freeipa-container: Services do not come up after restarting container (after successful installation)
Hi,
I am trying to install the latest version of freeipa-container (fedora-25) on my docker host (17.03.0-ce); previous versions have been running without any problems.
[setup@spark ~]$ uname -a
Linux spark.example.com 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
I installed freeipa-container using the following command:
docker run --name freeipa -it \
--security-opt seccomp=unconfined \
--hostname ipa.example.com \
--volume /data/DockerAppData/freeipa:/data \
--volume /etc/localtime:/etc/localtime:ro \
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
--cap-add SYS_ADMIN \
--cap-add SYS_TIME \
--publish 192.168.134.2:80:80 \
--publish 192.168.134.2:443:443 \
--publish 192.168.134.2:389:389 \
--publish 192.168.134.2:636:636 \
--publish 192.168.134.2:88:88 \
--publish 192.168.134.2:464:464 \
--publish 192.168.134.2:53:53 \
--publish 192.168.134.2:88:88/udp \
--publish 192.168.134.2:464:464/udp \
--publish 192.168.134.2:53:53/udp \
--publish 192.168.134.2:123:123/udp \
--publish 192.168.134.2:135:135 \
--publish 192.168.134.2:138:138 \
--publish 192.168.134.2:139:139 \
--publish 192.168.134.2:445:445 \
--publish 192.168.134.2:1024:1024 \
--publish 192.168.134.2:138:138/udp \
--publish 192.168.134.2:139:139/udp \
--publish 192.168.134.2:389:389/udp \
--publish 192.168.134.2:445:445/udp \
--env container=docker \
--memory 2048M \
--memory-swap 2048M \
adelton/freeipa-server:fedora-25
Installation is successful and I can enroll machines into the domain. After removing and restarting the container, services fail to start. The command I use to start the container is exactly the same as above, except I replaced -it with -d.
Before restarting the container (after successful install), this is what I get:
[root@example /]# systemctl status named-pkcs11 -l
* named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; bad; vendor preset: disabled)
Active: active (running) since Mon 2017-05-15 21:29:23 CEST; 24min ago
Main PID: 3209 (named-pkcs11)
Tasks: 8 (limit: 4915)
CGroup: /docker/1eefcc4903b2bc5db92d90c2e43fdf3860e0620aec84d83c676e0488a1303a27/system.slice/named-pkcs11.service
`-3209 /usr/sbin/named-pkcs11 -u named
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-235.awsdns-29.com/A/IN': 2600:9000:5304:9d00::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-235.awsdns-29.com/A/IN': 2600:9000:5306:dd00::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-418.awsdns-52.com/AAAA/IN': 2600:9000:5300:3500::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-418.awsdns-52.com/AAAA/IN': 2600:9000:5304:b400::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-418.awsdns-52.com/AAAA/IN': 2600:9000:5302:7400::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-1306.awsdns-35.org/A/IN': 2600:9000:5304:2600::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-1306.awsdns-35.org/A/IN': 2600:9000:5300:a300::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-1414.awsdns-48.org/A/IN': 2600:9000:5300:b000::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-1414.awsdns-48.org/A/IN': 2600:9000:5302:f200::1#53
May 15 21:53:18 example.com named-pkcs11[3209]: network unreachable resolving 'ns-1414.awsdns-48.org/A/IN': 2600:9000:5304:3300::1#53
[root@example /]# netstat -tulpn | wc -l
32
[root@example /]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 2137/kadmind
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 2137/kadmind
tcp 0 0 192.168.136.4:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2833/krb5kdc
tcp6 0 0 :::8443 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN 3238/httpd
tcp6 0 0 :::636 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 :::389 :::* LISTEN -
tcp6 0 0 127.0.0.1:8009 :::* LISTEN -
tcp6 0 0 :::749 :::* LISTEN 2137/kadmind
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::464 :::* LISTEN 2137/kadmind
tcp6 0 0 :::80 :::* LISTEN 3238/httpd
tcp6 0 0 :::53 :::* LISTEN -
tcp6 0 0 :::88 :::* LISTEN 2833/krb5kdc
udp 0 0 192.168.136.4:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:88 0.0.0.0:* 2833/krb5kdc
udp 0 0 192.168.136.4:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
udp 0 0 0.0.0.0:464 0.0.0.0:* 2137/kadmind
udp6 0 0 :::53 :::* -
udp6 0 0 :::88 :::* 2833/krb5kdc
udp6 0 0 fe80::42:c0ff:fea8::123 :::* -
udp6 0 0 ::1:123 :::* -
udp6 0 0 :::123 :::* -
udp6 0 0 :::464 :::* 2137/kadmind
After restarting the container, it looks like it’s trying to start all services but it fails after a while:
[root@example /]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
Trying to ignore failures gives:
[root@example /]# ipactl --ignore-service-failures start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Forced start, ignoring named Service, continuing normal operation
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
And BIND fails with the following:
[root@example /]# systemctl status named-pkcs11 -l
* named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; bad; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2017-05-15 21:57:05 CEST; 9s ago
Process: 422 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
Process: 420 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
May 15 21:56:25 example.com named-pkcs11[428]: option 'serial_autoincrement' is not supported, ignoring
May 15 21:56:45 example.com named-pkcs11[428]: GSSAPI client step 1
May 15 21:56:45 example.com named-pkcs11[428]: GSSAPI client step 1
May 15 21:57:05 example.com named-pkcs11[428]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/example.com@EXAMPLE.COM not found in Kerberos database)
May 15 21:57:05 example.com named-pkcs11[428]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/example.com@EXAMPLE.COM not found in Kerberos database): bind to LDAP server failed
May 15 21:57:05 example.com named-pkcs11[428]: couldn't establish connection in LDAP connection pool: failure
May 15 21:57:05 example.com systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
May 15 21:57:05 example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
May 15 21:57:05 example.com systemd[1]: named-pkcs11.service: Unit entered failed state.
May 15 21:57:05 example.com systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
All other services look fine to me.
[root@example /]# netstat -tulpn | wc -l
26
[root@example /]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 725/kadmind
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 725/kadmind
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 717/krb5kdc
tcp6 0 0 :::8443 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN 761/httpd
tcp6 0 0 :::636 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 :::389 :::* LISTEN -
tcp6 0 0 127.0.0.1:8009 :::* LISTEN -
tcp6 0 0 :::749 :::* LISTEN 725/kadmind
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::464 :::* LISTEN 725/kadmind
tcp6 0 0 :::80 :::* LISTEN 761/httpd
tcp6 0 0 :::88 :::* LISTEN 717/krb5kdc
udp 0 0 0.0.0.0:88 0.0.0.0:* 717/krb5kdc
udp 0 0 192.168.136.4:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
udp 0 0 0.0.0.0:464 0.0.0.0:* 725/kadmind
udp6 0 0 :::88 :::* 717/krb5kdc
udp6 0 0 fe80::42:c0ff:fea8::123 :::* -
udp6 0 0 ::1:123 :::* -
udp6 0 0 :::123 :::* -
udp6 0 0 :::464 :::* 725/kadmind
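A scripted version of the listener comparison the reporter does by hand with netstat, as an added example that is not part of the original issue or the freeipa-container project: it parses two `netstat -tulpn` captures (constructed here, abbreviated from the output above) and reports which proto:port listeners were present before the container restart but are gone afterwards.

```shell
#!/bin/sh
# Added example: diff the set of listening proto:port pairs between two
# `netstat -tulpn` captures. Sample captures are constructed (abbreviated
# from the issue's before/after output); in practice feed real captures.
LC_ALL=C; export LC_ALL

BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 2137/kadmind
tcp 0 0 192.168.136.4:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2833/krb5kdc
tcp6 0 0 :::636 :::* LISTEN -
tcp6 0 0 :::389 :::* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
udp 0 0 192.168.136.4:53 0.0.0.0:* -
udp 0 0 0.0.0.0:88 0.0.0.0:* 2833/krb5kdc
udp6 0 0 :::53 :::* -
udp6 0 0 fe80::42:c0ff:fea8::123 :::* -'

AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 725/kadmind
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 717/krb5kdc
tcp6 0 0 :::636 :::* LISTEN -
tcp6 0 0 :::389 :::* LISTEN -
udp 0 0 0.0.0.0:88 0.0.0.0:* 717/krb5kdc
udp6 0 0 fe80::42:c0ff:fea8::123 :::* -'

# listeners CAPTURE: print unique "proto:port" pairs (tcp6/udp6 folded
# into tcp/udp; the port is the text after the last ':' so IPv6 works).
listeners() {
  printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ {
      n = split($4, a, ":"); proto = $1; sub(/6$/, "", proto)
      print proto ":" a[n] }' | sort -u
}

# missing_listeners BEFORE AFTER: pairs listening before but not after.
missing_listeners() {
  b=$(mktemp); a=$(mktemp)
  listeners "$1" > "$b"; listeners "$2" > "$a"
  comm -23 "$b" "$a"
  rm -f "$b" "$a"
}

missing_listeners "$BEFORE" "$AFTER"   # prints tcp:53 and udp:53
```

Run against real captures by replacing BEFORE and AFTER with `$(netstat -tulpn)` taken before and after the restart; an empty result means every listener came back.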
About this issue
- State: closed
- Created 7 years ago
- Comments: 32 (1 by maintainers)
I’ve filed https://github.com/freeipa/freeipa-container/pull/173 for that.