#5582 Installation of DNSSEC master on upgraded IPA server fails on crashing ods-enforcerd
Closed: Duplicate None Opened 8 years ago by mbabinsk.

When upgrading IPA server from 4.2.3-2 to current master and running {{{ipa-dns-install --dnssec-master}}}, the installation fails:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up CA record
  [5/8]: setting up kerberos principal
  [6/8]: setting up named.conf
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter)
  [1/6]: checking status
  [2/6]: setting up DNS Key Exporter
  [3/6]: setting up kerberos principal
  [4/6]: disabling default signer daemon
  [5/6]: starting DNS Key Exporter
  [6/6]: configuring DNS Key Exporter to start on boot
Done configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter).
Configuring OpenDNSSEC enforcer daemon (ods-enforcerd)
  [1/8]: checking status
  [2/8]: setting up configuration files
  [3/8]: setting up ownership and file mode bits
  [4/8]: generating master key
  [5/8]: setting up OpenDNSSEC
  [6/8]: setting up ipa-dnskeysyncd
  [7/8]: starting OpenDNSSEC enforcer
  [error] CalledProcessError: Command '/bin/systemctl restart ods-enforcerd.service' returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart ods-enforcerd.service' returned non-zero exit status 1

It looks like the daemon has trouble reading data from kasp.db:

Jan 07 09:52:06 master1.ipa.test systemd[1]: Starting OpenDNSSEC Enforcer daemon...
-- Subject: Unit ods-enforcerd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit ods-enforcerd.service has begun starting up.
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24670]: opendnssec starting...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24670]: opendnssec Parent exiting...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24670]: OpenDNSSEC ods-enforcerd started (version 1.4.7), pid 24671
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: opendnssec forked OK...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: group set to: ods (992)
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: user set to: ods (995)
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: opendnssec started (version 1.4.7), pid 24671
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: HSM opened successfully.
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: Checking database connection...
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: ERROR: error executing SQL - no such table: dbadmin
Jan 07 09:52:06 master1.ipa.test ods-enforcerd[24671]: Database connection failed
Jan 07 09:52:06 master1.ipa.test systemd[1]: ods-enforcerd.service: PID file /var/run/opendnssec/enforcerd.pid not readable (yet?) after start: No such file or directory
Jan 07 09:52:06 master1.ipa.test systemd[1]: Failed to start OpenDNSSEC Enforcer daemon.
-- Subject: Unit ods-enforcerd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit ods-enforcerd.service has failed.
-- 
-- The result is failed.
Jan 07 09:52:06 master1.ipa.test systemd[1]: ods-enforcerd.service: Unit entered failed state.

Indeed, /var/opendnssec/kasp.db file exists, but is empty:

[root@master1 ~]# ls -l /var/opendnssec/kasp.db
-rw-rw----. 1 ods ods 0 Jan  7 09:35 /var/opendnssec/kasp.db

Steps to reproduce:

1.) install 4.2.3-2 IPA master with DNS
2.) upgrade master to current git version
3.) run {{{ipa-dns-install}}} to promote server to DNSSEC keymaster

Expected result:

DNSSEC daemons are configured successfully.

Actual result:

DNSSEC setup fails because ods-enforcerd fails to start
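
A read-only pre-flight check for the condition in this report (a zero-byte kasp.db, so the enforcer finds no `dbadmin` table), as an added example that is not part of the original ticket or of FreeIPA/OpenDNSSEC code. It assumes the KASP database is an SQLite file; the function names and the sample files built in `demo()` are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any SQLite 3 file

def kasp_db_state(path, required_table="dbadmin"):
    """Return 'missing', 'empty', 'not-sqlite', 'no-schema' or 'ok'."""
    if not os.path.exists(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"  # the state shown by `ls -l` in this ticket
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return "not-sqlite"
    # Open read-only so the check can never create or alter the database.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        conn = sqlite3.connect(uri, uri=True)
        try:
            row = conn.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                (required_table,),
            ).fetchone()
        finally:
            conn.close()
    except sqlite3.DatabaseError:
        return "not-sqlite"  # header present but SQLite cannot read the file
    return "ok" if row else "no-schema"

def demo():
    """Classify constructed sample files (not real OpenDNSSEC data)."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.db")
        open(empty, "wb").close()
        results = {"missing": kasp_db_state(os.path.join(tmp, "absent.db")),
                   "empty": kasp_db_state(empty)}
        # Column layouts below are placeholders, not the real KASP schema.
        for name, ddl in (("no_schema", "CREATE TABLE other (x INTEGER)"),
                          ("ok", "CREATE TABLE dbadmin (version INTEGER)")):
            db = os.path.join(tmp, name + ".db")
            conn = sqlite3.connect(db)
            conn.execute(ddl)
            conn.commit()
            conn.close()
            results[name] = kasp_db_state(db)
        return results

if __name__ == "__main__":
    print(demo())
```

On the affected server, `kasp_db_state("/var/opendnssec/kasp.db")` would report `empty` for the file listed above.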


This is caused by the same root cause as the bug #5574

Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
