Giovanni Bechis via FreeIPA-users wrote:
> On 5/4/21 7:44 PM, Rob Crittenden via FreeIPA-users wrote:
>> Giovanni Bechis wrote:
>>> On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users
>>> wrote:
>>>> Giovanni Bechis via FreeIPA-users wrote:
>>>>>
>>>>> Hi,
>>>>> running latest FreeIPA upgrade I encountered an error and the freeipa
>>>>> upgrade failed.
>>>>>
>>>>> The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain
>>>>> section but it fails even if /etc/sssd.conf
>>>>> has those options set.
>>>>> Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf
>>>>> file is the following:
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------
>>>>> [sssd]
>>>>> domains = domain.tld
>>>>> config_file_version = 2
>>>>> services = nss, ifp, pam, ssh
>>>>>
>>>>> [domain/domain.tld]
>>>>> id_provider = ldap
>>>>> auth_provider = ldap
>>>>> chpass_provider = ldap
>>>>> ldap_uri = ldaps://srv.domain.tld
>>>>> ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld
>>>>> ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld
>>>>> ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld
>>>>> ldap_default_authtok = XXX
>>>>> ldap_id_use_start_tls = True
>>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>>> ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
>>>>> ldap_tls_reqcert = allow
>>>>> ldap_user_ssh_public_key = ipaSshPubKey
>>>>> cache_credentials = True
>>>>> enumerate = True
>>>>>
>>>>> [ifp]
>>>>> allowed_uids = ipaapi, root
>>>>> -------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> I am using FreeIPA only as an ldap web gui, all my services are using
>>>>> ldaps protocol.
>>>>> By commenting the relevant lines in
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py"
>>>>> the upgrade proceeds and all works fine.
>>>>>
>>>>> Is there any way to prevent the upgrade script from crashing every time?
>>>>
>>>> We need more specific information on what you mean by crash. Seeing the
>>>> upgrade log would help.
>>>>
>>> Sorry, I forgot that part.
>>> Even if I add ipa_server and ipa_server_mode to sssd.conf the error doesn't
>>> change.
>>> Commenting the following lines in upgrade.py is a workaround that makes ipa
>>> start and all services work:
>>> domain.set_option('ipa_server_mode', 'True')
>>> domain.set_option('ipa_server', api.env.host)
>>>
>>>
>>> 2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect
>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>> 2021-05-04T07:46:41Z DEBUG File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
>>> execute
>>> return_value = self.run()
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>> line 54, in run
>>> server.upgrade()
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>> line 2177, in upgrade
>>> upgrade_configuration()
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>> line 2066, in upgrade_configuration
>>> sssd_update()
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>> line 1433, in sssd_update
>>> domain.set_option('ipa_server_mode', 'True')
>>> File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line
>>> 1204, in set_option
>>> (self.name, option))
>>>
>>> 2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed,
>>> exception: NoOptionError: Section [domain.tld] has no option
>>> [ipa_server_mode]
>>> 2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log
>>> for details:
>>> NoOptionError: Section [domain.tld] has no option [ipa_server_mode]
>>
>> It's failing because your id_provider is not ipa.
>>
> thanks,
> after setting id_provider=ipa it fails in a different way:
>
> 2021-05-05T07:24:14Z DEBUG stderr=
> 2021-05-05T07:24:14Z INFO [Verifying that CA proxy configuration is correct]
> 2021-05-05T07:24:14Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2021-05-05T07:24:14Z DEBUG Proxy configuration up-to-date
> 2021-05-05T07:24:14Z DEBUG Starting external process
> 2021-05-05T07:24:14Z DEBUG args=pki-server subsystem-show kra
> 2021-05-05T07:24:14Z DEBUG Process finished, return code=1
> 2021-05-05T07:24:14Z DEBUG stdout=ERROR: No kra subsystem in instance
> pki-tomcat.
>
> 2021-05-05T07:24:14Z DEBUG stderr=
> 2021-05-05T07:24:14Z DEBUG Starting pki-tomcatd@pki-tomcat.
> 2021-05-05T07:24:14Z DEBUG Starting external process
> 2021-05-05T07:24:14Z DEBUG args=/bin/systemctl start
> [email protected]
> 2021-05-05T07:24:15Z DEBUG Process finished, return code=1
> 2021-05-05T07:24:15Z DEBUG stdout=
> 2021-05-05T07:24:15Z DEBUG stderr=Job for [email protected]
> canceled.
>
> 2021-05-05T07:24:15Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2021-05-05T07:24:15Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
> server.upgrade()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line
> 2177, in upgrade
> upgrade_configuration()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line
> 1883, in upgrade_configuration
> logger.info('ephemeralRequest is already enabled')
> File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
> self.gen.next()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 1239, in stopped_service
> service_obj.start(instance_name)
> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
> line 190, in start
> instance_name, capture_output=capture_output, wait=wait)
> File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line
> 304, in start
> skip_output=not capture_output)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in
> run
> raise CalledProcessError(p.returncode, arg_string, str(output))
This is unrelated. You'll need to check the system journal/logs and the
CA logs to determine why it failed to start.
rob
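
An added example, not part of the thread or of FreeIPA's own code: a pre-upgrade check for the failure discussed above, flagging any domain in sssd.conf whose id_provider is not ipa, even when ipa_server_mode and ipa_server are already written in the file. It checks every domain listed in [sssd], since the thread does not show which one the upgrade touches; `check_sssd_conf`, `upgrade_safe` and the sample config are constructed for illustration.

```python
import configparser

# Constructed sample mirroring the sssd.conf posted in the thread (placeholder values).
SAMPLE_LDAP = """\
[sssd]
domains = domain.tld
config_file_version = 2

[domain/domain.tld]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://srv.domain.tld
"""

# Options the upgrade traceback shows sssd_update() setting on the domain.
UPGRADE_OPTIONS = ("ipa_server_mode", "ipa_server")


def check_sssd_conf(text):
    """Return {domain: [problems]} for every domain listed in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    listed = cp.get("sssd", "domains", fallback="")
    for name in (d.strip() for d in listed.split(",") if d.strip()):
        section = "domain/" + name
        if not cp.has_section(section):
            findings[name] = ["listed in [sssd] but has no [%s] section" % section]
            continue
        provider = cp.get(section, "id_provider", fallback=None)
        problems = []
        if provider != "ipa":  # the condition named in the reply above
            problems.append(
                "id_provider = %s: setting %s may be rejected as in the thread"
                % (provider, ", ".join(UPGRADE_OPTIONS)))
        findings[name] = problems
    return findings


def upgrade_safe(text):
    """True only if at least one domain is listed and none has a problem."""
    findings = check_sssd_conf(text)
    return bool(findings) and all(not p for p in findings.values())


if __name__ == "__main__":
    for domain, problems in check_sssd_conf(SAMPLE_LDAP).items():
        print(domain, "OK" if not problems else "; ".join(problems))
```

To check a real host, pass the contents of its sssd.conf to `check_sssd_conf` before running ipa-server-upgrade.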