On Thu, Jul 1, 2021 at 9:34 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > > On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote: > > Hi, > > this is a known selinux-policy issue, tracked at > > https://bugzilla.redhat.com/show_bug.cgi?id=1894132 > > <https://bugzilla.redhat.com/show_bug.cgi?id=1894132> > > flo > > > > On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via > > FreeIPA-users <freeipa-users@lists.fedorahosted.org > > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > > > > > On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote: > > > In a completely fresh install of freeipa-server, > > f34, my logs are filled with > > > > > > certmonger[5754]: usr/lib/api/apiutil.c Could not > > open /run/lock/opencryptoki/LCK..APIlock > > > > I get similar messages from certutil, certmonger and > > pk12util > > > > May 10 14:31:21 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18672]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:22 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18674]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:23 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18676]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:25 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18678]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:25 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18680]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:26 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18682]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:27 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18684]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:28 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> pk12util[18686]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:32 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> certutil[18688]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > May 10 14:31:35 registry1.1.quietfountain.com > > <http://registry1.1.quietfountain.com> pk12util[18700]: > > usr/lib/api/apiutil.c Could not open > > /run/lock/opencryptoki/LCK..APIlock > > _______________________________________________ > > FreeIPA-users mailing list -- > > freeipa-users@lists.fedorahosted.org > > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to > > freeipa-users-le...@lists.fedorahosted.org > > <mailto:freeipa-users-le...@lists.fedorahosted.org> > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > <https://fedoraproject.org/wiki/Mailing_list_guidelines> > > List Archives: > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > < https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > > Do not reply to spam on the list, report it: > > https://pagure.io/fedora-infrastructure > > <https://pagure.io/fedora-infrastructure> > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure > I think this might be the culprit in most recent CentOS > updated packages: > > sssd-client-2.4.0-9.el8_4.1.x86_64 > sssd-common-2.4.0-9.el8_4.1.x86_64 > sssd-common-pac-2.4.0-9.el8_4.1.x86_64 > sssd-dbus-2.4.0-9.el8_4.1.x86_64 > sssd-ipa-2.4.0-9.el8_4.1.x86_64 > sssd-kcm-2.4.0-9.el8_4.1.x86_64 > sssd-krb5-common-2.4.0-9.el8_4.1.x86_64 > sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64 > sssd-tools-2.4.0-9.el8_4.1.x86_64 > 389-ds-base-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
There have been several reports today of issues upgrading or installing IPA with Centos 8. It seems they are fixing downgrading 389-ds to 1.4.3.16-13 (instead fo 1.4.3.16-16). HTH, Rafael > 389-ds-base-libs-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64 > ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 > ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 > ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch > ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 > > which updates make existing IPAs upgrade and new > installations fail. I too see: > ... > Stopped PKI Tomcat Server pki-tomcat. > Starting PKI Tomcat Server pki-tomcat... > usr/lib/api/apiutil.c Could not open > /run/lock/opencryptoki/LCK..APIlock > Started PKI Tomcat Server pki-tomcat. > Java virtual machine used: > /usr/lib/jvm/java-1.8.0-openjdk/bin/java > classpath used: > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/jav> > main class used: org.apache.catalina.startup.Bootstrap > flags used: -Dcom.redhat.fips=false > options used: -Dcatalina.base=/var/lib/pki/pki-tomcat > -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.> > arguments used: start > .. > ipa-pki-wait-running: Connection failed: > HTTPConnectionPool(host='midway.ccn.am.priv.dom', po> > ipa-pki-wait-running: Connection failed: > HTTPConnectionPool(host='midway.ccn.am.priv.dom', po> > ipa-pki-wait-running: Connection failed: > HTTPConnectionPool(host='midway.ccn.am.priv.dom', po> > ...skipping... > ipa-pki-wait-running: Request failed unexpectedly, 404 > Client Error: for url... > > Above is from 'pki-tomcatd@pki-tomcat.service' > > regards, L. > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure