On 06/27/2013 12:32 PM, Jan Cholasta wrote: > On 26.6.2013 14:03, Tomas Babej wrote: >> On 06/19/2013 10:31 AM, Petr Vobornik wrote: >>> On 06/19/2013 10:13 AM, Martin Kosek wrote: >>>> Entitlements code was not tested nor supported upstream since >>>> version 3.0. Remove the associated code. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3739 >>>> >>>> ---- >>>> >>>> As agreed on Triage meeting, I plan to push this patch to ipa-3-2 and >>>> master >>>> branches. >>>> >>>> Martin >>>> >>> >>> >>> ACK on Web UI part. >> >> ACK on the IPA part >> >> Tomas >> > > ipa-upgradeconfig fails for me when upgrading from version with entitlement > plugin to version without entitlement plugin: > > 2013-06-26T22:22:43Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with > options: {'debug': False, 'quiet': True} > 2013-06-26T22:22:43Z DEBUG Loading Index file from > '/var/lib/ipa/sysrestore/sysrestore.index' > 2013-06-26T22:22:43Z DEBUG importing all plugin modules in > '/usr/lib/python2.7/site-packages/ipalib/plugins'... > <snip> > 2013-06-26T22:22:43Z DEBUG importing plugin module > '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py' > 2013-06-26T22:22:43Z DEBUG File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line > 614, > in run_script > return_value = main_function() > > File "/usr/sbin/ipa-upgradeconfig", line 872, in main > api.finalize() > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 674, in > finalize > self.__do_if_not_done('load_plugins') > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 454, in > __do_if_not_done > getattr(self, name)() > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 613, in > load_plugins > self.import_plugins('ipalib') > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 655, in > import_plugins > __import__(fullname) > > File "/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py", line 180, > in <module> > class entitle(LDAPObject): > > File "/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py", line 184, > in entitle > container_dn = api.env.container_entitlements > > 2013-06-26T22:22:43Z DEBUG The ipa-upgradeconfig command failed, exception: > AttributeError: 'Env' object has no attribute 'container_entitlements' > > Honza >
This happens because we run ipa-upgradeconfig in %post while there was still entitlements plugin. I think that clean solution for this plugin (and also for other future occurrences of this issue) is to run upgrade/server restart process only in %posttrans. In the end, I iterated to the attached patch. With this spec change, I was able to upgrade from FreeIPA 3.2 to current master version without any entitlements related upgrade error. Adding Alexander and Rob to CC to double-check this upgrade-related change, I want to be sure I didn't do something stupid. Martin
From 4c0f2dafdd24941c560ec463d92c44ff6a772196 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Thu, 27 Jun 2013 15:37:05 +0200 Subject: [PATCH] Run server upgrade and restart in posttrans Running server upgrade or restart in %post or %postun may cause issues when there are still parts of old FreeIPA software (like entitlements plugin). https://fedorahosted.org/freeipa/ticket/3739 --- freeipa.spec.in | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fcbad3e975108ec5b9265a05600fc3f36b6a2cd6..9f7146e4ae371cd3c55d1a9c2be7b2eb10c1aefe 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -467,13 +467,22 @@ rm -rf %{buildroot} # END if [ $1 -gt 1 ] ; then /bin/systemctl condrestart certmonger.service 2>&1 || : - /usr/sbin/ipa-upgradeconfig --quiet >/dev/null || : fi %posttrans server # This must be run in posttrans so that updates from previous # execution that may no longer be shipped are not applied. /usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || : +/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || : + +# Restart IPA processes. This must be also run in postrans so that plugins +# and software is in consistent state +python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils. is_ipa_configured() else 1);" > /dev/null 2>&1 +# NOTE: systemd specific section +if [ $? -eq 0 ]; then + /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || : +fi +# END %preun server if [ $1 = 0 ]; then @@ -483,14 +492,6 @@ if [ $1 = 0 ]; then # END fi -%postun server -if [ "$1" -ge "1" ]; then -# NOTE: systemd specific section - /bin/systemctl --quiet is-active ipa.service >/dev/null && \ - /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || : -# END -fi - %pre server # Stop ipa_kpasswd if it exists before upgrading so we don't have a # zombie process when we're done. @@ -510,6 +511,8 @@ fi %post server-trust-ad %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 + +%posttrans server-trust-ad python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section @@ -815,6 +818,10 @@ fi %endif # ! %{ONLY_CLIENT} %changelog +* Thu Jun 27 2013 Martin Kosek <mko...@redhat.com> - 3.2.99-3 +- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency + issues when there are still old parts of software (like entitlements plugin) + * Mon Jun 17 2013 Petr Viktorin <pvikt...@redhat.com> - 3.2.99-2 - Add the freeipa-tests subpackage -- 1.8.1.4
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel