John Morris via FreeIPA-users wrote:
>
>
> On 05/03/2018 08:27 AM, Kees Bakker via FreeIPA-users wrote:
>> On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
>>> Hey,
>>>
>>> Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
>>> It fails setting up the certificate server (pki-tomcatd).
>>>
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>> [1/28]: configuring certificate server instance
>>> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
>>> instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s',
>>> 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1:
>>> u"pkispawn : ERROR ....... subprocess.CalledProcessError:
>>> Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero
>>> exit status 255!\npkispawn : ERROR ........... server did not
>>> start after 60s\npkispawn : ERROR ....... server failed to
>>> restart\n")
>>> ipaserver.install.dogtaginstance: CRITICAL See the installation logs
>>> and the following files/directories for more information:
>>> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
>>> [error] RuntimeError: CA configuration failed.
>>> ipapython.admintool: ERROR CA configuration failed.
>>> ipapython.admintool: ERROR The ipa-server-install command failed.
>>> See /var/log/ipaserver-install.log for more information
>>>
>>> The failing command is: sysctl crypto.fips_enabled -bn
>>> On my system there is no /proc/sys/crypto.
>>>
>>> BTW. I'm installing in a LXC container, the host is Ubuntu 16.04.
>>> That should not matter, because none of my Ubuntu systems (16.04 and
>>> 18.04)
>>> have /proc/sys/crypto.
>>>
>>> The problem seems to be in pki/server/deployment/pkihelper.py
>>> When the sysctl command fails due to a missing
>>> /proc/sys/crypto/fips_enabled or even /proc/sys/crypto
>>> it raises an exception.
>>>
>>> Notice that there is a ipaplatform with is_fips_enabled. Shouldn't
>>> that be
>>> used in pkihelper.py ?
>
> I see this same error running the `fedora-27` Docker container (FreeIPA
> 4.6.3) on CoreOS Container Linux, which also doesn't have
> /proc/sys/crypto. I went ahead and filed an issue on Pagure [1].
>
> Is this a known issue? Maybe nobody is trying to run v. 4.6 outside of
> a F27 on bare metal environment?

Lots run it in VMs, I don't know about containers. LXC containers aren't
at all tested so you are blazing new ground. Can you update the ticket
with your research details from this thread, or just add a pointer to the
thread? We'll need to file a sister bug against dogtag to actually fix
the issue.

rob

>
> Thanks-
>
> John
>
> [1]: https://pagure.io/freeipa/issue/7608
>
>
>>
>> As a workaround I applied this patch
>> --- pkihelper.py.orig 2018-04-25 07:00:08.000000000 +0000 >> +++ pkihelper.py 2018-05-03 12:51:19.034143214 +0000 
>> @@ -2304,11 +2304,10 @@ >> extra=config.PKI_INDENTATION_LEVEL_3) >> return False >> except subprocess.CalledProcessError as exc: >> - config.pki_log.error( >> - log.PKI_SUBPROCESS_ERROR_1, exc, >> - extra=config.PKI_INDENTATION_LEVEL_2) >> - if critical_failure: >> - raise >> + config.pki_log.info( >> + log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED, >> + extra=config.PKI_INDENTATION_LEVEL_3) >> + return False >> except OSError as exc: >> config.pki_log.error( >> log.PKI_OSERROR_1, exc,
>>
>> But now the pki-tomcat configuration still fails, with what looks like
>> a tomcat
>> version conflict.
>>
>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>> [1/28]: configuring certificate server instance
>> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
>> instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s',
>> 'CA', '-f', '/tmp/tmpN1J9l_'] returned non-zero exit status 1:
>> u'pkispawn : ERROR ........... server did not start after
>> 60s\npkispawn : ERROR ....... server failed to restart\n')
>> ipaserver.install.dogtaginstance: CRITICAL See the installation logs
>> and the following files/directories for more information:
>> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
>> [error] RuntimeError: CA configuration failed.
>> ipapython.admintool: ERROR CA configuration failed.
>> ipapython.admintool: ERROR The ipa-server-install command failed.
>> See /var/log/ipaserver-install.log for more information
>>
>> root@usrv1:~# grep java.io.FileNotFoundException
>> /var/log/pki/pki-tomcat/catalina.out
>> java.io.FileNotFoundException:
>> /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
>> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
>> file or directory)
>> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
>> file or directory)
>> java.io.FileNotFoundException:
>> /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
>> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
>> file or directory)
>> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
>> file or directory)
>> java.io.FileNotFoundException:
>> /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
>> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
>> file or directory)
>> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
>> file or directory)
>> java.io.FileNotFoundException:
>> /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
>> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
>> file or directory)
>> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
>> file or directory)
>> java.io.FileNotFoundException:
>> /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
>> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
>> file or directory)
>> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
>> file or directory)
>> java.io.FileNotFoundException:
>> /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
>> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
>> file or directory)
>> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
>> file or directory)
>>
>> root@usrv1:~# ls -l /usr/share/java/tomcat*anno*
>> -rw-r--r-- 1 root root 12389 Apr 19 11:53
>> /usr/share/java/tomcat8-annotations-api-8.5.30.jar
>> lrwxrwxrwx 1 root root 34 Apr 19 11:53
>> /usr/share/java/tomcat8-annotations-api.jar ->
>> tomcat8-annotations-api-8.5.30.jar
>> root@usrv1:~# ls -l /usr/share/java/el-api*
>> -rw-r--r-- 1 root root 81242 Apr 19 11:53 /usr/share/java/el-api-3.0.jar
>> root@usrv1:~# ls -l /usr/share/java/oscach*
>> ls: cannot access '/usr/share/java/oscach*': No such file or directory
>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LCNQ5DLEJHMJMDHSXQVMNDL67K5LIXDM/
>
_______________________________________________
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/2OFP3IB3VCRXIKYFRULKOMMP7AI3QOVZ/
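
Review bot: In the `except subprocess.CalledProcessError` branch of the quoted pkihelper.py workaround, every non-zero exit of the command is now logged as PKIHELPER_FIPS_MODE_IS_NOT_ENABLED and returns False, so `exc` is no longer logged and `critical_failure` is ignored. The failure reported in this thread is specifically a missing /proc/sys/crypto/fips_enabled (sysctl exit status 255); consider treating only that case as "not enabled", for example by checking that the file exists before calling sysctl, and keeping the original `log.PKI_SUBPROCESS_ERROR_1, exc` logging and the `if critical_failure: raise` path for any other failure, so that a host whose FIPS state cannot be determined is not silently configured as non-FIPS.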
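
A defensive version of the FIPS check discussed in this thread, as an added example (not code from Dogtag's pkihelper.py or from ipaplatform): it reads `/proc/sys/crypto/fips_enabled` directly and treats only a missing path as "not enabled". The function name `fips_enabled_from_proc`, its `path` parameter and the temporary files standing in for the sysctl file are assumptions made for the demonstration.

```python
import errno
import os
import tempfile

# Path named in the thread; absent in the LXC and CoreOS reports above.
FIPS_PATH = "/proc/sys/crypto/fips_enabled"


def fips_enabled_from_proc(path=FIPS_PATH):
    """Hypothetical helper: True only if the kernel reports FIPS mode.

    A missing file or parent directory means the kernel exposes no FIPS
    switch, which is read as "not enabled". Every other failure is raised,
    so an undeterminable state is never silently reported as "off".
    """
    try:
        with open(path, "rb") as handle:
            value = handle.read().strip()
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.ENOTDIR):
            return False
        raise
    if value not in (b"0", b"1"):
        raise ValueError("unexpected fips_enabled content: %r" % value)
    return value == b"1"


def demo():
    """Exercise the helper on constructed stand-ins for the sysctl file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed case: no crypto/ directory at all, as in the container.
        missing = os.path.join(tmp, "crypto", "fips_enabled")
        results["missing"] = fips_enabled_from_proc(missing)
        for name, content in (("off", b"0\n"), ("on", b"1\n"), ("bad", b"?\n")):
            sample = os.path.join(tmp, name)
            with open(sample, "wb") as handle:
                handle.write(content)
            try:
                results[name] = fips_enabled_from_proc(sample)
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```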