freeipa team mailing list archive
  
  - 
     freeipa team freeipa team
- 
    Mailing list archive
  
- 
    Message #00353
  
 [Bug 1627371] [NEW] Timing problems with FreeIPA	installation
  
Public bug reported:
While installing FreeIPA I came accross two situations that turned out
to be timing problems. In both cases, the installation procedure was
attempting to access the certificate server immediately after a restart,
and the server was not listening.
The first one is at step 10 of "Configuring certificate server
(pki_tomcatd)":
  [10/28]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused
The second is at step 25:
  [25/28]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
My solution was to add a delay at the top of the functions for those
steps.
def __import_ca_chain(self):
    + ##======================
    + # Add wait time to allow certificate server to start up
    + # 
    + time.sleep(10)
    chain = self.__get_ca_chain()
...
def migrate_profiles_to_ldap():
    """Migrate profiles from filesystem to LDAP.
    This must be run *after* switching to the LDAPProfileSubsystem
    and restarting the CA.
    The profile might already exist, e.g. if a replica was already
    upgraded, so this case is ignored.
    """
    + ##======================
    + # Add wait time to allow certificate server to start up
    + # 
    + time.sleep(20)
    ensure_ldap_profiles_container()
It might be necessary to adjust the sleep time.
These bugs are intermittent and they may not appear at all. In my case,
one KVM machine had no problems whatsoever while another had problems at
the "migrate profiles ..." step. Both problems showed up on one
Raspberry Pi. There were also time differences between runs. So, one
needs to be _very_ patient.
This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1.
The RaspberryPi is a pi 2B
** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New
-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1627371
Title:
  Timing problems with FreeIPA installation
Status in freeipa package in Ubuntu:
  New
Bug description:
  While installing FreeIPA I came accross two situations that turned out
  to be timing problems. In both cases, the installation procedure was
  attempting to access the certificate server immediately after a
  restart, and the server was not listening.
  The first one is at step 10 of "Configuring certificate server
  (pki_tomcatd)":
    [10/28]: importing CA chain to RA certificate database
    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
  ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused
  The second is at step 25:
    [25/28]: migrating certificate profiles to LDAP
    [error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
  My solution was to add a delay at the top of the functions for those
  steps.
  def __import_ca_chain(self):
      + ##======================
      + # Add wait time to allow certificate server to start up
      + # 
      + time.sleep(10)
      chain = self.__get_ca_chain()
  ...
  def migrate_profiles_to_ldap():
      """Migrate profiles from filesystem to LDAP.
      This must be run *after* switching to the LDAPProfileSubsystem
      and restarting the CA.
      The profile might already exist, e.g. if a replica was already
      upgraded, so this case is ignored.
      """
      + ##======================
      + # Add wait time to allow certificate server to start up
      + # 
      + time.sleep(20)
      ensure_ldap_profiles_container()
  It might be necessary to adjust the sleep time.
  These bugs are intermittent and they may not appear at all. In my
  case, one KVM machine had no problems whatsoever while another had
  problems at the "migrate profiles ..." step. Both problems showed up
  on one Raspberry Pi. There were also time differences between runs.
  So, one needs to be _very_ patient.
  This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1.
  The RaspberryPi is a pi 2B
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1627371/+subscriptions
Follow ups
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Timo Aaltonen, 2019-12-16
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Timo Aaltonen, 2019-11-28
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Brad Johnson, 2019-10-31
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Harry Coin, 2018-06-23
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Harry Coin, 2018-06-21
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Harry Coin, 2018-06-21
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Harry Coin, 2018-06-21
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Harry Coin, 2018-06-21
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: gianluca, 2018-05-21
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Timo Aaltonen, 2017-10-09
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Andrew Bork, 2017-04-01
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Launchpad Bug Tracker, 2016-11-03
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Ubuntu Foundations Team Bug Bot, 2016-09-25
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Lars Bahner, 2016-09-25
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Lars Bahner, 2016-09-25
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Timo Aaltonen, 2016-09-25
- 
   [Bug 1627371] Re: Timing problems with FreeIPA	installation
  
 From: Launchpad Bug Tracker, 2016-09-25