Hi. I want to upgrade a cluster from 4.6 to 4.9. To do this, I raised the host with EL8 and launched ipa-client-install. Is this the right way, without data loss and service downtime?

In the logs:

tail -f /var/log/dirsrv/slapd-OPENTECH-LOCAL/access
[02/Sep/2021:20:09:48.282984535 +0700] conn=84 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:09:48.366825074 +0700] conn=84 op=6 RESULT err=0 tag=101 nentries=1 wtime=0.000158968 optime=0.083844272 etime=0.083999242
[02/Sep/2021:20:09:48.368297195 +0700] conn=84 op=7 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:09:48.455352207 +0700] conn=84 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000181242 optime=0.087049680 etime=0.087227596
[02/Sep/2021:20:09:48.598806315 +0700] conn=84 op=8 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:09:48.682435023 +0700] conn=84 op=8 RESULT err=0 tag=101 nentries=1 wtime=0.000253118 optime=0.083640981 etime=0.083890259
[02/Sep/2021:20:09:48.683959959 +0700] conn=84 op=9 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:09:48.770110056 +0700] conn=84 op=9 RESULT err=0 tag=101 nentries=1 wtime=0.000208691 optime=0.086154930 etime=0.086360171
[02/Sep/2021:20:09:48.909866069 +0700] conn=84 op=10 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[02/Sep/2021:20:09:48.912490317 +0700] conn=84 op=10 RESULT err=0 tag=120 nentries=0 wtime=0.000289908 optime=0.002650238 etime=0.002936579
[02/Sep/2021:20:10:48.922904521 +0700] conn=84 op=11 UNBIND
[02/Sep/2021:20:10:48.922965013 +0700] conn=84 op=11 fd=66 closed error - U1
[02/Sep/2021:20:14:48.918514584 +0700] conn=85 fd=66 slot=66 connection from 100.100.101.32 to 100.100.101.40
[02/Sep/2021:20:14:48.919643414 +0700] conn=85 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.924271354 +0700] conn=85 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000226790 optime=0.004647939 etime=0.004872681, SASL bind in progress
[02/Sep/2021:20:14:48.924947480 +0700] conn=85 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.926146732 +0700] conn=85 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000108403 optime=0.001218993 etime=0.001325062, SASL bind in progress
[02/Sep/2021:20:14:48.926456549 +0700] conn=85 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.928285095 +0700] conn=85 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000100271 optime=0.001837886 etime=0.001936360 dn="cn=ldap/ipa.opentech.local@opentech.local,cn=config"
[02/Sep/2021:20:14:48.928732360 +0700] conn=85 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[02/Sep/2021:20:14:48.930310374 +0700] conn=85 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000268088 optime=0.001582573 etime=0.001848120
[02/Sep/2021:20:14:48.930713077 +0700] conn=85 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[02/Sep/2021:20:14:48.931502374 +0700] conn=85 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000163012 optime=0.000794216 etime=0.000955217
[02/Sep/2021:20:14:48.931924135 +0700] conn=85 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[02/Sep/2021:20:14:48.932420631 +0700] conn=85 op=5 RESULT err=0 tag=120 nentries=0 wtime=0.000175640 optime=0.000511504 etime=0.000685664
[02/Sep/2021:20:14:48.933224132 +0700] conn=85 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:14:49.020265304 +0700] conn=85 op=6 RESULT err=0 tag=101 nentries=1 wtime=0.000292725 optime=0.087050480 etime=0.087328584
[02/Sep/2021:20:14:49.021831595 +0700] conn=85 op=7 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:14:49.108675770 +0700] conn=85 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000198623 optime=0.086851160 etime=0.087044647
[02/Sep/2021:20:14:49.302421780 +0700] conn=85 op=8 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:14:49.386806785 +0700] conn=85 op=8 RESULT err=0 tag=101 nentries=1 wtime=0.000241187 optime=0.084394151 etime=0.084629811
[02/Sep/2021:20:14:49.388020857 +0700] conn=85 op=9 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:14:49.472898588 +0700] conn=85 op=9 RESULT err=0 tag=101 nentries=1 wtime=0.000201533 optime=0.084883308 etime=0.085081048
[02/Sep/2021:20:14:49.673264389 +0700] conn=85 op=10 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[02/Sep/2021:20:14:49.675188470 +0700] conn=85 op=10 RESULT err=0 tag=120 nentries=0 wtime=0.000182362 optime=0.001932648 etime=0.002112039
[02/Sep/2021:20:15:49.686722184 +0700] conn=85 op=11 UNBIND
[02/Sep/2021:20:15:49.686787256 +0700] conn=85 op=11 fd=66 closed error - U1
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configure password logging
  [7/38]: configuring replication version plugin
  [8/38]: enabling IPA enrollment plugin
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: configuring topology plugin
  [16/38]: creating indices
  [17/38]: enabling referential integrity plugin
  [18/38]: configuring certmap.conf
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache and keytab
  [21/38]: enabling SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: creating DS keytab
  [24/38]: ignore time skew for initial replication
  [25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12194 seconds elapsed
Mikhail Kiselev via FreeIPA-users wrote:
Hi. I want to upgrade a cluster from 4.6 to 4.9. To do this, I raised the host with EL8 and launched ipa-client-install. Is this the right way, without data loss and service downtime?
Yes.
I can't explain why replication isn't being marked as complete during install unless you just have thousands and thousands of entries. Otherwise it's that the remote (el7) side isn't sending the expected response so that IPA knows that replication is complete and without error.
You'll need to dig into the 389-ds logs on both sides looking for issues, both in access and in errors. You can use the ipareplica-install.log to help determine the approximate time to start looking in the logs to help narrow things down.
rob
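The access-log triage Rob describes, as an added example that is not part of the original thread: it pairs each RESULT with its request by conn/op, drops the normal noise (err=0, the err=14 steps of a GSSAPI bind, U1 closes after UNBIND) and can start at a time taken from ipareplica-install.log. The function name, the two "benign" sets and the conn=86 lines are assumptions made for this sketch.

```python
import re
from datetime import datetime

# conn=85 lines are copied from the post; conn=86 lines are constructed
# here to show what a failing operation would look like.
SAMPLE = '''\
[02/Sep/2021:20:14:48.919643414 +0700] conn=85 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.924271354 +0700] conn=85 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000226790 optime=0.004647939 etime=0.004872681, SASL bind in progress
[02/Sep/2021:20:14:49.673264389 +0700] conn=85 op=10 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[02/Sep/2021:20:14:49.675188470 +0700] conn=85 op=10 RESULT err=0 tag=120 nentries=0 wtime=0.000182362 optime=0.001932648 etime=0.002112039
[02/Sep/2021:20:15:49.686722184 +0700] conn=85 op=11 UNBIND
[02/Sep/2021:20:15:49.686787256 +0700] conn=85 op=11 fd=66 closed error - U1
[02/Sep/2021:20:16:01.000000000 +0700] conn=86 op=3 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[02/Sep/2021:20:16:01.100000000 +0700] conn=86 op=3 RESULT err=53 tag=120 nentries=0 etime=0.100000000
[02/Sep/2021:20:16:01.200000000 +0700] conn=86 op=-1 fd=67 closed error - B1
'''

# Timestamp (nanoseconds dropped), UTC offset, conn, optional op, rest of line.
LINE = re.compile(r'\[(\S+?)(?:\.\d+)? ([+-]\d{4})\] conn=(\d+) (?:op=(-?\d+) )?(.*)')
BENIGN_ERR = {0, 14}     # 14 = SASL bind in progress (multi-step GSSAPI bind)
BENIGN_CLOSE = {"U1"}    # U1 = server closed the connection after UNBIND

def findings(text, since=None):
    """Return (conn, op, request type, detail) for every non-benign event."""
    requests, out = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, tz, conn, op, rest = m.groups()
        when = datetime.strptime(f"{stamp} {tz}", "%d/%b/%Y:%H:%M:%S %z")
        if since and when < since:      # since must be timezone-aware
            continue
        if rest.startswith("RESULT"):
            err = int(re.search(r'err=(\d+)', rest).group(1))
            if err not in BENIGN_ERR:
                out.append((conn, op, requests.get((conn, op), "?"), f"err={err}"))
        elif (c := re.search(r'closed(?: error)? - (\w+)', rest)):
            if c.group(1) not in BENIGN_CLOSE:
                out.append((conn, op, "close", c.group(1)))
        else:                           # request line: remember BIND/SRCH/EXT/...
            requests[(conn, op)] = rest.split(" ", 1)[0]
    return out

if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```

On the conn=85 lines copied from the post it reports nothing: every result is err=0 or err=14 and the close is U1, so the access-log excerpt alone does not show the failure and the errors log on both sides needs the same pass.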
Log dirsrv on master https://pastebin.com/hqSrNZQ7
Log dirsrv on new replica https://pastebin.com/cpzC2pji
Hi, Which version of 389-ds is installed on the replica? I think you're hitting https://github.com/389ds/389-ds-base/issues/4872
The problem happens because the new replica has a schema definition for entryUUID with a new syntax. When it gets installed, the schema should get replicated to the original master but the master doesn't know this new syntax, schema replication fails, and the entries with this attribute can't be replicated to the original master.
flo
On Fri, Sep 10, 2021 at 6:32 AM Mikhail Kiselev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Log dirsrv on master https://pastebin.com/hqSrNZQ7
Log dirsrv on new replica https://pastebin.com/cpzC2pji
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
I have this software installed:
[code]
[root@ipael8 ~]# dnf list 389*
Last metadata expiration check: 0:16:59 ago on Пт 10 сен 2021 13:26:14.
Installed Packages
389-ds-base.x86_64                1.4.3.23-7.module_el8.5.0+889+90e0384f  @appstream
389-ds-base-libs.x86_64           1.4.3.23-7.module_el8.5.0+889+90e0384f  @appstream
Available Packages
389-ds-base-devel.x86_64          1.4.3.23-7.module_el8.5.0+889+90e0384f  appstream
389-ds-base-legacy-tools.x86_64   1.4.3.23-7.module_el8.5.0+889+90e0384f  appstream
389-ds-base-snmp.x86_64           1.4.3.23-7.module_el8.5.0+889+90e0384f  appstream
[root@ipael8 ~]# dnf list ipa*
Last metadata expiration check: 0:17:13 ago on Пт 10 сен 2021 13:26:14.
Installed Packages
ipa-client.x86_64                 4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-client-common.noarch          4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-common.noarch                 4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-healthcheck-core.noarch       0.7-6.module_el8.5.0+921+2b5d5825       @appstream
ipa-selinux.noarch                4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server.x86_64                 4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server-common.noarch          4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server-dns.noarch             4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server-trust-ad.x86_64        4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
[/code]
Hi,
the fix is included in 389-ds-base 1.4.3.23-8.
flo
On Fri, Sep 10, 2021 at 8:46 AM Mikhail Kiselev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
I have this software installed:
[code]
[root@ipael8 ~]# dnf list 389*
Last metadata expiration check: 0:16:59 ago on Пт 10 сен 2021 13:26:14.
Installed Packages
389-ds-base.x86_64                1.4.3.23-7.module_el8.5.0+889+90e0384f  @appstream
389-ds-base-libs.x86_64           1.4.3.23-7.module_el8.5.0+889+90e0384f  @appstream
Available Packages
389-ds-base-devel.x86_64          1.4.3.23-7.module_el8.5.0+889+90e0384f  appstream
389-ds-base-legacy-tools.x86_64   1.4.3.23-7.module_el8.5.0+889+90e0384f  appstream
389-ds-base-snmp.x86_64           1.4.3.23-7.module_el8.5.0+889+90e0384f  appstream
[root@ipael8 ~]# dnf list ipa*
Last metadata expiration check: 0:17:13 ago on Пт 10 сен 2021 13:26:14.
Installed Packages
ipa-client.x86_64                 4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-client-common.noarch          4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-common.noarch                 4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-healthcheck-core.noarch       0.7-6.module_el8.5.0+921+2b5d5825       @appstream
ipa-selinux.noarch                4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server.x86_64                 4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server-common.noarch          4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server-dns.noarch             4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
ipa-server-trust-ad.x86_64        4.9.6-4.module_el8.5.0+921+2b5d5825     @appstream
[/code]
Thanks. But this version is not yet in the repositories.