[Freeipa-devel] [PATCHSET] Replica promotion patches

Jan Cholasta jcholast@redhat.com
Thu Oct 15 08:45:08 UTC 2015


On 23.9.2015 19:47, Simo Sorce wrote:
> On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:
>> What I mean is that installing a replica using an already existing
>> replica file should be prevented at level 1 as well:
>>
>> root@ipa1# ipa-server-install --domain-level=0
>> root@ipa1# ipa-replica-prepare ipa2.example.com
>> root@ipa1# ipa domainlevel-set 1
>>
>> root@ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
>> ERROR: Can't install replica from a replica file at domain level > 0
>
> Ok I rebased the patchset with a modification to assume promotion if no
> file was provided, and then raise appropriate RuntimeErrors if
> conditions about the domain level are not met.
>
> This change also prevents installing with a replica file if domain level
> is currently at 1.
>
> They are in the usual custodia-review branch.

"Add ipa-custodia service": functional ACK

1) freeipa-python is still missing BuildRequires and Requires on 
python-jwcrypto:

On 23.9.2015 08:35, Jan Cholasta wrote:
> On 23.9.2015 02:47, Simo Sorce wrote:
>> On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:
>>> On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
>>>> 1) python-jwcrypto dependency is missing in the spec file.
>>>
>>> It shouldn't be necessary as custodia already depends on it.
>
> IMO it is a good practice to require all direct dependencies, because
> you can't control indirect dependencies. For example, if one day
> custodia switched from jwcrypto to something different, ipa would lose
> the jwcrypto dependency without us knowing.


"Require a DS version that has working DNA plugin": ACK


"Implement replica promotion functionality":

1) You should handle NotFound for the find_entries() call in 
cainstance.find_ca_server().

2) You can remove ReplicaCA and ReplicaDNS classes as they are unused.

3) I'm getting this on a domain level 0 client:

# ipa-replica-install
Password for admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available

It comes from the "Try out authentication" conn.connect() in 
promote_check(), because it is missing the ccache kwarg.


"Change DNS installer code to use passed in api": ACK


"Allow ipa-replica-conncheck to use default creds":

1) ipa-replica-install prompts for admin password twice during 
connection check:

     Get credentials to log in to remote master
     Check SSH connection to remote master
     admin@vm-137.abc.idm.lab.eng.brq.redhat.com's password:
     Execute check on remote master
     admin@vm-137.abc.idm.lab.eng.brq.redhat.com's password:


"Add function to extract CA certs for install": ACK


"topology: manage ca replication agreements": functional ACK

1) This 20-replication.update bit does not seem to be related to the patch:

# add IPA realm managed suffix to master entry
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add: objectclass: ipaReplTopoManagedServer
add: ipaReplTopoManagedSuffix: $SUFFIX

Why is it included? (Petr?)

2) In update_ca_topology, call CAInstance.__update_topology() instead of 
copy & pasting the code.


"enable topology plugin on upgrade": ACK


"topology plugin configuration workaround": ACK


"handle multiple managed suffixes": ACK


"prevent operation on tombstones": ACK


"Allow to setup the CA when promoting a replica": ACK


"Make checks for existing credentials reusable": ACK


"Add low level helper to get domain level": ACK


"Allow ipa-ca-install to use the new promotion code":

1) The --replica option was not removed:

On 22.9.2015 10:45, Jan Cholasta wrote:
> 1) The --replica option is redundant. You can safely decide whether this
> is the first CA master or not based on information in cn=masters.

2) ipa-ca-install prompts for both admin and DM password:

# ipa-ca-install -r
Password for admin@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
Directory Manager (existing master) password:

DM password should not be required, right?

3) ipa-ca-install fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 445, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 435, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 631, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 185, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 448, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to 
be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2? 
We might need a new 10.2.7 build.


"Remove unused kra option": ACK


"Allow to install the KRA on a promoted server":

1) ipa-kra-install fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 220, in run
    self._run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 200, in _run
    if config.subject_base is None:
AttributeError: 'NoneType' object has no attribute 'subject_base'


-- 
Jan Cholasta
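The install-mode decision discussed at the top of this message (assume promotion when no replica file is given, refuse a replica file once the domain level is above 0, and raise a RuntimeError rather than a GSS error for the disallowed combinations) is small enough to show on its own. The block below is an added example, not code from the patchset under review or from FreeIPA; the constant and function names, the error strings and the argv convention are this example's own assumptions.

```python
# Added example, not code from the FreeIPA patchset under review: the
# install-mode decision described in the thread (assume promotion when no
# replica file is given; refuse a replica file once the domain level is
# above 0). All names below are this example's own, not FreeIPA APIs.

from typing import List, Optional, Tuple

# Domain levels discussed in the thread. The constant names are assumptions.
DOMAIN_LEVEL_0 = 0          # replica files produced by ipa-replica-prepare
DOMAIN_LEVEL_1 = 1          # replica promotion via the topology plugin

MODE_REPLICA_FILE = "replica-file"
MODE_PROMOTION = "promotion"

# Hypothetical error texts; only the first one is quoted in the thread.
REPLICA_FILE_AT_LEVEL_GT_0 = (
    "Can't install replica from a replica file at domain level > 0")
PROMOTION_AT_LEVEL_0 = (
    "Replica promotion requires domain level 1 or higher; at domain level 0 "
    "run ipa-replica-prepare on a master and pass the replica file")


def check_install_request(replica_file: Optional[str],
                          domain_level: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (mode, None) for an allowed request or (None, reason) otherwise.

    The four combinations of "replica file given?" and "domain level" map to:
      file + level 0      -> replica-file install
      file + level > 0    -> error (file-based install no longer allowed)
      no file + level 0   -> error (promotion not available yet)
      no file + level > 0 -> promotion
    """
    if domain_level < DOMAIN_LEVEL_0:
        raise ValueError("domain level must be >= 0, got %r" % (domain_level,))
    if replica_file is not None:
        if domain_level > DOMAIN_LEVEL_0:
            return None, REPLICA_FILE_AT_LEVEL_GT_0
        return MODE_REPLICA_FILE, None
    if domain_level < DOMAIN_LEVEL_1:
        return None, PROMOTION_AT_LEVEL_0
    return MODE_PROMOTION, None


def choose_install_mode(replica_file: Optional[str], domain_level: int) -> str:
    """Raise RuntimeError for a disallowed request, otherwise return the mode."""
    mode, reason = check_install_request(replica_file, domain_level)
    if mode is None:
        raise RuntimeError(reason)
    return mode


def replica_file_from_argv(argv: List[str]) -> Optional[str]:
    """Pick the optional positional replica file out of a CLI argument list.

    Follows the convention in the thread: ``ipa-replica-install`` with no
    positional argument means promotion. Assumption for this example: options
    are written as ``--name=value`` or bare flags, so anything not starting
    with ``-`` is a positional argument.
    """
    positional = [a for a in argv if not a.startswith("-")]
    if len(positional) > 1:
        raise RuntimeError("at most one replica file may be given")
    return positional[0] if positional else None


if __name__ == "__main__":
    # Constructed scenario from the thread: a replica file prepared at level 0,
    # then the domain is raised to 1 before the replica gets installed.
    for argv, level in [(["replica-info-ipa2.example.com.gpg"], 0),
                        (["replica-info-ipa2.example.com.gpg"], 1),
                        ([], 0),
                        ([], 1)]:
        try:
            mode = choose_install_mode(replica_file_from_argv(argv), level)
            print(argv, level, "->", mode)
        except RuntimeError as e:
            print(argv, level, "-> ERROR:", e)
```

Keeping the decision in a function that returns a reason string, with a thin wrapper that raises, makes the matrix unit-testable without catching exceptions and keeps the check independent of whether Kerberos credentials are available yet; the GSS failure reported above for the domain level 0 client would then never be reached for this case.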