Hi all,
I'll keep a watch on the bugzilla.
For now; the upgrade succeeded and IPA is running perfectly. Thanks a
lot!
Winfried
-----Oorspronkelijk bericht-----
Van: Rob Crittenden via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org
Antwoord-naar: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
Aan: Winfried de Heiden <wdh(a)dds.nl>, FreeIPA users list
<
freeipa-users(a)lists.fedorahosted.org
Cc: Rob
Crittenden <rcritten(a)redhat.com
Onderwerp: [Freeipa-users] Re:
ipa-server-upgrade failed
Datum: Sun, 26 Jan 2020 22:08:25 -0500
Winfried de Heiden wrote:
Hi all,
Fixed it, thanks for the tip Rob :-)!Certmonger was to blame or my
rather slow Udooboard Celeron processor.Anyway, instead of hacking
the upgrade script, I modified thecertmonger.serivce file by adding a
180 secs (!!) sleep and extraTimeout: (The modified
certmonger.service was removed after the upgrade)
[Unit]Description=Certificate monitoring and PKI
enrollmentAfter=syslog.target network.target dbus.service
[Service]Type=dbusPIDFile=/var/run/certmonger.pidEnvironmentFile=-
/etc/sysconfig/certmongerExecStart=/usr/sbin/certmonger -S -p
/var/run/certmonger.pid -n $OPTSExecStartPost=/bin/sleep
180TimeoutSec=240BusName=org.fedorahosted.certmonger
Runing "ipa-server-upgrade" finished OK now. Certmonger takes itś
timewhen it's (restarted, some dogtag-ipa-ca-r(enew ?) processes
eating mostof the cpu:
top - 16:00:24 up 18:51, 3 users, load average: 2.41, 1.87,
1.37Tasks: 261 total, 6 running, 221 sleeping, 0 stopped, 34
zombie%Cpu0 : 90.2 us, 7.8 sy, 0.0 ni, 0.0 id, 0.0 wa, 1.6
hi, 0.3si, 0.0 st%Cpu1 : 92.4 us, 6.6 sy, 0.0 ni, 0.0 id, 0.0
wa, 1.0 hi, 0.0si, 0.0 st%Cpu2 : 95.1 us, 3.6 sy, 0.0 ni, 0.0
id, 0.0 wa, 1.3 hi, 0.0si, 0.0 st%Cpu3 : 88.6 us, 9.2 sy, 0.0
ni, 0.0 id, 0.0 wa, 1.3 hi, 1.0si, 0.0 stMiB Mem : 3847.2
total, 335.4 free, 2154.9 used, 1356.9 buff/cacheMiB
Swap: 3968.0 total, 3968.0 free, 0.0 used. 1452.0 avail
Mem
PID USER PR NI VIRT RES SHR
S %CPU %MEM TIME+COMMAND 21750
root 20 0 401244 85296 22612 R 85.9 2.2 0:13.36dogtag-
ipa-ca-r 21764
root 20 0 386700 72880 22508 R 78.4 1.8 0:06.93dogtag-
ipa-ca-r 21771
root 20 0 161788 27332 10812 R 74.5 0.7 0:03.65dogtag-
ipa-ca-r 21758
root 20 0 394512 78340 22436 R 67.3 2.0 0:10.65dogtag-
ipa-ca-r 21746
root 20 0 0 0 0 Z 51.6 0.0 0:15.36dogtag-
ipa-ca-r 21778
root 20 0 106004 1220 0
R 24.8 0.0 0:00.76certmonger
This seems like a new issue for me... Certainly, the Udoo x86 isn't
thefasted in the world, but was running IPA bravely the last year...
Am Ihitting the bug Rob mentioned? Is there a bug report somewhere
totrack... I'll like to see it fixed in CentOS 8.
It should be in 8.2 beta,
https://bugzilla.redhat.com/show_bug.cgi?id=1763745
"getcert list" showed
"/var/lib/ipa/private/httpd.key"
and"/var/lib/ipa/certs/httpd.crt" wating for PIN. Running "ipa-
getcertresubmit -i 20200126151811 -p /var/lib/ipa/passwds/ipa.xxx-
443-RSA"fixed it.
I can't explain that.
rob
> Winfried
> -----Oorspronkelijk bericht-----*Van*: Rob Crittenden <
> rcritten(a)redhat.com
> <mailto:Rob%20Crittenden%20%3crcritten@redhat.com%3e>>*Aan*: FreeIPA
> users list <freeipa-users(a)lists.fedorahosted.org
> <mailto:
> FreeIPA%20users%20list%20%3cfreeipa-users(a)lists.fedorahosted.org%3e>
> *Cc*: Winfried de Heiden <wdh(a)dds.nl
> <mailto:Winfried%20de%20Heiden%20%3cwdh@dds.nl%3e>>*Onderwerp*: Re:
> [Freeipa-users] Re: ipa-server-upgrade failed*Datum*: Sat, 25 Jan
> 2020 17:04:39 -0500
> Winfried de Heiden via FreeIPA-users wrote:
> > Hi all,
> > /var/lib/ipa/private/httpd.key was in a status "waiting for PIN",
> > but Idid brong is back to life using "ipa-getcert resubmit -i
> > 20200117075404-p /var/lib/ipa/passwds/xxxx-443-RSA. All certss look
> > fine now. "getcert list" works, although it's a bit slow the
first
> > time (runningon a Udoo x86 board with a celeron....)
> > Just to be shure about dbus, I restarted the entire machine; no
> > success. :-(
> > Timing issue and/or casued by my rather slow Udoo board.....?
>
> It is very possible. I fixed an issue in certmonger where every time
> it
> forked (and it forks a LOT) it closed ALL the fds it knew about. On
> containers this was 1M. It took a LONG time. The default is a more
> modest 1k but can still take a while given the amount of forks that
> certmonger does. This is fixed upstream, and I don't know of a
> workaround, but this can definitely lead to timeout issues if
> certmonger
> is being restarted immediately before this failure.
>
> To diagnose it see what the load on the system is and what processes
> are
> running. If you see dozens of certmonger processes with high load
> then
> that's probably it. You'd have to hack the update script to do a
> sleep
> to give things a chance to settle down.
>
> rob
>
> > Winfried
> >
> >
> >
> >
> > Rob Crittenden schreef op za 25-01-2020 om 14:53 [-0500]:
> > > Winfried de Heiden via FreeIPA-users wrote:
> > > > Hi all,
> > > > Using CentOS Linux release 8.1.1911 and the Stream
> > > > repositories,upgrading IPA fails:
> > > > ( Upgrade
> > > >
ipa-server-common-4.8.0-13.module_el8.1.0+265+e1e65be4.noarch@AppStream
> > > > Upgradedipa-server-common-4.8.0-
> > > > 11.module_el8.1.0+253+3b90c921.noarch @@System )
> > > > Running ipa-server-upgrade manually will result in:
> > > > [Upgrading CA schema]CA schema update complete (no
> > > > changes)[Verifying that CA audit signing cert has 2 year
> > > > validity][Update certmonger certificate renewal
> > > > configuration]Introspect error on
> > > > :1.417:/org/fedorahosted/certmonger:dbus.exceptions.DBusExcepti
> > > > on: org.freedesktop.DBus.Error.NoReply: Didnot receive a reply.
> > > > Possible causes include: the remote application didnot send a
> > > > reply, the message bus security policy blocked the reply,
> > > > thereply timeout expired, or the network connection was broken.
> > >
> > > I assume certmonger and dbus services are running?
> > > Does `getcert list` work?
> > > The dbus service sometimes isn't too fond of being restarted but
> > > youcould try that.
> > > rob
> >
> > _______________________________________________FreeIPA-users
> > mailing list -- freeipa-users(a)lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org
> >
To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct:
> >
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >
> > List Guidelines:
> >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >
> > List Archives:
> >
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >
> >
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...