Forum Stats

  • 3,814,139 Users
  • 2,258,824 Discussions
  • 7,892,587 Comments

Discussions

IPA Server installation with DNS fails on Oracle Linux 8.1

13

Answers

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, AustraliaPosts: 4,821 Employee
    edited Jun 8, 2020 4:14PM
    Sven Jansen wrote:New Security Update for bind including bind-pkcs11-9.11.13-5.el8_2.x86_64.rpm. Still broken 

    Yeah, I was afraid of that. Time for me to start sending more emails.

  • andreas.dijkman
    andreas.dijkman Member Posts: 84 Bronze Badge
    edited Jun 22, 2020 8:20AM

    Any updates on this matter?

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, AustraliaPosts: 4,821 Employee
    edited Jun 22, 2020 3:40PM Answer ✓

    Yes, we released bind-pkcs11-9.11.13-5.0.1.el8_2 about 6 hours ago which resolves this issue. You posted about an hour before it was published.

    andreas.dijkmanSven Jansen
  • Sven Jansen
    Sven Jansen Member Posts: 16 Green Ribbon
    edited Jun 24, 2020 11:59AM

    Hi Avi,

    i justed updated bind* on all my IPA Servers and i can confirm its working now! \o/

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, AustraliaPosts: 4,821 Employee
    edited Jun 24, 2020 3:48PM
    Sven Jansen wrote:i justed updated bind* on all my IPA Servers and i can confirm its working now! \o/

    Awesome, glad to hear that. This took a surprising amount of time to debug, I'll be honest. It turned out to be an issue with our build environment that is configured to use our FIPS-validated OpenSSL libraries at all times, which confused the build of bind because having certain OpenSSL libraries available during build of bind-pkcs means it attempts to use those instead of its own and so-on and so-forth. We had to rebuild our build environments specifically for bind to accommodate it. Sorry about the delay!

  • andreas.dijkman
    andreas.dijkman Member Posts: 84 Bronze Badge
    edited Jun 25, 2020 3:44AM

    I can also confirm it's working. Just updated my 2 IPA-servers and running OL8.2 now.

    Thanks for following up on this and getting it fixed!

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, AustraliaPosts: 4,821 Employee
    edited Jun 25, 2020 2:30PM

    You're welcome! Thanks for your patience.

  • andreas.dijkman
    andreas.dijkman Member Posts: 84 Bronze Badge
    edited Jun 26, 2020 8:42AM

    Regarding incomplete or not working IPA-packages and/or installation(s): there is something fishy about the ipa-healthcheck-package after installing OL8.2.

    The package ipa-healthcheck-core in 8.2 obsoletes the package ipa-healtchcheck. But inside the (new) ipa-healthcheck 0.4 is the actual binary/script ipa-healthcheck missing. So upgrading ipa-healthcheck to 0.4 is uninstalling ipa-healtcheck (0.4) and installing ipa-healthcheck-core. But in the latter package, the actual check is missing, because it is located in ipa-healthcheck-0.4 (which is obsoleted by ipa-healthcheck-core-0.4. I guess there is missing a version in the obsoletes of ipa-healthcheck, because manually installing the ipa-healthcheck-0.4-RPM is fixing it.

    So before:

    ipa-healthcheck-0.3-4.module+el8.1.0+5409+d30b476c.noarch.rpm

    After:

    ipa-healthcheck-core-0.4-4.module+el8.2.0+5596+233bd6ae.noarch.rpm

    During installation:

    Installing group/module packages:

    ipa-healthcheck-core                                           noarch                                0.4-4.module+el8.2.0+5596+233bd6ae                                             ol8_appstream                                     49 k

         replacing  ipa-healthcheck.noarch 0.3-4.module+el8.1.0+5409+d30b476c

    Missing:

    ipa-healthcheck-0.4-4.module+el8.2.0+5596+233bd6ae.noarch.rpm

    Trying to install it with dnf:

    dnf install ipa-healthcheck

    Last metadata expiration check: 0:22:26 ago on Fri 26 Jun 2020 02:16:16 PM CEST.

    Package ipa-healthcheck-core-0.4-4.module+el8.2.0+5596+233bd6ae.noarch is already installed.

    But downloading the RPM manually and installing it works perfectly fine and the command ipa-healthcheck is available again. Also installing the direct binary /usr/bin/ipa-healthcheck pulls it in...

    dnf install /usr/bin/ipa-healthcheck

    Dependencies resolved.

    ============================================================================================================================================================================================================================================

    Package                                                Architecture                                  Version                                                                    Repository                                            Size

    ============================================================================================================================================================================================================================================

    Installing:

    ipa-healthcheck                                        noarch                                        0.4-4.module+el8.2.0+5596+233bd6ae                                         ol8_appstream                                         85 k

    Transaction Summary

    ============================================================================================================================================================================================================================================

    Install  1 Package

    Clearing the dnf cache isn't fixing it. Anybody else having this issue?

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, AustraliaPosts: 4,821 Employee
    edited Jun 26, 2020 2:48PM

    Yeah, this is something we're inheriting from upstream, it seams. Looking at the .spec file, the new ipa-healthcheck-core package obsoletes ipa-healthcheck < 0.4. I'm guessing this is meant to be installed via a module update (it's 4:50am here, so I haven't had enough coffee to work through the process).

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, AustraliaPosts: 4,821 Employee
    edited Jun 26, 2020 3:08PM
    andreas.dijkman wrote: The package ipa-healthcheck-core in 8.2 obsoletes the package ipa-healtchcheck. But inside the (new) ipa-healthcheck 0.4 is the actual binary/script ipa-healthcheck missing. So upgrading ipa-healthcheck to 0.4 is uninstalling ipa-healtcheck (0.4) and installing ipa-healthcheck-core. But in the latter package, the actual check is missing, because it is located in ipa-healthcheck-0.4 (which is obsoleted by ipa-healthcheck-core-0.4. I guess there is missing a version in the obsoletes of ipa-healthcheck, because manually installing the ipa-healthcheck-0.4-RPM is fixing it.

    I'm assuming this is a weird upgrade side effect, because a new install pulls in the right packages, i.e. running the following gives me both the ipa-healthcheck and ipa-healthcheck-core packages installed:

    # dnf module enable 389-ds pki-core pki-deps# dnf module install idm:DL1/server

    Perhaps you need to switch streams for the idm module?