Wait, so I retried the replica installation on LXC, without CA and DNS and it worked, no gssproxy issues.
However, I retried with CA and DNS and it failed:

# journalctl -xe
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy Daemon...
-- Subject: Unit gssproxy.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit gssproxy.service has begun starting up.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Mounting NFSD configuration filesystem...
-- Subject: Unit proc-fs-nfsd.mount has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit proc-fs-nfsd.mount has begun starting up.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: nfsd is write-protected, mounting read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: cannot mount nfsd read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: proc-fs-nfsd.mount mount process exited, code=exited status=32
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Failed to mount NFSD configuration filesystem.
-- Subject: Unit proc-fs-nfsd.mount has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit proc-fs-nfsd.mount has failed.
--
-- The result is failed.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon.
-- Subject: Unit gssproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit gssproxy.service has failed.
--
-- The result is dependency.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job gssproxy.service/start failed with result 'dependency'.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Unit proc-fs-nfsd.mount entered failed state.

# systemctl status gssproxy
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-01-10 18:47:02 UTC; 2min 15s ago
  Process: 1547 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 1549 (gssproxy)
   CGroup: /system.slice/gssproxy.service
           └─1549 /usr/sbin/gssproxy -D

Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job gssproxy.service/start failed with result 'dependency'.

# journalctl -u gssproxy
-- Logs begin at Wed 2018-01-10 18:41:32 UTC, end at Wed 2018-01-10 18:48:17 UTC. --
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy Daemon...
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Job gssproxy.service/start failed with result 'dependency'.
...

I'm guessing it might be unrelated to adding CA/DNS (I'm mostly sure the previous failure was without them), maybe it's something that doesn't happen reliably.

Anyway, I'd rather have a working full CA/DNS replica on a VM ( https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7A2I475DZFE235QRJRXMRXTL3DVT46IN/ ) and then I'd worry about LXC, although I'm happy to troubleshoot both issues.

Cheers,

Álex

On Tue, Jan 9, 2018 at 9:38 PM, Martin Basti via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> I meant traceback for the DNS issue :-)
>
> Could you please provide the reason why gssproxy didn't start?
>
> journalctl -xe
> systemctl status gssproxy
> journalctl -u gssproxy
>
> 2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> Hi,
>>
>> I have reproduced the problem on the LXC container.
>> The full debug log is at:
>>
>> https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
>>
>> The bit failing is:
>>
>> [root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw --mkhomedir
>> ...
>> ipa : DEBUG [11/22]: configuring Gssproxy
>> [11/22]: configuring Gssproxy
>> ipa : DEBUG Starting external process
>> ipa : DEBUG args=/usr/sbin/selinuxenabled
>> ipa : DEBUG Process finished, return code=1
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=
>> ipa : DEBUG Starting external process
>> ipa : DEBUG args=/bin/systemctl restart gssproxy.service
>> ipa : DEBUG Process finished, return code=1
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=A dependency job for gssproxy.service failed. See 'journalctl -xe' for details.
>>
>> ipa : DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy
>>     services.knownservices.gssproxy.restart()
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart
>>     capture_output, wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base
>>     skip_output=not capture_output)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
>>     raise CalledProcessError(p.returncode, arg_string, str(output))
>> CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>>
>> ipa : DEBUG [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>> [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
>>     for _nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
>>     next(executor)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>     for _nothing in self._installer(self.parent):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
>>     replica_install(self)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
>>     func(installer)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1440, in install
>>     ca_file=cafile)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 166, in install_http
>>     subject_base=config.subject_base, master_fqdn=config.master_host_name)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 190, in create_instance
>>     self.start_creation()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy
>>     services.knownservices.gssproxy.restart()
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart
>>     capture_output, wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base
>>     skip_output=not capture_output)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
>>     raise CalledProcessError(p.returncode, arg_string, str(output))
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>
>> Cheers,
>>
>> Álex
>>
>> On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> do you have a traceback in log? I'm curious where exactly this happened,
>>> what is your FreeIPA version?
>>>
>>> [1]
>>> I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running
>>> in LXC :-) So it should work
>>>
>>> 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
>>> freeipa-users@lists.fedorahosted.org>:
>>>
>>>> Hi Marti,
>>>>
>>>> On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>>> it looks that replica is trying to add records to your forward zone.
>>>>> What is the hostname of the replica?
>>>>>
>>>>
>>>> Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
>>>>
>>>> I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to
>>>> provide automatic network configuration to VMs. It's a non-routable
>>>> network, so I'm not sure what the right setup would be.
>>>>
>>>> 1. what is not working on lxc?
>>>>>
>>>>
>>>> It was something about GSSAPI or something like that, I'll try to
>>>> reproduce and start a new thread about that- but I guess it's more of an
>>>> LXC problem (ideally I would like to run my replica on LXC so it consumes
>>>> less RAM, but I can live with a full VM).
>>>>
>>>> Cheers,
>>>>
>>>> Álex
>>>>
>>>> 2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm labbing a FreeIPA environment for personal use, and I'm getting
>>>>> that while bringing up a replica.
>>>>>
>>>>> I set up my first freeipa-server instance on a cheap VPS on a public
>>>>> IP, intend on making it publicly accessible so I can always authenticate my
>>>>> laptop even on wild public networks.
>>>>>
>>>>> I'm adding the replica as a VM(1) on a Proxmox VE, on a private
>>>>> network with VPN connectivity to the first public freeipa-server, but I'm
>>>>> getting:
>>>>>
>>>>> 2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
>>>>>
>>>>> I'm trying to create the replica with CA and DNS, and I had set up
>>>>> DNS forwarding to the internal DNS on the Proxmox system with:
>>>>>
>>>>> $ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
>>>>> $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only
>>>>>
>>>>> on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 -
>>>>> h2.int.pdp7.net is the network it manages), and I guess that's
>>>>> messing with the replica, but I'm not sure how to troubleshoot this.
>>>>>
>>>>> Thoughts? Ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Álex
>>>>>
>>>>> (1) I can't seem to create a freeipa-replica on an LXC container. Is
>>>>> this something that can be discussed here or should I take it to LXC?
>>>>>
>>>>> --
>>>>>    ___
>>>>>  {~._.~}
>>>>>   ( Y )
>>>>>  ()~*~()  mail: alex at corcoles dot net
>>>>>  (_)-(_)  http://alex.corcoles.net/
>>>>>
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>
>>>> --
>>>> With regards, Martin Bašti.
--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
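
The `journalctl -xe` output in this message already separates the unit that failed on its own (`proc-fs-nfsd.mount`, result `failed`) from the one that failed only as a consequence (`gssproxy.service`, result `dependency`). As an added example, not part of the original thread, this Python snippet reads those catalog blocks from a constructed excerpt of that output; the function names are hypothetical.

```python
import re

# Constructed sample: an excerpt of the `journalctl -xe` lines quoted in the
# message, with the Defined-By/Support catalog lines left out.
JOURNAL = """\
Jan 10 18:47:02 ctipa.h2.int.pdp7.net mount[1548]: mount: cannot mount nfsd read-only
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Failed to mount NFSD configuration filesystem.
-- Subject: Unit proc-fs-nfsd.mount has failed
--
-- Unit proc-fs-nfsd.mount has failed.
--
-- The result is failed.
Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for GSSAPI Proxy Daemon.
-- Subject: Unit gssproxy.service has failed
--
-- Unit gssproxy.service has failed.
--
-- The result is dependency.
"""

SUBJECT = re.compile(r"^-- Subject: Unit (\S+) has failed$")
RESULT = re.compile(r"^-- The result is (\S+?)\.$")


def classify_failures(journal_text):
    """Map each failed unit to the result systemd recorded in its catalog block."""
    results, unit = {}, None
    for line in journal_text.splitlines():
        if not line.startswith("--"):
            unit = None  # a new journal entry closes the previous catalog block
            continue
        subject = SUBJECT.match(line)
        result = RESULT.match(line)
        if subject:
            unit = subject.group(1)
        elif result and unit:
            results[unit] = result.group(1)
    return results


def root_causes(journal_text):
    """Units that failed themselves rather than because a dependency failed."""
    failures = classify_failures(journal_text)
    return sorted(u for u, r in failures.items() if r != "dependency")


if __name__ == "__main__":
    print(classify_failures(JOURNAL))
    print("fix first:", root_causes(JOURNAL))
```
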