Issue #6588: replication race condition prevents IPA to install - freeipa

freeipa

#6588 replication race condition prevents IPA to install

Closed: Fixed None Opened 7 years ago by mbasti.

From issue reported here:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00395.html

Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: setting up httpd keytab
  [9/19]: setting up ssl
  [error] NotFound: no such entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    no such entry
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

During installation replica cannot find HTTP service and installer fails.
This is not 100% reproducible, but is is caused by replication when http entry is not replicated on time from master server.

Steps are following (IPA 4.4):
1. install DS on replica
1. create the http service entry on master for replica (using remote_api; install_http_certs(config, fstore, remote_api))
1. install other services, including http
1. http service fails to install in case that ldap entry from is not replicated yet to replica from master

This is reproducible mainly with ca-less install because in that case replication has less time to replicate entries from master.

Proposed fix: wait after install_http_certs until http service entry is replicated