[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-12 Thread Alex Corcoles via FreeIPA-users
Never mind, I don't seem to be able to reproduce this.

On Fri, Jan 12, 2018 at 12:35 PM, lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

>
>
> On 11/01/18 19:49, Alex Corcoles via FreeIPA-users wrote:
>
>> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
>> > GSSAPI Proxy Daemon.
>> > -- Subject: Unit gssproxy.service has failed
>> > -- Defined-By: systemd
>> > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> > --
>> > -- Unit gssproxy.service has failed.
>> > --
>> > -- The result is dependency.
>> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
>> > gssproxy.service/start failed with result 'dependency'.
>> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount
>> > entered failed state.
>>
>> This is RHEL-7.4?  If you're not using NFS, you can remove the
>> "Requires=proc-fs-nfsd.mount" line from gssproxy.service.
>>
>
> I have CentOS 7 in an LXC but both gssproxy & proc-fs-nfsd.mount start
> fine (maybe different program versions?).
> What I see in my container is:
>
> # systemctl status -l auth-rpcgss-module.service
> ● auth-rpcgss-module.service - Kernel Module supporting RPCSEC_GSS
>    Loaded: loaded (/usr/lib/systemd/system/auth-rpcgss-module.service; static; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Fri 2018-01-12 10:59:30 UTC; 33min ago
>   Process: 15 ExecStart=/sbin/modprobe -q auth_rpcgss (code=exited, status=1/FAILURE)
>  Main PID: 15 (code=exited, status=1/FAILURE)
>
> But above is simply about missing kernel drivers, which can be installed
> in LXC or mounted to host's fs, like with libvirt:
>
> 
>   
>   
> 
>
> and that problem goes away.
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>



-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-12 Thread lejeczek via FreeIPA-users



On 11/01/18 19:49, Alex Corcoles via FreeIPA-users wrote:
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
> > GSSAPI Proxy Daemon.
> > -- Subject: Unit gssproxy.service has failed
> > -- Defined-By: systemd
> > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> > --
> > -- Unit gssproxy.service has failed.
> > --
> > -- The result is dependency.
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
> > gssproxy.service/start failed with result 'dependency'.
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount
> > entered failed state.
>
> This is RHEL-7.4?  If you're not using NFS, you can remove the
> "Requires=proc-fs-nfsd.mount" line from gssproxy.service.

I have CentOS 7 in an LXC but both gssproxy & proc-fs-nfsd.mount start
fine (maybe different program versions?).

What I see in my container is:

# systemctl status -l auth-rpcgss-module.service
● auth-rpcgss-module.service - Kernel Module supporting RPCSEC_GSS
   Loaded: loaded (/usr/lib/systemd/system/auth-rpcgss-module.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-01-12 10:59:30 UTC; 33min ago
  Process: 15 ExecStart=/sbin/modprobe -q auth_rpcgss (code=exited, status=1/FAILURE)
 Main PID: 15 (code=exited, status=1/FAILURE)

But above is simply about missing kernel drivers, which can 
be installed in LXC or mounted to host's fs, like with libvirt:


    
  
  
    

and that problem goes away.


[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-11 Thread Alex Corcoles via FreeIPA-users
Ah, that'd be wonderful- that will solve my problem as I don't need NFS on
LXC. If I have some time I will try editing the gssproxy unit file and see
if that's the only stopper to running a FreeIPA replica on LXC.

On Thu, Jan 11, 2018 at 9:17 PM, Robbie Harwood  wrote:

> Alex Corcoles via FreeIPA-users 
> writes:
>
> > Maybe this is a bug in the definition of gssproxy? Should it be a Wants=
> > instead of a Requires=?
>
> No, it's a bug I will have fixed in 7.5.  The requirement needs to be
> from proc-fs-nfsd on gssproxy, not the other way around, because
> gssproxy doesn't require nfs-utils to be present in order to operate.
>
> More information: https://bugzilla.redhat.com/show_bug.cgi?id=1326440
>
> Thanks,
> --Robbie
>



-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-11 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users 
writes:

> Maybe this is a bug in the definition of gssproxy? Should it be a Wants=
> instead of a Requires=?

And anyway something else is broken with proc-fs-nfsd to boot.

Thanks,
--Robbie




[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-11 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users 
writes:

> Maybe this is a bug in the definition of gssproxy? Should it be a Wants=
> instead of a Requires=?

No, it's a bug I will have fixed in 7.5.  The requirement needs to be
from proc-fs-nfsd on gssproxy, not the other way around, because
gssproxy doesn't require nfs-utils to be present in order to operate.

More information: https://bugzilla.redhat.com/show_bug.cgi?id=1326440

Thanks,
--Robbie




[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-11 Thread Alex Corcoles via FreeIPA-users
Maybe this is a bug in the definition of gssproxy? Should it be a Wants=
instead of a Requires=?

On Wed, Jan 10, 2018 at 9:41 PM, Robbie Harwood  wrote:

> Alex Corcoles via FreeIPA-users 
> writes:
>
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
> > GSSAPI Proxy Daemon.
> > -- Subject: Unit gssproxy.service has failed
> > -- Defined-By: systemd
> > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> > --
> > -- Unit gssproxy.service has failed.
> > --
> > -- The result is dependency.
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
> > gssproxy.service/start failed with result 'dependency'.
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit
> proc-fs-nfsd.mount
> > entered failed state.
>
> This is RHEL-7.4?  If you're not using NFS, you can remove the
> "Requires=proc-fs-nfsd.mount" line from gssproxy.service.
>
> Would of course be interesting to see why that failed, though we'd
> probably have to ask NFS folk about it.
>
> Thanks,
> --Robbie
>



-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-10 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users 
writes:

> Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
> GSSAPI Proxy Daemon.
> -- Subject: Unit gssproxy.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- 
> -- Unit gssproxy.service has failed.
> -- 
> -- The result is dependency.
> Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
> gssproxy.service/start failed with result 'dependency'.
> Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount
> entered failed state.

This is RHEL-7.4?  If you're not using NFS, you can remove the
"Requires=proc-fs-nfsd.mount" line from gssproxy.service.

Would of course be interesting to see why that failed, though we'd
probably have to ask NFS folk about it.

Thanks,
--Robbie
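
The workaround described above, applied to a full copy of the unit under /etc/systemd/system, which takes precedence over /usr/lib/systemd/system and is not overwritten by package updates (a drop-in can only add dependencies, not remove them). This is an added example, not code from the thread or from the gssproxy project; the function name `strip_unit_dep` is hypothetical.

```shell
#!/bin/sh
# Added example: build an override copy of a systemd unit with one unit
# name removed from its Requires= lines.

# strip_unit_dep SRC DST DEP
#   Copies SRC to DST, dropping DEP from every Requires= line; a Requires=
#   line left with no units is omitted. Returns 0 on success, 1 if SRC
#   never required DEP (DST is then not written), 2 on I/O problems.
strip_unit_dep() {
    _src=$1; _dst=$2; _dep=$3
    [ -r "$_src" ] || { echo "cannot read $_src" >&2; return 2; }
    _tmp=$(mktemp) || return 2
    if awk -v dep="$_dep" '
        /^Requires=/ {
            # "Requires=" is 9 characters; the value is a space-separated list.
            n = split(substr($0, 10), units, /[ \t]+/)
            kept = ""
            for (i = 1; i <= n; i++) {
                if (units[i] == dep) { found = 1; continue }
                if (units[i] != "") kept = kept (kept == "" ? "" : " ") units[i]
            }
            if (kept != "") print "Requires=" kept
            next
        }
        { print }
        END { exit(found ? 0 : 1) }
    ' "$_src" > "$_tmp"; then
        # mktemp creates the file 0600; unit files are normally world-readable.
        chmod 644 "$_tmp" && mv "$_tmp" "$_dst" && return 0
        rm -f "$_tmp"
        return 2
    fi
    rm -f "$_tmp"
    return 1
}

# On the affected host (source path as shown by `systemctl status gssproxy`
# in this thread), run as root:
#   strip_unit_dep /usr/lib/systemd/system/gssproxy.service \
#       /etc/systemd/system/gssproxy.service proc-fs-nfsd.mount &&
#   systemctl daemon-reload && systemctl restart gssproxy.service
```

A return code of 1 means the installed unit no longer carries the dependency, in which case no override is written and any stale copy in /etc/systemd/system should be removed instead.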




[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-10 Thread Alex Corcoles via FreeIPA-users
Wait, so I retried the replica installation on LXC, without CA and DNS and
it worked, no gssproxy issues.

However, I retried with CA and DNS and it failed:

# journalctl -xe
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy
Daemon...
-- Subject: Unit gssproxy.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit gssproxy.service has begun starting up.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Mounting NFSD
configuration filesystem...
-- Subject: Unit proc-fs-nfsd.mount has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit proc-fs-nfsd.mount has begun starting up.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: nfsd is
write-protected, mounting read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: cannot mount nfsd
read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: proc-fs-nfsd.mount mount
process exited, code=exited status=32
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Failed to mount NFSD
configuration filesystem.
-- Subject: Unit proc-fs-nfsd.mount has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit proc-fs-nfsd.mount has failed.
-- 
-- The result is failed.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
GSSAPI Proxy Daemon.
-- Subject: Unit gssproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit gssproxy.service has failed.
-- 
-- The result is dependency.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount
entered failed state.

# systemctl status gssproxy
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled;
vendor preset: disabled)
   Active: active (running) since Wed 2018-01-10 18:47:02 UTC; 2min 15s ago
  Process: 1547 ExecStart=/usr/sbin/gssproxy -D (code=exited,
status=0/SUCCESS)
 Main PID: 1549 (gssproxy)
   CGroup: /system.slice/gssproxy.service
   └─1549 /usr/sbin/gssproxy -D

Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy
Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'.

# journalctl -u gssproxy
-- Logs begin at Wed 2018-01-10 18:41:32 UTC, end at Wed 2018-01-10
18:48:17 UTC. --
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy
Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job
gssproxy.service/start failed with result 'dependency'.

...

I'm guessing it might be unrelated to adding CA/DNS (I'm mostly sure the
previous failure was without them), maybe it's something that doesn't
happen reliably.

Anyway, I'd rather have a working full CA/DNS replica on a VM (
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7A2I475DZFE235QRJRXMRXTL3DVT46IN/
) and then I'd worry about LXC, although I'm happy to troubleshoot both
issues.

Cheers,

Álex


On Tue, Jan 9, 2018 at 9:38 PM, Martin Basti via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I meant traceback for the DNS issue :-)
>
> Could you please provide the reason why gssproxy didn't start?
>
> journalctl -xe
> systemctl status gssproxy
> journalctl -u gssproxy
>
> 2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> Hi,
>>
>> I have reproduced the problem on the LXC container. The full debug log is
>> at:
>>
>> https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
>>
>> The bit failing is:
>>
>> [root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw
>> --mkhomedir
>> ...
>> ipa : DEBUG  [11/22]: configuring Gssproxy
>>   [11/22]: configuring Gssproxy
>> ipa : DEBUG  Starting external process
>> ipa : DEBUG  args=/usr/sbin/selinuxenabled
>> ipa : DEBUG  Process finished, return code=1
>> ipa : DEBUG  stdout=
>> ipa : DEBUG  stderr=
>> ipa : DEBUG  Starting external process
>> ipa : DEBUG  args=/bin/systemctl restart gssproxy.service
>> ipa : DEBUG  Process finished, return code=1
>> ipa : DEBUG  stdout=
>> ipa : DEBUG  stderr=A dependency job for gssproxy.service
>> failed. See 'journalctl -xe' for details.
>>
>> ipa : DEBUG  Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>> run_step(full_msg, method)
>> 

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-09 Thread Martin Basti via FreeIPA-users
I meant traceback for the DNS issue :-)

Could you please provide the reason why gssproxy didn't start?

journalctl -xe
systemctl status gssproxy
journalctl -u gssproxy

2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> Hi,
>
> I have reproduced the problem on the LXC container. The full debug log is
> at:
>
> https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
>
> The bit failing is:
>
> [root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw
> --mkhomedir
> ...
> ipa : DEBUG  [11/22]: configuring Gssproxy
>   [11/22]: configuring Gssproxy
> ipa : DEBUG  Starting external process
> ipa : DEBUG  args=/usr/sbin/selinuxenabled
> ipa : DEBUG  Process finished, return code=1
> ipa : DEBUG  stdout=
> ipa : DEBUG  stderr=
> ipa : DEBUG  Starting external process
> ipa : DEBUG  args=/bin/systemctl restart gssproxy.service
> ipa : DEBUG  Process finished, return code=1
> ipa : DEBUG  stdout=
> ipa : DEBUG  stderr=A dependency job for gssproxy.service
> failed. See 'journalctl -xe' for details.
>
> ipa : DEBUG  Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 504, in start_creation
> run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 494, in run_step
> method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py",
> line 242, in configure_gssproxy
> services.knownservices.gssproxy.restart()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
> line 322, in restart
> capture_output, wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
> line 310, in _restart_base
> skip_output=not capture_output)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512,
> in run
> raise CalledProcessError(p.returncode, arg_string, str(output))
> CalledProcessError: Command '/bin/systemctl restart gssproxy.service'
> returned non-zero exit status 1
>
> ipa : DEBUG  [error] CalledProcessError: Command
> '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>   [error] CalledProcessError: Command '/bin/systemctl restart
> gssproxy.service' returned non-zero exit status 1
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> DEBUG  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
> line 172, in execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 333, in run
> cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 368, in run
> self.execute()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 392, in execute
> for _nothing in self._executor():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 434, in __runner
> exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 463, in _handle_execute_exception
> self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 453, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 424, in __runner
> step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 421, in 
> step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
> 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
> 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 658, in _configure
> next(executor)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 434, in __runner
> exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 463, in _handle_execute_exception
> self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 521, in _handle_exception
> self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 453, in _handle_exception
> six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 518, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
> 453, in _handle_exception
> six.re