[Freeipa-users] dns stops working after upgrade
Rob Crittenden
rcritten at redhat.com
Tue Oct 28 15:51:14 UTC 2014
Rob Verduijn wrote:
> OK, after some more digging:
>
> I found some warnings (see below)
>
> Are any of these the cause of the error?
>
> Rob
>
> <snip>
<snip>
> <snip>
> 2014-10-27T13:56:28Z INFO Updating existing entry:
> cn=ipaConfig,cn=etc,dc=XXXXX,dc=XXXXX
> <snip>
> 2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
> <snip>
AFAICT these are all normal. It basically means the LDAP data is already
in the state we want.
> and then we get to the traceback:
> 2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to
> 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':
> 2014-10-27T13:56:34Z DEBUG Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
> line 152, in __upgrade
> self.modified = (ld.update(self.files, ordered=True) or
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 874, in update
> updates = api.Backend.updateclient.update(POST_UPDATE,
> self.dm_password, self.ldapi, self.live_run)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 131, in update
> ld.update_from_dict(updates)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 889, in update_from_dict
> self._run_updates(updates)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 799, in _run_updates
> self._update_record(update)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 661, in _update_record
> e = self._get_entry(new_entry.dn)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 544, in _get_entry
> return self.conn.get_entries(dn, scope, searchfilter, sattrs)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1421, in get_entries
> base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1527, in find_entries
> break
> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> self.gen.throw(type, value, traceback)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1206, in error_handler
> error=info)
> NetworkError: cannot connect to
> 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':
I'd poke around more in the ipaupgrade.log to see if you can find a
failed dirsrv restart. Looking at the 389-ds logs might be handy too,
and I'd check (dmesg, for example) to see if it core dumped.
rob
>
>
>
> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>>:
>
> Rob Verduijn wrote:
> > hmmmm....
> >
> > after some more digging (monitoring the upgrade more closely.)
> > I saw that the upgrade kept waiting for the ca to start, which it did
> > not do.
> > and after 5 minutes the upgrade gave up with the following errors in the
> > ipaupgrade log:
> >
> > at 85% it says :
> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=
> > Certificate Nickname Trust
> > Attributes
> >
> > SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert u,u,u
> > XXXX.XXXX IPA CA CT,C,C
> > ipaCert u,u,u
> > Server-Cert u,u,u
> >
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> > < certificate-removed >
> > -----END CERTIFICATE-----
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
> > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>
> This has nothing to do with the CA, the LDAP server didn't come up. I'd
> start with those logs or look earlier in ipaupgrade.log
>
> The CA requires 389-ds to be running so if it isn't up, then it will
> fail to start too.
>
> rob
>
>
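
The reply above suggests searching ipaupgrade.log for a failed dirsrv restart ahead of the final ERROR. The following sketch is an added example, not part of the thread and not FreeIPA code: it parses the record layout visible in the quoted log (timestamp, level, message, with wrapped continuation lines) and reports external commands that exited non-zero together with the ERROR records. The sample log lines and the instance name `EXAMPLE` are constructed for illustration.

```python
import re

# Record start as seen in the quoted log: ISO timestamp, level, message.
RECORD = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
RETCODE = re.compile(r"^Process finished, return code=(-?\d+)$")

def parse_records(lines):
    """Group lines into (timestamp, level, message) records. Lines without a
    timestamp (tracebacks, wrapped args) are appended to the previous record."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records and line.strip():
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]

def triage(lines):
    """Return (failed external commands, ERROR records), both in log order."""
    failed, errors, last_args = [], [], None
    for ts, level, msg in parse_records(lines):
        if msg.startswith("args="):
            last_args = msg[len("args="):]  # remember the command just started
        else:
            m = RETCODE.match(msg)
            if m and int(m.group(1)) != 0:
                failed.append((ts, last_args, int(m.group(1))))
        if level in ("ERROR", "CRITICAL"):
            errors.append((ts, msg))
    return failed, errors

# Constructed sample in the same layout as the quoted log; not from a real system.
SAMPLE = """\
2014-10-27T13:56:20Z DEBUG Starting external process
2014-10-27T13:56:20Z DEBUG args='/bin/systemctl' 'restart'
'dirsrv@EXAMPLE.service'
2014-10-27T13:56:21Z DEBUG Process finished, return code=1
2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to
'ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket':
""".splitlines()

if __name__ == "__main__":
    failed, errors = triage(SAMPLE)
    for ts, args, rc in failed:
        print(f"{ts} command failed (rc={rc}): {args}")
    for ts, msg in errors:
        print(f"{ts} ERROR {msg}")
```

To run it against a real log, pass `open(path)` to `triage()` instead of `SAMPLE`.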