Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-16 Thread Rob Verduijn
2016-12-15 13:47 GMT+01:00 Petr Vobornik:

> On 12/12/2016 08:53 PM, Rob Verduijn wrote:
> > Hello,
> >
> > I've recently upgraded to centos 7.3.
> > Didn't intend to so soon but should have checked the announce lists before
> > launching my ansible update playbook.
> >
> > Most of my servers came through, and mostly also the ipa server.
> > There were duplicate rpms and a failed rpm upgrade.
> > After some yum magic the rpm duplicates were gone and all the updates
> > installed.
> >
> > Manually running ipa-server-upgrade also seems to finish properly.
> >
> > However
> > ipactl start keeps failing on the ntpd service.
> > Not a big surprise since it's running chronyd.
> >
> > I now start the ipa server with 'ipactl start --ignore-service-failure'
> >
> > Is there a way to explain the script that it should check for chronyd
> > instead of ntpd ?
> >
> > I also see this a lot in the logs:
> > dns_rdatatype_fromtext() failed for attribute
> > 'idnsTemplateAttribute;cnamerecord': unknown class/type
> >
> > Is that a serious error ?
> >
> > Rob Verduijn
> >
>
> This looks like 7.3 update incorrectly added NTP service to IPA server
> services (which is displayed as NTP role in `ipa server-show $server`).
>
> A workaround might be to disable the service or remove the service
> entry. Disabling is IMHO safer.  IPA CLI tools don't allow
> enabling/disabling of services so it must be done by LDAP mod.
>
> It can be done by removing 'enabledService' config value from server's
> service entry, e.g.:
>
> dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> changetype: modify
> delete: ipaConfigString
> ipaConfigString: enabledService
> -
>
> Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g.
> dc=example,dc=com
>
>
> Rob, have you originally installed the replica with NTPD and then later
> switched manually to chrony?
>
> --
> Petr Vobornik
>

Hello,

I can't remember if I installed and configured freeipa and then switched to
chronyd or the other way around.

I had my ntpd/ntpdate services masked because I got tired of stopping and
disabling them all the time.
It seems ipactl can't deal with that.

Currently I unmasked the services and enabled them (disabling chronyd) so
that the server boots properly.

I will try your LDIF to see if I can switch back, since I do not use my
ipa server as a time source for clients.

I'll let you know the results.

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
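
The workaround quoted in the message above substitutes $SERVER_FQDN and $SUFFIX into a DN by hand. The following is an added example, not part of the thread and not FreeIPA code: it renders that same LDIF and refuses values that would alter the DN. The function names, the sample values, the dc=-only suffix check and the Directory Manager bind in the trailing comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the LDIF quoted above for one server.

# A comma, '=' or space in either value would change the DN structure,
# so accept only hostname characters and dc=label components.
valid_fqdn() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

valid_suffix() {
    printf '%s\n' "$1" | grep -Eq '^dc=[A-Za-z0-9-]+(,dc=[A-Za-z0-9-]+)*$'
}

# DN of the NTP service entry under cn=masters, as given in the thread.
ntp_service_dn() {
    valid_fqdn "$1" && valid_suffix "$2" || return 1
    printf 'cn=NTP,cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# LDIF that deletes only the enabledService value of ipaConfigString.
render_disable_ntp_ldif() {
    dn=$(ntp_service_dn "$1" "$2") || {
        echo "refusing to render: invalid FQDN or suffix" >&2
        return 1
    }
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\ndelete: ipaConfigString\n'
    printf 'ipaConfigString: enabledService\n-\n'
}

# Constructed sample values (the thread's own placeholders).
render_disable_ntp_ldif "ipa.example.com" "dc=example,dc=com"

# Assumed workflow: record the entry first, then apply as Directory Manager.
#   ldapsearch -x -D "cn=Directory Manager" -W -s base \
#       -b "$(ntp_service_dn ipa.example.com dc=example,dc=com)" ipaConfigString
#   render_disable_ntp_ldif ipa.example.com dc=example,dc=com |
#       ldapmodify -x -D "cn=Directory Manager" -W
```

Keeping the ldapsearch output gives a record of the entry's previous ipaConfigString values if the service needs to be re-enabled later.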

Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-14 Thread Brian Candler

On 12/12/2016 19:53, Rob Verduijn wrote:

> I've recently upgraded to centos 7.3.
> Didn't intend to so soon but should have checked the announce lists
> before launching my ansible update playbook.
>
> Most of my servers came through, and mostly also the ipa server.
> There were duplicate rpms and a failed rpm upgrade.
> After some yum magic the rpm duplicates were gone and all the updates
> installed.
>
> Manually running ipa-server-upgrade also seems to finish properly.
>
> However
> ipactl start keeps failing on the ntpd service.
> Not a big surprise since it's running chronyd.
>
> I now start the ipa server with 'ipactl start --ignore-service-failure'
>
> Is there a way to explain the script that it should check for chronyd
> instead of ntpd ?



Aside: I also have a use case for running without ntp.  I run freeipa 
inside an lxd container (*), so ntpd is running on the outer host, not 
in the container.


However unlike you, after upgrading to CentOS 7.3 / FreeIPA 4.4.0 inside 
the container I don't see any problem:


[root@ipa-2 ~]# ipactl stop
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@ipa-2 ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@ipa-2 ~]#

ntpd won't run inside the container, which is expected:

[root@ipa-2 ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-12-14 10:51:09 UTC; 2min 18s ago
  Process: 1357 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1358 (code=exited, status=255)

Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 4 eth0:1 10.0.0.149 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 5 lo ::1 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listen normally on 6 eth0 fe80::216:3eff:fef2:a083 UDP 123
Dec 14 10:51:08 ipa-2.int.cityfibre.com ntpd[1358]: Listening on routing socket on fd #23 for interface updates
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c016 06 restart
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec 14 10:51:09 ipa-2.int.cityfibre.com ntpd[1358]: 0.0.0.0 c011 01 freq_not_set
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: ntpd.service: main process exited, code=exited, status=255/n/a
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: Unit ntpd.service entered failed state.
Dec 14 10:51:09 ipa-2.int.cityfibre.com systemd[1]: ntpd.service failed.

But ipactl is not complaining, which is good. But I don't know why it 
works for me and not for you.


Anyway, I hope that for future reference this use case remains 
supported.  In a container environment like lxd or docker, you *cannot* 
run ntpd (but that doesn't mean the time isn't synced!)


Regards,

Brian.

(*) Aside: this makes snapshotting IPA a breeze.



[Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-12 Thread Rob Verduijn
Hello,

I've recently upgraded to centos 7.3.
Didn't intend to so soon but should have checked the announce lists before
launching my ansible update playbook.

Most of my servers came through, and mostly also the ipa server.
There were duplicate rpms and a failed rpm upgrade.
After some yum magic the rpm duplicates were gone and all the updates
installed.

Manually running ipa-server-upgrade also seems to finish properly.

However
ipactl start keeps failing on the ntpd service.
Not a big surprise since it's running chronyd.

I now start the ipa server with 'ipactl start --ignore-service-failure'

Is there a way to explain the script that it should check for chronyd
instead of ntpd ?

I also see this a lot in the logs:
dns_rdatatype_fromtext() failed for attribute
'idnsTemplateAttribute;cnamerecord': unknown class/type

Is that a serious error ?

Rob Verduijn