#7378 ipa-ods-exporter fails with socket activation did not return socket
Closed: fixed 6 years ago Opened 6 years ago by cheimes.

Issue

ipa-ods-exporter fails with socket activation did not return socket when installing DNSSEC and enabling DNSSEC for a domain. This breaks DNSSEC support.

Steps to Reproduce

  1. ipa-server-install ...
  2. ipa-dns-install --dnssec-master --auto-forwarders --auto-reverse --unattended
  3. ipa dnszone-mod $DOMAIN --dnssec=true

Actual behavior

ipa-ods-exporter fails to set up DNSSEC key material. dig +dnssec $DOMAIN SOA does not report RRSIG.

Expected behavior

dig +dnssec $DOMAIN SOA contains RRSIG as explained at https://www.freeipa.org/page/Howto/DNSSEC

Version/Release/Distribution

  • freeipa-server-4.6.2.dev201801231908+gitb05e983c3-0.fc27.x86_64

Additional info:

$ journalctl -u ipa-ods-exporter.service -o cat
replica pub keys in LDAP: set(['0x0ecb9d24f67345eb601e487c58377700'])
replica pub keys in SoftHSM: set(['0x0ecb9d24f67345eb601e487c58377700'])
new replica keys in LDAP: set([])
obsolete replica keys in local HSM: set([])
ldap2master_replica: keys in local HSM & LDAP: set(['0x0ecb9d24f67345eb601e487c58377700'])
master keys in local HSM: set(['0xa7ebe934d0502085fdc72f28e85afe2e'])
master keys in LDAP HSM: set(['0xa7ebe934d0502085fdc72f28e85afe2e'])
new master keys in local HSM: set([])
master keys in LDAP after flush: set(['0xa7ebe934d0502085fdc72f28e85afe2e'])
synchronizing master key metadata: 0xa7ebe934d0502085fdc72f28e85afe2e
enabled replica key ids: set(['0x0ecb9d24f67345eb601e487c58377700'])
processing master key data: 0xa7ebe934d0502085fdc72f28e85afe2e
master key 0xa7ebe934d0502085fdc72f28e85afe2e is not wrapped with replica keys set([])
zone keys in LDAP: set([])
zone keys in local HSM: set([])
new zone keys in local HSM: set([])
master2ldap_zone_keys: keys in local HSM & LDAP: set([])
master2ldap_zone_keys: keys in local HSM & LDAP: set([])
socket activation did not return socket with a command

I have seen this issue multiple times when I was testing DNSSEC with Python 3. A small timeout in the select() call fixed the issue for me. See https://github.com/freeipa/freeipa/pull/1289/commits/35fe1312d85fe4d50fe4a3c105e88a7672b1e65e
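The poll-versus-wait distinction behind the fix the reporter links, as an added example that is not ipa-ods-exporter's own code. It assumes systemd's socket-activation protocol (LISTEN_PID/LISTEN_FDS, first inherited descriptor at fd 3, Accept=no so the service gets the listening socket itself) and a client that sends one short command over that socket. The helper names `activated_fds` and `wait_for_command`, the demo client, and its command string are all constructed for this illustration.

```python
"""Why select() with timeout 0 on an activated socket can report "no command".

Added example, not FreeIPA code. Assumes the systemd LISTEN_FDS protocol and a
one-shot client that connects and sends a single text command.
"""
import select
import socket
import threading
import time

SD_LISTEN_FDS_START = 3  # systemd passes inherited sockets starting at fd 3


def activated_fds(environ, pid):
    """Return the fds systemd handed to this process, or [] if not activated.

    LISTEN_PID must equal our own pid; otherwise the variables were inherited
    from a parent and the descriptors are not ours to use.  A caller would wrap
    the first one with socket.socket(fileno=fd).
    """
    try:
        if int(environ.get("LISTEN_PID", "0")) != pid:
            return []
        nfds = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + nfds))


def wait_for_command(listener, timeout, maxlen=256):
    """Accept one connection on `listener` and return its command, or None.

    With timeout 0, select() is a pure poll: if no connection is queued at
    that exact instant the function returns None, which is what the
    "socket activation did not return socket with a command" error reflects.
    A small positive timeout lets a connection that is about to arrive land.
    """
    readable, _, _ = select.select([listener], [], [], timeout)
    if not readable:
        return None
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(timeout or 1.0)
        return conn.recv(maxlen).strip()


def demo(delay=0.2):
    """Constructed race: the client connects `delay` seconds after the first
    poll.  Returns (result of zero-timeout poll, result of bounded wait)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    addr = listener.getsockname()

    def client():
        time.sleep(delay)
        with socket.create_connection(addr) as c:
            c.sendall(b"update example.test\n")  # constructed command

    t = threading.Thread(target=client)
    t.start()
    first = wait_for_command(listener, 0)      # polls before the client connects
    second = wait_for_command(listener, 2.0)   # waits long enough for it
    t.join()
    listener.close()
    return first, second


if __name__ == "__main__":
    print(demo())
```

The bounded wait is a mitigation, not a proof that the socket will always be readable: if the service is started without any client connected (a plain `systemctl start`, or a dependency pulling it in), no timeout will produce a command, so the caller still has to handle None cleanly.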


Metadata Update from @cheimes:
- Issue assigned to cheimes

6 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1490

6 years ago

Metadata Update from @cheimes:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.6.3

6 years ago

I'm setting this to critical because it caused my 4.6.3 test system to fail.

master:

  • e1e3218 Give ODS socket a bit of time

ipa-4-6:

  • 57a8693 Give ODS socket a bit of time

It's still not working correctly. I'm getting a SELinux violation:

type=AVC msg=audit(1516781702.689:1031): avc:  denied  { execute_no_trans } for  pid=104673 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=0

I'm able to fix DNSSEC by setting the opendnssec domain to permissive and re-creating DNSSEC information for my domain:

$ semanage permissive -a opendnssec_t
$ ipa dnszone-mod $DOMAIN --dnssec=false
$ ipa dnszone-mod $DOMAIN --dnssec=true
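The AVC record above is the kind of line a practitioner wants to spot automatically after a DNSSEC enablement fails, because an enforced `execute_no_trans` denial against `ods-signer` leaves no error in the exporter's own output. As an added example that is not FreeIPA or selinux-policy code, the following parses raw audit AVC records (the record quoted above plus two constructed lines) and keeps only enforced file-execution denials; the helper names `parse_avc` and `enforced_exec_denials` are mine.

```python
"""Pull enforced execute denials out of raw audit AVC records.

Added example, not project code.  The first sample line is the denial quoted
in this ticket; the other two are constructed to show a permissive hit and a
non-AVC record being skipped.
"""
import re
from collections import namedtuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Denial = namedtuple("Denial", "perms comm path sdomain ttype tclass permissive")

SAMPLE_AUDIT = [
    'type=AVC msg=audit(1516781702.689:1031): avc:  denied  { execute_no_trans } for  pid=104673 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=0',
    # constructed: same denial after `semanage permissive -a opendnssec_t`
    'type=AVC msg=audit(1516781800.000:1040): avc:  denied  { execute_no_trans } for  pid=104700 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=1',
    # constructed: unrelated record, must be ignored
    'type=SERVICE_STOP msg=audit(1516781801.000:1041): pid=1 uid=0 msg=\'unit=ipa-ods-exporter res=failed\'',
]


def _ctx_type(ctx):
    """system_u:system_r:opendnssec_t:s0 -> opendnssec_t"""
    parts = ctx.split(":") if ctx else []
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm"),
        path=fields.get("path"),
        sdomain=_ctx_type(fields.get("scontext")),
        ttype=_ctx_type(fields.get("tcontext")),
        tclass=fields.get("tclass"),
        permissive=fields.get("permissive") == "1",
    )


def enforced_exec_denials(lines):
    """Denials where a confined domain was actually blocked (permissive=0)
    from executing a file.  permissive=1 records are logged but not enforced,
    so they do not explain a failure; they do show what the policy would block."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None or d.permissive or d.tclass != "file":
            continue
        if {"execute", "execute_no_trans"} & set(d.perms):
            out.append(d)
    return out


if __name__ == "__main__":
    for d in enforced_exec_denials(SAMPLE_AUDIT):
        print(f"{d.sdomain} blocked from {d.perms} {d.path} ({d.ttype})")
```

Making `opendnssec_t` permissive, as in the workaround above, removes enforcement for that whole domain; the records keep appearing with `permissive=1`, which is a convenient way to confirm that a later policy update (here selinux-policy-3.13.1-283.21) really closed the gap before `semanage permissive -d opendnssec_t` is run.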

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

6 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

selinux-policy-3.13.1-283.21 has fixed the issue.

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.4)
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • df0e669 Bump SELinux policy for DNSSEC

ipa-4-6:

  • 48564ad Bump SELinux policy for DNSSEC

This issue is back as of 3/2021. FreeIPA 4.9.2-4.fc33, SELinux=permissive as well. The 'timeout=1' addition didn't work, and neither did timeout=10, timeout=100 or 600.

Mar 07 09:40:32 registry1.1.quietfountain.com ipa-ods-exporter[108845]: ipa-ods-exporter: CRITICAL socket activation did not return a readable socket with a command.
Mar 07 09:40:33 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
Mar 07 09:40:33 registry1.1.quietfountain.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-ods-exporter comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Mar 07 09:40:33 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
Mar 07 09:40:33 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 16.676s CPU time.

Added to related item https://bugzilla.redhat.com/show_bug.cgi?id=1537971

A re-install on fc33 no longer generates this message on the same VM on the same host. DS records don't make it into named, but all the opendnssec debugging tips look normal.
I'll open a different bug report, since it appears I can't reproduce this on an install done at a later date. Still probably some race condition.
