RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1080532 - ipa-client-install --uninstall crash on a freshly installed machine joined to IPA via reamd and anaconda
Summary: ipa-client-install --uninstall crash on a freshly installed machine joined to...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-03-25 15:53 UTC by Patrik Kis
Modified: 2015-03-05 10:10 UTC (History)
7 users (show)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:10:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
ipa install/uninstall logs (15.51 KB, application/x-gzip)
2014-03-26 09:10 UTC, Patrik Kis 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Patrik Kis 2014-03-25 15:53:58 UTC 
Description of problem:
When joining a machine to IPA via realmd during the machine installation with anaconda kickstart, the ipa uninstall crashes. I was not able to reproduce this issue under other conditions, only just after installation and joining via anaconda. It seems that ipa client ties to start the chronyd service, but as it is not installed it crashes. I think it should handle the situation more clearly.

Version-Release number of selected component (if applicable):
ipa-client-3.3.3-25.el7

How reproducible:
always

Steps to Reproduce:
1/ Install a machine with kickstart and join it to IPA; I use the following kickstart file:

text
zerombr
bootloader --location=mbr
clearpart --all --initlabel
autopart
logging --level=debug
rootpw --plaintext redhat
firewall --disabled
keyboard us
lang en_US
timezone --isUtc America/New_York
network --bootproto=static --device=eth0 --gateway=192.168.100.1 --ip=192.168.100.72 --netmask=255.255.255.0 --nameserver=10.34.37.24 --hostname=rhel72.ipa.baseos.qe --noipv6 --activate
reboot

realm join --one-time-password=MyPassword ipa.baseos.qe

%packages --ignoremissing
wget
make
@core
%end

2/ After the installation log into the machine and try remove it from IPA:

[root@rhel72 ~]# /usr/sbin/ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2597, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2569, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 619, in uninstall
    ipaclient.ntpconf.restore_forced_ntpd(statestore)
  File "/usr/lib/python2.7/site-packages/ipaclient/ntpconf.py", line 224, in restore_forced_ntpd
    service.start()
  File "/usr/lib/python2.7/site-packages/ipapython/platform/base/systemd.py", line 119, in start
    ipautil.run(["/bin/systemctl", "start", self.service_instance(instance_name)], capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 328, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
subprocess.CalledProcessError: Command '/bin/systemctl start chronyd.service' returned non-zero exit status 6

The second attempt seems to be successful:

[root@rhel72 log]# 
[root@rhel72 log]# /usr/sbin/ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.BASEOS.QE' returned non-zero exit status 5
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Comment 1 Martin Kosek 2014-03-26 08:58:44 UTC 
chrony apparently could not be started. Can you please also attach ipaclient-uninstall.log? It would help us understand why.
Comment 2 Patrik Kis 2014-03-26 09:10:41 UTC 
Created attachment 878914 [details]
ipa install/uninstall logs
Comment 3 Martin Kosek 2014-03-26 09:32:49 UTC 
Thanks. I will open an upstream ticket.
Comment 4 Martin Kosek 2014-03-26 09:37:08 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4273
Comment 5 Jan Pazdziora 2014-06-10 09:56:25 UTC 
What does /bin/systemctl status chronyd.service show as the log after that failed /bin/systemctl start chronyd.service?
Comment 6 Patrik Kis 2014-06-13 12:13:38 UTC 
(In reply to Jan Pazdziora from comment #5)
> What does /bin/systemctl status chronyd.service show as the log after that
> failed /bin/systemctl start chronyd.service?

I guess it would report error since chronyd is not installed as it is mentioned description, but I have not tested it. I don't have the failing environment anymore so it would take some time to set it up again; do you really need to test this?
Comment 7 Jan Pazdziora 2014-06-18 07:56:17 UTC 
This is strange because the restore_forced_ntpd where it tracebacks should take the list of services from the statestore and should attempt to start the service only if it was seen running before.

Looking at the ipaclient-install.log

2014-03-25T15:26:35Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2014-03-25T15:26:35Z DEBUG Process finished, return code=1
2014-03-25T15:26:35Z DEBUG stdout=
2014-03-25T15:26:35Z DEBUG stderr=
2014-03-25T15:26:35Z DEBUG Starting external process
2014-03-25T15:26:35Z DEBUG args=/bin/systemctl is-active chronyd.service
2014-03-25T15:26:35Z DEBUG Process finished, return code=0
2014-03-25T15:26:35Z DEBUG stdout=
2014-03-25T15:26:35Z DEBUG stderr=Running in chroot, ignoring request.

2014-03-25T15:26:35Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2014-03-25T15:26:35Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2014-03-25T15:26:35Z DEBUG Starting external process
2014-03-25T15:26:35Z DEBUG args=/bin/systemctl stop chronyd.service
2014-03-25T15:26:35Z DEBUG Process finished, return code=0
2014-03-25T15:26:35Z DEBUG stdout=
2014-03-25T15:26:35Z DEBUG stderr=Running in chroot, ignoring request.

The problem seems to be that /bin/systemctl is-active chronyd.service returns code 0 even if it says Running in chroot, ignoring request.
Comment 8 Jan Pazdziora 2014-06-24 07:20:28 UTC 
For the record: bug 1110675 was filed to get systemd behaviour changed.

However, until that happens and change gets to RHEL 7 (if the behaviour is ever changed), we might need to check for the "running in chroot" situation and ignore the systemctl results.
Comment 9 Petr Viktorin (pviktori) 2014-07-08 08:31:36 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2ff14607b170c86ccd93cff60f5a34d64cd1e419
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/2ff14607b170c86ccd93cff60f5a34d64cd1e419
ipa-4-0:
https://fedorahosted.org/freeipa/changeset/2ff14607b170c86ccd93cff60f5a34d64cd1e419
Comment 11 Scott Poore 2015-01-28 17:11:34 UTC 
Verified.

Version ::

ipa-client-4.1.0-16.el7.x86_64

Results ::

[root@vm2 ~]# ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Failed to start chronyd: Command ''/bin/systemctl' 'start' 'chronyd.service'' returned non-zero exit status 6
Systemwide CA database updated.
Client uninstall complete.

So, proper error message and no crash.
Comment 13 errata-xmlrpc 2015-03-05 10:10:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Note You need to log in before you can comment on or make changes to this bug.