Bug 1393393
| Field | Value |
|---|---|
| Summary | Running ipa-server-install fails to start CA - Subsystem unavailable |
| Product | Fedora |
| Component | pki-core |
| Version | 24 |
| Status | CLOSED ERRATA |
| Reporter | Jan Pazdziora <jpazdziora> |
| Assignee | Matthew Harmsen <mharmsen> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | pki-core-10.3.5-9.fc24 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Regression | --- |
| Last Closed | 2017-08-08 19:12:32 UTC |
| CC | abokovoy, alee, cfu, cheimes, dennis, edewata, extras-orphan, ftweedal, ipa-maint, jcholast, jhrozek, jmagne, jpazdziora, kwright, mbasti, mharmsen, mkosek, nkinder, pvoborni, rcritten, ssorce |
Description
Jan Pazdziora
2016-11-09 12:50:09 UTC
Actually, I see the same bug with freeipa-server-4.4.2-1.fc24.x86_64 from https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/ as well. To reproduce that, put

    RUN cd /etc/yum.repos.d && curl -LksO https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/repo/fedora-24/group_freeipa-freeipa-4-4-fedora-24.repo

line to the Dockerfile before that RUN dnf install line.

(In reply to Jan Pazdziora from comment #1)
> Actually, I see the same bug with freeipa-server-4.4.2-1.fc24.x86_64 from
> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/ as well. To
> reproduce that, put
>
> RUN cd /etc/yum.repos.d && curl -LksO
> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/repo/fedora-24/
> group_freeipa-freeipa-4-4-fedora-24.repo
>
> line to the Dockerfile before that RUN dnf install line.

Actually, with 4.4, the error message is shown in a different place of the ipa-server-install output:

      [28/31]: importing IPA certificate profiles
      [29/31]: adding default CA ACL
      [30/31]: adding 'ipa' CA entry
      [31/31]: updating IPA configuration
    Done configuring certificate server (pki-tomcatd).
    Configuring directory server (dirsrv). Estimated time: 10 seconds
      [1/3]: configuring ssl for ds instance
      [2/3]: restarting directory server
      [3/3]: adding CA certificate entry
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
      [1/9]: adding kerberos container to the directory
      [2/9]: configuring KDC
      [3/9]: initialize kerberos container
    WARNING: Your system is running out of entropy, you may experience long delays
      [4/9]: adding default ACIs
      [5/9]: creating a keytab for the directory
      [6/9]: creating a keytab for the machine
      [7/9]: adding the password extension to the directory
      [8/9]: starting the KDC
      [9/9]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    ipa.ipapython.install.cli.install_tool(Server): ERROR    CA did not start in 300.0s
    ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

On host, outside container, ipa-server-install on Fedora 24 passes.

I see this same error on a f24 host with master. I don't see it on a f25 host. I think it is a dogtag issue on f24, but it is not 100% reproducible, must depend on something else on the platform that is not always there.

Forcing installation of Fedora 24 GA pki-server-10.3.1-1.fc24.noarch in the container does not fix the problem.

Works for me with pki-ca-10.3.5-8.fc24.noarch which is in updates-testing.

And also it works with pki-ca-10.3.5-7.fc24.noarch for me.

Hello, dogtag team, could you please help us to investigate what can be the possible issue why the dogtag subsystem is not available?

I've seen it fail, with pki-ca upgraded to pki-ca-10.3.5-8.fc24.noarch.

I just hit this bug on a VM with pki-ca-10.3.5-8.fc24.noarch, so it is not related to containers for sure.

I found out that upgrading of NSS resolves this issue.

Before:

    nss-softokn-3.25.0-1.0.fc24.x86_64
    nss-softokn-devel-3.25.0-1.0.fc24.x86_64
    nss-softokn-freebl-devel-3.25.0-1.0.fc24.x86_64
    nss-util-devel-3.25.0-1.0.fc24.x86_64
    nss-util-3.25.0-1.0.fc24.x86_64
    nss-sysinit-3.25.0-1.2.fc24.x86_64
    nss-devel-3.25.0-1.2.fc24.x86_64
    nss-softokn-freebl-3.25.0-1.0.fc24.x86_64
    nss-3.25.0-1.2.fc24.x86_64
    nss-tools-3.25.0-1.2.fc24.x86_64

After:

    nss-softokn-3.27.0-1.0.fc24.x86_64
    nss-devel-3.27.0-1.2.fc24.x86_64
    nss-util-devel-3.27.0-1.0.fc24.x86_64
    nss-3.27.0-1.2.fc24.x86_64
    nss-tools-3.27.0-1.2.fc24.x86_64
    nss-softokn-freebl-3.27.0-1.0.fc24.x86_64
    nss-softokn-freebl-devel-3.27.0-1.0.fc24.x86_64
    nss-util-3.27.0-1.0.fc24.x86_64
    nss-softokn-devel-3.27.0-1.0.fc24.x86_64
    nss-sysinit-3.27.0-1.2.fc24.x86_64

After the NSS upgrade I was able to install master without issues; nss-3.27 is in the fedora updates repo.
Should IPA or PKI raise NSS dependencies? Preferably PKI, at least as a fedora downstream patch.

(In reply to Martin Bašti from comment #11)
> I found out that upgrading of NSS resolves this issue.

Amazing. I confirm that prepending

    RUN dnf upgrade -y nss

to my Dockerfile fixes the issue in the container as well, upgrading from 3.23.0-1.2.fc24 to 3.27.0-1.0.fc24.

Do we know what in the pki* land is upset about the older versions? Things used to work in the past ... If it's just a matter of newer pki* packages built against newer sources causing ABI incompatibility, we likely need some better checks in place for these situations.

Any updates from dogtag team?

Hi,

Could you attach the debug and selftest log files from the /var/log/pki/pki-tomcat/ca folder? If NSS returns any error message, it should be in those log files.

In comment 0, step 1.5: docker build -t freeipa freeipa is missing.

Created attachment 1223224 [details]
Providing requested log files
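The thread above pins the failure on an NSS package that is older than what the rebuilt pki-core expects (3.27 fixes it, 3.23/3.25 do not) and on a "Could not connect to LDAP server ... Authentication failed (48)" line in the CA debug log. As an added example that is not part of the bug report, FreeIPA or pki-core, the POSIX sh script below turns those two findings into a pre-flight/triage check: it compares the installed nss version against a minimum (3.27.0, taken from the comments; the comparison is done without rpm so it can be tested offline), and it extracts host, port and error from any debug-log line that matches the failure quoted in the thread. The helper names, the NSS_PREFLIGHT switch and the surrounding lines of the sample log are this example's own; only the LDAP failure line itself is copied from the thread.

```shell
#!/bin/sh
# Added example for bug 1393393; not code from FreeIPA, pki-core or the reporter.
# Two checks an operator can run before/after a failed ipa-server-install:
#   1. is the installed nss at least the version the pki-core fix requires,
#   2. does the CA debug log contain the LDAP bind failure quoted in the thread.

# version_ge A B: exit 0 when dotted version A >= B. Fields are compared
# numerically left to right; missing fields count as 0 ("3.27" == "3.27.0").
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        [ -n "$a" ] || a=0
        [ -n "$b" ] || b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 0
}

# nss_meets_minimum VERSION-RELEASE MIN: drop the rpm release part
# ("3.25.0-1.2.fc24" -> "3.25.0") and compare the remaining version.
nss_meets_minimum() {
    version_ge "${1%%-*}" "$2"
}

# ldap_bind_failures LOGFILE: print "host:port error" for every line that
# matches the failure quoted in the thread; exit 1 when no such line exists.
ldap_bind_failures() {
    sed -n 's/.*Could not connect to LDAP server host \([^ ]*\) port \([0-9]*\).*LDAPException: \(.*\)$/\1:\2 \3/p' "$1" | grep .
}

# write_sample_log FILE: constructed debug-log excerpt for offline testing.
# Only the middle line is the real format from the thread; the others are
# placeholders so the filter has something to skip.
write_sample_log() {
    cat >"$1" <<'EOF'
placeholder: CA subsystem starting (constructed line, not from a real log)
Could not connect to LDAP server host ipa.example.test port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
placeholder: CA subsystem shutting down (constructed line, not from a real log)
EOF
}

# check_installed_nss [MIN]: live check against the rpm database; only
# meaningful on an RPM-based host such as the Fedora 24 systems in the thread.
check_installed_nss() {
    min="${1:-3.27.0}"
    nevr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' nss 2>/dev/null) || {
        echo "nss is not installed or rpm is unavailable" >&2; return 2; }
    if nss_meets_minimum "$nevr" "$min"; then
        echo "nss $nevr satisfies >= $min"
    else
        echo "nss $nevr is older than $min: run 'dnf upgrade -y nss' before ipa-server-install" >&2
        return 1
    fi
}

# Usage on a host: NSS_PREFLIGHT=1 sh preflight.sh /var/log/pki/pki-tomcat/ca/debug
if [ "${NSS_PREFLIGHT:-}" = "1" ]; then
    check_installed_nss 3.27.0
    ldap_bind_failures "${1:-/var/log/pki/pki-tomcat/ca/debug}" \
        || echo "no LDAP bind failure found in the CA debug log"
fi
```

The version comparison deliberately ignores the rpm release tag: the thread shows the same 3.27.0 upstream version shipping as both 1.0.fc24 and 1.2.fc24, and the dependency that the pki-core fix adds is on the upstream version. A "Authentication failed (48)" hit from the log check means the CA reached the directory server but its bind was rejected, which is where the thread's root-cause discussion picks up.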
Thanks for the logs. According to the debug log the PKI server failed to access the DS during startup:

    Could not connect to LDAP server host ipa.example.test port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

It looks like the error happens at the same location shown in this unresolved ticket: https://fedorahosted.org/pki/ticket/2226

It's still unclear why the problem is happening, but if it's fixed by upgrading NSS and without changing PKI, it's likely that it's not a PKI issue. So we can update PKI to require NSS 3.27, which hopefully fixes the problem, but if you need someone to further investigate the exact cause of this problem please reassign the ticket to NSS.

Created attachment 1227059 [details]
pki-edewata-0879-Updated-NSS-dependency-on-Fedora.patch

Comment on attachment 1227059 [details]
pki-edewata-0879-Updated-NSS-dependency-on-Fedora.patch

ACK -- after I was informed that this patch was for DOGTAG_10_3_BRANCH.

Thanks for the review!

Fixed in master:
* f7b69b0804ddb1c80250616fff601e3573602eae

Fixed in 10.3 branch:
* 12921f2270d66beb6f2cbaf5ed12127ae2ac65bd

Was the fix released in updates? What was the errata in bodhi?

If the fix is already out via https://bodhi.fedoraproject.org/updates/FEDORA-2016-346c2e1366, the status of this bugzilla should likely no longer be MODIFIED.

The problem is, the bodhi update did not have this bugzilla listed, so it did not autoclose it.

This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Per comment 25, could you please update the status of this bugzilla?

Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

(In reply to Jan Pazdziora from comment #27)
> Per comment 25, could you please update the status of this bugzilla?

Per Comment #28 -- Fedora End Of Life appears to have done this before I got to it.