[Freeipa-devel] [PATCH 0057] Don't show part of warning containing --force-ntpd in replica install

Martin Basti mbasti at redhat.com
Thu Aug 11 13:34:40 UTC 2016



On 09.08.2016 15:27, Stanislav Laznicka wrote:
> On 08/04/2016 07:34 AM, Jan Cholasta wrote:
>> On 3.8.2016 19:39, Martin Basti wrote:
>>>
>>>
>>> On 03.08.2016 18:10, Petr Vobornik wrote:
>>>> On 07/13/2016 12:36 PM, Stanislav Laznicka wrote:
>>>>> On 07/13/2016 09:51 AM, Petr Vobornik wrote:
>>>>>> On 07/13/2016 08:26 AM, Stanislav Laznicka wrote:
>>>>>>> On 07/12/2016 08:44 AM, Stanislav Laznicka wrote:
>>>>>>>> On 07/11/2016 04:27 PM, Petr Vobornik wrote:
>>>>>>>>> On 07/11/2016 01:23 PM, Stanislav Laznicka wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/6046
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Isn't the bug about something else?
>>>>>>>>>
>>>>>>>>> The issue was that ipa-replica-install doesn't have --force-ntpd
>>>>>>>>> option. It is an option of ipa-client-install which is run from
>>>>>>>>> replica installer.
>>>>>>>>>
>>>>>>>>> The unattended mode is unrelated.
>>>>>>>> My understanding is that the bug says that '--force-ntpd' option
>>>>>>>> should not be shown when ipa-client-install is run during replica
>>>>>>>> installation.
>>>>>>>>
>>>>>>>> During replica installation, the ipa-client-install script is run
>>>>>>>> with the '--unattended' flag in the 'ensure_enrolled()' function.
>>>>>>>> Being a separate script, there are not many options on how to pass
>>>>>>>> the information not to show the message to ipa-client-install.
>>>>>>>> Using the already used flag to get rid of the message seemed
>>>>>>>> easiest to me. Introducing a new 'hidden' flag (like
>>>>>>>> '--from-replica'), on the other hand, seems a bit harsh.
>>>>>>>>
>>>>>>> Just to throw it out there - it's possible that the '--force-join'
>>>>>>> client option would also appear as a hint from the client install
>>>>>>> script (during replica installation). Should this also be muted
>>>>>>> somehow? To me, it seems reasonable to rather add it as an argument
>>>>>>> to ipa-replica-install to pass it to the client install script.
>>>>>>>
>>>>>> IMO client installation initiated from replica needs to have a
>>>>>> special option (hidden in help) similar to --on-server (or what's its
>>>>>> name). E.g. the name can be --replica-install. Maybe --on-server can
>>>>>> be used but it may have other implications which might not be valid
>>>>>> for this use case.
>>>>>>
>>>>>> Anything else is just a workaround. Imagine that admin runs
>>>>>> ipa-client-install with --unattended or --force-join. He would then
>>>>>> not get the message as now.
>>>> Reviving thread to get other opinion.
>>>>
>>>>> The --on-master option won't do here as it seems that the client
>>>>> would require some IPA pre-configuration for successful install. A
>>>>> new option will have to be created, then.
>>>> I'm for new "hidden" option.
>>>
>>> I'm against any hidden options, this should be made correctly by
>>> modularization/fixing of client install, to be able to call it from
>>> Python, not as an external process
>>
>> +1, but this is non-trivial and definitely not material for 4.4.1.
>> For 4.4.1 the hidden option should be OK.
>>
>>>
>>> Just from top of my head, can we just use option --no-ntp with client
>>> install in replica installer? Server NTP should not depend on client
>>> ntp config.
>>> I'm just afraid that we may get Kerberos time issue during client
>>> install if client time does not match server time.
>>>
>>> Or second approach, always call client install from replica with
>>> --force-ntpd, unless there is --no-ntp used for replica, then call
>>> ipa-client-install with --no-ntp
>>>
>>> But it needs investigation.
>>
>> CCing David as he knows everything NTP-related.
>>
>>>
>>> Martin^2
>>>
>>>>
>>>>> As I was trying to point out, the situation about --force-join is a
>>>>> bit different. The option again would be shown and is not available in
>>>>> ipa-replica-install. I think it should be available to allow direct
>>>>> replica installation even when previous installation failed/left some
>>>>> mess on the master (ofc the user could run `ipa-replica-manage del
>>>>> <bad-bad-hostname> --cleanup` on the master instead).
>>>>>
>>>> That could work but imho is out of scope of this ticket.
>>>
>>
>>
> Please see the attached patch that always adds the --no-ntp option to 
> ipa-client-install.
>
ACK

Pushed to master: 0745c5d0f96f572a3780b32a3f2dce4f3512c396



