#8397 Cannot remove first master server with KRA after the server hard disk failed (destroyed)
Closed: fixed 2 years ago by frenaud. Opened 3 years ago by khoaitaybeo86.

Request for enhancement

As admin, I want to remove the first master server with KRA installed to complete the failover to the new master.

Issue

Recently, the hard disk drive on the first master failed (not recoverable). I was able to switch CA renewal to a new replica master server, but while trying to remove the old master from the replication topology I encountered the following error:

root@tobor-new:280 # ipa-replica-manage del first-master.sample.com -v --force
ipa: WARNING: Lookup failed: Preferred host new-master.sample.com does not provide KRA.
ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
('Connection aborted.', error(111, 'Connection refused'))

This error prevents me from removing first-master.sample.com and also causes new replication to fail while trying to search DNS from the first-master.sample.com DNS server.

Is anyone aware of this issue?

Steps to Reproduce

  1. Install IPA server with KRA on the first master
  2. Create a replica of the first master instance
  3. Power off the first master.
  4. Promote the replica master to CA renewal and cert generation.
  5. Try to remove the first master

Actual behavior

Error trying to remove first master.
root@new-master:381 # ipa server-del first-master.sample.com --ignore-last-of-role --force
Removing first-master.sample.com from replication topology, please wait...
ipa: ERROR: an internal error has occurred

root@first-master:280 # ipa-replica-manage del first-master.sample.com -v --force
ipa: WARNING: Lookup failed: Preferred host new-master.sample.com does not provide KRA.
ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
('Connection aborted.', error(111, 'Connection refused'))

Expected behavior

(what do you expect to happen)

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

Additional info:

package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-5.el7.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64

Domain level

Current domain level: 1

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting


Hi @khoaitaybeo86
Can you provide the versions that you are using:
rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

and also the domain-level of your topology:
kinit admin
ipa domainlevel-get

If the domain level is 1, the correct command to remove a server is
ipa server-del
as described in Linux Domain Identity, Authentication, and Policy Guide
and it provides the option --ignore-last-of-role to force removal even if the server to be removed is the only one providing a specific service.

@frenaud Thanks, I have updated my original post with more information.

ipa server-del --ignore-last-of-role also gave me internal error.

For internal errors look to the Apache error log: /var/log/httpd/error_log

@rcritten Thanks for pointing out the error_log. Looks like IPA tried to connect to the corrupted first-master.svceng.com and then threw an error when it was not able to connect.

[Sun Jul 05 22:38:01.233321 2020] [:error] [pid 57586] ipa: WARNING: Lookup failed: Preferred host tobor-new.svceng.com does not provide KRA.
[Sun Jul 05 22:38:01.245575 2020] [:error] [pid 57586] ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
[Sun Jul 05 22:38:04.264266 2020] [:error] [pid 57586] ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
[Sun Jul 05 22:38:07.272380 2020] [:error] [pid 57586] ipa: ERROR: non-public: ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
[Sun Jul 05 22:38:07.272405 2020] [:error] [pid 57586] Traceback (most recent call last):
[Sun Jul 05 22:38:07.272408 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Sun Jul 05 22:38:07.272410 2020] [:error] [pid 57586]     result = command(*args, **options)
[Sun Jul 05 22:38:07.272413 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Sun Jul 05 22:38:07.272415 2020] [:error] [pid 57586]     return self.__do_call(*args, **options)
[Sun Jul 05 22:38:07.272418 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Sun Jul 05 22:38:07.272420 2020] [:error] [pid 57586]     ret = self.run(*args, **options)
[Sun Jul 05 22:38:07.272423 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Sun Jul 05 22:38:07.272425 2020] [:error] [pid 57586]     return self.execute(*args, **options)
[Sun Jul 05 22:38:07.272428 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1590, in execute
[Sun Jul 05 22:38:07.272430 2020] [:error] [pid 57586]     delete_entry(pkey)
[Sun Jul 05 22:38:07.272433 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1541, in delete_entry
[Sun Jul 05 22:38:07.272435 2020] [:error] [pid 57586]     dn = callback(self, ldap, dn, *nkeys, **options)
[Sun Jul 05 22:38:07.272438 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 751, in pre_callback
[Sun Jul 05 22:38:07.272440 2020] [:error] [pid 57586]     pkey, ignore_last_of_role=options.get('ignore_last_of_role', False)
[Sun Jul 05 22:38:07.272443 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 510, in _ensure_last_of_role
[Sun Jul 05 22:38:07.272445 2020] [:error] [pid 57586]     vault_config = self.api.Command.vaultconfig_show()['result']
[Sun Jul 05 22:38:07.272448 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Sun Jul 05 22:38:07.272450 2020] [:error] [pid 57586]     return self.__do_call(*args, **options)
[Sun Jul 05 22:38:07.272452 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Sun Jul 05 22:38:07.272463 2020] [:error] [pid 57586]     ret = self.run(*args, **options)
[Sun Jul 05 22:38:07.272465 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Sun Jul 05 22:38:07.272467 2020] [:error] [pid 57586]     return self.execute(*args, **options)
[Sun Jul 05 22:38:07.272469 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/vault.py", line 1001, in execute
[Sun Jul 05 22:38:07.272472 2020] [:error] [pid 57586]     transport_cert = kra_client.system_certs.get_transport_cert()
[Sun Jul 05 22:38:07.272474 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 431, in handler
[Sun Jul 05 22:38:07.272476 2020] [:error] [pid 57586]     return fn_call(inst, *args, **kwargs)
[Sun Jul 05 22:38:07.272478 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 54, in get_transport_cert
[Sun Jul 05 22:38:07.272480 2020] [:error] [pid 57586]     response = self.connection.get(url, self.headers)
[Sun Jul 05 22:38:07.272482 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 46, in wrapper
[Sun Jul 05 22:38:07.272484 2020] [:error] [pid 57586]     return func(self, *args, **kwargs)
[Sun Jul 05 22:38:07.272486 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 159, in get
[Sun Jul 05 22:38:07.272488 2020] [:error] [pid 57586]     data=payload)
[Sun Jul 05 22:38:07.272490 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 498, in get
[Sun Jul 05 22:38:07.272492 2020] [:error] [pid 57586]     return self.request('GET', url, **kwargs)
[Sun Jul 05 22:38:07.272494 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request
[Sun Jul 05 22:38:07.272496 2020] [:error] [pid 57586]     resp = self.send(prep, **send_kwargs)
[Sun Jul 05 22:38:07.272499 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send
[Sun Jul 05 22:38:07.272501 2020] [:error] [pid 57586]     r = adapter.send(request, **kwargs)
[Sun Jul 05 22:38:07.272503 2020] [:error] [pid 57586]   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
[Sun Jul 05 22:38:07.272505 2020] [:error] [pid 57586]     raise ConnectionError(err, request=request)
[Sun Jul 05 22:38:07.272507 2020] [:error] [pid 57586] ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
[Sun Jul 05 22:38:07.272759 2020] [:error] [pid 57586] ipa: INFO: [jsonserver_session] admin@SVCENG.COM: server_del/1([u'first-master.sample.com'], version=u'2.231'): InternalError

Apologies for the extreme delay, are you still experiencing this problem?

Metadata Update from @rcritten:
- Issue assigned to rcritten

2 years ago

I can reproduce this.

It's failing trying to determine if the last KRA server will be removed because it can't contact the last KRA server.

I think the solution is to depend on the server roles to determine where a KRA is configured.

master:

  • 10bd66d Use new method in check to prevent removal of last KRA
  • 2097776 ipatests: test removing last KRA when it is not running

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1985069

2 years ago

ipa-4-9:

  • 0b9adf1 Use new method in check to prevent removal of last KRA
  • 8ea8f8b ipatests: test removing last KRA when it is not running

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @rcritten:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)

2 years ago

The previous fix includes server_server=hostname in the role-find. This limits the search to only the current server. We're trying to see if there are any KRA servers, not whether the current server has one.

master:

  • 3bcbc86 Don't limit role-find by hostname when searching for last KRA

ipa-4-9:

  • 1c66226 Don't limit role-find by hostname when searching for last KRA
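The following is an added example written for this page, not FreeIPA's own code, illustrating the three checks the two fix comments above describe: the original network-based check (asking a KRA for its transport certificate, which fails with Connection refused when the only KRA is the dead first master), the first role-based fix with the search limited to the host being deleted (which reports "last KRA" even when another KRA exists), and the final fix that searches role entries across all servers. The role tuples, REACHABLE set, function names and exception classes are hypothetical stand-ins for the real API objects, and the sample topologies are constructed from the hostnames in this ticket.

```python
"""Added example, not FreeIPA's own code: deciding whether `ipa server-del HOST`
would remove the last KRA, the three ways discussed in this ticket.  All names
below are hypothetical stand-ins for the real API objects."""


class KraConnectionError(Exception):
    """Stand-in for the ConnectionError seen in the Apache error_log."""


class LastOfRoleError(Exception):
    """Stand-in for the clean error server-del should raise for the last KRA."""


# Constructed role tables, shaped like `ipa server-role-find` output: one
# (server, role) pair per enabled role.  The dead first master still has its
# KRA role recorded in LDAP even though nothing can connect to it any more.
TICKET_TOPOLOGY = [
    ("first-master.sample.com", "CA server"),
    ("first-master.sample.com", "KRA server"),
    ("first-master.sample.com", "DNS server"),
    ("new-master.sample.com", "CA server"),
]
# Same topology but with a second KRA installed on the new master.
TWO_KRA_TOPOLOGY = TICKET_TOPOLOGY + [("new-master.sample.com", "KRA server")]

# Constructed: hosts that still answer on HTTPS after the disk failure.
REACHABLE = {"new-master.sample.com"}


def kra_servers(roles, limit_to=None):
    """Servers holding the KRA role.  `limit_to` reproduces the
    server_server=hostname filter of the first fix, which can only ever
    see the host that is about to be deleted."""
    return {s for s, r in roles
            if r == "KRA server" and (limit_to is None or s == limit_to)}


def precheck_via_kra(roles, hostname, reachable):
    """Pre-fix behaviour: find out about the KRA by fetching a transport
    certificate from a running KRA (what vaultconfig_show does).  Assumed
    here to try each KRA host in turn; when none is reachable the request
    is refused and server-del surfaces it as an InternalError."""
    if hostname not in kra_servers(roles):
        return None                       # no KRA on this host, nothing to ask
    for kra in sorted(kra_servers(roles)):
        if kra in reachable:
            return kra                    # transport cert could be fetched here
    raise KraConnectionError(
        "('Connection aborted.', error(111, 'Connection refused'))")


def removes_last_kra(roles, hostname, limit_to_hostname=False):
    """Role-based check from the fix: LDAP data only, no network access.
    With limit_to_hostname=True the search never sees other KRA servers,
    so any host that has a KRA looks like the last one (the false positive
    described in the changelog)."""
    if hostname not in kra_servers(roles):
        return False
    others = kra_servers(roles, hostname if limit_to_hostname else None)
    return not (others - {hostname})


def server_del_precheck(roles, hostname, ignore_last_of_role=False,
                        limit_to_hostname=False):
    """Return the servers left after deletion, or refuse with a clean error
    instead of an InternalError."""
    if removes_last_kra(roles, hostname, limit_to_hostname) and not ignore_last_of_role:
        raise LastOfRoleError(
            f"{hostname} is the last KRA server; pass --ignore-last-of-role")
    return {s for s, _ in roles if s != hostname}


if __name__ == "__main__":
    host = "first-master.sample.com"
    # The ticket's situation: the only KRA is on the dead first master.
    try:
        precheck_via_kra(TICKET_TOPOLOGY, host, REACHABLE)
    except KraConnectionError as e:
        print("old check fails with:", e)
    print("role check says last KRA:", removes_last_kra(TICKET_TOPOLOGY, host))
    print("remaining with --ignore-last-of-role:",
          server_del_precheck(TICKET_TOPOLOGY, host, ignore_last_of_role=True))
    # A second KRA exists, but the hostname-limited search cannot see it.
    print("first fix says last KRA:", removes_last_kra(TWO_KRA_TOPOLOGY, host, True))
    print("final fix says last KRA:", removes_last_kra(TWO_KRA_TOPOLOGY, host))
```

The point of the role-based check is that the decision depends only on data the deleting server already holds in its own LDAP replica, so a KRA that is powered off or destroyed cannot turn a policy question into a connection error; the `limit_to_hostname` switch shows why the second commit was needed on top of the first.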

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @rcritten:
- Custom field changelog adjusted to The KRA role search was too narrow resulting in false positives when trying to delete a server with a KRA, resulting in an error that the last KRA was being removed when this was not the case.

2 years ago

Metadata Update from @abbra:
- Custom field knownissue reset (from on)

2 years ago
