tripleo

FreeIPA failed to connect LDAP server

Bug #1996684 reported by Amol Kahat
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Critical
Ronelle Landy
tripleo antelope-1

Bug Description

IPA Server failed to connect LDAP server while installation

  [17/30]: requesting RA certificate from CA
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "http://ipa.ooo.test:8080/ca/ee/ca//profileSubmit" replied: Unable to create enrollment request: Failed to connect LDAP server Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused)
Certificate issuance failed (CA_REJECTED: Server at "http://ipa.ooo.test:8080/ca/ee/ca//profileSubmit" replied: Unable to create enrollment request: Failed to connect LDAP server Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Logs
- https://logserver.rdoproject.org/69/41469/30/check/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/1fcd959/logs/supplemental/home/cloud-user/deploy_freeipa.log.txt.gz
- https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/e7193b5/logs/supplemental/home/cloud-user/deploy_freeipa.log.txt.gz
- https://logserver.rdoproject.org/69/41469/29/check/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/ce62ee4/logs/supplemental/home/cloud-user/deploy_freeipa.log.txt.gz
- https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/56e6bc85adc03809f07a6f5627b76798a0deef33/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/6cae939/logs/supplemental/var/log/ipaserver-install.log.txt.gz

Amol Kahat (amolkahat)
Changed in tripleo:
status: New → Invalid
importance: High → Low
tags: removed: ci promotion-blocker
Ronelle Landy (rlandy)
Changed in tripleo:
status: Invalid → Triaged
milestone: none → antelope-1
importance: Low → High
Revision history for this message
Ronelle Landy (rlandy) wrote :

https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/freeipa-setup/templates/deploy_freeipa.sh.j2#L60
and
https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/ipa-multinode/tasks/ipaserver-subnode-install.yml#L86

both run ' ipa-server-install' but with different options.

The multinode one does not fail intermittently like the OVB one.

tags: added: promotion-blocker
Changed in tripleo:
importance: High → Critical
Revision history for this message
Sandeep Yadav (sandeepyadav93) wrote :

Latest failure on master

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/23a8417/job-output.txt

~~~
2022-11-21 21:25:50.997134 | primary | TASK [freeipa-setup : Deploy FreeIPA] ******************************************
2022-11-21 21:25:50.997151 | primary | Monday 21 November 2022 21:25:50 -0500 (0:00:02.349) 0:05:17.157 *******
2022-11-21 21:31:01.705750 | primary | fatal: [supplemental]: FAILED! => {"changed": true, "cmd": "~cloud-user/deploy_freeipa.sh &> ~cloud-user/deploy_freeipa.log", "delta": "0:05:08.151002", "end": "2022-11-21 21:31:00.196060", "msg": "non-zero return code", "rc": 1, "start": "2022-11-21 21:25:52.045058", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
2022-11-21 21:31:01.707110 | primary |
~~~

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/23a8417/logs/supplemental/home/cloud-user/deploy_freeipa.log.txt.gz
~~~
  [17/30]: requesting RA certificate from CA
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Error 7 connecting to http://ipa.ooo.test:8080/ca/ee/ca//profileSubmit: Couldn't connect to server.)
Certificate issuance failed (CA_UNREACHABLE: Error 7 connecting to http://ipa.ooo.test:8080/ca/ee/ca//profileSubmit: Couldn't connect to server.)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
~~~~

Revision history for this message
Sandeep Yadav (sandeepyadav93) wrote :

Zed is also failing on the same error:

https://logserver.rdoproject.org/openstack-periodic-integration-zed-centos9/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-zed/7648fa0/logs/supplemental/home/cloud-user/deploy_freeipa.log.txt.gz

Revision history for this message
Ronelle Landy (rlandy) wrote :

Considering two jobs from one buildset:

Multinode-ipa job:

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-standalone-on-multinode-ipa-master/a783e4d/logs/38.102.83.198/var/log/extra/package-list-installed.txt.gz

fs064:

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/23a8417/logs/supplemental/var/log/extra/package-list-installed.txt.gz

Revision history for this message
Ronelle Landy (rlandy) wrote :

rpmlist diff of the same jobs above:

https://www.diffchecker.com/gFzb2RGA

Revision history for this message
Ade Lee (alee-3) wrote :

The issue appears to be OOM killer:

https://logserver.rdoproject.org/openstack-periodic-integration-main/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master/23a8417/logs/supplemental/var/log/extra/journal_errors.txt.gz

java is pki-ca (dogtag) and ns-ldap is directory server. Both are killed about the same time that the ipa installer fails to connect and bails out.

My guess is that multinode supplemental node is defined to be bigger.

Revision history for this message
Ronelle Landy (rlandy) wrote :

https://bugs.launchpad.net/tripleo/+bug/1997539 was merged. Watching to see if results improve here.

Changed in tripleo:
assignee: nobody → Ronelle Landy (rlandy)
Revision history for this message
Sandeep Yadav (sandeepyadav93) wrote :

As per fs039/64 build history, No more ipa deploy failure since [1] merged in last 24 hours, closing this bug for now.

[0]

~~~
https://review.rdoproject.org/zuul/builds?job_name=periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp-featureset035-master&skip=0
https://review.rdoproject.org/zuul/builds?job_name=periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp-featureset035-zed&skip=0
https://review.rdoproject.org/zuul/builds?job_name=periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-master&skip=0
https://review.rdoproject.org/zuul/builds?job_name=periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset064-zed&skip=0
~~~

[1] https://review.rdoproject.org/r/c/config/+/46173

Changed in tripleo:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.