On Thu, Jun 9, 2022 at 2:53 PM Rob Crittenden via FreeIPA-users <
[email protected]> wrote:

> Georg Seyerl via FreeIPA-users wrote:
> > Hi IPA Team,
> >
> > after an IPA upgrade from version 4.9.6 to 4.9.8 I get the following
> error when I run ipa-server-upgrade manually:
> >
> > 2022-06-09T09:24:25Z DEBUG stderr=
> > 2022-06-09T09:24:25Z DEBUG wait_for_open_ports: localhost [389] timeout
> 120
> > 2022-06-09T09:24:25Z DEBUG waiting for port: 389
> > 2022-06-09T09:24:25Z DEBUG Failed to connect to port 389 tcp on 127.0.0.1
> > 2022-06-09T09:26:25Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manua
> > lly.
> > 2022-06-09T09:26:25Z DEBUG   File
> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in
> execute
> >     return_value = self.run()
> >   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
> >     server.upgrade()
> >   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 2011, in upgrade
> >     upgrade_configuration()
> >   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 1632, in upgrade_configuration
> >     ds.start(ds.serverid)
> >   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line
> 643, in start
> >     instance_name, capture_output=capture_output, wait=wait
> >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
> line 524, in start
> >     self.service.start(instance_name, capture_output=capture_output,
> wait=wait)
> >   File
> "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
> 138, in start
> >     instance_name, capture_output=capture_output, wait=wait)
> >   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py",
> line 317, in start
> >     self.wait_for_open_ports(self.service_instance(instance_name))
> >   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py",
> line 286, in wait_for_open_ports
> >     self.api.env.startup_timeout)
> >   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line
> 1341, in wait_for_open_ports
> >     raise socket.timeout("Timeout exceeded")
> >
> > 2022-06-09T09:26:25Z DEBUG The ipa-server-upgrade command failed,
> exception: timeout: Timeout exceeded
> > 2022-06-09T09:26:25Z ERROR Timeout exceeded
> > 2022-06-09T09:26:25Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
> >
> >
>

This error rings a bell but I thought we fixed the issue (#7534
<https://pagure.io/freeipa/issue/7534> Investigate failures to restore
389-ds attributes on upgrade failure). The command ipa-server-upgrade
starts by disabling the LDAP port to ensure that the service is not
accessed during upgrade, then performs a bunch of operations and restores
the LDAP port. If ipa-server-upgrade command is interrupted (for instance
by CTRL-C), it's possible to end up in a situation where the LDAP port is
disabled.
To check if it's your issue, you can look for the setting nsslapd-port in
dse.ldif:
# grep nsslapd-port: /etc/dirsrv/slapd-IPA-TEST/dse.ldif
nsslapd-port: 389

If the output is 0 instead of 389, stop ipa, edit dse.ldif and restart ipa.
HTH,
flo

>
> > A subset of the upgraded packages:
> >    Upgrade
>  ipa-client-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64
>  @ol8_x86_64_appstream
> >    Upgraded
> ipa-client-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
> @@System
> >    Upgrade
>  ipa-client-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> >    Upgraded
> ipa-client-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch
>  @@System
> >    Upgrade
>  ipa-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
>  @ol8_x86_64_appstream
> >    Upgraded
> ipa-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch
> @@System
> >    Upgrade
>  ipa-healthcheck-core-0.7-10.module+el8.6.0+20578+18b36d36.noarch
> @ol8_x86_64_appstream
> >    Upgraded
> ipa-healthcheck-core-0.7-6.module+el8.5.0+20379+1b4496cf.noarch
>  @@System
> >    Upgrade
>  ipa-selinux-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> >    Upgraded
> ipa-selinux-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch
>  @@System
> >    Upgrade
>  ipa-server-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64
>  @ol8_x86_64_appstream
> >    Upgraded
> ipa-server-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
> @@System
> >    Upgrade
>  ipa-server-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> >    Upgraded
> ipa-server-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch
>  @@System
> >    Upgrade
>  ipa-server-trust-ad-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64
> @ol8_x86_64_appstream
> >    Upgraded
> ipa-server-trust-ad-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
> @@System
> >
> >
> > We found the following error in the file /var/log/dirsrv/DOMAIN/errors
> > [09/Jun/2022:11:30:45.658955068 +0200] - ERR - set_krb5_creds - Could
> not get initial credentials for principal [ldap/fqdn-host@MYDOMAIN] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested
> >  realm)
> >
> > In comparison with other IPA Servers the entries in the ds.keytab file
> look fine.
>
> That error is likely a red herring. The Kerberos master key is stored in
> LDAP so it has to start first but then it can obtain a ticket for itself
> because the KDC hasn't started yet. It's a transient issue.
>
> Does ipactl start bring the services up? Is there nothing else unusual?
>
> Can you manually start/restart dirsrv.target?
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
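
The nsslapd-port check described in the reply above, as an added example that is not part of the original message: a shell function that reads nsslapd-port from the cn=config entry of a dse.ldif and reports whether the LDAP port was left disabled. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a 389-ds instance
# was left with its LDAP port disabled, by reading nsslapd-port from the
# cn=config entry of dse.ldif. Function names are hypothetical.

# ds_port_state FILE -> prints "disabled", "enabled:<port>" or "missing"
ds_port_state() {
    awk '
        /^\r*$/ { in_cfg = 0; next }                 # blank line ends an entry
        tolower($0) ~ /^dn:[ \t]*cn=config[ \t\r]*$/ { in_cfg = 1; next }
        in_cfg && tolower($0) ~ /^nsslapd-port:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)              # drop the attribute name
            sub(/[ \t\r]+$/, "", v)                  # drop trailing space or CR
            state = (v == "0") ? "disabled" : "enabled:" v
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# ds_port_report FILE -> one-line verdict following the advice in the reply
ds_port_report() {
    state=$(ds_port_state "$1")
    case $state in
        disabled)  echo "$1: nsslapd-port is 0: stop ipa, set it back to 389 in dse.ldif, restart ipa" ;;
        enabled:*) echo "$1: nsslapd-port is ${state#enabled:}: the LDAP port is not disabled" ;;
        *)         echo "$1: no nsslapd-port found under cn=config" ;;
    esac
}

# With an argument, check that file, for example
#   sh check.sh /etc/dirsrv/slapd-IPA-TEST/dse.ldif
# Without one, run on a constructed sample of an interrupted upgrade.
if [ $# -gt 0 ]; then
    ds_port_report "$1"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
dn: cn=config
cn: config
objectClass: top
nsslapd-port: 0

dn: cn=monitor
cn: monitor
objectClass: top
EOF
    ds_port_report "$sample"
    rm -f "$sample"
fi
```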