When /proc/sys/crypto is absent on a system, freeipa-server-install fails on FreeIPA 4.6.x versions.
I'm seeing this on CoreOS Container Linux systems, and an Ubuntu user has reported it too.
Installer fails. Top-level message:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [error] RuntimeError: CA configuration failed.
FreeIPA server configuration failed.

Debug log messages:

2018-06-27T02:21:46Z DEBUG Starting external process
2018-06-27T02:21:46Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp8pcfosjl
2018-06-27T02:24:02Z DEBUG Process finished, return code=1
2018-06-27T02:24:02Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180627022147.log
Loading deployment configuration from /tmp/tmp8pcfosjl.
WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use 'pki_sslserver_nickname' instead.
WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated. Use 'pki_sslserver_subject_dn' instead.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: server failed to restart
2018-06-27T02:24:02Z DEBUG stderr=pkispawn    : ERROR    ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
pkispawn    : ERROR    ....... server failed to restart
2018-06-27T02:24:02Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp8pcfosjl' returned non-zero exit status 1.
2018-06-27T02:24:02Z CRITICAL See the installation logs and the following files/directories for more information:
2018-06-27T02:24:02Z CRITICAL   /var/log/pki/pki-tomcat
2018-06-27T02:24:02Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 150, in spawn_instance
    ipautil.run(args, nolog=nolog_list)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 561, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
subprocess.CalledProcessError: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp8pcfosjl' returned non-zero exit status 1.
Installer should complete successfully.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.3-2.fc27.x86_64
freeipa-client-4.6.3-2.fc27.x86_64
389-ds-base-1.3.7.10-1.fc27.x86_64
pki-ca-10.5.7-2.fc27.noarch
krb5-server-1.15.2-9.fc27.x86_64
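The stderr above shows the actual failure: pkispawn shells out to `sysctl crypto.fips_enabled -bn`, and when `/proc/sys/crypto` does not exist (as in the reporter's container) sysctl exits 255, which pkispawn treats as fatal rather than as "not a FIPS system". The following is an added illustration of a tolerant FIPS probe; it is not Dogtag's code and not the fix from Dogtag PR #18. The function names, the `path`/`sysctl` parameters and the fallback order are this example's own assumptions; the only facts taken from the page are the sysctl invocation and its exit status 255.

```python
"""
Tolerant FIPS-mode probe (added example, not pki-server code).

Failure mode from the report above: `sysctl crypto.fips_enabled -bn` exits
non-zero (255 in the log) when /proc/sys/crypto is absent, e.g. in some
containers, and a caller that treats any non-zero exit as fatal aborts the
whole CA install.  This probe reads the kernel flag directly, falls back to
sysctl(8), and treats "absent" as "FIPS mode not enabled" instead of as an
installer-fatal error.
"""
import os
import subprocess

# Standard kernel location of the FIPS flag (assumption: same path the
# sysctl key crypto.fips_enabled maps to).
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def fips_enabled_from_file(path=FIPS_FLAG):
    """Return True if the kernel reports FIPS mode via `path`, False if the
    flag reads 0 or the file does not exist.  Raises only on unexpected
    content, which really is an error worth surfacing."""
    try:
        with open(path) as f:
            value = f.read().strip()
    except FileNotFoundError:
        # /proc/sys/crypto missing entirely: not a FIPS system, and not a
        # reason to fail the install.
        return False
    if value not in ("0", "1"):
        raise ValueError(f"unexpected value {value!r} in {path}")
    return value == "1"


def fips_enabled_from_sysctl(sysctl="sysctl"):
    """Fallback via sysctl(8).  Returns None when sysctl cannot answer
    (binary missing, unknown key, non-zero exit such as the 255 in the log),
    so the caller can tell 'unknown' from 'disabled'."""
    try:
        result = subprocess.run(
            [sysctl, "crypto.fips_enabled", "-bn"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    if result.returncode != 0:
        return None
    out = result.stdout.strip()
    return out == "1" if out in ("0", "1") else None


def fips_enabled(path=FIPS_FLAG, sysctl="sysctl"):
    """Combined probe an installer could use: prefer the procfs flag, fall
    back to sysctl, and default to False when neither source can answer."""
    if os.path.exists(path):
        return fips_enabled_from_file(path)
    via_sysctl = fips_enabled_from_sysctl(sysctl)
    return bool(via_sysctl) if via_sysctl is not None else False


if __name__ == "__main__":
    print("FIPS mode enabled:", fips_enabled())
```

The design point is the distinction between "the flag is 0", "the flag is absent" and "the probe itself failed": only the last should ever abort an installer, and even then only if the installer genuinely cannot proceed without knowing.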
I inquired in the same freeipa-users thread linked above.
@rcritten said running FreeIPA in containers is uncharted territory. He recommended filing an issue against dogtag, which I did here, as well as updating this issue with research links, which I will do.
I also have a long-running issue on the GitHub freeipa-container project tracking FreeIPA 4.6 container support. (Not much there is relevant to this specific issue ATM, although as @jpazdziora points out, the dogtag configuration step has been an ongoing issue when installing in containers.)
To be clear, I said running IPA In LXC containers is uncharted territory.
@rcritten My apologies, I went back and saw how I misrepresented what you said.
Hopefully I'm not blazing new ground, then, since I'm running in Docker, the container technology the freeipa-container project focuses on.
Dogtag PKI PR #18 resolves this.
Merged in commit 11fa1e2. This issue may be closed.
We'll use this to track the upstream dogtag release and reset IPA dependencies accordingly.
Setting milestone to 4.7 for now.
Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7
Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1599572
Issue linked to Bugzilla: Bug 1599572
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Fixed in upstream dogtag in v10.6.3.
This has landed in F29+.
I see a build for F28 in koji but no update was created for it. @edewata are you planning to push this into F28 or is it only going to land in F29+? I just need to know to get the milestone right.
@edewata pointed out that 10.6.6 is in F28 updates-testing. So all we need to do for this is to bump the minimum n-v-r once that goes to stable. I'll create the freeipa PR.
It is already submitted to stable this morning. Tomorrow we'll have it in F28 stable updates and @mreznik can do PR CI template updates.
https://github.com/freeipa/freeipa/pull/2345
Once the package lands and the templates are updated this PR will begin to work at which time it can be pushed. In the meantime I'm marking as WIP.
Metadata Update from @rcritten:
- Issue assigned to rcritten
master:
ipa-4-7:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)