[Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master

Martin Kosek mkosek at redhat.com
Mon Jan 5 13:53:04 UTC 2015 

On 01/05/2015 02:05 PM, Anthony Messina wrote:
> 
> Quoting Martin Kosek <mkosek at redhat.com>:
> 
>> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>>> I was hoping to "migrate" from F20 to F21 using:
>>> http://www.freeipa.org/page/Howto/Migration
>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>
>> The migration procedure is only needed if you run FreeIPA server with PKI based
>> on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI instance
>> functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was
>> surprised such setup worked in Fedora 20.
> 
> I don't use Dogtag 9.  I installed FreeIPA freshly on a F19 VM, then yum
> upgraded to F20.  With the significant changes for Fedora.next, systemd-216,
> and FreeIPA 4, I wanted to create a new "master" (amd retire the old) by
> replicating the current F20 3.3.5 master to what would become an F21 4.1.2 master.

Ah, makes more sense then. The PKI error below gets more serious then - Fraser
and Endi, please help Anthony.

> While I use the yum upgrade procedure often with great success on a number of
> my other servers, it can be tricky and sometimes unreliablem leaving around
> cruft that can interfere with proper operation.  I'm one of those folks that's
> waiting patiently for the FreeIPA-to-FreeIPA migration ;)

I am just afraid everyone is just waiting and no one is willing to invest in
this feature and code ;-) IIRC, the difficulty in implementing the migration
tool is mostly in handling Kerberos and certificate data, which are based on
data secret and unique to the original server.

> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5 VM
> instance to F21 FreeIPA 4.1.2?

It should work, yes.

> Even so, it seems like I should be able to create a 4.1.2 replica of a 3.3.5
> master.

Indeed. This looks like a bug :-(


>>> Where the new F21 replica would become the new "master" from which I would
>>> later create other F21 replica(s).
>>>
>>> F20 master:  freeipa-server-3.3.5-1.fc20.x86_64
>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>
>>> The first F21 replica installation fails when attempting to setup the CA and
>>> I'm not sure where to go from here.  Any guidance is appreciated.  Thanks.
>>
>> CCing Fraser and Endi from PKI team to advise.
>>
>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to
>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2015-01-03T23:09:39Z DEBUG Starting external process
>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>> '/tmp/tmpZNHZWb'
>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from
>>> /tmp/tmpZNHZWb.
>>>
>>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>>   File "/usr/sbin/pkispawn", line 579, in <module>
>>>     main(sys.argv)
>>>   File "/usr/sbin/pkispawn", line 480, in main
>>>     info = parser.sd_get_info()
>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
>>> line 464, in sd_get_info
>>>     info = sd.get_security_domain_info()
>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in
>>> get_security_domain_info
>>>     info = SecurityDomainInfo.from_json(response.json())
>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83, in from_json
>>>     ret.name = json_value['id']
>>> KeyError: 'id'
>>>
>>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command
>>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned non-zero exit
>>> status 1
>>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>> 382, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>> 372, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 671, in __spawn_instance
>>>     raise RuntimeError('Configuration of CA failed')
>>> RuntimeError: Configuration of CA failed
>>>
>>>
>>>
> 
>

More information about the Freeipa-users mailing list