freeipa team mailing list archive
-
freeipa team
-
Mailing list archive
-
Message #00771
[Bug 1627371] Re: Timing problems with FreeIPA installation
Same issue here. Adding haveged reduced the error count, but still
failed with 2 processors and 2gb. 3 processors and 3gb failed with a
network error
[24/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://directory1.ri.mamabosso.com:8443/ca/rest/account/logout': [Errno 104] Connection reset by peer
ipapython.admintool: ERROR cannot connect to 'https://XXXXXXXXXXXXXXXXXX.com:8443/ca/rest/account/logout': [Errno 104] Connection reset by peer
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
4gb and 4 processors: CPU usage 100$ after 10/28 was printed.
(requesting RA cert..)
Usage at 100% through step 21 (restarting cert server), and.. 24
migrating cert profiles...(where it failed before)... 55% cpu usage..
37%... 43%... 64%... 87%... 73%... and failed again:
[24/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://directory1.ri.mamabosso.com:8443/ca/rest/account/logout': [Errno 111] Connection refused
ipapython.admintool: ERROR cannot connect to 'https://XXXXXXXXXXXXXXX.com:8443/ca/rest/account/logout': [Errno 111] Connection refused
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
from the log:
2018-06-21T15:49:02Z DEBUG request POST https://directory1.ri.mamabosso.com:8443/ca/rest/profiles/raw
2018-06-21T15:49:02Z DEBUG request body "desc=This certificate profile is for ...
2018-06-21T15:49:02Z DEBUG httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 220, in _httplib_request
conn.request(method, uri, body=request_body, headers=headers)
File "/usr/lib/python2.7/httplib.py", line 1042, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1082, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 844, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1263, in connect
server_hostname=server_hostname)
File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 617, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 846, in do_handshake
self._sslobj.do_handshake()
error: [Errno 104] Connection reset by peer
2018-06-21T15:49:02Z DEBUG request GET https://directory1.ri.mamabosso.com:8443/ca/rest/account/logout
2018-06-21T15:49:02Z DEBUG request body ''
2018-06-21T15:49:02Z DEBUG httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 220, in _httplib_request
conn.request(method, uri, body=request_body, headers=headers)
File "/usr/lib/python2.7/httplib.py", line 1042, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1082, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 844, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1255, in connect
HTTPConnection.connect(self)
File "/usr/lib/python2.7/httplib.py", line 821, in connect
self.timeout, self.source_address)
File "/usr/lib/python2.7/socket.py", line 575, in create_connection
raise err
error: [Errno 111] Connection refused
2018-06-21T15:49:02Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 1790, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 1823, in _create_dogtag_profile
profile_id)
File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line 1312, in __exit__
method='GET'
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 167, in https_request
method=method, headers=headers)
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 229, in _httplib_request
raise NetworkError(uri=uri, error=str(e))
NetworkError: cannot connect to 'https://directory1.ri.mamabosso.com:8443/ca/rest/account/logout': [Errno 111] Connection refused
2018-06-21T15:49:02Z DEBUG [error] NetworkError: cannot connect to 'https://directory1.ri.mamabosso.com:8443/ca/rest/account/logout': [Errno 111] Connection refused
2018-06-21T15:49:02Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 364, in run
return self.execute()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 389, in execute
for rval in self._executor():
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 658, in _configure
next(executor)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 581, in main
master_install(self)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 252, in decorated
func(installer)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 838, in install
ca.install_step_0(False, None, options)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/ca.py", line 326, in install_step_0
use_ldaps=standalone)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 473, in configure_instance
self.start_creation(runtime=runtime)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 1790, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 1823, in _create_dogtag_profile
profile_id)
File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line 1312, in __exit__
method='GET'
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 167, in https_request
method=method, headers=headers)
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 229, in _httplib_request
raise NetworkError(uri=uri, error=str(e))
2018-06-21T15:49:02Z DEBUG The ipa-server-install command failed,...
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1627371
Title:
Timing problems with FreeIPA installation
Status in dogtag-pki package in Ubuntu:
Confirmed
Status in freeipa package in Ubuntu:
Confirmed
Bug description:
While installing FreeIPA I came accross two situations that turned out
to be timing problems. In both cases, the installation procedure was
attempting to access the certificate server immediately after a
restart, and the server was not listening.
The first one is at step 10 of "Configuring certificate server
(pki_tomcatd)":
[10/28]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused
The second is at step 25:
[25/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
My solution was to add a delay at the top of the functions for those
steps.
def __import_ca_chain(self):
+ ##======================
+ # Add wait time to allow certificate server to start up
+ #
+ time.sleep(10)
chain = self.__get_ca_chain()
...
def migrate_profiles_to_ldap():
"""Migrate profiles from filesystem to LDAP.
This must be run *after* switching to the LDAPProfileSubsystem
and restarting the CA.
The profile might already exist, e.g. if a replica was already
upgraded, so this case is ignored.
"""
+ ##======================
+ # Add wait time to allow certificate server to start up
+ #
+ time.sleep(20)
ensure_ldap_profiles_container()
It might be necessary to adjust the sleep time.
These bugs are intermittent and they may not appear at all. In my
case, one KVM machine had no problems whatsoever while another had
problems at the "migrate profiles ..." step. Both problems showed up
on one Raspberry Pi. There were also time differences between runs.
So, one needs to be _very_ patient.
This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1.
The RaspberryPi is a pi 2B
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1627371/+subscriptions
References
