Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade
2016-12-15 13:47 GMT+01:00 Petr Vobornik:

> On 12/12/2016 08:53 PM, Rob Verduijn wrote:
> > Hello,
> >
> > I've recently upgraded to centos 7.3.
> > Didn't intend to so soon but should have checked the announce lists before
> > launching my ansible update playbook.
> >
> > Most of my servers came through, and mostly also the ipa server.
> > There were duplicate rpms and a failed rpm upgrade.
> > After some yum magic the rpm duplicates were gone and all the updates installed.
> >
> > Manually running ipa-server-upgrade also seems to finish properly.
> >
> > However
> > ipactl start keeps failing on the ntpd service.
> > Not a big surprise since it's running chronyd.
> >
> > I now start the ipa server with 'ipactl start --ignore-service-failure'
> >
> > Is there a way to explain the script that it should check for chronyd instead of
> > ntpd?
> >
> > I also see this a lot in the logs:
> > dns_rdatatype_fromtext() failed for attribute
> > 'idnsTemplateAttribute;cnamerecord': unknown class/type
> >
> > Is that a serious error?
> >
> > Rob Verduijn
> >
>
> This looks like 7.3 update incorrectly added NTP service to IPA server
> services (which is displayed as NTP role in `ipa server-show $server`).
>
> A workaround might be to disable the service or remove the service
> entry. Disabling is IMHO safer. IPA CLI tools don't allow
> enabling/disabling of services so it must be done by LDAP mod.
>
> It can be done by removing 'enabledService' config value from server's
> service entry, e.g.:
>
> dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> changetype: modify
> delete: ipaConfigString
> ipaConfigString: enabledService
> -
>
> Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g.
> dc=example,dc=com
>
>
> Rob, have you originally installed the replica with NTPD and then later
> switched manually to chrony?
>
> --
> Petr Vobornik
>

Hello,

I can't remember if I installed and configured freeipa and then switched to chronyd or the other way around.

I had my ntpd/ntpdate services masked because I got tired of stopping and disabling them all the time. It seems ipactl can't deal with that.

Currently I unmasked the services and enabled them (disabling chronyd) so that the server boots properly.

I will try your LDIF to see if I can switch back, since I do not use my ipa server as a time source for clients.

I'll let you know the results.

Rob Verduijn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade
On 12/12/2016 08:53 PM, Rob Verduijn wrote:
> Hello,
>
> I've recently upgraded to centos 7.3.
> Didn't intend to so soon but should have checked the announce lists before
> launching my ansible update playbook.
>
> Most of my servers came through, and mostly also the ipa server.
> There were duplicate rpms and a failed rpm upgrade.
> After some yum magic the rpm duplicates were gone and all the updates
> installed.
>
> Manually running ipa-server-upgrade also seems to finish properly.
>
> However
> ipactl start keeps failing on the ntpd service.
> Not a big surprise since it's running chronyd.
>
> I now start the ipa server with 'ipactl start --ignore-service-failure'
>
> Is there a way to explain the script that it should check for chronyd instead of
> ntpd?
>
> I also see this a lot in the logs:
> dns_rdatatype_fromtext() failed for attribute
> 'idnsTemplateAttribute;cnamerecord': unknown class/type
>
> Is that a serious error?
>
> Rob Verduijn
>

This looks like 7.3 update incorrectly added NTP service to IPA server services (which is displayed as NTP role in `ipa server-show $server`).

A workaround might be to disable the service or remove the service entry. Disabling is IMHO safer. IPA CLI tools don't allow enabling/disabling of services so it must be done by LDAP mod.

It can be done by removing 'enabledService' config value from server's service entry, e.g.:

dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
delete: ipaConfigString
ipaConfigString: enabledService
-

Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g. dc=example,dc=com

Rob, have you originally installed the replica with NTPD and then later switched manually to chrony?

--
Petr Vobornik
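
The workaround in the message above as a shell example, added here and not part of the original post or of FreeIPA: it builds the service-entry DN from the server FQDN and the suffix, renders the LDIF, and calls ldapmodify only when DRY_RUN=0. The function names, the DRY_RUN switch, reading the suffix from the `basedn` line of an IPA config file such as /etc/ipa/default.conf, and the GSSAPI bind by an identity allowed to modify the entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and DRY_RUN are illustrative.

# Read the suffix from the basedn line of an IPA config file (path is the argument).
ipa_basedn() {
    sed -n 's/^[[:space:]]*basedn[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Accept only plain DNS names so the value can be placed in a DN unescaped.
valid_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# DN of the NTP service entry for one IPA master.
ntp_service_dn() {
    valid_fqdn "$1" || { echo "invalid FQDN: $1" >&2; return 1; }
    [ -n "$2" ] || { echo "empty suffix" >&2; return 1; }
    printf 'cn=NTP,cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# LDIF that deletes only the enabledService value and leaves the entry in place.
render_disable_ntp_ldif() {
    dn=$(ntp_service_dn "$1" "$2") || return 1
    printf 'dn: %s\nchangetype: modify\ndelete: ipaConfigString\nipaConfigString: enabledService\n-\n' "$dn"
}

# Dry run by default: print the LDIF. With DRY_RUN=0, show the entry's current
# ipaConfigString values first, then apply the change (assumes a GSSAPI bind).
disable_ntp_service() {
    ldif=$(render_disable_ntp_ldif "$1" "$2") || return 1
    if [ "${DRY_RUN:-1}" != 0 ]; then
        printf '%s\n' "$ldif"
        return 0
    fi
    ldapsearch -Y GSSAPI -LLL -s base -b "$(ntp_service_dn "$1" "$2")" ipaConfigString || return 1
    printf '%s\n' "$ldif" | ldapmodify -Y GSSAPI
}

# Dry run with the sample values from the message above; prints the LDIF only.
disable_ntp_service ipa.example.com 'dc=example,dc=com'
```
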
Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade
On 12/12/2016 19:53, Rob Verduijn wrote:
> I've recently upgraded to centos 7.3.
> Didn't intend to so soon but should have checked the announce lists before
> launching my ansible update playbook.
>
> Most of my servers came through, and mostly also the ipa server.
> There were duplicate rpms and a failed rpm upgrade.
> After some yum magic the rpm duplicates were gone and all the updates installed.
>
> Manually running ipa-server-upgrade also seems to finish properly.
>
> However
> ipactl start keeps failing on the ntpd service.
> Not a big surprise since it's running chronyd.
>
> I now start the ipa server with 'ipactl start --ignore-service-failure'
>
> Is there a way to explain the script that it should check for chronyd instead of
> ntpd?

Aside: I also have a use case for running without ntp. I run freeipa inside an lxd container (*), so ntpd is running on the outer host, not in the container.

However unlike you, after upgrading to CentOS 7.3 / FreeIPA 4.4.0 inside the container I don't see any problem:

[root@ipa-2 ~]# ipactl stop
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@ipa-2 ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@ipa-2 ~]#

ntpd won't run inside the container, which is expected:

[root@ipa-2 ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-12-14 10:51:09 UTC; 2min 18s ago
  Process: 1357 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1358 (code=exited, status=255)

Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 4 eth0:1 10.0.0.149 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 5 lo ::1 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 6 eth0 fe80::216:3eff:fef2:a083 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listening on routing socket on fd #23 for interface updates
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c016 06 restart
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c011 01 freq_not_set
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: ntpd.service: main process exited, code=exited, status=255/n/a
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: Unit ntpd.service entered failed state.
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: ntpd.service failed.

But ipactl is not complaining, which is good. But I don't know why it works for me and not for you.

Anyway, I hope that for future reference this use case remains supported. In a container environment like lxd or docker, you *cannot* run ntpd (but that doesn't mean the time isn't synced!)

Regards,

Brian.

(*) Aside: this makes snapshotting IPA a breeze.
[Freeipa-users] ipa fails to start after centos 7.3 upgrade
Hello,

I've recently upgraded to centos 7.3.
Didn't intend to so soon but should have checked the announce lists before launching my ansible update playbook.

Most of my servers came through, and mostly also the ipa server.
There were duplicate rpms and a failed rpm upgrade.
After some yum magic the rpm duplicates were gone and all the updates installed.

Manually running ipa-server-upgrade also seems to finish properly.

However
ipactl start keeps failing on the ntpd service.
Not a big surprise since it's running chronyd.

I now start the ipa server with 'ipactl start --ignore-service-failure'

Is there a way to explain the script that it should check for chronyd instead of ntpd?

I also see this a lot in the logs:
dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

Is that a serious error?

Rob Verduijn