[Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master

Anthony Messina amessina at messinet.com
Mon Jan 5 15:49:53 UTC 2015


Quoting Martin Kosek <mkosek at redhat.com>:

> On 01/05/2015 02:05 PM, Anthony Messina wrote:
>>
>> Quoting Martin Kosek <mkosek at redhat.com>:
>>
>>> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>>>> I was hoping to "migrate" from F20 to F21 using:
>>>> http://www.freeipa.org/page/Howto/Migration
>>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>
>>> The migration procedure is only needed if you run FreeIPA server with PKI
>>> based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI
>>> instance functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so
>>> I was surprised such a setup worked in Fedora 20.
>>
>> I don't use Dogtag 9.  I installed FreeIPA freshly on a F19 VM, then yum
>> upgraded to F20.  With the significant changes for Fedora.next, systemd-216,
>> and FreeIPA 4, I wanted to create a new "master" (and retire the old) by
>> replicating the current F20 3.3.5 master to what would become an F21 4.1.2
>> master.
>
> Ah, makes more sense then. The PKI error below gets more serious then -
> Fraser and Endi, please help Anthony.
>
>> While I use the yum upgrade procedure often with great success on a number
>> of my other servers, it can be tricky and sometimes unreliable, leaving
>> around cruft that can interfere with proper operation.  I'm one of those
>> folks that's waiting patiently for the FreeIPA-to-FreeIPA migration ;)
>
> I am just afraid everyone is just waiting and no one is willing to invest in
> this feature and code ;-) IIRC, the difficulty in implementing the migration
> tool is mostly in handling Kerberos and certificate data, which are based on
> data secret and unique to the original server.

You may be right here about everyone waiting. Unfortunately for this
case, I am not a programmer, but a mere sysadmin.  However, I can do
code/design digging to look at the situation from outside the box to
see what I might be able to find.

>> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5 VM
>> instance to F21 FreeIPA 4.1.2?
>
> It should work, yes.
>
>> Even so, it seems like I should be able to create a 4.1.2 replica of a 3.3.5
>> master.
>
> Indeed. This looks like a bug :-(
>
>
>>>> Where the new F21 replica would become the new "master" from which I would
>>>> later create other F21 replica(s).
>>>>
>>>> F20 master:  freeipa-server-3.3.5-1.fc20.x86_64
>>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>>
>>>> The first F21 replica installation fails when attempting to set up the CA
>>>> and I'm not sure where to go from here.  Any guidance is appreciated.
>>>> Thanks.
>>>
>>> CCing Fraser and Endi from PKI team to advise.
>>>
>>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>> 2015-01-03T23:09:39Z DEBUG Starting external process
>>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>>> '/tmp/tmpZNHZWb'
>>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from
>>>> /tmp/tmpZNHZWb.
>>>>
>>>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>>>   File "/usr/sbin/pkispawn", line 579, in <module>
>>>>     main(sys.argv)
>>>>   File "/usr/sbin/pkispawn", line 480, in main
>>>>     info = parser.sd_get_info()
>>>>   File  
>>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
>>>> line 464, in sd_get_info
>>>>     info = sd.get_security_domain_info()
>>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in
>>>> get_security_domain_info
>>>>     info = SecurityDomainInfo.from_json(response.json())
>>>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 83,  
>>>> in from_json
>>>>     ret.name = json_value['id']
>>>> KeyError: 'id'
>>>>
>>>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command
>>>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned  
>>>> non-zero exit
>>>> status 1
>>>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>>>   File  
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",  
>>>> line
>>>> 382, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File  
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",  
>>>> line
>>>> 372, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 671, in __spawn_instance
>>>>     raise RuntimeError('Configuration of CA failed')
>>>> RuntimeError: Configuration of CA failed
>>>>
>>>>
>>>>
>>
>>


-- 
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E