On 08/21/2015 07:17 PM, Benjamin Reed wrote: > I recently upgraded my CentOS7 machine to the latest el7.1 updates, and > had oomkiller trigger in the middle of yum upgrade. > > I managed to recover by doing a number of things including restoring > dirsrv's data/config from backup and re-running ipa-upgradeconfig, > followed by an ipa-replica-manage re-initialize from a known-good > machine. Now, when I start up ipa, everything seems to be in sync > data-wise, but in dirsrv's error log, I see this: > > [21/Aug/2015:12:45:50 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipa2.opennms.com-pki-tomcat" (ipa2:389): > Missing data encountered > [21/Aug/2015:12:45:50 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipa2.opennms.com-pki-tomcat" (ipa2:389): > Incremental update failed and requires administrator action > > I fear this means that something is still not properly in sync and will > eventually come back to bite me. Any ideas what's going on here, and > how to fix it?
Yup, this looks as something that can eventually bite you. It looks like your replica's CA database got somehow corrupted and stopped replicating with other master. This could lead to outdated data on the replica, like certificates, CRL, etc. You can re-initialize the Dogtag database from other healthy master with CA, using "ipa-csreplica-manage" command. Some advise should be for example here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#initialize (Note that we need "ipa-csreplica-manage" in this case, as the reported faulty agreement is Dogtag/CA agreement) Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project