IPA Server installation with DNS fails on Oracle Linux 8.1

Avi Miller-Oracle

Sven Jansen wrote:New Security Update for bind including bind-pkcs11-9.11.13-5.el8_2.x86_64.rpm. Still broken 

Yeah, I was afraid of that. Time for me to start sending more emails.

andreas.dijkman

Any updates on this matter?

Avi Miller-Oracle

Yes, we released bind-pkcs11-9.11.13-5.0.1.el8_2 about 6 hours ago which resolves this issue. You posted about an hour before it was published.

Sven Jansen

Hi Avi,

i justed updated bind* on all my IPA Servers and i can confirm its working now! \o/

Avi Miller-Oracle

Sven Jansen wrote:i justed updated bind* on all my IPA Servers and i can confirm its working now! \o/

Awesome, glad to hear that. This took a surprising amount of time to debug, I'll be honest. It turned out to be an issue with our build environment that is configured to use our FIPS-validated OpenSSL libraries at all times, which confused the build of bind because having certain OpenSSL libraries available during build of bind-pkcs means it attempts to use those instead of its own and so-on and so-forth. We had to rebuild our build environments specifically for bind to accommodate it. Sorry about the delay!

andreas.dijkman

I can also confirm it's working. Just updated my 2 IPA-servers and running OL8.2 now.

Thanks for following up on this and getting it fixed!

Avi Miller-Oracle

You're welcome! Thanks for your patience.

andreas.dijkman

Regarding incomplete or not working IPA-packages and/or installation(s): there is something fishy about the ipa-healthcheck-package after installing OL8.2.

The package ipa-healthcheck-core in 8.2 obsoletes the package ipa-healtchcheck. But inside the (new) ipa-healthcheck 0.4 is the actual binary/script ipa-healthcheck missing. So upgrading ipa-healthcheck to 0.4 is uninstalling ipa-healtcheck (0.4) and installing ipa-healthcheck-core. But in the latter package, the actual check is missing, because it is located in ipa-healthcheck-0.4 (which is obsoleted by ipa-healthcheck-core-0.4. I guess there is missing a version in the obsoletes of ipa-healthcheck, because manually installing the ipa-healthcheck-0.4-RPM is fixing it.

So before:

ipa-healthcheck-0.3-4.module+el8.1.0+5409+d30b476c.noarch.rpm

After:

ipa-healthcheck-core-0.4-4.module+el8.2.0+5596+233bd6ae.noarch.rpm

During installation:

Installing group/module packages:

ipa-healthcheck-core                                           noarch                                0.4-4.module+el8.2.0+5596+233bd6ae                                             ol8_appstream                                     49 k

     replacing  ipa-healthcheck.noarch 0.3-4.module+el8.1.0+5409+d30b476c

Missing:

ipa-healthcheck-0.4-4.module+el8.2.0+5596+233bd6ae.noarch.rpm

Trying to install it with dnf:

dnf install ipa-healthcheck

Last metadata expiration check: 0:22:26 ago on Fri 26 Jun 2020 02:16:16 PM CEST.

Package ipa-healthcheck-core-0.4-4.module+el8.2.0+5596+233bd6ae.noarch is already installed.

But downloading the RPM manually and installing it works perfectly fine and the command ipa-healthcheck is available again. Also installing the direct binary /usr/bin/ipa-healthcheck pulls it in...

dnf install /usr/bin/ipa-healthcheck

Dependencies resolved.

============================================================================================================================================================================================================================================

Package                                                Architecture                                  Version                                                                    Repository                                            Size

============================================================================================================================================================================================================================================

Installing:

ipa-healthcheck                                        noarch                                        0.4-4.module+el8.2.0+5596+233bd6ae                                         ol8_appstream                                         85 k

Transaction Summary

============================================================================================================================================================================================================================================

Install  1 Package

Clearing the dnf cache isn't fixing it. Anybody else having this issue?

Avi Miller-Oracle

Yeah, this is something we're inheriting from upstream, it seams. Looking at the .spec file, the new ipa-healthcheck-core package obsoletes ipa-healthcheck < 0.4. I'm guessing this is meant to be installed via a module update (it's 4:50am here, so I haven't had enough coffee to work through the process).

Avi Miller-Oracle

andreas.dijkman wrote: The package ipa-healthcheck-core in 8.2 obsoletes the package ipa-healtchcheck. But inside the (new) ipa-healthcheck 0.4 is the actual binary/script ipa-healthcheck missing. So upgrading ipa-healthcheck to 0.4 is uninstalling ipa-healtcheck (0.4) and installing ipa-healthcheck-core. But in the latter package, the actual check is missing, because it is located in ipa-healthcheck-0.4 (which is obsoleted by ipa-healthcheck-core-0.4. I guess there is missing a version in the obsoletes of ipa-healthcheck, because manually installing the ipa-healthcheck-0.4-RPM is fixing it.

I'm assuming this is a weird upgrade side effect, because a new install pulls in the right packages, i.e. running the following gives me both the ipa-healthcheck and ipa-healthcheck-core packages installed:

# dnf module enable 389-ds pki-core pki-deps# dnf module install idm:DL1/server

Perhaps you need to switch streams for the idm module?