On 12 June 2018 at 21:22:56, Simo Sorce (simo@redhat.com) wrote:
On Tue, 2018-06-12 at 12:15 -0700, Alessandro Perucchi via FreeIPA-users wrote:
> Hello everyone, 
> 
> We were using FreeIPA on Fedora 24, and we are in the process of upgrading to
> Fedora 28.
> We have a cluster of 2 nodes (freeipa-01 and freeipa-02). 
> 
> I am trying to upgrade one server after the other, from one release to the 
> next. 
> 
> Basically: 
> 
> freeipa-01 Fedora 24 -> Fedora 25 
> 
> freeipa-02 Fedora 24 -> Fedora 25 
> freeipa-02 Fedora 25 -> Fedora 26 
> 
> freeipa-01 Fedora 25 -> Fedora 26 
> freeipa-01 Fedora 26 -> Fedora 27 
> 
> freeipa-02 Fedora 26 -> Fedora 27 
> freeipa-02 Fedora 27 -> Fedora 28 
> 
> freeipa-01 Fedora 27 -> Fedora 28 
> 
> Since Fedora doesn’t support jumping from one version to another, except
> one release at a time.
> 
> My idea is to check that once a server is upgraded, then everything is 
> stable, before going to the next server, and try to be as near as possible 
> from a version point of view between the 2 freeipa node cluster. 
> 
> Today, I could 
> upgrade without problems from Fedora 24 -> Fedora 25 on both nodes 
> (freeipa-01 and freeipa-02). 
> 
> In trying to upgrade to Fedora 26, I got some problems. The main problem is
> that the upgrade of ldap 389 is not successful, and neither is the one from IPA.
> After investigating for a long while, I have found that ns-slapd listens only
> on IPv6, on UDP, and NOT on IPv4 and TCP.
> 
> Here is what I have: 
> 
> [root@freeipa-02 lib]# lsof -Pni |grep slap 
> ns-slapd 21005 dirsrv 9u IPv6 1617283379 0t0 UDP *:389
> ns-slapd 21005 dirsrv 77u IPv4 1617321218 0t0 TCP 10.100.0.102:60646->10.100.0.101:389 (ESTABLISHED)
> ns-slapd 21005 dirsrv 81u IPv4 1617317640 0t0 TCP 10.100.0.102:60648->10.100.0.101:389 (ESTABLISHED)
> 
> 
> So, I decided to look at the file dse.ldif, and found that the entry
> “nsslapd-port” was set to “0” and “nsslapd-listenhost” was not set at
> all.
> I have then added the line 
> 
> nsslapd-listenhost: 0.0.0.0 
> 
> and changed the nsslapd-port to look like: 
> 
> nsslapd-port: 389
> 
> And after doing a 
> 
> systemctl stop dirsrv@DOM-LOCAL ; systemctl start dirsrv@DOM-LOCAL 
> 
> No changes… all modifications on my dse.ldif were gone.
>
> I stopped the dirsrv again, made my changes to dse.ldif again, and ran the
> following command:
> 
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-DOM-LOCAL -i /var/run/dirsrv/slapd-DOM-LOCAL.pid
> 
> and now, I have the following: 
> 
> [root@freeipa-02 updates]# lsof -Pni |grep 389 
> ns-slapd 78507 dirsrv 10u IPv6 1681165214 0t0 UDP *:389
> ns-slapd 78507 dirsrv 11u IPv4 1681165216 0t0 TCP *:389 (LISTEN)
> ns-slapd 78507 dirsrv 114u IPv4 1684131928 0t0 TCP 10.100.0.102:389->10.100.0.110:36828 (ESTABLISHED)
> 
> So my questions are: 
> - how to change the dse.ldif file? 

You have to stop ns-slapd before changing the file. 

This is what I have done several times. Or have I… maybe not…

I will try again.


> - Is there another way to ensure that the port that listens is TCP / 389 on
> IPv4?

The port was disabled during some upgrade operations, your situation
meant some upgrade failed and that old version failed to set back the
port in dse.ldif.
This is a bug and shouldn't happen in recent versions.

Does it mean that I need to upgrade to Fedora 28, and then try to upgrade FreeIPA?

> - Is there something that needs to be done between Fedora 25 and 26? 

Is this upgrade bug repeatable? (keep in mind that F26 is practically
EOL)

Yes, it is repeatable, since I have been trying to do it for the last 24 hours, and it drives me crazy… and nothing from googling seems to help!

I know this is EOL, or nearly… That’s also why we wanted to upgrade to the latest.


> Knowing that I will go to Fedora 28, is there something that I need to be 
> aware of? 

Yes, read this list's archives before you attempt F28 upgrades, you may
have to use updates-testing as the GA bits were busted wrt replication
for upgrades.

Ok, guess I have some reading to do :-D

> - Anything that can help me generally with my upgrade path? 

In general your approach is ok, make backups :-) 

Glad that I’m doing it right :-)

If you have any other approach, then I am also open to anything else.


Nevertheless thank you!
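
The dse.ldif state discussed in this thread (nsslapd-port set to 0, no nsslapd-listenhost) can be checked before and after each upgrade step with a small script. This is an added example, not part of the original messages or of FreeIPA/389-ds code; the sample entry and the function names are constructed for illustration, and a real run would be pointed at the dse.ldif under the /etc/dirsrv/slapd-DOM-LOCAL directory named above.

```python
import sys

# Constructed sample mirroring the state described in the thread (not a real dse.ldif).
SAMPLE_DSE = """\
dn: cn=config
nsslapd-port: 0
nsslapd-rootdn: cn=Directory
  Manager

dn: cn=schema
"""

def unfold(text):
    """Join LDIF folded lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def config_entry(text):
    """Return the attributes of the cn=config entry as {lowercase name: [values]}."""
    attrs, in_entry = {}, False
    for line in unfold(text):
        if not line.strip() and in_entry:
            break                      # a blank line ends the cn=config entry
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue                   # comments, blank lines, malformed lines
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            in_entry = value.lower() == "cn=config"
        elif in_entry:
            attrs.setdefault(name, []).append(value)
    return attrs

def listener_state(text):
    """Summarise the plain LDAP listener settings found in cn=config."""
    cfg = config_entry(text)
    port = cfg.get("nsslapd-port", [None])[0]
    enabled = port is not None and port.isdigit() and int(port) > 0
    return {"port": port, "listenhost": cfg.get("nsslapd-listenhost", []),
            "ldap_tcp_enabled": enabled}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE
    print(listener_state(text))
```

Run it with the path to dse.ldif as the only argument; with no argument it reports on the constructed sample.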