Bug 1072502 - running ipa-server-install --setup-dns results in a crash
Summary: running ipa-server-install --setup-dns results in a crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-04 16:58 UTC by Michael Wang
Modified: 2015-03-05 10:10 UTC (History)

Fixed In Version: ipa-4.1.0-14.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:10:35 UTC
Target Upstream Version:
Embargoed:


Attachments
/var/log/ipaserver-install.log (19.21 KB, text/plain)
2014-03-04 16:58 UTC, Michael Wang
snip from automation log (12.17 KB, text/plain)
2015-01-16 06:10 UTC, Kaleem


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Michael Wang 2014-03-04 16:58:18 UTC
Created attachment 870544
/var/log/ipaserver-install.log

Description of problem:

running ipa-server-install --setup-dns results in a crash

Version-Release number of selected component (if applicable):
RHEL 7 beta snapshot 8

How reproducible:


Steps to Reproduce:
[root@idm1 yum.repos.d]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [idm1.linux.lab]: 

Warning: skipping DNS resolution of host idm1.linux.lab
The domain name has been determined based on the host name.

Please confirm the domain name [linux.lab]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [LINUX.LAB]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

Do you want to configure DNS forwarders? [yes]: 
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 192.168.0.40
DNS forwarder 192.168.0.40 added
Enter IP address for a DNS forwarder: 192.168.0.60
DNS forwarder 192.168.0.60 added
Enter IP address for a DNS forwarder: 
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [0.168.192.in-addr.arpa.]: 
Using reverse zone 0.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      idm1.linux.lab
IP address:    192.168.0.80
Domain name:   linux.lab
Realm name:    LINUX.LAB

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.0.40, 192.168.0.60
Reverse zone:  0.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
. . . 


Actual results:

  [2/38]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpTbUKBx' returned non-zero exit status 1
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv' returned non-zero exit status 1). See the installation log for details.
  [3/38]: adding default schema
Unexpected error - see /var/log/ipaserver-install.log for details:
IOError: [Errno 2] No such file or directory: '/etc/dirsrv/slapd-LINUX-LAB//schema/60kerberos.ldif'

Expected results:
completion of install without errors.

Additional info:

Comment 3 Dmitri Pal 2014-03-04 17:44:14 UTC
The DNS name for the system was resolvable but there was no reverse DNS entry. This is why the installation failed. 
Adding reverse record resolved the issue.

IMO we should fail cleaner in this case and with a good actionable error message.

Comment 4 Michael Wang 2014-03-04 17:47:18 UTC
I did indeed confirm that this issue goes away if I have a reverse lookup record--thank you. Though I could not recover from the crashed install using the command "ipa-server-install --uninstall" and had to revert to an earlier snapshot of the server. Regardless, the root cause of this issue has been identified. Thanks!
Mike

Comment 5 Martin Kosek 2014-03-05 09:11:30 UTC
I agree, we seem to have a gap in the validation mechanism.

With --setup-dns flag, some hostname the reverse record validation is skipped. We also skip adding a record in /etc/hosts when hostname is resolvable, but apparently DS instance cannot be created when that is missing.

We should extend get_server_ip_address function in installutils.py to add these records in this case. I will open an upstream ticket.
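
A pre-flight check of the kind Comments 3 and 5 describe, as an added example: it is not FreeIPA's code and not the get_server_ip_address fix. It verifies that the host name resolves forward and that each address resolves back to the same name, and raises an actionable error otherwise. The names preflight_dns_check, DnsPreflightError and table_resolver are hypothetical, and the sample records are constructed from the values in the report.

```python
import socket

class DnsPreflightError(Exception):
    """Carries an actionable message for the administrator."""

def system_forward(hostname):
    # Forward lookup through the system resolver (DNS or /etc/hosts).
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def system_reverse(address):
    # Reverse lookup through the system resolver (PTR record or /etc/hosts).
    return socket.gethostbyaddr(address)[0]

def table_resolver(table, error=OSError):
    # Constructed stand-in for a resolver so the check can run offline.
    def lookup(key):
        if key not in table:
            raise error(1, "not found")
        return table[key]
    return lookup

def preflight_dns_check(hostname, forward=system_forward, reverse=system_reverse):
    """Return the verified addresses or raise DnsPreflightError."""
    fqdn = hostname.rstrip(".").lower()
    try:
        addresses = forward(fqdn)
    except OSError as exc:
        raise DnsPreflightError(
            f"{fqdn} does not resolve; add an A/AAAA record or an "
            f"/etc/hosts entry before installing") from exc
    for address in addresses:
        try:
            name = reverse(address).rstrip(".").lower()
        except OSError as exc:
            raise DnsPreflightError(
                f"{fqdn} resolves to {address} but {address} has no reverse "
                f"record; add a PTR record or an /etc/hosts entry") from exc
        if name != fqdn:
            raise DnsPreflightError(
                f"{address} reverse-resolves to {name}, not {fqdn}; "
                f"correct the PTR record before installing")
    return addresses

if __name__ == "__main__":
    # Constructed data mirroring the report: forward record, no reverse record.
    forward = table_resolver({"idm1.linux.lab": ["192.168.0.80"]})
    try:
        preflight_dns_check("idm1.linux.lab", forward, table_resolver({}))
    except DnsPreflightError as err:
        print(f"pre-flight failed: {err}")
```

Running such a check before any service is configured stops the installer while the system is still unchanged, so no uninstall or snapshot revert is needed.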

Comment 6 Martin Kosek 2014-03-05 09:16:21 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4220

Comment 7 Martin Kosek 2014-03-05 11:34:57 UTC
I am lowering the severity to medium given this is an error in validation only and installation worked after reverse record was added.

Comment 11 Martin Bašti 2014-12-16 17:28:46 UTC
The fix was accidentally removed by another patch.

https://git.fedorahosted.org/cgit/freeipa.git/diff/ipaserver/install/installutils.py?id=579b614e3f0501138d3fbb669cf6ae85adb3ac56

This has to be fixed again.

Comment 12 Martin Kosek 2014-12-17 12:31:48 UTC
I created https://fedorahosted.org/freeipa/ticket/4817 for the regression.

Comment 15 Kaleem 2015-01-16 06:09:33 UTC
Verified.

IPA version:
============
ipa-server-4.1.0-15.el7.x86_64

Snip of automation log has been attached.

Comment 16 Kaleem 2015-01-16 06:10:31 UTC
Created attachment 980750
snip from automation log

Comment 18 errata-xmlrpc 2015-03-05 10:10:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

