On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote:
Hi,
this is a known selinux-policy issue, tracked at https://bugzilla.redhat.com/show_bug.cgi?id=1894132
flo

On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


    On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote:
    > In a completely fresh install of freeipa-server, f34, my logs are filled with
    >
    > certmonger[5754]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

    I get similar messages from certutil, certmonger and pk12util

    May 10 14:31:21 registry1.1.quietfountain.com certutil[18672]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:22 registry1.1.quietfountain.com certutil[18674]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:23 registry1.1.quietfountain.com certutil[18676]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:25 registry1.1.quietfountain.com certutil[18678]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:25 registry1.1.quietfountain.com certutil[18680]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:26 registry1.1.quietfountain.com certutil[18682]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:27 registry1.1.quietfountain.com certutil[18684]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:28 registry1.1.quietfountain.com pk12util[18686]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:32 registry1.1.quietfountain.com certutil[18688]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    May 10 14:31:35 registry1.1.quietfountain.com pk12util[18700]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
    _______________________________________________
    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
    Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


I think this might be the culprit in most recent CentOS updated packages:

sssd-client-2.4.0-9.el8_4.1.x86_64
sssd-common-2.4.0-9.el8_4.1.x86_64
sssd-common-pac-2.4.0-9.el8_4.1.x86_64
sssd-dbus-2.4.0-9.el8_4.1.x86_64
sssd-ipa-2.4.0-9.el8_4.1.x86_64
sssd-kcm-2.4.0-9.el8_4.1.x86_64
sssd-krb5-common-2.4.0-9.el8_4.1.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64
sssd-tools-2.4.0-9.el8_4.1.x86_64
389-ds-base-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
389-ds-base-libs-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64

which updates make existing IPAs upgrade and new installations fail. I too see:
...
Stopped PKI Tomcat Server pki-tomcat.
Starting PKI Tomcat Server pki-tomcat...
usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Started PKI Tomcat Server pki-tomcat.
Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/jav>
main class used: org.apache.catalina.startup.Bootstrap
flags used: -Dcom.redhat.fips=false
options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.>
arguments used: start
..
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po>
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po>
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po>
...skipping...
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url...

Above is from 'pki-tomcatd@pki-tomcat.service'

regards, L.
