Hi all, I'll keep a watch on the bugzilla.
For now, the upgrade succeeded and IPA is running perfectly. Thanks a lot!

Winfried

-----Original message-----
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Reply-to: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
To: Winfried de Heiden <w...@dds.nl>, FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcrit...@redhat.com>
Subject: [Freeipa-users] Re: ipa-server-upgrade failed
Date: Sun, 26 Jan 2020 22:08:25 -0500

Winfried de Heiden wrote:
> Hi all,
>
> Fixed it, thanks for the tip Rob :-)! Certmonger was to blame or my
> rather slow Udoo board Celeron processor. Anyway, instead of hacking
> the upgrade script, I modified the certmonger.service file by adding a
> 180 secs (!!) sleep and extra Timeout: (The modified
> certmonger.service was removed after the upgrade)
>
> [Unit]
> Description=Certificate monitoring and PKI enrollment
> After=syslog.target network.target dbus.service
>
> [Service]
> Type=dbus
> PIDFile=/var/run/certmonger.pid
> EnvironmentFile=-/etc/sysconfig/certmonger
> ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS
> ExecStartPost=/bin/sleep 180
> TimeoutSec=240
> BusName=org.fedorahosted.certmonger
>
> Running "ipa-server-upgrade" finished OK now. Certmonger takes its
> time when it's (re)started, some dogtag-ipa-ca-r(enew ?) processes
> eating most of the cpu:
>
> top - 16:00:24 up 18:51,  3 users,  load average: 2.41, 1.87, 1.37
> Tasks: 261 total,   6 running, 221 sleeping,   0 stopped,  34 zombie
> %Cpu0  : 90.2 us,  7.8 sy,  0.0 ni,  0.0 id,  0.0 wa,  1.6 hi,  0.3 si,  0.0 st
> %Cpu1  : 92.4 us,  6.6 sy,  0.0 ni,  0.0 id,  0.0 wa,  1.0 hi,  0.0 si,  0.0 st
> %Cpu2  : 95.1 us,  3.6 sy,  0.0 ni,  0.0 id,  0.0 wa,  1.3 hi,  0.0 si,  0.0 st
> %Cpu3  : 88.6 us,  9.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  1.3 hi,  1.0 si,  0.0 st
> MiB Mem :   3847.2 total,    335.4 free,   2154.9 used,   1356.9 buff/cache
> MiB Swap:   3968.0 total,   3968.0 free,      0.0 used.   1452.0 avail Mem
>
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
> 21750 root      20   0  401244  85296  22612 R  85.9   2.2   0:13.36 dogtag-ipa-ca-r
> 21764 root      20   0  386700  72880  22508 R  78.4   1.8   0:06.93 dogtag-ipa-ca-r
> 21771 root      20   0  161788  27332  10812 R  74.5   0.7   0:03.65 dogtag-ipa-ca-r
> 21758 root      20   0  394512  78340  22436 R  67.3   2.0   0:10.65 dogtag-ipa-ca-r
> 21746 root      20   0       0      0      0 Z  51.6   0.0   0:15.36 dogtag-ipa-ca-r
> 21778 root      20   0  106004   1220      0 R  24.8   0.0   0:00.76 certmonger
>
> This seems like a new issue for me... Certainly, the Udoo x86 isn't
> the fastest in the world, but was running IPA bravely the last year...
> Am I hitting the bug Rob mentioned? Is there a bug report somewhere
> to track... I'd like to see it fixed in CentOS 8.

It should be in 8.2 beta,
https://bugzilla.redhat.com/show_bug.cgi?id=1763745

> "getcert list" showed "/var/lib/ipa/private/httpd.key" and
> "/var/lib/ipa/certs/httpd.crt" waiting for PIN. Running "ipa-getcert
> resubmit -i 20200126151811 -p /var/lib/ipa/passwds/ipa.xxx-443-RSA"
> fixed it.

I can't explain that.

rob

> Winfried
>
> -----Original message-----
> From: Rob Crittenden <rcrit...@redhat.com>
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Winfried de Heiden <w...@dds.nl>
> Subject: Re: [Freeipa-users] Re: ipa-server-upgrade failed
> Date: Sat, 25 Jan 2020 17:04:39 -0500
>
> Winfried de Heiden via FreeIPA-users wrote:
> > Hi all,
> >
> > /var/lib/ipa/private/httpd.key was in a status "waiting for PIN",
> > but I did bring it back to life using "ipa-getcert resubmit -i
> > 20200117075404 -p /var/lib/ipa/passwds/xxxx-443-RSA". All certs look
> > fine now. "getcert list" works, although it's a bit slow the first
> > time (running on a Udoo x86 board with a celeron....)
> >
> > Just to be sure about dbus, I restarted the entire machine; no
> > success. :-(
> >
> > Timing issue and/or caused by my rather slow Udoo board.....?
>
> It is very possible. I fixed an issue in certmonger where every time it
> forked (and it forks a LOT) it closed ALL the fds it knew about. On
> containers this was 1M. It took a LONG time. The default is a more
> modest 1k but can still take a while given the amount of forks that
> certmonger does. This is fixed upstream, and I don't know of a
> workaround, but this can definitely lead to timeout issues if certmonger
> is being restarted immediately before this failure.
>
> To diagnose it see what the load on the system is and what processes are
> running. If you see dozens of certmonger processes with high load then
> that's probably it. You'd have to hack the update script to do a sleep
> to give things a chance to settle down.
>
> rob
>
> > Winfried
> >
> > Rob Crittenden wrote on Sat 25-01-2020 at 14:53 [-0500]:
> > > Winfried de Heiden via FreeIPA-users wrote:
> > > > Hi all,
> > > >
> > > > Using CentOS Linux release 8.1.1911 and the Stream repositories,
> > > > upgrading IPA fails:
> > > >
> > > > ( Upgrade  ipa-server-common-4.8.0-13.module_el8.1.0+265+e1e65be4.noarch @AppStream
> > > >   Upgraded ipa-server-common-4.8.0-11.module_el8.1.0+253+3b90c921.noarch @@System )
> > > >
> > > > Running ipa-server-upgrade manually will result in:
> > > >
> > > > [Upgrading CA schema]
> > > > CA schema update complete (no changes)
> > > > [Verifying that CA audit signing cert has 2 year validity]
> > > > [Update certmonger certificate renewal configuration]
> > > > Introspect error on :1.417:/org/fedorahosted/certmonger:
> > > > dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did
> > > > not receive a reply. Possible causes include: the remote application did
> > > > not send a reply, the message bus security policy blocked the reply,
> > > > the reply timeout expired, or the network connection was broken.
> > >
> > > I assume certmonger and dbus services are running?
> > >
> > > Does `getcert list` work?
> > >
> > > The dbus service sometimes isn't too fond of being restarted but
> > > you could try that.
> > >
> > > rob
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
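The "sleep to give things a chance to settle down" discussed in this thread, written as a bounded poll rather than a fixed 180-second delay. This is an added example, not code from the thread or from FreeIPA; the names `wait_for_certmonger` and `count_procs` are hypothetical, and it assumes that `getcert list` exiting with status 0 is a usable sign that certmonger is answering on D-Bus.

```shell
#!/bin/sh
# Added example (not from the thread): poll certmonger until it answers
# instead of sleeping a fixed 180 seconds before the upgrade.
# wait_for_certmonger, count_procs and their arguments are hypothetical names.
#
# Usage: wait_for_certmonger MAX_WAIT_SECS INTERVAL_SECS [PROBE_CMD...]
# PROBE_CMD defaults to "getcert list", the check asked for in the thread.
# Assumption: exit status 0 from the probe means certmonger is answering.
wait_for_certmonger() {
    max_wait=$1
    interval=$2
    shift 2
    [ "$#" -gt 0 ] || set -- getcert list

    waited=0   # counts sleep time only; probe time comes on top of it
    while :; do
        # Bound each probe so a hung D-Bus call cannot stall the loop.
        if timeout 30 "$@" >/dev/null 2>&1; then
            echo "certmonger answered after ~${waited}s of waiting" >&2
            return 0
        fi
        if [ "$waited" -ge "$max_wait" ]; then
            echo "certmonger still not answering after ${waited}s" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Count processes whose name starts with a prefix, e.g. "certmonger" or
# "dogtag-ipa-ca-r" (the truncated name in the top output above). Dozens of
# them under high load is the pattern described in the thread.
count_procs() {
    ps -e -o comm= | awk -v p="$1" 'index($1, p) == 1 { n++ } END { print n + 0 }'
}

# Runs only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    echo "load average: $(cut -d' ' -f1-3 /proc/loadavg)" >&2
    echo "certmonger processes: $(count_procs certmonger)" >&2
    echo "renewal helpers: $(count_procs dogtag-ipa-ca-r)" >&2
    wait_for_certmonger 240 10 && ipa-server-upgrade
fi
```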