Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1448788
Description of problem:

When installing FreeIPA with an external CA, the second ipa-server-install --external-cert-file=... pass causes the addition of unnecessary /etc/hosts entries, presumably by way of this bit from around line 620 in /usr/lib/python2.7/site-packages/ipaserver/install/server/install.py:

    # installer needs to update hosts file when DNS subsystem will be
    # installed or custom addresses are used
    if options.ip_addresses or options.setup_dns:
        installer._update_hosts_file = True

It appears to be recording the addresses it saw on the first pass, and unconditionally treating them as manually specified command line options on the second.

Version-Release number of selected component (if applicable):

freeipa-server-4.4.4-1.fc25.x86_64
python2-ipaserver-4.4.4-1.fc25.noarch

How reproducible:

100% with --external-ca / --external-cert-file

Steps to Reproduce:

1. Run ipa-server-install --external-ca
2. Sign the resulting CSR
3. Run ipa-server-install --external-cert-file=ipa.pem --external-cert-file=ca.pem

Actual results:

/etc/hosts is modified with all v4/v6 addresses currently present on the host, including dynamic SLAAC and privacy addresses

Expected results:

/etc/hosts is left alone

Additional info:

This is obviously easy to clean up by hand, but appears to be an oversight in the install scripts that'll cause surprises for anyone installing IPA with an external CA on hosts with dynamic or otherwise temporary addresses.
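To make the failure mode in the report concrete, here is a small simulation of the two-pass flow. It is an added illustration written for this page, not FreeIPA's code: only the quoted condition (`if options.ip_addresses or options.setup_dns`) comes from the report, while the helper names (`first_pass`, `second_pass`, `discover_addresses`), the `Options` dataclass, the JSON cache layout and the sample addresses are assumptions. The buggy predicate cannot tell an autodetected address list from one the admin typed, so once the first pass caches discovered addresses, the second pass rewrites /etc/hosts; the fixed variant records whether the addresses were explicitly supplied and keys the decision on that flag instead.

```python
"""Simulation of cached installer options conflating autodetected and
user-supplied addresses. Added example, not FreeIPA code; all names and
the cache format below are assumptions."""
import json
from dataclasses import dataclass, field


def discover_addresses():
    # Constructed sample of what the host currently has configured, including
    # a dynamic SLAAC/privacy-style address that should never reach /etc/hosts.
    return ["192.0.2.10", "2001:db8::1", "2001:db8::a1b2:c3d4:e5f6:7890"]


@dataclass
class Options:
    ip_addresses: list = field(default_factory=list)
    setup_dns: bool = False
    # Hypothetical extra field used by the fixed predicate: was the address
    # list given on the command line, or filled in by autodetection?
    ip_addresses_explicit: bool = False


def should_update_hosts_buggy(options):
    # Condition as quoted in the report: any non-empty ip_addresses list,
    # whatever its origin, marks /etc/hosts for rewriting.
    return bool(options.ip_addresses or options.setup_dns)


def should_update_hosts_fixed(options):
    # Only addresses the admin actually passed count as "custom addresses".
    return bool(options.ip_addresses_explicit or options.setup_dns)


def first_pass(cli_ip_addresses, setup_dns=False):
    """Simulate the --external-ca pass: resolve options, then cache them."""
    opts = Options(setup_dns=setup_dns)
    if cli_ip_addresses:
        opts.ip_addresses = list(cli_ip_addresses)
        opts.ip_addresses_explicit = True
    else:
        # Autodetected addresses are stored in the cache exactly like
        # user-supplied ones; this is the root of the problem.
        opts.ip_addresses = discover_addresses()
    return json.dumps(opts.__dict__)  # assumed cache format


def second_pass(cache, predicate):
    """Simulate the --external-cert-file pass re-reading the cached options."""
    opts = Options(**json.loads(cache))
    return predicate(opts)


if __name__ == "__main__":
    cache = first_pass([])  # no --ip-address given, addresses autodetected
    print("buggy rewrites /etc/hosts:", second_pass(cache, should_update_hosts_buggy))
    print("fixed rewrites /etc/hosts:", second_pass(cache, should_update_hosts_fixed))
```

Run as a script it prints True for the buggy predicate and False for the fixed one on a host where no addresses were passed explicitly; passing an explicit address list still yields True under the fixed predicate, which is the behaviour the original comment in the installer describes.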
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1448788
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7 - Issue tagged with: bug
Confirmed that options.ip_addresses is stored in the cached file, so it appears as if it was passed as an option when re-read for the second round.
It just isn't obvious to me why this is a problem. Asked for info in the BZ.
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Just confirmed that this still happens in 4.8.4 on F31, which now appears wholly unnecessary since the installation fails (with CA_UNREACHABLE errors) unless the system's name is resolvable in the DNS anyway.