#5770 [RFE] do not stop all IPA services in ipactl if non-fatal doesn't start
Opened 8 years ago by pvoborni. Modified 7 years ago

Use case: If a CA doesn't start for some reason (e.g. network is down), ipactl stops all services, making this IPA server completely unusable. This has a bigger unwanted impact than not being able to renew or request certs.

Possible services to mark as non-fatal:

  • CA
  • KRA
  • DNS

Note: there is an option --ignore-service-failure but it ignores all services, including the fatal ones like KDC.


DNS but it might be actually scratched out - especially if it is the only DNS server

A short-term solution will be handled in #5820

triage notes:

  • simo: for the failed non-essential service IPA could notify the admin, e.g. via email
  • mkosek: emit a warning message that can be seen in "systemctl status ipa.service" in case of system shutdown that advertises the option. Admin needs to deal with this case anyway, at least now he will see how.
  • the proposal is to do this as a quick & cheap solution before we do something more robust, like IPA over SELinux, Roles....
  • once IPA has notification, we can make some services non-critical - lessen pressure
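
The three start-up policies discussed in this ticket (stop everything on any failure, `--ignore-service-failure`, and the proposed non-fatal list), modelled as an added example. This is not ipactl's code: `start_all`, the `starter` callback, the `fails` helper and the start order are assumptions made for illustration.

```python
import logging

log = logging.getLogger("ipactl-sketch")

# Classification taken from the ticket text, not from ipactl itself.
NON_FATAL = {"CA", "KRA", "DNS"}
# Constructed start order for the demo; anything not in NON_FATAL is fatal.
SAMPLE_ORDER = ["KDC", "CA", "KRA", "DNS"]


def fails(*down):
    """Hypothetical starter: reports failure for the named services."""
    return lambda name: name not in down


def start_all(services, starter, ignore_service_failure=False,
              allow_non_fatal=False):
    """Start services in order; return (running, failed, stopped_all)."""
    running, failed = [], []
    for name in services:
        if starter(name):
            running.append(name)
            continue
        failed.append(name)
        if ignore_service_failure:
            # Existing option: every failure is skipped, fatal ones included.
            log.warning("%s failed to start; ignored", name)
            continue
        if allow_non_fatal and name in NON_FATAL:
            # Proposed behaviour: keep the server up, but tell the admin.
            log.warning("%s failed to start; continuing without it", name)
            continue
        # Behaviour the ticket describes: one failure stops everything.
        for started in reversed(running):
            log.error("stopping %s because %s failed", started, name)
        return [], failed, True
    return running, failed, False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(start_all(SAMPLE_ORDER, fails("CA")))
    print(start_all(SAMPLE_ORDER, fails("CA"), allow_non_fatal=True))
    print(start_all(SAMPLE_ORDER, fails("KDC"), ignore_service_failure=True))
```

The last call shows the gap noted in the ticket: with every failure ignored, the remaining services are left running without a KDC.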

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago
