[Freeipa-users] i could use some help with installing FreeIPA

Nathaniel McCallum npmccallum at redhat.com
Wed Dec 18 14:47:21 UTC 2013


On Mon, 2013-12-16 at 22:30 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
> >> My install fails on the invocation of pkispawn with a Socket Error in
> >> the pki-ca-spawn log; anyone have any ideas?  (It isn't the issue
> >> with special characters in the DM's password, as my Directory Manager
> >> and IPA Admin passwords may be 32 characters long, but only contain
> >> [A-Za-z0-9_] )
> >>
> >> Configuration and Error Messages follow.
> >>
> >> Target System: Fedora19 64bit LXC Container running on top of a
> >> Fedora19 64bit host.  Kernel 3.11.10, Q9550 Intel CPU.
> >> Attempting to install freeipa server 3.3.3.  SELinux has been set to
> >> 'disabled' on the host and container.
> >>
> >> /etc/hosts:
> >> # IP            FQDN                            Alias(es)
> >> 127.0.0.1       localhost.localdomain           localhost localhost4
> >> 192.168.253.94 woeg.marphod.net woeg
> >>
> >> # Peers
> >> 192.168.253.99 skete.marphod.net skete wiki.marphod.net wiki www.marphod.net www
> >> [... several more machines]
> >>
> >> /etc/resolv.conf
> >> ; generated by /usr/sbin/dhclient-script
> >> search marphod.net
> >> nameserver 192.168.253.1
> >>
> >> /etc/sysconfig/network:
> >> NETWORKING=yes
> >> HOSTNAME=woeg.marphod.net
> >>
> >> No software firewall on the Container:
> >> # iptables -L
> >> Chain INPUT (policy ACCEPT)
> >> target     prot opt source destination
> >>
> >> Chain FORWARD (policy ACCEPT)
> >> target     prot opt source destination
> >>
> >> Chain OUTPUT (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >>
> >> Not using NetworkManager.  The machine has a virtual nic, and is
> >> connected to the bridge on the host, and can interact with the outside
> >> world.
> >>
> >> Installation commands:
> >> # ipa-server-install --uninstall -U
> >> # pkidestroy -s CA -i pki-tomcat
> >> # ipa-server-install -N -d --no-host-dns
> >>
> >> I select the defaults during the interactive install.
> >>
> >> During installation, everything seems to run fine up to the invocation
> >> of pkispawn.   I then get the errors:
> >> <text>
> >> Installing CA into /var/lib/pki/pki-tomcat.
> >> Storing deployment configuration into
> >> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >> Installation failed.
> >>
> >> ipa         : DEBUG    stderr=Job for pki-tomcatd@pki-tomcat.service
> >> failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and
> >> 'journalctl -xn' for details.
> >> pkispawn    : ERROR    ....... server failed to restart
> >>
> >> ipa         : CRITICAL failed to configure ca instance Command
> >> '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit
> >> status 1
> >> ipa         : DEBUG      File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> >> line 622, in run_script
> >>     return_value = main_function()
> >>
> >>   File "/usr/sbin/ipa-server-install", line 1074, in main
> >>     dm_password, subject_base=options.subject)
> >>
> >>   File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >> line 478, in configure_instance
> >>     self.start_creation(runtime=210)
> >>
> >>   File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> >> 364, in start_creation
> >>     method()
> >>
> >>   File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >> line 604, in __spawn_instance
> >>     raise RuntimeError('Configuration of CA failed')
> >>
> >> ipa         : DEBUG    The ipa-server-install command failed,
> >> exception: RuntimeError: Configuration of CA failed
> >> Configuration of CA failed
> >> </text>
> >>
> >> the relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log: (the
> >> ... skipping... is from the file)
> >> <text>
> >> ...skipping...
> >> y still be down
> >> 2013-12-16 18:12:23 pkispawn    : DEBUG    ........... No connection -
> >> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
> >> Connection refused.
> >> 2013-12-16 18:12:24 pkispawn    : DEBUG    ........... No connection -
> >> server may still be down
> >> 2013-12-16 18:12:24 pkispawn    : DEBUG    ........... No connection -
> >> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
> >> Connection refused.
> >> 2013-12-16 18:12:25 pkispawn    : DEBUG    ........... No connection -
> >> server may still be down
> >> ...
> >> (error repeated 12 more times)
> >> ...
> >> 2013-12-16 18:12:39 pkispawn    : ERROR    ....... server failed to
> >> restart
> >> 2013-12-16 18:12:39 pkispawn    : DEBUG    ....... Error Type: SystemExit
> >> 2013-12-16 18:12:39 pkispawn    : DEBUG    ....... Error Message: 1
> >> 2013-12-16 18:12:39 pkispawn    : DEBUG    .......   File
> >> "/usr/sbin/pkispawn", line 374, in main
> >>     rv = instance.spawn()
> >>   File
> >> "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
> >> line 102, in spawn
> >>     sys.exit(1)
> >> </text>
> >>
> >
> > You are trying it in a container. I do not know whether this makes a
> > difference.
> > It might be due to the fact that underlying directory server has not
> > started.
> > Please look at the pki instance DS logs to determine whether the DS
> > instance was installed and configured correctly.
> > http://www.freeipa.org/page/Troubleshooting#Server_Installation
> > Please publish these logs here.
> 
> I'm not entirely sure that IPA works in a container. I think that 
> Nathaniel looked at this a few months ago but I can't recall his findings.

For me, it mostly just worked with
http://fedoraproject.org/wiki/Features/SystemdLightweightContainers. It
requires disabling selinux, however, so I eventually abandoned it.
Perhaps the selinux problem has been solved by now?

Nathaniel



