CA-less container setup fails to upgrade after new docker image pull #276
I have a couple of FreeIPA replicas running in containers and using local persistent disk for bind mounting.
The servers are CoreOS stable, and are treated as ephemeral; they can be completely gone and respawned with the same disk and ignition configuration.
This strategy has been working out so far with a variety of containers but I am facing issues with FreeIPA.
The initial master is set up with:
The replicas with:
I only wish to use LDAP and the web ui with a wildcard cert bought online.
The upgrade process kicks in and fails with:
From the code here I am still wondering why
Touching the missing file enables the upgrade process to continue.
So the upgrade kicks in and I can see a few upgrade complete messages before it all ends abruptly with:
The certmonger journal contains the following:
I also have to mention I am concerned about the tagging of the docker images for use outside of a test environment as already mentioned in #246, but I understand the difficulty you are facing.
The only way I can get a replica to work again after a docker image update is to delete the affected replica IPA from another standing master, delete the volume on disk and restart the replica from scratch, which is far from ideal, as it involves manual steps and does not appear very robust.
Could you assist with the troubleshooting and advise on potential solutions?
Thanks in advance
After further investigation, the upgrade succeeds with the
I tried to start a brand new master with
We've seen that certmonger problem for quite some time. It's been tracked as https://bugzilla.redhat.com/show_bug.cgi?id=1656519.
Is there a known workaround when this issue happens? My only option was to delete the replica completely and recreate it from scratch.
Also, what is the role of certmonger in the case of a CA-less install like mine? I already provide a full chain pkcs12 to freeipa.