freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Certificate not found: caSigningCert cert-pki-ca #509

Closed microbioticajon closed 1 year ago

microbioticajon commented 1 year ago

Hi Guys,

I'm having a bit of trouble getting a server running and am hoping someone can look at my configuration and tell me where I'm going wrong.

OS: Amazon Linux 2
Image: almalinux-9-4.10.0 (and others)
Host: EC2
A-record: freeipa.my.domain (AWS Route53 private hosted zone)
Command:

sudo docker run \
  --name freeipa-server-container \
  --read-only --restart unless-stopped \
  --log-driver awslogs --log-opt awslogs-region=eu-west-2 --log-opt awslogs-group=/ecs/dev-freeipa \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  -v /mnt/ipa_data:/data:Z \
  -h freeipa.my.domain \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  -e PASSWORD=12345678... \
  -e IPA_SERVER_IP=172.... \
  -e DEBUG_TRACE=1 \
  -p 80:80 \
  -p 443:443 \
  -p 389:389 \
  -p 636:636 \
  -p 53:53 \
  -p 53:53/udp \
  -p 88:88 \
  -p 88:88/udp \
  -p 464:464 \
  -p 464:464/udp \
  freeipa/freeipa-server:almalinux-9-4.10.0 \
  -d -U \
  -r MY.DOMAIN \
  --domain my.domain \
  --no-ntp

Install Log at point of error:

...
INFO: Storing cert and request for signing
INFO: Importing signing cert into NSS database
DEBUG: NSSDatabase.add_cert(caSigningCert cert-pki-ca)
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmpol7971sr/password.txt nss-cert-import --format PEM --debug caSigningCert cert-pki-ca
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
FINE: NSSDatabase: Storing password into /tmp/nss-password-6636204075005843057.txt
FINE: NSSDatabase: Command: certutil -A -d /etc/pki/pki-tomcat/alias -f /tmp/nss-password-6636204075005843057.txt -a -n "caSigningCert cert-pki-ca" -t ,, -i /tmp/nss-cert-13850102911832823951.crt
INFO: Initializing CA

Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 646, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(
RuntimeError: CA configuration failed.

sudo less /mnt/ipa_data/var/log/pki/pki-tomcat/ca/debug.2023-01-09.log:

...
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-4] INFO: CAInstallerService: - cert ID: 0x1
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: Creating cert
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - request ID: 0x1
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - request type: pkcs10
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - subject: CN=Certificate Authority,O=MY.DOMAIN
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - cert ID: 0x1
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - cert type: selfsign
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - profile: caCert.profile
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - key algorithm: SHA256withRSA
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - token: internal
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - key ID: 0x65dc7336f95244a23fa2dc7426671b15362671f4
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - issuer: CN=Certificate Authority,O=MY.DOMAIN
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: - signing algorithm: SHA256withRSA
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: Loading /var/lib/pki/pki-tomcat/ca/conf/caCert.profile
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: CAInstallerService: Cert info:
[
  Version: V3
  Subject: CN=Certificate Authority,O=MY.DOMAIN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  algorithm = RSA, unparsed keybits = 
30 82 01 8A 02 82 01 81 00 DB A8 A6 AB E1 DF .......

  Validity: [From: Mon Jan 09 23:14:23 UTC 2023,
               To: Mon Jan 09 23:14:23 UTC 2023]
  Issuer: CN=Certificate Authority,O=MY.DOMAIN
  SerialNumber: [    01]

]
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: LDAPSession: Retrieving cn=1,ou=ca, ou=requests,o=ipaca
2023-01-09 23:14:23 [https-jsse-nio-8443-exec-5] INFO: LDAPSession: Modifying cn=1,ou=ca, ou=requests,o=ipaca
2023-01-09 23:14:27 [https-jsse-nio-8443-exec-7] INFO: CAInstallerService: Initializing subsystem
2023-01-09 23:14:27 [https-jsse-nio-8443-exec-7] INFO: CertificateAuthority: Initializing cert signing unit
2023-01-09 23:14:27 [https-jsse-nio-8443-exec-7] SEVERE: Object certificate not found. Error Certificate not found: caSigningCert cert-pki-ca: Certificate not found: caSigningCert cert-pki-ca
Certificate not found: caSigningCert cert-pki-ca: Certificate not found: caSigningCert cert-pki-ca
 at com.netscape.ca.CASigningUnit.init(CASigningUnit.java:95)
        at com.netscape.ca.CertificateAuthority.initCertSigningUnit(CertificateAuthority.java:1303)
        at org.dogtagpki.server.ca.rest.CAInstallerService.initSubsystem(CAInstallerService.java:321)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        ...

I'm not providing any certificates at the moment and suspect this is where things are breaking down. Any help would be appreciated (apologies in advance if this is an obvious problem...)

adelton commented 1 year ago

I don't see anything suspicious.

Can you try

$ docker='sudo docker' replica=none tests/run-master-and-replica.sh freeipa/freeipa-server:almalinux-9-4.10.0 

and see what it produces?

microbioticajon commented 1 year ago

@adelton Thanks for your quick reply!

The docker logs from docker='sudo docker' replica=none tests/run-master-and-replica.sh freeipa/freeipa-server:almalinux-9-4.10.0:

FreeIPA server is already configured but with different version, volume update.
Wed Jan 11 11:13:28 UTC 2023 /usr/sbin/ipa-server-configure-first upgrade
/etc/resolv.conf /data/etc/resolv.conf.ipa differ: byte 1, line 1
/data/build-id /data-template/build-id differ: byte 1, line 1
FreeIPA server is already configured but with different version, starting upgrade.
+ '[' -n '' ']'
+ output=/dev/null
+ output2=/dev/null
+ /bin/systemctl daemon-reload
+ USERNAME=dirsrv
+ ALLOCATED_UID=389
+ GROUPNAME=dirsrv
+ ALLOCATED_GID=389
+ HOMEDIR=/usr/share/dirsrv
+ getent group dirsrv
+ getent passwd dirsrv
+ sysctl --system
+ true
+ instbase=/etc/dirsrv
+ ninst=0
+ for dir in $instbase/slapd-*
+ echo dir = /etc/dirsrv/slapd-EXAMPLE-TEST
+ '[' '!' -d /etc/dirsrv/slapd-EXAMPLE-TEST ']'
+ case "$dir" in
++ basename /etc/dirsrv/slapd-EXAMPLE-TEST
+ basename=slapd-EXAMPLE-TEST
++ echo slapd-EXAMPLE-TEST
++ sed -e s/slapd-//g
+ inst=dirsrv@EXAMPLE-TEST
+ echo found instance dirsrv@EXAMPLE-TEST - getting status
+ /bin/systemctl -q is-active dirsrv@EXAMPLE-TEST
+ echo instance dirsrv@EXAMPLE-TEST is not running
++ expr 0 + 1
+ ninst=1
+ '[' 1 -eq 0 ']'
+ echo shutting down all instances . . .
+ '[' -f /data/etc/named.conf ']'
++ uname -m
+ PLATFORM=x86_64
+ '[' x86_64 == x86_64 ']'
+ LIBPATH=/usr/lib64
+ read -r PATTERN
+ SEDSCRIPT+='/^\s*dynamic-db/,/};/ {'
+ read -r PATTERN
+ SEDSCRIPT+=
+ read -r PATTERN
+ SEDSCRIPT+='s/\(\s*\)arg\s\+\(["'\'']\)\([a-zA-Z_]\+\s\)/\1\3\2/g;'
+ read -r PATTERN
+ SEDSCRIPT+=
+ read -r PATTERN
+ SEDSCRIPT+='s/^dynamic-db/dyndb/;'
+ read -r PATTERN
+ SEDSCRIPT+=
+ read -r PATTERN
+ SEDSCRIPT+='s@\(dyndb "[^"]\+"\)@\1 "/usr/lib64/bind/ldap.so"@;'
+ read -r PATTERN
+ SEDSCRIPT+='s@\(dyndb '\''[^'\'']\+'\''\)@\1 '\''/usr/lib64/bind/ldap.so'\''@;'
+ read -r PATTERN
+ SEDSCRIPT+=
+ read -r PATTERN
+ SEDSCRIPT+='/\s*library[^;]\+;/d;'
+ read -r PATTERN
+ SEDSCRIPT+='/\s*cache_ttl[^;]\+;/d;'
+ read -r PATTERN
+ SEDSCRIPT+='/\s*psearch[^;]\+;/d;'
+ read -r PATTERN
+ SEDSCRIPT+='/\s*serial_autoincrement[^;]\+;/d;'
+ read -r PATTERN
+ SEDSCRIPT+='/\s*zone_refresh[^;]\+;/d;'
+ read -r PATTERN
+ SEDSCRIPT+='}'
+ read -r PATTERN
+ sed -i.bak -e '/^\s*dynamic-db/,/};/ {s/\(\s*\)arg\s\+\(["'\'']\)\([a-zA-Z_]\+\s\)/\1\3\2/g;s/^dynamic-db/dyndb/;s@\(dyndb "[^"]\+"\)@\1 "/usr/lib64/bind/ldap.so"@;s@\(dyndb '\''[^'\'']\+'\''\)@\1 '\''/usr/lib64/bind/ldap.so'\''@;/\s*library[^;]\+;/d;/\s*cache_ttl[^;]\+;/d;/\s*psearch[^;]\+;/d;/\s*serial_autoincrement[^;]\+;/d;/\s*zone_refresh[^;]\+;/d;}' /data/etc/named.conf
+ test 2 -eq 1
+ test 2 -gt 1
+ /usr/bin/getcert remove-ca -c certmaster
No CA with name "certmaster" found.
+ :
+ test 2 -eq 1
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Set OpenSSL engine for BIND]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
Upgrading IPA services
Disabled p11-kit-proxy
Restarting ipa-dnskeysyncd
Updating DNS system records
Invalid IP address fe80::{...} for ipa.example.test.: cannot use link-local IP address fe80::{...}
named user config '/data/etc/named/ipa-ext.conf' already exists
named user config '/data/etc/named/ipa-options-ext.conf' already exists
named user config '/data/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Updating ACME configuration]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root@EXAMPLE.TEST alias to admin account]
Alias already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable server krb5.conf snippet]
[Setup kpasswd_server]
[Adding ipa-ca alias to HTTP certificate]
Certificate is OK; nothing to do
The IPA services were upgraded
The ipa-server-upgrade command was successful
FreeIPA server upgraded.
Wed Jan 11 11:15:14 UTC 2023 /usr/sbin/ipa-server-configure-first update-self-ip-address
ipa.example.test has address 172.{...}
FreeIPA server started.

To my untrained eye, nothing seems out of place. I'm a little bit stuck...

adelton commented 1 year ago

Before that

FreeIPA server is already configured but with different version

part there was likely a part that actually ran ipa-server-install and configured the FreeIPA server, and it clearly passed. And there you would also see the sudo docker run commands and their parameters.

That should give you a baseline for incrementally tweaking the parameters from the working setup to the parameters in your example, to figure out which one is making the difference and breaking the CA configuration.

microbioticajon commented 1 year ago

Thanks @adelton, I will give that a try and report back.

microbioticajon commented 1 year ago

After a bit of messing about I was able to get the installation to complete. The critical component of the configuration was -v /mnt/ipa_data:/data:Z where /mnt/ipa_data was an AWS EFS mount. The container absolutely had write permissions to this location as evidenced by the presence of log files and other data/ files and directories written by the container - odd...

Starting the container with a local data folder I'm still having issues and cannot connect to the web interface. I'm not sure these are related but will post them here:

data/var/log/httpd/error_log

[Sun Jan 15 22:30:21.930014 2023] [suexec:notice] [pid 3752:tid 3752] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Jan 15 22:30:22.007322 2023] [lbmethod_heartbeat:notice] [pid 3752:tid 3752] AH02282: No slotmem from mod_heartmonitor
[Sun Jan 15 22:30:22.016530 2023] [mpm_event:notice] [pid 3752:tid 3752] AH00489: Apache/2.4.53 (AlmaLinux) OpenSSL/3.0.1 mod_auth_gssapi/1.6.3 mod_wsgi/4.7.1 Python/3.9 configured -- resuming normal operations
[Sun Jan 15 22:30:22.016558 2023] [core:notice] [pid 3752:tid 3752] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sun Jan 15 22:30:22.025873 2023] [wsgi:alert] [pid 3756:tid 3756] (2)No such file or directory: mod_wsgi (pid=3756): Unable to change working directory to home directory '/var/lib/kdcproxy' for uid=288.
[Sun Jan 15 22:30:22.025899 2023] [wsgi:alert] [pid 3756:tid 3756] mod_wsgi (pid=3756): Failure to configure the daemon process correctly and process left in unspecified state. Restarting daemon process after delay.
[Sun Jan 15 22:30:22.044199 2023] [wsgi:alert] [pid 3755:tid 3755] (2)No such file or directory: mod_wsgi (pid=3755): Unable to change working directory to home directory '/var/lib/kdcproxy' for uid=288.
.............. repeating.....

This is generating a lot of log entries...

And probably unrelated - /data/var/log/pki/pki-tomcat/ca/debug.2023-01-15.log ends in a continuous loop of:

2023-01-15 22:31:20 [AuthorityMonitor] SEVERE: LdapBoundConnFactory: Unable to create master connection: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused
Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused
...
2023-01-15 22:31:20 [AuthorityMonitor] WARNING: AuthorityMonitor: Failed to get LDAPConnection: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused
Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused
...

I'm much further than I was, so thanks for your help @adelton
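As an added example (not code from this thread or from the freeipa-container project), the following POSIX shell helper encodes the two findings above: it checks a candidate /data directory for writability and for sitting on a network filesystem such as the EFS mount that broke the CA install here, and it triages an install log for the error signatures quoted in this issue. The script name preflight.sh, the function names and the list of remote filesystem types are assumptions.

```shell
#!/bin/sh
# Pre-flight and log-triage helpers for the freeipa-server container's /data
# volume. Added example, not part of freeipa-container; assumes a stat(1)
# that accepts -f -c '%T' (GNU/busybox) and grep(1). The log signatures are
# the ones quoted in this thread.

# check_data_dir DIR: the reporter's EFS volume was writable yet still broke
# the CA install, so test writability AND that the filesystem is local. EFS
# is mounted as NFS, so nfs/nfs4 (plus cifs/smb2) count as remote. 0 = usable.
check_data_dir() {
    [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 1; }
    probe="$1/.ipa-preflight.$$"
    ( : > "$probe" ) 2>/dev/null || { echo "FAIL: $1 is not writable"; return 1; }
    rm -f "$probe"
    t=$(stat -f -c '%T' "$1" 2>/dev/null || true)
    case "$t" in
        nfs|nfs4|cifs|smb2) echo "WARN: $1 is on $t; use a local directory for /data"; return 1 ;;
    esac
    echo "OK: $1 is writable and local (${t:-unknown fs type})"
}

# Constructed sample log: the three error lines quoted in this thread.
sample_log() {
    cat <<'EOF'
2023-01-09 23:14:27 [https-jsse-nio-8443-exec-7] SEVERE: Certificate not found: caSigningCert cert-pki-ca
[Sun Jan 15 22:30:22.025873 2023] [wsgi:alert] mod_wsgi (pid=3756): Unable to change working directory to home directory '/var/lib/kdcproxy' for uid=288.
2023-01-15 22:31:20 [AuthorityMonitor] SEVERE: LdapBoundConnFactory: Unable to create master connection: Connection refused
EOF
}

# triage_install_log FILE: print one diagnosis per known signature and return
# the number of signatures matched (0 = nothing recognised).
triage_install_log() {
    n=0
    if grep -q 'Certificate not found: caSigningCert cert-pki-ca' "$1"; then
        echo 'CA: signing cert never reached the pki-tomcat NSS db (thread cause: /data on EFS)'; n=$((n+1)); fi
    if grep -q "home directory '/var/lib/kdcproxy'" "$1"; then
        echo 'HTTPD: repeating mod_wsgi kdcproxy alert; the web UI still came up in the thread'; n=$((n+1)); fi
    if grep -q 'LdapBoundConnFactory: Unable to create master connection' "$1"; then
        echo 'PKI: pki-tomcat cannot reach the directory server; check the dirsrv instance is up'; n=$((n+1)); fi
    return "$n"
}

# Usage: sh preflight.sh DATA_DIR [INSTALL_LOG]; without a log, triage the sample.
if [ $# -gt 0 ]; then
    check_data_dir "$1"
    log=$2; [ -n "$log" ] || { log=$(mktemp); sample_log > "$log"; }
    triage_install_log "$log"; echo "matched $? signature(s)"
fi
```

Run it against the host directory you intend to bind-mount as /data before the first ipa-server-install, and against the container's install log afterwards if the CA step fails.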

microbioticajon commented 1 year ago

Update - I can connect to the web server! But the logs filling up with wsgi:alerts is still a thing.

I will close this issue as it has largely been resolved (issue with data/ volume mount). If there is a comment to be made regarding the logs I'm seeing then please feel free to comment but otherwise, thanks for your help!