[Freeipa-users] Fedora 21 and 4.0.3

Alexander Bokovoy abokovoy at redhat.com
Tue Sep 30 13:59:46 UTC 2014


On Tue, 30 Sep 2014, Rob Crittenden wrote:
>Jan Pazdziora wrote:
>> On Tue, Sep 30, 2014 at 06:19:37AM -0700, Janelle wrote:
>>> Hi,
>>>
>>> I'm new to IPA - and was trying out the newest version of 4.0.3 with Fedora
>>> Server 21 testing -- it continues to die during the install at:
>>>
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>>> seconds
>>>   [1/26]: creating certificate server user
>>>   [2/26]: configuring certificate server instance
>>>   [3/26]: stopping certificate server instance to update CS.cfg
>>>   [4/26]: backing up CS.cfg
>>>   [5/26]: disabling nonces
>>>   [6/26]: set up CRL publishing
>>>   [7/26]: starting certificate server instance <--- consistently dies at
>>> step 7
>>>
>>> and checking the install log shows:
>>>
>>> 2014-09-29T21:14:30Z DEBUG wait_for_open_ports: localhost [8080, 8443]
>>> timeout 300
>>
>> [...]
>>
>>> Would anyone have any ideas on finding out what is going on here? I see the
>>> timeout of 5 minutes - but why is it waiting on ports that are not part of IPA?
>
>But it *is* part of IPA, hence we wait for it to come up and fail if it
>doesn't. The installer would just blow up later without dogtag running.

Dogtag messes up SELinux labels when copying CS.cfg to back it up,
then an SELinux AVC prevents it from doing so, then a failure to copy causes
Dogtag to complain, but the code in /usr/share/pki/scripts/operations is
syntactically incorrect and the shell breaks its execution. This all results
in Dogtag not being able to start.

I've filed a bug for the syntax error for pki-server, and the SELinux policy
fix is on its way to updates-testing. With that fix
(https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-84.fc21)
you can get over the issue and never trigger the syntax error in the
shell script.

-- 
/ Alexander Bokovoy
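
An added example, not part of the original message and not FreeIPA or Dogtag code: a small Python triage script that pulls AVC denials touching `CS.cfg` backups out of audit records and checks whether the installed `selinux-policy` build is at least the fixed one named above. The sample records, the `CS.cfg.bak` file name, the SELinux contexts and all function names are constructed assumptions.

```python
import re

# Constructed audit.log lines (assumptions, not from the thread): PIDs,
# timestamps, file names and SELinux contexts are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1412025270.101:401): avc:  denied  { relabelto } for  pid=2310 comm="cp" name="CS.cfg.bak" dev="dm-1" ino=131 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412025270.350:402): avc:  denied  { read } for  pid=2400 comm="httpd" name="index.html" dev="dm-1" ino=977 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1412025270.101:401): arch=c000003e syscall=188 success=no exit=-13 comm="cp"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "perms": m["perms"].split()}
    # Remaining key=value pairs: pid, comm, name, scontext, tcontext, tclass...
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        rec[key] = value.strip('"')
    return rec


def denials_for(log_text, name_prefix="CS.cfg"):
    """AVC denials whose target file name starts with name_prefix."""
    records = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in records if r and r.get("name", "").startswith(name_prefix)]


def policy_has_fix(installed, fixed="3.13.1-84.fc21"):
    """Simplified numeric version-release compare (not rpm's full vercmp)."""
    def key(vr):
        return tuple(int(n) for n in re.findall(r"\d+", vr))
    return key(installed) >= key(fixed)


if __name__ == "__main__":
    for d in denials_for(SAMPLE_AUDIT_LOG):
        print(d["comm"], d["perms"], d["name"], d["scontext"], "->", d["tcontext"])
    print("policy fixed:", policy_has_fix("3.13.1-79.fc21"))
```

On a real host the input would be the AVC records from the audit log and the version-release string reported by `rpm -q selinux-policy`.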



