[Freeipa-users] Re: IPA Server down after system update
I was able to resolve but some services are down. ntpd Service: STOPPED and smb Service: STOPPED

Please help

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
smb Service: STOPPED
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

But NTP is installed

# systemctl restart ntpd
Failed to restart ntpd.service: Unit is masked.

# yum install ntp
Loaded plugins: versionlock
Package ntp-4.2.6p5-25.el7.centos.2.x86_64 already installed and latest version
Nothing to do

Thanks,

Gady

-----Original Message-----
From: Jochen Hein [mailto:joc...@jochen.org]
Sent: September 15, 2017 1:26 PM
To: Gady Notrica via FreeIPA-users
Cc: Alexander Bokovoy; Rob Crittenden; Gady Notrica
Subject: Re: [Freeipa-users] Re: IPA Server down after system update

Gady Notrica via FreeIPA-users writes:

> But still having the same issue:

No, you don't. Earlier it timed out waiting for dirsrv, but now it's dogtag (Port 8080, 8443):

> 2017-09-15T15:58:46Z DEBUG stderr=
> 2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

Have a look at the dogtag logs and possibly
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

For me another replica refreshed the certificate while ipaupgrade was running. Another possibility was failure to refresh the cert due to selinux. (Can't find the ticket now).

Jochen

--
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: IPA Server down after system update
Gady Notrica via FreeIPA-users writes:

> But still having the same issue:

No, you don't. Earlier it timed out waiting for dirsrv, but now it's dogtag (Port 8080, 8443):

> 2017-09-15T15:58:46Z DEBUG stderr=
> 2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

Have a look at the dogtag logs and possibly
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

For me another replica refreshed the certificate while ipaupgrade was running. Another possibility was failure to refresh the cert due to selinux. (Can't find the ticket now).

Jochen

--
This space is intentionally left blank.
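The distinction made in the reply above (a timeout on port 389 points at dirsrv, one on 8080/8443 points at dogtag) can be read directly from /var/log/ipaupgrade.log. The following is an added example, not part of the thread and not FreeIPA code; the function names and the port table are assumptions built from the messages here, and one sample line is constructed.

```python
import re
from datetime import datetime

# Port ownership as stated in the thread: 389 is the directory server
# (dirsrv), 8080 and 8443 are dogtag (pki-tomcatd).
PORT_OWNER = {389: "dirsrv", 8080: "pki-tomcatd", 8443: "pki-tomcatd"}

WAIT_RE = re.compile(
    r"^(?P<ts>\S+) DEBUG wait_for_open_ports: (?P<host>\S+) "
    r"\[(?P<ports>[\d, ]+)\] timeout (?P<timeout>\d+)$"
)
FAIL_RE = re.compile(r"^(?P<ts>\S+) ERROR IPA server upgrade failed")

# Log excerpts quoted in the thread, plus one constructed line (the [389]
# wait at 15:58:40) standing in for a port wait that succeeded.
SAMPLE_LOG = """\
2017-09-15T15:30:22Z DEBUG stderr=
2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T15:58:40Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2017-09-15T15:58:46Z DEBUG stderr=
2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
"""


def parse_ts(value):
    """Parse the UTC timestamps used in ipaupgrade.log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_startup_timeouts(lines):
    """Pair each upgrade failure with the port wait that preceded it.

    Only the most recent wait_for_open_ports line counts, and only when the
    failure arrives at or after its timeout, so earlier waits that succeeded
    are not blamed.
    """
    findings, pending = [], None
    for raw in lines:
        line = raw.strip()
        wait = WAIT_RE.match(line)
        if wait:
            pending = wait
            continue
        fail = FAIL_RE.match(line)
        if not (fail and pending):
            continue
        waited = int((parse_ts(fail["ts"]) - parse_ts(pending["ts"])).total_seconds())
        if waited >= int(pending["timeout"]):
            ports = [int(p) for p in pending["ports"].split(",")]
            findings.append({
                "failed_at": fail["ts"],
                "ports": ports,
                "components": sorted({PORT_OWNER.get(p, "unknown") for p in ports}),
                "waited_seconds": waited,
            })
        pending = None
    return findings


if __name__ == "__main__":
    for item in find_startup_timeouts(SAMPLE_LOG.splitlines()):
        print(item)
```
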
[Freeipa-users] Re: IPA Server down after system update
I enabled IPv6 as you can see below:

Int1: flags=4163 mtu 1500
        inet 10.0.120.200 netmask 255.255.255.0 broadcast 10.0.120.255
        inet6 fe80::250:56ff:fe81:c4ba prefixlen 64 scopeid 0x20
        ether 00:50:56:81:c4:ba txqueuelen 1000 (Ethernet)
        RX packets 148560 bytes 12827163 (12.2 MiB)
        RX errors 0 dropped 50 overruns 0 frame 0
        TX packets 46268 bytes 16994535 (16.2 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Int2: flags=4163 mtu 1500
        inet 192.168.1.200 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::250:56ff:fe81:4615 prefixlen 64 scopeid 0x20
        ether 00:50:56:81:46:15 txqueuelen 1000 (Ethernet)
        RX packets 3831 bytes 278364 (271.8 KiB)
        RX errors 0 dropped 50 overruns 0 frame 0
        TX packets 12 bytes 760 (760.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

But still having the same issue:

2017-09-15T15:58:46Z DEBUG stderr=
2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T16:03:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1652, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 211, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start
    self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports
    self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports
    raise socket.timeout("Timeout exceeded")

2017-09-15T16:03:46Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded
2017-09-15T16:03:46Z ERROR Timeout exceeded
2017-09-15T16:03:46Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: September 15, 2017 12:26 PM
To: FreeIPA users list
Cc: Rob Crittenden; Gady Notrica
Subject: Re: [Freeipa-users] Re: IPA Server down after system update

On Fri, 15 Sep 2017, Gady Notrica via FreeIPA-users wrote:
>I am going to try now. Any workaround for people that don't want to have IPv6?
>On IPA servers?

IPA masters must have IPv6 stack enabled in the kernel. You may opt to not assign IP addresses to the interfaces but we do rely on availability of IPv6 stack in IPA and it is an absolute requirement to be enabled.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prerequisites (in 2.1.2).

>
>Thanks,
>
>-----Original Message-----
>From: Rob Crittenden [mailto:rcrit...@redhat.com]
>Sent: September 15, 2017 11:44 AM
>To: FreeIPA users list
>Cc: Gady Notrica
>Subject: Re: [Freeipa-users] IPA Server down after system update
>
>Gady Notrica via FreeIPA-users wrote:
>> Hello,
>>
>> Please HELP
>>
>> After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web.
>>
>> All services are stopped except the directory service
>>
>> # ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: STOPPED
>> kadmin Service: STOPPED
>> named Service: STOPPED
>> httpd Service: STOPPED
>> ipa-custodia Service: STOPPED
>> ntpd Service: STOPPED
>> pki-tomcatd Service: STOPPED
>> ipa-otpd Service: STOPPED
>> ipa-dnskeysyncd Service: STOPPED
>> ipa: INFO: The ipactl command was successful
>>
>> And here is the error from /var/log/ipaupgrade.log
>>
>> 2017-09-15T15:30:22Z DEBUG stderr=
>> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
>> 2017-09-15T15:35:23
[Freeipa-users] Re: IPA Server down after system update
On Fri, 15 Sep 2017, Gady Notrica via FreeIPA-users wrote:
>I am going to try now. Any workaround for people that don't want to have IPv6?
>On IPA servers?

IPA masters must have IPv6 stack enabled in the kernel. You may opt to not assign IP addresses to the interfaces but we do rely on availability of IPv6 stack in IPA and it is an absolute requirement to be enabled.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prerequisites (in 2.1.2).

>
>Thanks,
>
>-----Original Message-----
>From: Rob Crittenden [mailto:rcrit...@redhat.com]
>Sent: September 15, 2017 11:44 AM
>To: FreeIPA users list
>Cc: Gady Notrica
>Subject: Re: [Freeipa-users] IPA Server down after system update
>
>Gady Notrica via FreeIPA-users wrote:
>> Hello,
>>
>> Please HELP
>>
>> After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web.
>>
>> All services are stopped except the directory service
>>
>> # ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: STOPPED
>> kadmin Service: STOPPED
>> named Service: STOPPED
>> httpd Service: STOPPED
>> ipa-custodia Service: STOPPED
>> ntpd Service: STOPPED
>> pki-tomcatd Service: STOPPED
>> ipa-otpd Service: STOPPED
>> ipa-dnskeysyncd Service: STOPPED
>> ipa: INFO: The ipactl command was successful
>>
>> And here is the error from /var/log/ipaupgrade.log
>>
>> 2017-09-15T15:30:22Z DEBUG stderr=
>> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
>> 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2017-09-15T15:35:23Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>     server.upgrade()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>>     upgrade_configuration()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1585, in upgrade_configuration
>>     ds.start(ds_serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 627, in start
>>     super(DsInstance, self).start(*args, **kwargs)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start
>>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 157, in start
>>     instance_name, capture_output=capture_output, wait=wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start
>>     self.wait_for_open_ports(self.service_instance(instance_name))
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports
>>     self.api.env.startup_timeout)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports
>>     raise socket.timeout("Timeout exceeded")
>>
>> 2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded
>> 2017-09-15T15:35:23Z ERROR Timeout exceeded
>> 2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
>Enable IPv6 and re-run ipa-server-upgrade.
>
>rob

--
/ Alexander Bokovoy
[Freeipa-users] Re: IPA Server down after system update
I enabled IPv6 as you can see below:

Int1: flags=4163 mtu 1500
        inet 10.0.120.200 netmask 255.255.255.0 broadcast 10.20.10.255
        inet6 fe80::250:56ff:fe81:c4ba prefixlen 64 scopeid 0x20
        ether 00:50:56:81:c4:ba txqueuelen 1000 (Ethernet)
        RX packets 148560 bytes 12827163 (12.2 MiB)
        RX errors 0 dropped 50 overruns 0 frame 0
        TX packets 46268 bytes 16994535 (16.2 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Int2: flags=4163 mtu 1500
        inet 192.168.1.200 netmask 255.255.255.0 broadcast 192.168.110.255
        inet6 fe80::250:56ff:fe81:4615 prefixlen 64 scopeid 0x20
        ether 00:50:56:81:46:15 txqueuelen 1000 (Ethernet)
        RX packets 3831 bytes 278364 (271.8 KiB)
        RX errors 0 dropped 50 overruns 0 frame 0
        TX packets 12 bytes 760 (760.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Still having the same issue

2017-09-15T15:58:46Z DEBUG stderr=
2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T16:03:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1652, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 211, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start
    self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports
    self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports
    raise socket.timeout("Timeout exceeded")

2017-09-15T16:03:46Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded
2017-09-15T16:03:46Z ERROR Timeout exceeded
2017-09-15T16:03:46Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

-----Original Message-----
From: Gady Notrica via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: September 15, 2017 11:57 AM
To: Rob Crittenden; FreeIPA users list
Cc: Gady Notrica
Subject: [Freeipa-users] Re: IPA Server down after system update

I am going to try now. Any workaround for people that don't want to have IPv6? On IPA servers?

Thanks,

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: September 15, 2017 11:44 AM
To: FreeIPA users list
Cc: Gady Notrica
Subject: Re: [Freeipa-users] IPA Server down after system update

Gady Notrica via FreeIPA-users wrote:
> Hello,
>
> Please HELP
>
> After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web.
>
> All services are stopped except the directory service
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> ntpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
> And here is the error from /var/log/ipaupgrade.log
>
> 2017-09-15T15:30:22Z DEBUG stderr=
> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-09-15T15:35:23Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upg
[Freeipa-users] Re: IPA Server down after system update
I am going to try now. Any workaround for people that don't want to have IPv6? On IPA servers?

Thanks,

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: September 15, 2017 11:44 AM
To: FreeIPA users list
Cc: Gady Notrica
Subject: Re: [Freeipa-users] IPA Server down after system update

Gady Notrica via FreeIPA-users wrote:
> Hello,
>
> Please HELP
>
> After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web.
>
> All services are stopped except the directory service
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> ntpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
> And here is the error from /var/log/ipaupgrade.log
>
> 2017-09-15T15:30:22Z DEBUG stderr=
> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-09-15T15:35:23Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1585, in upgrade_configuration
>     ds.start(ds_serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 627, in start
>     super(DsInstance, self).start(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 157, in start
>     instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start
>     self.wait_for_open_ports(self.service_instance(instance_name))
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports
>     self.api.env.startup_timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports
>     raise socket.timeout("Timeout exceeded")
>
> 2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded
> 2017-09-15T15:35:23Z ERROR Timeout exceeded
> 2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>

Enable IPv6 and re-run ipa-server-upgrade.

rob
[Freeipa-users] Re: IPA Server down after system update
Gady Notrica via FreeIPA-users wrote:
> Hello,
>
> Please HELP
>
> After upgrading my server, IPA is not running any more. Here is the error I am getting and I can't seem to find any solution on the web.
>
> All services are stopped except the directory service
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> ntpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
> And here is the error from /var/log/ipaupgrade.log
>
> 2017-09-15T15:30:22Z DEBUG stderr=
> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-09-15T15:35:23Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1585, in upgrade_configuration
>     ds.start(ds_serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 627, in start
>     super(DsInstance, self).start(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 401, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 157, in start
>     instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 300, in start
>     self.wait_for_open_ports(self.service_instance(instance_name))
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 270, in wait_for_open_ports
>     self.api.env.startup_timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in wait_for_open_ports
>     raise socket.timeout("Timeout exceeded")
>
> 2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded
> 2017-09-15T15:35:23Z ERROR Timeout exceeded
> 2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>

Enable IPv6 and re-run ipa-server-upgrade.

rob