CA-less container setup fails to upgrade after new docker image pull #276
Comments
After further investigation, the upgrade succeeds with the I tried to start a brand new master with
We've seen that certmonger problem for quite some time. It's been tracked as https://bugzilla.redhat.com/show_bug.cgi?id=1656519.
Is there a known workaround when this issue happens? My only option was to delete the replica completely and recreate it from scratch. Also, what is the role of certmonger in the case of a CA-less install like mine? I already provide a full chain pkcs12 to freeipa.
The fix for the https://bugzilla.redhat.com/show_bug.cgi?id=1656519 is in master (3d8437d) and in latest images. @jdel, could you please check if they fix the problem for you as well?
Hello, I will check and get back to you.
I have updated to use
Thanks. So you are back to having a working setup.
I have a couple of FreeIPA replicas running in containers and using local persistent disk for bind mounting /data. The servers are CoreOS stable, and are treated as ephemeral, they can be completely gone and respawned with the same disk and ignition configuration.
This strategy has been working out so far with a variety of containers but I am facing issues with FreeIPA.
The initial master is set up with:
The replicas with:
I only wish to use LDAP and the web ui with a wildcard cert bought online.
Everything works as intended until a new freeipa/freeipa-server:fedora-29 is pulled and the container restarted. The upgrade process kicks in and fails with:
From the code here I am still wondering why sed triggers as my /usr/share directory only contains a directory called ipa. Touching the missing file enables the upgrade process to continue.
So the upgrade kicks in and I can see a few upgrade complete messages before it all ends abruptly with:
The certmonger journal contains the following:
I also have to mention I am concerned about the tagging of the docker images for use outside of a test environment as already mentioned in #246, but I understand the difficulty you are facing.
The only way I can get a replica to work again after a docker image update is to delete the affected replica IPA from another standing master, delete the volume on disk and restart the replica from scratch, which is far from ideal, as it involves manual steps and does not appear very robust.
Could you assist with the troubleshooting and advise on potential solutions?
Thanks in advance