
freeipa team mailing list archive

[Bug 1627371] Re: Timing problems with FreeIPA installation


Spoke too soon, though the routine reported success, in the log we have:

Updating DNS system records
ipapython.dnsutil: ERROR    DNS query for directory1.ri.mamabosso.com. 1 failed: The DNS operation timed out after 30.0014941692 seconds
ipaserver.dns_data_management: ERROR    unable to resolve host name directory1.ri.XXX.com. to IP address, ipa-ca DNS record will be incomplete
Configuring client side components
...
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://directory1.ri.XXX.com/ipa/session/json'
Could not update DNS SSHFP records.

and then, what is in fact an error though the text is otherwise:

The ipa-client-install command was successful.

So, in bindinstance.py, after import time, added
import psutil
and just before 
system_records = IPASystemRecords(self.api)
added
while psutil.cpu_percent() > 5: time.sleep(2)

and ... that didn't work. Same error.

Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR    DNS query for directory1.ri.xxxx.com. 1 failed: The DNS operation timed out after 30.000576973 seconds
ipaserver.dns_data_management: ERROR    unable to resolve host name directory1.ri.xxx.com. to IP address, ipa-ca DNS record will be incomplete
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: directory1.ri.xxx.com
Realm: RI.XXXX.COM
DNS Domain: ri.xxxx.com
IPA Server: directory1.ri.xxxx.com
BaseDN: dc=ri,dc=xxxxxxx,dc=com

Skipping attempt to configure and synchronize time with chrony server as it has been already done on master.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://directory1.ri.xxx.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://directory1.ri.xxxx.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://directory1.ri.xxxx.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://directory1.ri.xxxx.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1627371

Title:
  Timing problems with FreeIPA installation

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  While installing FreeIPA I came across two situations that turned out
  to be timing problems. In both cases, the installation procedure was
  attempting to access the certificate server immediately after a
  restart, and the server was not listening.

  The first one is at step 10 of "Configuring certificate server
  (pki_tomcatd)":

    [10/28]: importing CA chain to RA certificate database
    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
  ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused

  The second is at step 25:

    [25/28]: migrating certificate profiles to LDAP
    [error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.

  My solution was to add a delay at the top of the functions for those
  steps.

  def __import_ca_chain(self):
      + ##======================
      + # Add wait time to allow certificate server to start up
      + # 
      + time.sleep(10)

      chain = self.__get_ca_chain()
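Review bot: the unconditional `time.sleep(10)` before `chain = self.__get_ca_chain()` masks the race rather than waiting for the condition that matters, which is pki-tomcatd accepting connections; on a slow host (the report mentions a Raspberry Pi 2B) ten seconds may still be too short, and on a fast one it is wasted time. Suggest wrapping `self.__get_ca_chain()` in a retry loop with a deadline that retries on the `[Errno 111] Connection refused` case and re-raises once the deadline passes, so a CA that never comes up still fails with the original error instead of after an arbitrary delay. The `##======================` banner comment also does not match the surrounding file's comment style and can be dropped.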

  ...

  def migrate_profiles_to_ldap():
      """Migrate profiles from filesystem to LDAP.

      This must be run *after* switching to the LDAPProfileSubsystem
      and restarting the CA.

      The profile might already exist, e.g. if a replica was already
      upgraded, so this case is ignored.

      """
      + ##======================
      + # Add wait time to allow certificate server to start up
      + # 
      + time.sleep(20)

      ensure_ldap_profiles_container()
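Review bot: same issue as the first hunk, with a different magic number (20 s here versus 10 s above), which the description itself concedes "might be necessary to adjust". Since the failure at this step is a `NetworkError` from connecting to `https://server.name:8443/ca/rest/account/login`, the retry belongs on that connection attempt rather than in a sleep placed before `ensure_ldap_profiles_container()`; one shared wait-for-CA helper used by both steps would keep the two fixes consistent and make the timeout a single documented constant.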

  It might be necessary to adjust the sleep time.

  These bugs are intermittent and they may not appear at all. In my
  case, one KVM machine had no problems whatsoever while another had
  problems at the "migrate profiles ..." step. Both problems showed up
  on one Raspberry Pi. There were also time differences between runs.
  So, one needs to be _very_ patient.

  This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1.
  The Raspberry Pi is a Pi 2B.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1627371/+subscriptions
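The two failures in the bug description (connection refused and "cannot connect" right after a CA restart) and the DNS timeout in the follow-up comment have the same shape: the installer proceeds before the service it depends on is ready, and a fixed sleep only guesses at how long that takes. As an added illustration, not code from FreeIPA or from the reporter, here is a readiness poll with a deadline and exponential backoff that can stand in for a fixed sleep. The function names (`tcp_listening`, `name_resolves`, `wait_until`, `demo_delayed_listener`) are my own, and the delayed local listener is constructed to mimic pki-tomcatd still starting up.

```python
import socket
import threading
import time
from typing import Callable, Tuple


def tcp_listening(host: str, port: int, connect_timeout: float = 2.0) -> bool:
    """True if a TCP listener accepts a connection on host:port (e.g. the CA on 8443)."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:  # ECONNREFUSED while the service is still starting, timeouts, etc.
        return False


def name_resolves(hostname: str) -> bool:
    """True if the name resolves; mirrors the 'unable to resolve host name' failure in the log."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def wait_until(check: Callable[[], bool], timeout: float,
               initial_delay: float = 0.5, max_delay: float = 5.0) -> bool:
    """Poll `check` with exponential backoff until it returns True or `timeout` seconds pass.

    Returns True as soon as the dependency is ready and False at the deadline, so the
    caller can fail loudly instead of continuing against a service that never came up.
    """
    deadline = time.monotonic() + timeout
    delay = initial_delay
    while True:
        if check():
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay)


def demo_delayed_listener(listen_after: float = 1.0) -> Tuple[bool, bool]:
    """Constructed demo: a local socket that only starts listening after a delay,
    standing in for pki-tomcatd mid-restart.

    Returns (ready_immediately, ready_after_polling); a fixed sleep shorter than
    `listen_after` would report the first value, the poll reports the second.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # bound but not yet listening -> connection refused
    port = srv.getsockname()[1]
    ready_immediately = tcp_listening("127.0.0.1", port)
    timer = threading.Timer(listen_after, srv.listen)  # "service finishes starting"
    timer.start()
    ready_after_polling = wait_until(lambda: tcp_listening("127.0.0.1", port),
                                     timeout=15.0, initial_delay=0.2)
    timer.join()
    srv.close()
    return ready_immediately, ready_after_polling


if __name__ == "__main__":
    print("delayed listener (immediate, after polling):", demo_delayed_listener())
    print("localhost resolves:", name_resolves("localhost"))
```

In an installer the `check` would be the real dependency (a connection to the CA's REST port, or `name_resolves` for the server's own A record before writing SSHFP and ipa-ca records), and a `False` return should abort the step with the original error rather than continue and report success, which is the misleading outcome the follow-up comment describes.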

