[Freeipa-users] ipa fails to start after centos 7.3 upgrade

Brian Candler b.candler at pobox.com
Wed Dec 14 11:06:25 UTC 2016


On 12/12/2016 19:53, Rob Verduijn wrote:
> I've recently upgraded to centos 7.3.
> Didn't intend to so soon but should have checked the announce lists 
> before launching my ansible update playbook.
>
> Most of my servers came through, and mostly also the ipa server.
> There were duplicate rpms and a failed rpm upgrade.
> After some yum magic the rpm duplicates were gone and all the updates 
> installed.
>
> Manually running ipa-server-upgrade also seems to finish properly.
>
> However
> ipactl start keeps failing on the ntpd service.
> Not a big surprise since it's running chronyd.
>
> I now start the ipa server with 'ipactl start --ignore-service-failure'
>
> Is there a way to explain to the script that it should check for chronyd 
> instead of ntpd?


Aside: I also have a use case for running without ntp.  I run freeipa 
inside an lxd container (*), so ntpd is running on the outer host, not 
in the container.

However, unlike you, after upgrading to CentOS 7.3 / FreeIPA 4.4.0 inside 
the container I don't see any problem:

[root@ipa-2 ~]# ipactl stop
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@ipa-2 ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@ipa-2 ~]#

ntpd won't run inside the container, which is expected:

[root@ipa-2 ~]# systemctl status ntpd
● ntpd.service - Network Time Service
    Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Wed 2016-12-14 10:51:09 UTC; 2min 18s ago
   Process: 1357 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
  Main PID: 1358 (code=exited, status=255)

Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 4 eth0:1 10.0.0.149 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 5 lo ::1 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 6 eth0 fe80::216:3eff:fef2:a083 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listening on routing socket on fd #23 for interface updates
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c016 06 restart
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c011 01 freq_not_set
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: ntpd.service: main process exited, code=exited, status=255/n/a
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: Unit ntpd.service entered failed state.
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: ntpd.service failed.

But ipactl is not complaining, which is good. But I don't know why it 
works for me and not for you.

Anyway, I hope that for future reference this use case remains 
supported.  In a container environment like lxd or docker, you *cannot* 
run ntpd (but that doesn't mean the time isn't synced!)

Regards,

Brian.

(*) Aside: this makes snapshotting IPA a breeze.