freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Failed to start 389 Directory Server EXAMPLE-TEST.. #604

Closed airmaxwill closed 8 months ago

airmaxwill commented 8 months ago

I am trying to deploy freeipa with podman. Background to the environment (Debian 12 on a Proxmox VM).

I run the container with:

```
podman run -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z quay.io/freeipa/freeipa-server:almalinux-9 ipa-server-install
```

I navigate through the install process and the install crashes with:

```
[**    ] A start job is running for Configure IPA server upon the first start (6min 2s / no limit)
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Warning: IPA was unable to sync time with chrony!
         Time synchronization is required for IPA to work correctly
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/43]: creating directory server instance
Validate installation settings ...
[*     ] A start job is running for Configure IPA server upon the first start (6min 2s / no limit)
[  OK  ] Created slice Slice /system/dirsrv.
         Starting 389 Directory Server EXAMPLE-TEST....
[FAILED] Failed to start 389 Directory Server EXAMPLE-TEST..
See 'systemctl status dirsrv@EXAMPLE-TEST.service' for details.
  [error] CalledProcessError: Command '['systemctl', 'start', 'dirsrv@EXAMPLE-TEST']' returned non-zero exit status 1.
Command '['systemctl', 'start', 'dirsrv@EXAMPLE-TEST']' returned non-zero exit status 1.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

My interpretation would be that podman has a problem connecting to the systemd daemon of the host. When looking into the log file I can see multiple instances where freeipa cannot connect to a daemon. I have attached the log file for reference (ipaserver-install.log).

Now I have googled the hell out of this problem, but I have no idea what the problem could be. Some additional info: cgroup version 2, cgroup manager systemd.

podman info:

```yaml
host:
  arch: amd64
  buildahVersion: 1.28.2
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 99.39
    systemPercent: 0.2
    userPercent: 0.4
  cpus: 4
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  hostname: docker-worker1
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.1.0-18-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 2483994624
  memTotal: 4104876032
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.8.1-1+deb12u1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 36m 9.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 33643237376
  graphRootUsed: 3963469824
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1
```

podman storage.conf:

```
[storage]
driver = "overlay"
```

adelton commented 8 months ago

You might want to add -e DEBUG_NO_EXIT=1 to the podman run options to keep the container running even after the ipa-server-install fails and then podman exec to the container and run systemctl status dirsrv@EXAMPLE-TEST.service to see what exactly it is not happy about.

adelton commented 8 months ago

You might be hitting https://github.com/freeipa/freeipa-container/issues/553 where the /dev/shm was too small.
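As an added example that is not part of this thread or of the freeipa-container project, the POSIX shell helper below puts the two diagnostic steps suggested above into reusable functions: keep the container alive after a failed install with `DEBUG_NO_EXIT=1` and query the `dirsrv@...` unit, and check whether the `/dev/shm` the container sees is as small as in issue 553. The `df -B1` parsing runs against a constructed sample dump so the check works offline; the 256 MiB minimum and the `--shm-size=512m` value are assumptions (the thread only says the default was "too small"; `--shm-size` is a standard podman option), and the podman commands only execute when `RUN_IPA_DIAG=1` is set and podman is installed.

```shell
#!/bin/sh
# Added example, not code from the freeipa-container project.

# Constructed sample of `df -B1 /dev/shm` as seen inside a container that got
# the 64 MiB /dev/shm podman hands out by default.
SAMPLE_DF='Filesystem     1B-blocks  Used Available Use% Mounted on
shm             67108864     0  67108864   0% /dev/shm'

# Assumed minimum (256 MiB); pick the value that matches your 389-ds sizing.
MIN_SHM_BYTES=268435456

# Print the total size in bytes of the filesystem mounted at $2,
# given `df -B1` output in $1 (prints nothing when the mount is absent).
df_size_bytes() {
    printf '%s\n' "$1" | awk -v mnt="$2" '$6 == mnt { print $2 }'
}

# Status 0 when /dev/shm in the df output $1 is smaller than $2 bytes.
shm_too_small() {
    size=$(df_size_bytes "$1" /dev/shm)
    [ -n "$size" ] && [ "$size" -lt "$2" ]
}

# Human-readable verdict; returns the same status as shm_too_small.
shm_verdict() {
    if shm_too_small "$1" "$2"; then
        echo "WARN: /dev/shm is $(df_size_bytes "$1" /dev/shm) bytes, below $2 (see issue 553)"
        return 0
    fi
    echo "OK: /dev/shm size is sufficient"
    return 1
}

# The run from the thread, but the container stays up after a failed
# ipa-server-install (DEBUG_NO_EXIT=1) and gets a larger /dev/shm.
# $1 is the container name; runs interactively like the original command.
ipa_debug_run() {
    podman run -ti --name "$1" -h ipa.example.test --read-only \
        -e DEBUG_NO_EXIT=1 --shm-size=512m \
        -v /var/lib/ipa-data:/data:Z \
        quay.io/freeipa/freeipa-server:almalinux-9 ipa-server-install
}

# From a second shell: what systemd inside container $1 says about the
# dirsrv instance $2, plus the /dev/shm size the container actually sees.
ipa_dirsrv_status() {
    podman exec "$1" systemctl status "dirsrv@$2.service"
    podman exec "$1" df -B1 /dev/shm
}

if [ "${RUN_IPA_DIAG:-0}" = 1 ] && command -v podman >/dev/null 2>&1; then
    ipa_dirsrv_status "${IPA_CONTAINER:-ipa}" "${IPA_INSTANCE:-EXAMPLE-TEST}"
fi

# Offline demonstration against the constructed sample.
shm_verdict "$SAMPLE_DF" "$MIN_SHM_BYTES" || true
```

Usage: start the container with `ipa_debug_run ipa` in one terminal, then in another run `RUN_IPA_DIAG=1 ./shm-check.sh` (or call `ipa_dirsrv_status ipa EXAMPLE-TEST` directly) and feed the `df -B1` line it prints to `shm_verdict` to decide whether the `--shm-size` change is the fix.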

airmaxwill commented 8 months ago

You are right. This was a user error then. (Googled the wrong issues). Thank you very much!!