Bug 1733501

Summary: ipa-server-install fails with latest ipa-container image
Product: Red Hat Enterprise Linux 7
Reporter: Nikhil Dehadrai <ndehadra>
Component: ipa-server-container
Assignee: Tibor Dudlák <tdudlak>
Status: CLOSED NOTABUG
QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified
Priority: unspecified
Version: 7.7
CC: ksiddiqu, pvoborni, slaznick, tdudlak
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-server-container-4.6.5-11
Last Closed: 2019-08-28 06:41:35 UTC
Type: Bug

Description Nikhil Dehadrai 2019-07-26 09:57:04 UTC
Description of problem:
ipa-server-install fails with latest ipa-container image for RHEL77

Version-Release number of selected component (if applicable):
Atomic host: Version: 7.7.0 (2019-07-24 14:14:04)
Ipa-container image:  ipa-server-container-4.6.5-6


Steps to Reproduce:
1. Set up Atomic host (Version: 7.7.0 (2019-07-24 14:14:04))
2. Pull the latest RHEL77 ipa-container image to this host (ipa-server-container-4.6.5-6)
# curl -O <image download path>
3. Load the image to atomic host
# docker load -i docker-image-sha256\:d0d945e3ba1bb0da66ed363eb2cc001e4471068a279c8d0774028bea295230fd.x86_64.tar.gz
4. Run the ipa-server installation command
# atomic install --name ipadocker rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=$addr --forwarder=10.x.x.x -r NDTEST77RC.TEST -a Secret123 -p Secret123 --no-ntp -U

Actual results:
ipa-server installation using RHEL 77 ipa-container image FAILS


[root@master cloud-user]# atomic install --name ipadocker rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=$addr --forwarder=10.x.x.x -r NDTEST77RC.TEST -a Secret123 -p Secret123 --no-ntp -U
docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/ipadocker -e NAME=ipadocker -e IMAGE=rhel7/ipa-server rhel7/ipa-server /bin/install.sh net-host --hostname=master.ndtest77rc.test --setup-dns --ip-address=10.x.x.x --forwarder=10.x.x.x -r NDTEST77RC.TEST -a Secret123 -p Secret123 --no-ntp -U
+ chroot /host /usr/bin/docker run -ti --rm --name ipadocker -e NAME=ipadocker -e IMAGE=rhel7/ipa-server -v /var/lib/ipadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /dev/urandom:/dev/random:ro --tmpfs /run --tmpfs /tmp -h master.ndtest77rc.test --net=host rhel7/ipa-server exit-on-finished --setup-dns --ip-address=10.x.x.x --forwarder=10.x.x.x -r NDTEST77RC.TEST -a Secret123 -p Secret123 --no-ntp -U
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization other.
Detected architecture x86-64.
Set hostname to <master.ndtest77rc.test>.
Fri Jul 26 09:42:01 UTC 2019 /usr/sbin/ipa-server-configure-first 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

Warning: skipping DNS resolution of host master.ndtest77rc.test
The domain name has been determined based on the host name.

Checking DNS domain ndtest77rc.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       master.ndtest77rc.test
IP address(es): 10.x.x.x
Domain name:    ndtest77rc.test
Realm name:     NDTEST77RC.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.x.x.x
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: reindex attributes
  [3/29]: exporting Dogtag certificate store pin
  [4/29]: stopping certificate server instance to update CS.cfg
  [5/29]: backing up CS.cfg
  [6/29]: disabling nonces
  [7/29]: set up CRL publishing
  [8/29]: enable PKIX certificate path discovery and validation
  [9/29]: starting certificate server instance
  [10/29]: configure certmonger for renewals
dbus.proxies: ERROR    Introspect error on :1.1:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
  [error] DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
ipapython.admintool: ERROR    org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.

[root@master cloud-user]#


Expected results:
ipa-server installation using RHEL77 ipa-container images is successful

Additional info:

Comment 2 Nikhil Dehadrai 2019-07-26 10:04:46 UTC
ipa-server log output:


2019-07-26T09:45:10Z DEBUG stderr=
2019-07-26T09:45:10Z DEBUG Start of certmonger.service complete
2019-07-26T09:45:35Z ERROR Introspect error on :1.1:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2019-07-26T09:45:35Z DEBUG Executing introspect queue due to error
2019-07-26T09:46:00Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 276, in configure_certmonger_renewal
    path = iface.find_ca_by_nickname(name)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

2019-07-26T09:46:00Z DEBUG   [error] DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2019-07-26T09:46:00Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 590, in main
    master_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 827, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 334, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 490, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 276, in configure_certmonger_renewal
    path = iface.find_ca_by_nickname(name)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)

2019-07-26T09:46:00Z DEBUG The ipa-server-install command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2019-07-26T09:46:00Z ERROR org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2019-07-26T09:46:00Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information