#6984 ipa-server-install modifies /etc/hosts unnecessarily during external CA install
Opened 3 years ago by pvoborni. Modified 4 months ago

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1448788

Description of problem:

When installing FreeIPA with an external CA, the second ipa-server-install
--external-cert-file=... pass causes the addition of unnecessary /etc/hosts
entries, presumably by way of this bit from around line 620 in
/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py:

    # installer needs to update hosts file when DNS subsystem will be
    # installed or custom addresses are used
    if options.ip_addresses or options.setup_dns:
        installer._update_hosts_file = True

It appears to be recording the addresses it saw on the first pass, and
unconditionally treating them as manually specified command line options on the
second.


Version-Release number of selected component (if applicable):

freeipa-server-4.4.4-1.fc25.x86_64
python2-ipaserver-4.4.4-1.fc25.noarch


How reproducible:

100% with --external-ca / --external-cert-file


Steps to Reproduce:
1. Run ipa-server-install --external-ca
2. Sign the resulting CSR
3. Run ipa-server-install --external-cert-file=ipa.pem --external-cert-file=ca.pem


Actual results:

/etc/hosts is modified with all v4/v6 addresses currently present on the host,
including dynamic SLAAC and privacy addresses


Expected results:

/etc/hosts is left alone


Additional info:

This is obviously easy to clean up by hand, but appears to be an oversight in
the install scripts that'll cause surprises for anyone installing IPA with an
external CA on hosts with dynamic or otherwise temporary addresses.
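The two-pass behaviour described in the report, modelled as an added example (not FreeIPA code): pass one auto-detects addresses and persists them, pass two re-reads the cache and the quoted predicate fires. The cache format, the `first_pass`/`second_pass` helpers, and the argv-based fix are assumptions for illustration; only `ip_addresses`, `setup_dns` and `_update_hosts_file` come from the report's snippet.

```python
"""Model of the two-pass external-CA install from the report (added example,
not FreeIPA code). The cache round-trip and the argv check are assumptions."""
from dataclasses import dataclass, field

# Constructed sample: addresses the installer would detect on the host,
# including a dynamic SLAAC/privacy-style IPv6 address.
DETECTED = ["192.0.2.10", "2001:db8::1", "2001:db8::a1b2:c3d4:e5f6:1234"]


@dataclass
class Options:
    ip_addresses: list = field(default_factory=list)
    setup_dns: bool = False
    external_ca: bool = False
    external_cert_file: str = ""


def first_pass(options: Options) -> dict:
    """Pass 1 (--external-ca): nothing given on the CLI, so the installer
    detects addresses, stores them in options.ip_addresses and caches them."""
    if not options.ip_addresses:
        options.ip_addresses = list(DETECTED)  # detected, not user-supplied
    return {"ip_addresses": options.ip_addresses, "setup_dns": options.setup_dns}


def needs_hosts_update_buggy(options: Options) -> bool:
    """The predicate quoted in the report: any non-empty list triggers it."""
    return bool(options.ip_addresses) or options.setup_dns


def needs_hosts_update_fixed(options: Options, cli_argv: list) -> bool:
    """Assumed fix: only addresses explicitly passed on *this* invocation
    (--ip-address=...) or --setup-dns justify touching /etc/hosts."""
    explicit = any(a.startswith("--ip-address") for a in cli_argv)
    return explicit or options.setup_dns


def second_pass(cache: dict, cli_argv: list) -> tuple:
    """Pass 2 (--external-cert-file): options come back from the cache, so
    detected addresses reappear as if they had been passed as options.
    Returns (buggy_decision, fixed_decision) for _update_hosts_file."""
    options = Options(ip_addresses=list(cache["ip_addresses"]),
                      setup_dns=cache["setup_dns"],
                      external_cert_file="ipa.pem")
    return (needs_hosts_update_buggy(options),
            needs_hosts_update_fixed(options, cli_argv))


if __name__ == "__main__":
    cache = first_pass(Options(external_ca=True))
    print(second_pass(cache, ["ipa-server-install",
                              "--external-cert-file=ipa.pem",
                              "--external-cert-file=ca.pem"]))
```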

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1448788

3 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7
- Issue tagged with: bug

3 years ago

Confirmed that options.ip_addresses is stored in the cached file, so it appears as if it was passed as an option when re-read for the second round.

It just isn't obvious to me why this is a problem. Asked for info in the BZ.

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Just confirmed that this still happens in 4.8.4 on F31, which now appears wholly unnecessary since the installation fails (with CA_UNREACHABLE errors) unless the system's name is resolvable in the DNS anyway.
