freeipa-container: FreeIPA Replica Server Container Exit
Hi,
I am currently playing with a multi-master deployment of FreeIPA version 4.3.1 (CentOS-7 upstream) on separate Docker hosts. The first master container spins up just fine (Host1) and, using an OTP to spin up the replica master container (Host2), the process executes then exits while trying to restart named.
This is a snippet of the install process:
...
Created symlink from /etc/systemd/system/named.service to /dev/null.
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [8/8]: changing resolv.conf to point to ourselves
[8/8]: changing resolv.conf to point to ourselves
ipa : DEBUG Backing up system configuration file '/etc/resolv.conf'
ipa : DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG duration: 0 seconds
ipa : DEBUG Done configuring DNS (named).
Done configuring DNS (named).
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to open /dev/tty: No such device or address
ipa : DEBUG Configuring DNS key synchronization service (ipa-dnskeysyncd)
Configuring DNS key synchronization service (ipa-dnskeysyncd)
ipa : DEBUG [1/7]: checking status
[1/7]: checking status
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldapi://%2fvar%2frun%2fslapd-CENGNLOCAL-CA.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CENGNLOCAL-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0xe553cf8>
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [2/7]: setting up bind-dyndb-ldap working directory
[2/7]: setting up bind-dyndb-ldap working directory
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [3/7]: setting up kerberos principal
[3/7]: setting up kerberos principal
ipa : DEBUG Removing service keytab: /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipa : DEBUG Starting external process
ipa : DEBUG args=kadmin.local -q addprinc -randkey ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA -x ipa-setup-override-restrictions
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=Authenticating as principal host/admin@CENGNLOCAL.CA with password.
Principal "ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA" created.
ipa : DEBUG stderr=WARNING: no policy specified for ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA; defaulting to no policy
ipa : DEBUG Starting external process
ipa : DEBUG args=kadmin.local -q ktadd -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA -x ipa-setup-override-restrictions
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=Authenticating as principal host/admin@CENGNLOCAL.CA with password.
Entry for principal ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/ipa2.cengnlocal.ca@CENGNLOCAL.CA with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
ipa : DEBUG stderr=
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldapi://%2fvar%2frun%2fslapd-CENGNLOCAL-CA.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CENGNLOCAL-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0xe553e60>
ipa : DEBUG duration: 1 seconds
ipa : DEBUG [4/7]: setting up SoftHSM
[4/7]: setting up SoftHSM
ipa : DEBUG Creating /var/lib/ipa/dnssec directory
ipa : DEBUG Creating new softhsm config file
ipa : DEBUG Backing up system configuration file '/etc/sysconfig/named'
ipa : DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Creating tokens /var/lib/ipa/dnssec/tokens directory
ipa : DEBUG Saving user PIN to /var/lib/ipa/dnssec/softhsm_pin
ipa : DEBUG Saving SO PIN to /etc/ipa/dnssec/softhsm_pin_so
ipa : DEBUG Initializing tokens
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=The token has been initialized.
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [5/7]: adding DNSSEC containers
[5/7]: adding DNSSEC containers
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldapi://%2fvar%2frun%2fslapd-CENGNLOCAL-CA.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CENGNLOCAL-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x12e04170>
ipa : INFO DNSSEC container exists (step skipped)
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [6/7]: creating replica keys
[6/7]: creating replica keys
ipa : DEBUG Creating replica's key pair
ipa : DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=cengnlocal,dc=ca
ipa : DEBUG Replica public key stored
ipa : DEBUG Setting CKA_WRAP=False for old replica keys
ipa : DEBUG Changing ownership of token files
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [7/7]: configuring ipa-dnskeysyncd to start on boot
[7/7]: configuring ipa-dnskeysyncd to start on boot
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable ipa-dnskeysyncd.service
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to execute operation: Too many levels of symbolic links
ipa : DEBUG duration: 0 seconds
ipa : DEBUG Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to open /dev/tty: No such device or address
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active ipa-dnskeysyncd.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=active
ipa : DEBUG stderr=
ipa : DEBUG Restarting named
Restarting named
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active named-pkcs11.service
ipa : DEBUG Process finished, return code=3
ipa : DEBUG stdout=unknown
ipa : DEBUG stderr=
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl restart named-pkcs11.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to open /dev/tty: No such device or address
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active named-pkcs11.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=active
ipa : DEBUG stderr=
ipa.ipalib.plugins.dns.dnsconfig_show: DEBUG raw: dnsconfig_show(version=u'2.164')
ipa.ipalib.plugins.dns.dnsconfig_show: DEBUG dnsconfig_show(rights=False, all=False, raw=False, version=u'2.164')
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl enable ipa.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Created symlink from /etc/systemd/system/multi-user.target.wants/ipa.service to /usr/lib/systemd/system/ipa.service.
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl restart ipa.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to open /dev/tty: No such device or address
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active ipa.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=active
ipa : DEBUG stderr=
ipa.ipapython.install.cli.install_tool(Replica): INFO The ipa-replica-install command was successful
incorrect section name: 172.17.0.2
syntax error
cat: /run/ipa/exit_code: No such file or directory
I noticed however that the docker container IP addresses on both hosts are the same but I still encountered the same issue with the replica container on a custom docker bridge network.
I manually started the exited container and checked the FreeIPA services. Snippet below:
[root@ipa2 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
I then restarted all the services and recalled the command and they were all running. Snippet below:
[root@ipa2 /]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@ipa2 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
FreeIPA basic operations (login, replication, etc.) worked fine, but I am still struggling to figure out why the process exited. I would like to think it is Docker specific due to this line:
ipa.ipapython.install.cli.install_tool(Replica): INFO The ipa-replica-install command was successful
Any help to shed more light on this would be very much appreciated.
Thanks
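The install log above ends with "The ipa-replica-install command was successful" even though one external command failed (systemctl disable returned 1 with "Too many levels of symbolic links") and two services were left STOPPED. The following is an added example, not code from the freeipa-container project or from the poster: a small post-install checker that parses the ipa debug log format shown in the issue for non-zero return codes (keeping the stderr lines that follow them) and parses `ipactl status` output for STOPPED services. The sample log and status text embedded below are constructed from lines in this issue; the function names are my own.

```python
"""Post-install health checks for a FreeIPA replica container (added example).

Reads two inputs in the formats shown in the issue: the ipa-replica-install
debug log ("ipa : DEBUG args=...", "... return code=N", "... stderr=...") and
the output of `ipactl status`.  The final "command was successful" line does
not tell you about failed helper commands or stopped services; these do.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ARGS_RE = re.compile(r"ipa\s*:\s*DEBUG\s+args=(.*)")
RC_RE = re.compile(r"ipa\s*:\s*DEBUG\s+Process finished, return code=(\d+)")
STDERR_RE = re.compile(r"ipa\s*:\s*DEBUG\s+stderr=(.*)")
STATUS_RE = re.compile(r"^(\S+) Service: (RUNNING|STOPPED)$")


@dataclass
class FailedCommand:
    args: str
    return_code: int
    stderr: list[str] = field(default_factory=list)

    @property
    def probe(self) -> bool:
        # `systemctl is-active` legitimately returns non-zero when a unit is
        # not active, so treat it as a status probe rather than a failure.
        return " is-active " in f" {self.args} "


def failed_external_commands(log_text: str) -> list[FailedCommand]:
    """Return every external process the installer ran that exited non-zero.

    Continuation lines after "stderr=" (lines not starting with the "ipa"
    logger prefix) are attached to the preceding command.
    """
    failures: list[FailedCommand] = []
    current_args: str | None = None
    current: FailedCommand | None = None
    collecting_stderr = False
    for line in log_text.splitlines():
        if m := ARGS_RE.search(line):
            current_args, current, collecting_stderr = m.group(1).strip(), None, False
            continue
        if m := RC_RE.search(line):
            rc = int(m.group(1))
            collecting_stderr = False
            current = None
            if rc != 0 and current_args is not None:
                current = FailedCommand(current_args, rc)
                failures.append(current)
            continue
        if m := STDERR_RE.search(line):
            collecting_stderr = current is not None
            if current is not None and m.group(1).strip():
                current.stderr.append(m.group(1).strip())
            continue
        if collecting_stderr and current is not None:
            if line.startswith("ipa"):   # next logger line ends the stderr block
                collecting_stderr = False
            else:
                current.stderr.append(line.strip())
    return failures


def stopped_services(status_text: str) -> list[str]:
    """Return service names reported as STOPPED by `ipactl status`."""
    matches = (STATUS_RE.match(line.strip()) for line in status_text.splitlines())
    return [m.group(1) for m in matches if m and m.group(2) == "STOPPED"]


def replica_healthy(log_text: str, status_text: str) -> bool:
    """True only if no real helper command failed and nothing is STOPPED."""
    real_failures = [f for f in failed_external_commands(log_text) if not f.probe]
    return not real_failures and not stopped_services(status_text)


# Constructed sample input, taken from the log and status lines in the issue.
INSTALL_LOG = """\
ipa : DEBUG [7/7]: configuring ipa-dnskeysyncd to start on boot
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable ipa-dnskeysyncd.service
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to execute operation: Too many levels of symbolic links
ipa : DEBUG duration: 0 seconds
Restarting ipa-dnskeysyncd
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Failed to open /dev/tty: No such device or address
Failed to open /dev/tty: No such device or address
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active named-pkcs11.service
ipa : DEBUG Process finished, return code=3
ipa : DEBUG stdout=unknown
ipa : DEBUG stderr=
ipa.ipapython.install.cli.install_tool(Replica): INFO The ipa-replica-install command was successful
"""

STATUS_BEFORE = """\
[root@ipa2 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
"""

if __name__ == "__main__":
    for f in failed_external_commands(INSTALL_LOG):
        kind = "probe" if f.probe else "FAILED"
        print(f"{kind}: rc={f.return_code} {f.args}")
        for err in f.stderr:
            print(f"    stderr: {err}")
    print("stopped:", stopped_services(STATUS_BEFORE))
    print("healthy:", replica_healthy(INSTALL_LOG, STATUS_BEFORE))
```

Run against the constructed sample, the checker reports the `systemctl disable` failure with both of its stderr lines, classifies the `is-active` return code 3 as a probe rather than a failure, lists ipa-otpd and ipa-dnskeysyncd as stopped, and returns unhealthy; after the `ipactl restart` shown later in the post, the same status parser would return an empty list.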
About this issue
- State: closed
- Created 8 years ago
- Comments: 23 (3 by maintainers)
The IPA_SERVER_IP is really only used to put in some specific value to DNS when the IPA server is running DNS server, which is only after the replica was established. We’d need someone from the FreeIPA team to figure out if it’s correct that the --ip-address 192.168.233.11 option that you use on the replica to define “its” IP address to be the IP address of the host does not seem to be used during replication setup. @Tiboris, would you please check what is the behaviour of FreeIPA replicas on the host (no containers) for example in Amazon’s AWS? If you have master outside of AWS and want to setup replica in AWS where the host obviously only sees its own IP addresses and you pass --ip-address ... with the public address of the AWS machine, will the replication work?