#9491 CA less servers are failing to be added in topology segment for domain suffix
Closed: fixed a year ago by frenaud. Opened a year ago by rcritten.

Issue

While creating a topology segment for 2 caless servers, the ipa topologysegment add command is failing.

Steps to Reproduce

  1. install ipa server with ca
  2. install caless replica1 against master
  3. install caless replica2 against replica1
  4. ipa topologysegment-add --leftnode=master.testrealm.test --rightnode=replica2.testrealm.test domain Line1_seg_1

Actual behavior

The command failed to add the topology segment (it exists).

Expected behavior

In RHEL9.3, the command used to work, i.e. the topology segment was added.


This is related to the server affinity changes made upstream in https://pagure.io/freeipa/issue/9289

It picks master because, ostensibly, replica1 doesn't have a CA on it:

Discovery: available servers for service 'CA' are master.testrealm.test
Discovery: using master.testrealm.test for 'CA' service

A split-brain installation can cause racing but that isn't the case here. The replica install is CAless so there should be no issue.

Looks like if the selected host does not contain a CA then it unconditionally switches to one that does, regardless of whether a CA will be installed locally or not.
The CA host(s) are queried so we know who to request certificates from. This should not necessarily affect who we create agreements with, particularly if the user provides a server to connect to.

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/FREEIPA-10626

a year ago
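
Added example (not FreeIPA code and not part of the original ticket): a simplified Python model of the server selection described above, showing why step 4 of the report fails with "it exists" and why keeping the user-requested server avoids it. The function names, the replica1 hostname and the rule that the replication peer follows the CA host only when a CA is installed locally are assumptions drawn from the ticket text.

```python
from typing import NamedTuple

MASTER = "master.testrealm.test"      # has the CA
REPLICA1 = "replica1.testrealm.test"  # CA-less (hostname constructed)
REPLICA2 = "replica2.testrealm.test"  # CA-less

class Plan(NamedTuple):
    replication_peer: str  # server the new replica gets a domain segment with
    ca_host: str           # server certificates are requested from

def select_before_fix(requested, ca_servers, setup_ca):
    # Reported behaviour: a requested server without a CA is replaced by a
    # CA server unconditionally, even for a CA-less install.
    remote = requested if requested in ca_servers else sorted(ca_servers)[0]
    return Plan(remote, remote)

def select_after_fix(requested, ca_servers, setup_ca):
    # Modelled fix: the CA host is still looked up for certificate requests,
    # but the replication peer follows it only when a CA is installed locally.
    ca_host = requested if requested in ca_servers else sorted(ca_servers)[0]
    return Plan(ca_host if setup_ca else requested, ca_host)

def install_replica(segments, name, plan):
    # A replica install creates one domain segment with its replication peer.
    return segments | {frozenset((name, plan.replication_peer))}

def segment_add(segments, left, right):
    # Stand-in for `ipa topologysegment-add`: refuses a segment that exists.
    seg = frozenset((left, right))
    return (segments, False) if seg in segments else (segments | {seg}, True)

def reproduce(select):
    # Steps 1-4 of the report; every replica install here is CA-less.
    ca_servers = {MASTER}
    segments = frozenset()
    segments = install_replica(segments, REPLICA1, select(MASTER, ca_servers, False))
    segments = install_replica(segments, REPLICA2, select(REPLICA1, ca_servers, False))
    return segment_add(segments, MASTER, REPLICA2)[1]  # step 4

if __name__ == "__main__":
    print("before fix, step 4 succeeds:", reproduce(select_before_fix))
    print("after fix,  step 4 succeeds:", reproduce(select_after_fix))
```
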

master:

  • 2a95a05 Server affinity: Retain user-requested remote server

ipa-4-11:

  • d2ffa10 Server affinity: Retain user-requested remote server

ipa-4-10:

  • fdc27b2 Server affinity: Retain user-requested remote server

ipa-4-9:

  • 3add9ba Server affinity: Retain user-requested remote server

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
a year ago

Additional patches are needed:
master:

  • 3645543 Server affinity: Don't rely just on [ca|kra]_enabled for installs

ipa-4-11:

  • 851ce93 Server affinity: Don't rely just on [ca|kra]_enabled for installs

ipa-4-10:

  • a55f331 Server affinity: Don't rely just on [ca|kra]_enabled for installs

ipa-4-9:

  • 701339d Server affinity: Don't rely just on [ca|kra]_enabled for installs
