[CentOS-devel] help with the IPA tests

Sat Jun 13 11:37:55 UTC 2015
Nico Kadel-Garcia <nkadel at gmail.com>

On Sat, Jun 13, 2015 at 3:38 AM, Karanbir Singh <kbsingh at centos.org> wrote:
> hi,
>
> Can someone help debug why the ipa tests are failing when run inside a
> VM ? ref:
> https://ci.centos.org/view/AtomicApp/job/vagrant-libvirt-base/27/console
>
> I've bumped machine resources to multiple cores and 4G of ram, but
> afaict, it's not failing due to running out of resources here.
>
> seems to work fine when run in the same infra, but on the bare metal
> machine. Which makes me think it might be network related ? this is the
> same test running on the bare metal:
> https://ci.centos.org/view/CentOS-Core-QA/job/CentOS-Core-QA-t_functional-c7-64/5/console
>
>
> regards

Do the "bare metal" and the VM environment have the same OS image? I
doubt it, especially with the error:

        Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds

  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Unable to retrieve CA chain: [Errno 111] Connection refused
[+] Fri 12 Jun 17:42:54 EDT 2015 -> FAIL
+ exit 1

That's hinting to me that it's failing to verify the CA chain, and
*that* may be sensitive to current members of the existing SSL
setups for the build user. It may also be sensitive in this build
environment to the locally configured FQDN, which does not normally
match the system hostname of the build server. I've not taken apart
the IPA particular packages, so can't offer much more help than that.

I personally admit that I haven't found any use for IPA. Kerberos
authentication, yes, but with only a few local users on most systems
requiring account management, I've really seen no use for it. Frankly,
in large environments, I find it much easier to use Kerberos for
authentication, and a locked down central NIS server for account
management. It's much lighter weight, it's much easier to slave, and
it's much easier to keep the NIS accounts segregated from local system
accounts on the NIS server itself by using alternative passwd and
group files. It's *much* lighter weight, and closer to the models used
by MIT when they published Kerberos.
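
An added example, not part of the original message or of the IPA code: a small Python check that separates the failure modes raised in this thread, labelling a connection attempt as refused at TCP level, failed at certificate verification, or failed at name resolution, and comparing the configured hostname with its FQDN. The function names, labels and the sample target are assumptions made for illustration.

```python
import errno
import socket
import ssl


def classify_connect(host, port, use_tls=False, timeout=3.0):
    """Label the outcome of connecting to host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "name-resolution-failed"
    except ConnectionRefusedError:
        # errno 111 (ECONNREFUSED): nothing accepted the TCP connection,
        # so no TLS handshake or certificate check took place.
        return "refused"
    except OSError as exc:
        return "os-error:" + errno.errorcode.get(exc.errno, "unknown")
    with sock:
        if not use_tls:
            return "ok"
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
        except ssl.SSLCertVerificationError as exc:
            return "cert-verify-failed:" + exc.verify_message
        except OSError:  # ssl.SSLError is an OSError subclass
            return "tls-error"


def hostname_consistency(hostname=None, resolve=socket.gethostbyname_ex,
                         getfqdn=socket.getfqdn):
    """Return (fqdn, problems) for the hostname the host believes it has."""
    hostname = hostname or socket.gethostname()
    fqdn = getfqdn(hostname)
    problems = []
    if fqdn != hostname:
        problems.append("hostname-differs-from-fqdn")
    try:
        resolve(fqdn)
    except socket.gaierror:
        problems.append("fqdn-unresolvable")
    return fqdn, problems


if __name__ == "__main__":
    # Constructed target: 127.0.0.1:9 is a placeholder, not the IPA CA port.
    print(classify_connect("127.0.0.1", 9))
    print(hostname_consistency())
```

Run it on both the VM and the bare-metal host against the same endpoint and compare the labels the two report.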