Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1131187
+++ This bug was initially created as a clone of Bug #1130252 +++

Description of problem:

Upgrading a RHEL6.5 server to 6.6 version of IPA (and components) results in IPA not running. I also see named failure during upgrade output:

    Updating : ipa-server-3.0.0-42.el6.x86_64 26/45
    Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7
    Updating : ipa-server-selinux-3.0.0-42.el6.x86_64 27/45

Some digging through ipaupgrade.log shows failures to stop dirsrv as if it's already stopped:

    2014-08-14T16:14:13Z DEBUG Upgrading IPA:
    2014-08-14T16:14:13Z DEBUG [1/8]: stopping directory server
    2014-08-14T16:14:13Z DEBUG args=/sbin/service dirsrv stop TESTRELM-TEST
    2014-08-14T16:14:13Z DEBUG stdout=Shutting down dirsrv:
        TESTRELM-TEST... server already stopped[FAILED]
      *** Error: 1 instance(s) unsuccessfully stopped[FAILED]

Then looking at messages for yum update and named messages shows:

    Aug 14 11:12:06 rhel6-1 yum[14053]: Updated: 389-ds-base-libs-1.2.11.15-39.el6.x86_64
    Aug 14 11:12:12 rhel6-1 named[4089]: LDAP error: Can't contact LDAP server
    Aug 14 11:12:12 rhel6-1 named[4089]: connection to the LDAP server was lost
    Aug 14 11:12:12 rhel6-1 named[4089]: bind to LDAP server failed: Can't contact LDAP server
    Aug 14 11:12:12 rhel6-1 named[4089]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
    Aug 14 11:12:25 rhel6-1 yum[14053]: Updated: 389-ds-base-1.2.11.15-39.el6.x86_64

And in dirsrv errors log I can see that it was stopped but I don't see anything about it being started:

    [14/Aug/2014:11:12:09 -0500] - slapd shutting down - signaling operation threads
    [14/Aug/2014:11:12:09 -0500] - slapd shutting down - closing down internal subsystems and plugins
    [14/Aug/2014:11:12:09 -0500] - Waiting for 4 database threads to stop
    [14/Aug/2014:11:12:09 -0500] - All database threads now stopped
    [14/Aug/2014:11:12:09 -0500] - slapd stopped.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.11.15-39.el6.x86_64

How reproducible:

always

Steps to Reproduce:

1. on RHEL6.5 host, ipa-server-install # with dns configured
2. setup RHEL6.6 yum repo configs
3. yum update 'ipa*' sssd -y

Actual results:

dirsrv (and thus ipa) not running after upgrade.

Expected results:

everything running.

Additional info:

...

--- Additional comment from Scott Poore on 2014-08-14 22:04:44 EDT ---

If I upgrade openldap, I now get this:

    [root@rhel6-2 slapd-TEST-QE]# service dirsrv restart
    Shutting down dirsrv:
        PKI-IPA... [ OK ]
        TEST-QE... [ OK ]
    Starting dirsrv:
        PKI-IPA... [ OK ]
        TEST-QE...[14/Aug/2014:17:17:50 -0500] - Information: Non-Secure Port Disabled
    [ OK ]

And I can't see the 389 port open now:

    [root@rhel6-2 dirsrv]# netstat -taupne |grep 389
    tcp 0 0 :::7389 :::* LISTEN 0 56704 17958/ns-slapd

I still can't start ipa. How can I track down why slapd isn't starting on port 389? Is there a logging level I should use?

I'm changing component here to 389-ds-base since that seems to be the main piece here.

...

--- Additional comment from Rob Crittenden on 2014-08-18 09:43:08 EDT ---

I wonder if IPA should have a clone of this bug. There should be a failsafe in the IPA updater such that it ALWAYS resets the listeners back to their initial values (so 389 and security on)

--- Additional comment from Martin Kosek on 2014-08-18 11:51:26 EDT ---

Actually, this is a very good idea. We want to make upgrade process smoother. I will clone the Bugzilla.
master:
ipa-4-1:
I just noticed this does not display well with SystemExit with 0 return code as we do with --external-ca.

    # ipa-server-install
    ...
      [29/39]: creating default Sudo bind user
      [30/39]: creating default Auto Member layout
      [31/39]: adding range check plugin
      [32/39]: creating default HBAC rule allow_all
      [33/39]: initializing group membership
      [34/39]: adding master entry
      [35/39]: configuring Posix uid/gid generation
      [36/39]: adding replication acis
      [37/39]: enabling compatibility plugin
      [38/39]: tuning directory server
      [39/39]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
      [1/8]: creating certificate server user
      [2/8]: configuring certificate server instance
    The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
    /usr/sbin/ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate
      [error] SystemExit: 0

Metadata Update from @mkosek: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.1