Red Hat Bugzilla – Bug 1075129
bogus time estimates shown for configuration of various component in replica installation
Last modified: 2015-03-05 05:10:37 EST
Description of problem: This i faced when i tried to create a replica from a Replica (RHEL-7.0) which was migrated from a RHEL-6.5 based Master. Version-Release number of selected component (if applicable): [root@rhel70-replica ~]# rpm -q ipa-server pki-ca 389-ds-base ipa-server-3.3.3-21.el7.x86_64 pki-ca-10.0.5-3.el7.noarch 389-ds-base-1.3.1.6-22.el7.x86_64 [root@rhel70-replica ~]# How reproducible: Always Steps to Reproduce: 1. Install Master on RHEL-6.5 2. Install Replica on RHEL-7.0 from RHEL-6.5 based Master. 3. Now again install another replica on RHEL-7.0 from replica of step (2). Actual results: Bogus time estimate shown for configuration of various component (dirsrv, ca instance etc) Expected results: No bogus time estimate should be shown. ======================================================================== Here directory server configuration show that it will take 31 minutes but actually it takes less than that. Configuring directory server (dirsrv): Estimated time 31 minutes [1/34]: creating directory server user [2/34]: creating directory server instance [3/34]: adding default schema [4/34]: enabling memberof plugin [5/34]: enabling winsync plugin [6/34]: configuring replication version plugin [7/34]: enabling IPA enrollment plugin [8/34]: enabling ldapi [9/34]: configuring uniqueness plugin [10/34]: configuring uuid plugin [11/34]: configuring modrdn plugin [12/34]: configuring DNS plugin [13/34]: enabling entryUSN plugin [14/34]: configuring lockout plugin [15/34]: creating indices [16/34]: enabling referential integrity plugin [17/34]: configuring ssl for ds instance [18/34]: configuring certmap.conf [19/34]: configure autobind for root [20/34]: configure new location for managed entries [21/34]: configure dirsrv ccache [22/34]: enable SASL mapping fallback [23/34]: restarting directory server [24/34]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 21 seconds elapsed Update succeeded [25/34]: updating schema [26/34]: setting Auto Member configuration [27/34]: enabling S4U2Proxy delegation [28/34]: initializing group membership [29/34]: adding master entry [30/34]: configuring Posix uid/gid generation [31/34]: adding replication acis [32/34]: enabling compatibility plugin [33/34]: tuning directory server [34/34]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds [1/19]: creating certificate server user [2/19]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp8ZctZ3' returned non-zero exit status 1 Your system may be partly configured.
In my 7.0 VM, this issue did not happen in the referred scenario, we will need to further investigate what happened. But this does not look as a blocking issue.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4242
This is probably affected by the local time zone setting, installer framework process the estimated duration in a strange way. Kallem, can you please see what time zone do you use? # ls -la /etc/localtime
I see following [root@rhel70-replica ~]# ls -la /etc/localtime lrwxrwxrwx. 1 root root 34 Mar 11 20:26 /etc/localtime -> ../usr/share/zoneinfo/Asia/Kolkata [root@rhel70-replica ~]#
Ok, this is the reproducer then: Works ok: # ls -la /etc/localtime lrwxrwxrwx. 1 root root 38 Jan 9 10:51 /etc/localtime -> ../usr/share/zoneinfo/America/New_York # python -c "import time; t= time.localtime(300); print t.tm_min, t.tm_sec" 5 0 Breaks: # ln -sf ../usr/share/zoneinfo/Asia/Kolkata /etc/localtime # ls -la /etc/localtime lrwxrwxrwx. 1 root root 34 Mar 12 17:40 /etc/localtime -> ../usr/share/zoneinfo/Asia/Kolkata # python -c "import time; t= time.localtime(300); print t.tm_min, t.tm_sec" 35 0 We will fix upstream.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7c9fa8fad96c039b96939f8df8d740ad6b50eec9
Verified. Version :: ipa-server-4.1.0-16.el7.x86_64 Results :: ENV: rhel6.6 master -> rhel7.1 replica -> rhel7.1 replica [root@rhel7-3 etc]# ipa-replica-manage list rhel6-2.testrelm.test rhel7-2.testrelm.test: replica [root@rhel7-3 etc]# ipa-replica-manage list rhel7-2.testrelm.test rhel6-2.testrelm.test: replica rhel7-3.testrelm.test: replica [root@rhel7-3 etc]# ipa-replica-manage list rhel7-3.testrelm.test rhel7-2.testrelm.test: replica Time estimates look normal. [root@rhel7-3 etc]# date Wed Jan 28 00:25:54 IST 2015 [root@rhel7-3 etc]# ls -l /etc/localtime lrwxrwxrwx. 1 root root 34 Jan 27 22:48 /etc/localtime -> ../usr/share/zoneinfo/Asia/Kolkata [root@rhel7-3 etc]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -p Secret123 /var/lib/ipa/replica-info-rhel7-3.testrelm.test.gpg Checking forwarders, please wait ... WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled Run connection check to master Check connection from replica to remote master 'rhel7-2.testrelm.test': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'rhel7-3.testrelm.test': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Connection check OK Using reverse zone(s) 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv): Estimated time 1 minute [1/35]: creating directory server user [2/35]: creating directory server instance [3/35]: adding default schema [4/35]: enabling memberof plugin [5/35]: enabling winsync plugin [6/35]: configuring replication version plugin [7/35]: enabling IPA enrollment plugin [8/35]: enabling ldapi [9/35]: configuring uniqueness plugin [10/35]: configuring uuid plugin [11/35]: configuring modrdn plugin [12/35]: configuring DNS plugin [13/35]: enabling entryUSN plugin [14/35]: configuring lockout plugin [15/35]: creating indices [16/35]: enabling referential integrity plugin [17/35]: configuring ssl for ds instance [18/35]: configuring certmap.conf [19/35]: configure autobind for root [20/35]: configure new location for managed entries [21/35]: configure dirsrv ccache [22/35]: enable SASL mapping fallback [23/35]: restarting directory server [24/35]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 3 seconds elapsed Update succeeded [25/35]: updating schema [26/35]: setting Auto Member configuration [27/35]: enabling S4U2Proxy delegation [28/35]: importing CA certificates from LDAP [29/35]: initializing group membership [30/35]: adding master entry [31/35]: configuring Posix uid/gid generation [32/35]: adding replication acis [33/35]: enabling compatibility plugin [34/35]: tuning directory server [35/35]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/22]: creating certificate server user [2/22]: configuring certificate server instance [3/22]: stopping certificate server instance to update CS.cfg [4/22]: backing up CS.cfg [5/22]: disabling nonces [6/22]: set up CRL publishing [7/22]: enable PKIX certificate path discovery and validation [8/22]: starting certificate server instance [9/22]: creating RA agent certificate database [10/22]: importing CA chain to RA certificate database [11/22]: fixing RA database permissions [12/22]: setting up signing cert profile [13/22]: set certificate subject base [14/22]: enabling Subject Key Identifier [15/22]: enabling Subject Alternative Name [16/22]: enabling CRL and OCSP extensions for certificates [17/22]: setting audit signing renewal to 2 years [18/22]: configuring certificate server to start on boot [19/22]: configure certmonger for renewals [20/22]: configure certificate renewals [21/22]: configure Server-Cert certificate renewal [22/22]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Restarting the directory and certificate servers Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication [8/9]: starting the KDC [9/9]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/15]: setting mod_nss port to 443 [2/15]: setting mod_nss protocol list to TLSv1.0 - TLSv1.1 [3/15]: setting mod_nss password file [4/15]: enabling mod_nss renegotiate [5/15]: adding URL rewriting rules [6/15]: configuring httpd [7/15]: configure certmonger for renewals [8/15]: setting up ssl [9/15]: importing CA certificates from LDAP [10/15]: publish CA cert [11/15]: creating a keytab for httpd [12/15]: clean up any existing httpd ccache [13/15]: configuring SELinux for httpd [14/15]: restarting httpd [15/15]: configuring httpd to start on boot Done configuring the web interface (httpd). Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Applying LDAP updates Restarting Directory server to apply updates [1/2]: stopping directory server [2/2]: starting directory server Done. Restarting the directory server Restarting the KDC Restarting the certificate server Configuring DNS (named) [1/9]: generating rndc key file [2/9]: setting up reverse zone [3/9]: setting up our own record [4/9]: adding NS record to the zones [5/9]: setting up CA record [6/9]: setting up kerberos principal [7/9]: setting up named.conf [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Restarting named Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html