[Freeipa-devel] [PATCHSET] Replica promotion patches

Jan Cholasta jcholast at redhat.com
Thu Oct 15 12:29:30 UTC 2015 

On 15.10.2015 12:00, Petr Vobornik wrote:
> On 10/15/2015 10:45 AM, Jan Cholasta wrote:
>> On 23.9.2015 19:47, Simo Sorce wrote:
>>> On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:
>>>> What I mean is that installing a replica using an already existing
>>>> replica file should be prevented at level 1 as well:
>>>>
>>>> root at ipa1# ipa-server-install --domain-level=0
>>>> root at ipa1# ipa-replica-prepare ipa2.example.com
>>>> root at ipa1# ipa domainlevel-set 1
>>>>
>>>> root at ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
>>>> ERROR: Can't install replica from a replica file at domain level > 0
>>>
>>> Ok I rebased the patchset with a modification to assume promotion if no
>>> file was provided, and then raise appropriate RuntimeErrors if
>>> conditions about the domain level are not met.
>>>
>>> This change also prevents installing with a replica file if domain level
>>> is currently at 1.
>>>
>>> They are in the usual custodia-review branch.
>>
>> "Add ipa-custodia service": functional ACK
>>
>> 1) freeipa-python is still missing BuildRequires and Requires on
>> python-jwcrypto:
>>
>> On 23.9.2015 08:35, Jan Cholasta wrote:
>>> On 23.9.2015 02:47, Simo Sorce wrote:
>>>> On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:
>>>>> On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
>>>>>> 1) python-jwcrypto dependency is missing in the spec file.
>>>>>
>>>>> It shouldn't be necessary as custodia already depends on it.
>>>
>>> IMO it is a good practice to require all direct dependencies, because
>>> you can't control indirect dependencies. For example, if one day
>>> custodia switched from jwcrypto to something different, ipa would lose
>>> the jwcrypto dependency without us knowing.
>>
>>
>> "Require a DS version that has working DNA plugin": ACK
>>
>>
>> "Implement replica promotion functionality":
>>
>> 1) You should handle NotFound for the find_entries() call in
>> cainstance.find_ca_server().
>>
>> 2) You can remove ReplicaCA and ReplicaDNS classes as they are unused.
>>
>> 3) I'm getting this on domain level 0 client:
>>
>> # ipa-replica-install
>> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968):
>> Unspecified GSS failure. Minor code may provide more information, Minor
>> (2529639053): No Kerberos credentials available
>>
>> It comes from the "Try out authentication" conn.connect() in
>> promote_check(), because it is missing the ccache kwarg.
>>
>>
>> "Change DNS installer code to use passed in api": ACK
>>
>>
>> "Allow ipa-replica-conncheck to use default creds":
>>
>> 1) ipa-replica-install prompts for admin password twice during
>> connection check:
>>
>>      Get credentials to log in to remote master
>>      Check SSH connection to remote master
>>      admin at vm-137.abc.idm.lab.eng.brq.redhat.com's password:
>>      Execute check on remote master
>>      admin at vm-137.abc.idm.lab.eng.brq.redhat.com's password:
>>
>>
>> "Add function to extract CA certs for install": ACK
>>
>>
>> "topology: manage ca replication agreements": functional ACK
>>
>> 1) This 20-replication.update bit does not seem to be related to the
>> patch:
>>
>> # add IPA realm managed suffix to master entry
>> dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
>> add: objectclass: ipaReplTopoManagedServer
>> add: ipaReplTopoManagedSuffix: $SUFFIX
>>
>> Why is it included? (Petr?)
>
> I believe this could be send as a separate patch. It was included during
> tuning of update and is not related to replica promotion nor managing of
> CA agreements.

(reference: 
<https://www.redhat.com/archives/freeipa-devel/2015-October/msg00262.html>)

>
>>
>> 2) In update_ca_topology, call CAInstance.__update_topology() instead of
>> copy & pasting the code.
>>
>>
>> "enable topology plugin on upgrade": ACK
>>
>>
>> "topology plugin configuration workaround": ACK
>>
>>
>> "handle multiple managed suffixes": ACK
>>
>>
>> "prevent operation on tombstones": ACK
>>
>>
>> "Allow to setup the CA when promoting a replica": ACK
>>
>>
>> "Make checks for existing credentials reusable": ACK
>>
>>
>> "Add low level helper to get domain level": ACK

To speed things up, I fixed the issues I found in the patches above, to 
be able to push them.

Pushed to master: 6a0087aea176d1e1154b359fa262066896d663e3

>>
>>
>> "Allow ipa-ca-install to use the new promotion code":
>>
>> 1) The --replica option was not removed:
>>
>> On 22.9.2015 10:45, Jan Cholasta wrote:
>>> 1) The --replica option is redundant. You can safely decide whether this
>>> is the first CA master or not based on information in cn=masters.
>>
>> 2) ipa-ca-install prompts for both admin and DM password:
>>
>> # ipa-ca-install -r
>> Password for admin at ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
>> Directory Manager (existing master) password:
>>
>> DM password should not be required, right?
>>
>> 3) ipa-ca-install fails with:
>>
>> Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 445, in start_creation
>>      run_step(full_msg, method)
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 435, in run_step
>>      method()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 631, in __spawn_instance
>>      DogtagInstance.spawn_instance(self, cfg_file)
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
>> line 185, in spawn_instance
>>      self.handle_setup_error(e)
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
>> line 448, in handle_setup_error
>>      raise RuntimeError("%s configuration failed." % self.subsystem)
>> RuntimeError: CA configuration failed.
>>
>> I guess I'm hitting the authentication bug in Dogtag. It is supposed to
>> be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
>> We might need a new 10.2.7 build.
>>
>>
>> "Remove unused kra option": ACK

I also pushed this one.

Pushed to master: 9e007edbd902a5395797ca0ca9a698033540d755

>>
>>
>> "Allow to install the KRA on a promoted server":
>>
>> 1) ipa-kra-install fails with:
>>
>> Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>> 171, in execute
>>      return_value = self.run()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
>> line 220, in run
>>      self._run()
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
>> line 200, in _run
>>      if config.subject_base is None:
>> AttributeError: 'NoneType' object has no attribute 'subject_base'
>>
>>
>
>


-- 
Jan Cholasta

More information about the Freeipa-devel mailing list