On Thu, Jul 1, 2021 at 9:34 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote:
Hi, this is a known selinux-policy issue, tracked at https://bugzilla.redhat.com/show_bug.cgi?id=1894132 https://bugzilla.redhat.com/show_bug.cgi?id=1894132 flo
On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote: > In a completely fresh install of freeipa-server, f34, my logs are filled with > > certmonger[5754]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock I get similar messages from certutil, certmonger and pk12util May 10 14:31:21 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18672]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:22 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18674]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:23 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18676]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:25 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18678]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:25 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18680]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:26 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18682]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:27 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18684]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:28 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> pk12util[18686]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:32 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> certutil[18688]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock May 10 14:31:35 registry1.1.quietfountain.com <http://registry1.1.quietfountain.com> pk12util[18700]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
<
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure <https://pagure.io/fedora-infrastructure>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
I think this might be the culprit in most recent CentOS updated packages:
sssd-client-2.4.0-9.el8_4.1.x86_64 sssd-common-2.4.0-9.el8_4.1.x86_64 sssd-common-pac-2.4.0-9.el8_4.1.x86_64 sssd-dbus-2.4.0-9.el8_4.1.x86_64 sssd-ipa-2.4.0-9.el8_4.1.x86_64 sssd-kcm-2.4.0-9.el8_4.1.x86_64 sssd-krb5-common-2.4.0-9.el8_4.1.x86_64 sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64 sssd-tools-2.4.0-9.el8_4.1.x86_64 389-ds-base-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
There have been several reports today of issues upgrading or installing IPA with Centos 8. It seems they are fixing downgrading 389-ds to 1.4.3.16-13 (instead fo 1.4.3.16-16).
HTH,
Rafael
389-ds-base-libs-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64 ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
which updates make existing IPAs upgrade and new installations fail. I too see: ... Stopped PKI Tomcat Server pki-tomcat. Starting PKI Tomcat Server pki-tomcat... usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock Started PKI Tomcat Server pki-tomcat. Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/jav>
main class used: org.apache.catalina.startup.Bootstrap flags used: -Dcom.redhat.fips=false options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.> arguments used: start .. ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po> ...skipping... ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url...
Above is from 'pki-tomcatd@pki-tomcat.service'
regards, L. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
-- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat