Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA
On 05/20/2016 03:00 PM, Martin Basti wrote: On 19.05.2016 13:34, Stanislav Laznicka wrote: Also, I tried to upgrade from 4.2.4 to 4.3.1 and it seems that it might be necessary to start the service even earlier in the upgrade logic. Attached is the trace that occurred during the upgrade. I sent the whole log earlier accidentally, hopefully it will not arrive here as well. On 05/19/2016 11:10 AM, Stanislav Laznicka wrote: NACK, see my comments below +# following upgrade steps require running CA This is a nitpicky nitpick but could you please change this comment for # the following ... Took me a while to understand what you were trying to say here. +if ca_running and not ca.is_running(): +ca.stop('pki-tomcat') +elif not ca_running and ca.is_running(): +ca.start('pki-tomcat') + You should swap ca.stop and ca.start here, you're stopping the service when it's stopped and starting it when it's already running. Shame, shame, shame on me. On 05/12/2016 04:34 PM, Martin Basti wrote: Patch attached. https://fedorahosted.org/freeipa/ticket/5868 I moved starting of CA to the earlier phase and swapped start/stop to correct order. Patch attached. Seems to work as expected now. ACK. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA
On 19.05.2016 13:34, Stanislav Laznicka wrote: Also, I tried to upgrade from 4.2.4 to 4.3.1 and it seems that it might be necessary to start the service even earlier in the upgrade logic. Attached is the trace that occurred during the upgrade. I sent the whole log earlier accidentally, hopefully it will not arrive here as well. On 05/19/2016 11:10 AM, Stanislav Laznicka wrote: NACK, see my comments below +# following upgrade steps require running CA This is a nitpicky nitpick but could you please change this comment for # the following ... Took me a while to understand what you were trying to say here. +if ca_running and not ca.is_running(): +ca.stop('pki-tomcat') +elif not ca_running and ca.is_running(): +ca.start('pki-tomcat') + You should swap ca.stop and ca.start here, you're stopping the service when it's stopped and starting it when it's already running. Shame, shame, shame on me. On 05/12/2016 04:34 PM, Martin Basti wrote: Patch attached. https://fedorahosted.org/freeipa/ticket/5868 I moved starting of CA to the earlier phase and swapped start/stop to correct order. Patch attached. From b93d3d7823cf17cb32b25ed8b374155c446743ba Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Thu, 12 May 2016 15:39:30 +0200 Subject: [PATCH] Upgrade: always start CA Some CA upgrade steps in upgrader requires running CA. We have to always start CA and wait for running status using http, because systemd may return false positive result that CA is running even if CA is just starting and unable to serve. https://fedorahosted.org/freeipa/ticket/5868 --- ipaserver/install/server/upgrade.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 38fe2c3e89da55faa30c624983cb8f9c630357b3..1d5ef0b23e4afc25b44dbce3012fbbac6d68c476 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1448,6 +1448,7 @@ def upgrade_configuration(): sub_dict['SUBJECT_BASE'] = subject_base ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) +ca_running = ca.is_running() with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): # Dogtag must be stopped to be able to backup CS.cfg config @@ -1481,6 +1482,11 @@ def upgrade_configuration(): ) upgrade_pki(ca, fstore) +# several upgrade steps require running CA +# always run ca.start() because we need to wait until CA is really ready +# by checking status using http +ca.start('pki-tomcat') + certmonger_service = services.knownservices.certmonger if ca.is_configured() and not certmonger_service.is_running(): certmonger_service.start() @@ -1650,6 +1656,11 @@ def upgrade_configuration(): elif not ds_running and ds.is_running(): ds.stop(ds_serverid) +if ca_running and not ca.is_running(): +ca.start('pki-tomcat') +elif not ca_running and ca.is_running(): +ca.stop('pki-tomcat') + def upgrade_check(options): try: -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA
Also, I tried to upgrade from 4.2.4 to 4.3.1 and it seems that it might be necessary to start the service even earlier in the upgrade logic. Attached is the trace that occurred during the upgrade. I sent the whole log earlier accidentally, hopefully it will not arrive here as well. On 05/19/2016 11:10 AM, Stanislav Laznicka wrote: NACK, see my comments below +# following upgrade steps require running CA This is a nitpicky nitpick but could you please change this comment for # the following ... Took me a while to understand what you were trying to say here. +if ca_running and not ca.is_running(): +ca.stop('pki-tomcat') +elif not ca_running and ca.is_running(): +ca.start('pki-tomcat') + You should swap ca.stop and ca.start here, you're stopping the service when it's stopped and starting it when it's already running. On 05/12/2016 04:34 PM, Martin Basti wrote: Patch attached. https://fedorahosted.org/freeipa/ticket/5868 2016-05-19T09:28:31Z DEBUG stderr= 2016-05-19T09:29:12Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2016-05-19T09:30:11Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1719, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1639, in upgrade_configuration certificate_renewal_update(ca, ds, http), File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 920, in certificate_renewal_update ca.configure_renewal() File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 321, in configure_renewal profile=profile) File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 509, in dogtag_start_tracking cm.obj_if.add_request(params) File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__ **keywords) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) 2016-05-19T09:30:11Z DEBUG The ipa-server-upgrade command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. 2016-05-19T09:30:11Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. 2016-05-19T09:30:11Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0477] upgrade: always start CA
NACK, see my comments below +# following upgrade steps require running CA This is a nitpicky nitpick but could you please change this comment for # the following ... Took me a while to understand what you were trying to say here. +if ca_running and not ca.is_running(): +ca.stop('pki-tomcat') +elif not ca_running and ca.is_running(): +ca.start('pki-tomcat') + You should swap ca.stop and ca.start here, you're stopping the service when it's stopped and starting it when it's already running. On 05/12/2016 04:34 PM, Martin Basti wrote: Patch attached. https://fedorahosted.org/freeipa/ticket/5868 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code