freeipa server install fails at http setup due unicode error

[ikke-t]

I have tried to install freeipa several times on rhel8.5, both with the roles coming from ansible-freeipa-0.3.8-1.el8.noarch or upstram collections version 1.5.3. I can not get it to work.

My variables:

ipaserver_domain: cool.lab
ipaserver_realm: COOL.LAB
ipaserver_setup_dns: true
ipaserver_forwarders:
  - 10.1.102.5
  - 10.1.102.10

passwords are in vault

end of ansible log:

TASK [ipaserver : Install - Setup HTTP] ******************************************************************************************************************************************************************************************
task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:322
<10.128.1.10> ESTABLISH SSH CONNECTION FOR USER: root
<10.128.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/itengval/.ansible/cp/99b8d4ca43 10.128.1.10 '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
<10.128.1.10> (0, b'/root\n', b'')
<10.128.1.10> ESTABLISH SSH CONNECTION FOR USER: root
<10.128.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/itengval/.ansible/cp/99b8d4ca43 10.128.1.10 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061 `" && echo ansible-tmp-1640940320.6876967-641791-31392728919061="` echo /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061 `" ) && sleep 0'"'"''
<10.128.1.10> (0, b'ansible-tmp-1640940320.6876967-641791-31392728919061=/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061\n', b'')
Using module file /usr/share/ansible/roles/ipaserver/library/ipaserver_setup_http.py
<10.128.1.10> PUT /home/itengval/.ansible/tmp/ansible-local-6410591oz6d1kx/tmp2xjimbgz TO /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py
<10.128.1.10> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/itengval/.ansible/cp/99b8d4ca43 '[10.128.1.10]'
<10.128.1.10> (0, b'sftp> put /home/itengval/.ansible/tmp/ansible-local-6410591oz6d1kx/tmp2xjimbgz /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py\n', b'')
<10.128.1.10> ESTABLISH SSH CONNECTION FOR USER: root
<10.128.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/itengval/.ansible/cp/99b8d4ca43 10.128.1.10 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/ /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py && sleep 0'"'"''
<10.128.1.10> (0, b'', b'')
<10.128.1.10> ESTABLISH SSH CONNECTION FOR USER: root
<10.128.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/itengval/.ansible/cp/99b8d4ca43 -tt 10.128.1.10 '/bin/sh -c '"'"'/usr/libexec/platform-python /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py && sleep 0'"'"''
<10.128.1.10> (0, b'--- Logging error ---\r\nTraceback (most recent call last):\r\n  File "/usr/lib64/python3.6/logging/__init__.py", line 996, in emit\r\n    stream.write(msg)\r\nUnicodeEncodeError: \'ascii\' codec can\'t encode characters in position 155-157: ordinal not in range(128)\r\nCall stack:\r\n  File "/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py", line 102, in <module>\r\n    _ansiballz_main()\r\n  File "/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File "/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py", line 40, in invoke_module\r\n    runpy.run_module(mod_name=\'ansible.modules.ipaserver_setup_http\', init_globals=None, run_name=\'__main__\', alter_sys=True)\r\n  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File "/tmp/ansible_ipaserver_setup_http_payload_x5l6dnt0/ansible_ipaserver_setup_http_payload.zip/ansible/modules/ipaserver_setup_http.py", line 325, in <module>\r\n  File "/tmp/ansible_ipaserver_setup_http_payload_x5l6dnt0/ansible_ipaserver_setup_http_payload.zip/ansible/modules/ipaserver_setup_http.py", line 301, in main\r\n  File "/usr/lib/python3.6/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance\r\n    self.start_creation()\r\n  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation\r\n    run_step(full_msg, method)\r\n  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step\r\n    method()\r\n  File "/usr/lib/python3.6/site-packages/ipaserver/install/httpinstance.py", line 177, in remove_httpd_ccaches\r\n    [paths.SYSTEMD_TMPFILES, \'--create\', \'--prefix\', paths.IPA_CCACHES]\r\n  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 579, in run\r\n    logger.debug(\'stderr=%s\', error_log)\r\nMessage: \'stderr=%s\'\r\nArguments: (\'[/etc/tmpfiles.d/dirsrv-COOL-LAB.conf:1] Line references path below legacy directory /var/run/, updating /var/run/dirsrv \xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd /run/dirsrv; please update the tmpfiles.d/ drop-in file accordingly.\\n\',)\r\nApplying LDAP updates\r\nRestarting the KDC\r\n\r\n{"changed": true, "invocation": {"module_args": {"dm_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "master_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "domain": "cool.lab", "realm": "COOL.LAB", "hostname": "rh-idm-01.cool-lab.tech", "reverse_zones": [], "setup_adtrust": false, "setup_kra": false, "setup_dns": true, "setup_ca": true, "no_host_dns": true, "dirsrv_cert_files": [], "subject_base": "O=COOL.LAB", "_subject_base": "O=COOL.LAB", "ca_subject": "CN=Certificate Authority,O=COOL.LAB", "_ca_subject": "CN=Certificate Authority,O=COOL.LAB", "no_reverse": false, "auto_forwarders": false, "no_pkinit": false, "no_hbac_allow": false, "idstart": 1932200000, "idmax": 1932399999, "http_cert_files": [], "no_ui_redirect": false, "ip_addresses": [], "external_cert_files": [], "domainlevel": null, "dirsrv_config_file": null, "_dirsrv_pkcs12_info": null, "_http_pkcs12_info": null}}}\r\n', b'Shared connection to 10.128.1.10 closed.\r\n')
[WARNING]: Module invocation had junk after the JSON data:   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 579, in run     logger.debug('stderr=%s', error_log) Message: 'stderr=%s' Arguments:
('[/etc/tmpfiles.d/dirsrv-COOL-LAB.conf:1] Line references path below legacy directory /var/run/, updating /var/run/dirsrv ��� /run/dirsrv; please update the tmpfiles.d/ drop-in file accordingly.\n',) Applying LDAP updates
Restarting the KDC  {"changed": true, "invocation": {"module_args": {"dm_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "master_password":
"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "domain": "cool.lab", "realm": "COOL.LAB", "hostname": "rh-idm-01.cool-lab.tech", "reverse_zones": [], "setup_adtrust": false, "setup_kra": false, "setup_dns": true, "setup_ca": true,
"no_host_dns": true, "dirsrv_cert_files": [], "subject_base": "O=COOL.LAB", "_subject_base": "O=COOL.LAB", "ca_subject": "CN=Certificate Authority,O=COOL.LAB", "_ca_subject": "CN=Certificate Authority,O=COOL.LAB",
"no_reverse": false, "auto_forwarders": false, "no_pkinit": false, "no_hbac_allow": false, "idstart": 1932200000, "idmax": 1932399999, "http_cert_files": [], "no_ui_redirect": false, "ip_addresses": [], "external_cert_files":
[], "domainlevel": null, "dirsrv_config_file": null, "_dirsrv_pkcs12_info": null, "_http_pkcs12_info": null}}}
<10.128.1.10> ESTABLISH SSH CONNECTION FOR USER: root
<10.128.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/itengval/.ansible/cp/99b8d4ca43 10.128.1.10 '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/ > /dev/null 2>&1 && sleep 0'"'"''
<10.128.1.10> (0, b'', b'')
fatal: [10.128.1.10]: FAILED! => {
    "changed": false,
    "module_stderr": "Shared connection to 10.128.1.10 closed.\r\n",
    "module_stdout": "--- Logging error ---\r\nTraceback (most recent call last):\r\n  File \"/usr/lib64/python3.6/logging/__init__.py\", line 996, in emit\r\n    stream.write(msg)\r\nUnicodeEncodeError: 'ascii' codec can't encode characters in position 155-157: ordinal not in range(128)\r\nCall stack:\r\n  File \"/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py\", line 102, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py\", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1640940320.6876967-641791-31392728919061/AnsiballZ_ipaserver_setup_http.py\", line 40, in invoke_module\r\n    runpy.run_module(mod_name='ansible.modules.ipaserver_setup_http', init_globals=None, run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File \"/tmp/ansible_ipaserver_setup_http_payload_x5l6dnt0/ansible_ipaserver_setup_http_payload.zip/ansible/modules/ipaserver_setup_http.py\", line 325, in <module>\r\n  File \"/tmp/ansible_ipaserver_setup_http_payload_x5l6dnt0/ansible_ipaserver_setup_http_payload.zip/ansible/modules/ipaserver_setup_http.py\", line 301, in main\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/httpinstance.py\", line 151, in create_instance\r\n    self.start_creation()\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/service.py\", line 635, in start_creation\r\n    run_step(full_msg, method)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/service.py\", line 621, in run_step\r\n    method()\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/httpinstance.py\", line 177, in remove_httpd_ccaches\r\n    [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]\r\n  File \"/usr/lib/python3.6/site-packages/ipapython/ipautil.py\", line 579, in run\r\n    logger.debug('stderr=%s', error_log)\r\nMessage: 'stderr=%s'\r\nArguments: ('[/etc/tmpfiles.d/dirsrv-COOL-LAB.conf:1] Line references path below legacy directory /var/run/, updating /var/run/dirsrv ��� /run/dirsrv; please update the tmpfiles.d/ drop-in file accordingly.\\n',)\r\nApplying LDAP updates\r\nRestarting the KDC\r\n\r\n{\"changed\": true, \"invocation\": {\"module_args\": {\"dm_password\": \"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER\", \"password\": \"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER\", \"master_password\": \"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER\", \"domain\": \"cool.lab\", \"realm\": \"COOL.LAB\", \"hostname\": \"rh-idm-01.cool-lab.tech\", \"reverse_zones\": [], \"setup_adtrust\": false, \"setup_kra\": false, \"setup_dns\": true, \"setup_ca\": true, \"no_host_dns\": true, \"dirsrv_cert_files\": [], \"subject_base\": \"O=COOL.LAB\", \"_subject_base\": \"O=COOL.LAB\", \"ca_subject\": \"CN=Certificate Authority,O=COOL.LAB\", \"_ca_subject\": \"CN=Certificate Authority,O=COOL.LAB\", \"no_reverse\": false, \"auto_forwarders\": false, \"no_pkinit\": false, \"no_hbac_allow\": false, \"idstart\": 1932200000, \"idmax\": 1932399999, \"http_cert_files\": [], \"no_ui_redirect\": false, \"ip_addresses\": [], \"external_cert_files\": [], \"domainlevel\": null, \"dirsrv_config_file\": null, \"_dirsrv_pkcs12_info\": null, \"_http_pkcs12_info\": null}}}\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 0
}

[ikke-t]

since it's about unicode, here's my locale:

▶ ssh root@10.128.1.10            
The authenticity of host '10.128.1.10 (10.128.1.10)' can't be established.
ECDSA key fingerprint is SHA256:V6Nnz8fIlTndlb5dleV0R+UVZJS5rhrZXgnFdrZ4XOM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.128.1.10' (ECDSA) to the list of known hosts.
Last login: Fri Dec 31 10:45:56 2021 from 10.254.253.2
[root@rh-idm-01 ~]# locale
locale: Cannot set LC_ALL to default locale: No such file or directory
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC=fi_FI.UTF-8
LC_TIME=fi_FI.UTF-8
LC_COLLATE="en_US.UTF-8"
LC_MONETARY=fi_FI.UTF-8
LC_MESSAGES="en_US.UTF-8"
LC_PAPER=fi_FI.UTF-8
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT=fi_FI.UTF-8
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

[ikke-t]

I tried also with: LC_ALL=en_US.UTF-8 ansible-playbook ... no difference

[ikke-t]

ansible 2.9.27

[ikke-t]

doing the same install manually works perfectly:

ipa-server-install \
  --domain cool.lab \
  --realm COOL.LAB \
  --ds-password bar \
  --admin-password foo \
  --unattended \
  --setup-dns \
  --forwarder 10.1.102.5 \
  --auto-reverse

[abbra]

It looks like this is triggered by a systemd tool's warning which contains UTF-8 but non-ASCII characters (an arrow) which is then cannot be parsed by Python. Three possible solutions:

• fix 389-ds installer code to use correct path so that warning is not issued
• fix environment in which IPA executes these tools
• fix ansible-freeipa code to make sure UTF-8 is acceptable

I think a longer term solution would be for both (1) and (3). We do expect UTF-8 locale to be present and working on the system in IPA.

[ikke-t]

I try with:

   - name: gen eu_US locale
      locale_gen:
        name: en_US
        state: present

    - name: set as default locale
      command: localectl set-locale LANG=en_US LC_ALL=en_US

[ikke-t]

the locale_gen module doesn't seem to work on rhel

[ikke-t]

How should the locales be set in freeipa?

[ikke-t]

I try now with localectl set-locale LANG=C

[ikke-t]

no help

[ikke-t]

The kickstart config for rhel is here https://github.com/ikke-t/ansible-packer/blob/master/templates/cfg-rhel_8.j2

And the ipa install adding to that is here: https://github.com/RedHatNordicsSA/cool-lab/blob/main/setup-idm.yml

[t-woerner]

There is a locale error:

[root@rh-idm-01 ~]# locale
locale: Cannot set LC_ALL to default locale: No such file or directory

Have you modified the system after doing the kickstart installation? In the kickstart file there is lang en_US.UTF-8, but in your locale output there is LC_NUMERIC=fi_FI.UTF-8 for example.

What system are you using for the controller?

[t-woerner]

Do you have glibc-langpack-fi installed on rh-idm-01? Is the locale command and the role working if you install this package?

[ikke-t]

Those fi things come from my laptop where I run the ansibles from. I've also tried with LC_ALL=C ansible-playbook -u root -e "subs_username=$subs_username subs_pw=$subs_pw" setup-idm.yml -vvv --skip-tags replica,subs to avoid my laptop settings taking effect. I'll try also with installing the finnish locales.

[ikke-t]

Now I took another look at it. The warning comes from the fact this file has lines that produce warning into log:

[root@rh-idm-01 ~]# cat /etc/tmpfiles.d/dirsrv-COOL-LAB.conf
d /var/run/dirsrv 0770 dirsrv dirsrv
d /var/lock/dirsrv/ 0770 dirsrv dirsrv
d /var/lock/dirsrv/slapd-COOL-LAB 0770 dirsrv dirsrv

In the ansible warning:

[WARNING]: Module invocation had junk after the JSON data:   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 579, in run     logger.debug('stderr=%s', error_log) Message: 'stderr=%s' Arguments:
('[/etc/tmpfiles.d/dirsrv-COOL-LAB.conf:1] Line references path below legacy directory /var/run/, updating /var/run/dirsrv ��� /run/dirsrv; please update the tmpfiles.d/ drop-in file accordingly.\n',) Applying LDAP updates

So I believe the possible arrow there, like pointed out by @abbra then breaks the reading of json. Now the fix would be to generate the file so it won't cause a warning, as instructed in the warning.

Of course the ansible should not fail reading the log also. but as a quick fix the file syntax should be correct.

[ikke-t]

So this package: 389-ds-base-1.4.3.23-12.module+el8.5.0+13329+4096c77a.x86_64 has a file: /usr/share/dirsrv/inf/defaults.inf which sets the run dir:

/usr/share/dirsrv/inf/defaults.inf:run_dir = /var/run/dirsrv
/usr/share/dirsrv/inf/defaults.inf:pid_file = /var/run/dirsrv/slapd-{instance_name}.pid

at least that place. I don't know exactly where that install line comes from, but it's using legacy path.

[ikke-t]

question is, who generates this file: /etc/tmpfiles.d/dirsrv-COOL-LAB.conf, and how can the path inside it be fixed? It should point to /run/, instead of /var/run

[ikke-t]

I think changing the /var/run from everywhere is slightly more work, as it seems to be even in selinux targets.

[ikke-t]

@t-woerner you are right. The package glibc-langpack-fi fixes it. I wonder why when i had the LC_ALL in the command line....

[rjeffman]

@t-woerner for ansible-freeipa plugins we are forcing os.environ["LANGUAGE"] = "C", should it be also done to roles?

[ikke-t]

Hmmmm, seems to be all my fault. I recalled LC_ALL sets all locales, but it won't. This gets rid of the local finnish locales I have:

LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 ansible-playbook -i hosts -u root -e "subs_username=$subs_username subs_pw=$subs_pw" setup-idm.yml

So the problem at the end was that Ansible carries my laptops locales to remote system, which somehow leads to error, as the target machine doesn't have the Finnish locales. So setting up the LC_ALL and LANG to en_US.UTF-8 will get rid of all this problem.

[rjeffman]

@ikke-t that's the reason for my question. To fix it on ansible-freeipa side, we might need to force the locale on the roles.

[ikke-t]

Funny, actually in the previous I had a typo. I had LANG set incorrectly to en_US.UFT-8, then it worked. So this is the way to get it working:

LC_ALL=en_US.UTF-8 LANG=C ansible-playbook -i hosts -u root -e "subs_username=$subs_username subs_pw=$subs_pw" setup-idm.yml

[myllynen]

LC_ALL indeed should override all the other locale settings but setting LANGUAGE should only affect the messages displayed by programs. See locale(7) for details. Since source code mentions "ansible-freeipa requires locale to be C, IPA requires utf-8", not sure would using C.UTF-8 on recent distributions be of any help.