Issue #5995: full IPA restore fails due to unsuccessful client API initialization - freeipa

freeipa

#5995 full IPA restore fails due to unsuccessful client API initialization

Closed: Fixed None Opened 7 years ago by mbabinsk.

When restoring IPA server from full backup, the ipa-restore command fails with the following error being observed in the log:

2016-06-23T15:32:00Z INFO Performing FULL restore from FULL backup
2016-06-23T15:32:00Z DEBUG group dirsrv exists
2016-06-23T15:32:00Z DEBUG user dirsrv exists
2016-06-23T15:32:00Z DEBUG Starting external process
2016-06-23T15:32:00Z DEBUG args=tar --xattrs --selinux -xzf /var/lib/ipa/backup/ipa-full-2016-06-23-17-30-53/ipa-full.tar .
2016-06-23T15:32:01Z DEBUG Process finished, return code=0
2016-06-23T15:32:01Z DEBUG stdout=
2016-06-23T15:32:01Z DEBUG stderr=
2016-06-23T15:32:01Z DEBUG Starting external process
2016-06-23T15:32:01Z DEBUG args=tar --xattrs --selinux -xzf /tmp/tmp7j9PSuipa/ipa/files.tar etc/ipa/default.conf
2016-06-23T15:32:01Z DEBUG Process finished, return code=0
2016-06-23T15:32:01Z DEBUG stdout=
2016-06-23T15:32:01Z DEBUG stderr=
2016-06-23T15:32:01Z DEBUG failed to find session_cookie in persistent storage for principal 'admin@<REALM>'
2016-06-23T15:32:01Z INFO trying https://<master>/ipa/json
2016-06-23T15:32:01Z DEBUG Created connection context.rpcclient_140260207546128
2016-06-23T15:32:01Z INFO Forwarding 'schema' to json server 'https://<master>/ipa/json'
2016-06-23T15:32:01Z DEBUG NSSConnection init vm-053.abc.idm.lab.eng.brq.redhat.com
2016-06-23T15:32:01Z DEBUG Destroyed connection context.rpcclient_140260207546128
2016-06-23T15:32:01Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 317, in run
    self.init_api(confdir=self.dir + paths.ETC_IPA)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 848, in init_api
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 619, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 342, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 505, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 12, in get_package
    plugins = schema.get_package(api)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 262, in get_package
    schema = client.forward(u'schema', version=u'2.170')['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 994, in forward
    raise NetworkError(uri=server, error=str(e))

2016-06-23T15:32:01Z DEBUG The ipa-restore command failed, exception: NetworkError: cannot connect to 'https://<master>/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
2016-06-23T15:32:01Z ERROR cannot connect to 'https://<master>/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
2016-06-23T15:32:01Z ERROR The ipa-restore command failed. See /var/log/iparestore.log for more information

At the beginning of the restore process, the following method:

    def init_api(self, **overrides):                                            
         api.bootstrap(in_server=False, context='restore', **overrides)          
         api.finalize()

         self.instances = [installutils.realm_to_serverid(api.env.realm)]        
         self.backends = ['userRoot', 'ipaca']

is called in an attempt to initialize API for use in later steps. This initialization tries to download schema from the last know server which was, however, uninstalled prior to restore, hence the crash.

This seems to be a regression caused by recently pushed thin client patches.

jcholast commented 7 years ago

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1298242 (Red Hat Enterprise Linux 7)

pspacek commented 7 years ago

I'm unable to get integration tests to work, hopefully Milan will know better than me.

mkubik commented 7 years ago

I have ran the test successfully yesterday. The patch works.

jcholast commented 7 years ago

master:

ce93b09 backup: use in-server API in ipa-backup and ipa-restore

Metadata Update from @mbabinsk:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.4

7 years ago

Metadata

Assignee

jcholast

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.4

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Backup

blocking

None

on_review

keywords

None

test_coverage

reviewer

mkubik

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1298242

tester

None

changelog

None

design

None

freeipa

Source Code

#5995 full IPA restore fails due to unsuccessful client API initialization Closed: Fixed None Opened 7 years ago by mbabinsk.

Metadata

#5995 full IPA restore fails due to unsuccessful client API initialization

Closed: Fixed None Opened 7 years ago by mbabinsk.