Issue #8422: Multiple similar failures in test_installation.py::TestInstallReplicaAgainstSpecificServer - freeipa

freeipa

#8422 Multiple similar failures in test_installation.py::TestInstallReplicaAgainstSpecificServer

Closed: duplicate 3 years ago by frenaud. Opened 3 years ago by fcami.

In testing_master_latest Nightly PR #295 CA install failed:
logs

[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57]   [4/29]: creating installation admin user
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57]   [5/29]: configuring certificate server instance
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpopcr3_on'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nPKIException: Internal Server Error\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-U\', \'https://master.ipa.test:443\', \'ca-range-request\', \'request\', \'--session\', \'1989201132665237160\', \'--output-format\', \'json\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 575, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 854, in spawn\n    subsystem.update_ranges(master_url, deployer.install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 975, in update_ranges\n    request_range = self.request_range(master_url, \'request\', install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 967, in request_range\n    output = subprocess.check_output(cmd)\n  File "/usr/lib64/python3.8/subprocess.py", line 411, in check_output\n    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n  File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n    raise CalledProcessError(retcode, process.args,\n\n')
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57]   [error] RuntimeError: CA configuration failed.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] CA configuration failed.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] 
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Your system may be partly configured.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Run /usr/sbin/ipa-server-install --uninstall to clean up.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] 
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Exit code: 1
ipa: ERROR: stderr: ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpopcr3_on'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nPKIException: Internal Server Error\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-U\', \'https://master.ipa.test:443\', \'ca-range-request\', \'request\', \'--session\', \'1989201132665237160\', \'--output-format\', \'json\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 575, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 854, in spawn\n    subsystem.update_ranges(master_url, deployer.install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 975, in update_ranges\n    request_range = self.request_range(master_url, \'request\', install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 967, in request_range\n    output = subprocess.check_output(cmd)\n  File "/usr/lib64/python3.8/subprocess.py", line 411, in check_output\n    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n  File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n    raise CalledProcessError(retcode, process.args,\n\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
CA configuration failed.

PKI logs contain:

'['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://master.ipa.test:443', 'ca-range-request', 'request', '--session', '1989201132665237160', '--output-format', 'json']' returned non-zero exit status 255.

fcami commented 3 years ago

Also happens in test_backup_and_restore:
testing_ipa-4.8_latest Nightly PR #296, logs

Edited 3 years ago by fcami

fcami commented 3 years ago

Also in test_replication_layouts.py::TestCompleteTopologyWithCAKRA::test_complete_topology_with_ca_kra
testing_master_389ds Nightly PR #299, report

ftweedal commented 3 years ago

I hit an issue like this a few weeks ago. But now I cannot remember the details or how I resolved it. If I remember anything I will add details here.

ftweedal commented 3 years ago

@fcami now I remember what happened...

See this part of the output:

WARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists

It is a red herring. I now recall that I spent a substantial time investigating the above, but it turned out to be harmless and unrelated to the actual failure.

And what was the actual failure. Well, it is unrelated to your failure here - my devel build of Dogtag was at a bad commit where some Java SystemConfigService changes had been committed, but the corresponding Python pkispawnchanges had not yet been committed, breaking pkispawn.

So, I do not have any good tips for solving the current problem - except that you can ignore that LDAP error. Reach out to the Dogtag team if you need help analysing the issue.

fcami commented 3 years ago

Thanks @ftweedal I've reached out to @dmoluguw , we will sort it out.

rcritten commented 3 years ago

I think the CA debug log needs to be collected to diagnose this.

frenaud commented 3 years ago

dogtagpki issue opened at #3182
The logs on the master show a servlet initialization failure with

access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/pki/WEB-INF/lib/slf4j-jdk14.jar" "read")

mpolovka commented 3 years ago

Another failure: PR381, logs

frenaud commented 3 years ago

Duplicate of https://pagure.io/freeipa/issue/8476, CA or KRA installation fails on a replica with java.io.FilePermission reported on the master.

Metadata Update from @frenaud:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#8422 Multiple similar failures in test_installation.py::TestInstallReplicaAgainstSpecificServer Closed: duplicate 3 years ago by frenaud. Opened 3 years ago by fcami.

Metadata

tests test-failure

#8422 Multiple similar failures in test_installation.py::TestInstallReplicaAgainstSpecificServer

Closed: duplicate 3 years ago by frenaud. Opened 3 years ago by fcami.