On 3/9/21 10:59 AM, Antoine Gatineau via FreeIPA-users wrote:
I could rebuild my cluster from backup before the upgrade to CentOS Stream.
So I'll be able to work from there.

On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote:
Hello,

I'm on freeipa 4.9.0 on CentOS Stream. (1 master and 1 replica)
I have noticed that my replication is broken. Unfortunately, I don't know since 
when...

First question, can it be fixed?
Second question, is it possible to perform a restore (on one node, both nodes) 
to fix the issue?
I recently upgraded from CentOS 8 to CentOS Stream (ipa with it). So can I 
restore from a previous version?


Here are some snippets of what I see.
$ sudo ipa-healthcheck
Internal server error HTTPSConnectionPool(host='ipa-master-tmp.empire.lan', 
port=443): Max retries exceeded with url:
/ca/rest/certs/search?size=3 (Caused by 
NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 
0x7fa49f3df320>: Failed
to
establish a new connection: [Errno -2] Name or service not known',))
[
   {
     "source": "pki.server.healthcheck.clones.connectivity_and_data",
     "check": "ClonesConnectivyAndDataCheck",
     "result": "ERROR",
     "uuid": "66815b82-56d9-43a4-9035-78333c5cb5cd",
     "when": "20210308162643Z",
     "duration": "0.364202",
     "kw": {
       "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: 
ipa-master-tmp.empire.lan Port: 443"
     }
   },

Hi,

the above error can be ignored, it's a known issue:
https://pagure.io/freeipa/issue/8582


   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationCheck",
     "result": "WARNING",
     "uuid": "55addd45-6440-4317-8d0b-8eb0d516bd4e",
     "when": "20210308162645Z",
     "duration": "0.353734",
     "kw": {
       "key": "DSREPLLE0002",
       "items": [
         "Replication",
         "Conflict Entries"
       ],
       "msg": "There were 6 conflict entries found under the replication suffix 
\"dc=empire,dc=lan\"."
     }
   }
]


Replication can be fixed, but the resolution depends on the current situation.

- If there are conflict entries, it means that the same entry was modified on 2 different servers and the replication isn't able to reconcile the updates. In this case, the admin must manually fix the conflict (which basically means choose which updates need to be applied or dropped). See "Solving common replication conflicts" [1].

- If the replication doesn't propagate new entries from one server to the other, then check "Troubleshooting Replication-Related Problems" [2].

The 2 above links are related to Red Hat Directory Server, which is the LDAP server used by IPA, and may help you understand what's going on behind the hood, but IPA provides its own commands to administer replication agreements. The concepts are detailed in "Managing Replication Topology" [3] and the commands details are available with
# ipa help topology

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts

[2] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-troubleshooting_replication_related_problems

[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-topology
pki-tomcatd seems OK:
$ sudo journalctl -u pki-tomcatd@pki-tomcat
-- Logs begin at Mon 2021-03-08 17:24:39 CET, end at Mon 2021-03-08 17:35:01 
CET. --
Mar 08 17:25:01 ipa-master.empire.lan systemd[1]: Starting PKI Tomcat Server 
pki-tomcat...
Mar 08 17:25:04 ipa-master.empire.lan java[1613]: usr/lib/api/apiutil.c Could 
not open /run/lock/opencryptoki/LCK..APIlock
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: Java virtual machine used: 
/usr/lib/jvm/java-1.8.0-openjdk/bin/java
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: classpath used: 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-
juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-la>
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: main class used: 
org.apache.catalina.startup.Bootstrap
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: flags used: 
-Dcom.redhat.fips=false
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: options used: 
-Dcatalina.base=/var/lib/pki/pki-tomcat -
Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/>
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: arguments used: start
Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: pki.client: 
/usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in
PKIConnection.__init__() has been deprecated (https>
Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: 
ipa-pki-wait-running: Created connection
http://ipa-master.empire.lan:8080/ca
Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: 
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Max retries exceeded>
Mar 08 17:25:06 ipa-master.empire.lan java[1716]: usr/lib/api/apiutil.c Could 
not open /run/lock/opencryptoki/LCK..APIlock
Mar 08 17:25:06 ipa-master.empire.lan server[1716]: WARNING: Some of the 
specified [protocols] are not supported by the SSL engine and
have
been skipped: [[TLSv1, TLSv1.1]]
Mar 08 17:25:07 ipa-master.empire.lan ipa-pki-wait-running[1717]: 
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Read timed out. (rea>
Mar 08 17:25:09 ipa-master.empire.lan ipa-pki-wait-running[1717]: 
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Read timed out. (rea>
Mar 08 17:25:11 ipa-master.empire.lan ipa-pki-wait-running[1717]: 
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Read timed out. (rea>
Mar 08 17:25:12 ipa-master.empire.lan ipa-pki-wait-running[1717]: 
ipa-pki-wait-running: Success, subsystem ca is running!
Mar 08 17:25:12 ipa-master.empire.lan systemd[1]: Started PKI Tomcat Server 
pki-tomcat.

Best
Antoine
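To triage the DSREPLLE0002 conflict entries flo describes above, it helps to list each conflict entry next to the live DN it collides with before deciding which updates to keep or drop. The script below is an added example, not part of the thread or of FreeIPA; it parses constructed LDIF in the shape 389 Directory Server uses for conflict entries (`nsuniqueid=...+<rdn>` DNs carrying an `nsds5ReplConflict` attribute) and the nsuniqueid values are made up.

```python
import re

# Constructed sample of what an ldapsearch for "(nsds5ReplConflict=*)" under
# the replication suffix returns. Two replicas each added the same entry
# before replication could reconcile them. UUIDs are invented.
SAMPLE_LDIF = """\
dn: nsuniqueid=0a1b2c3d-4e5f11eb-8f0a9b1c-2d3e4f50+uid=jdoe,cn=users,cn=acco
 unts,dc=empire,dc=lan
nsds5ReplConflict: namingConflict (ADD) uid=jdoe,cn=users,cn=accounts,dc=empire,dc=lan

dn: nsuniqueid=1b2c3d4e-5f6011eb-9a0b1c2d-3e4f5061+cn=admins,cn=groups,cn=accounts,dc=empire,dc=lan
nsds5ReplConflict: namingConflict cn=admins,cn=groups,cn=accounts,dc=empire,dc=lan
"""

# Older servers write "namingConflict <dn>", newer ones "namingConflict (OP) <dn>".
CONFLICT_RE = re.compile(r"^namingConflict(?: \((\w+)\))? (.+)$")


def parse_ldif(text):
    """Split plain LDIF into entries (attr -> list of values).
    Handles folded continuation lines; base64 ('::') values are not decoded."""
    entries, cur, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def conflict_report(text):
    """Return (conflict_dn, operation, live_dn) per conflict entry.
    live_dn is the entry that currently wins; the conflict entry holds the
    losing replica's version, so deleting it discards those updates."""
    report = []
    for entry in parse_ldif(text):
        for val in entry.get("nsds5ReplConflict", []):
            m = CONFLICT_RE.match(val)
            if m:
                report.append((entry["dn"][0], m.group(1) or "UNKNOWN", m.group(2)))
    return report
```

Running `conflict_report` over the real search output gives the list of (conflict entry, live entry) pairs that the "Solving common replication conflicts" procedure walks through one by one.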



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure