freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Provided but not resolved address(es): 172.18.0.2 #512

Closed patsevanton closed 1 year ago

patsevanton commented 1 year ago

Hello!

Docker-compose

version: "3.8"

services:
  freeipa:
    image: freeipa/freeipa-server:fedora-37-4.10.1
    container_name: freeipa
    restart: unless-stopped
    hostname: zzzzzz
    ports:
      - 123:123/udp
      - 389:389
      - 443:443
      - 464:464
      - 464:464/udp
      - 636:636
      - 80:80
      - 88:88
      - 88:88/udp
    dns:
      - 127.0.0.1
    tty: true
    stdin_open: true
    command:
      - --admin-password=xxxx
      - --dirsrv-pin=xxxx
      - --ds-password=xxx
      - --http-pin=xxxx
      - --realm=yyyyy
      - --unattended
      - --external-ca
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /var/lib/freeipa:/data
      - /etc/docker-compose/ca:/ca
      - /etc/docker-compose/freeiparoot:/root
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      - "seccomp:unconfined"
    tmpfs:
    - /tmp
    - /run

I run it and get this error:

freeipa  | systemd 251.10-588.fc37 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
freeipa  | Detected virtualization container-other.
freeipa  | Detected architecture x86-64.
freeipa  | bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
freeipa  | Queued start job for default target container-ipa.target.
freeipa  | 
freeipa  | The log file for this installation can be found in /var/log/ipaserver-install.log
freeipa  | Thu Jan 12 09:22:21 UTC 2023 /usr/sbin/ipa-server-configure-first 
freeipa  | ==============================================================================
freeipa  | This program will set up the IPA Server.
freeipa  | Version 4.10.1
freeipa  | 
freeipa  | This includes:
freeipa  |   * Configure a stand-alone CA (dogtag) for certificate management
freeipa  |   * Configure the NTP client (chronyd)
freeipa  |   * Create and configure an instance of Directory Server
freeipa  |   * Create and configure a Kerberos Key Distribution Center (KDC)
freeipa  |   * Configure Apache (httpd)
freeipa  |   * Configure SID generation
freeipa  |   * Configure the KDC to enable PKINIT
freeipa  | 
freeipa  | Error: the hostname resolves to IP address(es) that are different
freeipa  | from those provided on the command line.  Please fix your DNS
freeipa  | or /etc/hosts file and restart the installation.
freeipa  | Provided but not resolved address(es): 172.18.0.2

Debug:

docker exec -it fc cat /etc/resolv.conf
search ru-central1.internal auto.internal
nameserver 127.0.0.11
options edns0 trust-ad ndots:0

docker exec -it fc cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.28.0.2  zzzzzzzzz freeipa

docker exec -it fc  nslookup zzzzzzzzz 
Server:   127.0.0.11
Address:  127.0.0.11#53

Non-authoritative answer:
Name: zzzzzzzzz
Address: 172.28.0.2

docker exec -it fc  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
239: eth0@if240: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:1c:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.28.0.2/16 brd 172.28.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe1c:2/64 scope link 
       valid_lft forever preferred_lft forever

Log:

docker exec -it 15 cat /var/log/ipaserver-install.log
2023-01-12T08:54:31Z DEBUG Logging to /var/log/ipaserver-install.log
2023-01-12T08:54:31Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': True, 'ip_addresses': None, 'domain_name': None, 'realm_name': 'apatsev.org.ru', 'host_name': None, 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'skip_mem_check': False, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'subid': False, 'no_dns_sshfp': False, 'external_ca': True, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': None, 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'random_serial_numbers': False, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': False, 'enable_compat': False, 'no_msdcs': False, 'netbios_name': None, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2023-01-12T08:54:31Z DEBUG IPA version 4.10.1-1.fc37
2023-01-12T08:54:31Z DEBUG IPA platform fedora_container
2023-01-12T08:54:31Z DEBUG IPA os-release Fedora Linux 37 (Container Image)
2023-01-12T08:54:31Z DEBUG container detected
2023-01-12T08:54:31Z DEBUG cgroup v1
2023-01-12T08:54:31Z DEBUG Max RAM 9223372036854771712, used RAM 2676039680
2023-01-12T08:54:31Z DEBUG Available memory is 9223372034178732032B
2023-01-12T08:54:31Z DEBUG Searching for an interface of IP address: ::1
2023-01-12T08:54:31Z DEBUG Testing local IP address: ::1/128 (interface: lo)
2023-01-12T08:54:31Z DEBUG Starting external process
2023-01-12T08:54:31Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-01-12T08:54:31Z DEBUG Process finished, return code=1
2023-01-12T08:54:31Z DEBUG stdout=
2023-01-12T08:54:31Z DEBUG stderr=
2023-01-12T08:54:31Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-01-12T08:54:31Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-01-12T08:54:31Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-01-12T08:54:31Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-01-12T08:54:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-01-12T08:54:31Z DEBUG Starting external process
2023-01-12T08:54:31Z DEBUG args=['/usr/bin/gpg-agent', '--batch', '--homedir', '/tmp/tmp4ljkpg70ipa/ipa-3dq43sxf', '--daemon', '/usr/bin/gpg', '--batch', '--homedir', '/tmp/tmp4ljkpg70ipa/ipa-3dq43sxf', '--passphrase-fd', '0', '--yes', '--no-tty', '-o', '/tmp/tmp4ljkpg70ipa/cache', '-d', '/root/.ipa_cache']
2023-01-12T08:54:31Z DEBUG Process finished, return code=0
2023-01-12T08:54:31Z DEBUG Starting external process
2023-01-12T08:54:31Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ntpd.service']
2023-01-12T08:54:31Z DEBUG Process finished, return code=1
2023-01-12T08:54:31Z DEBUG stdout=
2023-01-12T08:54:31Z DEBUG stderr=Failed to get unit file state for ntpd.service: No such file or directory

2023-01-12T08:54:31Z DEBUG Starting external process
2023-01-12T08:54:31Z DEBUG args=['/bin/systemctl', 'is-active', 'ntpd.service']
2023-01-12T08:54:31Z DEBUG Process finished, return code=3
2023-01-12T08:54:31Z DEBUG stdout=inactive

2023-01-12T08:54:31Z DEBUG stderr=
2023-01-12T08:54:31Z DEBUG Starting external process
2023-01-12T08:54:31Z DEBUG args=['/bin/systemctl', 'is-enabled', 'systemd-timesyncd.service']
2023-01-12T08:54:31Z DEBUG Process finished, return code=1
2023-01-12T08:54:31Z DEBUG stdout=
2023-01-12T08:54:31Z DEBUG stderr=Failed to get unit file state for systemd-timesyncd.service: No such file or directory

2023-01-12T08:54:31Z DEBUG Starting external process
2023-01-12T08:54:31Z DEBUG args=['/bin/systemctl', 'is-active', 'systemd-timesyncd.service']
2023-01-12T08:54:31Z DEBUG Process finished, return code=3
2023-01-12T08:54:31Z DEBUG stdout=inactive

2023-01-12T08:54:31Z DEBUG stderr=
2023-01-12T08:54:31Z DEBUG Check if zzzzzzzzzzzz is a primary hostname for localhost
2023-01-12T08:54:31Z DEBUG Primary hostname for localhost: zzzzz
2023-01-12T08:54:31Z DEBUG Search DNS for zzzzzz
2023-01-12T08:54:31Z DEBUG Check if zzzzzz is not a CNAME
2023-01-12T08:54:31Z DEBUG Check reverse address of 172.25.0.2
2023-01-12T08:54:31Z DEBUG Found reverse name: zzzzz
2023-01-12T08:54:31Z DEBUG will use host_name: zzzzzzz

2023-01-12T08:54:31Z DEBUG Writing configuration file /etc/ipa/default.conf
2023-01-12T08:54:31Z DEBUG [global]
host = zzzzzzz
basedn = dc=zzz,dc=zzzz,dc=zzzz
realm = YYYYYYY
domain = zzzzzz
xmlrpc_uri = https://zzzzzz/ipa/xml
ldap_uri = ldapi://%2Frun%2Fslapd-YYYYY.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10

2023-01-12T08:54:32Z DEBUG check_port_bindable: Checking IPv4/IPv6 dual stack and TCP
2023-01-12T08:54:32Z DEBUG check_port_bindable: bind success: 8443/TCP
2023-01-12T08:54:32Z DEBUG check_port_bindable: Checking IPv4/IPv6 dual stack and TCP
2023-01-12T08:54:32Z DEBUG check_port_bindable: bind success: 8080/TCP
2023-01-12T08:54:32Z DEBUG Name zzzzzzzzz resolved to {UnsafeIPAddress('172.25.0.2')}
2023-01-12T08:54:32Z DEBUG   File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
           ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 358, in run
    self.validate()
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 368, in validate
    for _nothing in self._validator():
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
                   ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 633, in _configure
    next(validator)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
                   ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/__init__.py", line 564, in main
    master_install_check(self)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/install.py", line 695, in install_check
    ip_addresses = get_server_ip_address(host_name,
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/install/installutils.py", line 562, in get_server_ip_address
    raise ScriptError()

2023-01-12T08:54:32Z DEBUG The ipa-server-install command failed, exception: ScriptError: 
2023-01-12T08:54:32Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

adelton commented 1 year ago

You need to find out where that 172.25.0.2 comes from.

You show outputs from docker exec to various containers (fc, 15) while the one started by the docker-compose is freeipa, and with a varying mix of hostnames (zzzzzz, zzzzzzzzz, zzzzz). You really need to make things consistent.

As for the

    dns:
      - 127.0.0.1

-- what are you trying to achieve with that? Use the DNS server on the host running the container, or something else? Note that some docker engine versions use some logic to turn that into the IP address of docker's embedded DNS server (127.0.0.11), so the question is how that ends up being used.

But the primary goal should be to debug the freeipa container, not some others. You might want to check out the DEBUG_NO_EXIT environment variable or the no-exit directive in https://github.com/freeipa/freeipa-container#debugging as well.

I also wonder about the cgroup v1 being reported -- if this is a recent Fedora host like https://github.com/freeipa/freeipa-container/issues/510 indicated, you should be using v2 by now.
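A preflight version of the check that fails in this issue, added here as an illustration and not FreeIPA's installer code: it resolves the hostname through /etc/hosts content and compares the result with the container's global-scope addresses, the same way the installer's get_server_ip_address compares resolved and provided addresses before reporting "Provided but not resolved address(es)". The sample inputs are constructed (modelled on the docker exec outputs above) and the hostname freeipa.example.test is an assumption; a real container may additionally get answers from Docker's embedded DNS on 127.0.0.11, which this simplified check does not consult.

```python
import ipaddress
import re

# Constructed /etc/hosts content modelled on the paste in this issue; note the
# address here (172.28.0.2) deliberately differs from the interface below.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
172.28.0.2  freeipa.example.test freeipa
"""

# Constructed `ip -4 -o addr` style output for the same container.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
239: eth0    inet 172.25.0.2/16 brd 172.25.255.255 scope global eth0
"""

def hosts_lookup(hosts_text, hostname):
    """Return the set of addresses /etc/hosts maps to hostname (names compared case-insensitively)."""
    found = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            found.add(ipaddress.ip_address(addr))
    return found

def local_addresses(ip_addr_text):
    """Return the set of global-scope IPv4 addresses configured on local interfaces."""
    found = set()
    for line in ip_addr_text.splitlines():
        m = re.search(r"\binet (\S+?)/\d+ .*scope global", line)
        if m:
            found.add(ipaddress.ip_address(m.group(1)))
    return found

def check_server_ip(hostname, hosts_text, ip_addr_text):
    """Mirror the installer's requirement: the addresses the hostname resolves to
    must match the addresses the host actually has ("provided" when none are
    given on the command line). Both difference sets are reported for debugging."""
    resolved = hosts_lookup(hosts_text, hostname)
    local = local_addresses(ip_addr_text)
    return {
        "ok": bool(resolved) and resolved == local,
        "provided_not_resolved": sorted(str(a) for a in local - resolved),
        "resolved_not_provided": sorted(str(a) for a in resolved - local),
    }
```

Run it against the real files with the output of docker exec freeipa cat /etc/hosts and docker exec freeipa ip -4 -o addr from the one container you are installing, not from other containers.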

patsevanton commented 1 year ago

Thanks! I reinstalled the virtual machine, docker and docker-compose. This docker-compose worked:

version: "3.8"

services:
  freeipa:
    image: freeipa/freeipa-server:fedora-37-4.10.1
    container_name: freeipa
    restart: unless-stopped
    hostname: freeipa.apatsev.org.io
    ports:
      - 123:123/udp
      - 389:389
      - 443:443
      - 464:464
      - 464:464/udp
      - 636:636
      - 80:80
      - 88:88
      - 88:88/udp
    dns:
      - ns1.yandexcloud.net
      - 1.1.1.1
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: freeipa.apatsev.org.io
      TZ: "Europe/Moscow"
    command:
      - --admin-password=password
      - --dirsrv-pin=password
      - --ds-password=password
      - --http-pin=password
      - --realm=apatsev.org.io
      - --unattended
      - --external-ca
      - --external_cert_file=/root/certificate.crt
      - --external_ca_file=/ca/ca_cert.crt
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /var/lib/freeipa:/data
      - /etc/docker-compose/ca:/ca
      - /etc/docker-compose/freeiparoot:/root
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      - "seccomp:unconfined"
    tmpfs:
    - /tmp
    - /run