Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)
Hi,
I have reproduced the problem on the LXC container. The full debug log is at:
https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
The bit failing is:
[root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw --mkhomedir ... ipa : DEBUG [11/22]: configuring Gssproxy [11/22]: configuring Gssproxy ipa : DEBUG Starting external process ipa : DEBUG args=/usr/sbin/selinuxenabled ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout= ipa : DEBUG stderr= ipa : DEBUG Starting external process ipa : DEBUG args=/bin/systemctl restart gssproxy.service ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout= ipa : DEBUG stderr=A dependency job for gssproxy.service failed. See 'journalctl -xe' for details.
ipa : DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy services.knownservices.gssproxy.restart() File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart capture_output, wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base skip_output=not capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run raise CalledProcessError(p.returncode, arg_string, str(output)) CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
ipa : DEBUG [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute for _nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for _nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main replica_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1440, in install ca_file=cafile) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 166, in install_http subject_base=config.subject_base, master_fqdn=config.master_host_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 190, in create_instance self.start_creation() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy services.knownservices.gssproxy.restart() File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart capture_output, wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base skip_output=not capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run raise CalledProcessError(p.returncode, arg_string, str(output))
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Cheers,
Álex
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
do you have a traceback in log? I'm curious where exactly this happened, what is your FreeIPA version?
[1] I haven't install FreeIPA in LXC, but I'm happy user of FreeIPA running in LXC :-) So it should work
2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi Marti,
On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
it looks that replica is trying to add records to your forward zone. What is the hostname of the replica?
Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide automatic network configuration to VMs. It's a non-routable network, so I'm not sure what the right setup would be.
- what is not working on lxc?
It was something about GSSAPI or something like that, I'll try to reproduce and start a new thread about that- but I guess it's more of an LXC problem (ideally I would like to run my replica on LXC so it consumes less RAM, but I can live with a full VM).
Cheers,
Álex
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi,
I'm labbing a FreeIPA environment for personal use, and I'm getting that while bringing up a replica.
I set up my first freeipa-server instance on a cheap VPS on a public IP, intend on making it publicly accessible so I can always authenticate my laptop even on wild public networks.
I'm adding the replica as a VM(1) on a Proxmox VE, on a private network with VPN connectivity to the first public freeipa-server, but I'm getting:
2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
. I'm trying to create the replica with CA and DNS, and I had set up DNS forwarding to the internal DNS on the Proxmox system with:
$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1 $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only
on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 - h2.int.pdp7.net is the network it manages), and I guess that's messing with the replica, but I'm not sure how to troubleshoot this.
Thoughts? Ideas?
Thanks,
Álex
(1) I can't seem to create a freeipa-replica on an LXC container. Is this something that can be discussed here or should I take it to LXC?
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- S pozdravom Martin Bašti.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- S pozdravom Martin Bašti.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
I meant traceback fot the DNS issue :-)
Could you please provide the reason why gssaproxy didn't start?
journalctl -xe systemctl status gssproxy journalctl -u gssproxy
2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi,
I have reproduced the problem on the LXC container. The full debug log is at:
https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
The bit failing is:
[root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw --mkhomedir ... ipa : DEBUG [11/22]: configuring Gssproxy [11/22]: configuring Gssproxy ipa : DEBUG Starting external process ipa : DEBUG args=/usr/sbin/selinuxenabled ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout= ipa : DEBUG stderr= ipa : DEBUG Starting external process ipa : DEBUG args=/bin/systemctl restart gssproxy.service ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout= ipa : DEBUG stderr=A dependency job for gssproxy.service failed. See 'journalctl -xe' for details.
ipa : DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy services.knownservices.gssproxy.restart() File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart capture_output, wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base skip_output=not capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run raise CalledProcessError(p.returncode, arg_string, str(output)) CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
ipa : DEBUG [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute for _nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for _nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main replica_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1440, in install ca_file=cafile) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 166, in install_http subject_base=config.subject_base, master_fqdn=config.master_host_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 190, in create_instance self.start_creation() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy services.knownservices.gssproxy.restart() File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart capture_output, wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base skip_output=not capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run raise CalledProcessError(p.returncode, arg_string, str(output))
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Cheers,
Álex
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
do you have a traceback in log? I'm curious where exactly this happened, what is your FreeIPA version?
[1] I haven't install FreeIPA in LXC, but I'm happy user of FreeIPA running in LXC :-) So it should work
2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi Marti,
On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
it looks that replica is trying to add records to your forward zone. What is the hostname of the replica?
Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide automatic network configuration to VMs. It's a non-routable network, so I'm not sure what the right setup would be.
- what is not working on lxc?
It was something about GSSAPI or something like that, I'll try to reproduce and start a new thread about that- but I guess it's more of an LXC problem (ideally I would like to run my replica on LXC so it consumes less RAM, but I can live with a full VM).
Cheers,
Álex
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi,
I'm labbing a FreeIPA environment for personal use, and I'm getting that while bringing up a replica.
I set up my first freeipa-server instance on a cheap VPS on a public IP, intend on making it publicly accessible so I can always authenticate my laptop even on wild public networks.
I'm adding the replica as a VM(1) on a Proxmox VE, on a private network with VPN connectivity to the first public freeipa-server, but I'm getting:
2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
. I'm trying to create the replica with CA and DNS, and I had set up DNS forwarding to the internal DNS on the Proxmox system with:
$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1 $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only
on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 - h2.int.pdp7.net is the network it manages), and I guess that's messing with the replica, but I'm not sure how to troubleshoot this.
Thoughts? Ideas?
Thanks,
Álex
(1) I can't seem to create a freeipa-replica on an LXC container. Is this something that can be discussed here or should I take it to LXC?
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- S pozdravom Martin Bašti.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- S pozdravom Martin Bašti.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Wait, so I retried the replica installation on LXC, without CA and DNS and it worked, no gssproxy issues.
However, I retried with CA and DNS and it failed:
# journalctl -xe Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy Daemon... -- Subject: Unit gssproxy.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Alex Corcoles via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon. -- Subject: Unit gssproxy.service has failed -- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit gssproxy.service has failed.
-- The result is dependency. Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job gssproxy.service/start failed with result 'dependency'. Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount entered failed state.
This is RHEL-7.4? If you're not using NFS, you can remove the "Requires=proc-fs-nfsd.mount" line from gssproxy.service.
Would of course be interesting to see why that failed, though we'd probably have to ask NFS folk about it.
Thanks, --Robbie
Maybe this is a bug in the definition of gssproxy? Should it be a Wants= instead of a Requires=?
On Wed, Jan 10, 2018 at 9:41 PM, Robbie Harwood rharwood@redhat.com wrote:
Alex Corcoles via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon. -- Subject: Unit gssproxy.service has failed -- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit gssproxy.service has failed.
-- The result is dependency. Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job gssproxy.service/start failed with result 'dependency'. Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit
proc-fs-nfsd.mount
entered failed state.
This is RHEL-7.4? If you're not using NFS, you can remove the "Requires=proc-fs-nfsd.mount" line from gssproxy.service.
Would of course be interesting to see why that failed, though we'd probably have to ask NFS folk about it.
Thanks, --Robbie
Alex Corcoles via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Maybe this is a bug in the definition of gssproxy? Should it be a Wants= instead of a Requires=?
No, it's a bug I will have fixed in 7.5. The requirement needs to be from proc-fs-nfsd on gssproxy, not the other way around, because gssproxy doesn't require nfs-utils to be present in order to operate.
More information: https://bugzilla.redhat.com/show_bug.cgi?id=1326440
Thanks, --Robbie
Ah, that'd be wonderful- that will solve my problem as I don't need NFS on LXC. If I have some time I will try editing the gssproxy unit file and see if that's the only stopper to running a FreeIPA replica on LXC.
On Thu, Jan 11, 2018 at 9:17 PM, Robbie Harwood rharwood@redhat.com wrote:
Alex Corcoles via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Maybe this is a bug in the definition of gssproxy? Should it be a Wants= instead of a Requires=?
No, it's a bug I will have fixed in 7.5. The requirement needs to be from proc-fs-nfsd on gssproxy, not the other way around, because gssproxy doesn't require nfs-utils to be present in order to operate.
More information: https://bugzilla.redhat.com/show_bug.cgi?id=1326440
Thanks, --Robbie
Alex Corcoles via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Maybe this is a bug in the definition of gssproxy? Should it be a Wants= instead of a Requires=?
And anyway something else is broken with proc-fs-nfsd to boot.
Thanks, --Robbie
On 11/01/18 19:49, Alex Corcoles via FreeIPA-users wrote:
Jan 10 18:47:02 ctipa.h2.int.pdp7.net http://ctipa.h2.int.pdp7.net
systemd[1]: Dependency failed for
GSSAPI Proxy Daemon. -- Subject: Unit gssproxy.service has failed -- Defined-By: systemd -- Support:
http://lists.freedesktop.org/mailman/listinfo/systemd-devel http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit gssproxy.service has failed.
-- The result is dependency. Jan 10 18:47:02 ctipa.h2.int.pdp7.net
http://ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'. Jan 10 18:47:02 ctipa.h2.int.pdp7.net
http://ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount
entered failed state.
This is RHEL-7.4? If you're not using NFS, you can remove the "Requires=proc-fs-nfsd.mount" line from gssproxy.service.
I have Centos 7 in an LXC but both gssproxy & proc-fs-nfsd.mount start fine.(maybe different programs versions?) What I see in my container is:
# systemctl status -l auth-rpcgss-module.service ● auth-rpcgss-module.service - Kernel Module supporting RPCSEC_GSS Loaded: loaded (/usr/lib/systemd/system/auth-rpcgss-module.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since Fri 2018-01-12 10:59:30 UTC; 33min ago Process: 15 ExecStart=/sbin/modprobe -q auth_rpcgss (code=exited, status=1/FAILURE) Main PID: 15 (code=exited, status=1/FAILURE)
But above is simply about missing kernel drivers, which can be installed in LXC or mounted to host's fs, like with libvirt:
<filesystem type='mount' accessmode='passthrough'> <source dir='/lib/modules'/> <target dir='/lib/modules'/> </filesystem>
and that problem goes away.
Never mind, I don't seem to be able to reproduce this.
On Fri, Jan 12, 2018 at 12:35 PM, lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On 11/01/18 19:49, Alex Corcoles via FreeIPA-users wrote:
Jan 10 18:47:02 ctipa.h2.int.pdp7.net http://ctipa.h2.int.pdp7.net
systemd[1]: Dependency failed for
GSSAPI Proxy Daemon. -- Subject: Unit gssproxy.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit gssproxy.service has failed.
-- The result is dependency. Jan 10 18:47:02 ctipa.h2.int.pdp7.net http://ctipa.h2.int.pdp7.net
systemd[1]: Job
gssproxy.service/start failed with result 'dependency'. Jan 10 18:47:02 ctipa.h2.int.pdp7.net http://ctipa.h2.int.pdp7.net
systemd[1]: Unit proc-fs-nfsd.mount
entered failed state.
This is RHEL-7.4? If you're not using NFS, you can remove the "Requires=proc-fs-nfsd.mount" line from gssproxy.service.
I have Centos 7 in an LXC but both gssproxy & proc-fs-nfsd.mount start fine.(maybe different programs versions?) What I see in my container is:
# systemctl status -l auth-rpcgss-module.service ● auth-rpcgss-module.service - Kernel Module supporting RPCSEC_GSS Loaded: loaded (/usr/lib/systemd/system/auth-rpcgss-module.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since Fri 2018-01-12 10:59:30 UTC; 33min ago Process: 15 ExecStart=/sbin/modprobe -q auth_rpcgss (code=exited, status=1/FAILURE) Main PID: 15 (code=exited, status=1/FAILURE)
But above is simply about missing kernel drivers, which can be installed in LXC or mounted to host's fs, like with libvirt:
<filesystem type='mount' accessmode='passthrough'> <source dir='/lib/modules'/> <target dir='/lib/modules'/> </filesystem>and that problem goes away.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
freeipa-users@lists.fedorahosted.org
-
Alex Corcoles -
lejeczek -
Martin Basti -
Robbie Harwood