Red Hat Bugzilla – Bug 1072502
running ipa-server-install --setup-dns results in a crash
Last modified: 2015-03-05 05:10:35 EST
Created attachment 870544 [details] /var/log/ipaserver-install.log Description of problem: running ipa-server-install --setup-dns results in a crash Version-Release number of selected component (if applicable): RHEL 7 beta snapshot 8 How reproducible: Steps to Reproduce: [root@idm1 yum.repos.d]# ipa-server-install --setup-dns The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Existing BIND configuration detected, overwrite? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [idm1.linux.lab]: Warning: skipping DNS resolution of host idm1.linux.lab The domain name has been determined based on the host name. Please confirm the domain name [linux.lab]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [LINUX.LAB]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Do you want to configure DNS forwarders? [yes]: Enter the IP address of DNS forwarder to use, or press Enter to finish. Enter IP address for a DNS forwarder: 192.168.0.40 DNS forwarder 192.168.0.40 added Enter IP address for a DNS forwarder: 192.168.0.60 DNS forwarder 192.168.0.60 added Enter IP address for a DNS forwarder: Do you want to configure the reverse zone? [yes]: Please specify the reverse zone name [0.168.192.in-addr.arpa.]: Using reverse zone 0.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: idm1.linux.lab IP address: 192.168.0.80 Domain name: linux.lab Realm name: LINUX.LAB BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.0.40, 192.168.0.60 Reverse zone: 0.168.192.in-addr.arpa. Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user . . . Actual results: [2/38]: creating directory server instance ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpTbUKBx' returned non-zero exit status 1 ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@LINUX-LAB.service' returned non-zero exit status 1). See the installation log for details. [3/38]: adding default schema Unexpected error - see /var/log/ipaserver-install.log for details: IOError: [Errno 2] No such file or directory: '/etc/dirsrv/slapd-LINUX-LAB//schema/60kerberos.ldif' Expected results: completion of install without errors. Additional info:
The DNS name for the system was resolvable but there was no reverse DNS entry. This is why the installation failed. Adding reverse record resolved the issue. IMO we should fail cleaner in this case and with a good actionable error message.
I did indeed confirm that this issues goes away if I have a reverse lookup record--thank you. Though I could not recover from the crash install using the command "ipa-server-install --uninstall" and had to revert to an earlier snapshot of the server. Regardless, the root cause of this issue has been identified. Thanks! Mike
I agree, we seem to have a gap in the validation mechanism. With --setup-dns flag, some hostname the reverse record validation is skipped. We also skip adding a record in /etc/hosts when hostname is resolvable, but apparently DS instance cannot be created what that is missing. We should extend get_server_ip_address function in installutils.py to add these record in this case. I will open an upstream ticket.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4220
I am lowering the severity to medium given this is an error in validation only and installation worked after reverse record was added.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8aa01e24a1664f5f523732f79ae8d842fb4417a8 ipa-4-1: https://fedorahosted.org/freeipa/changeset/7baf8fecd410e5a8b64767d27a6a2848c4a00803 ipa-4-0: https://fedorahosted.org/freeipa/changeset/c1b680c54ec2bc0846c4e8a0f5d3260864d645b9
The fix was accidentaly removed by another patch. https://git.fedorahosted.org/cgit/freeipa.git/diff/ipaserver/install/installutils.py?id=579b614e3f0501138d3fbb669cf6ae85adb3ac56 This has to be fixed again.
I created https://fedorahosted.org/freeipa/ticket/4817 for the regression.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3c69435c1b18ad9827f53d31e97ee88fa0eb9370 ipa-4-1: https://fedorahosted.org/freeipa/changeset/30868db4532c2118430b5c34799701d77461641c
Verified. IPA version: ============ ipa-server-4.1.0-15.el7.x86_64 Snip of automation log has been attached.
Created attachment 980750 [details] snip from automation log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html