Timing problems with FreeIPA installation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dogtag-pki (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
freeipa (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
While installing FreeIPA I came accross two situations that turned out to be timing problems. In both cases, the installation procedure was attempting to access the certificate server immediately after a restart, and the server was not listening.
The first one is at step 10 of "Configuring certificate server (pki_tomcatd)":
[10/28]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
ipa.ipapython.
The second is at step 25:
[25/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https:/
My solution was to add a delay at the top of the functions for those steps.
def __import_
+ ##=====
+ # Add wait time to allow certificate server to start up
+ #
+ time.sleep(10)
chain = self.__
...
def migrate_
"""Migrate profiles from filesystem to LDAP.
This must be run *after* switching to the LDAPProfileSubs
and restarting the CA.
The profile might already exist, e.g. if a replica was already
upgraded, so this case is ignored.
"""
+ ##=====
+ # Add wait time to allow certificate server to start up
+ #
+ time.sleep(20)
ensure_
It might be necessary to adjust the sleep time.
These bugs are intermittent and they may not appear at all. In my case, one KVM machine had no problems whatsoever while another had problems at the "migrate profiles ..." step. Both problems showed up on one Raspberry Pi. There were also time differences between runs. So, one needs to be _very_ patient.
This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1.
The RaspberryPi is a pi 2B
Status changed to 'Confirmed' because the bug affects multiple users.