[Freeipa-devel] [PATCH] 461 Update Dogtag 9 database during replica installation

Petr Viktorin pviktori at redhat.com
Fri Mar 14 12:34:13 UTC 2014


On 03/14/2014 12:37 PM, Alexander Bokovoy wrote:
> On Fri, 14 Mar 2014, Petr Viktorin wrote:
>> On 03/14/2014 10:29 AM, Alexander Bokovoy wrote:
>>> On Thu, 13 Mar 2014, Martin Kosek wrote:
>>>> On 03/13/2014 03:15 PM, Martin Kosek wrote:
>>>>> On 03/13/2014 09:09 AM, Martin Kosek wrote:
>>>>>> When a Dogtag 10 based FreeIPA replica is being installed for a
>>>>>> Dogtag 9
>>>>>> based master, the PKI database is not updated and misses several ACLs,
>>>>>> which prevents some of the PKI functions, e.g. the ability to create
>>>>>> other clones.
>>>>>>
>>>>>> Add an update file to do the database update. Content is based on
>>>>>> recommendation from PKI team:
>>>>>>   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9
>>>>>>
>>>>>> This update file can be removed when Dogtag database upgrades are
>>>>>> done
>>>>>> in PKI component. Upstream tickets:
>>>>>>   * https://fedorahosted.org/pki/ticket/710 (database upgrade
>>>>>> framework)
>>>>>>   * https://fedorahosted.org/pki/ticket/906 (checking database
>>>>>> version)
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4243
>>>>>
>>>>> I found a few issues with the patch:
>>>>> - New update file was not added to Makefile.am
>>>>> - PKI was not restarted after LDAP updates so it did not pick up the
>>>>> ACLs and
>>>>> replica installation will crash anyway. Now the PKI is always
>>>>> restarted at the
>>>>> end of server/replica installation.
>>>>>
>>>>> Martin
>>>>
>>>> FYI - I just got confirmation that this patch finally fixed the issue
>>>> even in an
>>>> automatized environment (beaker).
>>>
>>> ACK.
>>>
>>> With this patch in place, can we release 3.3.6 and update FreeIPA in
>>> Fedora 19 and Fedora 20? There are already reports on IRC from people
>>> trying to migrate via replica from CentOS to Fedora.
>>
>> I have started testing this on RHEL 6.4 (master) → f20 git master with
>> this patch (replica), but ran into
>> https://fedorahosted.org/pki/ticket/816. I don't think we should
>> release until that is fixed.
> Did you try git master or ipa-3-3 branch? It is unclear from your
> description.

I got the same problem on both. I haven't tried on f19 yet; it may be an
f20-only issue.

> For the record,
>
> https://gist.githubusercontent.com/josh-at-knoesis/9536155/raw/ef04f209e4815c7cafc4f43289c6c186d420b5ee/freeipa-error_2014-04-13a.txt
>
>
> contains dirsrv logs for the replica built from CentOS 6.5 to Fedora 19
> (FreeIPA 3.3).
>


-- 
Petr³