If the IPA replica's DS port is unreachable (PKI-CA instance), the replica install will hang attempting to initialize the replication agreement.
Install attempt with Replica's Firewall running:
# ipa-replica-install -p Secret123 /dev/shm/replica-info-dhcp-100-19-174.testrelm.gpg
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: restarting certificate server
  [4/13]: configuring certificate server instance
DS error log:
Last entry:
[18/Mar/2011:09:46:10 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-dhcp-100-19-174.testrelm-pki-ca" (dhcp-100-19-174:7389): Replica has a different generation ID than the local data.
After the replica's firewall is subsequently stopped, the DS errors log is flooded with the above message.
https://bugzilla.redhat.com/show_bug.cgi?id=688925
The function that checks for open ports, implemented in #1076, could be called in ipa-replica-install to fix this.
I was able to reproduce the problem, but there is a question of realizing a repair. How can we detect in the replica installer that a port is not allowed from the outside?
Right, I saw the same thing. What we'd have to do is check when doing ipa-replica-prepare and warn which ports to open. The trick is properly identifying which ports are not available due to firewall and which are simply not running services. I played around with the different error messages you receive from a default firewall rejection vs the service not running on the port. This seems rather fragile.
Another option is to write a small daemon in python that listens on 389, 9180, etc. then makes an HTTP call to the IPA master which runs an unauthenticated python-wsgi app to try to connect to each of those ports. This would be done early on in the installation process.
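A minimal version of the port-state check the comments above debate, added here as an example and not FreeIPA's own code: it separates a refused connection (nothing listening) from a dropped one (firewall), and shows why the stock REJECT rule blurs that line. The port list and the loopback demonstration are assumptions for illustration.

```python
import errno
import socket

# Ports named on this ticket: 389 (LDAP), 7389 (PKI-CA DS), 9180 (CA).
REPLICA_PORTS = (389, 7389, 9180)


def classify_port(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # SYN-ACK: a service is listening
    except socket.timeout:
        return "filtered"          # no reply at all: typical DROP rule
    except ConnectionRefusedError:
        return "closed"            # RST: host is up, nothing listening
    except OSError as e:
        # A REJECT rule using icmp-host-prohibited (as in the stock RHEL
        # iptables rules) surfaces as EHOSTUNREACH, indistinguishable from
        # a real routing failure; this is the fragility noted above.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def check_replica_ports(host, ports=REPLICA_PORTS, timeout=3.0):
    """Map each port to its state and list those the admin must open."""
    states = {p: classify_port(host, p, timeout) for p in ports}
    blocked = sorted(p for p, st in states.items()
                     if st in ("filtered", "unreachable"))
    return states, blocked


def local_listener():
    """Listening socket on an ephemeral loopback port (demo helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print(port, classify_port("127.0.0.1", port))   # open
    srv.close()
    print(port, classify_port("127.0.0.1", port))   # closed
```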
master: 241ee33
Related freeipa-devel design discussion: http://www.redhat.com/archives/freeipa-devel/2011-May/msg00186.html
Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1 - 2011/05