Closed ricosega closed 3 years ago
OK, I managed to discover a couple of things.
It won't work with docker-compose options "network_mode: host" nor "privileged: true" for sure, because it will return the second error I posted before. Configuration of client side components failed.
Which is exactly the same error posted here.
So finally I added "--no-host-dns" and removed the IPA_SERVER_HOSTNAME and IPA_SERVER_IP variables and again received the "Cannot set hostname" error. Then I did exactly the same as posted here and replaced the /bin/hostnamectl by this and it worked!
Can't you just uncomment that hostname: freeipa.server.dev line?
The commented lines are there because I tried with all options available but none of them works.
I tried with that option uncommented for sure but I was also getting errors, maybe because of combination with privileged: true or network_mode: host
You should never need to use privileged. Whether to use host network or not really depends on your needs.
But if the docker-compose that you use supports the hostname option, I'd go with that to avoid the need for hitting the code path of changing it later (which is what then wants to call hostnamectl).
Tested again from starting point with two different PCs.
With Ubuntu 18.04, Docker version 19.03.6 and docker-compose version 1.17.1 the option hostname: freeipa.server.dev does not work with the following options:
version: '3.2'
services:
  freeipa:
    image: freeipa/freeipa-server:centos-8
    container_name: freeipa
    hostname: freeipa.server.dev
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /srv/freeipa:/data
      - /srv/certs:/certs
    command:
      [
        "--no-ntp",
        "--no-host-dns",
        "--realm=SERVER.DEV",
        "--domain=server.dev",
        "--ds-password=randompasswd",
        "--admin-password=randompasswd",
        "--pki-config-override=/certs/pki.cfg",
        "--external-ca",
        "--unattended",
        "-v"
      ]
And the output is:
freeipa2 | Container invoked without fully-qualified hostname
freeipa2 | and without specifying hostname to use.
freeipa2 | Consider using -h FQDN option to docker run.
freeipa2 exited with code 15
In this case I can skip this error by using privileged mode.
With the second PC, Ubuntu 20.04, Docker version 20.10.6 and docker-compose version 1.25.0 the option hostname: freeipa.server.dev works properly the first time.
But now, with both PCs, the second time I run the docker-compose after signing the CSR with my own CA I get the hostname error.
freeipa | The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa | CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa | The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
freeipa | FreeIPA server configuration failed.
freeipa exited with code 123
Any idea?
Could you run
ca=--external-ca replica=none tests/run-master-and-replica.sh freeipa/freeipa-server:centos-8
to see if you get the error as well? It passes both on my local environments and in GitHub Action's CI for this repository without hitting the hostnamectl issue so running the test in your environment should help us to narrow down the cause of this issue.
As mentioned already, you should never need to use privileged; please don't do that. We've worked hard enough to make it possible to use FreeIPA container unprivileged and the privileged setup can actually cause new set of issues.
We seem to have lost traction here.
Sorry I had no time. The tests command that you asked me passed.
But tried again and same issue with hostname after signing CSR.
freeipa | Process finished, return code=0
freeipa | stdout=certutil: certificate is valid
freeipa |
freeipa | stderr=
freeipa | Name freeipa.server.dev resolved to {UnsafeIPAddress('172.19.0.2')}
freeipa | Searching for an interface of IP address: 172.19.0.2
freeipa | Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
freeipa | Testing local IP address: 172.19.0.2/255.255.0.0 (interface: eth0)
freeipa | Starting external process
freeipa | args=['/bin/systemctl', 'is-active', 'dirsrv@SERVER-DEV.service']
freeipa | Process finished, return code=0
freeipa | stdout=active
freeipa |
freeipa | stderr=
freeipa | Backing up system configuration file '/etc/hostname'
freeipa | Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
freeipa | Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa | Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa | Starting external process
freeipa | args=['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev']
freeipa | Process finished, return code=1
freeipa | stdout=
freeipa | stderr=Could not set property: Connection timed out
freeipa |
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
freeipa | return_value = self.run()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
freeipa | return cfgr.run()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
freeipa | return self.execute()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
freeipa | for rval in self._executor():
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa | exc_handler(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa | self._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa | step()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa | step = lambda: next(self.__gen)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa | value = gen.send(prev_value)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
freeipa | next(executor)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa | exc_handler(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa | self._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
freeipa | self.__parent._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
freeipa | super(ComponentBase, self)._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa | step()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa | step = lambda: next(self.__gen)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa | value = gen.send(prev_value)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
freeipa | for unused in self._installer(self.parent):
freeipa | File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 569, in main
freeipa | master_install(self)
freeipa | File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
freeipa | func(installer)
freeipa | File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 807, in install
freeipa | tasks.set_hostname(host_name)
freeipa | File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/tasks.py", line 587, in set_hostname
freeipa | ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
freeipa | p.returncode, arg_string, output_log, error_log
freeipa |
freeipa | The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa | CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa | The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
freeipa | FreeIPA server configuration failed.
Looking at that /usr/lib/python3.6/site-packages/ipaserver/install/server/install.py:807, the code is
# set hostname (transient and static) if user instructed us to do so
if options._host_name_overridden:
    tasks.backup_hostname(fstore, sstore)
    tasks.set_hostname(host_name)
and the options._host_name_overridden is set in
options._host_name_overridden = bool(options.host_name)
What does /var/log/ipaserver-install.log say about that option?
# grep host_name /var/log/ipaserver-install.log
Here is the output:
2021-05-05T08:26:49Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': True, 'ip_addresses': None, 'domain_name': 'server.dev', 'realm_name': 'SERVER.DEV', 'host_name': None, 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': True, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_dns_sshfp': False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': ['/certs/server.pem', '/certs/ca.pem'], 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': True, 'enable_compat': False, 'netbios_name': None, 'no_msdcs': False, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': True, 'quiet': False, 'log_file': None, 'uninstall': False}
2021-05-05T08:26:49Z DEBUG will use host_name: freeipa.server.dev
tasks.set_hostname(host_name)
It seems it is not taking it ('host_name': None), and I will have to pass it as an argument with --hostname=freeipa.server.dev.
Going to try it.
No, it's the other way round. The option was not passed so it's not clear to me why options._host_name_overridden gets set and tasks.set_hostname(host_name) executed.
Are you able to run docker exec freeipa hostname while the container is running the first and the second time to see what the internal understanding of the hostname is in it?
Tried with --hostname=freeipa.server.dev and still an error.
freeipa | stderr=
freeipa | Name freeipa.server.dev resolved to {UnsafeIPAddress('172.19.0.2')}
freeipa | Searching for an interface of IP address: 172.19.0.2
freeipa | Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
freeipa | Testing local IP address: 172.19.0.2/255.255.0.0 (interface: eth0)
freeipa | Starting external process
freeipa | args=['/bin/systemctl', 'is-active', 'dirsrv@SERVER-DEV.service']
freeipa | Process finished, return code=0
freeipa | stdout=active
freeipa |
freeipa | stderr=
freeipa | Backing up system configuration file '/etc/hostname'
freeipa | -> Not backing up - already have a copy of '/etc/hostname'
freeipa | Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa | Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa | Starting external process
freeipa | args=['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev']
freeipa | Process finished, return code=1
freeipa | stdout=
freeipa | stderr=Could not set property: Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)
freeipa |
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
freeipa | return_value = self.run()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
freeipa | return cfgr.run()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
freeipa | return self.execute()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
freeipa | for rval in self._executor():
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa | exc_handler(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa | self._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa | step()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa | step = lambda: next(self.__gen)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa | value = gen.send(prev_value)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
freeipa | next(executor)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa | exc_handler(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa | self._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
freeipa | self.__parent._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
freeipa | super(ComponentBase, self)._handle_exception(exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa | step()
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa | step = lambda: next(self.__gen)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa | six.reraise(*exc_info)
freeipa | File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa | raise value
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa | value = gen.send(prev_value)
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
freeipa | for unused in self._installer(self.parent):
freeipa | File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 569, in main
freeipa | master_install(self)
freeipa | File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
freeipa | func(installer)
freeipa | File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 807, in install
freeipa | tasks.set_hostname(host_name)
freeipa | File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/tasks.py", line 587, in set_hostname
freeipa | ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
freeipa | File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
freeipa | p.returncode, arg_string, output_log, error_log
freeipa |
freeipa | The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: "Could not set property: Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)\n")
freeipa | CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: "Could not set property: Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)\n")
freeipa | The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
freeipa | FreeIPA server configuration failed.
In both executions the result is the same:
ubuntu@mininuc ~/freeipa$ docker exec freeipa hostname
freeipa.server.dev
For hostnamectl set-hostname failures in containers, make sure to add pidfd_open to the list of permitted syscalls to your seccomp profile. This is the syscall used by systemd since Linux 5.3 kernel and if your container host runs on newer kernel, you get this issue.
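Added example, not part of the thread or of the freeipa-container project: a static check of a Docker/Podman seccomp profile (JSON) for the syscall named in the comment above, plus a helper that adds one allow rule instead of falling back to privileged mode. The profile below is constructed, the function names are hypothetical, and the check assumes an allowlist-style profile (a deny-type defaultAction with SCMP_ACT_ALLOW rules).

```python
import copy
import json

ALLOW = "SCMP_ACT_ALLOW"

# Constructed sample in the Docker seccomp JSON layout; not a real default profile.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "clone"], "action": ALLOW},
        # Rule that only applies when the container holds the listed capability.
        {"names": ["mount", "sethostname"], "action": ALLOW,
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def classify(profile, name):
    """Static verdict for one syscall: 'allowed', 'conditional' or 'default:<action>'.

    Assumes an allowlist profile; only SCMP_ACT_ALLOW rules are considered.
    """
    verdict = "default:" + str(profile.get("defaultAction"))
    for rule in profile.get("syscalls", []):
        # Older profiles use a single "name" key instead of a "names" list.
        names = rule.get("names") or [rule.get("name")]
        if name not in names or rule.get("action") != ALLOW:
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            verdict = "conditional"  # gated on arguments, capabilities or arch
        else:
            return "allowed"
    return verdict


def permit(profile, name):
    """Return a copy of the profile with an unconditional allow rule for `name`."""
    patched = copy.deepcopy(profile)
    if classify(patched, name) != "allowed":
        patched.setdefault("syscalls", []).append(
            {"names": [name], "action": ALLOW, "args": []}
        )
    return patched


if __name__ == "__main__":
    for syscall in ("pidfd_open", "sethostname", "read"):
        print(syscall, "->", classify(SAMPLE_PROFILE, syscall))
    patched = permit(SAMPLE_PROFILE, "pidfd_open")
    print("after patch ->", classify(patched, "pidfd_open"))
    print(json.dumps(patched["syscalls"][-1]))
```

A patched profile saved to a file can be passed to the container with docker run --security-opt seccomp=<file>.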
I've tried to build image from
diff --git a/Dockerfile.centos-8 b/Dockerfile.centos-8
index 04a54e2..d7ad635 100644
--- a/Dockerfile.centos-8
+++ b/Dockerfile.centos-8
@@ -94,3 +94,5 @@ RUN uuidgen > /data-template/build-id
# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
LABEL maintainer="FreeIPA Developers <freeipa-devel@lists.fedorahosted.org>"
+
+RUN rm -f /usr/bin/hostnamectl ; ln -s /bin/false /usr/bin/hostnamectl
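Review bot: the added RUN line stubs /usr/bin/hostnamectl, while the installer output earlier in this thread invokes /bin/hostnamectl, so the stub only intercepts that call if /bin resolves to /usr/bin in this image; say so in a comment above the line, or stub the path the installer actually uses. The line also carries no comment marking it as a diagnostic-only change that must not ship, and ln -sf /bin/false /usr/bin/hostnamectl would do the removal and the link in one step instead of chaining two commands with ';', which ignores a failure of the first.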
to force hostnamectl to always fail.
Then I run
docker=podman ca=--external-ca replica=none tests/run-master-and-replica.sh local/freeipa-server:centos-8
(and the same with docker) and it did not fail. Which to me means that hostnamectl was never actually called in this test.
While in @ricosega's docker-compose it gets called for some reason, even if the host_name option is not used.
Closing as I'm not able to reproduce the case when hostnamectl gets called.
Hi there,
Trying to install it with custom certificate but cannot make it work. It is even difficult to install it with its own because sometimes fails in the process and sometimes not with the same configuration, so I would really thank if someone could help.
I will paste the info about docker versions and images used below:
That said, here is the docker-compose.yml config that I am using:
The commented lines are there because I tried with all options available but none of them works. I have an ipaserver-install.log with all the outputs saved.
The steps I follow are the next: FIRST TIME
If there is no error I get the CSR to sign. After signing it I execute it with the following: SECOND TIME
And in this second step I use to get different errors: