Hello Team I have some questions : 1°) I need your help, to find the better way to upgrade my 3 servers linked (replicat). I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in same time the IPAServer (or separately ?)

After searching on Freeipa.org and other site, i find : #ipactl stop #ipa-server-upgrade #ipactl start

I not need to delete first the replication link before ?

What is the better solution ways ?

2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? Or i need steps too ?

Thanks you for your help Best Regard Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54 _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Hello François, All Thanks you for your answer / update Here's what I did: All process RUNNING with : ipactl status yum update *I have several error into the yum update command *: 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2020-06-08T09:39:42Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1990, in migrate_profiles_to_ldap api.Backend.ra_certprofile.override_port = 8443 File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in __setattr__ SET_ERROR % (self.__class__.__name__, name, value) 2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: locked: cannot set ra_certprofile.override_port to 8443 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Regards Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54 Le lun. 8 juin 2020 à 08:56, François Cami <fcami(a)redhat.com&gt; a écrit : > Hi, > > On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users > <freeipa-users(a)lists.fedorahosted.org&gt; wrote: > > > > Hello Team > > > > I have some questions : > > 1°) I need your help, to find the better way to upgrade my 3 servers > linked (replicat). > > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in > same time the IPAServer (or separately ?) > > Not at the same time. The upgrade logic is bound to update some data > in LDAP. It is best to wait until the first update is done, and the > resulting replication traffic has subsided. Then do the other replica > one at a time. > > > After searching on Freeipa.org and other site, i find : > > #ipactl stop > > #ipa-server-upgrade > > #ipactl start > > You do not need to do that. "yum update" is enough. > > > I not need to delete first the replication link before ? > > Certainly not. > > > What is the better solution ways ? > > See above. > > > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? > > Or i need steps too ? > > You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8. > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... > > Best regards, > François > > > Thanks you for your help > > > > Best Regard > > Bien à vous > > Mr Karim Bourenane > > +33686464439 > > +32 493 86 63 54 > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > >

Hello I found a track, its appear that the JAVA dont want to leave the TCPV6 port connexion: #netstat -plten | grep 8433 tcp6 0 0 :::8443 :::* LISTEN 17 178055 25551/java And also http with tcp6 443 This connexion launched if the command : yum update (come in libcc ) or when i launch ipa-server-update How i can correct this behavior ? Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54 Le lun. 8 juin 2020 à 13:10, Karim Bourenane <karim.bourenane(a)gmail.com&gt; a écrit : > Hello François, Florence, All > > After checking and disabling my local firewall. > I have the same problem: > .... > [Ensurung CA is using LDAPProfileSubsustem) > [Migration certificat profiles to LDAP] > IPA server upgrade failed : Inspect /var/log/ipaupgrade.log and run > command ipa-upgrade manually. > Unexpected error - see /var/log/ipaupgrade.log for details: > AttributeError: locked cannot see ra_certprofile.override_port to 8443 > > > Regard > > > Bien à vous > Mr Karim Bourenane > +33686464439 > +32 493 86 63 54 > > > > Le lun. 8 juin 2020 à 11:54, Karim Bourenane <karim.bourenane(a)gmail.com&gt; > a écrit : > >> Hello François, All >> >> Thanks you for your answer / update >> >> Here's what I did: >> All process RUNNING with : ipactl status >> yum update >> >> *I have several error into the yum update command *: >> 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect >> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >> 2020-06-08T09:39:42Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in >> execute >> return_value = self.run() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >> line 54, in run >> server.upgrade() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >> line 2146, in upgrade >> upgrade_configuration() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >> line 2018, in upgrade_configuration >> ca_enable_ldap_profile_subsystem(ca) >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >> line 406, in ca_enable_ldap_profile_subsystem >> cainstance.migrate_profiles_to_ldap() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line >> 1990, in migrate_profiles_to_ldap >> api.Backend.ra_certprofile.override_port = 8443 >> File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in >> __setattr__ >> SET_ERROR % (self.__class__.__name__, name, value) >> >> 2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, >> exception: AttributeError: locked: cannot set ra_certprofile.override_port >> to 8443 >> 2020-06-08T09:39:42Z ERROR Unexpected error - see >> /var/log/ipaupgrade.log for details: >> AttributeError: locked: cannot set ra_certprofile.override_port to 8443 >> 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See >> /var/log/ipaupgrade.log for more information >> >> >> Regards >> >> >> Bien à vous >> Mr Karim Bourenane >> +33686464439 >> +32 493 86 63 54 >> >> >> >> Le lun. 8 juin 2020 à 08:56, François Cami <fcami(a)redhat.com&gt; a écrit : >> >>> Hi, >>> >>> On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users >>> <freeipa-users(a)lists.fedorahosted.org&gt; wrote: >>> > >>> > Hello Team >>> > >>> > I have some questions : >>> > 1°) I need your help, to find the better way to upgrade my 3 servers >>> linked (replicat). >>> > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in >>> same time the IPAServer (or separately ?) >>> >>> Not at the same time. The upgrade logic is bound to update some data >>> in LDAP. It is best to wait until the first update is done, and the >>> resulting replication traffic has subsided. Then do the other replica >>> one at a time. >>> >>> > After searching on Freeipa.org and other site, i find : >>> > #ipactl stop >>> > #ipa-server-upgrade >>> > #ipactl start >>> >>> You do not need to do that. "yum update" is enough. >>> >>> > I not need to delete first the replication link before ? >>> >>> Certainly not. >>> >>> > What is the better solution ways ? >>> >>> See above. >>> >>> > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? >>> > Or i need steps too ? >>> >>> You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8. >>> >>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... >>> >>> Best regards, >>> François >>> >>> > Thanks you for your help >>> > >>> > Best Regard >>> > Bien à vous >>> > Mr Karim Bourenane >>> > +33686464439 >>> > +32 493 86 63 54 >>> > >>> > _______________________________________________ >>> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >>> > To unsubscribe send an email to >>> freeipa-users-leave(a)lists.fedorahosted.org >>> > Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> > List Guidelines: >>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>> > List Archives: >>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>> >>>

Karim Bourenane via FreeIPA-users wrote: > Hello François, All > > Thanks you for your answer / update > > Here's what I did: > All process RUNNING with : ipactl status > yum update > > *I have several error into the yum update command *: > 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2020-06-08T09:39:42Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in > execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 54, in run > server.upgrade() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", > line 2146, in upgrade > upgrade_configuration() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", > line 2018, in upgrade_configuration > ca_enable_ldap_profile_subsystem(ca) > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", > line 406, in ca_enable_ldap_profile_subsystem > cainstance.migrate_profiles_to_ldap() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line > 1990, in migrate_profiles_to_ldap > api.Backend.ra_certprofile.override_port = 8443 > File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in > __setattr__ > SET_ERROR % (self.__class__.__name__, name, value) > > 2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed, > exception: AttributeError: locked: cannot set > ra_certprofile.override_port to 8443 > 2020-06-08T09:39:42Z ERROR Unexpected error - see > /var/log/ipaupgrade.log for details: > AttributeError: locked: cannot set ra_certprofile.override_port to 8443 > 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See > /var/log/ipaupgrade.log for more information Note that this has nothing to do with anything listening on port 8443. This is trying to change the IPA runtime environment for some reason and it's in a locked state. I don't know this code very well so I'm not sure what the remediation is. It seems like something that should have either always or never worked but it could be it was affected by some later change, I don't know. It thinks it needs to migrate your disk-based profiles into LDAP and that's not something that should be skipped. rob > > > Regards > > > Bien à vous > Mr Karim Bourenane > +33686464439 > +32 493 86 63 54 > > > > Le lun. 8 juin 2020 à 08:56, François Cami <fcami(a)redhat.com > <mailto:fcami@redhat.com>> a écrit : > > Hi, > > On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users > <freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > > > Hello Team > > > > I have some questions : > > 1°) I need your help, to find the better way to upgrade my 3 > servers linked (replicat). > > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update > in same time the IPAServer (or separately ?) > > Not at the same time. The upgrade logic is bound to update some data > in LDAP. It is best to wait until the first update is done, and the > resulting replication traffic has subsided. Then do the other replica > one at a time. > > > After searching on Freeipa.org and other site, i find : > > #ipactl stop > > #ipa-server-upgrade > > #ipactl start > > You do not need to do that. "yum update" is enough. > > > I not need to delete first the replication link before ? > > Certainly not. > > > What is the better solution ways ? > > See above. > > > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? > > Or i need steps too ? > > You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8. > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... > > Best regards, > François > > > Thanks you for your help > > > > Best Regard > > Bien à vous > > Mr Karim Bourenane > > +33686464439 > > +32 493 86 63 54 > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote: > Hello Team > > I have some questions : > 1°) I need your help, to find the better way to upgrade my 3 servers > linked (replicat). > I want to upgrade servers from CentOS 7.6 to CentOS7.7 with update in > same time the IPAServer (or separately ?) Hi, in order to upgrade each server from centOS 7.6 to CentOS 7.7, you need to run "yum update". This command will also update ipa-* packages and internally call ipa-server-upgrade, meaning you don't need to manually call ipa-server-upgrade. Please find more information in "Updating Identity Management" [1]. For multiple servers upgrade, keep in mind that the upgrade needs to be done sequentially, i.e upgrade server 1, wait a few minutes for replication to propagate changes, upgrade server 2, etc... HTH, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > > After searching on Freeipa.org and other site, i find : > #ipactl stop > #ipa-server-upgrade > #ipactl start > > I not need to delete first the replication link before ? > What is the better solution ways ? > > 2°) Is not better to migrate my IPAServers's to 4.7 or 4.8 version ? > Or i need steps too ? > > Thanks you for your help > > Best Regard > Bien à vous > Mr Karim Bourenane > +33686464439 > +32 493 86 63 54 > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >