[Freeipa-users] i could use some help with installing FreeIPA

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 18 15:30:12 UTC 2013


On Wed, 18 Dec 2013, Nathaniel McCallum wrote:
>On Mon, 2013-12-16 at 22:30 -0500, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>> > On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
>> >> My install fails on the invocation of pkispawn with a Socket Error in
>> >> the pki-ca-spawn log; anyone have any ideas? (It isn't the issue
>> >> with special characters in the DM's password, as my Directory Manager
>> >> and IPA Admin passwords may be 32 characters long, but only contain
>> >> [A-Za-z0-9_].)
>> >>
>> >> Configuration and Error Messages follow.
>> >>
>> >> Target System: Fedora19 64bit LXC Container running on top of a
>> >> Fedora19 64bit host.  Kernel 3.11.10, Q9550 Intel CPU.
>> >> Attempting to install freeipa server 3.3.3. SELinux has been set to
>> >> 'disabled' on the host and container.
>> >>
>> >> /etc/hosts:
>> >> # IP            FQDN                            Alias(es)
>> >> 127.0.0.1       localhost.localdomain           localhost localhost4
>> >> 192.168.253.94 woeg.marphod.net woeg
>> >>
>> >> # Peers
>> >> 192.168.253.99 skete.marphod.net skete wiki.marphod.net wiki www.marphod.net www
>> >> [... several more machines]
>> >>
>> >> /etc/resolv.conf
>> >> ; generated by /usr/sbin/dhclient-script
>> >> search marphod.net
>> >> nameserver 192.168.253.1
>> >>
>> >> /etc/sysconfig/network:
>> >> NETWORKING=yes
>> >> HOSTNAME=woeg.marphod.net
>> >>
>> >> No software firewall on the Container:
>> >> # iptables -L
>> >> Chain INPUT (policy ACCEPT)
>> >> target     prot opt source destination
>> >>
>> >> Chain FORWARD (policy ACCEPT)
>> >> target     prot opt source destination
>> >>
>> >> Chain OUTPUT (policy ACCEPT)
>> >> target     prot opt source               destination
>> >>
>> >>
>> >> Not using NetworkManager.  The machine has a virtual nic, and is
>> >> connected to the bridge on the host, and can interact with the outside
>> >> world.
>> >>
>> >> Installation commands:
>> >> # ipa-server-install --uninstall -U
>> >> # pkidestroy -s CA -i pki-tomcat
>> >> # ipa-server-install -N -d --no-host-dns
>> >>
>> >> I select the defaults during the interactive install.
>> >>
>> >> During installation, everything seems to run fine up to the invocation
>> >> of pkispawn.   I then get the errors:
>> >> <text>
>> >> Installing CA into /var/lib/pki/pki-tomcat.
>> >> Storing deployment configuration into
>> >> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> >> Installation failed.
>> >>
>> >> ipa         : DEBUG    stderr=Job for pki-tomcatd@pki-tomcat.service
>> >> failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and
>> >> 'journalctl -xn' for details.
>> >> pkispawn    : ERROR    ....... server failed to restart
>> >>
>> >> ipa         : CRITICAL failed to configure ca instance Command
>> >> '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit
>> >> status 1
>> >> ipa         : DEBUG      File
>> >> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> >> line 622, in run_script
>> >>     return_value = main_function()
>> >>
>> >>   File "/usr/sbin/ipa-server-install", line 1074, in main
>> >>     dm_password, subject_base=options.subject)
>> >>
>> >>   File
>> >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >> line 478, in configure_instance
>> >>     self.start_creation(runtime=210)
>> >>
>> >>   File
>> >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> >> 364, in start_creation
>> >>     method()
>> >>
>> >>   File
>> >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >> line 604, in __spawn_instance
>> >>     raise RuntimeError('Configuration of CA failed')
>> >>
>> >> ipa         : DEBUG    The ipa-server-install command failed,
>> >> exception: RuntimeError: Configuration of CA failed
>> >> Configuration of CA failed
>> >> </text>
>> >>
>> >> the relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log: (the
>> >> ... skipping... is from the file)
>> >> <text>
>> >> ...skipping...
>> >> y still be down
>> >> 2013-12-16 18:12:23 pkispawn    : DEBUG    ........... No connection -
>> >> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
>> >> Connection refused.
>> >> 2013-12-16 18:12:24 pkispawn    : DEBUG    ........... No connection -
>> >> server may still be down
>> >> 2013-12-16 18:12:24 pkispawn    : DEBUG    ........... No connection -
>> >> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
>> >> Connection refused.
>> >> 2013-12-16 18:12:25 pkispawn    : DEBUG    ........... No connection -
>> >> server may still be down
>> >> ...
>> >> (error repeated 12 more times)
>> >> ...
>> >> 2013-12-16 18:12:39 pkispawn    : ERROR    ....... server failed to
>> >> restart
>> >> 2013-12-16 18:12:39 pkispawn    : DEBUG    ....... Error Type: SystemExit
>> >> 2013-12-16 18:12:39 pkispawn    : DEBUG    ....... Error Message: 1
>> >> 2013-12-16 18:12:39 pkispawn    : DEBUG    .......   File
>> >> "/usr/sbin/pkispawn", line 374, in main
>> >>     rv = instance.spawn()
>> >>   File
>> >> "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
>> >> line 102, in spawn
>> >>     sys.exit(1)
>> >> </text>
>> >>
>> >
>> > You are trying it in a container. I do not know whether this makes a
>> > difference.
>> > It might be due to the fact that underlying directory server has not
>> > started.
>> > Please look at the pki instance DS logs to determine whether the DS
>> > instance was installed and configured correctly.
>> > http://www.freeipa.org/page/Troubleshooting#Server_Installation
>> > Please publish these logs here.
>>
>> I'm not entirely sure that IPA works in a container. I think that
>> Nathaniel looked at this a few months ago but I can't recall his findings.
>
>For me, it mostly just worked with
>http://fedoraproject.org/wiki/Features/SystemdLightweightContainers. It
>requires disabling selinux, however, so I eventually abandoned it.
>Perhaps the selinux problem has been solved by now?
It is not, unfortunately. Audit code in the kernel is still unaware
of lightweight containers.


-- 
/ Alexander Bokovoy



