#6522 ipa-replica-conncheck should check for open ports on all IPs resolved from hostname
Closed: Fixed None Opened 7 years ago by tkrizek.

If hostname is provided to ipa-replica-conncheck, the conncheck will resolve this hostname to an IP address and then check if ports are open. However, if the hostname resolves to multiple IPs, it is sufficient to have each port open on at least one of the IP addresses.

This can result in a weird behavior when some subset of ports are reachable on IPv4 and some other subset of ports are reachable only on IPv6.

I propose that if a hostname is provided to conncheck, ALL ports MUST be reachable on ALL IPs that are resolved from that hostname.


I certainly support this. We have --skip-conncheck option in installers for super-special cases (I cannot think of any).

master:

  • a24cd01 ipautil: check for open ports on all resolved IPs

Metadata Update from @tkrizek:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5

7 years ago
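
The difference between the "at least one IP" result described in the ticket and the proposed "all ports on all IPs" rule, as an added example (this is not FreeIPA's ipautil code). The host name, addresses, ports and all function names are constructed for illustration.

```python
import socket

def resolve_all(host, port):
    """Every distinct (family, sockaddr) the name resolves to for TCP."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return list(dict.fromkeys((fam, sa) for fam, _t, _p, _c, sa in infos))

def tcp_open(family, sockaddr, timeout=2.0):
    """True if a TCP connect to this exact address succeeds."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return True
        except OSError:
            return False

def check_ports(host, ports, resolve=resolve_all, probe=tcp_open):
    """Probe every port on every resolved address: {port: {ip: reachable}}."""
    results = {}
    for port in ports:
        addrs = resolve(host, port)
        if not addrs:
            raise ValueError(f"{host} did not resolve to any address")
        results[port] = {sa[0]: probe(fam, sa) for fam, sa in addrs}
    return results

def passes_any(results):
    """Behaviour described in the ticket: one reachable IP per port is enough."""
    return all(any(per_ip.values()) for per_ip in results.values())

def passes_all(results):
    """Proposed rule: every port must be reachable on every resolved IP."""
    return all(all(per_ip.values()) for per_ip in results.values())

def failures(results):
    """(port, ip) pairs to report when the strict check fails."""
    return sorted((p, ip) for p, per_ip in results.items()
                  for ip, ok in per_ip.items() if not ok)

# Constructed sample: dual-stack host where each port is open on one family only.
SAMPLE_ADDRS = [(socket.AF_INET, ("192.0.2.10",)), (socket.AF_INET6, ("2001:db8::10",))]
SAMPLE_OPEN = {("192.0.2.10", 389), ("2001:db8::10", 443)}

def demo():
    resolve = lambda host, port: [(f, sa + (port,)) for f, sa in SAMPLE_ADDRS]
    probe = lambda fam, sa: (sa[0], sa[1]) in SAMPLE_OPEN
    res = check_ports("replica.example.test", [389, 443], resolve, probe)
    return passes_any(res), passes_all(res), failures(res)

if __name__ == "__main__":
    print(demo())
```

With the constructed sample, the "any" rule passes even though neither address family can reach both ports, while the "all" rule fails and names the unreachable port and address pairs.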
