[Freeipa-devel] Ticket #1107 - firewall troubles
Rob Crittenden
rcritten at redhat.com
Fri May 20 13:45:36 UTC 2011
Dmitri Pal wrote:
> I think Simo has a point but it is too much for now.
> IMO it is Ok to fail and report a meaningful error message on either
> side. Installation hanging is what we should address here in the scope
> of 2.1.
The problem is we currently have no way of telling if the master can
talk to the replica on a given port. When replication begins a
connection is made from the master to the replica and this is what is
failing. Replication is rather robust so it assumes this is a temporary
condition and waits for things to change (they won't).

From the user's perspective the installation has hung. Without doing
active port checking from the master side we have no way of knowing this
may happen (because it can be a firewall somewhere in between too).

So there is no way to fail and report a meaningful error message. If we
could we would catch it up front.

We can't even put a timeout on this because whatever number we choose
will be wrong (640k anyone?)

Simo's idea of ssh'ing to the master may be our only real alternative. I
don't think admin credentials are required though, any user should be
able to run the remote command.
rob