<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> </head><body style=""><div> > Endi Sukma Dewata <edewata@redhat.com> hat am 1. April 2015 um 23:56 geschrieben: > > > On 4/1/2015 4:29 PM, Markus Roth wrote: > > Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie: > >> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: > >>>>> On 03/31/2015 01:54 PM, Markus Roth wrote: > >>>>>> Hi all, > >>>>>> > >>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21. > >>> > >>>>>> The ipa-server-install shows the following output: > >>> ... > >>> > >>>>>> Done configuring directory server (dirsrv). > >>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 > >>>>>> minutes 30 > >>>>>> seconds > >>>>>> > >>>>>> [1/27]: creating certificate server user > >>>>>> [2/27]: configuring certificate server instance > >>>>>> [3/27]: stopping certificate server instance to update CS.cfg > >>>>>> [4/27]: backing up CS.cfg > >>>>>> [5/27]: disabling nonces > >>>>>> [6/27]: set up CRL publishing > >>>>>> [7/27]: enable PKIX certificate path discovery and validation > >>>>>> [8/27]: starting certificate server instance > >>>>>> [error] RuntimeError: CA did not start in 300.0s > >>>>>> > >>>>>> CA did not start in 300.0s > >>>>>> > >>>>>> The ipa server install log shows this: > >>>>>> > >>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted > >>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... > >>> > >>> ... > >>> > >>>>>> I uninstalled the ipa server completely several times and installed > >>>>>> it again. > >>>>>> But it always stops at the same step with the setup. > >>>>>> > >>>>>> Can anybody help? > >>> > >>> Based on the IPA install log alone it looks like the DS is already > >>> started, and the Dogtag is already started too in step [3/27]. It's the > >>> restart on step [8/27] that is failing. > >>> > >>> We will need to see the Dogtag debug log in order to know if Dogtag is > >>> indeed failing to restart or the installer for some reason cannot > >>> connect to Dogtag. > >> > >> Hi Markus, > >> > >> Based on the logs that you sent me, the Dogtag took a really long time > >> to start: > >> > >> INFORMATION: Server startup in 739700 ms > >> > >> More than half of that time was spent starting the CA subsystem alone: > >> > >> INFORMATION: Deployment of configuration descriptor /etc/pki > >> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms > >> > >> The whole (failed) IPA installation took about 38 minutes. Is this correct? > >> > >> It's possible the system was running out of entropy. You might want to > >> install haveged or rngd. See: > >> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/ > >> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent > >> ropy-for-cloud-servers-using-haveged > >> > >> However, the system seems to be running very slowly in general. How > >> powerful is this machine? > > > > Hi Endi > > > > the system is a banana pi system. Seems that this ARM CPU based system isn't > > suitable for FreeIPA.... > > The installation might still succeed if IPA doesn't have the 300s time > limit. If you want to try, you probably can specify a larger > startup_timeout in ~/.ipa/default.conf, or change the code in > ipaplatform/redhat/services.py to wait indefinitely, and see what > happens. I don't know if it will be usable though. > > -- > Endi S. Dewata > </div> <div> </div> <div>Yersterday I did the installation of freeipa on my banana Pi with modifying the source file ipalib/constants.py: ('startup_timeout', 300). I changed it to 900 s. And the setup process was successful! The start of the CA had a duration of 630s! But after the installation freeipa is usable on the banana Pi.</div> <div> </div> <div>Thanks to Endi for help.</div> <div> </div> <div>Markus Roth</div></body></html>