#1107 IPA Replica Install Hangs if DS port is unreachable by Master Server
Closed: Fixed None Opened 13 years ago by rcritten.

If the IPA replica's DS port is unreachable (PKI-CA instance), the replica
install will hang attempting to initialize the replication agreement.

Install attempt with Replica's Firewall running:

# ipa-replica-install -p Secret123 /dev/shm/replica-info-dhcp-100-19-174.testrelm.gpg
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: restarting certificate server
  [4/13]: configuring certificate server instance

DS error log:

Last entry:

[18/Mar/2011:09:46:10 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-dhcp-100-19-174.testrelm-pki-ca" (dhcp-100-19-174:7389): Replica has a different generation ID than the local data.

After subsequently stopping the replica's firewall, the DS error log gets flooded
with the above message.

https://bugzilla.redhat.com/show_bug.cgi?id=688925


The function that checks for open ports implemented in #1076 could be called in ipa-replica-install to fix this.

I was able to reproduce the problem, but there is a question of realizing a repair. How can we detect in the replica installer that a port is not allowed from the outside?

Right, I saw the same thing. What we'd have to do is check when doing ipa-replica-prepare and warn which ports to open. The trick is properly identifying which ports are not available due to firewall and which are simply not running services. I played around with the different error messages you receive from a default firewall rejection vs the service not running on the port. This seems rather fragile.

Another option is to write a small daemon in python that listens on 389, 9180, etc. then makes an HTTP call to the IPA master which runs an unauthenticated python-wsgi app to try to connect to each of those ports. This would be done early on in the installation process.
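A port-classification check along the lines of the discussion above, added here as an example (not FreeIPA's own code): it distinguishes a port that answers with a TCP reset (service not running) from one that gives no answer or an ICMP unreachable (typical firewall rule). The port table and the local listener helper are constructed for illustration.

```python
import errno
import socket
from contextlib import closing

# Constructed table of the replica ports mentioned in this ticket (not the
# installer's own list): 389 = DS, 7389 = PKI-CA DS, 9180 = pki-ca.
REPLICA_PORTS = {389: "directory server", 7389: "pki-ca directory server", 9180: "pki-ca"}


def probe_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for host:port over TCP.

    closed   -> TCP RST (ECONNREFUSED): nothing listening, but the packet reached
                the host, so no firewall is in the way.
    filtered -> no answer before the timeout (firewall DROP) or host/network
                unreachable (iptables REJECT with the default icmp-host-prohibited).
    Caveat: REJECT --reject-with tcp-reset also yields ECONNREFUSED, so a
    refusal cannot always be told apart from a firewall, as the comment notes.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return "closed"
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise
    return "open"


def check_replica_ports(host, ports=REPLICA_PORTS, timeout=3.0):
    """Probe each replica port from the master's side; return the per-port
    status and the sorted list of ports that look blocked by a firewall."""
    status = {port: probe_port(host, port, timeout) for port in ports}
    blocked = sorted(p for p, s in status.items() if s == "filtered")
    return status, blocked


def local_listener():
    """Constructed helper: listen on an ephemeral 127.0.0.1 port so the
    'open' and 'closed' cases can be exercised without any network."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print(port, probe_port("127.0.0.1", port))  # open
    srv.close()
    print(port, probe_port("127.0.0.1", port))  # closed
```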

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1 - 2011/05
