If a replica installation fails before all the services have been enabled then it could leave things in a bad state.
The server-role code will try to enforce that all masters with a given service have that service as enabled.
We delay enablement until the successful end of installation so things are left in a non-working state.
This can be confirmed with: ipa config-show
This has been reported multiple times upstream but we never were able to gather enough information at the time:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/UEROPENXUV4IVNCU346GLU62Q7KWEJC3/
Hats off to Doug Ledford for tracking down the issue to ipaConfigString being set to configuredService rather than enabledService.
Off the top of my head in no particular order.
The reproducer works best with HTTP service. It didn't make a difference when I modified CA or KRA service. After I enabled debug mode, I got this traceback:
HTTP
ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 370, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 478, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 800, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/baseldap.py", line 1340, in execute
    self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/config.py", line 567, in post_callback
    entry_attrs, "CA server", "IPA master", **options)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/config.py", line 306, in show_servroles_attributes
    self.update_entry_with_role_config(role, entry_attrs)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/config.py", line 286, in update_entry_with_role_config
    role_config = backend.config_retrieve(role_name)
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/serverroles.py", line 143, in config_retrieve
    attr_value = attr.get(self.api)
  File "/usr/lib/python3.7/site-packages/ipaserver/servroles.py", line 289, in get
    {'role': self.associated_role.name})
ipalib.errors.ValidationError: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
I don't know why we have the check in the first place. It looks like a sanity check. I had to modify the _get_assoc_role_providers method for hidden replicas. We could consider configured services as valid services, too.
_get_assoc_role_providers: https://github.com/freeipa/freeipa/blob/713c9b0ce89ce9835b78c25d3c7b46bb0d71bd83/ipaserver/servroles.py#L346-L353
Metadata Update from @cheimes:
- Issue priority set to: critical (was: important)
- Issue set to the milestone: FreeIPA 4.6.6
Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3093
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
A workaround to be able to remove the master causing the issue is to mark its services as enabled and then immediately delete it.
To mark the services as enabled run this python script:
from ipaserver.install import service
from ipalib import api

# Bootstrap the server-side API and open the LDAP backend connection
api.bootstrap(in_server=True, context='fixme')
api.finalize()
api.Backend.ldap2.connect()

# Flip every configuredService on the half-installed master to enabledService
service.enable_services(u'master_that_failed_install')
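Before running the workaround you want to know which master is the half-installed one. The following is an added example, not FreeIPA's own code, that reads ipaConfigString values from service entries under cn=masters and lists masters that still carry configuredService. It works on plain (dn, attrs) tuples so it runs offline; the entries below are constructed, and the DN layout cn=<SERVICE>,cn=<master>,cn=masters,cn=ipa,cn=etc,<suffix> is assumed to match what an ldapsearch of that subtree returns.

```python
"""Find IPA masters whose service entries were left as configuredService
instead of enabledService (the leftover state described in this ticket).

Added example, not FreeIPA's own code.  Assumption: service entries live at
cn=<SERVICE>,cn=<master>,cn=masters,cn=ipa,cn=etc,<suffix> and carry
ipaConfigString values such as enabledService / configuredService.
"""
from collections import defaultdict

ENABLED = "enabledService"
CONFIGURED = "configuredService"

# Constructed sample of what an ldapsearch of cn=masters might return.
SAMPLE_ENTRIES = [
    ("cn=HTTP,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     {"ipaConfigString": ["enabledService", "startOrder 30"]}),
    ("cn=KDC,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     {"ipaConfigString": ["enabledService", "pkinitEnabled"]}),
    # replica whose install died before enable_services() ran
    ("cn=HTTP,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     {"ipaConfigString": ["configuredService", "startOrder 30"]}),
    ("cn=KDC,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     {"ipaConfigString": ["configuredService"]}),
    # the master container itself is not a service entry and must be skipped
    ("cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     {"objectClass": ["top", "nsContainer"]}),
]


def parse_service_dn(dn):
    """Return (service, master) for a service entry DN, else None.

    Splits on ',' only; escaped commas inside RDN values are not handled.
    """
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 5 or rdns[2].lower() != "cn=masters":
        return None
    svc, master = rdns[0], rdns[1]
    if not (svc.lower().startswith("cn=") and master.lower().startswith("cn=")):
        return None
    return svc[3:], master[3:]


def service_states(entries):
    """Map master -> {service: state} derived from ipaConfigString."""
    states = defaultdict(dict)
    for dn, attrs in entries:
        parsed = parse_service_dn(dn)
        if parsed is None:
            continue
        svc, master = parsed
        flags = set(attrs.get("ipaConfigString", []))
        if ENABLED in flags:
            state = ENABLED
        elif CONFIGURED in flags:
            state = CONFIGURED
        else:
            state = "unknown"
        states[master][svc] = state
    return dict(states)


def find_half_installed(entries):
    """Masters with at least one service configured but never enabled."""
    return sorted(master for master, svcs in service_states(entries).items()
                  if any(state == CONFIGURED for state in svcs.values()))


if __name__ == "__main__":
    for master in find_half_installed(SAMPLE_ENTRIES):
        svcs = service_states(SAMPLE_ENTRIES)[master]
        print(master, {s: st for s, st in svcs.items() if st == CONFIGURED})
```

To use it against a real deployment, feed it the output of an ldapsearch over the cn=masters,cn=ipa,cn=etc,<suffix> subtree requesting the ipaConfigString attribute (for example via python-ldap's search_s, whose result is already a list of (dn, attrs) pairs, with the byte values decoded first). The master it reports is the one to pass to service.enable_services() in the workaround above and then remove.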
Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1712794
Issue linked to Bugzilla: Bug 1712794
ipa-4-8: