[Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance

Christian Heimes cheimes at redhat.com
Fri Jul 1 09:26:11 UTC 2016


On 2016-07-01 11:17, Petr Spacek wrote:
> On 1.7.2016 11:04, Christian Heimes wrote:
>> On 2016-07-01 10:59, Petr Spacek wrote:
>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make an
>>>>>> HTTP(S) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>>>> host.
>>>>>>
>>>>>> On a replica without CA, ca_host is a remote host (e.g. the master's
>>>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>>>> which might be blocked by a firewall.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>>>
>>>>> Interesting. How does it happen that a replica without CA is calling RedHatCAService?
>>>>>
>>>>> Also, why should a replica be waiting for the CA if it is not installed?
>>>>>
>>>>> I'm confused.
>>>>
>>>> There is a hint in the last sentence: ipa-ca-install
>>>>
>>>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>>>> doesn't wait for the local Dogtag to come up but connects to a remote
>>>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>>>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>>>> never succeeds.
>>>
>>> Oh, I missed that, thanks!
>>>
>>> Isn't the root cause that ipa.env.ca_host does not get updated during
>>> ipa-ca-install?
>>
>> Been there, tried it, didn't work:
>> https://fedorahosted.org/freeipa/ticket/6016#comment:1
> 
> I understand that it does not work right now, but it does not mean that it is
> an actual problem in api.env :-)
> 
> Anyway, I'm testing your patch but I'm not sure we can get it into 4.4.0 as
> Petr^1 is about to push the RELEASE button any minute now.

Thanks Petr.

I talked to Petr^1 on IRC. Since 4.2 and 4.3 are also affected, it's
better not to rush this patch. It won't make it into 4.4.0.

Christian
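Added illustration of the readiness-check behaviour the thread describes. This is not FreeIPA's code and not the patch under review; `wait_until_running`, `StatusProbe`, `FakeNetwork`, `FakeClock` and the two hostnames are constructed here. The real `dogtag.ca_status()` is replaced by an injected probe so the scenario runs offline: the replica's own Dogtag becomes ready after a few polls, while the host named by `api.env.ca_host` (the master) is behind a firewall and never answers on 8080/8443, so a wait keyed on the wrong host times out.

```python
import time
from typing import Callable, List

# StatusProbe(host, port) -> True when the CA's getStatus endpoint answers OK.
# In FreeIPA this role is played by dogtag.ca_status(); here it is injected so
# the example runs offline. (Assumed interface, not FreeIPA's.)
StatusProbe = Callable[[str, int], bool]


def wait_until_running(probe: StatusProbe, host: str, port: int = 8443,
                       timeout: float = 5.0, interval: float = 0.1,
                       clock=time.monotonic, sleep=time.sleep) -> bool:
    """Poll probe(host, port) until it reports OK; give up after `timeout`.

    The host is an explicit parameter: the caller decides whether the
    instance being waited for is local or remote, instead of inheriting a
    default such as api.env.ca_host that may point at another machine.
    """
    deadline = clock() + timeout
    while True:
        if probe(host, port):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


class FakeClock:
    """Deterministic stand-in for time.monotonic()/time.sleep()."""
    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class FakeNetwork:
    """Constructed scenario from the thread: the replica's own Dogtag becomes
    ready after `ready_after` polls, while the master (api.env.ca_host) sits
    behind a firewall that drops 8080/8443, so probes there never succeed."""
    def __init__(self, local_fqdn: str, remote_fqdn: str, ready_after: int) -> None:
        self.local_fqdn = local_fqdn
        self.remote_fqdn = remote_fqdn
        self.ready_after = ready_after
        self.local_probes = 0
        self.probed_hosts: List[str] = []

    def probe(self, host: str, port: int) -> bool:
        self.probed_hosts.append(host)
        if host == self.remote_fqdn:
            return False          # firewall: the request never gets an answer
        if host == self.local_fqdn:
            self.local_probes += 1
            return self.local_probes >= self.ready_after
        return False


# Constructed hostnames (placeholders, not taken from the ticket).
LOCAL_FQDN = "replica.example.test"
CA_HOST = "master.example.test"    # what api.env.ca_host holds on a CA-less replica


def install_wait_buggy() -> dict:
    """Behaviour reported in the thread: wait on the remote ca_host."""
    net = FakeNetwork(LOCAL_FQDN, CA_HOST, ready_after=3)
    clk = FakeClock()
    ok = wait_until_running(net.probe, CA_HOST, timeout=5.0, interval=0.5,
                            clock=clk.monotonic, sleep=clk.sleep)
    return {"ok": ok, "hosts": set(net.probed_hosts), "elapsed": clk.now}


def install_wait_fixed() -> dict:
    """Intended behaviour: wait on the replica's own instance."""
    net = FakeNetwork(LOCAL_FQDN, CA_HOST, ready_after=3)
    clk = FakeClock()
    ok = wait_until_running(net.probe, LOCAL_FQDN, timeout=5.0, interval=0.5,
                            clock=clk.monotonic, sleep=clk.sleep)
    return {"ok": ok, "hosts": set(net.probed_hosts), "elapsed": clk.now}


if __name__ == "__main__":
    print("buggy:", install_wait_buggy())
    print("fixed:", install_wait_fixed())
```

The buggy variant polls only the master until the 5 s deadline expires and returns False; the fixed variant polls the replica and returns True on the third probe. The design point is that the host must be an explicit argument of the wait, and that the wait must have a bounded timeout rather than spinning forever on a firewalled port.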



