Red Hat Bugzilla – Bug 739604
ipa-server-install :: failing to configure CA :: restorecon returning 1 when changing context
Last modified: 2011-12-06 13:31:53 EST
Description of problem: IPA server is now failing to install as restorecon returns 1 when changing context and IPA is expecting 0 for success. Unexpected error - see ipaserver-install.log for details: Command '/sbin/restorecon /var/lib/pki-ca/publish' returned non-zero exit status 1 ipa-server-install.log <snip> 2011-09-19 11:36:41,937 DEBUG stderr= 2011-09-19 11:36:42,002 DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t CT,C,C -n TESTRELM IPA CA -a -i /tmp/tmpo5puqh 2011-09-19 11:36:42,003 DEBUG stdout= 2011-09-19 11:36:42,004 DEBUG stderr= 2011-09-19 11:36:42,005 DEBUG duration: 0 seconds 2011-09-19 11:36:42,006 DEBUG [8/17]: fixing RA database permissions 2011-09-19 11:36:42,008 DEBUG duration: 0 seconds 2011-09-19 11:36:42,009 DEBUG [9/17]: setting up signing cert profile 2011-09-19 11:36:42,012 DEBUG duration: 0 seconds 2011-09-19 11:36:42,013 DEBUG [10/17]: set up CRL publishing 2011-09-19 11:36:44,042 DEBUG args=/sbin/restorecon /var/lib/pki-ca/publish 2011-09-19 11:36:44,043 DEBUG stdout= 2011-09-19 11:36:44,044 DEBUG stderr= 2011-09-19 11:36:44,067 DEBUG Command '/sbin/restorecon /var/lib/pki-ca/publish' returned non-zero exit status 1 File "/usr/sbin/ipa-server-install", line 1068, in <module> sys.exit(main()) File "/usr/sbin/ipa-server-install", line 871, in main subject_base=options.subject) File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 544, in configure_instance self.start_creation("Configuring certificate server", 210) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 276, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1047, in __enable_crl_publish ipautil.run(["/sbin/restorecon", publishdir]) File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 242, in run raise CalledProcessError(p.returncode, args) </snip> Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1816
This isn't a regression in IPA code. Dan Walsh tells me that restorecon returns 1 when it changes a context. Not sure if this is something new or if something else changed.
You should probably just ignore the status output from restorecon.
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/1d8a891844ad8505e376c473f42055368ba00767 ipa-2-1: https://fedorahosted.org/freeipa/changeset/7a4295ef1ae1d4e7d51d4c7072102694243873e2
fix verified : <snip> 2011-09-21 10:07:43,622 DEBUG [9/17]: setting up signing cert profile 2011-09-21 10:07:43,623 DEBUG duration: 0 seconds 2011-09-21 10:07:43,623 DEBUG [10/17]: set up CRL publishing 2011-09-21 10:07:43,759 DEBUG args=/sbin/restorecon /var/lib/pki-ca/publish 2011-09-21 10:07:43,759 DEBUG stdout= 2011-09-21 10:07:43,759 DEBUG stderr= 2011-09-21 10:07:43,759 DEBUG duration: 0 seconds 2011-09-21 10:07:43,759 DEBUG [11/17]: set certificate subject base 2011-09-21 10:07:43,761 DEBUG duration: 0 seconds </snip> version: ipa-server-2.1.1-3.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html