alias to admin account]
Alias already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NotFound: no such entry
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The test is installing a CA-less server and calling the upgrader. ipa-server-upgrade fails in the step add_agent_to_security_domain_admins (from ipaupgrade.log):
2021-08-17T00:22:08Z DEBUG add_entry_to_group: dn=uid=ipara,ou=People,o=ipaca group_dn=cn=Security Domain Administrators,ou=groups,o=ipaca member_attr=uniqueMember
2021-08-17T00:22:08Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-08-17T00:22:08Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1975, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1850, in upgrade_configuration
    add_agent_to_security_domain_admins()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1165, in add_agent_to_security_domain_admins
    api.Backend.ldap2.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/ldap2.py", line 420, in add_entry_to_group
    entry = self.get_entry(dn, [''])
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1934, in get_entry
    return super(LDAPCache, self).get_entry(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1644, in get_entry
    entries = self.get_entries(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1455, in get_entries
    entries, truncated = self.find_entries(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1596, in find_entries
    break
  File "/usr/lib64/python3.9/contextlib.py", line 135, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1099, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
The add_agent_to_security_domain_admins upgrade plugin was added recently, in commit db69855. It does not need to be called in CA-less env.
@rcritten can you have a look? Thanks
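An added illustration of the failure reported above and of skipping the step on a CA-less server; it is not FreeIPA's code and not the fix from the linked pull request. `FakeDirectory`, `add_agent_unguarded` and `add_agent_guarded` are hypothetical names and the directory contents are constructed; only the two DNs and the `uniqueMember` attribute come from the log.

```python
class NotFound(Exception):
    """Stand-in for the NotFound error seen in ipaupgrade.log."""


class FakeDirectory:
    """In-memory stand-in for the LDAP backend: DN -> {attribute: [values]}."""

    def __init__(self, entries):
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}

    def get_entry(self, dn):
        try:
            return self.entries[dn.lower()]
        except KeyError:
            raise NotFound("no such entry") from None

    def add_entry_to_group(self, dn, group_dn, member_attr):
        self.get_entry(dn)  # the member entry is looked up first, as in the traceback
        members = self.get_entry(group_dn).setdefault(member_attr, [])
        if dn in members:
            return False
        members.append(dn)
        return True


# DNs as logged by add_entry_to_group in the report.
USER_DN = "uid=ipara,ou=People,o=ipaca"
GROUP_DN = "cn=Security Domain Administrators,ou=groups,o=ipaca"


def add_agent_unguarded(directory):
    """Reported behaviour: the step always touches the o=ipaca subtree."""
    return directory.add_entry_to_group(USER_DN, GROUP_DN, "uniqueMember")


def add_agent_guarded(directory, ca_configured):
    """Skip the step when no CA is configured; stay idempotent otherwise."""
    if not ca_configured:
        return "skipped: CA is not configured"
    added = directory.add_entry_to_group(USER_DN, GROUP_DN, "uniqueMember")
    return "added" if added else "already a member"


# Constructed sample data: the CA-less directory has no o=ipaca entries at all.
caless = FakeDirectory({"uid=admin,cn=users,cn=accounts,dc=ipa,dc=test": {}})
with_ca = FakeDirectory({USER_DN: {}, GROUP_DN: {"uniqueMember": []}})
```

On the CA-less directory the unguarded step raises `NotFound: no such entry`, the same error the upgrader reports, while the guarded step returns without querying the directory.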
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/5980
master:
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1740702
ipa-4-9:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)