Issue #8794: Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35 - freeipa

freeipa

#8794 Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35

Closed: fixed 3 years ago by frenaud. Opened 3 years ago by abbra.

When fixing https://pagure.io/freeipa/issue/8150, one use case was missed and is now failing FreeIPA deployment in Rawhide with systemd-resolved from systemd-248-1.fc35.

...
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/install.py", line 688, in install_check
    dns.install_check(False, api, False, options, host_name)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dns.py", line 148, in install_check
    dnsutil.check_zone_overlap(reverse_zone)
  File "/usr/lib/python3.9/site-packages/ipapython/dnsutil.py", line 450, in check_zone_overlap
    raise ValueError(msg)

2021-04-05T13:40:35Z DEBUG The ipa-server-install command failed, exception: ValueError: DNS check for domain 2.16.172.in-addr.arpa. failed: All nameservers failed to answer the query 2.16.172.in-addr.arpa. IN SOA: Server 127.0.0.53 UDP port 53 answered SERVFAIL.
2021-04-05T13:40:35Z ERROR DNS check for domain 2.16.172.in-addr.arpa. failed: All nameservers failed to answer the query 2.16.172.in-addr.arpa. IN SOA: Server 127.0.0.53 UDP port 53 answered SERVFAIL.

This can be seen in OpenQA run https://openqa.fedoraproject.org/tests/842610#step/role_deploy_domain_controller/35

abbra commented 3 years ago

check_zone_overlap() raises an exception ValueError in the case when SERVFAIL is returned by the DNS server but we don't look for ValueError anymore in install_check() when performing a reverse zone check.

I think we need to add one more dnsutil exception class to make sure the caller of chack_zone_overlap() can distinguish failed-to-resolve zones from non-existing ones. Then install_check() can decide what to do with such zones. At this point of installation we should probably treat SERVFAIL as a sign that this reverse zone has never existed and proceed with the deployment because we'd own the reverse zone.

abbra commented 3 years ago

PR: https://github.com/freeipa/freeipa/pull/5708

Metadata Update from @abbra:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5708
- Issue assigned to abbra

3 years ago

frenaud commented 3 years ago

master:

48ef179 ipaserver/install/dns: handle SERVFAIL when checking reverse zone

frenaud commented 3 years ago

ipa-4-9:

aea2c9f ipaserver/install/dns: handle SERVFAIL when checking reverse zone

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1948034

3 years ago

Metadata

Assignee

abbra

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

https://github.com/freeipa/freeipa/pull/5708

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1948034

tester

None

changelog

None

design

None

freeipa

Source Code

#8794 Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35 Closed: fixed 3 years ago by frenaud. Opened 3 years ago by abbra.

Metadata

#8794 Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35

Closed: fixed 3 years ago by frenaud. Opened 3 years ago by abbra.