Hide Forgot
Description of problem: Execution of ipa_server_install (per instructions at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html) results in an error starting ipa_memcached. Version-Release number of selected component (if applicable): How reproducible: very. ran the same on another server with the same results. Steps to Reproduce: 1. yum install ipa-server ipa-server-dns 2. ipa-server-install Actual results: Configuring ipa_memcached [1/2]: starting ipa_memcached [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa_memcached.service'' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(Server): ERROR Command ''/bin/systemctl' 'restart' 'ipa_memcached.service'' returned non-zero exit status 1 Expected results: installation complete? Additional info: # systemctl -l status ipa_memcached ● ipa_memcached.service - IPA memcached daemon, increases IPA server performance Loaded: loaded (/usr/lib/systemd/system/ipa_memcached.service; disabled; vendor preset: disabled) Active: failed (Result: resources) since Wed 2016-09-07 14:04:13 CDT; 1h 33min ago Process: 13533 ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS (code=exited, status=0/SUCCESS) Sep 07 14:04:13 hostname systemd[1]: Starting IPA memcached daemon, increases IPA server performance... Sep 07 14:04:13 hostname systemd[1]: PID file /var/run/ipa_memcached/ipa_memcached.pid not readable (yet?) after start. Sep 07 14:04:13 hostname systemd[1]: Failed to start IPA memcached daemon, increases IPA server performance. Sep 07 14:04:13 hostname systemd[1]: Unit ipa_memcached.service entered failed state. Sep 07 14:04:13 hostname systemd[1]: ipa_memcached.service failed. Also, no documented info on what to do if this fails. Do I just re-run ipa-server-install?
This issue is not common. It may be just temporal glitch. First try uninstallation of this failed installation and re-run ipa-server-install ipa-server-install --uninstall If it will fail again then please attach /var/log/ipaserver-install.log (you may obfuscate info there) and releavant journal log: journalctl -u ipa_memcached.service
Created attachment 1199139 [details] ipa install log file This is the log from the attempted re-install.
Uninstall resulted in errors, as well: # ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure? [no]: y WARNING: Failed to connect to Directory Server to find information about replication agreements. Uninstallation will continue despite the possible existing replication agreements. Shutting down all IPA services Removing IPA client configuration Unconfiguring ntpd Configuring certmonger to stop tracking system certificates for KRA Configuring certmonger to stop tracking system certificates for CA Unconfiguring CA ipa : ERROR 'getpwnam(): name not found: apache' I continued on with the re-install, despite this, but didn't get very far: # ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system. If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
Bot issues are probably connected with httpd Could you attache relevant part of /var/log/httpd/error_log And if there is anything in: # journalctl -u httpd.service Sometimes running the uninstaller again helps.
Also, does apache user exist? Was there any custom changes done on the machine related to Apache(httpd) configuration? e.g. any other "web application present?"? Are there any SELinux AVCs? # ausearch -m AVC
No apache user, no httpd logs, and journalctl -u httpd.service output was just this: # journalctl -u httpd.service -- Logs begin at Wed 2016-09-07 15:44:02 CDT, end at Thu 2016-09-08 10:01:01 CDT. -- This was originally a fresh install of the OS. Attempted execution of the uninstaller resulted in identical behavior.
Absence of apache user is probably the cause of the IPA's issues. Question is what caused it.
Apache group and user can be added by: /usr/sbin/groupadd -g 48 -r apache /usr/sbin/useradd -c "Apache" -u 48 -g 48 -s /sbin/nologin -r -d /usr/share/httpd apache But it may uncover just another issue caused by the root cause(possibly not IPA issue) - and at that state the system might be unreliable or it would more thorough analysis which is not possible to do here. It may be better and easier to get fresh OS, fully upgrade it and try again.
I did a yum erase httpd, which also removed ipa-server et. al. I then did a yum install ipa-server ipa-server-dns, which also installed httpd. Installation of httpd put apache user back local. Looks like the uninstall script needs some debugging when it gets into this situation. I then tried to run the ipa-server-install again, but it complained that it was already installed: The log file for this installation can be found in /var/log/ipaserver-install.log ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system. If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'. I then ran the uninstaller again, and it sat at this point for > 30 minutes: # ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure? [no]: y WARNING: Failed to connect to Directory Server to find information about replication agreements. Uninstallation will continue despite the possible existing replication agreements. Shutting down all IPA services Removing IPA client configuration Configuring certmonger to stop tracking system certificates for KRA Configuring certmonger to stop tracking system certificates for CA Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server ipa : ERROR Instance removal failed. ipa : ERROR Failed to remove DS instance. You may need to remove instance data manually Unconfiguring ipa_memcached I pressed on, re-running the install. It took a long time to get through the ds creation, but appears to have succeeded. I have 14 additional installations of ipa to do to complete our deployment. If all are as convoluted as this, we will seek out another solution.
It would be nice to check this situation but given that IdM/IPA is an integration solution which puts together number of various services which require various accounts and have quite a lot of other assumptions, it doesn't make much sense - IPA installer/uninstaller would need to verify "half" of the OS. From that reason, IPA installer tries to validate only variables provided by user or expected to be changed. Or other common issues. Given that it works for you now, and we don't know what cause it, and assuming that we cannot investigate the root cause(time costly for you), I'm closing this bug.