On 12 June 2018 at 21:22:56, Simo Sorce (s...@redhat.com) wrote:
On Tue, 2018-06-12 at 12:15 -0700, Alessandro Perucchi via FreeIPA-
> Hello everyone,
> We were using FreeIPA on Fedora 24. And we are in the process to upgrade
> Fedora 28.
> We have a cluster of 2 nodes (freeipa-01 and freeipa-02).
> I am trying to upgrade one server after the other, from one release to the
> freeipa-01 Fedora 24 -> Fedora 25
> freeipa-02 Fedora 24 -> Fedora 25
> freeipa-02 Fedora 25 -> Fedora 26
> freeipa-01 Fedora 25 -> Fedora 26
> freeipa-01 Fedora 26 -> Fedora 27
> freeipa-02 Fedora 26 -> Fedora 27
> freeipa-02 Fedora 27 -> Fedora 28
> freeipa-01 Fedora 27 -> Fedora 28
> Since Fedora doesn’t support jumping from one version to another, except
> one release at a time.
> My idea is to check that once a server is upgraded, then everything is
> stable, before going to the next server, and try to be as near as possible
> from a version point of view between the 2 freeipa node cluster.
> Today, I could
> upgrade without problems from Fedora 24 -> Fedora 25 on both nodes
> (freeipa-01 and freeipa-02).
> In trying to upgrade to Fedora 26, I got some problems, the main problem
> that the upgrade of ldap 389 is not successful, and the one from IPA
> After investigating a long moment, I have found that ns-slapd listens only
> to IPv6, on UDP, and NOT on IPv4 and TCP.
> Here is what I have:
> [root@freeipa-02 lib]# lsof -Pni |grep slap
> ns-slapd 21005 dirsrv 9u IPv6 1617283379 0t0 UDP *:389
> ns-slapd 21005 dirsrv 77u IPv4 1617321218 0t0 TCP 10.100.0.102:60646->10.100.0.101:389 (ESTABLISHED)
> ns-slapd 21005 dirsrv 81u IPv4 1617317640 0t0 TCP 10.100.0.102:60648->10.100.0.101:389 (ESTABLISHED)
> So, I decided to look at the file dse.ldif, and found that the entry
> “nsslapd-port” was set to “0” and no “nsslapd-listenhost” was not set at
> I have then added the line
> nsslapd-listenhost: 0.0.0.0
> and changed the nsslapd-port to look like:
> nsslap-port: 389
> And after doing a
> systemctl stop dirsrv@DOM-LOCAL ; systemctl start dirsrv@DOM-LOCAL
> No changes… all modifications to my dse.ldif were gone.
> I stopped the dirsrv again, made my changes to dse.ldif again, and ran the
> following command:
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-DOM-LOCAL -i
> and now, I have the following:
> [root@freeipa-02 updates]# lsof -Pni |grep 389
> ns-slapd 78507 dirsrv 10u IPv6 1681165214 0t0 UDP *:389
> ns-slapd 78507 dirsrv 11u IPv4 1681165216 0t0 TCP *:389 (LISTEN)
> ns-slapd 78507 dirsrv 114u IPv4 1684131928 0t0 TCP 10.100.0.102:389->10.100.0.110:36828 (ESTABLISHED)
> So my questions are:
> - how to change the dse.ldif file?
You have to stop ns-slapd before changing the file.
This is what I have done several times. Or have I… maybe not…
I will try again.
> - Is there another way to ensure that the port that listens is TCP / 389
The port was disabled during some upgrade operations, your situation
meant some upgrade failed and that old version failed to set back the
port in dse.ldif
This is a bug and shouldn't happen in recent versions.
Does it mean that I need to upgrade to Fedora 28, and then try to upgrade
> - Is there something that needs to be done between Fedora 25 and 26?
Is this upgrade bug repeatable? (keep in mind that F26 is practically
Yes, it is repeatable, since I have been trying to do it for the last 24 hours, and
it drives me crazy… and nothing by googling seems to help!
I know this is EOL, or nearly… That’s also why we wanted to upgrade to the
> Knowing that I will go to Fedora 28, is there something that I need to be
> aware of?
Yes, read this list's archives before you attempt F28 upgrades, you may
have to use updates-testing as the GA bits were busted wrt replication
Ok, guess I have some reading to do :-D
> - Anything that can help me generally with my upgrade path?
In general your approach is ok, make backups :-)
Glad that I’m doing it right :-)
If you have any other approach, then I am also open to anything else.
Nevertheless thank you!
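
As an added example (not part of the original thread or of FreeIPA's own tooling), a small check that reads dse.ldif and reports whether the cn=config entry was left with the LDAP port disabled, the state described above. The sample LDIF is constructed; pass the real file (in the thread's setup it would sit under /etc/dirsrv/slapd-DOM-LOCAL) as the first argument.

```python
import sys
# Constructed sample: cn=config as the thread describes it after the failed upgrade.
SAMPLE_BROKEN = """\
dn: cn=config
nsslapd-rootdn: cn=Directory Mana
 ger
nsslapd-port: 0

dn: cn=example,cn=config
nsslapd-port: 389
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def config_entry(text):
    """Return the attributes of the cn=config entry only, as {name: [values]}."""
    attrs, in_config = {}, False
    for line in unfold(text):
        if not line.strip() and in_config:
            break                          # blank line ends the cn=config entry
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue                       # comment, or blank line between entries
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            in_config = value.lower() == "cn=config"
        elif in_config:
            attrs.setdefault(name, []).append(value)
    return attrs

def check_listener(text):
    """Return (ok, message) for the LDAP port setting in dse.ldif text."""
    attrs = config_entry(text)
    port = attrs.get("nsslapd-port", [None])[0]
    host = attrs.get("nsslapd-listenhost", ["(not set)"])[0]
    if port is None:
        return False, "nsslapd-port missing from cn=config"
    if not port.isdigit() or int(port) == 0:
        return False, f"nsslapd-port is {port!r}: standard LDAP port not enabled"
    return True, f"nsslapd-port {port}, nsslapd-listenhost {host}"

if __name__ == "__main__":  # usage: script.py /path/to/dse.ldif
    print(check_listener(open(sys.argv[1]).read() if sys.argv[1:] else SAMPLE_BROKEN))
```

A misspelled attribute name in cn=config is reported as a missing nsslapd-port, since only the exact attribute is read.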