Rebased:
Resubmitting the following since it didn't make it to the stable:
This update resolves an issue which caused uninstall of a FreeIPA server to fail with authselect 1.0.2, which recently appeared as an update. See the pull request for more details.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2018-3241dd6a7f
Please login to add feedback.
This update has been submitted for testing by dmoluguw.
This update has been pushed to testing.
Same OpenQA issue as FreeIPA: https://openqa.fedoraproject.org/tests/314576#step/role_deploy_domain_controller/29
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
The issue that we see in OpenQA isn't reproducible in a normal dev/CI environment. We need to look why we get the following error:
We don't depend on
CMS.getLogger()
any more. We try to instantiate aslf4j
logger in its place.This is a weird error since openQA tests with a conflicting version of IPA. This new PKI package requires IPA >= 4.7.1
A specific conflict was declared in PKI: https://github.com/dogtagpki/pki/blob/master/pki.spec#L679
But, open QA tests with FreeIPA 4.7.0: https://openqa.fedoraproject.org/tests/314576#step/_advisory_update/21
Since
freeIPA 4.5.1
doesn't exist yet in bodhi, the errors occurred. Regardless, OpenQA must have reported a different error.sgallagh edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by sgallagh.
This update has obsoleted freeipa-4.7.0-5.fc29, and has inherited its bugs and notes.
I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.
sgallagh edited this update.
New build(s):
Removed build(s):
Karma has been reset.
There is a bunch of AVCs in two failed tests:
As far as I can see, the server upgrade failure is purely AVC-related. Client upgrade failure is due to a combination of few factors: - AVCs by SSSD - Certificate for IPA master issued with the same serial as it was used on some older install by this client. Is the client re-enrolled after upgrade? It might have unclean Firefox settings then. - GSSAPI failures in SSSD, preventing to contact and authenticate to LDAP, thus failing to provide user and group infromation. Perhaps, this one is driven by AVCs.
If we could re-run this update with permissive in staging to see if AVCs are the core issue, that would be very helpful.
This update has been pushed to testing.
FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.
works for me
This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes
This update has been submitted for batched by sgallagh.
@abbra the AVCs seem to always happen - if you look at the same tests on other updates, they also soft-fail due to the presence of AVCs. It should be looked into, but it doesn't appear to relate to this update. No, the client is not re-enrolled after upgrade.
The serial number-related failure is an odd one that seems to just sort of happen now and again, I think I've seen it in Rawhide too. I'm not sure what the cause is.
The most recent run of the tests passed; I'm not sure if I just manually restarted to see if the failure was something transient, or if they got auto-re-run by the edit to include dogtag-pki 3.fc29.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.