Bug 1353631 - Running ipa-server-install named error
Summary: Running ipa-server-install named error
Keywords:
Status: CLOSED DUPLICATE of bug 1350957
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-07 15:33 UTC by Tibor Dudlák
Modified: 2016-07-08 14:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-08 11:30:17 UTC
Target Upstream Version:
Embargoed:

Description Tibor Dudlák 2016-07-07 15:33:35 UTC
Description of problem:
Can not install ipa-server, ends with error.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-1.el7.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. ipa-server-install


Actual results:

Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: starting BIND 9.9.4-RedHat-9.9.4-36.el7 -u named
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: ----------------------------------------------------
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: BIND 9 is maintained by Internet Systems Consortium,
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: corporation.  Support and training for BIND 9 are
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: available at https://www.isc.org/support
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: ----------------------------------------------------
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: adjusted limit on open files from 4096 to 1048576
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: found 8 CPUs, using 8 worker threads
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: using 8 UDP listeners per interface
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: using up to 4096 sockets
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: SoftHSM.cpp(476): Could not load the object store
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: initializing DST: PKCS#11 initialization failed
Jul 07 01:33:54 qe-blade-06.testrelm.test named-pkcs11[22147]: exiting (due to fatal error)
Jul 07 01:33:54 qe-blade-06.testrelm.test systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jul 07 01:33:54 qe-blade-06.testrelm.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 07 01:33:54 qe-blade-06.testrelm.test systemd[1]: Unit named-pkcs11.service entered failed state.
Jul 07 01:33:54 qe-blade-06.testrelm.test systemd[1]: named-pkcs11.service failed.
Jul 07 01:33:54 qe-blade-06.testrelm.test systemd[1]: Reached target Host and Network Name Lookups.
Jul 07 01:33:54 qe-blade-06.testrelm.test systemd[1]: Starting Host and Network Name Lookups.

Expected results:
No errors.

Additional info:

Comment 2 Jan Pazdziora (Red Hat) 2016-07-07 15:37:44 UTC
Output from comment 0 is from the journal; on the terminal, the output is along the lines of:

Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa         : ERROR    Named service failed to start (Command '/bin/systemctl restart named-pkcs11.service' returned non-zero exit status 1)
named service failed to start
Updating DNS system records
ipa         : ERROR    DNS query for qe-blade-12.testrelm.test. 1 failed: The DNS operation timed out after 30.0008788109 seconds
ipa         : ERROR    DNS query for qe-blade-12.testrelm.test. 1 failed: The DNS operation timed out after 30.0003278255 seconds
ipa         : ERROR    DNS query for qe-blade-12.testrelm.test. 1 failed: The DNS operation timed out after 30.000426054 seconds
ipa         : ERROR    DNS query for qe-blade-12.testrelm.test. 1 failed: The DNS operation timed out after 30.0010049343 seconds
ipa         : ERROR    unable to resolve host name qe-blade-12.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
Restarting the web server

Comment 5 Petr Spacek 2016-07-08 08:08:00 UTC
This is very likely caused by SELinux policy. Feel free to re-open if it does not work even in permissive mode.

*** This bug has been marked as a duplicate of bug 1350957 ***

Comment 6 Jan Pazdziora (Red Hat) 2016-07-08 08:38:07 UTC
The AVC denials that we see here are about dogtag-ipa-ca-r, certmonger_t, and log and not about named-pkcs11, named_t, and tokens as listed in bug 1350957. Also, in bug 1350957, ipa-server-install presumably passed because that bug is about ipactl start. Here we are not even able to get the IPA server configured.

So I'm not sure this should be closed as duplicate without investigating that it really is a dupe. Therefore, reopening.

Comment 7 Petr Spacek 2016-07-08 10:30:55 UTC
Okay then, please provide exact steps including command line options / answers for interactive mode you used for installation + version of selinux policy you have installed.

Thanks.

Comment 8 Petr Spacek 2016-07-08 11:30:17 UTC
I've wasted some time on this and it is really a dupe as mentioned in comment #5.

Parameters I used:

DEBUG ipa-server-install was invoked with arguments [] and options: {'no_dns_sshfp': None, 'ignore_topology_disconnect': None, 'verbose': False, 'ip_addresses': None, 'domainlevel': None, 'mkhomedir': None, 'http_cert_files': None, 'no_ntp': None, 'reverse_zones': None, 'no_forwarders': None, 'external_ca_type': None, 'ssh_trust_dns': None, 'domain_name': 'dom-040.abc.idm.lab.eng.brq.redhat.com', 'idmax': None, 'http_cert_name': None, 'dirsrv_cert_files': None, 'no_dnssec_validation': None, 'ca_signing_algorithm': None, 'no_reverse': None, 'subject': None, 'unattended': True, 'auto_reverse': None, 'auto_forwarders': True, 'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None, 'ignore_last_of_role': None, 'realm_name': 'DOM-040.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', 'forwarders': None, 'idstart': None, 'external_ca': None, 'no_ssh': None, 'external_cert_files': None, 'no_hbac_allow': None, 'forward_policy': None, 'dirsrv_cert_name': None, 'ca_cert_files': None, 'zonemgr': None, 'quiet': False, 'setup_dns': True, 'host_name': None, 'dirsrv_config_file': None, 'log_file': None, 'allow_zone_overlap': None, 'uninstall': False}

The error in console is the very same (as long as --setup-dns is used).
The installation finished in exactly same manner as it did in bug description.
It works when I switch system to permissive mode.

My audit.log from permissive mode contains this:

type=AVC msg=audit(1467976092.551:664): avc:  denied  { read } for  pid=21031 comm="named-pkcs11" name="tokens" dev="dm-0" ino=8968869 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1467976092.551:665): avc:  denied  { read write } for  pid=21031 comm="named-pkcs11" name="generation" dev="dm-0" ino=17388914 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976092.551:665): avc:  denied  { open } for  pid=21031 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/e44b3d63-08ff-e576-3086-6c51eec6bea8/generation" dev="dm-0" ino=17388914 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976092.551:666): avc:  denied  { lock } for  pid=21031 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/e44b3d63-08ff-e576-3086-6c51eec6bea8/generation" dev="dm-0" ino=17388914 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976092.551:667): avc:  denied  { getattr } for  pid=21031 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/e44b3d63-08ff-e576-3086-6c51eec6bea8/generation" dev="dm-0" ino=17388914 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file

This is consistent with bug 1350957. 

# rpm -q ipa-server selinux-policy softhsm
ipa-server-4.4.0-1.el7.x86_64
selinux-policy-3.13.1-85.el7.noarch
softhsm-2.1.0-2.el7.x86_64

Right now I'm convinced that this is a dupe. If you manage to reproduce it in some other way feel free to re-open and provide additional data.

*** This bug has been marked as a duplicate of bug 1350957 ***
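
As an added example (not code from this bug or from the IPA project), a small Python parser that summarises AVC records like the audit.log excerpt above per (source type, target type, object class), the same grouping audit2allow uses, and flags the named_t to ipa_var_lib_t pattern this report shares with bug 1350957. The sample records are constructed in the shape of the excerpt above; the certmonger_t line is a constructed stand-in for the unrelated denials mentioned in comment 6.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the audit.log excerpt in this bug
# (dev/ino fields dropped); the last line is a constructed unrelated denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1467976092.551:664): avc:  denied  { read } for  pid=21031 comm="named-pkcs11" name="tokens" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1467976092.551:665): avc:  denied  { read write } for  pid=21031 comm="named-pkcs11" name="generation" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976092.551:665): avc:  denied  { open } for  pid=21031 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/e44b3d63-08ff-e576-3086-6c51eec6bea8/generation" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976092.551:666): avc:  denied  { lock } for  pid=21031 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/e44b3d63-08ff-e576-3086-6c51eec6bea8/generation" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976092.551:667): avc:  denied  { getattr } for  pid=21031 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/e44b3d63-08ff-e576-3086-6c51eec6bea8/generation" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467976100.000:700): avc:  denied  { write } for  pid=21099 comm="certmonger" name="log" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "result")}
    rec["perms"] = set(m.group("perms").split())
    # The remainder is key=value or key="quoted value" pairs.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec

def summarize_denials(text):
    """Union of denied permissions per (source type, target type, tclass)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = rec["tcontext"].split(":")[2]
        summary[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return dict(summary)

def matches_bug_1350957(summary):
    """True when named_t is denied access to ipa_var_lib_t (the SoftHSM token store)."""
    return any(s == "named_t" and t == "ipa_var_lib_t" for (s, t, _cls) in summary)
```

Run against a real audit.log the same way; a match says the named-pkcs11 start failure is the policy problem from bug 1350957 rather than a broken token directory.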

Comment 10 Petr Spacek 2016-07-08 12:17:39 UTC
The original command was:

:: [  BEGIN   ] :: Running ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.16.36.29 --hostname=qe-blade-12.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 --ip-address=10.19.34.82 -U'

Anyway, everything seems like the dupe.

Comment 11 Scott Poore 2016-07-08 14:47:09 UTC
I apologize for any confusion about how I worded bug #1350957

This does look the same as that one to me.  I saw the same ipa-server-install failure.  I was just isolating the description to the easiest thing to show the AVC denials.  I mention in the description that it failed but never showed that.  At the time I didn't think it was necessary to show the full ipa-server-install output since I was filing an selinux-policy bug.  However, it did look like this.  So, I do believe this is a dup of the AVC denial one.  If you're seeing different AVC denials, maybe those should be added to the selinux bug?
