freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

ScriptError: Unable to determine the amount of available RAM #614

Closed maikwaigant closed 4 months ago

maikwaigant commented 4 months ago

Hello,

I am currently trying to deploy FreeIPA within Docker and am encountering consistent failures across multiple attempts and systems. I have followed the standard installation instructions and am working with cgroup2.

Environment

Operating Systems tested: Debian 5.10.216-1 (primary), Fedora, CoreOS, Ubuntu
Docker version: Docker version 26.1.4, build 5650f9b
FreeIPA version: freeipa/freeipa-server:rocky-8-4.9.11 and freeipa/freeipa-server:fedora-40-4.12.1 and freeipa/freeipa-server:fedora-40

Steps to Reproduce

  1. Followed the FreeIPA installation guide for Docker deployment.
  2. Attempted to deploy on various distributions to isolate the issue.
  3. Consistently encountered the same error across all environments.

Expected Behavior

FreeIPA should deploy without errors following the provided documentation.

Actual Behavior

The deployment fails consistently, with the same error appearing in all tested environments.

Error Message

output:  /var/log/ipaserver-install.log

 File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 1104, in check_available_memory
    "Unable to determine the amount of available RAM"

2024-07-02T15:32:39Z DEBUG The ipa-server-install command failed, exception: ScriptError: Unable to determine the amount of available RAM
2024-07-02T15:32:39Z ERROR Unable to determine the amount of available RAM
2024-07-02T15:32:39Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Can anyone provide insights or solutions to address this deployment issue? Any help would be greatly appreciated.

Additionally, I've successfully deployed FreeIPA using Podman without encountering any issues. My preference is to standardize on Docker for all systems in my current environment. Any suggestions to align the deployment process across Docker as effectively as with Podman would be extremely helpful.

Thank you!

rcritten commented 4 months ago

You severely limited the logging lines so it's hard to tell what context it was running in. But let's assume it did detect that it is running in a container; it checks, in this order:

If /sys/fs/cgroup/memory/memory.limit_in_bytes and /sys/fs/cgroup/memory/memory.usage_in_bytes exist, cgroup1, it uses those.

If not it falls back to cgroup2 and if /sys/fs/cgroup/memory.current and /sys/fs/cgroup/memory.max exist it uses those.

If those fail, and for the non-container case, it tries psutil to determine the memory amount.

If all those fail you get the exception you see.

Or you can pass the --skip-mem-check option to ipa-server-install to skip this altogether.

maikwaigant commented 4 months ago

Thank you for the fast response!

I have mounted the entire /sys/fs/cgroup:/sys/fs/cgroup directory into the container. Container is detected.

I have also used the --skip-mem-check option and was able to install FreeIPA with it. However, I feel that this is not the correct approach for automating the deployment of FreeIPA.

Here is the full log message:

[root@freeipa /]# ipa-server-install
Unable to determine the amount of available RAM
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@freeipa /]# cat /var/log/ipaserver-install.log
2024-07-02T15:32:39Z DEBUG Logging to /var/log/ipaserver-install.log
2024-07-02T15:32:39Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': False, 'ip_addresses': None, 'domain_name': None, 'realm_name': None, 'host_name': None, 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'skip_mem_check': False, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'subid': False, 'no_dns_sshfp': False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': None, 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': False, 'enable_compat': False, 'no_msdcs': False, 'netbios_name': None, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2024-07-02T15:32:39Z DEBUG IPA version 4.9.11-7.module+el8.8.0+1455+4afde211
2024-07-02T15:32:39Z DEBUG IPA platform rhel_container
2024-07-02T15:32:39Z DEBUG IPA os-release Rocky Linux 8.8 (Green Obsidian)
2024-07-02T15:32:39Z DEBUG container detected
2024-07-02T15:32:39Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 358, in run
    self.validate()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 368, in validate
    for _nothing in self._validator():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 633, in _configure
    next(validator)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 564, in main
    master_install_check(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 353, in install_check
    installutils.check_available_memory(ca=options.setup_ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 1104, in check_available_memory
    "Unable to determine the amount of available RAM"

2024-07-02T15:32:39Z DEBUG The ipa-server-install command failed, exception: ScriptError: Unable to determine the amount of available RAM
2024-07-02T15:32:39Z ERROR Unable to determine the amount of available RAM
2024-07-02T15:32:39Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

rcritten commented 4 months ago

I don't know a lot about containers. Perhaps shell into the container and see if the memory.current and memory.max files exist.

This code exists to ensure a basic amount of RAM. Enough people were trying to run IPA with an absolute minimal amount of RAM and ran into problems. Skipping the check is fine as long as your underlying system has a sufficient amount. 2.2Gb is pretty much the absolute minimum to do anything beyond a toy.

adelton commented 4 months ago

FreeIPA should deploy without errors following the provided documentation.

@maikwaigant Our documentation says:

If you receive error like

Unable to determine the amount of available RAM

you might need to use ipa-server-install option --skip-mem-check.

That makes the error go away.

Or, as you mentioned, just use podman.

Assuming you are using a rootless docker (you did not state that specifically), if you want to dig into it some more, the problem stems from a generic issue of docker not really handling cgroups v2 properly to allow systemd to run in that container without hitting

Failed to create /init.scope control group: Read-only file system

One would expect --cgroupns=private would be all that is needed in 2024.

The (still open) https://github.com/moby/moby/issues/42910 might be where the proper support is potentially tracked.

The workaround with --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw is the only working approach I was able to find to even start systemd with rootless docker, without forcing people to manually parse /proc/self/cgroup, realize the session-9.scope is not writable but user@1000.service next to it is, and constructing parameters like

-v /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service:/sys/fs/cgroup:rw

Mounting the root cgroup has the side effect of memory.current not being present there in the root cgroup. I figured people would be okay with using --skip-mem-check to get past that.

The alternative of us calling rootless docker completely unsupported seems less usable.
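
The probe order rcritten lists and the root-cgroup side effect adelton describes can be reproduced offline with the sketch below. It is an added example, not FreeIPA's own code: `probe_memory`, `make_tree` and the `fallback` hook (standing in for psutil) are hypothetical names, and letting a `memory.max` of `max` fall through to the fallback is an assumption.

```python
import os
import tempfile

def _read(path):
    with open(path) as f:
        return f.read().strip()

def probe_memory(root="/sys/fs/cgroup", fallback=None):
    """Return (source, available_bytes) or raise RuntimeError.

    Order follows the thread: cgroup v1 files, then cgroup v2 files,
    then `fallback` (hypothetical hook standing in for psutil).
    """
    v1_limit = os.path.join(root, "memory", "memory.limit_in_bytes")
    v1_usage = os.path.join(root, "memory", "memory.usage_in_bytes")
    v2_max = os.path.join(root, "memory.max")
    v2_cur = os.path.join(root, "memory.current")
    if os.path.exists(v1_limit) and os.path.exists(v1_usage):
        return "cgroup1", int(_read(v1_limit)) - int(_read(v1_usage))
    if os.path.exists(v2_max) and os.path.exists(v2_cur):
        limit = _read(v2_max)
        if limit != "max":  # the literal "max" means no limit is set
            return "cgroup2", int(limit) - int(_read(v2_cur))
    if fallback is not None:
        return "fallback", fallback()
    raise RuntimeError("Unable to determine the amount of available RAM")

def make_tree(files):
    """Build a constructed cgroup-like directory from {relative path: content}."""
    root = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content + "\n")
    return root

# Constructed sample trees (not captured from a real host).
CHILD_V2 = {"memory.max": "4294967296", "memory.current": "1073741824"}
ROOT_V2 = {"cgroup.controllers": "cpu memory pids"}  # root cgroup: no memory.current
V1 = {"memory/memory.limit_in_bytes": "2147483648",
      "memory/memory.usage_in_bytes": "536870912"}

if __name__ == "__main__":
    for name, tree in (("child v2", CHILD_V2), ("root v2", ROOT_V2), ("v1", V1)):
        try:
            print(name, probe_memory(make_tree(tree)))
        except RuntimeError as exc:
            print(name, "->", exc)
```

Run inside the container with the default root, `probe_memory()` shows which branch a given Docker or Podman cgroup mount layout actually reaches.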