[Freeipa-devel] [PATCH] 1023 tool for configuring automount

Rob Crittenden rcritten at redhat.com
Tue Jun 26 14:41:51 UTC 2012


Martin Kosek wrote:
> On 06/25/2012 09:35 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 06/22/2012 07:27 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Wed, 2012-06-20 at 13:23 -0400, Rob Crittenden wrote:
>>>>>>> Rob Crittenden wrote:
>>>>>>>> Rob Crittenden wrote:
>>>>>>>>> Here is a tool that can be used to configure automount in an IPA
>>>>>>>>> client. It can use either SSSD or autofs for automount. It also
>>>>>>>>> configures NFSv4 on the client so secure maps will work.
>>>>>>>>
>>>>>>>> rebased patch
>>>>>>>
>>>>>>> rebase again
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> I finally managed to look at this patch. This is generally good work
>>>>>> and makes things a lot easier, but still I found a few issues:
>>>> [snip]
>>>>>>
>>>>>> 5) Would it make sense to check if the given automount location
>>>>>> exists?
>>>>>> Currently there is no check for that:
>>>>>>
>>>>>> # ipa-configure-automount --server vm-091.idm.lab.bos.redhat.com
>>>>>> --location foo
>>>>>> Searching for IPA server...
>>>>>> IPA server: DNS discovery
>>>>>> Location: foo
>>>>>> Continue to configure the system with these values? [no]: y
>>>>>> Configured /etc/nsswitch.conf
>>>>>> Configured /etc/sysconfig/nfs
>>>>>> Configured /etc/idmapd.conf
>>>>>> Started nfs-server.service
>>>>>> Started nfs-secure.service
>>>>>> Restarting sssd, waiting for it to become available.
>>>>>> Started autofs.service
>>>>>>
>>>>>> Automount then obviously does not work:
>>>>>
>>>>> There was even a TODO in the code for this. I went ahead and did it. I
>>>>> had punted originally because it wasn't really a big deal to
>>>>> unconfigure and reconfigure with the right location.
>>>>
>>>> It's better, thanks. The error message could be more user-friendly and
>>>> for example print all available automount locations, but it's not a
>>>> blocking issue.
>>>>
>>>> We may however print other errors.ExecutionError's, e.g. I hit this when
>>>> I uninstalled automount support and then installed it again too fast:
>>>>
>>>> # ipa-client-automount --server=vm-091.idm.lab.bos.redhat.com --location
>>>> brno --no-sssd
>>>> Searching for IPA server...
>>>> IPA server: DNS discovery
>>>> Location: brno
>>>> Traceback (most recent call last):
>>>> File "/sbin/ipa-client-automount", line 458, in <module>
>>>> sys.exit(main())
>>>> File "/sbin/ipa-client-automount", line 426, in main
>>>> api.Command['automountlocation_show'](unicode(options.location))
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435,
>>>> in __call__
>>>> ret = self.run(*args, **options)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 748,
>>>> in run
>>>> return self.forward(*args, **options)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 769,
>>>> in forward
>>>> return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 531, in
>>>> forward
>>>> return self.forward(name, *args, **kw)
>>>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 514, in
>>>> forward
>>>> raise NetworkError(uri=server, error=str(e))
>>>> ipalib.errors.NetworkError: cannot connect to
>>>> 'http://vm-091.idm.lab.bos.redhat.com/ipa/xml': [Errno -8053]
>>>> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
>>>
>>> I don't think this was related to the speed in which you configured and
>>> unconfigured though it looks like a timing issue. I wasn't able to
>>> reproduce this but I did make the logging on it a little nicer if it
>>> happens again.
>>>
>>>>
>>>>>> 7) This is related to ipa-client-install, but even when I disable
>>>>>> autodiscovery and add --server option it still disregards it and tries
>>>>>> to search SRV records:
>>>>>>
>>>>>> # ipa-configure-automount --server=vm-091.idm.lab.bos.redhat.com
>>>>>> <after some time and SRV searches>
>>>>>> Unable to confirm that <some-ldap-server>.redhat.com is an IPA v2
>>>>>> server
>>>>>
>>>>> Yeah, I think a separate ticket should be opened up, I call the same
>>>>> code as ipa-client-install.
>>>>
>>>> The issue here is that you pass neither server nor domain to the
>>>> ds.search() function. ipa-client-install uses this call:
>>>>
>>>> ret = ds.search(domain=options.domain, server=options.server,
>>>> hostname=hostname)
>>>>
>>>> But ipa-client-automount just calls:
>>>>
>>>> + ret = ds.search()
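
Review bot: `ds.search()` is called here with no arguments, so a `--server` value from the command line cannot influence the lookup, and the SRV search runs even when the administrator has named the server. Pass `server=options.server` (and the domain, once a `--domain` option exists) as the ipa-client-install call quoted above does, or skip the probe when a server is given.
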
>>>>
>>>> You may also need to add --domain parameter just like ipa-client-install
>>>> does.
>>>
>>> Ok, I see the problem. I'm not actually trying to do discovery, I'm just
>>> seeing if it works. If we are able to autodiscover the IPA servers then
>>> we configure the client to use discovery. Otherwise a server is
>>> hardcoded in.
>>>
>>> It would do this even if a server was provided, I changed that in this
>>> patch.
>>>
>>>>
>>>>>
>>>>>>
>>>>>> 8) When discovery is on, we are not really verbose:
>>>>>>
>>>>>> # ipa-configure-automount
>>>>>> Searching for IPA server...
>>>>>> IPA server: DNS discovery
>>>>>> Location: default
>>>>>> Continue to configure the system with these values? [no]:
>>>>>>
>>>>>> We just write "IPA server: DNS discovery", but I would at least like
>>>>>> to know what servers it detected so that I know it does the right
>>>>>> thing.
>>>>>
>>>>> This should be better with Petr^3's patches. Is it not? Perhaps only
>>>>> with --debug?
>>>>
>>>> I don't think it does; this is printed in ipa-client-automount:
>>>>
>>>> + if not autodiscover:
>>>> + print "IPA server: %s" % server
>>>> + else:
>>>> + print "IPA server: DNS discovery"
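
Review bot: In the `else` branch, "IPA server: DNS discovery" is printed without naming any server, so the administrator reaches the confirmation prompt without seeing which hosts the SRV lookup returned. Print the discovered server names alongside the message, or reword it to say that autofs will locate the server through DNS at run time.
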
>>>>
>>>
>>> I'm open to changing the message but basically it is saying whether or
>>> not a fixed IPA server is going to be configured on the client for
>>> autofs.
>>>
>>>>>
>>>>>> 9) autofs via LDAP (no SSSD) is broken when autodiscovery is used.
>>>>>> After some investigation I found this line is causing it:
>>>>>>
>>>>>> + if not autodiscover:
>>>>>> + ldap_uri = "ldap://%s" % server
>>>>>> + else:
>>>>>> + ldap_uri = "ldap:///%s" % api.env.basedn<<<
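
Review bot: The `else` branch builds `ldap:///%s` from `api.env.basedn` with no comment, and the empty host part reads like a missing server name. Add a one-line comment stating that an empty host followed by the base DN tells the autofs client to find the server through DNS discovery. Both branches use the plain `ldap://` scheme, so the same comment is a good place to say where protection of that connection is configured.
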
>>>>>>
>>>>>> There should be an IPA server, not basedn. When I fixed it, autofs via
>>>>>> LDAP worked.
>>>>>
>>>>> I'm not sure why it didn't work, this is correct.
>>>>> ldap:///dc=example,dc=com tells the autofs client to use DNS discovery
>>>>> to find the right server. It works for me.
>>>>
>>>> Now, it worked for me too, I must have had some bad setting.
>>>>
>>>> [snip]
>>>>
>>>> 11) I found another issue, nested indirect maps did not work with sssd
>>>> provider but they did with ldap provider in nsswitch. But this is a
>>>> problem on SSSD side, I filed a ticket for them:
>>>>
>>>> https://fedorahosted.org/sssd/ticket/1390
>>>>
>>>> I also found 3 new issues (sorry for not finding them in original
>>>> review).
>>>>
>>>> 12) I see we log to ~/.ipa/default.log. I think it would be better to
>>>> append the log to ipaclient-install.log or similar.
>>>
>>> Ok, good idea. Done.
>>>
>>>> 13) First three options in ipa-client-automount man pages are not
>>>> formatted right. Bold format is missing + there is extra tag <fl> in
>>>> --location option:
>>>>
>>>> --server=SERVER Set the IPA server to connect to
>>>>
>>>> --location=<fl>LOCATION
>>>> Automount location
>>>>
>>>> -S, --no-sssd
>>>> Do not configure the client to use SSSD for automount
>>>
>>> I only saw the bad <fl> which I fixed. They are otherwise bolded for me.
>>>
>>>> 14) I assume that your patch covers also ticket 2193, I think it should
>>>> be added to the patch description too.
>>>
>>> Fixed that too
>>>
>>> rob
>>
>> And now the correct patch.
>>
>> rob
>
> Thanks, everything seems to be fixed. I just see that
> ipaclient-install.log is truncated when I start ipa-client-automount. So
> I would rather append the log to it (like we do in ipa-dns-install) so
> that we don't lose the client install debug info.
>
> ACK if you do this change or choose a different log file.
>
> Martin

fixed and pushed to master



