freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

freeipa-server-rocky-9 ipa-server-install: DNS problems #502

Closed wentau closed 1 year ago

wentau commented 1 year ago

Host machine specs

The command I used (rootless):

```
docker run -it -e PASSWORD=Secret123 \
    -e IPA_SERVER_IP=10.5.5.23 \
    -p 10.5.5.23:53:53/udp -p 10.5.5.23:53:53 \
    -p 80:80 -p 443:443 \
    -p 389:389 -p 636:636 \
    -p 88:88 -p 464:464 \
    -p 88:88/udp -p 464:464/udp -p 123:123/udp \
    --name freeipa-server-container \
    -h master.zyyt.org \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /path/to/freeipa/ipa-data:/data:Z \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --read-only \
    freeipa-rocky-9 --setup-dns --no-ntp
```

I skip the NTP configuration since the chrony service is active on this host machine and because of this closed issue #488.

The messages printed during the execution:

```
systemd 250-12.el9_1 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization docker.
Detected architecture x86-64.

Queued start job for default target Minimal target for containerized FreeIPA server.
-.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup/unified/docker/a30c37a06b7710efe8aac9a1bb74f599e9c25ee3a4e114ba3cbffa38b6a6b5b6, ignoring: Operation not permitted
system.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup/unified/docker/a30c37a06b7710efe8aac9a1bb74f599e9c25ee3a4e114ba3cbffa38b6a6b5b6/system.slice, ignoring: Operation not permitted
systemd-journald.service: Failed to get cgroup ID on cgroup /sys/fs/cgroup/unified/docker/a30c37a06b7710efe8aac9a1bb74f599e9c25ee3a4e114ba3cbffa38b6a6b5b6/system.slice/systemd-journald.service, ignoring: Operation not permitted
system.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup/unified/docker/a30c37a06b7710efe8aac9a1bb74f599e9c25ee3a4e114ba3cbffa38b6a6b5b6/system.slice, ignoring: Operation not permitted
-.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup/unified/docker/a30c37a06b7710efe8aac9a1bb74f599e9c25ee3a4e114ba3cbffa38b6a6b5b6, ignoring: Operation not permitted
Wed Dec 7 07:05:28 UTC 2022 /usr/sbin/ipa-server-configure-first

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.10.0

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

Excluded by options:
  * Configure the NTP client (chronyd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com


Server host name [master.zyyt.org]: 

The domain name has been determined based on the host name.

Please confirm the domain name [zyyt.org]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [ZYYT.ORG]: 
Checking DNS domain zyyt.org., please wait ...
Do you want to configure DNS forwarders? [yes]: 
Following DNS servers are configured in /etc/resolv.conf: 219.141.136.10, 202.106.0.20
Do you want to configure these servers as DNS forwarders? [yes]: 
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 
DNS forwarders: 219.141.136.10, 202.106.0.20
Checking DNS forwarders, please wait ...
DNS server 219.141.136.10 does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 219.141.136.10: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 202.106.0.20 does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 202.106.0.20: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]: 
Reverse record for IP address 172.17.0.2 already exists
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [ZYYT]: 

The IPA Master Server will be configured with:
Hostname:       master.zyyt.org
IP address(es): 172.17.0.2
Domain name:    zyyt.org
Realm name:     ZYYT.ORG

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=ZYYT.ORG
Subject base: O=ZYYT.ORG
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       219.141.136.10, 202.106.0.20
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
selinux is disabled, will not relabel ports or files.
[  OK  ] Created slice Slice /system/dirsrv.
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
Create database backend: dc=zyyt,dc=org ...
Perform post-installation tasks ...
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
  [2/42]: tune ldbm plugin
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configure password logging
  [7/42]: configuring replication version plugin
  [8/42]: enabling IPA enrollment plugin
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  [11/42]: configuring modrdn plugin
  [12/42]: configuring DNS plugin
  [13/42]: enabling entryUSN plugin
  [14/42]: configuring lockout plugin
  [15/42]: configuring graceperiod plugin
  [16/42]: configuring topology plugin
  [17/42]: creating indices
  [18/42]: enabling referential integrity plugin
  [19/42]: configuring certmap.conf
  [20/42]: configure new location for managed entries
  [21/42]: configure dirsrv ccache and keytab
  [22/42]: enabling SASL mapping fallback
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
  [24/42]: adding sasl mappings to the directory
  [25/42]: adding default layout
  [26/42]: adding delegation layout
  [27/42]: creating container for managed entries
  [28/42]: configuring user private groups
  [29/42]: configuring netgroups from hostgroups
  [30/42]: creating default Sudo bind user
  [31/42]: creating default Auto Member layout
  [32/42]: adding range check plugin
  [33/42]: creating default HBAC rule allow_all
  [34/42]: adding entries for topology management
  [36/42]: adding master entry
  [38/42]: configuring Posix uid/gid generation
  [39/42]: adding replication acis
  [40/42]: activating sidgen plugin
  [41/42]: activating extdom plugin
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
[  OK  ] Reached target Network is Online.
         Starting Kerberos 5 KDC...
[  OK  ] Started Kerberos 5 KDC.
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
         Starting Kerberos 5 Password-changing and Administration...
[  OK  ] Started Kerberos 5 Password-changing and Administration.
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
         Starting IPA Custodia Service...
[  OK  ] Started IPA Custodia Service.
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
[  OK  ] Created slice Slice /system/pki-tomcatd.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
  [3/30]: backing up CS.cfg
  [4/30]: Add ipa-pki-wait-running
  [5/30]: secure AJP connector
  [6/30]: reindex attributes
  [7/30]: exporting Dogtag certificate store pin
  [8/30]: disabling nonces
  [9/30]: set up CRL publishing
  [10/30]: enable PKIX certificate path discovery and validation
  [11/30]: authorizing RA to modify profiles
  [12/30]: authorizing RA to manage lightweight CAs
  [13/30]: Ensure lightweight CAs container exists
  [14/30]: Ensuring backward compatibility
  [15/30]: starting certificate server instance
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
  [16/30]: configure certmonger for renewals
         Starting Certificate monitoring and PKI enrollment...
[  OK  ] Started Certificate monitoring and PKI enrollment.
  [17/30]: requesting RA certificate from CA
  [18/30]: publishing the CA certificate
  [19/30]: adding RA agent as a trusted user
  [21/30]: Configure HTTP to proxy connections
  [22/30]: updating IPA configuration
  [23/30]: enabling CA instance
  [24/30]: importing IPA certificate profiles
  [25/30]: migrating certificate profiles to LDAP
  [26/30]: adding default CA ACL
  [27/30]: adding 'ipa' CA entry
  [28/30]: Recording random serial number state
  [29/30]: configuring certmonger renewal for lightweight CAs
  [30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
Done configuring directory server (dirsrv).
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
[  OK  ] Listening on ipa-otpd socket.
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
         Starting GSSAPI Proxy Daemon...
[  OK  ] Started GSSAPI Proxy Daemon.
  [12/22]: setting up ssl
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
         Starting One-time temporary TLS key generation for httpd.service...
[  OK  ] Finished One-time temporary TLS key generation for httpd.service.
         Starting The Apache HTTP Server...
[  OK  ] Started The Apache HTTP Server.
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
[  OK  ] Started privileged operations for unprivileged applications.
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
         Stopping Kerberos 5 KDC...
[  OK  ] Stopped Kerberos 5 KDC.
         Starting Kerberos 5 KDC...
[  OK  ] Started Kerberos 5 KDC.
Done configuring Kerberos KDC (krb5kdc).
         Stopping Kerberos 5 KDC...
[  OK  ] Stopped Kerberos 5 KDC.
         Starting Kerberos 5 KDC...
[  OK  ] Started Kerberos 5 KDC.
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
  [7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
  [9/10]: restoring configuration
  [10/10]: starting directory server
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
Done.
Restarting the KDC
         Starting Kerberos 5 KDC...
[  OK  ] Started Kerberos 5 KDC.
dnssec-validation no
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up our own record
  [5/12]: setting up records for other masters
  [6/12]: adding NS record to the zones
  [9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/data/etc/named/ipa-ext.conf'
created named user config '/data/etc/named/ipa-options-ext.conf'
created named user config '/data/etc/named/ipa-logging-ext.conf'
  [10/12]: setting up server configuration
  [12/12]: changing resolv.conf to point to ourselves
Could not update DNS config: [Errno 30] Read-only file system: '/etc/resolv.conf'
Done configuring DNS (named).
         Stopping The Apache HTTP Server...
[  OK  ] Stopped The Apache HTTP Server.
         Starting One-time temporary TLS key generation for httpd.service...
[  OK  ] Finished One-time temporary TLS key generation for httpd.service.
         Starting The Apache HTTP Server...
[  OK  ] Started The Apache HTTP Server.
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
[  OK  ] Started IPA key daemon.
Restarting named
         Starting Generate rndc key for BIND (DNS)...
[  OK  ] Finished Generate rndc key for BIND (DNS).
         Starting Berkeley Internet Name Domain (DNS)...
[FAILED] Failed to start Berkeley Internet Name Domain (DNS).
See 'systemctl status named.service' for details.
[  OK  ] Reached target Host and Network Name Lookups.
Named service failed to start (CalledProcessError(Command ['/bin/systemctl', 'restart', 'named.service'] returned non-zero exit status 1: 'Job for named.service failed because the control process exited with error code.\nSee "systemctl status named.service" and "journalctl -xeu named.service" for details.\n'))
named service failed to start
Updating DNS system records
Configuring SID generation
  [1/8]: creating samba domain object
  [2/8]: adding admin(group) SIDs
  [3/8]: adding RID bases
  [4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/8]: activating sidgen task
  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
         Starting 389 Directory Server ZYYT-ORG....
[  OK  ] Started 389 Directory Server ZYYT-ORG..
  [7/8]: adding fallback group
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.10.0

The sudo binary does not seem to be present on this system. Please consider installing sudo if required.
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.zyyt.org
Realm: ZYYT.ORG
DNS Domain: zyyt.org
IPA Server: master.zyyt.org
BaseDN: dc=zyyt,dc=org

         Starting System Security Services Daemon...
[  OK  ] Started System Security Services Daemon.
[  OK  ] Reached target User and Group Name Lookups.
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring zyyt.org as NIS domain.
         Starting Read and set NIS domainname from /etc/sysconfig/network...
[  OK  ] Finished Read and set NIS domainname from /etc/sysconfig/network.
Client configuration complete.
The ipa-client-install command was successful

[  OK  ] Reached target Network.
         Starting Identity, Policy, Audit...
         Starting Generate rndc key for BIND (DNS)...
[  OK  ] Finished Generate rndc key for BIND (DNS).
         Starting Berkeley Internet Name Domain (DNS)...
[FAILED] Failed to start Berkeley Internet Name Domain (DNS).
See 'systemctl status named.service' for details.
         Stopping Kerberos 5 KDC...
[  OK  ] Stopped Kerberos 5 KDC.
         Stopping Kerberos 5 Password-changing and Administration...
[  OK  ] Stopped Kerberos 5 Password-changing and Administration.
         Stopping The Apache HTTP Server...
[  OK  ] Stopped The Apache HTTP Server.
         Stopping IPA Custodia Service...
[  OK  ] Stopped IPA Custodia Service.
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Closed ipa-otpd socket.
[  OK  ] Stopped IPA key daemon.
         Stopping 389 Directory Server ZYYT-ORG....
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
[  OK  ] Stopped 389 Directory Server ZYYT-ORG..
[FAILED] Failed to start Identity, Policy, Audit.
See 'systemctl status ipa.service' for details.
CalledProcessError(Command ['/bin/systemctl', 'restart', 'ipa.service'] returned non-zero exit status 1: 'Job for ipa.service failed because the control process exited with error code.\nSee "systemctl status ipa.service" and "journalctl -xeu ipa.service" for details.\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[FAILED] Failed to start Configure IPA server upon the first start.
See 'systemctl status ipa-server-configure-first.service' for details.
[  OK  ] Removed slice Slice /system/dirsrv.
[  OK  ] Removed slice Slice /system/pki-tomcatd.
[  OK  ] Stopped target Minimal target for containerized FreeIPA server.
[  OK  ] Stopped target Network is Online.
[  OK  ] Stopped target Host and Network Name Lookups.
[  OK  ] Stopped target User and Group Name Lookups.
         Unmounting /data...
         Unmounting /etc/hostname...
         Unmounting /etc/hosts...
         Unmounting /etc/resolv.conf...
         Unmounting /var/log/journal...
         Stopping Certificate monitoring and PKI enrollment...
         Stopping GSSAPI Proxy Daemon...
         Stopping privileged operations for unprivileged applications...
         Stopping System Security Services Daemon...
[  OK  ] Stopped privileged operations for unprivileged applications.
[FAILED] Failed unmounting /data.
[FAILED] Failed unmounting /etc/hostname.
[FAILED] Failed unmounting /etc/hosts.
[FAILED] Failed unmounting /etc/resolv.conf.
[  OK  ] Stopped GSSAPI Proxy Daemon.
[  OK  ] Stopped Certificate monitoring and PKI enrollment.
[  OK  ] Stopped target Network.
         Stopping D-Bus System Message Bus...
[FAILED] Failed unmounting /var/log/journal.
[  OK  ] Stopped D-Bus System Message Bus.
[  OK  ] Closed D-Bus System Message Bus Socket.
         Unmounting Temporary Directory /tmp...
[  OK  ] Stopped System Security Services Daemon.
[  OK  ] Stopped target System Initialization.
[  OK  ] Stopped Read and set NIS domainname from /etc/sysconfig/network.
[  OK  ] Stopped Create Volatile Files and Directories.
[  OK  ] Reached target System Shutdown.
[FAILED] Failed unmounting Temporary Directory /tmp.
[  OK  ] Reached target Unmount All Filesystems.
[  OK  ] Reached target Late Shutdown Services.
         Starting System Power Off...
[  OK  ] Finished Exit the Container.
[  OK  ] Reached target Exit the Container.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
All filesystems, swaps, loop devices, MD devices and DM devices detached.
Exiting container.
```

From the above, it seems there is (or could be) something wrong with:

The host machine has a systemd-resolved service running on port 53, which is why I use `-p <HOST_IP>:53:53/udp -p <HOST_IP>:53:53` in the above docker run command. The comment in /etc/resolv.conf also indicates that the file is managed by this service.

I have searched through the issues and found little related to the problem. Any help would be appreciated.
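The installer output above runs a DNSSEC probe against every forwarder, and when it fails it only warns ("DNSSEC validation will be disabled") and carries on, so a forwarder that strips signatures silently costs you DNSSEC validation for the whole IPA domain. The script below is an added example written for this page (it is not part of the issue or of the freeipa-container project) that lets you run that probe yourself before `ipa-server-install`. The page only shows what the installer reports (a `. SOA` query whose answer lacks RRSIG data); this script assumes the standard way of eliciting signatures, a UDP query with an EDNS0 OPT record carrying the DO bit, and parses the reply with the standard library only. The `sample_response()` messages are constructed for offline use, not captured from any resolver, and the forwarder addresses are whatever you pass on the command line.

```python
"""Pre-flight DNSSEC check for FreeIPA DNS forwarders (stdlib only, added example).

Sends the query the installer reports on ('. SOA') with the EDNS0 DO bit set and
reports whether the answer carries RRSIG records.  Sample responses below are
constructed, not captured from a real resolver.
"""
import socket
import struct
import sys

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
CLASS_IN = 1
EDNS_DO = 0x8000   # DO bit sits in the upper 16 bits of the OPT pseudo-RR's TTL field


def build_query(txn_id=0x1234):
    """'. SOA IN' with RD=1 plus an OPT pseudo-RR (4096-byte payload, DO=1)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = b"\x00" + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_rr_types(msg):
    """Walk all sections; return rcode, the RR types per section and the DO flag."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    result = {"rcode": flags & 0x000F, "do": False}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        types = []
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen                   # fixed RR header + RDATA
            types.append(rtype)
            if rtype == TYPE_OPT and ttl & EDNS_DO:
                result["do"] = True
        result[section] = types
    return result


def has_rrsig(response):
    """True when the answer section is signed, which is what the installer wants to see."""
    parsed = parse_rr_types(response)
    return parsed["rcode"] == 0 and TYPE_RRSIG in parsed["answer"]


def check_forwarder(ip, timeout=5.0):
    """Live check (needs network). Returns 'dnssec', 'no-rrsig' or 'timeout'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(), (ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return "dnssec" if has_rrsig(data) else "no-rrsig"


def sample_response(with_rrsig):
    """Constructed reply to build_query(): '. SOA', optional RRSIG, OPT echoed with DO."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)
    question = b"\x00" + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    root = b"\xc0\x0c"                          # pointer to the root name at offset 12
    soa_rdata = b"\x01a\x00\x01b\x00" + struct.pack("!IIIII", 1, 1800, 900, 604800, 86400)
    soa = root + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 86400, len(soa_rdata)) + soa_rdata
    sig_rdata = struct.pack("!HBBIIIH", TYPE_SOA, 8, 0, 86400, 0, 0, 0) + b"\x00" + b"\x00" * 8
    rrsig = root + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 86400, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + soa + (rrsig if with_rrsig else b"") + opt


if __name__ == "__main__":
    # e.g.  python3 check_forwarders.py 219.141.136.10 202.106.0.20
    for forwarder in sys.argv[1:]:
        print(f"{forwarder}: {check_forwarder(forwarder)}")
```

Run it against the forwarders in /etc/resolv.conf before the install. A result of `no-rrsig` on every forwarder means the installer will disable DNSSEC validation for you; either point at validating forwarders or pass `--no-dnssec-validation` deliberately (the option is visible in the installer's option dump later in this thread) so the decision is recorded rather than taken by a warning. A `timeout` from a forwarder reachable from the host but not from inside the container points at container networking rather than at the forwarder.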

adelton commented 1 year ago

The README says:

> When running DNS server (the `--setup-dns` argument to `ipa-server-install`) in a container with read-only root filesystem (the `--read-only` option to `podman run` or `docker run`), the setup code in the container won't be able to edit /etc/resolv.conf in the container to point it to itself. Add `--dns=127.0.0.1` option to the `podman run` or `docker run` invocation to allow the FreeIPA server to reach its own DNS server.

I suspect this might fit your situation.

wentau commented 1 year ago

Thanks for the suggestion!

I have tried adding the `--dns=127.0.0.1` option, but sadly it failed right after the prompted DNS setup. Here are the prompted messages (the first line is a new warning that occurred):

```
WARNING: Localhost DNS setting (--dns=127.0.0.1) may fail in containers.
......
......
......
Checking DNS domain zyyt.org., please wait ...
DNS check for domain zyyt.org. failed: The DNS operation timed out after 24.213485956192017 seconds.
Do you want to configure DNS forwarders? [yes]: 
Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1
Do you want to configure these servers as DNS forwarders? [yes]: 
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 
DNS forwarders: 127.0.0.1
Checking DNS forwarders, please wait ...
DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.101528406143188 seconds
DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.101528406143188 seconds
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

Below is the log file:

ipaserver-install.log

```
2022-12-09T02:39:22Z DEBUG Logging to /var/log/ipaserver-install.log
2022-12-09T02:39:22Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': False, 'ip_addresses': None, 'domain_name': None, 'realm_name': None, 'host_name': None, 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': True, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'skip_mem_check': False, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': True, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'subid': False, 'no_dns_sshfp': False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': None, 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'random_serial_numbers': False, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': False, 'enable_compat': False, 'no_msdcs': False, 'netbios_name': None, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2022-12-09T02:39:22Z DEBUG IPA version 4.10.0-7.el9_1
2022-12-09T02:39:22Z DEBUG IPA platform rhel_container
2022-12-09T02:39:22Z DEBUG IPA os-release Rocky Linux 9.1 (Blue Onyx)
2022-12-09T02:39:22Z DEBUG container detected
2022-12-09T02:39:22Z DEBUG cgroup v1
2022-12-09T02:39:22Z DEBUG Max RAM 9223372036854771712, used RAM 171281551360
2022-12-09T02:39:22Z DEBUG Available memory is 9223371865573220352B
2022-12-09T02:39:22Z DEBUG Searching for an interface of IP address: ::1
2022-12-09T02:39:22Z DEBUG Testing local IP address: ::1/128 (interface: lo)
2022-12-09T02:39:22Z DEBUG Starting external process
2022-12-09T02:39:22Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-12-09T02:39:22Z DEBUG Process finished, return code=1
2022-12-09T02:39:22Z DEBUG stdout=
2022-12-09T02:39:22Z DEBUG stderr=
2022-12-09T02:39:22Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-12-09T02:39:22Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-12-09T02:39:22Z DEBUG httpd is not configured
2022-12-09T02:39:22Z DEBUG kadmin is not configured
2022-12-09T02:39:22Z DEBUG dirsrv is not configured
2022-12-09T02:39:22Z DEBUG pki-tomcatd is not configured
2022-12-09T02:39:22Z DEBUG install is not configured
2022-12-09T02:39:22Z DEBUG krb5kdc is not configured
2022-12-09T02:39:22Z DEBUG named is not configured
2022-12-09T02:39:22Z DEBUG filestore is tracking no files
2022-12-09T02:39:22Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2022-12-09T02:39:22Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-12-09T02:39:22Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-12-09T02:39:22Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-12-09T02:39:22Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-12-09T02:39:23Z DEBUG will use host_name: master.zyyt.org
2022-12-09T02:39:23Z DEBUG read domain_name: zyyt.org
2022-12-09T02:39:24Z DEBUG read realm_name: ZYYT.ORG
2022-12-09T02:39:24Z DEBUG Writing configuration file /etc/ipa/default.conf
2022-12-09T02:39:24Z DEBUG [global]
host = master.zyyt.org
basedn = dc=zyyt,dc=org
realm = ZYYT.ORG
domain = zyyt.org
xmlrpc_uri = https://master.zyyt.org/ipa/xml
ldap_uri = ldapi://%2Frun%2Fslapd-ZYYT-ORG.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10

2022-12-09T02:39:24Z DEBUG importing all plugin modules in ipaserver.plugins...
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.aci
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.automember
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.automount
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.baseldap
2022-12-09T02:39:24Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.baseuser
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.batch
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.ca
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.caacl
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.cert
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.certmap
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.certprofile
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.config
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.delegation
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.dns
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.dnsserver
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.dogtag
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.domainlevel
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.group
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.hbac
2022-12-09T02:39:24Z DEBUG ipaserver.plugins.hbac is not a valid plugin module
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.hbacrule
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.hbactest
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.host
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.hostgroup
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.idp
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.idrange
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.idviews
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.internal
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.join
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.ldap2
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.location
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.migration
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.misc
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.netgroup
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.otp
2022-12-09T02:39:24Z DEBUG ipaserver.plugins.otp is not a valid plugin module
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.otpconfig
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.otptoken
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.passwd
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.permission
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.ping
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.pkinit
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.privilege
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.pwpolicy
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.rabase
2022-12-09T02:39:24Z DEBUG ipaserver.plugins.rabase is not a valid plugin module
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.radiusproxy
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.realmdomains
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.role
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.schema
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.selfservice
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.server
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.serverrole
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.serverroles
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.service
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.servicedelegation
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.session
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.stageuser
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.subid
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.sudo
2022-12-09T02:39:24Z DEBUG ipaserver.plugins.sudo is not a valid plugin module
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.sudocmd
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.sudorule
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.topology
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.trust
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.user
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.vault
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.virtual
2022-12-09T02:39:24Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.whoami
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2022-12-09T02:39:24Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.dns
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_changelog_maxage
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_pwpolicy
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_unhashed_password
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2022-12-09T02:39:24Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2022-12-09T02:39:25Z DEBUG check_port_bindable: Checking IPv4/IPv6 dual stack and TCP
2022-12-09T02:39:25Z DEBUG check_port_bindable: bind success: 8443/TCP
2022-12-09T02:39:25Z DEBUG check_port_bindable: Checking IPv4/IPv6 dual stack and TCP
2022-12-09T02:39:25Z DEBUG check_port_bindable: bind success: 8080/TCP
2022-12-09T02:39:25Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-12-09T02:39:25Z INFO Checking DNS domain zyyt.org., please wait ...
2022-12-09T02:39:49Z WARNING DNS check for domain zyyt.org. failed: The DNS operation timed out after 24.213485956192017 seconds.
2022-12-09T02:39:49Z DEBUG Name master.zyyt.org resolved to {UnsafeIPAddress('172.17.0.2')}
2022-12-09T02:39:49Z DEBUG Searching for an interface of IP address: 172.17.0.2
2022-12-09T02:39:49Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2022-12-09T02:39:49Z DEBUG Testing local IP address: 172.17.0.2/255.255.0.0 (interface: eth0)
2022-12-09T02:39:49Z DEBUG IP address 172.17.0.2 belongs to a private range, using forward policy only
2022-12-09T02:40:32Z DEBUG Checking DNS server: 127.0.0.1
2022-12-09T02:40:42Z ERROR DNS server 127.0.0.1: query '.
SOA': The DNS operation timed out after 10.101528406143188 seconds 2022-12-09T02:40:42Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run return cfgr.run() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 358, in run self.validate() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 368, in validate for _nothing in self._validator(): File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in step = lambda: next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 633, in _configure next(validator) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception 
self.__parent._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in step = lambda: next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 564, in main master_install_check(self) File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 278, in decorated func(installer) File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 687, in install_check dns.install_check(False, api, False, options, host_name) File "/usr/lib/python3.9/site-packages/ipaserver/install/dns.py", line 301, in install_check and not bindinstance.check_forwarders(options.forwarders): File "/usr/lib/python3.9/site-packages/ipaserver/install/bindinstance.py", line 567, in check_forwarders raise RuntimeError("DNS server %s: %s" % 
(forwarder, e)) 2022-12-09T02:40:42Z DEBUG The ipa-server-install command failed, exception: RuntimeError: DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.101528406143188 seconds 2022-12-09T02:40:42Z ERROR DNS server 127.0.0.1: query '. SOA': The DNS operation timed out after 10.101528406143188 seconds 2022-12-09T02:40:42Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ```

It seems the hostname was resolved to a private IP address, 172.17.0.2, rather than the one I set in the docker run environment variable IPA_SERVER_IP. I went on to run ifconfig to inspect all of my nodes; only on this one, where I am attempting to install the IPA server, have I found the 172.17.0.1 IP address. Not sure if this is the issue.

adelton commented 1 year ago

You've set up DNS forwarders to 127.0.0.1, which I don't think can work -- that would just lead to an infinite resolution loop.
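
The loop described here is something a pre-flight check can reject before ipa-server-install ever sends its probe. The following is an added example, not FreeIPA's own code: it imitates what `bindinstance.check_forwarders` in the traceback above does (a `. SOA` query to each forwarder, with the same 10-second patience the log shows), but first refuses any forwarder that is loopback or the server's own address, since the not-yet-installed IPA DNS server cannot answer queries it forwards to itself. The function names, the `sender` hook, the `silent_sender` test double, the constructed reply and the documentation-range address 192.0.2.53 are all this example's own assumptions; 10.5.5.23 is the IPA_SERVER_IP from the issue.

```python
"""Forwarder pre-check in the spirit of bindinstance.check_forwarders.

Added example, not FreeIPA project code. Two things the installer log shows
are worth catching before ipa-server-install is run: a forwarder that is
this server itself (loopback, or the address in IPA_SERVER_IP), which can
only loop, and a forwarder that never answers the installer's '. SOA' probe.
"""
import ipaddress
import socket
import struct

ROOT_SOA_TXID = 0x1234   # fixed transaction id keeps the offline run deterministic


def is_self_referential(forwarder, server_ips):
    """True if forwarding to `forwarder` would point back at this server."""
    addr = ipaddress.ip_address(forwarder)
    if addr.is_loopback:
        return True
    return any(addr == ipaddress.ip_address(ip) for ip in server_ips)


def build_root_soa_query(txid=ROOT_SOA_TXID):
    """DNS wire-format query for '. SOA' with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME for the root zone is a single empty label; QTYPE SOA=6, QCLASS IN=1
    return header + b"\x00" + struct.pack("!HH", 6, 1)


def parse_response(data, txid):
    """Return (rcode, answer_count) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    return flags & 0x000F, an


def probe_forwarder(forwarder, timeout=10.0, sender=None):
    """Send '. SOA' to the forwarder; returns 'ok', 'rcode=N' or 'timeout'.

    `sender` is an injection point (assumed here for offline use): a callable
    taking the query bytes and returning the raw reply, or raising a timeout.
    """
    query = build_root_soa_query(ROOT_SOA_TXID)
    if sender is None:
        family = socket.AF_INET6 if ipaddress.ip_address(forwarder).version == 6 else socket.AF_INET

        def sender(q):
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (forwarder, 53))
                return s.recv(4096)
    try:
        raw = sender(query)
    except (socket.timeout, TimeoutError):
        return "timeout"
    rcode, answers = parse_response(raw, ROOT_SOA_TXID)
    return "ok" if rcode == 0 and answers > 0 else f"rcode={rcode}"


def check_forwarders(forwarders, server_ips, sender=None):
    """Classify each candidate forwarder; loops are rejected without a probe."""
    results = {}
    for fwd in forwarders:
        if is_self_referential(fwd, server_ips):
            results[fwd] = "loop: forwarder is this server"
        else:
            results[fwd] = probe_forwarder(fwd, sender=sender)
    return results


def constructed_root_soa_response(txid=ROOT_SOA_TXID, rcode=0):
    """Constructed sample reply (not captured traffic) for offline runs."""
    an = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, an, 0, 0)
    question = b"\x00" + struct.pack("!HH", 6, 1)
    if not an:
        return header + question
    # one SOA RR: owner '.' as a pointer to offset 12, placeholder MNAME/RNAME
    rdata = b"\x01a\x00" + b"\x05admin\x00" + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return header + question + rr


def silent_sender(_query):
    """Test double for a forwarder that never answers."""
    raise TimeoutError()


if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range address standing in for a real upstream
    healthy = lambda q: constructed_root_soa_response()
    print(check_forwarders(["127.0.0.1", "10.5.5.23", "192.0.2.53"], ["10.5.5.23"], sender=healthy))
```

Run without the `sender` argument to probe real forwarders over UDP port 53; the loop check still runs first and costs no network round trip, which is the difference from waiting ten seconds per forwarder for the installer to time out.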

wentau commented 1 year ago

Makes sense. I will add the --no-forwarders option or enter "no" when prompted for the DNS forwarders configuration.

Sorry, but I have a second question about the DNS check: is it supposed to fail? I mean, when I was not using the --dns=127.0.0.1 option the first time, the prompted message seemed to be OK (?)

adelton commented 1 year ago

It is expected that a misconfigured DNS setup fails.

What the desired correct FreeIPA setup is depends on the desired topology of your DNS and where the primary DNS servers for your individual domains should live. What are you trying to achieve? How would you achieve it with a normal on-host / on-a-VM FreeIPA installation?

I'd suggest you stop trying to use the FreeIPA container and just use some VM and get the setup right because the containerization only adds complexity and you might have some work to do getting the basic understanding and setup right.