Fedora directory users - Aug 2009 - [389-users] Proper upgrading procedure and the use of setup-ds-admin.pl -u

I am currently running the following:
389-admin-1.1.8-3.fc11.x86_64
389-admin-console-1.1.4-1.fc11.noarch
389-admin-console-doc-1.1.4-1.fc11.noarch
389-adminutil-1.1.8-3.fc11.x86_64
389-console-1.1.3-3.fc11.noarch
389-ds-1.1.3-4.fc11.noarch
389-ds-base-1.2.1-1.fc11.x86_64
389-ds-base-debuginfo-1.2.1-1.fc11.x86_64
389-ds-console-1.2.0-4.fc11.noarch
389-ds-console-doc-1.2.0-4.fc11.noarch
389-dsgw-1.1.4-1.fc11.x86_64

Those are the packages that were the initial group that supported the renaming 
of Fedora DS to 389 DS.  I plan to upgrade with "yum upgrade" today as
some
bugs have been fixed.

What is the proper upgrading procedure for 389 DS?

Can I simply do a "yum update" and expect everything to work or do I
always
need to merge rpmnew files and run setup-ds-admin.pl after each "yum
update"?

I ask for two reasons:

1) I was hit by https://bugzilla.redhat.com/show_bug.cgi?id=518418 and have 
since recreated my servers with the above packages

2) I noticed that while using SSL, the setup-ds-admin.pl requires me to delete 
the CA cert that was previously installed and re-import it (crazy).

I''d like to make sure don''t have these servers crap out again.

Thanks a lot.

-A
-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Anthony Joseph Messina wrote:
> I am currently running the following:
> 389-admin-1.1.8-3.fc11.x86_64
>   
the new version is 389-admin-1.1.8-4
> 389-admin-console-1.1.4-1.fc11.noarch
> 389-admin-console-doc-1.1.4-1.fc11.noarch
> 389-adminutil-1.1.8-3.fc11.x86_64
> 389-console-1.1.3-3.fc11.noarch
> 389-ds-1.1.3-4.fc11.noarch
> 389-ds-base-1.2.1-1.fc11.x86_64
>   
the new version is 389-ds-base-1.2.2-1
> 389-ds-base-debuginfo-1.2.1-1.fc11.x86_64
> 389-ds-console-1.2.0-4.fc11.noarch
> 389-ds-console-doc-1.2.0-4.fc11.noarch
> 389-dsgw-1.1.4-1.fc11.x86_64
>
> Those are the packages that were the initial group that supported the
renaming
> of Fedora DS to 389 DS.  I plan to upgrade with "yum upgrade"
today as some
> bugs have been fixed.
>   
Ok.  Do not upgrade until the new versions specified above are available 
from your repo.
> What is the proper upgrading procedure for 389 DS?
>
> Can I simply do a "yum update" and expect everything to work or
do I always
> need to merge rpmnew files and run setup-ds-admin.pl after each "yum
update"?
>   
You should do a yum upgrade instead of update so that obsoletes will be 
processed correctly.

Then do setup-ds-admin.pl -u

I don''t think there is any merging that needs to be done, but it 
wouldn''t hurt just to check the diff between file and file.rpmnew to
see
if anything has changed (that you didn''t set in your
configuration).
> I ask for two reasons:
>
> 1) I was hit by https://bugzilla.redhat.com/show_bug.cgi?id=518418 and have
> since recreated my servers with the above packages
>   
> 2) I noticed that while using SSL, the setup-ds-admin.pl requires me to
delete
> the CA cert that was previously installed and re-import it (crazy).
>   
Yes, this is a bug.  
https://bugzilla.redhat.com/show_bug.cgi?id=501846
> I''d like to make sure don''t have these servers crap out
again.
>   
Due to the rename issue, your servers will be stopped and restarted, but 
you should not lose your run level configuration.  In what other way(s) 
did they "crap out"?
> Thanks a lot.
>
> -A
>   
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

On Friday 28 August 2009 10:25:20 Rich Megginson wrote:
> > 2) I noticed that while using SSL, the setup-ds-admin.pl requires me
to
> > delete the CA cert that was previously installed and re-import it
> > (crazy). 
>
> Yes, this is a bug.   https://bugzilla.redhat.com/show_bug.cgi?id=501846
>
> > I''d like to make sure don''t have these servers crap
out again.
> >  
>
> Due to the rename issue, your servers will be stopped and restarted, but
> you should not lose your run level configuration.  In what other way(s)
> did they "crap out"?
well, since i had SSL in the server, the admin server and the console 
communication between both, and when the servers were stopped, the setup-ds-
admin.pl couldn''t connect to anything to do the upgrade and once i
manually
re-added (chkconfig --add dirsrv...) and restarted, the SSL issue with setup-
ds-admin.pl became a problem as i had to then uninstall certs just to 
reinstall them...  yuk!

but i''m not worried about the change between fedora-ds* and 389-ds* now
as i
removed all of fedora-ds* and installed fresh 389-ds* rpms and just simply 
started over.  -- i had just moved from OpenLDAP so that wasn''t a big
deal.

i also noticed last time that the setup-ds-admin.pl created duplicate 
instances of my servers in the console -- and i wasn''t sure how to get
rid of
those which is also part of why i just "started over."

since i''m already using the renamed packages (the first round of them),
i want
to be sure i''m ok with a yum upgrade and that the proper procedure is
to
always run a setup-ds-admin.pl -u

due to https://bugzilla.redhat.com/show_bug.cgi?id=501846, i now have standard 
ldap:// (instead of ldaps://) between the admin server and the ds so i should 
be able to avoid that issue.

i''m still learning this 389-ds, coming from OpenLDAP where i simply did
an yum
update and didn''t need to do anything else :)

i guess, basically...  what does one do if the server stops and they are not 
able to run setup-ds-admin.pl?  is it safe to restart the server services and 
then try it again?

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

On Friday 28 August 2009 10:25:20 Rich Megginson wrote:
> Anthony Joseph Messina wrote:
> > I am currently running the following:
> > 389-admin-1.1.8-3.fc11.x86_64
> >  
>
> the new version is 389-admin-1.1.8-4
i got that.
> > 389-admin-console-1.1.4-1.fc11.noarch
> > 389-admin-console-doc-1.1.4-1.fc11.noarch
> > 389-adminutil-1.1.8-3.fc11.x86_64
> > 389-console-1.1.3-3.fc11.noarch
> > 389-ds-1.1.3-4.fc11.noarch
> > 389-ds-base-1.2.1-1.fc11.x86_64
> >  
>
> the new version is 389-ds-base-1.2.2-1
i got that.
> > 389-ds-base-debuginfo-1.2.1-1.fc11.x86_64
> > 389-ds-console-1.2.0-4.fc11.noarch
> > 389-ds-console-doc-1.2.0-4.fc11.noarch
> > 389-dsgw-1.1.4-1.fc11.x86_64
> >
> > Those are the packages that were the initial group that supported the
> > renaming of Fedora DS to 389 DS.  I plan to upgrade with "yum
upgrade"
> > today as some bugs have been fixed.
> >  
>
> Ok.  Do not upgrade until the new versions specified above are available
> from your repo.
ok, i can confirm that the following works now:
1) running "yum upgrade" from the original package set that i
specified earlier
which retrieves the new 389-admin and 389-ds-base packages. (no rpmnew files 
created)

2) running setup-ds-admin.pl -u (without ldaps://... as the connection string 
between the admin server and the ds)

3) now i have:

[27/Aug/2009:20:39:13 -0500] - 389-Directory/1.2.1 B2009.224.1954 starting up
[27/Aug/2009:20:39:14 -0500] - slapd started.  Listening on All Interfaces 
port 389 for LDAP requests
[27/Aug/2009:20:39:14 -0500] - Listening on All Interfaces port 636 for LDAPS 
requests
[28/Aug/2009:11:01:47 -0500] - slapd shutting down - signaling operation 
threads
[28/Aug/2009:11:01:47 -0500] - slapd shutting down - waiting for 29 threads to 
terminate
[28/Aug/2009:11:01:47 -0500] - slapd shutting down - closing down internal 
subsystems and plugins
[28/Aug/2009:11:01:49 -0500] - Waiting for 4 database threads to stop
[28/Aug/2009:11:01:49 -0500] - All database threads now stopped
[28/Aug/2009:11:01:49 -0500] - slapd stopped.
        389-Directory/1.2.2 B2009.237.206
        ds.messinet.com:636 (/etc/dirsrv/slapd-ds)

[28/Aug/2009:11:01:50 -0500] - 389-Directory/1.2.2 B2009.237.206 starting up
[28/Aug/2009:11:01:50 -0500] - slapd started.  Listening on All Interfaces 
port 389 for LDAP requests
[28/Aug/2009:11:01:50 -0500] - Listening on All Interfaces port 636 for LDAPS 
requests

so it worked.  thank you.  i just want to keep in my brain the proper way to 
upgrade these servers.

if for example, there were *.rpmnew files created, at what point during this 
process should they be merged?
1) before running setup-ds-admin.pl -u?
2) after, but before restarting dirsrv?

thanks again.  -a
-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Anthony Joseph Messina wrote:
> On Friday 28 August 2009 10:25:20 Rich Megginson wrote:
>   
>> Anthony Joseph Messina wrote:
>>     
>>> I am currently running the following:
>>> 389-admin-1.1.8-3.fc11.x86_64
>>>  
>>>       
>> the new version is 389-admin-1.1.8-4
>>     
>
> i got that.
>
>   
>>> 389-admin-console-1.1.4-1.fc11.noarch
>>> 389-admin-console-doc-1.1.4-1.fc11.noarch
>>> 389-adminutil-1.1.8-3.fc11.x86_64
>>> 389-console-1.1.3-3.fc11.noarch
>>> 389-ds-1.1.3-4.fc11.noarch
>>> 389-ds-base-1.2.1-1.fc11.x86_64
>>>  
>>>       
>> the new version is 389-ds-base-1.2.2-1
>>     
>
> i got that.
>
>   
>>> 389-ds-base-debuginfo-1.2.1-1.fc11.x86_64
>>> 389-ds-console-1.2.0-4.fc11.noarch
>>> 389-ds-console-doc-1.2.0-4.fc11.noarch
>>> 389-dsgw-1.1.4-1.fc11.x86_64
>>>
>>> Those are the packages that were the initial group that supported
the
>>> renaming of Fedora DS to 389 DS.  I plan to upgrade with "yum
upgrade"
>>> today as some bugs have been fixed.
>>>  
>>>       
>> Ok.  Do not upgrade until the new versions specified above are
available
>> from your repo.
>>     
>
> ok, i can confirm that the following works now:
> 1) running "yum upgrade" from the original package set that i
specified earlier
> which retrieves the new 389-admin and 389-ds-base packages. (no rpmnew
files
> created)
>
> 2) running setup-ds-admin.pl -u (without ldaps://... as the connection
string
> between the admin server and the ds)
>
> 3) now i have:
>
> [27/Aug/2009:20:39:13 -0500] - 389-Directory/1.2.1 B2009.224.1954 starting
up
> [27/Aug/2009:20:39:14 -0500] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [27/Aug/2009:20:39:14 -0500] - Listening on All Interfaces port 636 for
LDAPS
> requests
> [28/Aug/2009:11:01:47 -0500] - slapd shutting down - signaling operation 
> threads
> [28/Aug/2009:11:01:47 -0500] - slapd shutting down - waiting for 29 threads
to
> terminate
> [28/Aug/2009:11:01:47 -0500] - slapd shutting down - closing down internal 
> subsystems and plugins
> [28/Aug/2009:11:01:49 -0500] - Waiting for 4 database threads to stop
> [28/Aug/2009:11:01:49 -0500] - All database threads now stopped
> [28/Aug/2009:11:01:49 -0500] - slapd stopped.
>         389-Directory/1.2.2 B2009.237.206
>         ds.messinet.com:636 (/etc/dirsrv/slapd-ds)
>
> [28/Aug/2009:11:01:50 -0500] - 389-Directory/1.2.2 B2009.237.206 starting
up
> [28/Aug/2009:11:01:50 -0500] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [28/Aug/2009:11:01:50 -0500] - Listening on All Interfaces port 636 for
LDAPS
> requests
>
> so it worked.  thank you.  i just want to keep in my brain the proper way
to
> upgrade these servers.
>
> if for example, there were *.rpmnew files created, at what point during
this
> process should they be merged?
> 1) before running setup-ds-admin.pl -u?
>   
Yes.  setup-ds-admin.pl uses the files in
/etc/dirsrv/admin-serv/
> 2) after, but before restarting dirsrv?
>
> thanks again.  -a
>   
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Anthony Joseph Messina wrote:
> On Friday 28 August 2009 10:25:20 Rich Megginson wrote:
>   
>>> 2) I noticed that while using SSL, the setup-ds-admin.pl requires
me to
>>> delete the CA cert that was previously installed and re-import it
>>> (crazy). 
>>>       
>> Yes, this is a bug.  
https://bugzilla.redhat.com/show_bug.cgi?id=501846
>>
>>     
>>> I''d like to make sure don''t have these servers
crap out again.
>>>  
>>>       
>> Due to the rename issue, your servers will be stopped and restarted,
but
>> you should not lose your run level configuration.  In what other way(s)
>> did they "crap out"?
>>     
>
> well, since i had SSL in the server, the admin server and the console 
> communication between both, and when the servers were stopped, the
setup-ds-
> admin.pl couldn''t connect to anything to do the upgrade and once i
manually
> re-added (chkconfig --add dirsrv...) and restarted, the SSL issue with
setup-
> ds-admin.pl became a problem as i had to then uninstall certs just to 
> reinstall them...  yuk!
>
> but i''m not worried about the change between fedora-ds* and
389-ds* now as i
> removed all of fedora-ds* and installed fresh 389-ds* rpms and just simply 
> started over.  -- i had just moved from OpenLDAP so that wasn''t a
big deal.
>
> i also noticed last time that the setup-ds-admin.pl created duplicate 
> instances of my servers in the console -- and i wasn''t sure how to
get rid of
> those which is also part of why i just "started over."
>   
They can be removed using the console directory browser, to remove their 
entries from under o=NetscapeRoot
> since i''m already using the renamed packages (the first round of
them), i want
> to be sure i''m ok with a yum upgrade and that the proper procedure
is to
> always run a setup-ds-admin.pl -u
>   
Yes.  In the future (unless we obsolete some packages again) you can 
just use yum update.  And you must always run setup-ds-admin.pl -u after 
doing an upgrade - this will make sure the console shows the correct 
information, and in the future will do things like schema upgrade, 
adding new configuration, removing old/obsolete configuration/files,
etc.
> due to https://bugzilla.redhat.com/show_bug.cgi?id=501846, i now have
standard
> ldap:// (instead of ldaps://) between the admin server and the ds so i
should
> be able to avoid that issue.
>
> i''m still learning this 389-ds, coming from OpenLDAP where i
simply did an yum
> update and didn''t need to do anything else :)
>   
Unfortunately, there is no way to change the information that the 
console uses without asking for some sort of password or credential - 
you can''t do that with yum upgrade or rpm -U.

I''m not sure how a yum upgrade of openldap would deal with schema 
changes, config changes, etc. - perhaps it doesn''t do any of that, and 
just expects you to do that.
> i guess, basically...  what does one do if the server stops and they are
not
> able to run setup-ds-admin.pl?  is it safe to restart the server services
and
> then try it again?
>   
Yes.
>   
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>