[Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 18 13:42:07 UTC 2011


On Tue, 18 Oct 2011, Martin Kosek wrote:
> 1) When ipa is not configured, it is ok that ipa.service status returns
> an error. However, I still got an ipa.service status error after ipa was
> configured:
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
>   [1/2]: stopping directory server
>   [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==============================================================================
> Setup complete
> 
> Next steps:
> 	1. You must make sure these network ports are open:
> 		TCP Ports:
> 		  * 80, 443: HTTP/HTTPS
> 		  * 389, 636: LDAP/LDAPS
> 		  * 88, 464: kerberos
> 		UDP Ports:
> 		  * 88, 464: kerberos
> 		  * 123: ntp
> 
> 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> 	   and the web user interface.
> 
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service

We were discussing with Simo yesterday that perhaps we need to do a
restart of ipa.service (on systemd platforms only) explicitly after
ipa-server-install.

Right now the last action we do is ipa.enable(), i.e. just enable
ipa.service. As all services were already started during
ipa-server-install, we deemed it unnecessary to do any restart in the
System V case.

systemd, however, detects status based on its own tracking of events
and there is no way to report the status of the service other than
systemd's internal state.

So we might do an implicit restart of ipa.service at the end of install.
That would be another 5-10 second delay depending on the hardware.

> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):

This might be related as well -- I've seen multiple times that
ipa_kpasswd didn't start after ipa-server-install but works after a
restart.
-- 
/ Alexander Bokovoy
