Description of problem:
ipa-server-install does not complete on a new VM build. While configuring Kerberos KDC, it hangs in step 4, initialize kerberos container.

Version-Release number of selected component (if applicable):
[root@ipa ~]# yum list installed freeipa*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
freeipa-admintools.x86_64 3.3.4-3.fc20 @local-updates
freeipa-client.x86_64 3.3.4-3.fc20 @local-updates
freeipa-python.x86_64 3.3.4-3.fc20 @local-updates
freeipa-server.x86_64 3.3.4-3.fc20 @local-updates
[root@ipa ~]# yum list installed krb5*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
krb5-libs.x86_64 1.11.5-4.fc20 @local-updates
krb5-pkinit.x86_64 1.11.5-4.fc20 @local-updates
krb5-server.x86_64 1.11.5-4.fc20 @local-updates
krb5-workstation.x86_64 1.11.5-4.fc20 @local-updates
[root@ipa ~]#

How reproducible:
consistent

Steps to Reproduce:
1. Build a new Fedora 19 or 20 VM
2. ipa-server-install \
   --admin-password adminpassword \
   --domain $domainname \
   --ds-password dspassword \
   --forwarder $forward1 \
   --forwarder $forward2 \
   --hostname $hostname \
   --mkhomedir \
   --realm $realmname \
   --setup-dns \
   --unattended

Actual results:
....
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container

Expected results:
successful installation

Additional info:
From /var/log/ipaserver-install.log
....
2014-04-13T16:16:56Z DEBUG Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
2014-04-13T16:16:56Z DEBUG [1/10]: adding sasl mappings to the directory
2014-04-13T16:16:56Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-HUNTER-ORG.socket from SchemaCache
2014-04-13T16:16:56Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HUNTER-ORG.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x37c1368>
2014-04-13T16:16:56Z DEBUG duration: 0 seconds
2014-04-13T16:16:56Z DEBUG [2/10]: adding kerberos container to the directory
2014-04-13T16:16:56Z DEBUG Starting external process
2014-04-13T16:16:56Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpNy_6IT -H ldapi://%2fvar%2frun%2fslapd-HUNTER-ORG.socket -x -D cn=Directory Manager -y /tmp/tmp_u6gaB
2014-04-13T16:16:56Z DEBUG Process finished, return code=0
2014-04-13T16:16:56Z DEBUG stdout=add objectClass: krbContainer top
add cn: kerberos
adding new entry "cn=kerberos,dc=hunter,dc=org"
modify complete
add cn: HUNTER.ORG
add objectClass: top krbrealmcontainer krbticketpolicyaux
add krbSubTrees: dc=hunter,dc=org
add krbSearchScope: 2
add krbSupportedEncSaltTypes: aes256-cts:normal aes256-cts:special aes128-cts:normal aes128-cts:special des3-hmac-sha1:normal des3-hmac-sha1:special arcfour-hmac:normal arcfour-hmac:special camellia128-cts-cmac:normal camellia128-cts-cmac:special camellia256-cts-cmac:normal camellia256-cts-cmac:special
add krbMaxTicketLife: 86400
add krbMaxRenewableAge: 604800
add krbDefaultEncSaltTypes: aes256-cts:special aes128-cts:special des3-hmac-sha1:special arcfour-hmac:special
adding new entry "cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org"
modify complete
add objectClass: top nsContainer krbPwdPolicy
add krbMinPwdLife: 3600
add krbPwdMinDiffChars: 0
add krbPwdMinLength: 8
add krbPwdHistoryLength: 0
add krbMaxPwdLife: 7776000
add krbPwdMaxFailure: 6
add krbPwdFailureCountInterval: 60
add krbPwdLockoutDuration: 600
adding new entry "cn=global_policy,cn=HUNTER.ORG,cn=kerberos,dc=hunter,dc=org"
modify complete
2014-04-13T16:16:56Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-HUNTER-ORG.socket/??base )
2014-04-13T16:16:56Z DEBUG duration: 0 seconds
2014-04-13T16:16:56Z DEBUG [3/10]: configuring KDC
2014-04-13T16:16:56Z DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/kdc.conf'
2014-04-13T16:16:56Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2014-04-13T16:16:56Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2014-04-13T16:16:56Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2014-04-13T16:16:56Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb5.ini'
2014-04-13T16:16:56Z DEBUG -> Not backing up - '/usr/share/ipa/html/krb5.ini' doesn't exist
2014-04-13T16:16:56Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb.con'
2014-04-13T16:16:56Z DEBUG -> Not backing up - '/usr/share/ipa/html/krb.con' doesn't exist
2014-04-13T16:16:56Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krbrealm.con'
2014-04-13T16:16:56Z DEBUG -> Not backing up - '/usr/share/ipa/html/krbrealm.con' doesn't exist
2014-04-13T16:16:56Z DEBUG Starting external process
2014-04-13T16:16:56Z DEBUG args=klist -V
2014-04-13T16:16:56Z DEBUG Process finished, return code=0
2014-04-13T16:16:56Z DEBUG stdout=Kerberos 5 version 1.11.5
2014-04-13T16:16:56Z DEBUG stderr=
2014-04-13T16:16:56Z DEBUG Backing up system configuration file '/etc/sysconfig/krb5kdc'
2014-04-13T16:16:56Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2014-04-13T16:16:56Z DEBUG Starting external process
2014-04-13T16:16:56Z DEBUG args=/usr/sbin/selinuxenabled
2014-04-13T16:16:56Z DEBUG Process finished, return code=0
2014-04-13T16:16:56Z DEBUG stdout=
2014-04-13T16:16:56Z DEBUG stderr=
2014-04-13T16:16:56Z DEBUG Starting external process
2014-04-13T16:16:56Z DEBUG args=/usr/sbin/restorecon /etc/sysconfig/krb5kdc
2014-04-13T16:16:56Z DEBUG Process finished, return code=0
2014-04-13T16:16:56Z DEBUG stdout=
2014-04-13T16:16:56Z DEBUG stderr=
2014-04-13T16:16:56Z DEBUG duration: 0 seconds
2014-04-13T16:16:56Z DEBUG [4/10]: initialize kerberos container
2014-04-13T16:16:56Z DEBUG Starting external process
2014-04-13T16:16:56Z DEBUG args=kdb5_util create -s -r HUNTER.ORG -x ipa-setup-override-restrictions
The kdb5_util process is not accumulating any CPU time, even after an hour:
[root@ipa ~]# ps -ef | grep kdb5_util
root 3650 1891 0 11:16 ? 00:00:00 kdb5_util create -s -r HUNTER.ORG -x ipa-setup-override-restrictions
We can't do anything because it is your VM lacking enough entropy. You need to make more entropy available to the VM. I have the following example: https://www.redhat.com/archives/freeipa-devel/2014-February/msg00632.html
Yeah I think your VM is simply starved of entropy. You can install a virtio rngd or do something like running rngd -i /dev/urandom on the VM to overcome the problem.
Closing because it is not a FreeIPA bug; however, if you feel this is something the distribution should handle, maybe you can reopen and reassign to one of the virt-related components.
There is no way to check that this requirement for a successful installation can be met instead of just waiting with no indication as to the nature of the problem?
That's a good point, I am thinking we could be more explicit in telling users that this step requires entropy. Maybe we could link this Bugzilla to a similar upstream ticket: https://fedorahosted.org/freeipa/ticket/4210
And at least state that entropy is required:
...
  [4/10]: initialize kerberos container (requires entropy)
...
or even, as advised in https://fedorahosted.org/freeipa/ticket/4210#comment:3, try to read /proc/sys/kernel/random/entropy_avail and print a warning when entropy is too low.
Thank you. Some indication of the nature of the problem, and therefore its resolution, would be better than an infinite wait. Knowing that the problem was caused by insufficient entropy for random number generation, I was able to work around it by upgrading the VM host to Fedora 20 and adding "--rng /dev/random" to the virt-install command used to build the IPA VM guest.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4210
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa
Watching the results of "cat /proc/sys/kernel/random/entropy_avail" it appears that playing Freecell Solitaire while waiting for a new VM to build was more responsible for solving my problem than changing the virt-install options.
FreeIPA 4.0.0 (Rawhide/Fedora 21) has the explanatory message.
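
The pre-flight check suggested in the thread (read /proc/sys/kernel/random/entropy_avail and warn when it is too low), sketched as an added example; this is not the code from the upstream changeset. The 200-bit watermark, the state names and the function names are assumptions made for this example.

```python
import sys
import time

ENTROPY_PATH = "/proc/sys/kernel/random/entropy_avail"
LOW_WATERMARK = 200  # bits; assumed threshold for this example, not a FreeIPA value

ADVICE = {
    "ok": "entropy estimate looks sufficient",
    "refilling": "entropy is low but growing; key generation may be slow",
    "starved": "entropy is low and not growing; steps that wait for kernel entropy "
               "(such as kdb5_util create in this report) may hang. Give the guest "
               "an RNG device or run rngd before installing",
    "unknown": "could not read the entropy estimate on this system",
}

def read_entropy(path=ENTROPY_PATH):
    """Return the kernel's entropy estimate in bits, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def assess(samples, low=LOW_WATERMARK):
    """Classify readings taken at intervals (oldest first)."""
    vals = [s for s in samples if s is not None]
    if not vals:
        return "unknown"
    if vals[-1] >= low:
        return "ok"
    # Below the watermark: a rising estimate means the pool is being fed.
    return "refilling" if vals[-1] > vals[0] else "starved"

def preflight(path=ENTROPY_PATH, count=3, interval=1.0, low=LOW_WATERMARK):
    """Sample the estimate `count` times and return (state, samples, advice)."""
    samples = []
    for i in range(count):
        if i:
            time.sleep(interval)
        samples.append(read_entropy(path))
    state = assess(samples, low)
    return state, samples, ADVICE[state]

if __name__ == "__main__":
    state, samples, advice = preflight()
    print("entropy_avail samples: %s -> %s: %s" % (samples, state, advice))
    sys.exit(1 if state == "starved" else 0)
```

Run it on the guest before ipa-server-install; a non-zero exit means the estimate stayed below the watermark across all samples. On kernels where /dev/random no longer blocks once the pool is initialised the reading is less meaningful, so the check mainly serves systems like the Fedora 19/20 guests in this report.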