Upstream release FreeIPA 4.8.10
Release notes: https://www.freeipa.org/page/Releases/4.8.10
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-e9e815177e
Please login to add feedback.
This update has been submitted for testing by abbra.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
Greenwave fails but OpenQA started testing this update as https://openqa.fedoraproject.org/tests/677717#. There is one failure in DNS upgrade code for which I filed upstream issue https://pagure.io/freeipa/issue/8518
abbra edited this update.
New build(s):
Removed build(s):
Karma has been reset.
A build freeipa-4.8.10-2.fc33 with PR https://github.com/freeipa/freeipa/pull/5153 succeeded in OpenQA where previous build freeipa-4.8.10-1.fc33 did fail.
This update has been pushed to testing.
abbra edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by abbra.
This update has been pushed to testing.
FreeIPA server installation works for me.
Client-only installation does not pull in FreeIPA server packages.
systemd-resolved integration does not work correctly. resolved ignores the new drop-in configuration file.
resolvectl does neither show default DNS server 127.0.0.1 nor ipa.example default search domain.
DNS lookup of ipa-ca alias with default resolver systemd-resolved does not work either:
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
/etc/systemd/resolved.conf.d
was not accessible by systemd-resolved. PR https://github.com/freeipa/freeipa/pull/5156 fixes the problem.abbra edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by abbra.
This update has been pushed to testing.
This is not a full fix, sadly. Restoring SELinux context on a generated config file does not work. I added details to https://pagure.io/freeipa/issue/8518
abbra edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by abbra.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
As noted in the bug report, openQA tests passing was not indicative of the update working, because I had already put a workaround for the systemd-resolved problem in the openQA tests themselves: we simply check if systemd-resolved is enabled and disable it if so, reverting to how things worked before F33.
I've temporarily hacked the tests to skip that workaround if we're testing this specific update, and am re-running them. That should give us more useful results.
So looks like the replica test fails much the same way it did before I added the workaround :( That's with freeipa-4.8.10-5.fc33 .
Actually, the resolved support on the replica works just fine -- it is able to resolve master and communicate to it. What fails is resolution of the replica hostname from master:
Sadly, the logs we have collected from master do not include anything from
/var/log
or/etc/
so there is no way to understand what is broken.Checking through the replica logs, it seems that master itself is not capable to talk to own DNS server (connection check runs on replica and asks to run the remote check from master too), so when a connection check is executed on master, that process didn't resolve replica hostname. I wonder if this was a master upgrade and perhaps systemd-resolved did its upgrade after IPA scripts were run, so actual upgrade in IPA didn't trigger migrating configuration to resolved.
No. It's not an upgrade test. It's a fresh deployment test. This is exactly how it failed before you tried to deal with resolved. I know the failure is on the master, I think I mentioned that initially in the bug report.
Note, we have an ancillary problem now - upgrade from F32 to F33 doesn't work any more because F32's freeipa is now newer than F33's. We may have to push this anyway just to fix that problem.
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1886205 for that problem. Assuming it's accepted as a blocker (as it should be) I'd suggest we should edit this update so it's marked as fixing that bug but not fixing the resolved bug, and go ahead and push it.
abbra edited this update.
+1 for Adam's last proposal. Let's land this update while we work on a new update for #1880628
This update has been submitted for stable by abbra.
I added bug 1886205 and submitted this to stable to unblock F32 to F33 situation. We'll do FreeIPA 4.8.11 release today/tomorrow that includes all fixes for systemd-resolved we done (more than this build contains).
With some tweaks to the test code (especially not touching resolv.conf) the replica tests do pass, so changing my feedback to positive. Let's just push this stable and pretend everything's fine!
This update has been pushed to stable.