FreeIPA container on services image crashes

[cockpituous]

The job fedora-41/updates-testing failed on commit bf6b816.

Log: https://cockpit-logs.us-east-1.linodeobjects.com/pull-0-bf6b816d-20250129-013124-fedora-41-updates-testing/log.html

[martinpitt]

We've had this problem with the previous services image refresh, see cockpit-project/bots#7350 . My theory is now that the pre-generated /data directory is only valid for one or two days, and then something expires that makes the container want to regenerate something expensive, or crashes on something it considers too old.

[martinpitt]

I don't have the old services image on my laptop any more either. We could try and pin the tag to centos-9-stream-4.12.0. There's no slightly newer version around any more.

Merely starting the container and waiting for "FreeIPA server started." triggers the crash:

# podman exec -it freeipa systemctl --failed
  UNIT                       LOAD   ACTIVE SUB    DESCRIPTION                      
● dirsrv@COCKPIT-LAN.service loaded failed failed 389 Directory Server COCKPIT-LAN.

# podman exec -it freeipa systemctl status dirsrv@COCKPIT-LAN.service
× dirsrv@COCKPIT-LAN.service - 389 Directory Server COCKPIT-LAN.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
             └─custom.conf
             /data/etc/systemd/system/dirsrv@COCKPIT-LAN.service.d
             └─ipa-env.conf
     Active: failed (Result: core-dump) since Wed 2025-01-29 07:49:28 UTC; 57s ago
   Duration: 31.966s
    Process: 148 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-COCKPIT-LAN/dse.ldif (code=exited, status=0/SUCCESS)
    Process: 153 ExecStartPre=/usr/libexec/dirsrv/ds_selinux_restorecon.sh /etc/dirsrv/slapd-COCKPIT-LAN/dse.ldif (code=exited, status=0/SUCCESS)
    Process: 158 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-COCKPIT-LAN -i /run/dirsrv/slapd-COCKPIT-LAN.pid (code=dumped, signal=SEGV)
   Main PID: 158 (code=dumped, signal=SEGV)
     Status: "slapd started: Ready to process requests"
        CPU: 2.170s

Jan 29 07:48:56 f0.cockpit.lan ns-slapd[158]: [29/Jan/2025:07:48:56.107940754 +0000] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
Jan 29 07:48:56 f0.cockpit.lan ns-slapd[158]: [29/Jan/2025:07:48:56.131173566 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 29 07:48:56 f0.cockpit.lan ns-slapd[158]: [29/Jan/2025:07:48:56.135474608 +0000] - INFO - slapd_daemon - Listening on /run/slapd-COCKPIT-LAN.socket for LDAPI requests
Jan 29 07:48:56 f0.cockpit.lan systemd[1]: Started 389 Directory Server COCKPIT-LAN..
Jan 29 07:49:00 f0.cockpit.lan ns-slapd[158]: [29/Jan/2025:07:49:00.939879499 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=cockpit,dc=lan
Jan 29 07:49:00 f0.cockpit.lan ns-slapd[158]: [29/Jan/2025:07:49:00.947313349 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=cockpit,dc=lan
Jan 29 07:49:00 f0.cockpit.lan ns-slapd[158]: [29/Jan/2025:07:49:00.948034746 +0000] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 29 07:49:28 f0.cockpit.lan systemd[1]: dirsrv@COCKPIT-LAN.service: Main process exited, code=dumped, status=11/SEGV
Jan 29 07:49:28 f0.cockpit.lan systemd[1]: dirsrv@COCKPIT-LAN.service: Failed with result 'core-dump'.
Jan 29 07:49:28 f0.cockpit.lan systemd[1]: dirsrv@COCKPIT-LAN.service: Consumed 2.170s CPU time.

and you can't authenticate even, or it crashes during some other command:

# podman exec -it freeipa sh -exc 'echo foobarfoo | kinit -f admin; ipa user-find'
+ echo foobarfoo
+ kinit -f admin
kinit: Generic error (see e-text) while getting initial credentials

[martinpitt]

I reported this to https://issues.redhat.com/browse/RHEL-76748

[martinpitt]

Worked around in cockpit-project/bots#7367