During setup of ipa-server, erroring out with the error in title.
The installation works fine, right up until the setup of the CA, it errors out with the following (debug log):
DEBUG: Command: systemctl start pki-tomcatd@pki-tomcat.service
INFO: Waiting for PKI server to start
INFO: Waiting for PKI server to start (1s)
INFO: Waiting for PKI server to start (2s)
INFO: PKI server started
INFO: Waiting for CA subsystem
FileNotFoundError: [Errno 2] No such file or directory: 'sysctl': 'sysctl'
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 713, in spawn
    subsystem.wait_for_startup(deployer.startup_timeout, deployer.request_timeout)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 409, in wait_for_startup
    fips_mode = pki.FIPS.is_enabled()
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 246, in is_enabled
    output = subprocess.check_output(command, stderr=fnull).decode('utf-8')
  File "/usr/lib64/python3.6/subprocess.py", line 356, in check_output
    **kwargs).stdout
  File "/usr/lib64/python3.6/subprocess.py", line 423, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib64/python3.6/subprocess.py", line 729, in __init__
    restore_signals, start_new_session)
  File "/usr/lib64/python3.6/subprocess.py", line 1364, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)

2021-11-17T10:06:49Z CRITICAL Failed to configure CA instance
2021-11-17T10:06:49Z CRITICAL See the installation logs and the following files/directories for more information:
2021-11-17T10:06:49Z CRITICAL /var/log/pki/pki-tomcat
2021-11-17T10:06:49Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 629, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 567, in handle_setup_error
    ) from None
RuntimeError: CA configuration failed.

2021-11-17T10:06:49Z DEBUG [error] RuntimeError: CA configuration failed.
2021-11-17T10:06:49Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2021-11-17T10:06:49Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 575, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 275, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 909, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
    pki_config_override=options.pki_config_override,
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 503, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 629, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 567, in handle_setup_error
    ) from None

2021-11-17T10:06:49Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2021-11-17T10:06:49Z ERROR CA configuration failed.
The CA to install correctly
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64
ipa-client-4.9.6-6.module+el8.5.0+675+61f67439.x86_64
389-ds-base-1.4.3.23-10.module+el8.5.0+700+370e33d5.x86_64
pki-ca-10.11.2-2.module+el8.5.0+701+8dc610e5.noarch
krb5-server-1.18.2-14.el8.x86_64
Disabled selinux to see if that was the cause, it's not. I see reference to FIPS being enabled, but it's not. This is not a replica, it's a master - but I do also get the same error when installing a replica.
Looks like you are missing sysctl utility? It is in procps-ng package. At least in Fedora it is required by the dogtag-pki-server package.
Please report this to Rocky. We as upstream have no influence over the downstream packages.
I'll report it to Rocky as well, but thought I would start here instead of spamming everyone.
sysctl is installed though:
sysctl -V && which sysctl
sysctl from procps-ng 3.3.15
/sbin/sysctl
Edit: Rocky case here https://bugs.rockylinux.org/show_bug.cgi?id=176
I wonder what PATH dogtag uses. It calls just 'sysctl', not a fully-qualified path. which sysctl on my RHEL 8.something hackish install returns /usr/sbin/sysctl. Theoretically /sbin should be a symlink to /usr/sbin.
It looks like dogtag is trying to determine if FIPS is enabled. As a workaround you could hack the code to get past this.
The call is in /usr/lib/python3.6/site-packages/pki/__init__.py
You could add a return, as appropriate for your environment, in is_enabled() to skip the execution.
I looked at a couple of my Rocky IPA domains and the path I get is /usr/sbin/sysctl - It almost seems like something is missing or something is misconfigured to cause /usr to not show up as the path on the system itself.
According to the bug report on our end, it's noted that this was happening on our 8.5 AMI but not our 8.4. I created a simple minimal VM in my lab with 8.5 and it set up just fine. I'll roll out an 8.5 AMI to do some investigation there too.
Spun up an 8.5 AMI and this was the result:
[root@ip-172-16-12-82 ipa]# uname -a
Linux testing.resf.io 4.18.0-348.el8.0.2.x86_64 #1 SMP Sun Nov 14 00:51:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@ip-172-16-12-82 ipa]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.5 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.5 (Green Obsidian)"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:rocky:rocky:8.5:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky Linux"
ROCKY_SUPPORT_PRODUCT_VERSION="8"
[root@ip-172-16-12-82 ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@ip-172-16-12-82 ~]# yum module enable idm:DL1/{dns,server,common}
[root@ip-172-16-12-82 ~]# clear
[root@ip-172-16-12-82 ~]# yum install ipa-server ipa-server-dns -y
[root@ip-172-16-12-82 ~]# hostnamectl set-hostname testing.ipa.resf.org
[root@ip-172-16-12-82 ~]# ipa-server-install --setup-dns \
    --no-reverse \
    --domain ipa.resf.org \
    --realm IPA.RESF.ORG \
    --hostname testing.ipa.resf.org \
    --admin-password "ThisIsATest1!" \
    --ds-password "ThisIsATest1!" \
    --no-forwarders \
    --no-ntp \
    --unattended
...
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
The installation worked fine for me on an 8.5 AMI of ours.
Is there anything extra that you could perhaps be doing when rolling out your system? Or installing something else beforehand?
Thank you for all your help with this, it's much appreciated.
I've followed your steps, and can confirm it installs correctly.
This led me to believe it was what we were doing in our cloudformation userdata, specifically we run this:
alternatives --set python /usr/bin/python2
Which I thought was the culprit. However, setting that to be python3 after cloudformation has finished hasn't fixed the issue. What is even stranger, though, is that after it has failed the installation, if I then uninstall ipa-server and re-run the installation it works. It's driving me up the wall.
Here is the entire userdata commands we run:
dnf -y install python2 python3 unzip perf jq at bind-utils openldap-clients nmap
systemctl enable --now atd.service
alternatives --set python /usr/bin/python2
curl https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz -o /tmp/aws-cfn-bootstrap.tar.gz
cd /tmp
tar xzvf aws-cfn-bootstrap.tar.gz
cd aws-cfn-bootstrap-*
python2 setup.py build
python2 setup.py install
mkdir -p /opt/aws/bin
ln -s /usr/init/redhat/cfn-hup /etc/init.d/cfn-hup
chmod 775 /usr/init/redhat/cfn-hup
ln -s /usr/bin/cfn-hup /opt/aws/bin/cfn-hup
ln -s /usr/bin/cfn-signal /opt/aws/bin/cfn-signal
ln -s /usr/bin/cfn-init /opt/aws/bin/cfn-init
ln -s /usr/bin/cfn-get-metadata /opt/aws/bin/cfn-get-metadata
ln -s /usr/bin/cfn-send-cmd-event /opt/aws/bin/cfn-send-cmd-event
ln -s /usr/bin/cfn-send-cmd-result /opt/aws/bin/cfn-send-cmd-result
curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o /tmp/awscliv2.zip
cd /tmp
unzip -q awscliv2.zip
cd aws
./install
cd /tmp
rm -rf /tmp/aws\
dnf -y install https://s3.eu-west-1.amazonaws.com/amazoncloudwatch-agent-eu-west-1/centos/amd64/latest/amazon-cloudwatch-agent.rpm
echo "$(date --date='4 minutes' +%M) * * * * /bin/bash /opt/cwSetup.sh" | crontab -
echo "$(date --date='3 minutes' +%M) * * * * /bin/bash /opt/IdentityManagementServerScript.sh" | crontab -
The IdentityManagementServerScript.sh installs ipa-server. I still believe the issue is the python alias, but I'm drawing a blank as to why it would work the 2nd time it is run (the python alias is reverted to python3 at the beginning of the install script).
Fixed. Updated the Rocky bug with how.
TL;DR: I was using cron to schedule the script to install ipa-server and cron does not have the same PATH.
Metadata Update from @wolf-allywilson: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
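The failure this ticket ends on, as an added example that is not FreeIPA, Dogtag or Rocky code: a bare-name subprocess call resolved against a PATH that lacks the sbin directory, next to a preflight check that a cron-launched install script could run first. The sandbox tree, the stub sysctl, both PATH layouts, the sysctl arguments and all helper names are assumptions constructed for illustration.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed PATH layouts (assumptions, relative to a sandbox root). The ticket
# only states that cron "does not have the same PATH" as the login shell.
CRON_LIKE = ["usr/bin", "bin"]
LOGIN_LIKE = ["usr/sbin", "usr/bin", "bin"]


def make_sandbox(root):
    """Create the directories above and a stub usr/sbin/sysctl that reports FIPS off."""
    for rel in LOGIN_LIKE:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    stub = os.path.join(root, "usr/sbin", "sysctl")
    with open(stub, "w") as fh:
        fh.write("#!/bin/sh\necho 0\n")
    os.chmod(stub, 0o755)
    return root


def build_path(root, rel_dirs):
    """Join sandbox directories into a PATH string."""
    return os.pathsep.join(os.path.join(root, rel) for rel in rel_dirs)


def missing_tools(tools, path):
    """Preflight: names that a bare-name exec would fail to find on `path`."""
    return [t for t in tools if shutil.which(t, path=path) is None]


def probe_fips(path):
    """Call sysctl by bare name, as the traceback's check_output call does.

    The argument list is illustrative; the page does not show the real one.
    Raises FileNotFoundError when no directory on `path` contains sysctl.
    """
    out = subprocess.check_output(
        ["sysctl", "-n", "crypto.fips_enabled"],
        stderr=subprocess.DEVNULL,
        env={"PATH": path},
    )
    return out.decode("utf-8").strip()


if __name__ == "__main__":
    root = make_sandbox(tempfile.mkdtemp(prefix="pathdemo-"))
    for label, dirs in (("login-like", LOGIN_LIKE), ("cron-like", CRON_LIKE)):
        path = build_path(root, dirs)
        print(label, "missing:", missing_tools(["sysctl"], path))
        try:
            print(label, "fips_enabled =", probe_fips(path))
        except FileNotFoundError as exc:
            print(label, "failed:", exc)
    shutil.rmtree(root)
```

Under the cron-like PATH the probe raises the same `FileNotFoundError ... 'sysctl'` seen in the debug log even though the binary is installed, which is why setting PATH explicitly in the crontab or at the top of the scheduled script removes the failure.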