On 3/9/21 10:59 AM, Antoine Gatineau via FreeIPA-users wrote:
I could rebuild my cluster from backup before the upgrade to CentOS
Stream.
So I'll be able to work from there.
On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote:
> Hello,
>
> I'm on freeipa 4.9.0 on CentOS Stream. (1 master and 1 replica)
> I have noticed that my replication is broken. Unfortunately, I don't know since when...
>
> First question, can it be fixed?
> Second question, is it possible to perform a restore (on one node, both nodes) to fix the issue?
> I recently upgraded from CentOS 8 to CentOS Stream (ipa with it). So can I restore from a previous version?
>
>
> Here are some snippets of what I see.
> $ sudo ipa-healthcheck
> Internal server error HTTPSConnectionPool(host='ipa-master-tmp.empire.lan', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa49f3df320>: Failed to establish a new connection: [Errno -2] Name or service not known',))
> [
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "66815b82-56d9-43a4-9035-78333c5cb5cd",
>     "when": "20210308162643Z",
>     "duration": "0.364202",
>     "kw": {
>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: ipa-master-tmp.empire.lan Port: 443"
>     }
>   },
Hi,
the above error can be ignored; it's a known issue:
https://pagure.io/freeipa/issue/8582
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "WARNING",
>     "uuid": "55addd45-6440-4317-8d0b-8eb0d516bd4e",
>     "when": "20210308162645Z",
>     "duration": "0.353734",
>     "kw": {
>       "key": "DSREPLLE0002",
>       "items": [
>         "Replication",
>         "Conflict Entries"
>       ],
>       "msg": "There were 6 conflict entries found under the replication suffix \"dc=empire,dc=lan\"."
>     }
>   }
> ]
>
Replication can be fixed, but the resolution depends on the current
situation.
- If there are conflict entries, it means that the same entry was
modified on 2 different servers and the replication isn't able to
reconcile the updates. In this case, the admin must manually fix the
conflict (which basically means choose which updates need to be applied
or dropped). See "Solving common replication conflicts" [1].
- If the replication doesn't propagate new entries from one server to
the other, then check "Troubleshooting Replication-Related Problems" [2].
The 2 above links are related to Red Hat Directory Server, which is the
LDAP server used by IPA, and may help you understand what's going on
behind the hood, but IPA provides its own commands to administer
replication agreements. The concepts are detailed in "Managing
Replication Topology" [3] and the command details are available with
# ipa help topology
HTH,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
[2] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> pki-tomcatd seems ok:
> $ sudo journalctl -u pki-tomcatd@pki-tomcat
> -- Logs begin at Mon 2021-03-08 17:24:39 CET, end at Mon 2021-03-08 17:35:01 CET. --
> Mar 08 17:25:01 ipa-master.empire.lan systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Mar 08 17:25:04 ipa-master.empire.lan java[1613]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-la>
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: main class used: org.apache.catalina.startup.Bootstrap
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: flags used: -Dcom.redhat.fips=false
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/>
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: arguments used: start
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in PKIConnection.__init__() has been deprecated (https>
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Created connection http://ipa-master.empire.lan:8080/ca
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Max retries exceeded>
> Mar 08 17:25:06 ipa-master.empire.lan java[1716]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> Mar 08 17:25:06 ipa-master.empire.lan server[1716]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
> Mar 08 17:25:07 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:09 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:11 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:12 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Success, subsystem ca is running!
> Mar 08 17:25:12 ipa-master.empire.lan systemd[1]: Started PKI Tomcat Server pki-tomcat.
>
> Best
> Antoine
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
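The thread above shows two things an operator has to do by hand with `ipa-healthcheck` output: set aside the CA-clone connectivity ERROR that flo identifies as a known issue, and read the conflict count out of the DSREPLLE0002 message so the replication conflicts get resolved. The script below is an added example for this thread, not code from either poster or from the FreeIPA project. It assumes only the JSON layout visible in the quoted output (a list of objects with "source", "check", "result" and "kw"); the SAMPLE input is constructed from the two quoted entries plus one made-up SUCCESS entry, and the `triage`/`report` names and the placeholder check name are the example's own.

```python
"""Triage ipa-healthcheck JSON output: suppress a known false positive and
surface replication conflicts (added example; not FreeIPA project code)."""
import json
import re

# Checks whose ERROR is a known false positive. The thread points at
# https://pagure.io/freeipa/issue/8582 for the CA clone test. Keyed by
# (source, check) so a different ERROR from the same source is still shown.
KNOWN_ISSUES = {
    ("pki.server.healthcheck.clones.connectivity_and_data",
     "ClonesConnectivyAndDataCheck"): "https://pagure.io/freeipa/issue/8582",
}

# Higher number = more urgent; an unknown result string sorts as most urgent.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Matches the DSREPLLE0002 message text quoted in the thread.
CONFLICT_RE = re.compile(
    r'There were (\d+) conflict entries found under the replication suffix "([^"]+)"')

# Constructed sample input: the two entries quoted in the thread plus a
# placeholder SUCCESS entry (hypothetical check name) for contrast.
SAMPLE = json.dumps([
    {"source": "pki.server.healthcheck.clones.connectivity_and_data",
     "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
     "uuid": "00000000-0000-0000-0000-000000000001",
     "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. "
                      "Host: ipa-master-tmp.empire.lan Port: 443"}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "WARNING", "uuid": "00000000-0000-0000-0000-000000000002",
     "kw": {"key": "DSREPLLE0002", "items": ["Replication", "Conflict Entries"],
            "msg": 'There were 6 conflict entries found under the replication '
                   'suffix "dc=empire,dc=lan".'}},
    {"source": "example.placeholder", "check": "PlaceholderCheck",
     "result": "SUCCESS", "uuid": "00000000-0000-0000-0000-000000000003",
     "kw": {}},
])


def triage(raw_json, known_issues=KNOWN_ISSUES):
    """Split healthcheck entries into (actionable, suppressed).

    actionable: non-SUCCESS findings, most severe first; DSREPLLE0002
    findings carry the parsed conflict count and replication suffix.
    suppressed: findings matched by known_issues, with the tracking URL.
    """
    actionable, suppressed = [], []
    for entry in json.loads(raw_json):
        kw = entry.get("kw", {})
        finding = {
            "source": entry.get("source"),
            "check": entry.get("check"),
            "result": entry.get("result"),
            "key": kw.get("key"),
            "msg": kw.get("msg") or kw.get("status"),
        }
        if finding["result"] == "SUCCESS":
            continue
        url = known_issues.get((finding["source"], finding["check"]))
        if url is not None:
            finding["known_issue"] = url
            suppressed.append(finding)
            continue
        if finding["key"] == "DSREPLLE0002":
            m = CONFLICT_RE.search(finding["msg"] or "")
            if m:
                finding["conflict_count"] = int(m.group(1))
                finding["suffix"] = m.group(2)
        actionable.append(finding)
    actionable.sort(key=lambda f: -SEVERITY.get(f["result"], 99))
    return actionable, suppressed


def report(raw_json, known_issues=KNOWN_ISSUES):
    """Print a one-line-per-finding summary and return an exit code a cron
    wrapper can use: 0 clean, 1 warnings only, 2 errors or worse."""
    actionable, suppressed = triage(raw_json, known_issues)
    for f in actionable:
        line = f"{f['result']:8} {f['check']}"
        if "conflict_count" in f:
            line += (f": {f['conflict_count']} conflict entries under "
                     f"{f['suffix']} (resolve manually on the LDAP side)")
        elif f["msg"]:
            line += f": {f['msg']}"
        print(line)
    for f in suppressed:
        print(f"IGNORED  {f['check']} (known issue {f['known_issue']})")
    worst = max((SEVERITY.get(f["result"], 99) for f in actionable), default=0)
    return 0 if worst == 0 else (1 if worst == 1 else 2)


if __name__ == "__main__":
    import sys
    # Pipe real output in (`ipa-healthcheck | python3 triage.py`); with no
    # stdin the constructed SAMPLE is used.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(report(data))
```

Keying the suppression list on (source, check) rather than on the check name alone keeps a genuinely new ERROR from the same source visible, and returning a non-zero code for warnings means the conflict-entry finding keeps nagging until the conflicts are actually resolved instead of being buried among suppressed known issues.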