Bug 1197290 - realm crash during kickstart
Summary: realm crash during kickstart
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: David Shea
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:755ef70308544a72015a055eddb...
Depends On:
Blocks: F22AlphaBlocker 1197838
TreeView+ depends on / blocked
 
Reported: 2015-02-28 03:24 UTC by Scott Poore
Modified: 2015-03-07 00:06 UTC (History)
9 users (show)

Fixed In Version: anaconda-22.20.2-1.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1197838 (view as bug list)
Environment:
Last Closed: 2015-03-07 00:06:00 UTC


Attachments (Terms of Use)
File: anaconda-tb (413.52 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: anaconda.log (14.74 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: dnf.log (91.30 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: dnf.rpm.log (27.17 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: environ (492 bytes, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: ks.cfg (726 bytes, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: lsblk_output (2.07 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: nmcli_dev_list (979 bytes, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: os_info (443 bytes, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: program.log (33.37 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: storage.log (75.25 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: syslog (58.71 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: ifcfg.log (5.62 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details
File: packaging.log (1.34 KB, text/plain)
2015-02-28 03:24 UTC, Scott Poore
no flags Details

Description Scott Poore 2015-02-28 03:24:17 UTC
Description of problem:


Version-Release number of selected component:
anaconda-22.20.1-1

The following was filed automatically by anaconda:
anaconda 22.20.1-1 exception report
Traceback (most recent call first):
  File "/usr/lib64/python2.7/site-packages/pyanaconda/kickstart.py", line 569, in execute
    rc = iutil.execWithRedirect("realm", argv)[0]
  File "/usr/lib64/python2.7/site-packages/pyanaconda/install.py", line 112, in doConfiguration
    ksdata.realm.execute(storage, ksdata, instClass)
  File "/usr/lib64/python2.7/threading.py", line 766, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib64/python2.7/site-packages/pyanaconda/threads.py", line 238, in run
    threading.Thread.run(self, *args, **kwargs)
TypeError: 'int' object has no attribute '__getitem__'

Additional info:
addons:         com_redhat_kdump
cmdline:        /usr/bin/python2  /sbin/anaconda
cmdline_file:   method=http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_TC7/Server/x86_64/os/ ks=file:/fedora0.ks console=tty0 console=ttyS0,115200
executable:     /sbin/anaconda
hashmarkername: anaconda
kernel:         4.0.0-0.rc1.git0.1.fc22.x86_64
product:        Fedora"
release:        Cannot get release name.
type:           anaconda
version:        Fedora

Comment 1 Scott Poore 2015-02-28 03:24:20 UTC
Created attachment 996350 [details]
File: anaconda-tb

Comment 2 Scott Poore 2015-02-28 03:24:21 UTC
Created attachment 996351 [details]
File: anaconda.log

Comment 3 Scott Poore 2015-02-28 03:24:22 UTC
Created attachment 996352 [details]
File: dnf.log

Comment 4 Scott Poore 2015-02-28 03:24:23 UTC
Created attachment 996353 [details]
File: dnf.rpm.log

Comment 5 Scott Poore 2015-02-28 03:24:24 UTC
Created attachment 996354 [details]
File: environ

Comment 6 Scott Poore 2015-02-28 03:24:25 UTC
Created attachment 996355 [details]
File: ks.cfg

Comment 7 Scott Poore 2015-02-28 03:24:26 UTC
Created attachment 996356 [details]
File: lsblk_output

Comment 8 Scott Poore 2015-02-28 03:24:27 UTC
Created attachment 996357 [details]
File: nmcli_dev_list

Comment 9 Scott Poore 2015-02-28 03:24:28 UTC
Created attachment 996358 [details]
File: os_info

Comment 10 Scott Poore 2015-02-28 03:24:29 UTC
Created attachment 996359 [details]
File: program.log

Comment 11 Scott Poore 2015-02-28 03:24:31 UTC
Created attachment 996360 [details]
File: storage.log

Comment 12 Scott Poore 2015-02-28 03:24:32 UTC
Created attachment 996361 [details]
File: syslog

Comment 13 Scott Poore 2015-02-28 03:24:33 UTC
Created attachment 996362 [details]
File: ifcfg.log

Comment 14 Scott Poore 2015-02-28 03:24:34 UTC
Created attachment 996363 [details]
File: packaging.log

Comment 15 Scott Poore 2015-02-28 04:08:29 UTC
Failure occurred testing kickstart with realm join.  I am able to join successfully after a kickstart but, not when realm is included in ks.cfg.  

Something to note (not sure if it's related though) is that when I do successfully join an IPA domain using realmd after kickstart, I do have to install python-sssdconfig.

[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
 * Resolving: _ldap._tcp.example.test
 * Performing LDAP DSE lookup on: 192.168.122.201
 * Successfully discovered: example.test
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
There was a problem importing one of the required Python modules. The
error was:

    No module named SSSDConfig

 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed

[root@fedora0 ~]# dnf -y install python-sssdconfig
Using metadata from Sat Feb 28 03:46:08 2015
Dependencies resolved.
=======================================================================================================
 Package                     Arch             Version                  Repository                 Size
=======================================================================================================
Installing:
 python-sssdconfig           noarch           1.12.4-2.fc22            updates-testing            96 k

Transaction Summary
=======================================================================================================
Install  1 Package

Total download size: 96 k
Installed size: 219 k
Downloading Packages:
python-sssdconfig-1.12.4-2.fc22.noarch.rpm                              13 kB/s |  96 kB     00:07    
-------------------------------------------------------------------------------------------------------
Total                                                                  1.5 kB/s |  96 kB     01:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : python-sssdconfig-1.12.4-2.fc22.noarch                                             1/1 
  Verifying   : python-sssdconfig-1.12.4-2.fc22.noarch                                             1/1 

Installed:
  python-sssdconfig.noarch 1.12.4-2.fc22                                                               

Complete!

[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
 * Resolving: _ldap._tcp.example.test
 * Performing LDAP DSE lookup on: 192.168.122.201
 * Successfully discovered: example.test
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
Discovery was successful!
Hostname: fedora0.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: vm1.example.test
BaseDN: dc=example,dc=test
Synchronizing time with KDC...
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.TEST
    Issuer:      CN=Certificate Authority,O=EXAMPLE.TEST
    Valid From:  Wed Feb 11 23:46:12 2015 UTC
    Valid Until: Sun Feb 11 23:46:12 2035 UTC

Enrolled in IPA realm EXAMPLE.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.TEST
trying https://vm1.example.test/ipa/json
Forwarding 'ping' to json server 'https://vm1.example.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://vm1.example.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
DNS server record set to: fedora0.example.test -> 192.168.122.30
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://vm1.example.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.test as NIS domain.

Client configuration complete.
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

[root@fedora0 ~]# id admin@example.test
uid=252400000(admin@example.test) gid=252400000(admins@example.test) groups=252400000(admins@example.test)

[root@fedora0 ~]#

Comment 16 Scott Poore 2015-03-02 16:19:56 UTC
I forgot to mention that this was seen running the kickstart via virt-install.  I don't think that affects things but, it's more information.

qemu-img create -f qcow2 -o preallocation=metadata $DISKIMAGE 8G
virt-install --connect=qemu:///system \
    --network=bridge:virbr0 \
    --initrd-inject=/tmp/${VMNAME}.ks \
    --extra-args="ks=file:/${VMNAME}.ks $EXTRAARGS" \
    --name=$VMNAME \
    --disk path=$DISKIMAGE,format=qcow2,size=8 \
    --ram 1024 \
    --vcpus=1 \
    --check-cpu \
    --hvm \
    --location=$OSIMG \
    --nographics

with ${VMNAME}.ks being the ks.cfg included from comment #6.

Comment 17 Scott Poore 2015-03-02 17:33:54 UTC
This is the Fedora Release Alpha Criteria that I think applies to this bug:

https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Remote_authentication

Comment 18 Petr Schindler 2015-03-02 17:38:39 UTC
Discussed at today's blocker review meeting [1].

This bug was accepted as Alpha Blocker - This bug is a clear violation of the Alpha criterion: "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain."

http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-02/

Comment 19 Fedora Update System 2015-03-03 23:33:50 UTC
python-blivet-1.0.1-1.fc22, anaconda-22.20.2-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/anaconda-22.20.2-1.fc22,python-blivet-1.0.1-1.fc22

Comment 20 Fedora Update System 2015-03-04 21:08:12 UTC
Package python-blivet-1.0.1-1.fc22, anaconda-22.20.2-1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-blivet-1.0.1-1.fc22 anaconda-22.20.2-1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3110/anaconda-22.20.2-1.fc22,python-blivet-1.0.1-1.fc22
then log in and leave karma (feedback).

Comment 21 Fedora Update System 2015-03-05 00:07:30 UTC
anaconda-22.20.3-1.fc22, python-blivet-1.0.2-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/python-blivet-1.0.2-1.fc22,anaconda-22.20.3-1.fc22

Comment 22 Adam Williamson 2015-03-05 03:27:26 UTC
So the updates previously submitted (#c20 and #c21) were unpushed because of major problems caused by the new python-blivet.

However, looking through the changelogs, nothing in python-blivet 1.0.1 is actually needed to fix an Alpha blocker. The important fixes were in anaconda-22.20.2. Looking through the anaconda 22.20.1 -> 22.20.2 changes, I don't see anything that requires blivet 1.0.1 either.

So I believe all we need for Alpha - currently, at least - is an update containing anaconda-22.20.2-1.fc22 (note: *NOT* 22.20.3) and no blivet update. I have tested a live compose with blivet 1.0 and anaconda 22.20.2 and it worked fine.

If we then find further blockers in anaconda we would have to revert the commits that adjusted to blivet 1.0.1 or create a new branch starting from 22.20.2, and if we found further blockers in blivet we would have to create a branch from 1.0.0. But both of those seem perfectly possible, right?

We don't need any builds-to-obsolete-old-builds or epoch bumps or anything awkward like that.

Comment 23 Fedora Update System 2015-03-05 14:09:07 UTC
anaconda-22.20.2-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/anaconda-22.20.2-1.fc22

Comment 24 Fedora Update System 2015-03-05 17:11:36 UTC
Package anaconda-22.20.2-1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-22.20.2-1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3284/anaconda-22.20.2-1.fc22
then log in and leave karma (feedback).

Comment 25 Scott Poore 2015-03-06 16:38:21 UTC
This looks like it's fixed.

Using same test as above with RC3:

From anaconda.log:
16:21:48,840 INFO anaconda: /sbin/anaconda 22.20.2-1

From program.log:
16:25:29,353 INFO program: Running... realm join --install /mnt/sysimage --verbose --one-time-password=MyPassword example.test
16:25:46,172 INFO program: * Resolving: _ldap._tcp.example.test
16:25:46,177 INFO program: * Performing LDAP DSE lookup on: 192.168.122.201
16:25:46,177 INFO program: * Successfully discovered: example.test
16:25:46,177 INFO program: * Assuming packages are installed
16:25:46,177 INFO program: * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
16:25:46,178 INFO program: Discovery was successful!
16:25:46,178 INFO program: Hostname: fedora0.example.test
16:25:46,178 INFO program: Realm: EXAMPLE.TEST
16:25:46,178 INFO program: DNS Domain: example.test
16:25:46,178 INFO program: IPA Server: vm1.example.test
16:25:46,178 INFO program: BaseDN: dc=example,dc=test
16:25:46,178 INFO program: Synchronizing time with KDC...
16:25:46,179 INFO program: Downloading the CA certificate via HTTP, this is INSECURE
16:25:46,179 INFO program: Successfully retrieved CA cert
16:25:46,179 INFO program: Subject:     CN=Certificate Authority,O=EXAMPLE.TEST
16:25:46,179 INFO program: Issuer:      CN=Certificate Authority,O=EXAMPLE.TEST
16:25:46,179 INFO program: Valid From:  Wed Feb 11 23:46:12 2015 UTC
16:25:46,179 INFO program: Valid Until: Sun Feb 11 23:46:12 2035 UTC
16:25:46,179 INFO program: 
16:25:46,180 INFO program: Enrolled in IPA realm EXAMPLE.TEST
16:25:46,180 INFO program: Created /etc/ipa/default.conf
16:25:46,180 INFO program: New SSSD config will be created
16:25:46,180 INFO program: Configured sudoers in /etc/nsswitch.conf
16:25:46,180 INFO program: Configured /etc/sssd/sssd.conf
16:25:46,180 INFO program: Configured /etc/krb5.conf for IPA realm EXAMPLE.TEST
16:25:46,180 INFO program: trying https://vm1.example.test/ipa/json
16:25:46,181 INFO program: Forwarding 'ping' to json server 'https://vm1.example.test/ipa/json'
16:25:46,181 INFO program: Forwarding 'ca_is_enabled' to json server 'https://vm1.example.test/ipa/json'
16:25:46,181 INFO program: Systemwide CA database updated.
16:25:46,181 INFO program: Added CA certificates to the default NSS database.
16:25:46,181 INFO program: DNS server record set to: fedora0.example.test -> 192.168.122.30
16:25:46,181 INFO program: Forwarding 'host_mod' to json server 'https://vm1.example.test/ipa/json'
16:25:46,181 INFO program: SSSD enabled
16:25:46,182 INFO program: Configured /etc/openldap/ldap.conf
16:25:46,182 INFO program: Unable to find 'admin' user with 'getent passwd admin@example.test'!
16:25:46,182 INFO program: Unable to reliably detect configuration. Check NSS setup manually.
16:25:46,182 INFO program: NTP enabled
16:25:46,182 INFO program: Configured /etc/ssh/ssh_config
16:25:46,182 INFO program: Configured /etc/ssh/sshd_config
16:25:46,182 INFO program: Configuring example.test as NIS domain.
16:25:46,183 INFO program: Client configuration complete.
16:25:46,183 INFO program: 
16:25:46,183 INFO program: * /usr/bin/systemctl enable sssd.service
16:25:46,183 INFO program: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
16:25:46,183 INFO program: Running in chroot, ignoring request.
16:25:46,183 INFO program: * Successfully enrolled machine in realm



[root@fedora0 anaconda]# id admin@example.test
uid=252400000(admin@example.test) gid=252400000(admins@example.test) groups=252400000(admins@example.test)


Looks good.

I'll give karma too.

Comment 26 Fedora Update System 2015-03-07 00:06:00 UTC
anaconda-22.20.2-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.