On Wed, 2021-03-10 at 16:09 +0100, Florence Blanc-Renaud wrote:
> On 3/9/21 10:59 AM, Antoine Gatineau via FreeIPA-users wrote:
> > I could rebuild my cluster from backup before the upgrade to CentOS Stream.
> > So I'll be able to work from there.
> >
> > On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote:
> > > Hello,
> > >
> > > I'm on freeipa 4.9.0 on CentOS Stream. (1 master and 1 replica)
> > > I have noticed that my replication is broken. Unfortunately, I don't know
> > > since when...
> > >
> > > First question, can it be fixed?
> > > Second question, is it possible to perform a restore (on one node, both
> > > nodes) to fix the issue?
> > > I recently upgraded from CentOS 8 to CentOS Stream (ipa with it). So can
> > > I restore from a previous version?
> > >
> > > Here are some snippets of what I see.
> > > $ sudo ipa-healthcheck
> > > Internal server error
> > > HTTPSConnectionPool(host='ipa-master-tmp.empire.lan', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa49f3df320>: Failed to establish a new connection: [Errno -2] Name or service not known',))
> > > [
> > >   {
> > >     "source": "pki.server.healthcheck.clones.connectivity_and_data",
> > >     "check": "ClonesConnectivyAndDataCheck",
> > >     "result": "ERROR",
> > >     "uuid": "66815b82-56d9-43a4-9035-78333c5cb5cd",
> > >     "when": "20210308162643Z",
> > >     "duration": "0.364202",
> > >     "kw": {
> > >       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: ipa-master-tmp.empire.lan Port: 443"
> > >     }
> > >   },
>
> Hi,
>
> the above error can be ignored, it's a known issue:
> https://pagure.io/freeipa/issue/8582
>
> > >   {
> > >     "source": "ipahealthcheck.ds.replication",
> > >     "check": "ReplicationCheck",
> > >     "result": "WARNING",
> > >     "uuid": "55addd45-6440-4317-8d0b-8eb0d516bd4e",
> > >     "when": "20210308162645Z",
> > >     "duration": "0.353734",
> > >     "kw": {
> > >       "key": "DSREPLLE0002",
> > >       "items": [
> > >         "Replication",
> > >         "Conflict Entries"
> > >       ],
> > >       "msg": "There were 6 conflict entries found under the replication suffix \"dc=empire,dc=lan\"."
> > >     }
> > >   }
> > > ]
> > >
>
> Replication can be fixed, but the resolution depends on the current
> situation.
> - If there are conflict entries, it means that the same entry was
> modified on 2 different servers and the replication isn't able to
> reconcile the updates. In this case, the admin must manually fix the
> conflict (which basically means choose which updates need to be applied
> or dropped). See "Solving common replication conflicts" [1].
>
> - If the replication doesn't propagate new entries from one server to
> the other, then check "Troubleshooting Replication-Related Problems" [2].
>
> The 2 above links are related to Red Hat Directory Server, which is the
> LDAP server used by IPA, and may help you understand what's going on
> behind the hood, but IPA provides its own commands to administer
> replication agreements. The concepts are detailed in "Managing
> Replication Topology" [3] and the commands details are available with
> # ipa help topology
>
> HTH,
> flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts
>
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-troubleshooting_replication_related_problems
>
> [3]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-topology

Thanks for the reply. I had tried those but with no luck.
Roll back and restore allowed me to get back to a working state but I'll
definitely work on the fixing part for future possible issues.

Best

> > > pki-tomcatd seems ok :
> > > $ sudo journalctl -u pki-tomcatd@pki-tomcat
> > > -- Logs begin at Mon 2021-03-08 17:24:39 CET, end at Mon 2021-03-08 17:35:01 CET. --
> > > Mar 08 17:25:01 ipa-master.empire.lan systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> > > Mar 08 17:25:04 ipa-master.empire.lan java[1613]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> > > Mar 08 17:25:05 ipa-master.empire.lan server[1716]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
> > > Mar 08 17:25:05 ipa-master.empire.lan server[1716]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-la>
> > > Mar 08 17:25:05 ipa-master.empire.lan server[1716]: main class used: org.apache.catalina.startup.Bootstrap
> > > Mar 08 17:25:05 ipa-master.empire.lan server[1716]: flags used: -Dcom.redhat.fips=false
> > > Mar 08 17:25:05 ipa-master.empire.lan server[1716]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/>
> > > Mar 08 17:25:05 ipa-master.empire.lan server[1716]: arguments used: start
> > > Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in PKIConnection.__init__() has been deprecated (https>
> > > Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Created connection http://ipa-master.empire.lan:8080/ca
> > > Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Max retries exceeded>
> > > Mar 08 17:25:06 ipa-master.empire.lan java[1716]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> > > Mar 08 17:25:06 ipa-master.empire.lan server[1716]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
> > > Mar 08 17:25:07 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Read timed out. (rea>
> > > Mar 08 17:25:09 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Read timed out. (rea>
> > > Mar 08 17:25:11 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Read timed out. (rea>
> > > Mar 08 17:25:12 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Success, subsystem ca is running!
> > > Mar 08 17:25:12 ipa-master.empire.lan systemd[1]: Started PKI Tomcat Server pki-tomcat.
> > >
> > > Best
> > > Antoine
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
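
Added example (not part of the original thread, and not FreeIPA's own code): the ipa-healthcheck capture quoted above mixes error text, including a bracketed "[Errno -2]", with the JSON result array, so it cannot be passed straight to a JSON parser. This Python code extracts the array and reports the non-SUCCESS checks plus the DSREPLLE0002 conflict count; the function names and the embedded sample are constructed for illustration.

```python
import json
import re

# Constructed sample modelled on the output quoted in the thread: error text
# (with a bracketed "[Errno -2]") precedes the JSON array of results.
SAMPLE = r'''Internal server error
HTTPSConnectionPool(host='ipa-master-tmp.empire.lan', port=443): Failed to
establish a new connection: [Errno -2] Name or service not known',))
[
  {"source": "pki.server.healthcheck.clones.connectivity_and_data",
   "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
   "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone."}},
  {"source": "ipahealthcheck.ds.replication",
   "check": "ReplicationCheck", "result": "WARNING",
   "kw": {"key": "DSREPLLE0002", "items": ["Replication", "Conflict Entries"],
          "msg": "There were 6 conflict entries found under the replication suffix \"dc=empire,dc=lan\"."}}
]
'''

CONFLICT_RE = re.compile(r'(\d+) conflict entries found under the replication suffix "([^"]+)"')


def extract_results(raw):
    """Return the result list, skipping non-JSON text printed before it."""
    decoder = json.JSONDecoder()
    for m in re.finditer(r"\[", raw):
        try:
            obj, _ = decoder.raw_decode(raw, m.start())
        except json.JSONDecodeError:
            continue  # e.g. "[Errno -2]" is not JSON
        if isinstance(obj, list) and obj and all(isinstance(r, dict) for r in obj):
            return obj
    raise ValueError("no healthcheck result array found")


def triage(results):
    """List non-SUCCESS checks and extract (count, suffix) for DSREPLLE0002."""
    report = {"failing": [], "conflicts": None}
    for r in results:
        if r.get("result") == "SUCCESS":
            continue
        report["failing"].append((r.get("result"), r.get("source"), r.get("check")))
        kw = r.get("kw", {})
        m = CONFLICT_RE.search(kw.get("msg", "")) if kw.get("key") == "DSREPLLE0002" else None
        if m:
            report["conflicts"] = (int(m.group(1)), m.group(2))
    return report


if __name__ == "__main__":
    print(triage(extract_results(SAMPLE)))
```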