[Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master
Anthony Messina
amessina at messinet.com
Mon Jan 5 15:49:53 UTC 2015
Quoting Martin Kosek <mkosek at redhat.com>:
> On 01/05/2015 02:05 PM, Anthony Messina wrote:
>>
>> Quoting Martin Kosek <mkosek at redhat.com>:
>>
>>> On 01/04/2015 12:29 AM, Anthony Messina wrote:
>>>> I was hoping to "migrate" from F20 to F21 using:
>>>> http://www.freeipa.org/page/Howto/Migration
>>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>>
>>> The migration procedure is only needed if you run FreeIPA server with
>>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
>>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
>>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
>>
>> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
>> upgraded to F20. With the significant changes for Fedora.next, systemd-216,
>> and FreeIPA 4, I wanted to create a new "master" (and retire the old) by
>> replicating the current F20 3.3.5 master to what would become an
>> F21 4.1.2 master.
>
> Ah, makes more sense then. The PKI error below gets more serious then -
> Fraser and Endi, please help Anthony.
>
>> While I use the yum upgrade procedure often with great success on a
>> number of my other servers, it can be tricky and sometimes unreliable,
>> leaving around cruft that can interfere with proper operation. I'm one
>> of those folks that's waiting patiently for the FreeIPA-to-FreeIPA
>> migration ;)
>
> I am just afraid everyone is just waiting and no one is willing to invest in
> this feature and code ;-) IIRC, the difficulty in implementing the migration
> tool is mostly in handling Kerberos and certificate data, which are based on
> data secret and unique to the original server.
You may be right here about everyone waiting. Unfortunately for this
case, I am not a programmer, but a mere sysadmin. However, I can do
code/design digging to look at the situation from outside the box to
see what I might be able to find.
>> Is the proper, recommended procedure to yum upgrade the F20 FreeIPA 3.3.5 VM
>> instance to F21 FreeIPA 4.1.2?
>
> It should work, yes.
>
>> Even so, it seems like I should be able to create a 4.1.2 replica of a 3.3.5
>> master.
>
> Indeed. This looks like a bug :-(
>
>
>>>> Where the new F21 replica would become the new "master" from which I would
>>>> later create other F21 replica(s).
>>>>
>>>> F20 master: freeipa-server-3.3.5-1.fc20.x86_64
>>>> F21 replica: freeipa-server-4.1.2-1.fc21.x86_64
>>>>
>>>> The first F21 replica installation fails when attempting to set up
>>>> the CA and I'm not sure where to go from here. Any guidance is
>>>> appreciated. Thanks.
>>>
>>> CCing Fraser and Endi from PKI team to advise.
>>>
>>>> 2015-01-03T23:09:39Z DEBUG Saving StateFile to
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>> 2015-01-03T23:09:39Z DEBUG Starting external process
>>>> 2015-01-03T23:09:39Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>>> '/tmp/tmpZNHZWb'
>>>> 2015-01-03T23:09:39Z DEBUG Process finished, return code=1
>>>> 2015-01-03T23:09:39Z DEBUG stdout=Loading deployment configuration from
>>>> /tmp/tmpZNHZWb.
>>>>
>>>> 2015-01-03T23:09:39Z DEBUG stderr=Traceback (most recent call last):
>>>> File "/usr/sbin/pkispawn", line 579, in <module>
>>>> main(sys.argv)
>>>> File "/usr/sbin/pkispawn", line 480, in main
>>>> info = parser.sd_get_info()
>>>> File
>>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
>>>> line 464, in sd_get_info
>>>> info = sd.get_security_domain_info()
>>>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 96, in
>>>> get_security_domain_info
>>>> info = SecurityDomainInfo.from_json(response.json())
>>>> File "/usr/lib/python2.7/site-packages/pki/system.py", line 83,
>>>> in from_json
>>>> ret.name = json_value['id']
>>>> KeyError: 'id'
>>>>
>>>> 2015-01-03T23:09:39Z CRITICAL failed to configure ca instance Command
>>>> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpZNHZWb'' returned
>>>> non-zero exit
>>>> status 1
>>>> 2015-01-03T23:09:39Z DEBUG Traceback (most recent call last):
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line
>>>> 382, in start_creation
>>>> run_step(full_msg, method)
>>>> File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line
>>>> 372, in run_step
>>>> method()
>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 671, in __spawn_instance
>>>> raise RuntimeError('Configuration of CA failed')
>>>> RuntimeError: Configuration of CA failed
>>>>
>>>>
>>>>
>>
>>
--
Anthony - https://messinet.com - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E