[Freeipa-users] Setup of freeipa 4.1.3 failed

Martin Kosek mkosek at redhat.com
Wed Apr 8 08:59:53 UTC 2015


On 04/08/2015 07:57 AM, Markus Roth wrote:
> 
>> Endi Sukma Dewata <edewata at redhat.com> wrote on 1 April 2015 at 23:56:
>>
>>
>> On 4/1/2015 4:29 PM, Markus Roth wrote:
>>> On Wednesday, 1 April 2015, 16:04:54 you wrote:
>>>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>>>>>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I want to set up freeipa 4.1.3 on a freshly installed fedora 21.
>>>>>
>>>>>>>> The ipa-server-install shows the following output:
>>>>> ...
>>>>>
>>>>>>>> Done configuring directory server (dirsrv).
>>>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>>>>>
>>>>>>>> [1/27]: creating certificate server user
>>>>>>>> [2/27]: configuring certificate server instance
>>>>>>>> [3/27]: stopping certificate server instance to update CS.cfg
>>>>>>>> [4/27]: backing up CS.cfg
>>>>>>>> [5/27]: disabling nonces
>>>>>>>> [6/27]: set up CRL publishing
>>>>>>>> [7/27]: enable PKIX certificate path discovery and validation
>>>>>>>> [8/27]: starting certificate server instance
>>>>>>>> [error] RuntimeError: CA did not start in 300.0s
>>>>>>>>
>>>>>>>> CA did not start in 300.0s
>>>>>>>>
>>>>>>>> The ipa server install log shows this:
>>>>>>>>
>>>>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>>>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>>>>
>>>>> ...
>>>>>
>>>>>>>> I uninstalled the ipa server completely several times and installed
>>>>>>>> it again.
>>>>>>>> But it always stops at the same step with the setup.
>>>>>>>>
>>>>>>>> Can anybody help?
>>>>>
>>>>> Based on the IPA install log alone it looks like the DS is already
>>>>> started, and the Dogtag is already started too in step [3/27]. It's the
>>>>> restart on step [8/27] that is failing.
>>>>>
>>>>> We will need to see the Dogtag debug log in order to know if Dogtag is
>>>>> indeed failing to restart or the installer for some reason cannot
>>>>> connect to Dogtag.
>>>>
>>>> Hi Markus,
>>>>
>>>> Based on the logs that you sent me, the Dogtag took a really long time
>>>> to start:
>>>>
>>>> INFORMATION: Server startup in 739700 ms
>>>>
>>>> More than half of that time was spent starting the CA subsystem alone:
>>>>
>>>> INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
>>>>
>>>> The whole (failed) IPA installation took about 38 minutes. Is this correct?
>>>>
>>>> It's possible the system was running out of entropy. You might want to
>>>> install haveged or rngd. See:
>>>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
>>>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
>>>>
>>>> However, the system seems to be running very slowly in general. How
>>>> powerful is this machine?
>>>
>>> Hi Endi
>>>
>>> the system is a banana pi system. Seems that this ARM CPU based system isn't
>>> suitable for FreeIPA....
>>
>> The installation might still succeed if IPA doesn't have the 300s time
>> limit. If you want to try, you probably can specify a larger
>> startup_timeout in ~/.ipa/default.conf, or change the code in
>> ipaplatform/redhat/services.py to wait indefinitely, and see what
>> happens. I don't know if it will be usable though.
>>
>> --
>> Endi S. Dewata
>>
>  
> Yesterday I did the installation of freeipa on my banana Pi by modifying the
> source file ipalib/constants.py:    ('startup_timeout', 300). I changed it to
> 900 s. And the setup process was successful! The start of the CA had a duration
> of 630s! But after the installation freeipa is usable on the banana Pi.
>  
> Thanks to Endi for help.

That's cool! Do you think that your experience from making it work could form a
nice HOWTO article on

http://www.freeipa.org/page/HowTos

? Maybe it would help others who would want to follow your example of FreeIPA
on *Pi devices :-)
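
Added example, not part of the thread and not FreeIPA or Dogtag code: a small Python helper that reads the Tomcat startup lines quoted above and checks whether the observed start time fits within the installer's 300 s `startup_timeout`, printing a larger value for `~/.ipa/default.conf` if it does not. The function names, the 1.5 safety margin and the sample log (constructed from the two lines quoted in the thread) are assumptions; `[global]` is the section heading IPA configuration files use.

```python
import math
import re

# Constructed sample built from the two Tomcat log lines quoted in the thread.
SAMPLE_LOG = """\
INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
INFORMATION: Server startup in 739700 ms
"""

DEFAULT_STARTUP_TIMEOUT = 300  # seconds; the installer limit named in the thread

DEPLOY_RE = re.compile(r"Deployment of configuration descriptor (\S+) has finished in ([\d,]+) ms")
STARTUP_RE = re.compile(r"Server startup in ([\d,]+) ms")


def _seconds(ms_text):
    """'393,390' or '739700' (whole milliseconds, optional grouping) -> seconds."""
    return int(ms_text.replace(",", "")) / 1000.0


def startup_times(log_text):
    """Return (server_startup_s or None, {descriptor_path: deploy_s})."""
    server, deploys = None, {}
    for line in log_text.splitlines():
        m = DEPLOY_RE.search(line)
        if m:
            deploys[m.group(1)] = _seconds(m.group(2))
        m = STARTUP_RE.search(line)
        if m:
            server = _seconds(m.group(1))  # keep the most recent restart
    return server, deploys


def suggest_timeout(log_text, current=DEFAULT_STARTUP_TIMEOUT, margin=1.5):
    """Return a larger timeout in seconds, or None if `current` already covers
    the slowest start seen in the log. `margin` is an assumed safety factor."""
    server, deploys = startup_times(log_text)
    observed = max([server or 0.0, *deploys.values()])
    if observed <= current:
        return None
    return math.ceil(observed * margin / 60) * 60  # round up to a full minute


if __name__ == "__main__":
    new = suggest_timeout(SAMPLE_LOG)
    if new is not None:
        print("[global]\nstartup_timeout = %d" % new)  # for ~/.ipa/default.conf
```
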
