Closed f3rr closed 6 months ago
If I understand the thread at the forums.rockylinux.org, that issue is not container-specific as others have experienced it outside of containerized installation. Is that a fair assessment?
There is an update to bind to fix a security issue that changes ABI and requires a corresponding bind-dyndb-ldap update. They have to be installed together.
The quay.io/freeipa/freeipa-server:rocky-9 currently contains
bind-9.16.23-14.el9_3.4.x86_64
bind-dyndb-ldap-11.9-8.el9_3.3.x86_64
Is this combination problematic? It passed our GitHub Action tests ...
When a similar situation happened in RHEL 8 a couple of weeks ago, the GitHub Action testing caught the problem.
I remember that in the past (many years ago) we talked about releasing those in the same erratas, and ideally having rpm dependencies to avoid installations where the ABIs would be mismatched ...
They should be released in the dependent errata. This was tested and ensured in RHEL.
See https://access.redhat.com/solutions/7065748
Correct RHEL 9 versions:
bind-9.16.23-14.el9_3.4 or newer
bind-dyndb-ldap-11.9-8.el9_3.3 or newer
These are exactly the versions that are in the current quay.io/freeipa/freeipa-server:rocky-9.
@f3rr Can you run
$ podman run --rm --entrypoint rpm quay.io/freeipa/freeipa-server:rocky-9 -q bind bind-dyndb-ldap
(or equivalent) and check if you have an image with the package versions above?
This is what I have in my container:
[root@ipa1 /]# rpm -qa | grep ^bind
bind-license-9.16.23-14.el9_3.4.noarch
bind-libs-9.16.23-14.el9_3.4.x86_64
bind-utils-9.16.23-14.el9_3.4.x86_64
bind-dnssec-doc-9.16.23-14.el9_3.4.noarch
bind-dnssec-utils-9.16.23-14.el9_3.4.x86_64
bind-9.16.23-14.el9_3.4.x86_64
bind-dyndb-ldap-11.9-8.el9_3.3.x86_64
[root@ipa1 /]#
bind does start sometimes, sometimes it doesn't. It's random. The temporary fix is to start the container, and if IPA does not come up I have to start bind manually up to 2-10 times until the service starts, after that ipactl restart, and my IPA is up and running again.
Now I'm confused a bit, I thought rocky-9 is based on 9.4 but it looks like it's 9.3.
Note that versions are not enough. The packages had to be built in this order as well, e.g. first bind, then bind-dyndb-ldap against that bind build.
The thread at https://forums.rockylinux.org/t/upgrade-to-rocky9-3-breaks-freeipa-running-instalation-bind-core-dump/13709 indicates that the packages got updated in Rocky Linux 9.3 and will get upgraded for Rocky Linux 9.4. It is possible that the order they got built in 9.3 did not end up as a working solution.
It seems AlmaLinux now has 9.4 out so you might want to test with quay.io/freeipa/freeipa-server:almalinux-9.
In any case, since this seems to be reproduced by multiple people on multiple OSes outside of the containerized deployment, I'd conclude that it is a generic problem with bind and bind-dyndb-ldap package builds that needs to be solved in those operating system builds. It's not a FreeIPA containerization specific issue.
Hence closing this issue.
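The version and build-order conditions discussed in this thread can be checked together. The script below is an added example, not part of the issue thread or the FreeIPA project: the function names are hypothetical, `sort -V` only approximates rpm's own version comparison, and comparing `%{BUILDTIME}` is a heuristic for build order, not proof that bind-dyndb-ldap was compiled against the installed bind.

```shell
#!/bin/sh
# Added example. Reads lines of "<name> <version>-<release> <buildtime>" on stdin,
# as produced by (query format is an assumption layered on the thread's command):
#   podman run --rm --entrypoint rpm quay.io/freeipa/freeipa-server:rocky-9 \
#     -q --qf '%{NAME} %{VERSION}-%{RELEASE} %{BUILDTIME}\n' bind bind-dyndb-ldap

# Minimum RHEL 9 versions quoted in the thread.
MIN_BIND='9.16.23-14.el9_3.4'
MIN_DYNDB='11.9-8.el9_3.3'

# ver_ge A B: succeeds when A >= B (GNU sort -V, an approximation of rpm ordering).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# check_pair: returns 0 = pair looks consistent, 1 = too old or suspicious
# build order, 2 = one of the two packages is missing from the input.
check_pair() {
    bind_evr=''; bind_bt=''; dyn_evr=''; dyn_bt=''; rc=0
    while read -r name evr btime; do
        case "$name" in
            bind)            bind_evr=$evr; bind_bt=$btime ;;
            bind-dyndb-ldap) dyn_evr=$evr;  dyn_bt=$btime ;;
        esac
    done
    if [ -z "$bind_evr" ] || [ -z "$dyn_evr" ]; then
        echo "MISSING: need both bind and bind-dyndb-ldap"
        return 2
    fi
    ver_ge "$bind_evr" "$MIN_BIND" || { echo "OLD: bind $bind_evr < $MIN_BIND"; rc=1; }
    ver_ge "$dyn_evr" "$MIN_DYNDB" || { echo "OLD: bind-dyndb-ldap $dyn_evr < $MIN_DYNDB"; rc=1; }
    # The plugin must be built after the bind it is loaded into.
    if [ "$dyn_bt" -lt "$bind_bt" ]; then
        echo "ORDER: bind-dyndb-ldap was built before the installed bind"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: bind $bind_evr, bind-dyndb-ldap $dyn_evr"
    fi
    return "$rc"
}

# Constructed sample input: versions from the thread, build times invented.
check_pair <<'EOF'
bind 9.16.23-14.el9_3.4 1700000000
bind-dyndb-ldap 11.9-8.el9_3.3 1700003600
EOF
```

A non-zero result only narrows down where to look; a pair that passes can still crash if the distribution rebuilt bind-dyndb-ldap against a different bind build than the one shipped.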
Pulled new rocky-9 image, update process started and failed. The problem is that bind cannot start. As far as I'm using the rocky-9 tag I can only assume:
old image was: freeipa/freeipa-server:rocky-9-4.10.1
new image is: freeipa/freeipa-server:rocky-9-4.10.2
Something in rocky is broken, see: https://forums.rockylinux.org/t/upgrade-to-rocky9-3-breaks-freeipa-running-instalation-bind-core-dump/13709/10
I got the same error message.