On Thu, Jul 1, 2021 at 9:34 AM lejeczek via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote:
> Hi,
> this is a known selinux-policy issue, tracked at
> https://bugzilla.redhat.com/show_bug.cgi?id=1894132
> flo
>
> On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote:
> > In a completely fresh install of freeipa-server, f34, my logs are filled with
> >
> > certmonger[5754]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
>
> I get similar messages from certutil, certmonger and pk12util
>
> May 10 14:31:21 registry1.1.quietfountain.com certutil[18672]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:22 registry1.1.quietfountain.com certutil[18674]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:23 registry1.1.quietfountain.com certutil[18676]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:25 registry1.1.quietfountain.com certutil[18678]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:25 registry1.1.quietfountain.com certutil[18680]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:26 registry1.1.quietfountain.com certutil[18682]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:27 registry1.1.quietfountain.com certutil[18684]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:28 registry1.1.quietfountain.com pk12util[18686]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:32 registry1.1.quietfountain.com certutil[18688]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> May 10 14:31:35 registry1.1.quietfountain.com pk12util[18700]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
>
I think this might be the culprit in most recent CentOS
updated packages:
sssd-client-2.4.0-9.el8_4.1.x86_64
sssd-common-2.4.0-9.el8_4.1.x86_64
sssd-common-pac-2.4.0-9.el8_4.1.x86_64
sssd-dbus-2.4.0-9.el8_4.1.x86_64
sssd-ipa-2.4.0-9.el8_4.1.x86_64
sssd-kcm-2.4.0-9.el8_4.1.x86_64
sssd-krb5-common-2.4.0-9.el8_4.1.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64
sssd-tools-2.4.0-9.el8_4.1.x86_64
389-ds-base-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64

There have been several reports today of issues upgrading or installing IPA with CentOS 8.
It seems they are fixing it by downgrading 389-ds to 1.4.3.16-13 (instead of 1.4.3.16-16).

HTH,
Rafael

389-ds-base-libs-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
which updates make existing IPAs upgrade and new
installations fail. I too see:
...
Stopped PKI Tomcat Server pki-tomcat.
Starting PKI Tomcat Server pki-tomcat...
usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Started PKI Tomcat Server pki-tomcat.
Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/jav>
main class used: org.apache.catalina.startup.Bootstrap
flags used: -Dcom.redhat.fips=false
options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.>
arguments used: start
..
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po>
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po>
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='midway.ccn.am.priv.dom', po>
...skipping...
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url...
Above is from 'pki-tomcatd@pki-tomcat.service'
regards, L.
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat