[Freeipa-users] WARNING: Do not upgrade FreeIPA deployments to Fedora 20 final (yet)

Sat Mar 1 10:18:11 UTC 2014

On Sunday, December 22, 2013 05:42:27 AM Alexander Bokovoy wrote:
> Hi,
> 
> an update on the issue of upgrading Fedora 19 to Fedora 20 for FreeIPA
> deployments.
> 
> An updated 389-ds-base package, 1.3.2.9-1.fc20 is in updates-testing
> repository.  Updated slapi-nis package, 0.52-1.fc20, is in updates-testing
> as well.
> 
> I've tested that using fedora-upgrade tool to upgrade from Fedora 19 to
> Fedora 20 does work if you have updates-testing repository enabled and that
> FreeIPA is continuing to work afterwards.
> 
> I've initiated move of 389-ds-base to updates stable repository. Once it
> reach out there,  I'll lift a warning on freeipa.org and publish a final
> update.
> 
> Happy holidays!
> 
> ----- Original Message -----
> 
> > From: "Alexander Bokovoy" <abokovoy at redhat.com>
> > To: freeipa-users at redhat.com
> > Sent: Tuesday, December 17, 2013 11:14:34 AM
> > Subject: [Freeipa-users] WARNING: Do not upgrade FreeIPA deployments
> > to       Fedora 20 final (yet)>
> > 
> >
> > Greetings!
> >
> > 
> >
> > As many of you are aware, Fedora Project releases Fedora 20 today,
> > Tuesday, December 17th. This post serves as a warning against upgrading
> > your FreeIPA deployments to Fedora 20 using release images. Please check
> > Fedora 20 Common Bugs page https://fedoraproject.org/wiki/Common_F20_bugs
> > for the complete list of issues.
> >
> > 
> >
> > FreeIPA relies heavily on 389-ds Directory Server. Fedora 20 introduces
> > new version series of 389-ds, 1.3.2.x. Along with multiple enhancements,
> > unfortunately, few bugs went into the version currently available in
> > Fedora 20 stable tree. These bugs are causing crashes under certain
> > conditions and we don't recommend updating your existing configurations
> > due to these consequences.
> >
> > 
> >
> > As an update to the Fedora 20 Common Bugs page, over last night fellow
> > developers from 389-ds and slapi-nis projects have fixed
> > https://bugzilla.redhat.com/show_bug.cgi?id=1043546 and
> > https://bugzilla.redhat.com/show_bug.cgi?id=1041732 but there will be
> > some delay before the builds featuring the fixes will  appear in Fedora
> > 20 updates repository. Remaining bugs are under investigation.
> >
> > 
> >
> > I'll post an update note once we'll get remaining issues fixed and
> > packages
> > pushed to Fedora 20 updates repository.
> >
> > 
> >
> > --
> > / Alexander Bokovoy

I've been waiting patiently for F20 to "settle" before upgrading my two VM 
installations of FreeIPA:

ipa1 (original master)
ipa2 (clone)

I'm considering doing a "yum upgrade" this weekend and was wondering if any 
users had found any "gotchas"?  One that I can think of is the addition of the 
following in F20's default /etc/krb5.conf:

[libdefaults]
  ...
  default_ccache_name = KEYRING:persistent:%{uid}
  ...

I've seen on some of my freshly installed F20 FreeIPA clients that this option 
is no longer present after ipa-client-install.  On those clients, I've 
manually added it post client install and things seem to work OK with the 
exception of SELinux errors reported here:

https://bugzilla.redhat.com/show_bug.cgi?id=1001703

Should I place this option in /etc/krb5.conf on the masters before/after the 
yum upgrade (or at all)?

Should I run "ipactl stop" prior to running the yum upgrade?

Of note, I'm considering the "yum upgrade" option rather than creating F20 
replicas of F19 masters due to:

https://fedorahosted.org/pki/ticket/816
https://fedorahosted.org/389/ticket/47721

Any guidance is appreciated.  Thanks, and have a good weekend.

-A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140301/55b4d0ba/attachment.sig>