IFS Cloud with RAC - iam issue

Interesting, we tested ExaData (is RAC) a while back with no issues. Have you set any of these flags  (ENLIST=false; HA EVENTS=false; LOAD BALANCING=false; ) in your connection jdbcurl?
What type of connection to the RAC do you use?
...can you send your jdbcurl as defined in your ifscloud-values.yaml? 

The log you have sent is from the Linkerd container in the ifsapp-iam pod - seems it’s just a warning.
Can you send the error from the ifsapp-iam container as well?


After you sent the log of the error in the iam container (i’m interested to see what happens there) try this:

ifscore:
  networkpolicy:
    enabled: true
    dbEgress: |
      - to:
        - ipBlock:
            cidr: 10.1.96.76/24
        ports:
        - port: 1521
        - port: 6200

Where the cidr matches your ip range of your RAC nodes.
 

Hi ​@hhanse 

I tried to use ENLIST=false; HA EVENTS=false; LOAD BALANCING=false; 

Did not help.

In case of using RAC and SCAN service we had to disable networkpolicy to be able to connect via hostname.

last conn string 

data: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=pdb))(ENLIST=FALSE)(HA_EVENTS=FALSE)(LOAD_BALANCING=FALSE))

also I attached logs. 

I changed hostnames in conn string and logs. 

Hi,

The iam logs are so verbose i can’t see any errors in it. - can you?
Can you disable debug level, and do a “mtctl stop -n <namespace>”
when pods are down start them again “mtctl start -n <namespace>”
When the pods are as stable that will get (IAM not up then?) do a 
“mtctl dump  -n <namespace>” 

Send the dump to me (mailed my mail address to you earlier)
 

​@hhanse 

Hi, I disable debug for iam pod. 

Here is the last part from log before container restarts:

Updating service account users of the clients with service account enabled...
Service account found - service-account-ifs_aurena_native_services
Service account found - service-account-ifs_boomi
Service account found - service-account-ifs_ce_sso
Service account found - service-account-ifs_connect
Service account found - service-account-ifs_docman_esign
Service account found - service-account-ifs_dss
Service account found - service-account-ifs_filestorage
Service account found - service-account-ifs_reporting
Service account found - service-account-ifs_scim
ERROR: Unable to setup realm

Failed to import using keycloak-config-cli Restarting ifsapp-iam container
./start_script.sh: line 7:    41 Killed                  $script
************* Diagnostic traces ***************
dmesg: klogctl: Operation not permitted

Not sure that this is RAC related at all… 
Do you have and users or idp’s configured in you env yet?
If not - I think you should try to empty the ifsiamsys db schema first and restart IAM pod after that.



 

Hi ​@hhanse 

I tried to empty the IFSIAMSYS schema, but it had no effect.
This is a new customer and a fresh installation from Build Home.
As I see it, the problem is that IFSIAM could not import the realm using keycloak-config-cli…

I have attached the full log from the container without debug mode.

From you log:
{"timestamp":"2025-02-11T13:09:12.932865347Z","sequence":207,"loggerClassName":"org.jboss.logmanager.Logger","loggerName":"oracle.simplefan.FanManager","level":"SEVERE","message":"attempt to configure ONS in FanManager failed with oracle.ons.NoServersAvailable: Server time out","threadName":"agroal-21","threadId":36,"mdc":{},"ndc":"","hostName":"ifsapp-iam-b79d6c8fc-7sp84","processName":"quarkus-run.jar","processId":79}


Can you remove the ONS (Oracle Notification Service) and FAN (Fast Application Notification) from the RAC cluster?

ONS (Oracle Notification Service) and FAN (Fast Application Notification) from the RAC cluster?

What would be commands we can use to remove ONS and FAN?

Thanks

IFS Cloud integrated with Oracle RAC or ODA has not yet been tested by our R&D. Consequently, it is too early to ascertain its functionality. This matter has already been reported to R&D, and we are awaiting their response. Thanks for your patience. We will share an update soon.