freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Container does not come online (Docker) #532

Closed ricardorrs closed 1 year ago

ricardorrs commented 1 year ago

Hello, good afternoon.

I would like your help.

I am trying to bring up a container to run some tests, but without success.

I use vagrant+virtualbox to bring up an image with an updated rockylinux 9 + docker and docker-compose.

I am using the following command.

 cat /etc/hosts
       192.168.1.10 ipa.example.test  ipa

mkdir /var/lib/freeipa-data

git clone https://github.com/freeipa/freeipa-container.git 

cd freeipa-container

docker build -t freeipa-conteiner -f Dockerfile.rocky-9 .
docker run --name freeipa-server-container -ti \
    -h ipa.example.test -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
    --read-only --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    --privileged \
    --security-opt seccomp:unconfined --tmpfs /run \
    -v /var/lib/freeipa-data:/data:Z freeipa-conteiner

When starting the container I go through the bind, domain, password and ntp configuration and see some services start and stop.

Initializing machine ID from random generator. Queued start job for default target Minimal target for containerized FreeIPA server. Fri May 12 16:02:23 UTC 2023 /usr/sbin/ipa-server-configure-first

The log file for this installation can be found in /var/log/ipaserver-install.log This program will set up the IPA Server. Version 4.10.0

This includes:

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form

. Example: master.example.com Server host name [ipa.example.test]: The domain name has been determined based on the host name. Please confirm the domain name [example.test]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [EXAMPLE.TEST]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Trust is configured but no NetBIOS domain name found, setting it now. Enter the NetBIOS name for the IPA domain. Only up to 15 uppercase ASCII letters, digits and dashes are allowed. Example: EXAMPLE. NetBIOS domain name [EXAMPLE]: Do you want to configure chrony with NTP server or pool address? [no]: The IPA Master Server will be configured with: Hostname: ipa.example.test IP address(es): 172.17.0.3 Domain name: example.test Realm name: EXAMPLE.TEST The CA will be configured with: Subject DN: CN=Certificate Authority,O=EXAMPLE.TEST Subject base: O=EXAMPLE.TEST Chaining: self-signed Continue to configure the system with these values? [no]: y The following operations may take some minutes to complete. Please wait until the prompt is returned. Disabled p11-kit-proxy Synchronizing time No SRV records of NTP servers found and no NTP server or pool address was provided. Using default chrony configuration. Starting NTP client/server... [ OK ] Started NTP client/server. Attempting to sync time with chronyc. 
[] A start job is running for Configure IPA server upon the first start (52s / no limit) Time synchronization was successful. Configuring directory server (dirsrv). Estimated time: 30 seconds [1/42]: creating directory server instance [] A start job is running for Configure IPA server upon the first start (52s / no limit) Create file system structures ... Perform SELinux labeling ... [ OK ] Created slice Slice /system/dirsrv. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. Create database backend: dc=example,dc=test ... Perform post-installation tasks ... Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. [2/42]: tune ldbm plugin [3/42]: adding default schema [4/42]: enabling memberof plugin [5/42]: enabling winsync plugin [6/42]: configure password logging [7/42]: configuring replication version plugin [8/42]: enabling IPA enrollment plugin [9/42]: configuring uniqueness plugin [10/42]: configuring uuid plugin [11/42]: configuring modrdn plugin [12/42]: configuring DNS plugin [13/42]: enabling entryUSN plugin [14/42]: configuring lockout plugin [15/42]: configuring graceperiod plugin [16/42]: configuring topology plugin [17/42]: creating indices [18/42]: enabling referential integrity plugin [19/42]: configuring certmap.conf [20/42]: configure new location for managed entries [21/42]: configure dirsrv ccache and keytab [] A start job is running for Configure IPA server upon the first start (1min 5s / no limit) [22/42]: enabling SASL mapping fallback Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. 
[24/42]: adding sasl mappings to the directory [25/42]: adding default layout [26/42]: adding delegation layout [27/42]: creating container for managed entries [28/42]: configuring user private groups [29/42]: configuring netgroups from hostgroups [30/42]: creating default Sudo bind user [31/42]: creating default Auto Member layout [32/42]: adding range check plugin [33/42]: creating default HBAC rule allow_all [34/42]: adding entries for topology management [35/42]: initializing group membership [36/42]: adding master entry [ ] A start job is running for Configure IPA server upon the first start (1min 14s / no limit) [37/42]: initializing domain level [38/42]: configuring Posix uid/gid generation [39/42]: adding replication acis [40/42]: activating sidgen plugin [41/42]: activating extdom plugin [42/42]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc) [1/10]: adding kerberos container to the directory [2/10]: configuring KDC [3/10]: initialize kerberos container [4/10]: adding default ACIs [5/10]: creating a keytab for the directory [6/10]: creating a keytab for the machine [7/10]: adding the password extension to the directory [8/10]: creating anonymous principal [ OK ] Reached target Network is Online. Starting Kerberos 5 KDC... [ OK ] Started Kerberos 5 KDC. [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin Starting Kerberos 5 Password-changing and Administration... [ OK ] Started Kerberos 5 Password-changing and Administration. [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa-custodia [1/5]: Making sure custodia container exists [2/5]: Generating ipa-custodia config file [3/5]: Generating ipa-custodia keys [4/5]: starting ipa-custodia Starting IPA Custodia Service... [ OK ] Started IPA Custodia Service. [5/5]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. 
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance [ OK ] Created slice Slice /system/pki-tomcatd. Starting PKI Tomcat Server pki-tomcat... [ OK ] Started PKI Tomcat Server pki-tomcat. Stopping PKI Tomcat Server pki-tomcat... [ OK ] Stopped PKI Tomcat Server pki-tomcat. Starting PKI Tomcat Server pki-tomcat... [ OK ] Started PKI Tomcat Server pki-tomcat. [ ] A start job is running for Configure IPA server upon the first start (2min 49s / no limit) Stopping PKI Tomcat Server pki-tomcat... [ OK ] Stopped PKI Tomcat Server pki-tomcat. [3/30]: backing up CS.cfg [4/30]: Add ipa-pki-wait-running [5/30]: secure AJP connector [6/30]: reindex attributes [7/30]: exporting Dogtag certificate store pin [8/30]: disabling nonces [9/30]: set up CRL publishing [10/30]: enable PKIX certificate path discovery and validation [11/30]: authorizing RA to modify profiles [12/30]: authorizing RA to manage lightweight CAs [13/30]: Ensure lightweight CAs container exists [14/30]: Ensuring backward compatibility [15/30]: starting certificate server instance Starting PKI Tomcat Server pki-tomcat... [ OK ] Started PKI Tomcat Server pki-tomcat. [16/30]: configure certmonger for renewals Starting Certificate monitoring and PKI enrollment... [ OK ] Started Certificate monitoring and PKI enrollment. 
[17/30]: requesting RA certificate from CA [ ] A start job is running for Configure IPA server upon the first start (3min 9s / no limit) [18/30]: publishing the CA certificate [19/30]: adding RA agent as a trusted user [ ] A start job is running for Configure IPA server upon the first start (3min 14s / no limit) [21/30]: Configure HTTP to proxy connections [22/30]: updating IPA configuration [23/30]: enabling CA instance [24/30]: importing IPA certificate profiles [25/30]: migrating certificate profiles to LDAP [26/30]: adding default CA ACL [27/30]: adding 'ipa' CA entry [28/30]: Recording random serial number state [29/30]: configuring certmonger renewal for lightweight CAs [30/30]: deploying ACME service Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv) Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. [2/3]: adding CA certificate entry [3/3]: restarting directory server Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. Done configuring directory server (dirsrv). Stopping PKI Tomcat Server pki-tomcat... [ OK ] Stopped PKI Tomcat Server pki-tomcat. Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. Starting PKI Tomcat Server pki-tomcat... [ OK ] Started PKI Tomcat Server pki-tomcat. Configuring ipa-otpd [1/2]: starting ipa-otpd [ OK ] Listening on ipa-otpd socket. [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. 
Configuring the web interface (httpd) [1/22]: stopping httpd [2/22]: backing up ssl.conf [3/22]: disabling nss.conf [4/22]: configuring mod_ssl certificate paths [5/22]: setting mod_ssl protocol list [6/22]: configuring mod_ssl log directory [7/22]: disabling mod_ssl OCSP [8/22]: adding URL rewriting rules [9/22]: configuring httpd Nothing to do for configure_httpd_wsgi_conf [10/22]: setting up httpd keytab [11/22]: configuring Gssproxy Starting GSSAPI Proxy Daemon... [ OK ] Started GSSAPI Proxy Daemon. [12/22]: setting up ssl [13/22]: configure certmonger for renewals [14/22]: publish CA cert [15/22]: clean up any existing httpd ccaches [16/22]: enable ccache sweep [17/22]: configuring SELinux for httpd [18/22]: create KDC proxy config [19/22]: enable KDC proxy [20/22]: starting httpd Starting One-time temporary TLS key generation for httpd.service... [ OK ] Finished One-time temporary TLS key generation for httpd.service. Starting The Apache HTTP Server... [ OK ] Started The Apache HTTP Server. [21/22]: configuring httpd to start on boot [22/22]: enabling oddjobd [ OK ] Started privileged operations for unprivileged applications. Done configuring the web interface (httpd). Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Stopping Kerberos 5 KDC... [ OK ] Stopped Kerberos 5 KDC. Starting Kerberos 5 KDC... [ OK ] Started Kerberos 5 KDC. Done configuring Kerberos KDC (krb5kdc). Stopping Kerberos 5 KDC... [ OK ] Stopped Kerberos 5 KDC. Starting Kerberos 5 KDC... [ OK ] Started Kerberos 5 KDC. Applying LDAP updates Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server Starting 389 Directory Server EXAMPLE-TEST.... 
[ OK ] Started 389 Directory Server EXAMPLE-TEST.. [7/10]: upgrading server [] A start job is running for Configure IPA server upon the first start (4min 54s / no limit) [] A start job is running for Configure IPA server upon the first start (5min 57s / no limit) Could not get dnaHostname entries in 60 seconds Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. [9/10]: restoring configuration [10/10]: starting directory server Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. Done. Restarting the KDC Stopping Kerberos 5 KDC... [ OK ] Stopped Kerberos 5 KDC. Starting Kerberos 5 KDC... [ OK ] Started Kerberos 5 KDC. Configuring SID generation [1/8]: creating samba domain object [2/8]: adding admin(group) SIDs [3/8]: adding RID bases [4/8]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [5/8]: activating sidgen task [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account Stopping 389 Directory Server EXAMPLE-TEST.... [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. Starting 389 Directory Server EXAMPLE-TEST.... [ OK ] Started 389 Directory Server EXAMPLE-TEST.. [7/8]: adding fallback group [8/8]: adding SIDs to existing users and groups This step may take considerable amount of time, please wait.. Done. Configuring client side components This program will set up IPA client. Version 4.10.0 The sudo binary does not seem to be present on this system. Please consider installing sudo if required. Using existing certificate '/etc/ipa/ca.crt'. Client hostname: ipa.example.test Realm: EXAMPLE.TEST DNS Domain: example.test IPA Server: ipa.example.test BaseDN: dc=example,dc=test Configured /etc/sssd/sssd.conf No valid Negotiate header in server response The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information Configuration of client side components failed! 
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information [FAILED] Failed to start Configure IPA server upon the first start. See 'systemctl status ipa-server-configure-first.service' for details. [ OK ] Stopped target Minimal target for containerized FreeIPA server. [ OK ] Closed ipa-otpd socket. Unmounting /data... Unmounting /etc/hostname... Unmounting /etc/hosts... Unmounting /etc/resolv.conf... Unmounting /var/log/journal... Stopping Certificate monitoring and PKI enrollment... Stopping 389 Directory Server EXAMPLE-TEST.... FreeIPA server configuration failed. Stopping GSSAPI Proxy Daemon... Stopping The Apache HTTP Server... Stopping IPA Custodia Service... Stopping Kerberos 5 Password-changing and Administration... Stopping Kerberos 5 KDC... Stopping privileged operations for unprivileged applications... Stopping PKI Tomcat Server pki-tomcat... [ OK ] Stopped Kerberos 5 Password-changing and Administration. [ OK ] Stopped IPA Custodia Service. [ OK ] Stopped Certificate monitoring and PKI enrollment. [ OK ] Stopped GSSAPI Proxy Daemon. [ OK ] Stopped privileged operations for unprivileged applications. [ OK ] Stopped Kerberos 5 KDC. [FAILED] Failed unmounting /data. [ OK ] Unmounted /etc/hostname. [ OK ] Unmounted /etc/hosts. [ OK ] Unmounted /etc/resolv.conf. [ OK ] Unmounted /var/log/journal. Stopping D-Bus System Message Bus... [ OK ] Stopped D-Bus System Message Bus. [ OK ] Closed D-Bus System Message Bus Socket. [ OK ] Stopped PKI Tomcat Server pki-tomcat. [ OK ] Removed slice Slice /system/pki-tomcatd. [ OK ] Stopped The Apache HTTP Server. [ OK ] Stopped 389 Directory Server EXAMPLE-TEST.. [ OK ] Removed slice Slice /system/dirsrv. [ OK ] Stopped target Network is Online. Stopping NTP client/server... [ OK ] Stopped NTP client/server. [ OK ] Stopped target System Initialization. Unmounting Temporary Directory /tmp... [ OK ] Stopped Create Volatile Files and Directories. [ OK ] Reached target System Shutdown. 
[ OK ] Unmounted Temporary Directory /tmp. [ OK ] Reached target Unmount All Filesystems. [ OK ] Reached target Late Shutdown Services. Starting System Power Off... [ OK ] Finished Exit the Container. [ OK ] Reached target Exit the Container. Sending SIGTERM to remaining processes... Sending SIGKILL to remaining processes... All filesystems, swaps, loop devices, MD devices and DM devices detached. Exiting container.

With that the container does not come online; if I start it manually via portainer, only this message remains:

Sending SIGTERM to remaining processes... Sending SIGKILL to remaining processes... All filesystems, swaps, loop devices, MD devices and DM devices detached. Exiting container. systemd 250-12.el9_1.3 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified) Detected virtualization docker. Detected architecture x86-64. Queued start job for default target Minimal target for containerized FreeIPA server.

Can someone explain to me what I am doing wrong that keeps the application from coming up?

rjeffman commented 1 year ago

The installation is failing:

No valid Negotiate header in server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Configuration of client side components failed!
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Can you show which errors are being displayed in the logs?

ricardorrs commented 1 year ago

@rjeffman, first of all, thanks for the help.

Below is the log from /var/log/ipaclient-install.log, followed by /var/log/ipaserver-install.log.

2023-05-12T16:08:33Z DEBUG Logging to /var/log/ipaclient-install.log 2023-05-12T16:08:33Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': True, 'principal': None, 'prompt_password': False, 'on_master': True, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': True, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'subid': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'example.test', 'servers': ['ipa.example.test'], 'realm_name': 'EXAMPLE.TEST', 'host_name': 'ipa.example.test', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False} 2023-05-12T16:08:33Z DEBUG IPA version 4.10.0-8.el9_1 2023-05-12T16:08:33Z DEBUG IPA platform rhel_container 2023-05-12T16:08:33Z DEBUG IPA os-release Rocky Linux 9.1 (Blue Onyx) 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=1 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-05-12T16:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-05-12T16:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['sudo', '-V'] 2023-05-12T16:08:33Z DEBUG Process execution failed 2023-05-12T16:08:33Z INFO The sudo binary does 
not seem to be present on this system. Please consider installing sudo if required. 2023-05-12T16:08:33Z WARNING Using existing certificate '/etc/ipa/ca.crt'. 2023-05-12T16:08:33Z DEBUG [IPA Discovery] 2023-05-12T16:08:33Z DEBUG Starting IPA discovery with domain=example.test, servers=['ipa.example.test'], hostname=ipa.example.test 2023-05-12T16:08:33Z DEBUG Server and domain forced 2023-05-12T16:08:33Z DEBUG [Kerberos realm search] 2023-05-12T16:08:33Z DEBUG Kerberos realm forced 2023-05-12T16:08:33Z DEBUG [LDAP server check] 2023-05-12T16:08:33Z DEBUG Verifying that ipa.example.test (realm EXAMPLE.TEST) is an IPA server 2023-05-12T16:08:33Z DEBUG Init LDAP connection to: ldap://ipa.example.test:389 2023-05-12T16:08:33Z DEBUG Search LDAP server for IPA base DN 2023-05-12T16:08:33Z DEBUG Check if naming context 'dc=example,dc=test' is for IPA 2023-05-12T16:08:33Z DEBUG Naming context 'dc=example,dc=test' is a valid IPA context 2023-05-12T16:08:33Z DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=test (sub) 2023-05-12T16:08:33Z DEBUG Found: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test 2023-05-12T16:08:33Z DEBUG Discovery result: Success; server=ipa.example.test, domain=example.test, kdc=ipa.example.test, basedn=dc=example,dc=test 2023-05-12T16:08:33Z DEBUG Validated servers: ipa.example.test 2023-05-12T16:08:33Z DEBUG will use discovered domain: example.test 2023-05-12T16:08:33Z DEBUG Using servers from command line, disabling DNS discovery 2023-05-12T16:08:33Z DEBUG will use provided server: ipa.example.test 2023-05-12T16:08:33Z DEBUG will use discovered realm: EXAMPLE.TEST 2023-05-12T16:08:33Z DEBUG will use discovered basedn: dc=example,dc=test 2023-05-12T16:08:33Z INFO Client hostname: ipa.example.test 2023-05-12T16:08:33Z DEBUG Hostname source: Provided as option 2023-05-12T16:08:33Z INFO Realm: EXAMPLE.TEST 2023-05-12T16:08:33Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.example.test 2023-05-12T16:08:33Z INFO DNS Domain: 
example.test 2023-05-12T16:08:33Z DEBUG DNS Domain source: Forced 2023-05-12T16:08:33Z INFO IPA Server: ipa.example.test 2023-05-12T16:08:33Z DEBUG IPA Server source: Provided as option 2023-05-12T16:08:33Z INFO BaseDN: dc=example,dc=test 2023-05-12T16:08:33Z DEBUG BaseDN source: From IPA server ldap://ipa.example.test:389 2023-05-12T16:08:33Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2023-05-12T16:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-05-12T16:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-05-12T16:08:33Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-05-12T16:08:33Z DEBUG Skipping attempt to configure and synchronize time with chrony server as it has been already done on master. 2023-05-12T16:08:33Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf' 2023-05-12T16:08:33Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist 2023-05-12T16:08:33Z DEBUG New SSSD config will be created 2023-05-12T16:08:33Z INFO Configured /etc/sssd/sssd.conf 2023-05-12T16:08:33Z DEBUG Initializing principal host/ipa.example.test@EXAMPLE.TEST using keytab /data/etc/krb5.keytab 2023-05-12T16:08:33Z DEBUG using ccache /etc/ipa/.dns_ccache 2023-05-12T16:08:33Z DEBUG Attempt 1/5: success 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmpgp5ptvrg', '-N', '-f', '/tmp/tmpgp5ptvrg/pwdfile.txt', '-@', '/tmp/tmpgp5ptvrg/pwdfile.txt'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=0 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=1 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Starting 
external process 2023-05-12T16:08:33Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=1 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=1 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=1 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=1 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG Starting external process 2023-05-12T16:08:33Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpgp5ptvrg', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpgp5ptvrg/pwdfile.txt'] 2023-05-12T16:08:33Z DEBUG Process finished, return code=0 2023-05-12T16:08:33Z DEBUG stdout= 2023-05-12T16:08:33Z DEBUG stderr= 2023-05-12T16:08:33Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipa.example.test@EXAMPLE.TEST' 2023-05-12T16:08:33Z DEBUG trying https://ipa.example.test/ipa/json 2023-05-12T16:08:33Z DEBUG Created connection context.rpcclient_140107774866624 2023-05-12T16:08:33Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipa.example.test/ipa/json' 2023-05-12T16:08:33Z DEBUG New HTTP connection (ipa.example.test) 2023-05-12T16:08:33Z DEBUG HTTP connection destroyed (ipa.example.test) Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/ipaclient/remote_plugins/init.py", line 120, in get_package plugins = api._remote_plugins AttributeError: 'API' 
object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 724, in single_request if not self._auth_complete(response): File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 673, in _auth_complete raise errors.KerberosError( ipalib.errors.KerberosError: No valid Negotiate header in server response 2023-05-12T16:08:33Z DEBUG Destroyed connection context.rpcclient_140107774866624 2023-05-12T16:08:33Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run return cfgr.run() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in step = lambda: next(self.gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File 
"/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.parent._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in step = lambda: next(self.gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 3976, in main install(self) File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 2686, in install _install(options, dict()) File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 115, in inner func(options, tdict) File 
"/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 2970, in _install api.finalize() File "/usr/lib/python3.9/site-packages/ipalib/plugable.py", line 753, in finalize self.do_if_not_done('load_plugins') File "/usr/lib/python3.9/site-packages/ipalib/plugable.py", line 432, in do_if_not_done getattr(self, name)() File "/usr/lib/python3.9/site-packages/ipalib/plugable.py", line 632, in load_plugins for package in self.packages: File "/usr/lib/python3.9/site-packages/ipalib/init__.py", line 955, in packages ipaclient.remote_plugins.get_package(self), File "/usr/lib/python3.9/site-packages/ipaclient/remote_plugins/init.py", line 128, in get_package plugins = schema.get_package(server_info, client) File "/usr/lib/python3.9/site-packages/ipaclient/remote_plugins/schema.py", line 546, in get_package schema = Schema(client) File "/usr/lib/python3.9/site-packages/ipaclient/remote_plugins/schema.py", line 395, in init fingerprint, ttl = self._fetch(client, ignore_cache=read_failed) File "/usr/lib/python3.9/site-packages/ipaclient/remote_plugins/schema.py", line 420, in _fetch schema = client.forward(u'schema', *kwargs)['result'] File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 1146, in forward return self._call_command(command, params) File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 1122, in _call_command return command(params) File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 1276, in _call return self.request(name, args) File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 1239, in request response = self.__transport.request( File "/usr/lib64/python3.9/xmlrpc/client.py", line 1166, in request return self.single_request(host, handler, request_body, verbose) File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 724, in single_request if not self._auth_complete(response): File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 673, in _auth_complete raise errors.KerberosError(

2023-05-12T16:08:33Z DEBUG The ipa-client-install command failed, exception: KerberosError: No valid Negotiate header in server response 2023-05-12T16:08:33Z ERROR No valid Negotiate header in server response 2023-05-12T16:08:33Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

ipaserver-install.log

adelton commented 1 year ago

I'd prefer if we could keep conversations in English.

I can see --privileged --security-opt seccomp:unconfined among the docker run arguments. What documentation shows these to be needed on a Rocky Linux 9 machine?

ricardorrs commented 1 year ago

@adelton

Sorry for the Portuguese conversation, I'm not fluent in English but I can use google translate.

The commands mentioned are from docker; researching further, I found them here in the community, in problems already solved using such commands.

When I don't use the commands it just doesn't start.

docker run --name freeipa-server-container -ti \
> -h ipa.example.test -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
> --read-only --sysctl net.ipv6.conf.all.disable_ipv6=0 \
> -v /var/lib/freeipa-data:/data:Z freeipa-container
systemd 250-12.el9_1.3 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC + KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Virtualization Docker detected.
Architecture detected x86-64.
Failed to create control group /init.scope: read-only file system
Failed to allocate manager object: read-only file system
[!!!!!!] Failed to allocate the manager object.
Leaving PID 1..
adelton commented 1 year ago

Those parameters actually cause exactly the "No valid Negotiate header in server response" failure; they are never the solution (in recent years).

Assuming your host is Rocky Linux 9, it is safe to assume you use cgroups v2. If that is the case, do you have user namespace remapping enabled in docker configuration, per https://github.com/freeipa/freeipa-container#running-freeipa-server-container?
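A host pre-flight check covering the two points raised above (cgroup version on the host, user namespace remapping in the docker daemon config) plus a scan for the `--privileged` / `seccomp:unconfined` flags the maintainer says cause the Negotiate failure. This is an added example, not code from the freeipa-container project; it assumes the docker default config path `/etc/docker/daemon.json` and the `userns-remap` key, and reads the cgroup type from `/sys/fs/cgroup`.

```shell
#!/bin/sh
# Host pre-flight check for the freeipa-server container. Added example, not
# code from the freeipa-container project. It checks the two conditions the
# maintainer asks about in this thread (cgroup v2 on the host, user namespace
# remapping in docker) and scans a docker run command for the flags said to
# cause the "No valid Negotiate header in server response" failure.

# classify_cgroup_fstype <fstype>: map the filesystem type reported for the
# cgroup mountpoint to the hierarchy version.
classify_cgroup_fstype() {
    case "$1" in
        cgroup2fs) echo v2 ;;      # unified hierarchy (cgroups v2)
        tmpfs)     echo v1 ;;      # legacy layout: tmpfs with per-controller mounts
        *)         echo unknown ;;
    esac
}

# cgroup_mode <mountpoint>: classify the live mount, normally /sys/fs/cgroup.
# Always returns 0 so callers can capture the result under set -e.
cgroup_mode() {
    fstype=$(stat -fc %T "$1" 2>/dev/null || echo none)
    classify_cgroup_fstype "$fstype"
}

# userns_remap_setting <daemon.json>: print the "userns-remap" value from the
# docker daemon config (default path /etc/docker/daemon.json), or "unset".
# Plain sed, so it does not need jq; assumes the key sits on one line.
userns_remap_setting() {
    [ -r "$1" ] || { echo unset; return 0; }
    val=$(sed -n 's/.*"userns-remap"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# risky_run_flags <docker run command line>: print the flags from the thread
# that the maintainer says cause the Negotiate failure rather than fix it.
risky_run_flags() {
    found=""
    case " $1 " in
        *" --privileged "*) found="--privileged" ;;
    esac
    case "$1" in
        *seccomp[:=]unconfined*) found="${found:+$found }--security-opt seccomp:unconfined" ;;
    esac
    echo "$found"
}

# preflight <cgroup mountpoint> <daemon.json> <docker run command line>
# Prints findings; returns 1 when a known failure condition from the thread holds.
preflight() {
    rc=0
    mode=$(cgroup_mode "$1")
    remap=$(userns_remap_setting "$2")
    flags=$(risky_run_flags "$3")
    echo "cgroup: $mode  userns-remap: $remap"
    if [ "$mode" = v2 ] && [ "$remap" = unset ]; then
        echo "cgroup v2 without userns-remap: systemd in the container cannot create /init.scope (read-only file system)"
        rc=1
    fi
    if [ -n "$flags" ]; then
        echo "remove: $flags (these cause the Negotiate failure, they do not fix it)"
        rc=1
    fi
    return $rc
}

# Stand-alone use (only when saved as freeipa-preflight.sh; otherwise the
# functions above can be sourced): check this host against the run command
# posted in the issue.
if [ "${0##*/}" = "freeipa-preflight.sh" ]; then
    preflight /sys/fs/cgroup /etc/docker/daemon.json \
        "docker run --privileged --security-opt seccomp:unconfined --read-only freeipa-server"
fi
```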

adelton commented 1 year ago

We seem to have lost the traction here.