#5813 ipa-kra-install disrupts bind-dyndb-ldap
Closed: fixed 6 years ago Opened 8 years ago by cheimes.

While I was working on my Ansible playbook for FreeIPA, I noticed a problem with DNS. Sometimes ipa-client-install does not create some PTR records for clients although the playbook enables sync PTR with ipa dnsconfig-mod --allow-sync-ptr=TRUE. With some assistance from Petr I was able to track down the cause of the issue.

The playbook installs KRA with ipa-kra-install directly after ipa-server-install. ipa-client-install runs shortly after ipa-kra-install. During installation of KRA, Dogtag restarts 389-DS. This causes bind-dyndb-ldap to lose its connection to LDAP. bind-dyndb-ldap waits 60 seconds before it attempts to reconnect. When ipa-client-install creates the A record within the 60-second window, bind-dyndb-ldap seems to skip PTR sync. (Petr: Is my assumption correct?)

For now my playbook has a simple workaround for the issue: I restart named after ipa-kra-install and wait until named serves 53/TCP. The problem should be fixed in a more general way, though. Is it possible to notify named about a 389-DS restart, e.g. with some systemd magic?
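The workaround described in the report, written out as an added shell example (this is not the reporter's playbook and not FreeIPA code): restart BIND after ipa-kra-install and block until it answers on 53/TCP again, so that client enrollment does not run while bind-dyndb-ldap is still inside its reconnect window. It assumes the BIND unit is called named-pkcs11 (the name used in the fix commits), that bash, systemctl and GNU coreutils timeout are available, and that the DNS server is reached over loopback unless a host is given.

```shell
#!/bin/bash
# Added example, not the ticket's playbook: restart named-pkcs11 after
# ipa-kra-install and wait until the resolver accepts TCP connections on 53.
# Assumptions: unit name named-pkcs11, bash (/dev/tcp), GNU timeout present.

# wait_for_tcp_port HOST PORT [TIMEOUT_SECONDS]
# Polls once per second. Returns 0 as soon as a TCP connect succeeds,
# 1 if the port is still closed when the timeout (default 120 s) expires.
wait_for_tcp_port() {
    host=$1
    port=$2
    deadline=$(( $(date +%s) + ${3:-120} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        # bash's /dev/tcp pseudo-device performs the connect; timeout caps the
        # attempt so a filtered port cannot stall the loop indefinitely.
        if command -v timeout >/dev/null 2>&1; then
            timeout 2 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null && return 0
        else
            bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null && return 0
        fi
        sleep 1
    done
    return 1
}

# restart_named_and_wait [HOST]
# Restarts BIND and only returns success once 53/TCP answers again, which is
# the point at which ipa-client-install can safely be run on the clients.
restart_named_and_wait() {
    host=${1:-127.0.0.1}
    systemctl restart named-pkcs11 || return 1
    if ! wait_for_tcp_port "$host" 53 120; then
        echo "named did not come back on ${host}:53 within 120 s" >&2
        return 1
    fi
    echo "named is serving ${host}:53 again"
}

# Run the workaround only when invoked as: ./restart-named.sh run [HOST]
# (nothing happens when the file is merely sourced).
if [ "${1:-}" = run ]; then
    restart_named_and_wait "${2:-127.0.0.1}"
fi
```

In a playbook the same two steps map onto a service restart task followed by a port wait; the important part is that the wait checks the port BIND actually serves, not merely that the unit reports active, because the unit is up long before bind-dyndb-ldap has re-established its LDAP connection.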


My question is: Does KRA really need to restart DS?

I don't know. pkispawn doesn't restart DS. It's ipaserver.install.ipa_kra_install that restarts DS twice.

If the restart is necessary, would it make sense to restart all IPA services to prevent possible similar issues in other components?

For now I agree. Let's see what happens when we containerize more things.

pv: I would restart whole IPA at the end of ipa-kra-install to prevent possible other issues in different components. If that then 4.4 (assuming one command at the end of installer)

mbasti: would be nice to check if DS restart is really needed, might be safer to restart whole IPA, but I don't think that KRA install actually needs to restart DS 3 times

This ticket is out of scope of 4.4.0 release. Moving to 4.4.1. Note that 4.4.1 needs to be triaged, therefore not everything will be implemented.

Moving out tickets not implemented in 4.4.1.

4.4.2 is a stabilization milestone. If this bug is an important stabilization bug, then please put it to the NEEDS TRIAGE milestone for retriage.

Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1522 (was: 0)
- Issue assigned to cheimes (was: someone)
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.5 backlog)

6 years ago

master:

  • 40ac815 Restart named-pkcs11 after KRA installation

ipa-4-6:

  • 4f12c7d Restart named-pkcs11 after KRA installation

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
