#8337 Install in podman fails moving cert : OSError: [Errno 18] Invalid cross-device link: '' -> '/root/kracert.p12'
Opened 3 years ago by cordel. Modified 3 years ago

Request for enhancement

As <persona, e.g. admin>, I want upstream fix so that FreeIPA podman container succeeds.

Issue

It would appear that something in python shutil.py falls flat on its face when it tries to move and link /root/kracert.p12 and as a result installation fails in podman container while all previous module steps succeeded in the environment.

Steps to Reproduce

  1. CentOS8.1 fresh vanilla server install, install podman, and dnf update;
  2. Create podman container: podman run --dns=127.0.0.1 -e DEBUG_TRACE=1 -e DEBUG_NO_EXIT=1 -e IPA_SERVER_IP=192.168.120.10 --name ctu_ipa --conmon-pidfile=/var/run/ctu_ipa-container.pid -ti -h ipa0.test.com --read-only -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp -v /data/ipa/ipa-data:/data:Z -v /etc/machine-id:/etc/machine-id freeipa/freeipa-server:centos-8 --setup-dns --no-forwarders --no-ntp --setup-kra --no_hbac_allow --ssh-trust-dns
  3. Answer the domain/REALM questions.

Actual behavior

Restarting the KDC
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/10]: configuring KRA instance
[error] OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
[Errno 30] Read-only file system: '/root/kracert.p12'
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.

DEBUG DATA

2020-05-28T02:49:11Z DEBUG Starting external process
2020-05-28T02:49:11Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmp1g2fg7od']
2020-05-28T02:56:49Z DEBUG Process finished, return code=0
2020-05-28T02:56:49Z DEBUG stdout=Installation log: /var/log/pki/pki-kra-spawn.20200528024914.log
Loading deployment configuration from /tmp/tmp1g2fg7od.
WARNING: The 'pki_ssl_server_token' in [KRA] has been deprecated. Use 'pki_sslserver_token' instead.
Installing KRA into /var/lib/pki/pki-tomcat.

2020-05-28T02:56:49Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present.

2020-05-28T02:56:49Z DEBUG Traceback (most recent call last):
File "/usr/lib64/python3.6/shutil.py", line 552, in move
os.rename(src, real_dst)
OSError: [Errno 18] Invalid cross-device link: '' -> '/root/kracert.p12'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/krainstance.py", line 227, in __spawn_instance
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
File "/usr/lib64/python3.6/shutil.py", line 566, in move
copy_function(src, real_dst)
File "/usr/lib64/python3.6/shutil.py", line 265, in copy2
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib64/python3.6/shutil.py", line 121, in copyfile
with open(dst, 'wb') as fdst:
OSError: [Errno 30] Read-only file system: '/root/kracert.p12'

2020-05-28T02:56:49Z DEBUG [error] OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z DEBUG Removing /var/lib/ipa/tmp-p0ovpf3j
2020-05-28T02:56:49Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2020-05-28T02:56:49Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 557, in main
master_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 255, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 926, in install
kra.install(api, None, options, custodia=custodia)
File "/usr/lib/python3.6/site-packages/ipaserver/install/kra.py", line 96, in install
pki_config_override=options.pki_config_override,
File "/usr/lib/python3.6/site-packages/ipaserver/install/krainstance.py", line 138, in configure_instance
self.start_creation(runtime=120)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/krainstance.py", line 227, in __spawn_instance
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
File "/usr/lib64/python3.6/shutil.py", line 566, in move
copy_function(src, real_dst)
File "/usr/lib64/python3.6/shutil.py", line 265, in copy2
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib64/python3.6/shutil.py", line 121, in copyfile
with open(dst, 'wb') as fdst:

2020-05-28T02:56:49Z DEBUG The ipa-server-install command failed, exception: OSError: [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z ERROR [Errno 30] Read-only file system: '/root/kracert.p12'
2020-05-28T02:56:49Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected behavior

The certificate should be moved/linked without an OS error, and the install/config should proceed.

Version/Release/Distribution

$ [root@ipa0 /]# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
389-ds-base-1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
pki-ca-10.7.3-1.module_el8.1.0+238+005506d1.noarch
krb5-server-1.17-9.el8.x86_64
[root@ipa0 /]#

Tags
docker.io/freeipa/freeipa-server:centos-8
ID
cf3b68d70379

Additional info:

Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.

I can't think of any more info to give though gladly will answer questions.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
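
The traceback above shows `shutil.move` trying `os.rename`, getting Errno 18, falling back to a copy, and the copy failing with Errno 30. The following is an added example, not part of the original ticket or of FreeIPA's code: it replays that two-stage chain without a container by patching `os.rename` and passing a failing `copy_function`, and adds a hypothetical `preflight` helper that checks the two conditions involved. File names and contents are constructed.

```python
import errno
import os
import shutil
import tempfile
from unittest import mock


def preflight(src, dst):
    """Report the two conditions that decide how shutil.move(src, dst) behaves."""
    dst_dir = os.path.dirname(os.path.abspath(dst))
    # Different st_dev means os.rename raises EXDEV and move() falls back to a copy.
    same_device = os.stat(src).st_dev == os.stat(dst_dir).st_dev
    # ST_RDONLY on the destination mount means that copy cannot open dst for writing.
    read_only = bool(os.statvfs(dst_dir).f_flag & os.ST_RDONLY)
    return {"same_device": same_device, "dst_read_only": read_only}


def reproduce_chain():
    """Replay the chained failure: EXDEV from rename, then EROFS from the copy.

    Returns (errno names with the raised error first, whether the source file
    survived, preflight result for the temporary paths).
    """
    def read_only_copy(src, dst):
        # Stand-in for copy2() hitting a read-only destination mount.
        raise OSError(errno.EROFS, os.strerror(errno.EROFS), dst)

    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src_keys.p12")   # constructed stand-in file
        dst = os.path.join(tmp, "kracert.p12")
        with open(src, "wb") as f:
            f.write(b"constructed placeholder, not a real PKCS#12 file")
        exdev = OSError(errno.EXDEV, os.strerror(errno.EXDEV), src)
        try:
            with mock.patch("os.rename", side_effect=exdev):
                shutil.move(src, dst, copy_function=read_only_copy)
        except OSError as exc:
            # exc is what the caller sees; exc.__context__ is the earlier EXDEV,
            # printed above "During handling of the above exception".
            chain = [errno.errorcode[exc.errno],
                     errno.errorcode[exc.__context__.errno]]
            # move() unlinks the source only after a successful copy.
            return chain, os.path.exists(src), preflight(src, dst)
    return [], False, {}
```

The error that reaches the caller is EROFS; the EXDEV is only the trigger for the copy fallback, and the source file is left in place when the copy fails.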


@jpazdziora @tdudlak is the RA supported in a container?
