Bug 818448
| Field | Value |
|---|---|
| Summary | 389-ds-base fails to start with latest (as of 2-May-2012) development repo resulting in ipa-server config failure |
| Product | [Fedora] Fedora |
| Component | ipa |
| Version | 16 |
| Status | CLOSED WORKSFORME |
| Severity | high |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Linux |
| Reporter | Kashyap Chamarthy <kchamart> |
| Assignee | Rob Crittenden <rcritten> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | extras-orphan, nkinder, rcritten, ssorce |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2012-06-18 14:51:46 UTC |
Description
Kashyap Chamarthy
2012-05-03 06:29:33 UTC
Could you try this with 389-ds-base-1.2.10.8 from updates-testing? If it solves the issue for you, please provide karma in Bodhi.

Actually, the errors log messages make it look like there could be a leftover lock file from a previous install. Was this a truly clean system, or were you performing a new IPA install on a system that you had IPA installed on in the past? Can you check what files you have in the following locations?

/var/run/dirsrv
/var/lock/dirsrv/slapd-PKI-IPA/server
/var/lock/dirsrv/slapd-PKI-IPA/exports
/var/lock/dirsrv/slapd-PKI-IPA/imports

Nathan,

Yes, it was a truly clean system when I tried first. However, now, dirsrv seems to start just fine with the below versions, but there is a different issue of CA config failing (being handled in a different bz (818123)).

Here is the version info:

```
[root@regular-guest export]# rpm -q 389-ds-base pki-ca pki-selinux freeipa-server
389-ds-base-1.2.10.8-1.fc16.x86_64
pki-ca-9.0.20-1.fc16.noarch
pki-selinux-9.0.20-1.fc16.noarch
freeipa-server-2.1.90.rc1-0.fc16.x86_64
[root@regular-guest export]#
===============================
[root@regular-guest export]# ls /var/run/dirsrv/
slapd-PKI-IPA.pid slapd-PKI-IPA.startpid slapd-PKI-IPA.stats
[root@regular-guest export]# ls /var/loc
local/ lock/
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/
exports imports server
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/server/
18516
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/exports/
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/imports/
[root@regular-guest export]#
===============================
[root@regular-guest dirsrv]#ipa-server-install --setup-dns --no-forwarders -r ENGLAB.PNQ.TEST.COM -p testpwd -P testpwd -a testpwd -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host regular-guest.englab.pnq.redhat.com
The domain name has been calculated based on the host name.

Using reverse zone 201.65.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname: regular-guest.englab.pnq.redhat.com
IP address: 10.65.201.202
Domain name: englab.pnq.redhat.com
Realm name: ENGLAB.PNQ.TEST.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: 201.65.10.in-addr.arpa.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'regular-guest.englab.pnq.redhat.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-t8gRZ4' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'HyE1i9gtNi3fp64ClH7K' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=ENGLAB.PNQ.TEST.COM' '-ldap_host' 'regular-guest.englab.pnq.redhat.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=ENGLAB.PNQ.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=ENGLAB.PNQ.TEST.COM' '-ca_server_cert_subject_name' 'CN=regular-guest.englab.pnq.redhat.com,O=ENGLAB.PNQ.TEST.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ENGLAB.PNQ.TEST.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ENGLAB.PNQ.TEST.COM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed
[root@regular-guest dirsrv]# pwd
/etc/dirsrv
[root@regular-guest dirsrv]# cd /var/log/dirsrv/slapd-PKI-IPA/
[root@regular-guest slapd-PKI-IPA]# ls
access access.rotationinfo audit audit.rotationinfo errors errors.rotationinfo
[root@regular-guest slapd-PKI-IPA]# tail errors
[16/May/2012:06:16:23 -0400] - I'm resizing my cache now...cache was 1658949632 and is now 8000000
[16/May/2012:06:16:24 -0400] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
[16/May/2012:06:16:25 -0400] - slapd shutting down - signaling operation threads
[16/May/2012:06:16:25 -0400] - slapd shutting down - waiting for 29 threads to terminate
[16/May/2012:06:16:25 -0400] - slapd shutting down - closing down internal subsystems and plugins
[16/May/2012:06:16:25 -0400] - Waiting for 4 database threads to stop
[16/May/2012:06:16:26 -0400] - All database threads now stopped
[16/May/2012:06:16:26 -0400] - slapd stopped.
[16/May/2012:06:16:27 -0400] - 389-Directory/1.2.10.8 B2012.124.1454 starting up
[16/May/2012:06:16:27 -0400] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
'[root@regular-guest slapd-PKI-IPA]#
==============================================================================
```

The CA issue is definitely something different. In the DS code, the only reasons for getting the error mentioned in this bug report are if a lock file already exists, or if we are unable to access it (directory doesn't exist, permissions, etc.). Since this is not currently reproducible, I propose that we close this and re-open it if you encounter the issue again. If the issue is reproduced, I'd like the system left in the failure state so we can see why the issue is occurring. Does this sound OK with you?

IPA 2.2.0 isn't going to be supported in Fedora 16, the server anyway, so I'd try to reproduce this on F-17 using the final 2.2.0 release instead of the beta. The dogtag installer changed so that pki-ca >= 9.0.18 no longer works with the beta code.

Can you try reproducing this with 2.2.0? I'm inclined to close this as notabug.

Closing this as WORKSFORME. Please reopen it if there is still an issue.
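
A check for the two conditions named in the thread (a leftover lock file, or a lock directory that is missing or inaccessible), as an added example that is not part of the original bug report or the 389-ds code. It assumes entries in the lock directories are named after the PID of the owning process, as the `18516` entry in the listing suggests; `check_dirsrv_locks` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: triage the lock directories of a 389-ds instance.
# Assumption: each entry in server/, exports/ and imports/ is named after
# the PID of the process holding the lock (e.g. "18516" in the listing).

# Hypothetical helper. Prints one finding per line:
#   MISSING <dir>   lock directory does not exist
#   NOACCESS <dir>  current user lacks r/w/x on it (never reported for root)
#   LIVE <file>     lock held by a running process
#   STALE <file>    lock left behind by a process that is gone
#   UNKNOWN <file>  entry whose name is not a PID
check_dirsrv_locks() {
    root=$1
    for sub in server exports imports; do
        dir="$root/$sub"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            continue
        fi
        if [ ! -r "$dir" ] || [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
            echo "NOACCESS $dir"
            continue
        fi
        for f in "$dir"/*; do
            [ -e "$f" ] || continue        # empty directory: glob did not match
            pid=${f##*/}
            case $pid in
                ''|*[!0-9]*)
                    echo "UNKNOWN $f" ;;
                *)
                    # kill -0 fails with EPERM for other users' processes,
                    # so also look in /proc (Linux).
                    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
                        echo "LIVE $f"
                    else
                        echo "STALE $f"
                    fi ;;
            esac
        done
    done
    return 0
}

# Read-only check; defaults to the instance path from this bug report.
check_dirsrv_locks "${1:-/var/lock/dirsrv/slapd-PKI-IPA}"
```

Run it as the account the directory server runs under, since the access test reflects the calling user's permissions.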