Wait, so I retried the replica installation on LXC, without CA and DNS and
it worked, no gssproxy issues.

However, I retried with CA and DNS and it failed:

# journalctl -xe
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy
Daemon...
-- Subject: Unit gssproxy.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit gssproxy.service has begun starting up.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Mounting NFSD
configuration filesystem...
-- Subject: Unit proc-fs-nfsd.mount has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit proc-fs-nfsd.mount has begun starting up.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: nfsd is
write-protected, mounting read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: cannot mount nfsd
read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: proc-fs-nfsd.mount mount
process exited, code=exited status=32
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Failed to mount NFSD
configuration filesystem.
-- Subject: Unit proc-fs-nfsd.mount has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit proc-fs-nfsd.mount has failed.
-- 
-- The result is failed.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
GSSAPI Proxy Daemon.
-- Subject: Unit gssproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit gssproxy.service has failed.
-- 
-- The result is dependency.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount
entered failed state.

# systemctl status gssproxy
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled;
vendor preset: disabled)
   Active: active (running) since Wed 2018-01-10 18:47:02 UTC; 2min 15s ago
  Process: 1547 ExecStart=/usr/sbin/gssproxy -D (code=exited,
status=0/SUCCESS)
 Main PID: 1549 (gssproxy)
   CGroup: /system.slice/gssproxy.service
           └─1549 /usr/sbin/gssproxy -D

Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy
Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'.

# journalctl -u gssproxy
-- Logs begin at Wed 2018-01-10 18:41:32 UTC, end at Wed 2018-01-10
18:48:17 UTC. --
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy
Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'.

...

I'm guessing it might be unrelated to adding CA/DNS (I'm mostly sure the
previous failure was without them), maybe it's something that doesn't
happen reliably.

Anyway, I'd rather have a working full CA/DNS replica on a VM (
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7A2I475DZFE235QRJRXMRXTL3DVT46IN/
) and then I'd worry about LXC, although I'm happy to troubleshoot both
issues.

Cheers,

Álex


On Tue, Jan 9, 2018 at 9:38 PM, Martin Basti via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I meant traceback for the DNS issue :-)
>
> Could you please provide the reason why gssproxy didn't start?
>
> journalctl -xe
> systemctl status gssproxy
> journalctl -u gssproxy
>
> 2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> Hi,
>>
>> I have reproduced the problem on the LXC container. The full debug log is
>> at:
>>
>> https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
>>
>> The bit failing is:
>>
>> [root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw
>> --mkhomedir
>> ...
>> ipa         : DEBUG      [11/22]: configuring Gssproxy
>>   [11/22]: configuring Gssproxy
>> ipa         : DEBUG    Starting external process
>> ipa         : DEBUG    args=/usr/sbin/selinuxenabled
>> ipa         : DEBUG    Process finished, return code=1
>> ipa         : DEBUG    stdout=
>> ipa         : DEBUG    stderr=
>> ipa         : DEBUG    Starting external process
>> ipa         : DEBUG    args=/bin/systemctl restart gssproxy.service
>> ipa         : DEBUG    Process finished, return code=1
>> ipa         : DEBUG    stdout=
>> ipa         : DEBUG    stderr=A dependency job for gssproxy.service
>> failed. See 'journalctl -xe' for details.
>>
>> ipa         : DEBUG    Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py",
>> line 242, in configure_gssproxy
>>     services.knownservices.gssproxy.restart()
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
>> line 322, in restart
>>     capture_output, wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
>> line 310, in _restart_base
>>     skip_output=not capture_output)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
>> 512, in run
>>     raise CalledProcessError(p.returncode, arg_string, str(output))
>> CalledProcessError: Command '/bin/systemctl restart gssproxy.service'
>> returned non-zero exit status 1
>>
>> ipa         : DEBUG      [error] CalledProcessError: Command
>> '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>>   [error] CalledProcessError: Command '/bin/systemctl restart
>> gssproxy.service' returned non-zero exit status 1
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> DEBUG      File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>> line 172, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
>> 333, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 368, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 392, in execute
>>     for _nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in <lambda>
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 658, in _configure
>>     next(executor)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 521, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 518, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in <lambda>
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>> line 63, in _install
>>     for _nothing in self._installer(self.parent):
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py",
>> line 617, in main
>>     replica_install(self)
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 386, in decorated
>>     func(installer)
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1440, in install
>>     ca_file=cafile)
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 166, in install_http
>>     subject_base=config.subject_base, master_fqdn=config.master_host
>> _name)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py",
>> line 190, in create_instance
>>     self.start_creation()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py",
>> line 242, in configure_gssproxy
>>     services.knownservices.gssproxy.restart()
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
>> line 322, in restart
>>     capture_output, wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
>> line 310, in _restart_base
>>     skip_output=not capture_output)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
>> 512, in run
>>     raise CalledProcessError(p.returncode, arg_string, str(output))
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> DEBUG    The ipa-replica-install command failed, exception:
>> CalledProcessError: Command '/bin/systemctl restart gssproxy.service'
>> returned non-zero exit status 1
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    Command '/bin/systemctl restart gssproxy.service' returned
>> non-zero exit status 1
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> Cheers,
>>
>> Álex
>>
>> On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> do you have a traceback in log? I'm curious where exactly this happened,
>>> what is your FreeIPA version?
>>>
>>> [1]
>>> I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running
>>> in LXC :-) So it should work
>>>
>>> 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
>>> freeipa-users@lists.fedorahosted.org>:
>>>
>>>> Hi Marti,
>>>>
>>>> On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>>> it looks like the replica is trying to add records to your forward zone.
>>>>> What is the hostname of the replica?
>>>>>
>>>>
>>>> Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
>>>>
>>>> I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to
>>>> provide automatic network configuration to VMs. It's a non-routable
>>>> network, so I'm not sure what the right setup would be.
>>>>
>>>> 1. what is not working on lxc?
>>>>>
>>>>
>>>> It was something about GSSAPI or something like that, I'll try to
>>>> reproduce and start a new thread about that- but I guess it's more of an
>>>> LXC problem (ideally I would like to run my replica on LXC so it consumes
>>>> less RAM, but I can live with a full VM).
>>>>
>>>> Cheers,
>>>>
>>>> Álex
>>>>
>>>> 2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm labbing a FreeIPA environment for personal use, and I'm getting
>>>>> that while bringing up a replica.
>>>>>
>>>>> I set up my first freeipa-server instance on a cheap VPS on a public
>>>>> IP, intending to make it publicly accessible so I can always authenticate
>>>>> my laptop even on wild public networks.
>>>>>
>>>>> I'm adding the replica as a VM(1) on a Proxmox VE, on a private
>>>>> network with VPN connectivity to the first public freeipa-server, but I'm
>>>>> getting:
>>>>>
>>>>> 2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed,
>>>>> exception: ValidationError: invalid 'dnszoneidnsname': only master zones
>>>>> can contain records
>>>>>
>>>>> . I'm trying to create the replica with CA and DNS, and I had set up
>>>>> DNS forwarding to the internal DNS on the Proxmox system with:
>>>>>
>>>>> $ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
>>>>> $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24
>>>>> --forwarder=10.42.42.1 --forward-policy=only
>>>>>
>>>>> on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 -
>>>>> h2.int.pdp7.net is the network it manages), and I guess that's
>>>>> messing with the replica, but I'm not sure how to troubleshoot this.
>>>>>
>>>>> Thoughts? Ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Álex
>>>>>
>>>>> (1) I can't seem to create a freeipa-replica on an LXC container. Is
>>>>> this something that can be discussed here or should I take it to LXC?
>>>>>
>>>>> --
>>>>>    ___
>>>>>  {~._.~}
>>>>>   ( Y )
>>>>>  ()~*~()  mail: alex at corcoles dot net
>>>>>  (_)-(_)  http://alex.corcoles.net/
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>>>>> rahosted.org
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> S pozdravom Martin Bašti.
>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>    ___
>>>>  {~._.~}
>>>>   ( Y )
>>>>  ()~*~()  mail: alex at corcoles dot net
>>>>  (_)-(_)  http://alex.corcoles.net/
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> S pozdravom Martin Bašti.
>>>
>>>
>>>
>>
>>
>> --
>>    ___
>>  {~._.~}
>>   ( Y )
>>  ()~*~()  mail: alex at corcoles dot net
>>  (_)-(_)  http://alex.corcoles.net/
>>
>>
>>
>>
>
>
> --
> S pozdravom Martin Bašti.
>
>
>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
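
Added example, not part of the original message and not FreeIPA code: a Python triage of the journal excerpt at the top of this message that links the blocked gssproxy.service start job to the unit that actually failed. The function name triage and the regular expressions are assumptions made here, matched to the systemd message wording shown in this thread's log.

```python
import re

# Constructed sample: the journal lines from the message above with the mail
# wrapping undone and systemd's "--" annotation lines left out.
SAMPLE_JOURNAL = """\
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Mounting NFSD configuration filesystem...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: nfsd is write-protected, mounting read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: cannot mount nfsd read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: proc-fs-nfsd.mount mount process exited, code=exited status=32
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Failed to mount NFSD configuration filesystem.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job gssproxy.service/start failed with result 'dependency'.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount entered failed state.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")
JOB_DEP = re.compile(r"^Job (\S+)/(\w+) failed with result 'dependency'\.$")
UNIT_FAILED = re.compile(r"^Unit (\S+) entered failed state\.$")
PROC_EXIT = re.compile(r"^(\S+) \w+ process exited, code=(\w+) status=(\d+)$")


def triage(journal_text):
    """Map each unit blocked by a dependency to the units that actually failed.
    Heuristic: assumes the excerpt covers a single start attempt."""
    blocked, failed, exits, helper_output = [], [], {}, []
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # annotation line or a wrapped continuation
        ident, msg = m.group(3), m.group(5)
        if ident != "systemd":
            helper_output.append(f"{ident}: {msg}")  # e.g. stderr of mount(8)
            continue
        if (j := JOB_DEP.match(msg)):
            blocked.append(j.group(1))
        elif (u := UNIT_FAILED.match(msg)):
            failed.append(u.group(1))
        elif (p := PROC_EXIT.match(msg)):
            exits[p.group(1)] = int(p.group(3))
    return {
        unit: {
            "root_causes": [f for f in failed if f != unit],
            "exit_status": {f: exits.get(f) for f in failed if f != unit},
            "helper_output": helper_output,
        }
        for unit in blocked
    }
```

On the sample, the report names proc-fs-nfsd.mount (mount exit status 32) as the failed unit behind the gssproxy.service dependency error.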