[Freeipa-devel] [PATCH] 1023 tool for configuring automount

Rob Crittenden rcritten at redhat.com
Mon Jun 25 18:20:32 UTC 2012


Martin Kosek wrote:
> On 06/22/2012 07:27 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>>> client.
>>>>>> It can use either SSSD or autofs for automount. It also configures
>>>>>> NFSv4
>>>>>> on the client so secure maps will work.
>>>>>
>>>>> rebased patch
>>>>
>>>> rebase again
>>>>
>>>> rob
>>>
>>> I finally managed to look at this patch. This is generally good work
>>> and makes things a lot easier, but still I found a few issues:
> [snip]
>>>
>>> 5) Would it make sense to check if the given automount location exists?
>>> Currently there is no check for that:
>>>
>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com
>>> --location foo
>>> Searching for IPA server...
>>> IPA server: DNS discovery
>>> Location: foo
>>> Continue to configure the system with these values? [no]: y
>>> Configured /etc/nsswitch.conf
>>> Configured /etc/sysconfig/nfs
>>> Configured /etc/idmapd.conf
>>> Started nfs-server.service
>>> Started nfs-secure.service
>>> Restarting sssd, waiting for it to become available.
>>> Started autofs.service
>>>
>>> Automount then obviously does not work:
>>
>> There was even a TODO in the code for this. I went ahead and did it. I
>> had punted originally because it wasn't really a big deal to unconfigure
>> and reconfigure with the right location.
>
> It's better, thanks. The error message could be more user-friendly and
> for example print all available automount locations, but it's not a
> blocking issue.
>
> We may however print other errors.ExecutionError's, e.g. I hit this when
> I uninstalled automount support and then installed it again too fast:
>
> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location
> brno --no-sssd
> Searching for IPA server...
> IPA server: DNS discovery
> Location: brno
> Traceback (most recent call last):
>    File "/sbin/ipa-client-automount", line 458, in <module>
>      sys.exit(main())
>    File "/sbin/ipa-client-automount", line 426, in main
>      api.Command['automountlocation_show'](unicode(options.location))
>    File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435,
> in __call__
>      ret = self.run(*args, **options)
>    File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748,
> in run
>      return self.forward(*args, **options)
>    File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769,
> in forward
>      return self.Backend.xmlclient.forward(self.name, *args, **kw)
>    File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in
> forward
>      return self.forward(name, *args, **kw)
>    File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in
> forward
>      raise NetworkError(uri=server, error=str(e))
> ipalib.errors.NetworkError: cannot connect to
> 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053]
> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

I don't think this was related to the speed in which you configured and 
unconfigured though it looks like a timing issue. I wasn't able to 
reproduce this but I did make the logging on it a little nicer if it 
happens again.

>
>>> 7) This is related to ipa-client-install, but even when I disable
>>> autodiscovery and add --server option it still disregards it and tries
>>> to search SRV records:
>>>
>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>>> <after some time and SRV searches>
>>> Unable to confirm that <some-ldap-server>.redhat.com is an IPA v2 server
>>
>> Yeah, I think a separate ticket should be opened up, I call the same
>> code as ipa-client-install.
>
> The issue here is that you pass neither server nor domain to
> ds.search() function. ipa-client-install uses this call:
>
> ret = ds.search(domain=options.domain, server=options.server,
> hostname=hostname)
>
> But ipa-client-automount just calls:
>
> +    ret = ds.search()
>
> You may also need to add --domain parameter just like ipa-client-install
> does.

Ok, I see the problem. I'm not actually trying to do discovery, I'm just 
seeing if it works. If we are able to autodiscover the IPA servers then 
we configure the client to use discovery. Otherwise a server is 
hardcoded in.

It would do this even if a server was provided, I changed that in this 
patch.

>
>>
>>>
>>> 8) When discovery is on, we are not really verbose:
>>>
>>> # ipa-configure-automount
>>> Searching for IPA server...
>>> IPA server: DNS discovery
>>> Location: default
>>> Continue to configure the system with these values? [no]:
>>>
>>> We just write "IPA server: DNS discovery", but I would at least like to
>>> know what servers it detected so that I know it does the right thing.
>>
>> This should be better with Petr^3's patches. Is it not? Perhaps only
>> with --debug?
>
> I don't think it does, this is printed in ipa-client-automount:
>
> +    if not autodiscover:
> +        print "IPA server: %s" % server
> +    else:
> +        print "IPA server: DNS discovery"
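Review bot: the else branch prints only the fixed string "IPA server: DNS discovery", so the confirmation prompt that follows gives the operator nothing to check the discovered servers against. If the discovery result is available at this point, list the hosts it returned (or log them at debug level) so that an unexpected server is visible before the client is configured.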
>

I'm open to changing the message but basically it is saying whether or 
not a fixed IPA server is going to be configured on the client for autofs.

>>
>>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used. After
>>> some investigation I found this line is causing it:
>>>
>>> +    if not autodiscover:
>>> +        ldap_uri = "ldap://%s" % server
>>> +    else:
>>> +        ldap_uri = "ldap:///%s" % api.env.basedn<<<
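Review bot: in the else branch, `ldap:///%s` filled with api.env.basedn reads like a host/base-DN mix-up, and it was reported as one in this review. Add a comment above that line saying the empty-host form with a base DN is intentional and tells the autofs client to find the server through DNS discovery. Both branches also write a plain ldap:// URI; whether the connection is protected by TLS or SASL is not visible in these lines and is worth stating in the comment or the man page.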
>>>
>>> There should be an IPA server, not basedn. When I fixed it, autofs via
>>> LDAP worked.
>>
>> I'm not sure why it didn't work, this is correct.
>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
>> to find the right server. It works for me.
>
> Now, it worked for me too, I must have had some bad setting.
>
> [snip]
>
> 11) I found another issue, nested indirect maps did not work with sssd
> provider but they did with ldap provider in nsswitch. But this is a
> problem on SSSD side, I filed a ticket for them:
>
> https://fedorahosted.org/sssd/ticket/1390
>
> I also found 3 new issues (sorry for not finding them in original review).
>
> 12) I see we log to ~/.ipa/default.log. I think it would be better to
> append the log to ipaclient-install.log or similar.

Ok, good idea. Done.

> 13) First three options in ipa-client-automount man pages are not
> formatted right. Bold format is missing + there is extra tag <fl> in
> --location option:
>
>         --server=SERVER Set the IPA server to connect to
>
>         --location=<fl>LOCATION
>                Automount location
>
>         -S, --no-sssd
>                Do not configure the client to use SSSD for automount

I only saw the bad <fl> which I fixed. They are otherwise bolded for me.

> 14) I assume that your patch covers also ticket 2193, I think it should
> be added to the patch description too.

Fixed that too

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1023-5-automount.patch
Type: text/x-diff
Size: 5106 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120625/6ff2a06d/attachment.bin>

