[Freeipa-users] Setup of freeipa 4.1.3 failed
Markus Roth
markus at die5roths.de
Wed Apr 8 09:13:56 UTC 2015
> Martin Kosek <mkosek at redhat.com> hat am 8. April 2015 um 10:59 geschrieben:
>
>
> On 04/08/2015 07:57 AM, Markus Roth wrote:
> >
> >> Endi Sukma Dewata <edewata at redhat.com> hat am 1. April 2015 um 23:56
> >> geschrieben:
> >>
> >>
> >> On 4/1/2015 4:29 PM, Markus Roth wrote:
> >>> Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie:
> >>>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
> >>>>>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
> >>>>>>>> Hi all,
> >>>>>>>>
> >>>>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21.
> >>>>>
> >>>>>>>> The ipa-server-install shows the following output:
> >>>>> ...
> >>>>>
> >>>>>>>> Done configuring directory server (dirsrv).
> >>>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
> >>>>>>>> minutes 30
> >>>>>>>> seconds
> >>>>>>>>
> >>>>>>>> [1/27]: creating certificate server user
> >>>>>>>> [2/27]: configuring certificate server instance
> >>>>>>>> [3/27]: stopping certificate server instance to update CS.cfg
> >>>>>>>> [4/27]: backing up CS.cfg
> >>>>>>>> [5/27]: disabling nonces
> >>>>>>>> [6/27]: set up CRL publishing
> >>>>>>>> [7/27]: enable PKIX certificate path discovery and validation
> >>>>>>>> [8/27]: starting certificate server instance
> >>>>>>>> [error] RuntimeError: CA did not start in 300.0s
> >>>>>>>>
> >>>>>>>> CA did not start in 300.0s
> >>>>>>>>
> >>>>>>>> The ipa server install log shows this:
> >>>>>>>>
> >>>>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
> >>>>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
> >>>>>
> >>>>> ...
> >>>>>
> >>>>>>>> I uninstalled the ipa server completely several times and installed
> >>>>>>>> it again.
> >>>>>>>> But it always stops at the same step with the setup.
> >>>>>>>>
> >>>>>>>> Can anybody help?
> >>>>>
> >>>>> Based on the IPA install log alone it looks like the DS is already
> >>>>> started, and the Dogtag is already started too in step [3/27]. It's the
> >>>>> restart on step [8/27] that is failing.
> >>>>>
> >>>>> We will need to see the Dogtag debug log in order to know if Dogtag is
> >>>>> indeed failing to restart or the installer for some reason cannot
> >>>>> connect to Dogtag.
> >>>>
> >>>> Hi Markus,
> >>>>
> >>>> Based on the logs that you sent me, the Dogtag took a really long time
> >>>> to start:
> >>>>
> >>>> INFORMATION: Server startup in 739700 ms
> >>>>
> >>>> More than half of that time was spent starting the CA subsystem alone:
> >>>>
> >>>> INFORMATION: Deployment of configuration descriptor /etc/pki
> >>>> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
> >>>>
> >>>> The whole (failed) IPA installation took about 38 minutes. Is this
> >>>> correct?
> >>>>
> >>>> It's possible the system was running out of entropy. You might want to
> >>>> install haveged or rngd. See:
> >>>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
> >>>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent
> >>>> ropy-for-cloud-servers-using-haveged
> >>>>
> >>>> However, the system seems to be running very slowly in general. How
> >>>> powerful is this machine?
> >>>
> >>> Hi Endi
> >>>
> >>> the system is a banana pi system. Seems that this ARM CPU based system
> >>> isn't
> >>> suitable for FreeIPA....
> >>
> >> The installation might still succeed if IPA doesn't have the 300s time
> >> limit. If you want to try, you probably can specify a larger
> >> startup_timeout in ~/.ipa/default.conf, or change the code in
> >> ipaplatform/redhat/services.py to wait indefinitely, and see what
> >> happens. I don't know if it will be usable though.
> >>
> >> --
> >> Endi S. Dewata
> >>
> >
> > Yersterday I did the installation of freeipa on my banana Pi with modifying
> > the
> > source file ipalib/constants.py: ('startup_timeout', 300). I changed it to
> > 900 s. And the setup process was successful! The start of the CA had a
> > duration
> > of 630s! But after the installation freeipa is usable on the banana Pi.
> >
> > Thanks to Endi for help.
>
> That's cool! Do you think that your experience from making it work could form
> a
> nice HOWTO article on
>
> http://www.freeipa.org/page/HowTos
>
> ? Maybe it would help others who would want to follow your example on FreeIPA
> at *Pi devices :-)
>
Of course, I can write this HowTo.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150408/69ca9b47/attachment.htm>
More information about the Freeipa-users
mailing list