Bug 818448 - 389-ds-base fails to start with latest(as of 2-May-2012) development repo resulting in ipa-server config failure
389-ds-base fails to start with latest(as of 2-May-2012) development repo res...
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: ipa (Show other bugs)
16
Unspecified Linux
unspecified Severity high
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-03 02:29 EDT by Kashyap Chamarthy
Modified: 2012-06-18 10:51 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-18 10:51:46 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kashyap Chamarthy 2012-05-03 02:29:33 EDT
With development repo:
=============================
[root@regular-guest ~]# rpm -q freeipa-server pki-silent pki-ca 389-ds-base
freeipa-server-2.1.90.rc1-0.fc16.x86_64
pki-silent-9.0.19-1.fc16.noarch
pki-ca-9.0.19-1.fc16.noarch
389-ds-base-1.2.10.6-1.fc16.x86_64
=============================

Running the ipa-server-install 


==============
 ipa-server-install --setup-dns --forwarder=10.x.y.z -r FOO.BAR.COM -p testpwd
-P testpwd -a testpwd -U
.
.
.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa         : CRITICAL failed to restart ds instance Command
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpElBwGd' returned
non-zero exit status 1
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the
installation log for details.
==============

=> Attempting to start dirsrv manually <=
==============
[root@regular-guest slapd-PKI-IPA]# service dirsrv@PKI-IPA.service start
Redirecting to /bin/systemctl  start dirsrv@PKI-IPA.service.service
Job failed. See system logs and 'systemctl status' for details.
==============
[root@regular-guest slapd-PKI-IPA]# service dirsrv@PKI-IPA.service status
Redirecting to /bin/systemctl  status dirsrv@PKI-IPA.service.service
dirsrv@PKI-IPA.service.service - 389 Directory Server PKI-IPA.service.
	  Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
	  Active: failed
	  CGroup: name=systemd:/system/dirsrv@.service/PKI-IPA.service

[root@regular-guest slapd-PKI-IPA]# 
==============



=> Log Info from dirsrv: <=
==============
[root@regular-guest slapd-PKI-IPA]# ls
access  access.rotationinfo  audit  audit.rotationinfo  errors  errors.rotationinfo
==============
[root@regular-guest slapd-PKI-IPA]# tail errors
[02/May/2012:04:46:03 -0400] - slapd shutting down - closing down internal subsystems and plugins
[02/May/2012:04:46:03 -0400] - Waiting for 4 database threads to stop
[02/May/2012:04:46:03 -0400] - All database threads now stopped
[02/May/2012:04:46:03 -0400] - slapd stopped.
[02/May/2012:05:02:24 -0400] - Shutting down due to possible conflicts with other slapd processes
[02/May/2012:05:02:25 -0400] - Shutting down due to possible conflicts with other slapd processes
[02/May/2012:05:02:39 -0400] - Shutting down due to possible conflicts with other slapd processes
[02/May/2012:05:04:15 -0400] - Shutting down due to possible conflicts with other slapd processes
[02/May/2012:05:04:16 -0400] - Shutting down due to possible conflicts with other slapd processes
[03/May/2012:02:10:02 -0400] - Shutting down due to possible conflicts with other slapd processes
==============
[root@regular-guest slapd-PKI-IPA]# ps -ef | grep -i slapd
root     30048 29891  0 02:11 pts/0    00:00:00 grep --color=auto -i slapd
[root@regular-guest slapd-PKI-IPA]# 
==============


=> Log info from ipaserver <=
==============
[root@regular-guest slapd-PKI-IPA]# tail -20 /var/log/ipaserver-install.log
2012-05-02T09:04:15Z DEBUG args=/bin/systemctl --system daemon-reload
2012-05-02T09:04:15Z DEBUG stdout=
2012-05-02T09:04:15Z DEBUG stderr=
2012-05-02T09:04:15Z DEBUG args=/usr/sbin/selinuxenabled
2012-05-02T09:04:15Z DEBUG stdout=
2012-05-02T09:04:15Z DEBUG stderr=
2012-05-02T09:04:15Z DEBUG args=/sbin/restorecon /etc/sysconfig/dirsrv.systemd
2012-05-02T09:04:15Z DEBUG stdout=
2012-05-02T09:04:15Z DEBUG stderr=
2012-05-02T09:04:16Z DEBUG args=/bin/systemctl --system daemon-reload
2012-05-02T09:04:16Z DEBUG stdout=
2012-05-02T09:04:16Z DEBUG stderr=
2012-05-02T09:04:16Z DEBUG args=/bin/systemctl restart dirsrv@PKI-IPA.service
2012-05-02T09:04:16Z DEBUG stdout=
2012-05-02T09:04:16Z DEBUG stderr=
2012-05-02T09:04:16Z DEBUG args=/bin/systemctl is-active dirsrv@PKI-IPA.service
2012-05-02T09:04:16Z DEBUG stdout=deactivating

2012-05-02T09:04:16Z DEBUG stderr=
2012-05-02T09:04:16Z CRITICAL Failed to restart the directory server. See the installation log for details.
[root@regular-guest slapd-PKI-IPA]# 
==============
Comment 1 Nathan Kinder 2012-05-11 16:55:31 EDT
Could you try this with 389-ds-base-1.2.10.8 from updates-testing?  If it solves the issue for you, please provide karma in Bodhi.
Comment 2 Nathan Kinder 2012-05-11 17:11:03 EDT
Actually, the errors log messages make it look like there could be a left over lock file from a previous install.  Was this a truly clean system, or were you performing a new IPA install on a system that you had IPA installed on in the past?

You can check what files you have in the following locations?:

/var/run/dirsrv
/var/lock/dirsrv/slapd-PKI-IPA/server
/var/lock/dirsrv/slapd-PKI-IPA/exports
/var/lock/dirsrv/slapd-PKI-IPA/imports
Comment 3 Kashyap Chamarthy 2012-05-16 07:15:35 EDT
Nathan,

Yes, it was truly clean system when I tried first.

However, now, dirsrv seems to start just fine with the below versions, but there is a different issue of CA config failing (being handled in a different bz(818123)

Here is the version info:

[root@regular-guest export]# rpm -q 389-ds-base pki-ca pki-selinux freeipa-server
389-ds-base-1.2.10.8-1.fc16.x86_64
pki-ca-9.0.20-1.fc16.noarch
pki-selinux-9.0.20-1.fc16.noarch
freeipa-server-2.1.90.rc1-0.fc16.x86_64
[root@regular-guest export]# 


===============================
[root@regular-guest export]# ls /var/run/dirsrv/
slapd-PKI-IPA.pid  slapd-PKI-IPA.startpid  slapd-PKI-IPA.stats
[root@regular-guest export]# ls /var/loc
local/ lock/  
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/
exports  imports  server
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/server/
18516
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/exports/
[root@regular-guest export]# ls /var/lock/dirsrv/slapd-PKI-IPA/imports/
[root@regular-guest export]# 
===============================

[root@regular-guest dirsrv]#ipa-server-install --setup-dns --no-forwarders -r
ENGLAB.PNQ.TEST.COM -p testpwd -P testpwd -a testpwd -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host regular-guest.englab.pnq.redhat.com
The domain name has been calculated based on the host name.

Using reverse zone 201.65.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      regular-guest.englab.pnq.redhat.com
IP address:    10.65.201.202
Domain name:   englab.pnq.redhat.com
Realm name:    ENGLAB.PNQ.TEST.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  201.65.10.in-addr.arpa.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'regular-guest.englab.pnq.redhat.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-t8gRZ4' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'HyE1i9gtNi3fp64ClH7K' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=ENGLAB.PNQ.TEST.COM' '-ldap_host' 'regular-guest.englab.pnq.redhat.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=ENGLAB.PNQ.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=ENGLAB.PNQ.TEST.COM' '-ca_server_cert_subject_name' 'CN=regular-guest.englab.pnq.redhat.com,O=ENGLAB.PNQ.TEST.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ENGLAB.PNQ.TEST.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ENGLAB.PNQ.TEST.COM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed
[root@regular-guest dirsrv]# pwd
/etc/dirsrv
[root@regular-guest dirsrv]# cd /var/log/dirsrv/slapd-PKI-IPA/
[root@regular-guest slapd-PKI-IPA]# ls
access  access.rotationinfo  audit  audit.rotationinfo  errors  errors.rotationinfo
[root@regular-guest slapd-PKI-IPA]# tail errors
[16/May/2012:06:16:23 -0400] - I'm resizing my cache now...cache was 1658949632 and is now 8000000
[16/May/2012:06:16:24 -0400] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[16/May/2012:06:16:25 -0400] - slapd shutting down - signaling operation threads
[16/May/2012:06:16:25 -0400] - slapd shutting down - waiting for 29 threads to terminate
[16/May/2012:06:16:25 -0400] - slapd shutting down - closing down internal subsystems and plugins
[16/May/2012:06:16:25 -0400] - Waiting for 4 database threads to stop
[16/May/2012:06:16:26 -0400] - All database threads now stopped
[16/May/2012:06:16:26 -0400] - slapd stopped.
[16/May/2012:06:16:27 -0400] - 389-Directory/1.2.10.8 B2012.124.1454 starting up
[16/May/2012:06:16:27 -0400] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
'[root@regular-guest slapd-PKI-IPA]#
==============================================================================
Comment 4 Nathan Kinder 2012-05-16 14:06:55 EDT
The CA issue is definitely something different.  In the DS code, the only reasons for getting the error mentioned in this bug report is if a lock file already exists, or if we are unable to access it (directory doesn't exist, permissions, etc.).

Since this is not currently reproducible, I propose that we close this and re-open it if you encounter the issue again.  If the issue is reproduced, I'd like the system left in the failure state so we can see why the issue is occurring.  Does this sound OK with you?
Comment 5 Rob Crittenden 2012-05-22 10:40:01 EDT
IPA 2.2.0 isn't going to be supported in Fedora 16, the server anyway, so I'd try to reproduce this on F-17 using the final 2.2.0 release instead of the beta.

The dogtag installer changed so that pki-ca >= 9.0.18 no longer works with the beta code.
Comment 6 Rob Crittenden 2012-06-07 09:00:34 EDT
Can you try reproducing this with 2.2.0? I'm inclined to close this as notabug.
Comment 7 Nathan Kinder 2012-06-18 10:51:46 EDT
CLosign this as WORKSFORME.  Please reopen it if there is still an issue.

Note You need to log in before you can comment on or make changes to this bug.