Some logic should be added in ipalib/constants.py so if
import platform platform.processor() 'armv7l'
startup_timeout is 900 seconds to allow dogtag the time it requires to restart which is about 10 to 13 minutes depending on load.
Editing startup_timeout to 900 manually works just fine.
I have not seen the mail thread about it but I am not sure that this is the right fix. It would sure fix the symptom but not the cause. The fact that Dogtag is taking that amount of time to restart is alarming. I suspect it is related to the entropy collection (pure speculation on my side BTW). So if there is a way to speed up things on the Dogtag side would be better. We should open a ticket for Dogtag to investigate and potentially optimize the startup time.
It only occurs during ipa-server-install, and ipa-replica-install as far as I have noticed. So yes I would concur the likely hood of entropy.
After installation everything starts up at a reasonable time. I'll investigate a bit more and see if I can narrow it down. Otherwise, I'll have to turn the server over to someone to investigate.
It's just my house lab that I'm setting up for testing anyway. To progress my knowledge of FreeIPA in a commercial production setting with my companies products that can be found in any DC. I'm finding more people are asking about FreeIPA and how to integrate with it. I am trying to get ahead of the curve and using an arm device keeps electrical costs down since just powering one of our products is an extra $300 a month already at a minimum. I have IPA on a VM as well, so certainly not critical. But since storage needs to see IPA when it powers up, I was using the arm device as crutch till the VMs come online from the storage.
So for the sake of interest...
ipa1 is a server class system beast I put together ~10 years ago. 2x 6 core AMD 2.9G with 32GB ECC, on a VM with 4 shared cores.
ipa2 is a Raspberry Pi 3 - Quad Core ARMv7 Processor, 1GB RAM
[root@ipa1 ~]# cat /proc/cpuinfo processor : 0 vendor_id : AuthenticAMD cpu family : 16 model : 8 model name : Six-Core AMD Opteron(tm) Processor 2435 stepping : 0 microcode : 0x10000bf cpu MHz : 2600.258 cache size : 512 KB physical id : 0 siblings : 4 core id : 0 cpu cores : 4 apicid : 0 initial apicid : 0 fpu : yes fpu_exception : yes cpuid level : 5 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl extd_apicid pni cx16 popcnt lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch bogomips : 5200.51 TLB size : 1024 4K pages clflush size : 64 cache_alignment : 64 address sizes : 48 bits physical, 48 bits virtual power management: [root@ipa1 ~]# cat /dev/random | rngtest -c 1000 rngtest 5 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 1000 rngtest: FIPS 140-2 failures: 0 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 0 rngtest: FIPS 140-2(2001-10-10) Runs: 0 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=437.175; avg=8112.595; max=15024.038)Kibits/s rngtest: FIPS tests speed: (min=19.930; avg=113.974; max=128.875)Mibits/s rngtest: Program run time: 2586639 microseconds [root@ipa2 ~]# cat /proc/cpuinfo processor : 0 model name : ARMv7 Processor rev 4 (v7l) BogoMIPS : 38.40 Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x0 CPU part : 0xd03 CPU revision : 4 ... Hardware : BCM2709 Revision : a22082 [root@ipa2 ~]# cat /dev/random | rngtest -c 1000 rngtest 5 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 997 rngtest: FIPS 140-2 failures: 3 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 0 rngtest: FIPS 140-2(2001-10-10) Runs: 1 rngtest: FIPS 140-2(2001-10-10) Long run: 2 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=173.105; avg=2727.545; max=3394.378)Kibits/s rngtest: FIPS tests speed: (min=10.868; avg=26.617; max=26.864)Mibits/s rngtest: Program run time: 7880159 microseconds
If you have somewhere for me to send the install log so it's not public, I can send the entire log otherwise here is just the most notable clips from ipa2 for a peek and sanitized for your viewing pleasure:
cat /var/log/ipareplica-install.log |grep -E 'timeout|duration' ... 2016-08-27T05:10:51Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 900 2016-08-27T05:11:25Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T05:11:55Z DEBUG The CA status is: check interrupted due to error: Command '/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus' returned non-zero exit status 28 ... 2016-08-27T05:24:21Z DEBUG The CA status is: check interrupted due to error: Command '/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus' returned non-zero exit status 28 2016-08-27T05:24:22Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T05:24:46Z DEBUG duration: 836 seconds 2016-08-27T05:24:47Z DEBUG duration: 1 seconds 2016-08-27T05:24:48Z DEBUG duration: 1 seconds 2016-08-27T05:24:48Z DEBUG duration: 0 seconds 2016-08-27T05:24:49Z DEBUG duration: 0 seconds 2016-08-27T05:24:49Z DEBUG duration: 0 seconds 2016-08-27T05:24:58Z DEBUG duration: 9 seconds 2016-08-27T05:25:02Z DEBUG duration: 3 seconds 2016-08-27T05:25:03Z DEBUG duration: 1 seconds 2016-08-27T05:25:06Z DEBUG duration: 2 seconds 2016-08-27T05:25:07Z DEBUG duration: 0 seconds 2016-08-27T05:25:07Z DEBUG duration: 0 seconds 2016-08-27T05:25:33Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 900 2016-08-27T05:26:21Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T05:26:51Z DEBUG The CA status is: check interrupted due to error: Command '/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus' returned non-zero exit status 28 ... 2016-08-27T05:38:47Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T05:39:17Z DEBUG The CA status is: check interrupted due to error: Command '/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus' returned non-zero exit status 28 2016-08-27T05:39:18Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T05:39:41Z DEBUG duration: 874 seconds 2016-08-27T05:46:41Z DEBUG duration: 420 seconds 2016-08-27T05:46:54Z DEBUG duration: 12 seconds 2016-08-27T05:47:06Z DEBUG duration: 11 seconds 2016-08-27T05:47:06Z DEBUG duration: 0 seconds 2016-08-27T05:47:23Z DEBUG wait_for_open_ports: localhost [389] timeout 900 2016-08-27T05:47:25Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 900 2016-08-27T05:47:59Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T05:48:29Z DEBUG The CA status is: check interrupted due to error: Command '/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus' returned non-zero exit status 28 ... 2016-08-27T06:14:29Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T06:14:59Z DEBUG The CA status is: check interrupted due to error: Command '/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus' returned non-zero exit status 28 2016-08-27T06:15:00Z DEBUG args=/usr/bin/curl -o - --connect-timeout 30 -k https://ipa2.test.lan:8443/ca/admin/ca/getStatus 2016-08-27T06:15:20Z DEBUG duration: 0 seconds 2016-08-27T06:15:28Z DEBUG duration: 7 seconds 2016-08-27T06:15:35Z DEBUG session_auth_duration: 0:20:00 2016-08-27T06:15:36Z DEBUG session_auth_duration: 0:20:00 2016-08-27T06:15:36Z DEBUG session_auth_duration: 0:20:00 2016-08-27T06:15:36Z DEBUG session_auth_duration: 0:20:00
possible fix might be to make ipalib/constants.py adjustable by a configuration file in server/replica installation
Metadata Update from @cordel: - Issue assigned to someone - Issue set to the milestone: Future Releases
The startup_timeout parameter can be tuned. If you need to modify the value for ipa-server-install or ipa-replica-install, create a file /etc/ipa/installer.conf with the following content:
$ cat /etc/ipa/installer.conf [global] startup_timeout=900
(the startup_timeout is a value in seconds and can be adapter for your system).
Metadata Update from @frenaud: - Issue close_status updated to: None
An issue #7327 has been opened to track the lack of documentation.
Closing this as it will be covered by documentation and is mentioned on the wiki, https://www.freeipa.org/page/ARM
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.