As <persona, e.g. admin>, I want upstream fix so that FreeIPA podman container succeeds.
It would appear that something in python shutil.py falls flat on its face when it tries to move and link /root/kracert.p12 and as a result installation fails in podman container while all previous module steps succeeded in the environment.
Restarting the KDC
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/10]: configuring KRA instance
  [error] OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
[Errno 30] Read-only file system: '/root/kracert.p12'
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.

2020-05-28T02:49:11Z DEBUG Starting external process
2020-05-28T02:49:11Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmp1g2fg7od']
2020-05-28T02:56:49Z DEBUG Process finished, return code=0
2020-05-28T02:56:49Z DEBUG stdout=Installation log: /var/log/pki/pki-kra-spawn.20200528024914.log
Loading deployment configuration from /tmp/tmp1g2fg7od.
WARNING: The 'pki_ssl_server_token' in [KRA] has been deprecated. Use 'pki_sslserver_token' instead.
Installing KRA into /var/lib/pki/pki-tomcat.
2020-05-28T02:56:49Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present.
2020-05-28T02:56:49Z DEBUG Traceback (most recent call last):
  File "/usr/lib64/python3.6/shutil.py", line 552, in move
    os.rename(src, real_dst)
OSError: [Errno 18] Invalid cross-device link: '' -> '/root/kracert.p12'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krainstance.py", line 227, in __spawn_instance
    shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
  File "/usr/lib64/python3.6/shutil.py", line 566, in move
    copy_function(src, real_dst)
  File "/usr/lib64/python3.6/shutil.py", line 265, in copy2
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.6/shutil.py", line 121, in copyfile
    with open(dst, 'wb') as fdst:
OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z DEBUG [error] OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z DEBUG Removing /var/lib/ipa/tmp-p0ovpf3j
2020-05-28T02:56:49Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2020-05-28T02:56:49Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 557, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 255, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 926, in install
    kra.install(api, None, options, custodia=custodia)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/kra.py", line 96, in install
    pki_config_override=options.pki_config_override,
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krainstance.py", line 138, in configure_instance
    self.start_creation(runtime=120)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/krainstance.py", line 227, in __spawn_instance
    shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
  File "/usr/lib64/python3.6/shutil.py", line 566, in move
    copy_function(src, real_dst)
  File "/usr/lib64/python3.6/shutil.py", line 265, in copy2
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.6/shutil.py", line 121, in copyfile
    with open(dst, 'wb') as fdst:

2020-05-28T02:56:49Z DEBUG The ipa-server-install command failed, exception: OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z ERROR [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The certificate should be moved/linked without an OS error, and the install/config should proceed.

$ [root@ipa0 /]# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
389-ds-base-1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
pki-ca-10.7.3-1.module_el8.1.0+238+005506d1.noarch
krb5-server-1.17-9.el8.x86_64
[root@ipa0 /]#
Tags docker.io/freeipa/freeipa-server:centos-8 ID cf3b68d70379
Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.
I can't think of any more info to give though gladly will answer questions.
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
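
The exception chain in the log above (rename fails with Errno 18, the copy fallback then fails with Errno 30), replayed as an added example that is not part of the original ticket or of FreeIPA's code. The names `preflight`, `reproduce_chain` and `_read_only_copy` are hypothetical; the cross-device rename is simulated by patching `os.rename`, the read-only destination by an injected `copy_function`, and the sample file is constructed.

```python
import errno
import os
import shutil
import tempfile
from unittest import mock


def preflight(src, dst):
    """Report whether shutil.move(src, dst) can rename in place or must copy."""
    dst_dir = os.path.dirname(os.path.abspath(dst))
    return {
        # Different st_dev: os.rename() raises EXDEV and shutil.move copies instead.
        "same_filesystem": os.stat(src).st_dev == os.stat(dst_dir).st_dev,
        # ST_RDONLY on the destination mount: the copy fallback raises EROFS.
        "dst_read_only": bool(os.statvfs(dst_dir).f_flag & os.ST_RDONLY),
    }


def _read_only_copy(src, dst):
    # Stand-in (assumption) for copy2() opening dst on a read-only mount.
    raise OSError(errno.EROFS, "Read-only file system", dst)


def reproduce_chain():
    """Replay rename -> EXDEV -> copy -> EROFS without needing two mounts."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "backup_keys.p12")  # constructed sample file
        dst = os.path.join(tmp, "kracert.p12")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample, not a real PKCS#12")
        exdev = OSError(errno.EXDEV, "Invalid cross-device link")
        try:
            with mock.patch("os.rename", side_effect=exdev):
                shutil.move(src, dst, copy_function=_read_only_copy)
        except OSError as exc:
            # shutil.move unlinks the source only after a successful copy,
            # so the key backup is still present after the failure.
            return exc.errno, exc.__context__.errno, os.path.exists(src)
    return None


if __name__ == "__main__":
    print(reproduce_chain())
```

Running `preflight()` inside the container against the installer's real source and destination paths shows before the install starts whether the destination mount is read-only.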
@jpazdziora @tdudlak is the RA supported in a container?