#10013 Retrace playbook fails on "ipa/client" task
Closed: Fixed 2 years ago by kevin. Opened 2 years ago by mgrabovs.

Running sudo rbac-playbook groups/retrace.yml -l retrace-stg.aws.fedoraproject.org on batcave01 fails on the task "ipa/client : Enroll system as IPA client" with the following error:

TASK [ipa/client : Enroll system as IPA client] ***********************************************
Thursday 03 June 2021  10:25:20 +0000 (0:00:00.653)       0:02:18.855 *********                
Thursday 03 June 2021  10:25:20 +0000 (0:00:00.653)       0:02:18.855 *********                
fatal: [retrace-stg.aws.fedoraproject.org]: FAILED! => {"changed": true, "cmd": ["ipa-client-install", "--server=ipa01.stg.iad2.fedoraproject.org",
[... abridged ...]

PLAY RECAP ************************************************************************************
retrace-stg.aws.fedoraproject.org : ok=108  changed=0    unreachable=0    failed=1    skipped=134  rescued=0    ignored=0

logs written to: /var/log/ansible/retrace/2021/06/03/10.23.01                                  
Thursday 03 June 2021  10:25:21 +0000 (0:00:00.912)       0:02:19.767 *********
[...]

Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

2 years ago

This is due to this instance being a bit different. :)

Our normal staging hosts are in iad2 and can talk directly to the ipa server(s).
This instance is in aws, and being external can't talk to the ipa server(s). ;(

So alternatives:

  1. We could just drop ipa/client role here and you could manage users locally, or just use root.
  2. We could set up a bastion01.stg with openvpn and connect this instance and the ipa servers to it so they could talk.
  3. We could move this instance into iad2 staging (but not sure what resources it needs)

I'd prefer 1 or 3 as they seem like less work, but what are your thoughts?

Thanks for the clarification, Kevin. Number 1 seems the most sensible to me at the moment.

Is it enough to just add a condition to the import_role: name=ipa/client line in playbooks/groups/retrace.yml so that it's not executed for stg? I'm in the process of doing some adjustments to the playbooks so I could slide this one in as well.

Yep. Just add a when: env != 'staging' to not do it in staging. :)

I'll close this now, but re-open or file a new ticket if there's anything you need us to do.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata
Boards 1
ops Status: Done