Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?)
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
I not need to delete first the replication link before ? What is the better solution ways ?
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Hi,
On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?)
Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time.
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
You do not need to do that. "yum update" is enough.
I not need to delete first the replication link before ?
Certainly not.
What is the better solution ways ?
See above.
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Best regards, François
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello François, All
Thanks you for your answer / update
Here's what I did: All process RUNNING with : ipactl status yum update
*I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value)
2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Regards
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 08:56, François Cami fcami@redhat.com a écrit :
Hi,
On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers
linked (replicat).
I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in
same time the IPAServer (or separately ?)
Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time.
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
You do not need to do that. "yum update" is enough.
I not need to delete first the replication link before ?
Certainly not.
What is the better solution ways ?
See above.
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Best regards, François
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello François, Florence, All
After checking and disabling my local firewall. I have the same problem: .... [Ensurung CA is using LDAPProfileSubsustem) [Migration certificat profiles to LDAP] IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run command ipa-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked cannot see ra_certprofile.override_port to 8443
Regard
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 11:54, Karim Bourenane karim.bourenane@gmail.com a écrit :
Hello François, All
Thanks you for your answer / update
Here's what I did: All process RUNNING with : ipactl status yum update
*I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value)
2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Regards
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 08:56, François Cami fcami@redhat.com a écrit :
Hi,
On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers
linked (replicat).
I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in
same time the IPAServer (or separately ?)
Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time.
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
You do not need to do that. "yum update" is enough.
I not need to delete first the replication link before ?
Certainly not.
What is the better solution ways ?
See above.
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Best regards, François
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello
I found a track, its appear that the JAVA dont want to leave the TCPV6 port connexion: #netstat -plten | grep 8433 tcp6 0 0 :::8443 :::* LISTEN 17 178055 25551/java
And also http with tcp6 443
This connexion launched if the command : yum update (come in libcc ) or when i launch ipa-server-update
How i can correct this behavior ?
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 13:10, Karim Bourenane karim.bourenane@gmail.com a écrit :
Hello François, Florence, All
After checking and disabling my local firewall. I have the same problem: .... [Ensurung CA is using LDAPProfileSubsustem) [Migration certificat profiles to LDAP] IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run command ipa-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked cannot see ra_certprofile.override_port to 8443
Regard
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 11:54, Karim Bourenane karim.bourenane@gmail.com a écrit :
Hello François, All
Thanks you for your answer / update
Here's what I did: All process RUNNING with : ipactl status yum update
*I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value)
2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Regards
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 08:56, François Cami fcami@redhat.com a écrit :
Hi,
On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers
linked (replicat).
I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in
same time the IPAServer (or separately ?)
Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time.
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
You do not need to do that. "yum update" is enough.
I not need to delete first the replication link before ?
Certainly not.
What is the better solution ways ?
See above.
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Best regards, François
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
This process number : 25551, its launched by pkiuser for pki-tomcat service.
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 16:25, Karim Bourenane karim.bourenane@gmail.com a écrit :
Hello
I found a track, its appear that the JAVA dont want to leave the TCPV6 port connexion: #netstat -plten | grep 8433 tcp6 0 0 :::8443 :::* LISTEN 17 178055 25551/java
And also http with tcp6 443
This connexion launched if the command : yum update (come in libcc ) or when i launch ipa-server-update
How i can correct this behavior ?
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 13:10, Karim Bourenane karim.bourenane@gmail.com a écrit :
Hello François, Florence, All
After checking and disabling my local firewall. I have the same problem: .... [Ensurung CA is using LDAPProfileSubsustem) [Migration certificat profiles to LDAP] IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run command ipa-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked cannot see ra_certprofile.override_port to 8443
Regard
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 11:54, Karim Bourenane karim.bourenane@gmail.com a écrit :
Hello François, All
Thanks you for your answer / update
Here's what I did: All process RUNNING with : ipactl status yum update
*I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value)
2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Regards
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 08:56, François Cami fcami@redhat.com a écrit :
Hi,
On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers
linked (replicat).
I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in
same time the IPAServer (or separately ?)
Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time.
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
You do not need to do that. "yum update" is enough.
I not need to delete first the replication link before ?
Certainly not.
What is the better solution ways ?
See above.
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Best regards, François
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Karim Bourenane via FreeIPA-users wrote:
Hello François, All
Thanks you for your answer / update
Here's what I did: All process RUNNING with : ipactl status yum update
*I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value)
2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Note that this has nothing to do with anything listening on port 8443.
This is trying to change the IPA runtime environment for some reason and it's in a locked state. I don't know this code very well so I'm not sure what the remediation is. It seems like something that should have either always or never worked but it could be it was affected by some later change, I don't know.
It thinks it needs to migrate your disk-based profiles into LDAP and that's not something that should be skipped.
rob
Regards
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 08:56, François Cami <fcami@redhat.com mailto:fcami@redhat.com> a écrit :
Hi, On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > Hello Team > > I have some questions : > 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?) Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time. > After searching on Freeipa.org and other site, i find : > #ipactl stop > #ipa-server-upgrade > #ipactl start You do not need to do that. "yum update" is enough. > I not need to delete first the replication link before ? Certainly not. > What is the better solution ways ? See above. > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? > Or i need steps too ? You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating Best regards, François > Thanks you for your help > > Best Regard > Bien à vous > Mr Karim Bourenane > +33686464439 > +32 493 86 63 54 > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thank you for your update
As Florence says too, i have also only update ipa-*, but i have several Error: .... [Ensurung CA is using LDAPProfileSubsustem) [Migration certificat profiles to LDAP] IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run command ipa-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked cannot see ra_certprofile.override_port to 8443
ipa: DEBUG : File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py at line 1015, in run_script return_value = main_function ()
File /usr/sbin/ipactl, line 598, in main ipa_start (options)
File /usr/sbin/ipactl, line 288, in main version_check ()
File /usr/sbin/ipactl, line161, in version_ckeck raise IpactlError ("Abording ipactl")
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 19:36, Rob Crittenden rcritten@redhat.com a écrit :
Karim Bourenane via FreeIPA-users wrote:
Hello François, All
Thanks you for your answer / update
Here's what I did: All process RUNNING with : ipactl status yum update
*I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value)
2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Note that this has nothing to do with anything listening on port 8443.
This is trying to change the IPA runtime environment for some reason and it's in a locked state. I don't know this code very well so I'm not sure what the remediation is. It seems like something that should have either always or never worked but it could be it was affected by some later change, I don't know.
It thinks it needs to migrate your disk-based profiles into LDAP and that's not something that should be skipped.
rob
Regards
Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
Le lun. 8 juin 2020 à 08:56, François Cami <fcami@redhat.com mailto:fcami@redhat.com> a écrit :
Hi, On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > Hello Team > > I have some questions : > 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?) Not at the same time. The upgrade logic is bound to update some data in LDAP. It is best to wait until the first update is done, and the resulting replication traffic has subsided. Then do the other replica one at a time. > After searching on Freeipa.org and other site, i find : > #ipactl stop > #ipa-server-upgrade > #ipactl start You do not need to do that. "yum update" is enough. > I not need to delete first the replication link before ? Certainly not. > What is the better solution ways ? See above. > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version?
> Or i need steps too ? You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8.https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Best regards, François > Thanks you for your help > > Best Regard > Bien à vous > Mr Karim Bourenane > +33686464439 > +32 493 86 63 54 > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?)
Hi,
in order to upgrade each server from centOS 7.6 to CentOS 7.7, you need to run "yum update". This command will also update ipa-* packages and internally call ipa-server-upgrade, meaning you don't need to manually call ipa-server-upgrade. Please find more information in "Updating Identity Management" [1].
For multiple servers upgrade, keep in mind that the upgrade needs to be done sequentially, i.e upgrade server 1, wait a few minutes for replication to propagate changes, upgrade server 2, etc...
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
I not need to delete first the replication link before ? What is the better solution ways ?
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello Florence, all
I have also only update ipa-*, but i have same Error. Its appears that unable to unlink the port 8433 TCPV6 by pki-tomcat used by FreeIPA. Im actually blocked with this minor update.
.... [Ensurung CA is using LDAPProfileSubsustem) [Migration certificat profiles to LDAP] IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run command ipa-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked cannot see ra_certprofile.override_port to 8443
ipa: DEBUG : File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py at line 1015, in run_script return_value = main_function ()
File /usr/sbin/ipactl, line 598, in main ipa_start (options)
File /usr/sbin/ipactl, line 288, in main version_check ()
File /usr/sbin/ipactl, line161, in version_ckeck raise IpactlError ("Abording ipactl")
Regard Karim
Le lun. 8 juin 2020 à 08:58, Florence Blanc-Renaud flo@redhat.com a écrit :
On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote:
Hello Team
I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?)
Hi,
in order to upgrade each server from centOS 7.6 to CentOS 7.7, you need to run "yum update". This command will also update ipa-* packages and internally call ipa-server-upgrade, meaning you don't need to manually call ipa-server-upgrade. Please find more information in "Updating Identity Management" [1].
For multiple servers upgrade, keep in mind that the upgrade needs to be done sequentially, i.e upgrade server 1, wait a few minutes for replication to propagate changes, upgrade server 2, etc...
HTH, flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start
I not need to delete first the replication link before ? What is the better solution ways ?
2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?
Thanks you for your help
Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 6/9/20 10:04 AM, Karim Bourenane via FreeIPA-users wrote:
Hello Florence, all
I have also only update ipa-*, but i have same Error. Its appears that unable to unlink the port 8433 TCPV6 by pki-tomcat used by FreeIPA. Im actually blocked with this minor update.
Hi, do you mean that you ran # yum update ipa-* instead of # yum update ?
The recommendation is to upgrade all the packages when upgrading the OS version, not only the ipa ones. Also please post the content of /var/log/ipaupgrade.log for us to understand the exact issue.
flo
.... [Ensurung CA is using LDAPProfileSubsustem) [Migration certificat profiles to LDAP] IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run command ipa-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked cannot see ra_certprofile.override_port to 8443
ipa: DEBUG : File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py at line 1015, in run_script return_value = main_function ()
File /usr/sbin/ipactl, line 598, in main ipa_start (options)
File /usr/sbin/ipactl, line 288, in main version_check ()
File /usr/sbin/ipactl, line161, in version_ckeck raise IpactlError ("Abording ipactl")
Regard Karim
Le lun. 8 juin 2020 à 08:58, Florence Blanc-Renaud <flo@redhat.com mailto:flo@redhat.com> a écrit :
On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote: > Hello Team > > I have some questions : > 1°) I need your help, to find the better way to upgrade my 3 servers > linked (replicat). > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in > same time the IPAServer (or separately ?) Hi, in order to upgrade each server from centOS 7.6 to CentOS 7.7, you need to run "yum update". This command will also update ipa-* packages and internally call ipa-server-upgrade, meaning you don't need to manually call ipa-server-upgrade. Please find more information in "Updating Identity Management" [1]. For multiple servers upgrade, keep in mind that the upgrade needs to be done sequentially, i.e upgrade server 1, wait a few minutes for replication to propagate changes, upgrade server 2, etc... HTH, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/updating-migrating#update-ipa > > After searching on Freeipa.org and other site, i find : > #ipactl stop > #ipa-server-upgrade > #ipactl start > > I not need to delete first the replication link before ? > What is the better solution ways ? > > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? > Or i need steps too ? > > Thanks you for your help > > Best Regard > Bien à vous > Mr Karim Bourenane > +33686464439 > +32 493 86 63 54 > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org
-
Florence Blanc-Renaud -
François Cami -
Karim Bourenane -
Rob Crittenden