#5306 ipa-replica-prepare requests explicit reverse zone configuration in RHEL
Closed: Fixed None Opened 8 years ago by ofayans.

ipa-replica-prepare in the RHEL version of the ipa-server package behaves differently from that in Fedora.
The command

ipa-replica-prepare -p '<admin_password>' --ip-address=<replica-ip> <replica-hostname>

under Fedora starts the preparation of the replica gpg file, while in RHEL it presents an additional prompt:

Do you want to configure the reverse zone? [yes]:

This breaks the upstream tests. As a workaround I added a '--no-reverse' option to the 'install_replica' method https://www.redhat.com/archives/freeipa-devel/2015-August/msg00484.html, but this may have unexpected consequences in tests that do require correct reverse zone configuration, so I'd like to have the initial problem resolved and the workaround removed.
ipa-server versions affected:

  • ipa-server-4.2.0-8.el7.x86_64
  • ipa-server-4.2.0-9.el7.x86_64

And I can try to track when this behavior was introduced by testing earlier versions.


Oleg, could you check or send me (privately) the content/output of the following files/commands from both RHEL and Fedora just before running ipa-replica-prepare:

  • /etc/hosts
  • ipa dnszone-find
  • ip a
  • hostname of future replica

I suspect that there is some difference and therefore it behaves differently.

ipa-server-3.3.3-28.el7.x86_64 is not affected

So, my understanding of the problem is as follows:
In both 'working' and 'non-working' cases the IP of the replica is from a different subnet than the master's:

  • master1: 10.40.128.108/20
  • master2: 10.40.128.112/20
  • replica: 10.34.35.80/22

With both masters I provided a DNS forwarder from the replica's subnet during the installation. The 'working' master configured the reverse zone automatically during the installation, so when adding a replica, it did not require configuring this zone again.
The non-working master, however, did not configure the reverse zone for the DNS forwarder during installation, so it did request zone configuration during replica-prepare. The problem with our tests is that they were developed in an environment where all masters and replicas are in the same subnet, so this issue just did not arise.
The problem itself is not a big deal: it's ok to ask admin to configure reverse zone.
The biggest question now is how do we tweak our tests to survive this situation.

master:

  • 03d696f Added a proper workaround for dnssec test failures in Beaker environment

ipa-4-2:

  • c898c96 Added a proper workaround for dnssec test failures in Beaker environment

The function {{{get_reverse_zone_default}}} is not defined/imported on ipa-4-2 branch. This breaks the build.

ipa-4-2:

  • e7a33b7 Fix import get_reverse_zone_default in tasks

Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2.2

7 years ago
