2222931 – Under pressure, ipa certificate processing have a hard time

Bug 2222931 - Under pressure, ipa certificate processing have a hard time

Summary: Under pressure, ipa certificate processing have a hard time

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.6
Hardware:	x86_64
OS:	All
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-14 14:01 UTC by David Hill
Modified:	2023-07-19 15:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-10134	None	None	None	2023-07-14 14:04:46 UTC
Red Hat Issue Tracker	RHELPLAN-162388	None	None	None	2023-07-14 14:04:51 UTC
Red Hat Knowledge Base (Solution)	7024687	None	None	None	2023-07-14 14:02:25 UTC

Description David Hill 2023-07-14 14:01:53 UTC

Description of problem:
Under pressure, ipa certificate processing have a hard time:
~~~
[Fri Jul 14 03:55:03.251161 2023] [:error] [pid 14263]     data = read_input(environ)
[Fri Jul 14 03:55:03.251187 2023] [:error] [pid 14263]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 200, in read_input
[Fri Jul 14 03:55:03.251210 2023] [:error] [pid 14263]     return environ['wsgi.input'].read(length).decode('utf-8')
[Fri Jul 14 03:55:03.251227 2023] [:error] [pid 14263] IOError: request data read error
[Fri Jul 14 03:55:03.251482 2023] [:error] [pid 14263] ipa: INFO: [xmlserver] host/compute4.localdomain@LOCALDOMAIN: None: InternalError
~~~

In this case we're resubmitting a couple hundred certificates to the IPA and some of them return CA_UNREACHABLE .   Once the overcloud deployment failed, we restart certmonger on the hosts with failed resubmit and resubmit goes through.

Version-Release number of selected component (if applicable):
RHEL 7.6 / ipa-server-4.6.4-10.el7_6.3.x86_64

How reproducible:
Always but random host each time

Steps to Reproduce:
1. Deploy an overcloud with more than 100 computes
2. Run an overcloud_deploy.sh
3.

Actual results:
Failure to resubmit certs on random hosts

Expected results:
No failures

Additional info:

Comment 4 Rob Crittenden 2023-07-14 14:17:50 UTC

Is the Apache error log available from the IPA server during the failure(s)?

Comment 5 David Hill 2023-07-19 15:36:43 UTC

Yes, we should have sosreports from both IPA servers attached to the case but I'm not a IDM support engineer so my knowledge of where the logs are is pretty limited beside pointing you back to supportshell.

Note You need to log in before you can comment on or make changes to this bug.