[Freeipa-devel] [PATCHES 523-525] replica install: add remote connection check over API
Tomas Babej
tbabej at redhat.com
Fri Dec 11 17:49:12 UTC 2015
On 12/11/2015 05:37 PM, Martin Basti wrote:
>
>
> On 11.12.2015 15:40, Jan Cholasta wrote:
>> On 11.12.2015 08:03, Jan Cholasta wrote:
>>> On 11.12.2015 07:08, Jan Cholasta wrote:
>>>> On 10.12.2015 15:56, Martin Babinsky wrote:
>>>>> On 12/10/2015 09:48 AM, Jan Cholasta wrote:
>>>>>> On 9.12.2015 16:38, Jan Cholasta wrote:
>>>>>>> On 9.12.2015 14:52, Jan Cholasta wrote:
>>>>>>>> On 9.12.2015 10:02, Jan Cholasta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> the attached patches fix
>>>>>>>>> <https://fedorahosted.org/freeipa/ticket/5497>.
>>>>>>>>
>>>>>>>> Note that this needs selinux-policy fix to work, so put SELinux
>>>>>>>> into
>>>>>>>> permissive mode for testing:
>>>>>>>> <https://bugzilla.redhat.com/show_bug.cgi?id=1289930>.
>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>
>>>>>> I screwed up a change in patch 524 and accidentally included a
>>>>>> chunk of
>>>>>> code in patch 525 that doesn't belong in it.
>>>>>>
>>>>>> Updated patches attached.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Patches work as expected and I was not able to find any functional
>>>>> problem.
>>>>>
>>>>> I have a question about the naming of the oddjob helper script: the
>>>>> one
>>>>> related to trusts is named 'com.redhat.idm.trust-fetch-domains',
>>>>> and the
>>>>> conncheck runner is named 'org.freeipa.server.conncheck'. I don't want
>>>>> to start another bikeshedding conversation but shouldn't we named them
>>>>> in a consistent fashion (either rename the first one in separate patch
>>>>> or rename the new helper to com.redhat.idm.server.conncheck)?
>>>>>
>>>>> I understand that as an upstream, we should go with the
>>>>> 'org.freeipa.*'
>>>>> convention, but having two helpers with different prefixes makes me
>>>>> sad.
>>>>
>>>> If you look at the larger picture, org.freeipa is the consistent name.
>>>> It makes me sad as well, but mistakes should be corrected. This is
>>>> similar to how we use PEP8 in new code, but do not fix it in old code
>>>> just for the sake of fixing it.
>>>>
>>>>>
>>>>> That is a nitpick though, it does not affect the overall functionality
>>>>> of the patches so ACK.
>>>>
>>>> Thanks for the review. The current patch 523 breaks the trusts oddjob
>>>> with SELinux in enforcing mode, I will send an update which corrects
>>>> that, until bug 1289930 is fixed.
>>>
>>> Updated patches attached.
>>
>> Rebased on top of current master.
>>
>>
>>
> Just question, should be any kinited user allowed to run conncheck via rpc?
>
> Martin^2
I guess there's is little harm, any kinited user that was allowed to
access the machine could perform the conncheck even without these patches:
# ipa-replica-conncheck --master master.ipa.test -p random at IPA.TEST -w
ratarata -a -r IPA.TEST
Check connection from replica to remote master 'master.ipa.test':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica.ipa.test':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
More information about the Freeipa-devel
mailing list