[Freeipa-devel] [PATCHSET] Replica promotion patches

Petr Vobornik pvoborni at redhat.com
Thu Oct 15 10:00:27 UTC 2015 

On 10/15/2015 10:45 AM, Jan Cholasta wrote:
> On 23.9.2015 19:47, Simo Sorce wrote:
>> On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:
>>> What I mean is that installing a replica using an already existing
>>> replica file should be prevented at level 1 as well:
>>>
>>> root at ipa1# ipa-server-install --domain-level=0
>>> root at ipa1# ipa-replica-prepare ipa2.example.com
>>> root at ipa1# ipa domainlevel-set 1
>>>
>>> root at ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
>>> ERROR: Can't install replica from a replica file at domain level > 0
>>
>> Ok I rebased the patchset with a modification to assume promotion if no
>> file was provided, and then raise appropriate RuntimeErrors if
>> conditions about the domain level are not met.
>>
>> This change also prevents installing with a replica file if domain level
>> is currently at 1.
>>
>> They are in the usual custodia-review branch.
>
> "Add ipa-custodia service": functional ACK
>
> 1) freeipa-python is still missing BuildRequires and Requires on
> python-jwcrypto:
>
> On 23.9.2015 08:35, Jan Cholasta wrote:
>> On 23.9.2015 02:47, Simo Sorce wrote:
>>> On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:
>>>> On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
>>>>> 1) python-jwcrypto dependency is missing in the spec file.
>>>>
>>>> It shouldn't be necessary as custodia already depends on it.
>>
>> IMO it is a good practice to require all direct dependencies, because
>> you can't control indirect dependencies. For example, if one day
>> custodia switched from jwcrypto to something different, ipa would lose
>> the jwcrypto dependency without us knowing.
>
>
> "Require a DS version that has working DNA plugin": ACK
>
>
> "Implement replica promotion functionality":
>
> 1) You should handle NotFound for the find_entries() call in
> cainstance.find_ca_server().
>
> 2) You can remove ReplicaCA and ReplicaDNS classes as they are unused.
>
> 3) I'm getting this on domain level 0 client:
>
> # ipa-replica-install
> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968):
> Unspecified GSS failure. Minor code may provide more information, Minor
> (2529639053): No Kerberos credentials available
>
> It comes from the "Try out authentication" conn.connect() in
> promote_check(), because it is missing the ccache kwarg.
>
>
> "Change DNS installer code to use passed in api": ACK
>
>
> "Allow ipa-replica-conncheck to use default creds":
>
> 1) ipa-replica-install prompts for admin password twice during
> connection check:
>
>      Get credentials to log in to remote master
>      Check SSH connection to remote master
>      admin at vm-137.abc.idm.lab.eng.brq.redhat.com's password:
>      Execute check on remote master
>      admin at vm-137.abc.idm.lab.eng.brq.redhat.com's password:
>
>
> "Add function to extract CA certs for install": ACK
>
>
> "topology: manage ca replication agreements": functional ACK
>
> 1) This 20-replication.update bit does not seem to be related to the patch:
>
> # add IPA realm managed suffix to master entry
> dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> add: objectclass: ipaReplTopoManagedServer
> add: ipaReplTopoManagedSuffix: $SUFFIX
>
> Why is it included? (Petr?)

I believe this could be send as a separate patch. It was included during 
tuning of update and is not related to replica promotion nor managing of 
CA agreements.

>
> 2) In update_ca_topology, call CAInstance.__update_topology() instead of
> copy & pasting the code.
>
>
> "enable topology plugin on upgrade": ACK
>
>
> "topology plugin configuration workaround": ACK
>
>
> "handle multiple managed suffixes": ACK
>
>
> "prevent operation on tombstones": ACK
>
>
> "Allow to setup the CA when promoting a replica": ACK
>
>
> "Make checks for existing credentials reusable": ACK
>
>
> "Add low level helper to get domain level": ACK
>
>
> "Allow ipa-ca-install to use the new promotion code":
>
> 1) The --replica option was not removed:
>
> On 22.9.2015 10:45, Jan Cholasta wrote:
>> 1) The --replica option is redundant. You can safely decide whether this
>> is the first CA master or not based on information in cn=masters.
>
> 2) ipa-ca-install prompts for both admin and DM password:
>
> # ipa-ca-install -r
> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
> Directory Manager (existing master) password:
>
> DM password should not be required, right?
>
> 3) ipa-ca-install fails with:
>
> Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 445, in start_creation
>      run_step(full_msg, method)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 435, in run_step
>      method()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 631, in __spawn_instance
>      DogtagInstance.spawn_instance(self, cfg_file)
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 185, in spawn_instance
>      self.handle_setup_error(e)
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 448, in handle_setup_error
>      raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> I guess I'm hitting the authentication bug in Dogtag. It is supposed to
> be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
> We might need a new 10.2.7 build.
>
>
> "Remove unused kra option": ACK
>
>
> "Allow to install the KRA on a promoted server":
>
> 1) ipa-kra-install fails with:
>
> Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
> 171, in execute
>      return_value = self.run()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
> line 220, in run
>      self._run()
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
> line 200, in _run
>      if config.subject_base is None:
> AttributeError: 'NoneType' object has no attribute 'subject_base'
>
>


-- 
Petr Vobornik

More information about the Freeipa-devel mailing list