Melissa Ferreira da Silva Boiko via FreeIPA-users wrote:
> Hello all.
>
> I'm trying to replace an ancient FreeIPA 4.5.0 master (and primary CA
> master) on CentOS 7.4. I am having problems trying to make replicas
> with FreeIPA 4.11, and past threads suggest the errors are due to
> incompatibility of password hash algorithms, which are supposed to be
> fixed on the older releases rather than the newer.
>
> Therefore I'm trying to upgrade the old server to the current version in
> the CentOS 7 repos, 4.6.8, to try to create fresh replicas from there.
> But I'm having issues with the certmonger systemd service hanging, and
> breaking ipa-server-upgrade--whether I update the whole CentOS to
> 7.9.2009, or just ipa-server and its dependencies, the result is the same.
>
> This is where ipa-server-upgrade breaks:
>
>     [Verifying that root certificate is published]
>     [Migrate CRL publish directory]
>     CRL tree already moved
>     [Verifying that CA proxy configuration is correct]
>     IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>     Unexpected error - see /var/log/ipaupgrade.log for details:
>     CalledProcessError: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
>     The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> This is because certmonger.service hangs until timeout. That happens
> when starting the service manually, too. Logs for certmonger.service
> are not informative:
>
>     -- Subject: Unit certmonger.service has begun start-up
>     -- Unit certmonger.service has begun starting up.
>     Jan 31 14:38:59 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service start operation timed out. Terminating.
>     Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service stop-sigterm timed out. Killing.
>     Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service: main process exited, code=killed, status=9/KILL
>     -- Subject: Unit certmonger.service has failed
>     -- Unit certmonger.service has failed.
>     Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: Unit certmonger.service entered failed state.
>     Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service failed.
>     r...@vm-ipa-1.intra.viaboxxsystems.de[lxc](e:0,1s)(j:0) ~
>
> Running `certmonger -S -n -d 9` seems to run ok. The only difference in
> the systemd service file is, I think, whatever it is that the BusName
> setting does. dbus is running seemingly without issue, nothing on
> logs. Restarting dbus.service doesn't help.
>
> The machine is an LXC container with 4GiB RAM, which doesn't come close
> to being exhausted when trying to restart certmonger. No OOM in logs.
>
> I saw this thread about certmonger problems with ulimit in containers:
> https://bugzilla.redhat.com/show_bug.cgi?id=1656519
> But the suggested workaround (make sure ulimit -n is the same in
> container and host) doesn't apply because it's already the same for us.
>
> How should I proceed from here?

Why not create a new CentOS replica from the current one. Then use that to upgrade to 8 and then 9?

rob