#7566 Installation of replica against a specific master
Closed: fixed a year ago Opened 2 years ago by pvoborni.

This can be viewed as both RFE and a bug.

Request for enhancement

As an administrator, I want to install a replica (promote a client) against a specific server so that it doesn't pick a replica which is unreachable (e.g. the replica is on a different site) for the to-be-promoted client. It should not require communicating with other servers, as they might be unreachable.

Issue

A replica has several steps when it communicates with another master: getting secrets, creation of service principals, requests for certificates, replication of the domain and CA suffixes. It is not guaranteed that all operations will be done against a single master. This can be a cause of race conditions when something is created on one master, but the replica communicates with another master where it was not yet replicated, thus failing the installation.

Also, in environments with split topology (error state), the replica installation can be a CA server in a disconnected CA suffix and thus fail.

Actual behavior

In some race conditions and error conditions, replica installation might fail.

Expected behavior

Replica installation will be more robust.

So the use cases are:

  • installation of a replica in a network with some masters behind a firewall
  • more robust installation, e.g. multiple replicas in parallel, in split topology

Version/Release/Distribution

$ every IPA release till this date (May 28 2018 - unreleased 4.7), maybe after an introduction of replica promotion

Additional information:

A proposal for behavior:

  • If the supplied master doesn't fulfill prerequisites - e.g. doesn't have a CA/KRA server - then the installation should fail.
  • If no server is provided, then the replica should pick one automatically (e.g. similarly as now) and then behave as if it was picked
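
The race described in this ticket and the proposed behavior, as an added Python model that is not FreeIPA code: each master holds its own not-yet-replicated directory copy, and an unpinned install runs its second step against a different master. The `Master` class, the function names and the `*.example.test` hosts are constructed for illustration.

```python
class Master:
    def __init__(self, name, roles, reachable=True):
        self.name, self.roles, self.reachable = name, set(roles), reachable
        self.entries = set()  # local directory copy, not yet replicated to peers

def pick_master(masters, required_roles, server=None):
    """Return the single master to use; fail if a supplied one is unsuitable."""
    required = set(required_roles)
    candidates = [masters[server]] if server else list(masters.values())
    for m in candidates:
        if m.reachable and required <= m.roles:
            return m
    if server:
        raise RuntimeError(f"{server} is unreachable or lacks {sorted(required)}")
    raise RuntimeError("no reachable master provides the required roles")

def create_principal(master, principal):
    master.entries.add(principal)

def request_certificate(master, principal):
    # The certificate step needs the principal created by the earlier step.
    if principal not in master.entries:
        raise LookupError(f"{principal} not found on {master.name}")
    return f"cert for {principal} issued via {master.name}"

def install(masters, principal, server=None, pinned=True):
    first = pick_master(masters, {"CA"}, server)
    create_principal(first, principal)
    if pinned:
        second = first  # every step talks to the same master
    else:
        # Unpinned: a fresh lookup may land on another eligible master.
        others = [m for m in masters.values()
                  if m is not first and m.reachable and "CA" in m.roles]
        second = others[0] if others else first
    return request_certificate(second, principal)

def demo_masters():
    # Constructed topology: two CA masters, one master without a CA.
    return {
        "m1.example.test": Master("m1.example.test", {"CA"}),
        "m2.example.test": Master("m2.example.test", {"CA", "KRA"}),
        "m3.example.test": Master("m3.example.test", set()),
    }

if __name__ == "__main__":
    print(install(demo_masters(), "ldap/replica.example.test",
                  server="m2.example.test"))
```
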

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6.4

2 years ago

Metadata Update from @frenaud:
- Issue priority set to: important

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

a year ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1591824

a year ago

PR https://github.com/freeipa/freeipa/pull/2048 addresses one issue with CA replication peer selection.

master:

  • 8c3ff03 Always set ca_host when installing replica

ipa-4-6:

  • 14519c2 Always set ca_host when installing replica

ipa-4-5:

  • 2c471b5 Always set ca_host when installing replica

master:

  • 7c2ca14 Query for server role IPA master
  • 10457a0 Only create DNS SRV records for ready server
  • 7284097 Delay enabling services until end of installer

ipa-4-5:

  • 4085d1e Query for server role IPA master
  • 54a7eef Only create DNS SRV records for ready server
  • 2142a5b Delay enabling services until end of installer

ipa-4-6:

  • e70c922 Query for server role IPA master
  • ce88908 Only create DNS SRV records for ready server
  • 8fd206f Delay enabling services until end of installer

master:

  • f294127 replicainstall: DS SSL replica install pick right certmonger host

ipa-4-6:

  • f5aa209 replicainstall: DS SSL replica install pick right certmonger host

master:

  • 199d50a Fix race condition in get_locations_records()

ipa-4-6:

  • 3679e6a Fix race condition in get_locations_records()

ipa-4-5:

  • ec60901 replicainstall: DS SSL replica install pick right certmonger host
  • 5ef8333 Fix race condition in get_locations_records()
  • a9cc862 Tune DS replication settings
  • 79fe981 Auto-retry failed certmonger requests
  • f3dd0cb Wait for client certificates

master:

  • 9222a08 Fix DNSSEC install regression

ipa-4-5:

  • 56e0309 Fix DNSSEC install regression

ipa-4-6:

  • 87466d1 Fix DNSSEC install regression

master:

  • f89e501 Handle races in replica config

ipa-4-6:

  • 2394463 Handle races in replica config

ipa-4-5:

  • 572103d Handle races in replica config

master:

  • 6175672 Do not set ca_host when --setup-ca is used

ipa-4-6:

  • c4481d7 Do not set ca_host when --setup-ca is used

ipa-4-5:

  • 35958aa Do not set ca_host when --setup-ca is used

ipa-4-7:

  • 15ce6c8 Do not set ca_host when --setup-ca is used

master:

  • 2a227c2 ipa-replica-install: fix pkinit setup
  • bcfd18f Tests: test successful PKINIT install on replica

ipa-4-5:

  • 2ff9684 ipa-replica-install: fix pkinit setup
  • 5b8531e Tests: test successful PKINIT install on replica

ipa-4-6:

  • e02041d ipa-replica-install: fix pkinit setup
  • 2a2fd08 Tests: test successful PKINIT install on replica

ipa-4-7:

  • 09c78a1 ipa-replica-install: fix pkinit setup
  • 5ea8f8a Tests: test successful PKINIT install on replica

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

master:

  • 802e54d replica install: enforce --server arg

ipa-4-8:

  • c845ef0 replica install: enforce --server arg

ipa-4-7:

  • 6c5e72a replica install: enforce --server arg

ipa-4-6:

  • 22e4eef replica install: enforce --server arg

master:

  • c2c1000 Installation of replica against a specific server
  • c77bbe7 Add test to nightly yamls

ipa-4-8:

  • b6134e8 Installation of replica against a specific server
  • b585e58 Add test to nightly yamls.

ipa-4-7:

  • e12fa0b Installation of replica against a specific server
  • 16c794d add test to nightly yaml

ipa-4-6:

  • f4dc0ee Installation of replica against a specific server
  • 9b3855e Add test to nightly.yaml
