On 12 June 2018 at 21:22:56, Simo Sorce (s...@redhat.com) wrote:

On Tue, 2018-06-12 at 12:15 -0700, Alessandro Perucchi via FreeIPA-users wrote:
> Hello everyone,
>
> We were using Freeipa on Fedora 24. And we are in the process to upgrade to
> Fedora 28.
> We have a cluster of 2 nodes (freeipa-01 and freeipa-02).
>
> I am trying to upgrade one server after the other, from one release to the
> next.
>
> Basically:
>
> freeipa-01 Fedora 24 -> Fedora 25
>
> freeipa-02 Fedora 24 -> Fedora 25
> freeipa-02 Fedora 25 -> Fedora 26
>
> freeipa-01 Fedora 25 -> Fedora 26
> freeipa-01 Fedora 26 -> Fedora 27
>
> freeipa-02 Fedora 26 -> Fedora 27
> freeipa-02 Fedora 27 -> Fedora 28
>
> freeipa-01 Fedora 27 -> Fedora 28
>
> Since Fedora doesn’t support to jump from one version to another, except
> one release at the time.
>
> My idea is to check that once a server is upgraded, then everything is
> stable, before going to the next server, and try to be as near as possible
> from a version point of view between the 2 freeipa node cluster.
>
> Today, I could upgrade without problems from Fedora 24 -> Fedora 25 on both
> nodes (freeipa-01 and freeipa-02).
>
> In trying to upgrade to Fedora 26, I got some problems, the main problem is
> that the upgrade of ldap 389 is not successful, and the one from IPA either.
> After investigating a long moment, I have found that ns-slapd listen only
> to IPv6, on UDP, and NOT on IPv4 and TCP.
>
> Here is what I have:
>
> [root@freeipa-02 lib]# lsof -Pni |grep slap
> ns-slapd 21005 dirsrv 9u IPv6 1617283379 0t0 UDP *:389
> ns-slapd 21005 dirsrv 77u IPv4 1617321218 0t0 TCP 10.100.0.102:60646->10.100.0.101:389 (ESTABLISHED)
> ns-slapd 21005 dirsrv 81u IPv4 1617317640 0t0 TCP 10.100.0.102:60648->10.100.0.101:389 (ESTABLISHED)
>
> So, I decided to look at the file dse.ldif, and found that the entry
> “nsslapd-port” was set to “0” and no “nsslapd-listenhost” was not set at
> all.
> I have then added the line
>
> nsslapd-listenhost: 0.0.0.0
>
> and changed the nsslapd-port to look like:
>
> nsslap-port: 389
>
> And after doing a
>
> systemctl stop dirsrv@DOM-LOCAL ; systemctl start dirsrv@DOM-LOCAL
>
> No changes… all modification on my dse.ldif were gone.
>
> I stopped again the dirsrv, did again my changes on dse.ldif, and run the
> following command:
>
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-DOM-LOCAL -i /var/run/dirsrv/slapd-DOM-LOCAL.pid
>
> and now, I have the following:
>
> [root@freeipa-02 updates]# lsof -Pni |grep 389
> ns-slapd 78507 dirsrv 10u IPv6 1681165214 0t0 UDP *:389
> ns-slapd 78507 dirsrv 11u IPv4 1681165216 0t0 TCP *:389 (LISTEN)
> ns-slapd 78507 dirsrv 114u IPv4 1684131928 0t0 TCP 10.100.0.102:389->10.100.0.110:36828 (ESTABLISHED)
>
> So my questions are:
> - how to change the dse.ldif file?

You have to stop ns-slapd before changing the file.

This is what I have done several times. Or have I… maybe not… I will try again.

> - Is there another way to ensure that the port that listen is TCP / 389 on
> IPv4?

The port was disabled during some upgrade operations, your situation meant some upgrade failed and that old version failed to set back the port in dse.ldif.
This is a bug and shouldn't happen in recent versions.

Does it mean that I need to upgrade to Fedora 28, and then try to upgrade FreeIPA?

> - Is there something that needs to be done between Fedora 25 and 26?

Is this upgrade bug repeatable? (keep in mind that F26 is practically EOL)

Yes, it is repeatable, since I am trying to do it since this 24 hours, and it drives me crazy… and nothing by googling seems to help!
I know this is EOL, or nearly… That’s also why we wanted to upgrade to the latest.

> Knowing that I will go to Fedora 28, is there something that I need to be
> aware of?

Yes, read this list's archives before you attempt F28 upgrades, you may have to use updates-testing as the GA bits were busted wrt replication for upgrades.

Ok, guess I have some reading to do :-D

> - Anything that can help me generally with my upgrade path?

In general your approach is ok, make backups :-)

Glad that I’m doing it right :-)
If you have any other approach, then I am also open to anything else.

Nevertheless thank you!
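A read-only check for the state discussed in this thread, as an added example that is not part of the original messages: it reads `nsslapd-port` and `nsslapd-listenhost` from the `cn=config` entry of `dse.ldif` and flags a port that is 0 or missing. The location of `dse.ldif` under `/etc/dirsrv/slapd-DOM-LOCAL/`, the function names and the sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report the LDAP listener settings that
# 389-ds stores in the cn=config entry of dse.ldif. Nothing is modified.

# dse_attr FILE ATTR: print the first value of ATTR in the cn=config entry.
# LDIF folds long lines; a continuation line starts with a single space.
dse_attr() {
    awk -v want="$2" '
        function flush(   sep, val) {
            if (line ~ /^dn:/) in_cfg = (tolower(line) ~ /^dn: *cn=config$/)
            else if (in_cfg && !done) {
                sep = index(line, ":")
                if (sep && tolower(substr(line, 1, sep - 1)) == tolower(want)) {
                    val = substr(line, sep + 1); sub(/^ +/, "", val)
                    print val; done = 1
                }
            }
            line = ""
        }
        /^ / { line = line substr($0, 2); next }   # unfold continuation
             { flush(); line = $0 }
        END  { flush() }
    ' "$1"
}

# check_listener FILE: 0 = TCP port configured, 1 = port is 0 or missing
# (the state described in the thread), 2 = file unreadable or value invalid.
check_listener() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    port=$(dse_attr "$1" nsslapd-port)
    host=$(dse_attr "$1" nsslapd-listenhost)
    case "$port" in
        ''|0)     echo "DISABLED nsslapd-port=${port:-unset}"; return 1 ;;
        *[!0-9]*) echo "INVALID nsslapd-port=$port"; return 2 ;;
        *)        echo "OK nsslapd-port=$port listenhost=${host:-unset}"; return 0 ;;
    esac
}

# Constructed sample of the broken state (not taken from a real server).
sample_dse() {
    printf '%s\n' 'dn: cn=config' 'cn: config' 'nsslapd-port: 0' \
        'nsslapd-rootdn: cn=Directory Man' ' ager' '' \
        'dn: cn=other,cn=config' 'nsslapd-port: 389'
}

# Usage (path is an assumption): sh check-dse.sh /etc/dirsrv/slapd-DOM-LOCAL/dse.ldif
if [ "$#" -gt 0 ]; then check_listener "$1"; fi
```

Running it before and after each release upgrade, and comparing the result with `lsof -Pni | grep slap`, shows whether an upgrade left the port disabled in the file or whether only the running process is affected.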