From 54a251bceaabfaf82d0a18b2614c261e2bded0c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Sep 15 2023 11:53:12 +0000
Subject: Configure affinity during server installation
Write a new krb5.conf in case any values changed finding the right server to configure against (e.g. for CA, KRA) and ensure the API connection is to the remote server that will be installed against.
When finding a CA or KRA during initial replica installation set the remote master as well. The order is:
- existing server value in /etc/ipa/default.conf
- the chosen CA host if the server doesn't provide one
- the chosen KRA host if the server doesn't provide one
This is more or less heirarchical. If a server is provided then that is considered first. If it provides all the optional services needed (CA and/or KRA) then it will be used. Otherwise it will fall back to a server that provides all the required services.
In short, providing --server either at client install or with ipa-replica-install is no guarantee that it will define all topology. This may be unexpected behavior.
For the case of adding a CA or KRA things are effectively unchanged. This type of install does not appear to be impacted by affinity issues.
Fixes: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden
Reviewed-By: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8a0c298..ba5c917 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -781,6 +781,20 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
     )
 
 
+def remote_connection(config):
+    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+    xmlrpc_uri = 'https://{}/ipa/xml'.format(
+        ipautil.format_netloc(config.master_host_name))
+    remote_api = create_api(mode=None)
+    remote_api.bootstrap(in_server=True,
+                         context='installer',
+                         confdir=paths.ETC_IPA,
+                         ldap_uri=ldapuri,
+                         xmlrpc_uri=xmlrpc_uri)
+    remote_api.finalize()
+    return remote_api
+
+
 @common_cleanup
 @preserve_enrollment_state
 def promote_check(installer):
@@ -943,16 +957,7 @@ def promote_check(installer):
         raise RuntimeError("CA cert file is not available! Please reinstall"
                            "the client and try again.")
 
-    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
-    xmlrpc_uri = 'https://{}/ipa/xml'.format(
-        ipautil.format_netloc(config.master_host_name))
-    remote_api = create_api(mode=None)
-    remote_api.bootstrap(in_server=True,
-                         context='installer',
-                         confdir=paths.ETC_IPA,
-                         ldap_uri=ldapuri,
-                         xmlrpc_uri=xmlrpc_uri)
-    remote_api.finalize()
+    remote_api = remote_connection(config)
     installer._remote_api = remote_api
 
     with rpc_client(remote_api) as client:
@@ -1082,7 +1087,16 @@ def promote_check(installer):
             'CA', conn, preferred_cas
         )
         if ca_host is not None:
+            if config.master_host_name != ca_host:
+                conn.disconnect()
+                del remote_api
+                config.master_host_name = ca_host
+                remote_api = remote_connection(config)
+                installer._remote_api = remote_api
+                conn = remote_api.Backend.ldap2
+                conn.connect(ccache=installer._ccache)
             config.ca_host_name = ca_host
+            config.master_host_name = ca_host
             ca_enabled = True
             if options.dirsrv_cert_files:
                 logger.error("Certificates could not be provided when "
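Review bot: `remote_connection` is a new module-level function without a docstring; a short one stating its contract would help, e.g. `"""Return a finalized installer-context API bound to config.master_host_name over LDAPS and XML-RPC."""`. Since the callers added later in this commit rebuild the instance after changing `config.master_host_name`, the docstring should also note that the returned API reflects whatever that attribute holds at call time. The body is the code moved out of promote_check at the `@@ -943` hunk, so there is no behavioural point to raise on it.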
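Review bot: The reconnect block under `if config.master_host_name != ca_host:` is repeated verbatim for the KRA case at `@@ -1121`, and in both places `config.master_host_name` is assigned twice (inside the guard and again unconditionally after the `*_host_name` assignment), so one of the two assignments is dead; keeping only the unconditional one, or moving it before the guard, makes the ordering obvious. Extracting the switch into one helper that returns the new `(remote_api, conn)` removes the duplication and keeps the disconnect, bootstrap and connect steps in a single place, which matters because the connection is re-established with the installer's credential cache against a different host. Whether this code is still inside the `with rpc_client(remote_api) as client:` opened at `@@ -943` cannot be seen in the hunk; if it is, `client` keeps pointing at the previous master after the switch and deserves either an explicit rebind or a comment saying it is no longer used. promote_check continues outside the hunk.
```python
def _switch_remote_master(installer, config, conn, host):
    """Rebind the installer's remote API and LDAP connection to host."""
    conn.disconnect()
    config.master_host_name = host
    remote_api = remote_connection(config)
    installer._remote_api = remote_api
    conn = remote_api.Backend.ldap2
    conn.connect(ccache=installer._ccache)
    return remote_api, conn

# … unchanged: CA discovery via find_providing_server …
        if ca_host is not None:
            if config.master_host_name != ca_host:
                remote_api, conn = _switch_remote_master(
                    installer, config, conn, ca_host)
            config.ca_host_name = ca_host
            config.master_host_name = ca_host
```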
@@ -1121,7 +1135,17 @@ def promote_check(installer):
             'KRA', conn, preferred_kras
         )
         if kra_host is not None:
+            if config.master_host_name != kra_host:
+                conn.disconnect()
+                del remote_api
+                config.master_host_name = kra_host
+                remote_api = remote_connection(config)
+                installer._remote_api = remote_api
+                conn = remote_api.Backend.ldap2
+                conn.connect(ccache=installer._ccache)
             config.kra_host_name = kra_host
+            config.ca_host_name = kra_host
+            config.master_host_name = kra_host
             kra_enabled = True
             if options.setup_kra and options.server and \
                     kra_host != options.server:
@@ -1239,6 +1263,24 @@ def install(installer):
     if tasks.configure_pkcs11_modules(fstore):
         print("Disabled p11-kit-proxy")
 
+    _hostname, _sep, host_domain = config.host_name.partition('.')
+    fstore.backup_file(paths.KRB5_CONF)
+
+    # Write a new krb5.conf in case any values changed finding the
+    # right server to configure against (for CA, KRA).
+    logger.debug("Installing against server %s", config.master_host_name)
+    configure_krb5_conf(
+        cli_realm=api.env.realm,
+        cli_domain=api.env.domain,
+        cli_server=[config.master_host_name],
+        cli_kdc=[config.master_host_name],
+        dnsok=False,
+        filename=paths.KRB5_CONF,
+        client_domain=host_domain,
+        client_hostname=config.host_name,
+        configure_sssd=False
+    )
+
     if installer._add_to_ipaservers:
         try:
             conn.connect(ccache=installer._ccache)
diff --git a/ipaserver/masters.py b/ipaserver/masters.py
index c9b57b2..cae48b3 100644
--- a/ipaserver/masters.py
+++ b/ipaserver/masters.py
@@ -127,6 +127,8 @@ def find_providing_servers(svcname, conn=None, preferred_hosts=(), api=api):
             )
         else:
             servers.insert(0, host_name)
+    logger.debug("Discovery: available servers for service '%s' are %s",
+                 svcname, ', '.join(servers))
     return servers
 
 
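Review bot: `config.ca_host_name = kra_host` unconditionally replaces the CA host chosen at `@@ -1082` (which honoured `preferred_cas`) with the KRA host, and nothing in the hunk establishes that every server providing KRA also provides CA; if that invariant holds in this deployment model it should be stated, e.g. `# a KRA host always carries a CA, so it serves as the CA host as well`, otherwise `ca_host_name` should only be overwritten when `kra_host` is among the CA-providing servers. The `if options.setup_kra and options.server and kra_host != options.server:` branch below already treats a mismatch between the requested and the chosen server as an error case, so the same care applies to the CA host being silently moved here. The reconnect block before it mirrors the CA one and would benefit from the same single helper. promote_check continues outside the hunk.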
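Review bot: `_hostname, _sep, host_domain = config.host_name.partition('.')` binds two throwaway names; `host_domain = config.host_name.partition('.')[2]` expresses the same thing, and a `config.host_name` without a dot yields an empty `client_domain`, which deserves a guard or a comment if an FQDN is guaranteed at this point. The rewritten krb5.conf pins `cli_server` and `cli_kdc` to the single `config.master_host_name` with `dnsok=False`; `fstore.backup_file` preserves the previous file, but whether the installer's failure path restores it from the fstore is not visible in this hunk and is worth confirming, since a replica left half-installed would otherwise keep a krb5.conf pointing at one KDC only. A one-line comment on `configure_sssd=False` (presumably because the server install configures SSSD itself) would spare the next reader a lookup. install continues outside the hunk.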
@@ -143,8 +145,11 @@ def find_providing_server(svcname, conn=None, preferred_hosts=(), api=api):
         svcname, conn=conn, preferred_hosts=preferred_hosts, api=api
     )
     if not servers:
+        logger.debug("Discovery: no '%s' service found.", svcname)
         return None
     else:
+        logger.debug("Discovery: using %s for '%s' service",
+                     servers[0], svcname)
         return servers[0]