[Freeipa-users] Re: Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)

Thu, 03 May 2018 00:32:15 -0700 

Hi,
During indexing task we should see in the task status the periodic progression of the indexing. May be the indexing is hanging somewhere. When the problem occurs could you provide a pstack of the dirsrv server ? 

best regards
thierry

On 05/02/2018 10:27 PM, Rob Crittenden wrote:

SOLER SANGUESA Miguel via FreeIPA-users wrote:

Hello,

This is the output of the command (seems that is not complete):


# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE-ORG.socket 
-b 
cn=indextask_description_137444551994158920_5958,cn=index,cn=tasks,cn=config 
-s base

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3

# base 
<cn=indextask_description_137444551994158920_5958,cn=index,cn=tasks,cn=config> 
with scope baseObject

# filter: (objectclass=*)
# requesting: ALL
#

# indextask_description_137444551994158920_5958, index, tasks, config

dn: 
cn=indextask_description_137444551994158920_5958,cn=index,cn=tasks,cn=conf

  ig
objectClass: top
objectClass: extensibleObject
nsindexattribute: description
nsinstance: userRoot
cn: indextask_description_137444551994158920_5958
nstaskcurrentitem: 0
nstasktotalitems: 1



IPA is looking for nstaskstatus and since that isn't there it is 
looping forever.


I've cc'd a couple of the 389-ds devs to see what they think about it.

rob



# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Thanks & Regards.
______________________________
-----Original Message-----
From: Rob Crittenden <rcrit...@redhat.com>
Sent: Tuesday, May 01, 2018 15:18
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>

Subject: Re: [Freeipa-users] Re: Problem on dirsrv when updating from 
4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)


SOLER SANGUESA Miguel via FreeIPA-users wrote:

Hello,


Thank you for your answer, now dirsrv can start, but after running 
the "

dirsrv@IPA-UNICC-ORG.service " it hungs:

# ipa-server-upgrade

Upgrading IPA:. Estimated time: 1 minute 30 seconds

    [1/8]: saving configuration

    [2/8]: disabling listeners

    [3/8]: enabling DS global lock

    [4/8]: starting directory server

    [5/8]: updating schema

    [6/8]: upgrading server

The latest messages on the log is (there are no logs on the lasts 2h):

2018-05-01T08:13:14Z DEBUG
---------------------------------------------

2018-05-01T08:13:14Z DEBUG Final value after applying updates

2018-05-01T08:13:14Z DEBUG dn:
cn=description,cn=index,cn=userroot,cn=ldbm
database,cn=plugins,cn=config

2018-05-01T08:13:14Z DEBUG objectclass:

2018-05-01T08:13:14Z DEBUG      top

2018-05-01T08:13:14Z DEBUG      nsindex

2018-05-01T08:13:14Z DEBUG nsindextype:

2018-05-01T08:13:14Z DEBUG      eq

2018-05-01T08:13:14Z DEBUG      sub

2018-05-01T08:13:14Z DEBUG cn:

2018-05-01T08:13:14Z DEBUG      description

2018-05-01T08:13:14Z DEBUG nssystemindex:

2018-05-01T08:13:14Z DEBUG      false

2018-05-01T08:13:19Z DEBUG Creating task to index attribute:
description

2018-05-01T08:13:19Z DEBUG Task id:
cn=indextask_description_137444551994158920_5958,cn=index,cn=tasks,cn=
config

If I check the ipa services, dirsrv is the only one running:

# ipactl status

Directory Service: RUNNING

krb5kdc Service: STOPPED

kadmin Service: STOPPED

named Service: STOPPED

httpd Service: STOPPED

ipa-custodia Service: STOPPED

ntpd Service: RUNNING

pki-tomcatd Service: STOPPED

smb Service: STOPPED

winbind Service: STOPPED

ipa-otpd Service: STOPPED

ipa-dnskeysyncd Service: STOPPED

ipa: INFO: The ipactl command was successful

Should I stop the ipa-server-upgrade and start ipa services?



It depends on how many entries you have. This is an indexing task and 
while 2 hours seems a bit excessive, it depends on how much work it 
has to do.


The 389-ds access and/or error logs may provide details.

rob



Thanks.

-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Tuesday, May 01, 2018 9:56
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Problem on dirsrv when updating from
4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)

On ti, 01 touko 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:

  >hello,

  >

  >I have an IPA master that updated from 4.5.0 (RHEL 7.4) to 4.5.4
(RHEL 7.5). An hour later I tried to do the same with the unique
replica I have, but after update dirsrv is not starting.

  >It says it is needed run "ipa-server-upgrade", but it also fails:

  ># ipactl start

  >Upgrade required: please run ipa-server-upgrade command Aborting
ipactl

  >

  ># ipa-server-upgrade

  >Upgrading IPA:. Estimated time: 1 minute 30 seconds

  >  [1/8]: saving configuration

  >  [2/8]: disabling listeners

  >  [3/8]: enabling DS global lock

  >  [4/8]: starting directory server

  >  [error] CalledProcessError: Command '/bin/systemctl start

  >dirsrv@IPA-EXAMOLE-ORG.service
<mailto:dirsrv@IPA-EXAMOLE-ORG.service>' returned non-zero exit status
1

  >  [cleanup]: stopping directory server

  >  [cleanup]: restoring configuration

  >IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.

  >Unexpected error - see /var/log/ipaupgrade.log for details:

  >CalledProcessError: Command '/bin/systemctl start

  >dirsrv@IPA-EXAMPLE-ORG.service
<mailto:dirsrv@IPA-EXAMPLE-ORG.service>' returned non-zero exit status
1 The

  >ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more

  >information

  >

  >On the log I can see:

  >2018-04-30T14:36:15Z DEBUG Starting external process

  >2018-04-30T14:36:15Z DEBUG args=/bin/systemctl is-active

  >dirsrv@IPA-EXAMPLE-ORG.service
<mailto:dirsrv@IPA-EXAMPLE-ORG.service>
2018-04-30T14:36:15Z DEBUG Process

  >finished, return code=3 2018-04-30T14:36:15Z DEBUG stdout=failed ...

  >2018-04-30T14:36:15Z DEBUG   [4/8]: starting directory server

  >2018-04-30T14:36:15Z DEBUG Starting external process

  >2018-04-30T14:36:15Z DEBUG args=/bin/systemctl start

  >dirsrv@IPA-EXAMPLE-ORG.service
<mailto:dirsrv@IPA-EXAMPLE-ORG.service>
2018-04-30T14:36:15Z DEBUG Process

  >finished, return code=1 2018-04-30T14:36:15Z DEBUG stdout=

  >2018-04-30T14:36:15Z DEBUG stderr=Job for
dirsrv@IPA-EXAMPLE-ORG.service <mailto:dirsrv@IPA-EXAMPLE-ORG.service>
failed because the control process exited with error code. See
"systemctl status dirsrv@IPA-EXAMPLE-ORG.service

<mailto:dirsrv@IPA-EXAMPLE-ORG.service>" and "journalctl -xe" for 
details.


  >

  >2018-04-30T14:36:15Z DEBUG Traceback (most recent call last):

  >  File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
504, in start_creation

  >    run_step(full_msg, method)

  >  File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
494, in run_step

  >    method()

  >  File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py
",
line 95, in __start

  >    srv.start(self.serverid, ldapi=True)

  >  File
"/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
line 161, in start

  >    instance_name, capture_output=capture_output, wait=wait)

  >  File
"/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line
294, in start

  >    skip_output=not capture_output)

  >  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
542, in run

  >    raise CalledProcessError(p.returncode, arg_string, str(output))

  >CalledProcessError: Command '/bin/systemctl start

  >dirsrv@IPA-EXAMPLE-ORG.service
<mailto:dirsrv@IPA-EXAMPLE-ORG.service>' returned non-zero exit status
1

  >

  >2018-04-30T14:36:15Z DEBUG   [error] CalledProcessError: Command
'/bin/systemctl start dirsrv@IPA-EXAMPLE-ORG.service
<mailto:dirsrv@IPA-EXAMPLE-ORG.service>' returned non-zero exit status
1

  >

  >Checking /var/log/dirsrv/slapd-IPA-EXAMPLE-ORG/errors I show:

  >[30/Apr/2018:16:04:52.584220922 +0200] - ERR -
slapd_bootstrap_config
- The default password storage scheme could not be read or was not

found in the file /etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse.ldif. It is 
mandatory.


  >

  >Checking on internet I show that "dse.ldif" could be corrupted, so I
changed with "dse.ldif.startOK" without any change and then I changed
with "dse.ldif.bak". The problem persist but the error has changed:

  >[30/Apr/2018:16:32:13.435210918 +0200] - NOTICE - config_set_port -

  >Non-Secure Port Disabled

  >[30/Apr/2018:16:32:13.556581301 +0200] - ERR - symload_report_error
-

  >Netscape Portable Runtime error -5975:


  >/usr/lib64/dirsrv/plugins/libreplication-plugin.so: undefined 
symbol:


  >replication_legacy_plugin_init

  >[30/Apr/2018:16:32:13.561590553 +0200] - ERR - symload_report_error
-

  >Could not load symbol "replication_legacy_plugin_init" from

  >"/usr/lib64/dirsrv/plugins/libreplication-plugin.so" for plugin
Legacy

  >Replication Plugin

  >[30/Apr/2018:16:32:13.564590264 +0200] - ERR - load_plugin_entry -

Unable to load plugin "cn=Legacy Replication 
Plugin,cn=plugins,cn=config"


  >

  >I saw a bug about this problem, but it is still opened:

>https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1529442

  >

  >Any idea how to fix the issue?

  >

  >If it is not possible to fix it, can I remove the replica from IPA
and install it again with the same name?

A quick fix could be to remove an entry for cn=Legacy Replication
Plugin,cn=plugins,cn=config from
/etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse/ldif

when dirsrv is down.

--

/ Alexander Bokovoy

Sr. Principal Software Engineer

Security / Identity Management Engineering Red Hat Limited, Finland



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org

To unsubscribe send an email to 
freeipa-users-le...@lists.fedorahosted.org





_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org






















					Reply via email to