Closed maikwaigant closed 4 months ago
You severely limited the logging lines so it's hard to tell what context it was running. But let's assume it did detect that it is running in a container; it checks, in this order:
If /sys/fs/cgroup/memory/memory.limit_in_bytes and /sys/fs/cgroup/memory/memory.usage_in_bytes exist, cgroup1, it uses those.
If not, it falls back to cgroup2 and if /sys/fs/cgroup/memory.current and /sys/fs/cgroup/memory.max exist it uses those.
If those fail, and for the non-container case, it tries psutil to determine the memory amount.
If all those fail you get the exception you see.
Or you can pass the --skip-mem-check option to ipa-server-install to skip this altogether.
Thank you for the fast response!
I have mounted the entire /sys/fs/cgroup:/sys/fs/cgroup directory into the container. Container is detected.
I have also used the --skip-mem-check option and was able to install FreeIPA with it. However, I feel that this is not the correct approach for automating the deployment of FreeIPA.
Here is the full log message:
[root@freeipa /]# ipa-server-install
Unable to determine the amount of available RAM
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@freeipa /]# cat /var/log/ipaserver-install.log
2024-07-02T15:32:39Z DEBUG Logging to /var/log/ipaserver-install.log
2024-07-02T15:32:39Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': False, 'ip_addresses': None, 'domain_name': None, 'realm_name': None, 'host_name': None, 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'skip_mem_check': False, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'subid': False, 'no_dns_sshfp': False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': None, 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': False, 'enable_compat': False, 'no_msdcs': False, 'netbios_name': None, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2024-07-02T15:32:39Z DEBUG IPA version 4.9.11-7.module+el8.8.0+1455+4afde211
2024-07-02T15:32:39Z DEBUG IPA platform rhel_container
2024-07-02T15:32:39Z DEBUG IPA os-release Rocky Linux 8.8 (Green Obsidian)
2024-07-02T15:32:39Z DEBUG container detected
2024-07-02T15:32:39Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 358, in run
self.validate()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 368, in validate
for _nothing in self._validator():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 633, in _configure
next(validator)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 564, in main
master_install_check(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 278, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 353, in install_check
installutils.check_available_memory(ca=options.setup_ca)
File "/usr/lib/python3.6/site-packages/ipaserver/install/installutils.py", line 1104, in check_available_memory
"Unable to determine the amount of available RAM"
2024-07-02T15:32:39Z DEBUG The ipa-server-install command failed, exception: ScriptError: Unable to determine the amount of available RAM
2024-07-02T15:32:39Z ERROR Unable to determine the amount of available RAM
2024-07-02T15:32:39Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I don't know a lot about containers. Perhaps shell into the container and see if the memory.current and memory.max files exist.
This code exists to ensure a basic amount of RAM. Enough people were trying to run IPA with an absolute minimal amount of RAM and ran into problems. Skipping the check is fine as long as your underlying system has a sufficient amount. 2.2Gb is pretty much the absolute minimum to do anything beyond a toy.
FreeIPA should deploy without errors following the provided documentation.
@maikwaigant Our documentation says:
If you receive error like
Unable to determine the amount of available RAM
you might need to use ipa-server-install option --skip-mem-check.
That makes the error go away.
Or, as you mentioned, just use podman.
Assuming you are using a rootless docker (you did not state that specifically), if you want to dig into it some more, the problem stems from a generic issue of docker not really handling cgroups v2 properly to allow systemd to run in that container without hitting
Failed to create /init.scope control group: Read-only file system
One would expect --cgroupns=private would be all that is needed in 2024.
The (still open) https://github.com/moby/moby/issues/42910 might be where the proper support is potentially tracked.
The workaround with --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw is the only working approach I was able to find to even start systemd with rootless docker, without forcing people to manually parse /proc/self/cgroup, realize the session-9.scope is not writable but user@1000.service next to it is, and construct parameters like
-v /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service:/sys/fs/cgroup:rw
Mounting the root cgroup has the side effect of memory.current not being present there in the root cgroup. I figured people would be okay with using --skip-mem-check to get past that.
The alternative of us calling rootless docker completely unsupported seems less usable.
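The lookup order described earlier in the thread (cgroup1 files, then cgroup2 files) and the root-cgroup side effect mentioned above can be checked from inside the container with a small probe. This is an added diagnostic example, not FreeIPA's code; the function names, the "available = limit - usage" calculation and the sample trees are assumptions made for illustration.

```python
import os
import tempfile

# Candidate file pairs in the order given in the thread: cgroup v1 first, then v2.
CANDIDATES = [
    ("cgroup1", "memory/memory.limit_in_bytes", "memory/memory.usage_in_bytes"),
    ("cgroup2", "memory.max", "memory.current"),
]

def read_value(path):
    """Return the integer in a cgroup file, or None for the literal 'max' (no limit)."""
    with open(path) as f:
        text = f.read().strip()
    return None if text == "max" else int(text)

def probe(cgroup_root="/sys/fs/cgroup"):
    """Report which pair of files exists under cgroup_root and what they contain."""
    for name, limit_rel, usage_rel in CANDIDATES:
        limit_path = os.path.join(cgroup_root, limit_rel)
        usage_path = os.path.join(cgroup_root, usage_rel)
        if os.path.exists(limit_path) and os.path.exists(usage_path):
            limit, usage = read_value(limit_path), read_value(usage_path)
            # Assumption: available memory is taken as limit minus current usage.
            free = None if limit is None else limit - usage
            return {"source": name, "limit": limit, "usage": usage, "available": free}
    # Neither pair is present: the state the thread attributes to a bind-mounted
    # root cgroup, where memory.current does not exist.
    return {"source": None, "limit": None, "usage": None, "available": None}

def make_tree(files):
    """Build a constructed cgroup directory for demonstration; returns its path."""
    root = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content + "\n")
    return root

if __name__ == "__main__":
    print("live:", probe())
    # Constructed samples: a limited cgroup2 container, and a root cgroup
    # without the memory files.
    print("limited v2:", probe(make_tree({"memory.max": "4294967296",
                                          "memory.current": "1073741824"})))
    print("root cgroup:", probe(make_tree({"cgroup.controllers": "cpu memory"})))
```

A result with `source` of `None` on the live path means neither file pair is visible at /sys/fs/cgroup, which is the condition under which the thread suggests --skip-mem-check.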
Hello,
I am currently trying to deploy FreeIPA within Docker and am encountering consistent failures across multiple attempts and systems. I have followed the standard installation instructions and am working with cgroup2.
Environment
Operating Systems tested: Debian 5.10.216-1 (primary), Fedora, CoreOS, Ubuntu
Docker version: Docker version 26.1.4, build 5650f9b
FreeIPA version: freeipa/freeipa-server:rocky-8-4.9.11 and freeipa/freeipa-server:fedora-40-4.12.1 and freeipa/freeipa-server:fedora-40
Steps to Reproduce
Expected Behavior
FreeIPA should deploy without errors following the provided documentation.
Actual Behavior
The deployment fails consistently, with the same error appearing in all tested environments.
Error Message
Can anyone provide insights or solutions to address this deployment issue? Any help would be greatly appreciated.
Additionally, I've successfully deployed FreeIPA using Podman without encountering any issues. My preference is to standardize on Docker for all systems in my current environment. Any suggestions to align the deployment process across Docker as effectively as with Podman would be extremely helpful.
Thank you!