freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Unable to start container - Could not set pretty hostname #602

Closed jonlev1n closed 6 months ago

jonlev1n commented 6 months ago

I'm trying to start a freeIPA container with the following command:

docker run -dit --network="a network" \
        --platform=linux/amd64 \
        --ip="192.168.56.50" \
        --name "ipa-server" \
        --privileged --cap-add SYS_ADMIN \
        --security-opt seccomp=unconfined \
        --publish 80:80 --publish 443:443 \
        --mount type=bind,source="/path/to/dir",target=/a/diff/dir \
        -v ipa-data:/data:Z \
        --sysctl "net.ipv6.conf.lo.disable_ipv6=0" \
        -h ipa.blue.local --read-only \
        freeipa/freeipa-server:fedora-38 \
        ipa-server-install -U --no-ntp --hostname ipa.blue.local --domain blue.local --realm BLUE.LOCAL \
        --ds-password passw0rd --admin-password passw0rd

I've run this command before and have been able to successfully start a container and access it from the host machine; today I tried running it and ran into the following issue:

CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'ipa.blue.local'] returned non-zero exit status 1: 'Could not set pretty hostname: Could not activate remote peer: startup job failed.\n') The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The container kept exiting while I tried to access the log files, but I was able to get the last 1000 lines from the ipaserver-install.log:

[root@ipa /]# tail -1000 /var/log/ipaserver-install.log
2024-03-18T20:35:34Z DEBUG Logging to /var/log/ipaserver-install.log
2024-03-18T20:35:34Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': True, 'ip_addresses': None, 'domain_name': 'blue.local', 'realm_name': 'BLUE.LOCAL', 'host_name': 'ipa.blue.local', 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'skip_mem_check': False, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': True, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'subid': False, 'no_dns_sshfp': False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': None, 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'random_serial_numbers': False, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': False, 'enable_compat': False, 'no_msdcs': False, 'netbios_name': None, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2024-03-18T20:35:34Z DEBUG IPA version 4.10.3-2.fc38
2024-03-18T20:35:34Z DEBUG IPA platform fedora_container
2024-03-18T20:35:34Z DEBUG IPA os-release Fedora Linux 38 (Container Image)
2024-03-18T20:35:34Z DEBUG container detected
2024-03-18T20:35:34Z DEBUG cgroup v2
2024-03-18T20:35:34Z DEBUG Max RAM max, used RAM 191938560
2024-03-18T20:35:34Z DEBUG svmem(total=8221675520, available=7344312320, percent=10.7, used=709812224, free=6987747328, active=908886016, inactive=98639872, buffers=28864512, cached=495251456, shared=1667072, slab=83611648)
2024-03-18T20:35:34Z DEBUG Available memory is 7344312320B
2024-03-18T20:35:34Z DEBUG Searching for an interface of IP address: ::1
2024-03-18T20:35:34Z DEBUG Testing local IP address: ::1/128 (interface: lo)
2024-03-18T20:35:34Z DEBUG Starting external process
2024-03-18T20:35:34Z DEBUG args=['/usr/sbin/selinuxenabled']
2024-03-18T20:35:34Z DEBUG Process finished, return code=1
2024-03-18T20:35:34Z DEBUG stdout=
2024-03-18T20:35:34Z DEBUG stderr=
2024-03-18T20:35:34Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:34Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:34Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2024-03-18T20:35:34Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2024-03-18T20:35:34Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2024-03-18T20:35:34Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2024-03-18T20:35:34Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:34Z DEBUG Check if ipa.blue.local is a primary hostname for localhost
2024-03-18T20:35:34Z DEBUG Primary hostname for localhost: ipa.blue.local
2024-03-18T20:35:34Z DEBUG Search DNS for ipa.blue.local
2024-03-18T20:35:34Z DEBUG Check if ipa.blue.local is not a CNAME
2024-03-18T20:35:38Z DEBUG Check reverse address of 192.168.56.50
2024-03-18T20:35:38Z DEBUG Found reverse name: ipa.blue.local
2024-03-18T20:35:38Z DEBUG will use host_name: ipa.blue.local

2024-03-18T20:35:38Z DEBUG Writing configuration file /etc/ipa/default.conf
2024-03-18T20:35:38Z DEBUG [global]
host = ipa.blue.local
basedn = dc=blue,dc=local
realm = BLUE.LOCAL
domain = blue.local
xmlrpc_uri = https://ipa.blue.local/ipa/xml
ldap_uri = ldapi://%2Frun%2Fslapd-BLUE-LOCAL.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10

2024-03-18T20:35:38Z DEBUG importing all plugin modules in ipaserver.plugins...
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.aci
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.automember
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.automount
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.baseldap
2024-03-18T20:35:38Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.baseuser
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.batch
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.ca
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.caacl
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.cert
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.certmap
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.certprofile
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.config
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.delegation
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.dns
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.dnsserver
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.dogtag
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.domainlevel
2024-03-18T20:35:38Z DEBUG importing plugin module ipaserver.plugins.group
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.hbac
2024-03-18T20:35:39Z DEBUG ipaserver.plugins.hbac is not a valid plugin module
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.hbacrule
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.hbactest
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.host
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.hostgroup
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.idp
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.idrange
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.idviews
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.internal
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.join
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.ldap2
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.location
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.migration
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.misc
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.netgroup
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.otp
2024-03-18T20:35:39Z DEBUG ipaserver.plugins.otp is not a valid plugin module
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.otpconfig
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.otptoken
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.passwd
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.permission
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.ping
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.pkinit
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.privilege
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.pwpolicy
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.rabase
2024-03-18T20:35:39Z DEBUG ipaserver.plugins.rabase is not a valid plugin module
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.radiusproxy
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.realmdomains
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.role
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.schema
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.selfservice
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.server
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.serverrole
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.serverroles
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.service
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.servicedelegation
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.session
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.stageuser
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.subid
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.sudo
2024-03-18T20:35:39Z DEBUG ipaserver.plugins.sudo is not a valid plugin module
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.sudocmd
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.sudorule
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.topology
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.trust
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.user
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.vault
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.virtual
2024-03-18T20:35:39Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.whoami
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2024-03-18T20:35:39Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.dns
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_changelog_maxage
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_pwpolicy
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_unhashed_password
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2024-03-18T20:35:39Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2024-03-18T20:35:41Z DEBUG check_port_bindable: Checking IPv4/IPv6 dual stack and TCP
2024-03-18T20:35:41Z DEBUG check_port_bindable: bind success: 8443/TCP
2024-03-18T20:35:41Z DEBUG check_port_bindable: Checking IPv4/IPv6 dual stack and TCP
2024-03-18T20:35:41Z DEBUG check_port_bindable: bind success: 8080/TCP
2024-03-18T20:35:41Z DEBUG Name ipa.blue.local resolved to {UnsafeIPAddress('192.168.56.50')}
2024-03-18T20:35:41Z DEBUG Searching for an interface of IP address: 192.168.56.50
2024-03-18T20:35:41Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2024-03-18T20:35:41Z DEBUG Testing local IP address: 192.168.56.50/255.255.255.0 (interface: eth0)
2024-03-18T20:35:41Z DEBUG LDAP is not connected, can not retrieve NetBIOS name
2024-03-18T20:35:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:41Z DEBUG Backing up system configuration file '/etc/hostname'
2024-03-18T20:35:41Z DEBUG   -> Not backing up - already have a copy of '/etc/hostname'
2024-03-18T20:35:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-18T20:35:41Z DEBUG Starting external process
2024-03-18T20:35:41Z DEBUG args=['/bin/hostnamectl', 'set-hostname', 'ipa.blue.local']
2024-03-18T20:35:41Z DEBUG Process finished, return code=1
2024-03-18T20:35:41Z DEBUG stdout=
2024-03-18T20:35:41Z DEBUG stderr=Could not set pretty hostname: Could not activate remote peer: startup job failed.

2024-03-18T20:35:41Z DEBUG   File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
           ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
           ^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.11/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.11/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.11/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/__init__.py", line 566, in main
    master_install(self)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/install.py", line 829, in install
    tasks.set_hostname(host_name)
  File "/usr/lib/python3.11/site-packages/ipaplatform/redhat/tasks.py", line 587, in set_hostname
    ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
  File "/usr/lib/python3.11/site-packages/ipapython/ipautil.py", line 599, in run
    raise CalledProcessError(

2024-03-18T20:35:41Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'ipa.blue.local'] returned non-zero exit status 1: 'Could not set pretty hostname: Could not activate remote peer: startup job failed.\n')
2024-03-18T20:35:41Z ERROR CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'ipa.blue.local'] returned non-zero exit status 1: 'Could not set pretty hostname: Could not activate remote peer: startup job failed.\n')
2024-03-18T20:35:41Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

A few hours' worth of Google searching has been fruitless here; any ideas what might be going on? Checking the hostname on the CLI also returns ipa.blue.local, so it appears that the hostname has actually changed.

adelton commented 6 months ago

Can't you just follow the guidance in our README?

To allow for unprivileged container operation, use the -h ... option to set the hostname for the FreeIPA server in the container.

That way your container will have the hostname from the very start, and you won't have to use the horrible combo of --privileged and --cap-add SYS_ADMIN and --security-opt seccomp=unconfined ...
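The README guidance above, turned into a pre-flight check for the docker run command line. This is an added example, not code from the freeipa-container project: the function name check_ipa_run_args and its message wording are invented, and it assumes that an argument matching */freeipa-server* is the image name, i.e. the point where docker options end and ipa-server-install options begin.

```shell
#!/bin/sh
# Pre-flight check for a "docker run ... freeipa-server ... ipa-server-install ..." command
# line. Added example, not code from the freeipa-container project; the function name and
# the message wording are made up for this illustration.
#
# It encodes the README guidance: the container must receive its hostname from "docker run -h",
# so ipa-server-install never has to run "hostnamectl set-hostname" (which needs
# systemd-hostnamed reachable over D-Bus, the call that failed in this report), and the
# --privileged / --cap-add SYS_ADMIN / --security-opt seccomp=unconfined combination is
# reported as a finding instead of being accepted as a workaround.

# check_ipa_run_args ARG...   (exactly the arguments you would give to "docker run")
# Prints one finding per line. Returns 0 if the command line is acceptable, 1 otherwise.
check_ipa_run_args() {
    container_host="" ipa_host="" domain="" realm="" mode=docker rc=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$mode:$arg" in
            # docker options: -h / --hostname name the container itself
            docker:-h|docker:--hostname)  container_host=${1:-}; [ $# -gt 0 ] && shift ;;
            docker:--hostname=*)          container_host=${arg#--hostname=} ;;
            docker:--privileged)
                echo "finding: --privileged hands the container every host capability"; rc=1 ;;
            docker:--cap-add|docker:--security-opt)
                case "$arg=${1:-}" in
                    --cap-add=SYS_ADMIN|--security-opt=seccomp=unconfined)
                        echo "finding: $arg ${1:-} is not needed once -h is set"; rc=1 ;;
                esac
                [ $# -gt 0 ] && shift ;;
            docker:--cap-add=SYS_ADMIN|docker:--security-opt=seccomp=unconfined)
                echo "finding: $arg is not needed once -h is set"; rc=1 ;;
            # assumption: the image name ends the docker options; the rest goes to the installer
            docker:*/freeipa-server*)     mode=installer ;;
            # installer options: what ipa-server-install is told about the host
            installer:--hostname)         ipa_host=${1:-}; [ $# -gt 0 ] && shift ;;
            installer:--domain)           domain=${1:-};   [ $# -gt 0 ] && shift ;;
            installer:--realm)            realm=${1:-};    [ $# -gt 0 ] && shift ;;
        esac
    done
    if [ -z "$container_host" ]; then
        echo "finding: no -h for the container; ipa-server-install will run hostnamectl set-hostname"
        rc=1
    fi
    if [ -n "$ipa_host" ] && [ "$ipa_host" != "$container_host" ]; then
        echo "finding: installer --hostname '$ipa_host' differs from container hostname '$container_host'"
        rc=1
    fi
    if [ -n "$domain" ]; then
        case "$container_host" in
            *".$domain") ;;
            *) echo "finding: hostname '$container_host' is not inside --domain '$domain'"; rc=1 ;;
        esac
    fi
    if [ -n "$realm" ] && [ -n "$domain" ] &&
       [ "$realm" != "$(printf %s "$domain" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "note: --realm '$realm' is not the upper-cased --domain (allowed, but unusual)"
    fi
    return $rc
}

# Demo: the command line from the report (placeholders kept) yields three findings and
# "needs changes"; a README-style line that relies on -h alone is accepted.
echo "== command line from the report =="
check_ipa_run_args -dit --network="a network" --platform=linux/amd64 --ip=192.168.56.50 \
    --name ipa-server --privileged --cap-add SYS_ADMIN --security-opt seccomp=unconfined \
    --publish 80:80 --publish 443:443 -v ipa-data:/data:Z -h ipa.blue.local --read-only \
    freeipa/freeipa-server:fedora-38 ipa-server-install -U --no-ntp \
    --hostname ipa.blue.local --domain blue.local --realm BLUE.LOCAL \
    && echo "result: acceptable" || echo "result: needs changes"
echo "== README-style command line =="
check_ipa_run_args -h ipa.example.test --tmpfs /run --tmpfs /tmp --read-only \
    freeipa/freeipa-server:fedora-38 ipa-server-install -U \
    --hostname ipa.example.test --domain example.test --realm EXAMPLE.TEST \
    && echo "result: acceptable" || echo "result: needs changes"
```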

jonlev1n commented 6 months ago

Apologies for not specifying earlier: I'm running on OSX and have not had any success without --privileged, etc., as others have noted (#309, #189). Removing those options gives me

Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.

So far, other variations of the docker command have resulted in varying levels of failure.

adelton commented 6 months ago

It might be, but --privileged gives you a setup that will be not just properly isolated but also with some parts not working properly.

Can you debug with

tests/run-partial-tests.sh Dockerfile.fedora-38

? That was reported as eventually working in https://github.com/freeipa/freeipa-container/issues/309.

jonlev1n commented 6 months ago

➜  freeipa-container git:(master) ✗ ./tests/run-partial-tests.sh Dockerfile.fedora-38
[+] Building 136.0s (15/15) FINISHED                                          docker:desktop-linux
 => [internal] load build definition from Dockerfile.fedora-38.part                           0.0s
 => => transferring dockerfile: 1.44kB                                                        0.0s
 => [internal] load metadata for registry.fedoraproject.org/fedora:38                         0.2s
 => [internal] load .dockerignore                                                             0.0s
 => => transferring context: 111B                                                             0.0s
 => [ 1/11] FROM registry.fedoraproject.org/fedora:38@sha256:6349d2df6b4322c5690df1bb7743c45c356e20471dda69f27218cd9ba4a6c3c7   8.3s
 => => resolve registry.fedoraproject.org/fedora:38@sha256:6349d2df6b4322c5690df1bb7743c45c356e20471dda69f27218cd9ba4a6c3c7     0.0s
 => => sha256:6349d2df6b4322c5690df1bb7743c45c356e20471dda69f27218cd9ba4a6c3c7 955B / 955B                                      0.0s
 => => sha256:fb9ae7277805988d510b275e93a1cdcef2a5ea45b112b19f8641b0e9b82a614f 429B / 429B                                      0.0s
 => => sha256:9b4f7095fc78dc2b4e926defa7bdf49cd4ef9b7d389b842bfc89567d3b15b57c 1.32kB / 1.32kB                                  0.0s
 => => sha256:895b3e5252b242b95bc10aebb390be9c95205f6e2667b6a4535868e7c1534fc0 68.89MB / 68.89MB                                6.6s
 => => extracting sha256:895b3e5252b242b95bc10aebb390be9c95205f6e2667b6a4535868e7c1534fc0                                       1.6s
 => [ 2/11] RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -r -d / -s '/sbin/nologin' kdcproxy    0.2s
 => [ 3/11] RUN groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -r -d / -s '/sbin/nologin' ipaapi         0.2s
 => [ 4/11] RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup                                                             0.3s
 => [ 5/11] RUN sed -i 's!%_install_langs.*!%_install_langs all!' /etc/rpm/macros.image-language-conf                           0.3s
 => [ 6/11] RUN dnf upgrade -y --setopt=install_weak_deps=False  && dnf install -y --setopt=install_weak_deps=False freeipa-serve  123.3s
 => [ 7/11] RUN test $( getent passwd | grep -E "^(dirsrv:x:389|ipaapi:x:289|kdcproxy:x:288|pkiuser:x:17):" | wc -l ) -eq 4     0.2s
 => [ 8/11] RUN systemctl mask rpc-gssd.service                                                                                 0.3s
 => [ 9/11] RUN test -f /etc/machine-id && ! test -s /etc/machine-id                                                            0.3s
 => [10/11] RUN test "oci" = oci                                                                                                0.3s
 => [11/11] RUN echo "DefaultLimitNOFILE=1024" >> /etc/systemd/system.conf                                                      0.3s
 => exporting to image                                                                                                          1.8s
 => => exporting layers                                                                                                         1.8s
 => => writing image sha256:e5b2caafdf1f40ad8ff312dd72e5ce09e6c9c2fdffe104a518bcac035c82d00a                                    0.0s
 => => naming to localhost/freeipa-server-test:fedora-38                                                                        0.0s
[+] Building 0.0s (5/5) FINISHED                                              docker:desktop-linux
 => [internal] load build definition from Dockerfile.fedora-38.part.addons                    0.0s
 => => transferring dockerfile: 171B                                                          0.0s
 => [internal] load metadata for localhost/freeipa-server-test:fedora-38                      0.0s
 => [internal] load .dockerignore                                                             0.0s
 => => transferring context: 111B                                                             0.0s
 => [1/1] FROM localhost/freeipa-server-test:fedora-38                                        0.0s
 => exporting to image                                                                        0.0s
 => => exporting layers                                                                       0.0s
 => => writing image sha256:563e057e4094aeef86c4897b879390f1fabf7c2e8c2a8815b1b0357f08161304  0.0s
 => => naming to localhost/freeipa-server-test-addons:fedora-38                               0.0s
+ docker run --name freeipa-server-container-fedora-38 -d -h ipa.example.test --tmpfs /run --tmpfs /tmp --sysctl net.ipv6.conf.all.disable_ipv6=0 -v /sys/fs/cgroup:/sys/fs/cgroup:ro localhost/freeipa-server-test-addons:fedora-38
c90389609a6a90c5ff6336cdb9f622e887e126f8d6b1df95b29f6f87ad073299
Executing ./tests/systemd-container-failed.sh freeipa-server-container-fedora-38
Error response from daemon: container c90389609a6a90c5ff6336cdb9f622e887e126f8d6b1df95b29f6f87ad073299 is not running

The container stops immediately with code 255, so something is definitely off there.

Going back to the original command, just omitting the hostname, yields the following:

Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/43]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
[  OK  ] Created slice system-dirsrv.slice - Slice /system/dirsrv.
         Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
[FAILED] Failed to start systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details.
         Starting dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Started dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
Create database backend: dc=blue,dc=local ...
Perform post-installation tasks ...
         Stopping dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Stopped dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
         Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
[FAILED] Failed to start systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details.
         Starting dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Started dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
  [2/43]: tune ldbm plugin
  [3/43]: adding default schema
  [4/43]: enabling memberof plugin
  [5/43]: enabling winsync plugin
  [6/43]: configure password logging
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: configuring uniqueness plugin
  [10/43]: configuring uuid plugin
  [11/43]: configuring modrdn plugin
  [12/43]: configuring DNS plugin
  [13/43]: enabling entryUSN plugin
  [14/43]: configuring lockout plugin
  [15/43]: configuring graceperiod plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
[   ***] Job ipa-server-configure-first.service/start running (32s / no limit)
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure new location for managed entries
[  *** ] Job ipa-server-configure-first.service/start running (32s / no limit)
  [22/43]: enabling SASL mapping fallback
         Stopping dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Stopped dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
         Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
[FAILED] Failed to start systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details.
         Starting dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Started dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
  [24/43]: adding sasl mappings to the directory
  [25/43]: adding default layout
[ ***  ] Job ipa-server-configure-first.service/start running (47s / no limit)
[   ***] Job ipa-server-configure-first.service/start running (53s / no limit)
[ ***  ] Job ipa-server-configure-first.service/start running (54s / no limit)
  [28/43]: configuring user private groups
  [29/43]: configuring netgroups from hostgroups
[***   ] Job ipa-server-configure-first.service/start running (54s / no limit)
[**    ] Job ipa-server-configure-first.service/start running (55s / no limit)
  [32/43]: adding range check plugin
  [33/43]: creating default HBAC rule allow_all
[*     ] Job ipa-server-configure-first.service/start running (55s / no limit)
[***   ] Job ipa-server-configure-first.service/start running (56s / no limit)
[ ***  ] Job ipa-server-configure-first.service/start running (57s / no limit)
  [37/43]: initializing domain level
[  *** ] Job ipa-server-configure-first.service/start running (57s / no limit)
  [39/43]: adding replication acis
  [40/43]: activating sidgen plugin
  [41/43]: activating extdom plugin
[   ***] Job ipa-server-configure-first.service/start running (57s / no limit)
         Stopping dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Stopped dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
         Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
[FAILED] Failed to start systemd-tmpfiles-setup.service - Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details.
         Starting dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
[  OK  ] Started dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/11]: adding kerberos container to the directory
  [2/11]: configuring KDC
  [3/11]: initialize kerberos container
[*     ] Job ipa-server-configure-first.service/start running (1min 10s / no limit)
[  *** ] Job ipa-server-configure-first.service/start running (1min 12s / no limit)
[***   ] Job ipa-server-configure-first.service/start running (1min 18s / no limit)
[**    ] Job ipa-server-configure-first.service/start running (1min 24s / no limit)
  [7/11]: adding the password extension to the directory
[ ***  ] Job ipa-server-configure-first.service/start running (1min 25s / no limit)
[  OK  ] Reached target network-online.target - Network is Online.
         Starting krb5kdc.service - Kerberos 5 KDC...
[  OK  ] Started krb5kdc.service - Kerberos 5 KDC.
  [10/11]: configuring KDC to start on boot
  [11/11]: enable PAC ticket signature support
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
         Starting kadmin.service - Kerberos 5 Password-changing and Administration...
[  OK  ] Started kadmin.service - Kerberos 5 Password-changing and Administration.
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
         Starting ipa-custodia.service - IPA Custodia Service...
[  OK  ] Started ipa-custodia.service - IPA Custodia Service.
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[FAILED] Failed to start ipa-server-configure-first.service - Configure IPA server upon the first start.
See 'systemctl status ipa-server-configure-first.service' for details.
         Unmounting data.mount - /data...
         Unmounting etc-hostname.mount - /etc/hostname...
         Unmounting etc-hosts.mount - /etc/hosts...
         Unmounting etc-resolv.conf.mount - /etc/resolv.conf...
         Unmounting opt-metacop-scripts.mount - /opt/metacop/scripts...
         Unmounting tmp-data.mount - /tmp/data...
         Unmounting var-log-journal.mount - /var/log/journal...
         Stopping dbus-broker.service - D-Bus System Message Bus...
         Stopping dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL....
         Stopping ipa-custodia.service - IPA Custodia Service...
         Stopping kadmin.service - Kerberos 5 Password-changing and Administration...
         Stopping krb5kdc.service - Kerberos 5 KDC...
[  OK  ] Stopped dbus-broker.service - D-Bus System Message Bus.
[  OK  ] Stopped kadmin.service - Kerberos 5 Password-changing and Administration.
[  OK  ] Stopped ipa-custodia.service - IPA Custodia Service.
[FAILED] Failed unmounting data.mount - /data.
[  OK  ] Unmounted etc-hostname.mount - /etc/hostname.
[  OK  ] Unmounted opt-metacop-scripts.mount - /opt/metacop/scripts.
[  OK  ] Unmounted tmp-data.mount - /tmp/data.
[  OK  ] Closed dbus.socket - D-Bus System Message Bus Socket.
[  OK  ] Unmounted etc-hosts.mount - /etc/hosts.
[  OK  ] Unmounted etc-resolv.conf.mount - /etc/resolv.conf.
[  OK  ] Stopped krb5kdc.service - Kerberos 5 KDC.
[  OK  ] Unmounted var-log-journal.mount - /var/log/journal.
FreeIPA server configuration failed.
[  OK  ] Stopped dirsrv@BLUE-LOCAL.service - 389 Directory Server BLUE-LOCAL..
[  OK  ] Removed slice system-dirsrv.slice - Slice /system/dirsrv.
[  OK  ] Stopped target network-online.target - Network is Online.
[  OK  ] Stopped target sysinit.target - System Initialization.
[  OK  ] Reached target shutdown.target - System Shutdown.
         Unmounting tmp.mount - Temporary Directory /tmp...
[  OK  ] Unmounted tmp.mount - Temporary Directory /tmp.
[  OK  ] Reached target umount.target - Unmount All Filesystems.
[  OK  ] Reached target final.target - Late Shutdown Services.
         Starting systemd-poweroff.service - System Power Off...
[  OK  ] Finished systemd-exit.service - Exit the Container.
[  OK  ] Reached target exit.target - Exit the Container.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
All filesystems, swaps, loop devices, MD devices and DM devices detached.
Exiting container.
adelton commented 6 months ago

The container stops immediately with code 255, so something is definitely off there.

That's the point to investigate.

adelton commented 6 months ago
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
 /var/log/pki/pki-tomcat
 [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

And /var/log/ipaserver-install.log is where the debugging should start for this case.
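
To follow the advice above when the container exits before you can read the log, it helps to pull the file out of the stopped container and triage it offline. The script below is an added example, not code from the freeipa-container project or from either participant: it finds the last `[N/M]: step` line (the step that was running when `ipa-server-install` died) and every ERROR or bracketed `[error]` line. The `docker cp` and volume paths in the comments, and the layout of the sample log, are assumptions about the container rather than facts stated in the thread.

```shell
#!/bin/sh
# Added example (not from freeipa-container): triage an ipaserver-install.log
# after the container has already stopped. Read from a file so the log can be
# extracted first, e.g. (container name from the thread, paths assumed):
#   docker cp ipa-server:/var/log/ipaserver-install.log ./ipaserver-install.log
# or, assuming the ipa-data volume carries the logs under /data/var/log:
#   docker run --rm -v ipa-data:/data --entrypoint cat \
#       freeipa/freeipa-server:fedora-38 /data/var/log/ipaserver-install.log \
#       > ipaserver-install.log

set -eu

# Last "[N/M]: step" line in the log: the install step that was in progress.
ipa_last_step() {
    grep -E '\[[0-9]+/[0-9]+\]: ' "$1" | tail -n 1 \
        | sed -E 's|.*(\[[0-9]+/[0-9]+\]: .*)|\1|'
}

# Lines logged at ERROR level plus the "[error] <Exception>" lines the
# installer emits when a step raises.
ipa_errors() {
    grep -E '( ERROR |\[error\] )' "$1" || true
}

# Number of error lines; a quick non-zero signal for scripts.
ipa_error_count() {
    ipa_errors "$1" | grep -c . || true
}

# One-screen summary: where it stopped and why.
ipa_install_summary() {
    printf 'last step: %s\n' "$(ipa_last_step "$1")"
    printf 'errors (%s):\n' "$(ipa_error_count "$1")"
    ipa_errors "$1" | sed 's/^/  /'
}

# Constructed sample, not a real capture: the timestamped form of the CA-step
# failure shown in the thread's console output.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-18T20:36:40Z DEBUG Done configuring ipa-custodia.
2024-03-18T20:36:40Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
2024-03-18T20:36:40Z DEBUG   [1/30]: configuring certificate server instance
2024-03-18T20:36:41Z ERROR Failed to configure CA instance
2024-03-18T20:36:41Z ERROR See the installation logs and the following files/directories for more information:
2024-03-18T20:36:41Z ERROR   /var/log/pki/pki-tomcat
2024-03-18T20:36:41Z DEBUG   [error] RuntimeError: CA configuration failed.
2024-03-18T20:36:41Z ERROR CA configuration failed.
2024-03-18T20:36:41Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
EOF

ipa_install_summary "$SAMPLE_LOG"
```

Run it against the real file with `ipa_install_summary ./ipaserver-install.log`; when the last step is the CA one, the next file to read is under `/var/log/pki/pki-tomcat`, as the error text itself points out.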

jonlev1n commented 6 months ago

After two days of debugging, switching to an identical out-of-the-box machine and running the original command has resulted in a success, so I'll call this a weird hardware-specific issue, close this issue, and take a win where I can get one...