[Freeipa-users] PKI-CAD couldn't start

Schmitt, Christian c.schmitt at briefdomain.de
Sat Jul 13 13:23:24 UTC 2013 

btw. it was a new 'test' install.
So it wasn't an issue by making a new install.
The certs wasn't expired, and as said it couldn't get too far, but the
initscript didn't changed. i diff'd every config file of pki-ca.
i also tried to reproduce it on a second test machine, by shutting it down
and up some times on vmware esxi.

Btw. I only did a maintance mode on vmware esxi installed a new driver (an
intel driver for networking) then i stopped the maintance mode, and
shutdown the whole hypervisor.
Two machines were shutdown correct, but i think the ipa server didn't he
stucked by shutting down pki-ca (btw. this step takes a long time even when
rebooting from a shell)

then after the reboot of the hypervisor, the two other vm's started
correctly. only the ipa machine took a long time to be turned on. (btw. the
time was in sync)
but i didn't change any config file or init.d file. it was a clean install
where i only added groups / users and changed some dns things and added 2
hosts.

machine was / is a totally standard machine 2 intel nics, 4 harddrives, 1
processors e5 didn't know the correct spec, so nothing special.
the ipa machine was as already said a CentOS 6.4 with IdM and an ntp server
(btw. the config files say on virtual machines you shouldn't do this, but
since we have no chance to run any ntp outside of a vm we need to do it)
I think the problem caused by a ungraceful shutdown of the Idenity
Management. While it tried to shutdown PKI-CA.

As said even on a second test VM i couldn't reproduce it since i've always
shutdown correctly. never tried to shutdown the hypervisor off again.
But I can do it on monday.
I've also taken a look into catalina.out but there was only a socket error.
nothing that has something to do with the grep command.

I think the problem got caused by a chain of really bad steps that and i
was really unhappy to reach this kind of things.
i don't think the problem will getting reporduced that easily.

but still thanks for your help. maybe i just need to be more careful.



2013/7/12 Rob Crittenden <rcritten at redhat.com>

> Nathan Kinder wrote:
>
>> On 07/12/2013 01:58 PM, Dmitri Pal wrote:
>>
>>> On 07/12/2013 05:18 AM, natxo asenjo wrote:
>>>
>>>> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>>>>
>>>>  I can't start the IPA Service with service ipa start after an reboot.
>>>>> It fails on the pki-cad service, that only outputs
>>>>> 'grep --help' gives you more information.
>>>>>
>>>>> I'm really not sure whats the correct error and how to restart ipa now.
>>>>>
>>>> logs? look in /var/log/dirsrv/slapd-PKI-{**yourinstancename}/ , the
>>>> answer should be in one of the files in there.
>>>>
>>>>  This is a DS log, you need to look into the PKI-CA log. Unfortunately I
>>> do not recall its location from top of my head.
>>>
>> We need to see if /var/log/pki-ca/catalina.out gives any clues when the
>> startup fails.
>>
>
> I wonder if it is even getting that far. If it is failing with grep usage
> then I wonder if something is missing that the init script is looking for.
>
> rob
>
>
> ______________________________**_________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130713/9c1c62f2/attachment.htm>

More information about the Freeipa-users mailing list