FAQ
hi,


Can someone help debug why the ipa tests are failing when run inside a
VM ? ref:
https://ci.centos.org/view/AtomicApp/job/vagrant-libvirt-base/27/console


I've bumped machine resources to multiple cores and 4G of ram, but
afaict, its not failing due to running out of resources here.


seems to work fine when run in the same infra, but on the bare metal
machine. Which makes me think it might be network related ? this is the
same test running on the bare metal:
https://ci.centos.org/view/CentOS-Core-QA/job/CentOS-Core-QA-t_functional-c7-64/5/console




regards


--
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc

Search Discussions

  • Nico Kadel-Garcia at Jun 13, 2015 at 11:37 am

    On Sat, Jun 13, 2015 at 3:38 AM, Karanbir Singh wrote:
    hi,

    Can someone help debug why the ipa tests are failing when run inside a
    VM ? ref:
    https://ci.centos.org/view/AtomicApp/job/vagrant-libvirt-base/27/console

    I've bumped machine resources to multiple cores and 4G of ram, but
    afaict, its not failing due to running out of resources here.

    seems to work fine when run in the same infra, but on the bare metal
    machine. Which makes me think it might be network related ? this is the
    same test running on the bare metal:
    https://ci.centos.org/view/CentOS-Core-QA/job/CentOS-Core-QA-t_functional-c7-64/5/console


    regards

    Do the "bare metal" and the VM environment have the same OS image? I
    doubt it, especially with the error:


             Configuring certificate server (pki-tomcatd): Estimated time 3
    minutes 30 seconds


       [1/27]: creating certificate server user
       [2/27]: configuring certificate server instance
       [3/27]: stopping certificate server instance to update CS.cfg
       [4/27]: backing up CS.cfg
       [5/27]: disabling nonces
       [6/27]: set up CRL publishing
       [7/27]: enable PKIX certificate path discovery and validation
       [8/27]: starting certificate server instance
       [9/27]: creating RA agent certificate database
       [10/27]: importing CA chain to RA certificate database
       [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
    Connection refused
    Unable to retrieve CA chain: [Errno 111] Connection refused
    [+] Fri 12 Jun 17:42:54 EDT 2015 -> FAIL
    + exit 1


    That's hinting to me that it's failing to verify the CA chain, and
    *that* may be is sensitive to current members of the existing SSL
    setups for the build user. It may also be sensitive in this build
    environment to the locally configured FQDN, which does not normally
    match the system hostname of the build server. I've not taken apart
    the IPA particular packages, so can't offer much more help than that.


    I personally admit that I haven't found any use for IPA. Kerberos
    authentication, yes, but with only a few local users on most systems
    requiring account management, I've really seen no use for it. Frankly,
    in large environments, I find it much easier to use Kerberos for
    authentication, and a locked down central NIS server for account
    management. It's much lighter weight, it's much easier to slave, and
    it's much easier to keep the NIS accounts segregated from local system
    accounts on the NIS server itself by using alternative passwd and
    group files. It's *much* lighter weight, and closer to the models used
    by MIT when they published Kerberos.
  • Karanbir Singh at Jun 14, 2015 at 9:12 am

    On 13/06/15 12:37, Nico Kadel-Garcia wrote:
    Do the "bare metal" and the VM environment have the same OS image? I
    doubt it, especially with the error:

    the image and bare-metal install are identical. the only diff is that
    the VM has Kubernetes installed ahead of time, but as far as i can tell
    its not interfering with the networking part.


    - KB


    --
    Karanbir Singh
    +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
    GnuPG Key : http://www.karan.org/publickey.asc
  • Nico Kadel-Garcia at Jun 14, 2015 at 12:32 pm

    On Sun, Jun 14, 2015 at 5:12 AM, Karanbir Singh wrote:
    On 13/06/15 12:37, Nico Kadel-Garcia wrote:
    Do the "bare metal" and the VM environment have the same OS image? I
    doubt it, especially with the error:
    the image and bare-metal install are identical. the only diff is that
    the VM has Kubernetes installed ahead of time, but as far as i can tell
    its not interfering with the networking part.

    - KB

    Do they have the exact same versions of all packages, including
    dependencies that might by "yum" updated by the Kubernetes
    installation? Then the obvious test is to try a VM without Kubernetes
    installed ahead of time, and/or to instlal Kubernetes on the hardware
    platform and retest, isn't it?


    I'll also admit that this is the point where I seriously value having
    a PXE setup to allow me to re-install my hardware OS in a completely
    controlled fashion and return my hardware to a well defined original
    state. It can help ensure that even a casual "in passing change" is
    cleared away for fresh testing, and it's part of why I appreciate
    'mock' and similar tools lso much for providing clean build
    environments.
  • Jitse Klomp at Jun 15, 2015 at 1:23 pm

    On 06/13/2015 01:37 PM, Nico Kadel-Garcia wrote:
    On Sat, Jun 13, 2015 at 3:38 AM, Karanbir Singh wrote:
    hi,

    Can someone help debug why the ipa tests are failing when run inside a
    VM ? ref:
    https://ci.centos.org/view/AtomicApp/job/vagrant-libvirt-base/27/console

    I've bumped machine resources to multiple cores and 4G of ram, but
    afaict, its not failing due to running out of resources here.

    seems to work fine when run in the same infra, but on the bare metal
    machine. Which makes me think it might be network related ? this is the
    same test running on the bare metal:
    https://ci.centos.org/view/CentOS-Core-QA/job/CentOS-Core-QA-t_functional-c7-64/5/console


    regards
    Do the "bare metal" and the VM environment have the same OS image? I
    doubt it, especially with the error:

    Configuring certificate server (pki-tomcatd): Estimated time 3
    minutes 30 seconds

    [1/27]: creating certificate server user
    [2/27]: configuring certificate server instance
    [3/27]: stopping certificate server instance to update CS.cfg
    [4/27]: backing up CS.cfg
    [5/27]: disabling nonces
    [6/27]: set up CRL publishing
    [7/27]: enable PKIX certificate path discovery and validation
    [8/27]: starting certificate server instance
    [9/27]: creating RA agent certificate database
    [10/27]: importing CA chain to RA certificate database
    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
    Connection refused
    Unable to retrieve CA chain: [Errno 111] Connection refused
    [+] Fri 12 Jun 17:42:54 EDT 2015 -> FAIL
    + exit 1

    That's hinting to me that it's failing to verify the CA chain, and
    *that* may be is sensitive to current members of the existing SSL
    setups for the build user. It may also be sensitive in this build
    environment to the locally configured FQDN, which does not normally
    match the system hostname of the build server. I've not taken apart
    the IPA particular packages, so can't offer much more help than that.

    Can you post the contents of /var/log/ipaserver-install.log?


       - Jitse

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcentos-devel @
categoriescentos
postedJun 13, '15 at 7:38a
activeJun 15, '15 at 1:23p
posts5
users4
websitecentos.org
irc#centos

People

Translate

site design / logo © 2021 Grokbase