Bug 1204254
Summary: | when configuring freeipa-server on a machine with IPv6 it seems to ignore IPv4 configuration | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Peter Robinson <pbrobinson> |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 22 | CC: | abokovoy, dkupka, ipa-maint, mkosek, pbrobinson, pvoborni, rcritten, ssorce |
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | freeipa-4.2.2-1.fc23 | Doc Type: | Bug Fix |
Last Closed: | 2015-10-11 16:02:51 UTC | Type: | Bug |
Description
Peter Robinson
2015-03-20 17:22:24 UTC
Sorry it took us too long to answer. David, can you please advise with this one?

I've done some more testing now I have it running and it doesn't seem to support dual stack IPv4/IPv6 very well at all.

1) I had to set up the IPv4 reverse zone and DNS records on the IPA server
2) The IPA client on setting up a host doesn't register both IPs. It registers the IPv6 forward/reverse lookup records but not the IPv4 A/PTR records so you have to do this manually afterwards
3) When using --enable-dns-updates it doesn't seem to update the records (although I have to do more testing with this one)

(In reply to Peter Robinson from comment #2)
> I've done some more testing now I have it running and it doesn't seem to
> support dual stack IPv4/IPv6 very well at all.

IIRC ipa-server-install works this way:
1. Try to resolve all IP addresses.
2. Checks if each resolved address is assigned to some interface.
3. If not installing with DNS server and IP addresses were provided check that all of them were resolved. Use only provided.

So, if hostname of your IPA server resolves to IPv6 address only and you don't provide --ip-address <IPv4-address> it gets configured with only IPv6 addresses.

> 1) I had to set up the IPv4 reverse zone and DNS records on the IPA server

It should be added automatically if the address is specified/resolved during installation.

> 2) The IPA client on setting up a host doesn't register both IPs. It
> registers the IPv6 forward/reverse lookup records but not the IPv4 A/PTR
> records so you have to do this manually afterwards
>
> 3) When using --enable-dns-updates it doesn't seem to update the records
> (although I have to do more testing with this one)

Actually, ipa-client does this (https://fedorahosted.org/freeipa/ticket/4249) but we're still waiting for SSSD (https://fedorahosted.org/sssd/ticket/2558). Right now ipa-client-install adds all IP addresses to DNS but updates are performed by SSSD and it replaces the records with just one.

From comment 1:

IP address(es): 2001:02e3:1b11:2681:9259:afff:fe69:c71

it seems that the issue is with step 1 - IP address resolution. FreeIPA uses socket.getaddrinfo function to get the list of IPs. It usually does a DNS lookup. In python console try:

    import socket
    socket.getaddrinfo('my.server.hostname', None, socket.AF_UNSPEC, socket.SOCK_STREAM)

Does it return only one or multiple addresses?

As David wrote, if the IP addresses are not resolvable, they have to be explicitly defined.

IMHO not a bug (client installation is handled in bug 1076262)

> 3. If not installing with DNS server and IP addresses were provided check
> that all of them were resolved. Use only provided.

I was installing the DNS (the questions about configuring of forwarders, and reverse zones above indicate that).

> So, if hostname of your IPA server resolves to IPv6 address only and you
> don't provide --ip-address <IPv4-address> it gets configured with only IPv6
> addresses.

My existing local DNS server has IPv4 for forward/reverse configured but nothing for IPv6 so in that case I would expect it to be ignoring the IPv6 not IPv4.

> > 1) I had to set up the IPv4 reverse zone and DNS records on the IPA server
>
> It should be added automatically if the address is specified/resolved during
> installation.

It wasn't specified but then I would expect if configuring DNS (I was) it would ignore resolving and if there's an IPv4 address and a global IPv6 address configure both.

> > 2) The IPA client on setting up a host doesn't register both IPs. It
> > registers the IPv6 forward/reverse lookup records but not the IPv4 A/PTR
> > records so you have to do this manually afterwards

You mention below that ipa-client does this, so presumably it should have been configured initially and not updated later. It wasn't, I'm not sure if that's a side effect of the above or not though.

> > 3) When using --enable-dns-updates it doesn't seem to update the records
> > (although I have to do more testing with this one)
>
> Actually, ipa-client does this
> (https://fedorahosted.org/freeipa/ticket/4249) but we're still waiting for
> SSSD (https://fedorahosted.org/sssd/ticket/2558). Right now
> ipa-client-install adds all IP addresses to DNS but updates are performed by
> SSSD and it replaces the records with just one.

TBH I'm not sure if no records or incorrect records (if configured initially) is worse

(In reply to Petr Vobornik from comment #4)
> From comment 1:
>
> IP address(es): 2001:02e3:1b11:2681:9259:afff:fe69:c71
>
> it seems that the issue is with step 1 - IP address resolution.

See comments about DNS configuration.

> As David wrote, if the IP addresses are not resolvable, they have to be
> explicitly defined.

Actually David wrote: "If not installing with DNS server and IP addresses were provided check that all of them were resolved. Use only provided."

So I read that as "if they're not resolvable and we're not configuring DNS they have to be explicitly defined" which makes perfect sense because:

1) if we're configuring a DNS server we'll register all our addresses and records in the DNS we're configuring to serve our domain/IPA instance
2) if we're using another DNS server the IPA instance needs to be properly resolvable (whether to another IPA instance for a replica or to something like AD for other use cases) and if not...
3) we need to manually specify the IPs so we explicitly know what we're dealing with

I was doing 1) which I've done literally dozens of times on customer sites with single stack without issue, I've got 3 stand alone instances running myself on different networks, this is the first time I've done it with dual stack.

It's not clear to me what were the DNS and IP address related configuration options you used and what is the expected behavior.

If we're configuring DNS, installer uses one of:
a) resolved addresses
b) addresses stated by --ip-address (ignores (a))
c) asks user for addresses if a) returned nothing and b) was not used

Therefore if you used `--ip-address IPv6Address` option then installer ignores the resolved IPv4 address and uses only the IPv6 one and then configures only the IPv6 reverse zone.
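
The address-selection rules described in the comments above, as an added example (not FreeIPA's code and not written by any commenter): a pre-install check that reports which IP versions would be left unconfigured on a dual-stack host. The function names, the caller-supplied `local` interface list, and the sample resolver and addresses are constructed for illustration.

```python
import ipaddress
import socket


def resolve(hostname, getaddrinfo=socket.getaddrinfo):
    """Unique addresses for hostname, using the getaddrinfo call quoted in the thread."""
    try:
        infos = getaddrinfo(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    found = []
    for info in infos:
        addr = ipaddress.ip_address(info[4][0].split("%")[0])  # drop any zone id
        if addr not in found:
            found.append(addr)
    return found


def audit(hostname, local, provided=(), getaddrinfo=socket.getaddrinfo):
    """local: addresses on this host's interfaces; provided: --ip-address values."""
    local = [ipaddress.ip_address(a) for a in local]
    resolved = resolve(hostname, getaddrinfo)
    if provided:      # rule b) explicit addresses override resolution
        selected, source = [ipaddress.ip_address(a) for a in provided], "provided"
    elif resolved:    # rule a) use whatever the name resolves to
        selected, source = resolved, "resolved"
    else:             # rule c) nothing resolved, the installer would ask
        selected, source = [], "prompt"
    usable = {a.version for a in local if not (a.is_loopback or a.is_link_local)}
    return {
        "source": source,
        "selected": [str(a) for a in selected],
        "unassigned": [str(a) for a in selected if a not in local],
        "missing_versions": sorted(usable - {a.version for a in selected}),
    }


# Constructed sample: the name resolves to AAAA only on a dual-stack host.
def aaaa_only(host, port, family, socktype):
    return [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 0, 0, 0))]


LOCAL = ["127.0.0.1", "192.0.2.10", "fe80::1", "2001:db8::10"]

if __name__ == "__main__":
    print(audit("ipa.example.test", LOCAL, getaddrinfo=aaaa_only))
```

A non-empty `missing_versions` means the host has a usable address of that IP version that the selected set does not cover. On a typical glibc system `getaddrinfo` consults `/etc/hosts` before DNS, so a single-family entry left there produces the same result.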
> Therefore if you used `--ip-address IPv6Address` option then installer
> ignores the resolved IPv4 address and uses only the IPv6 one and then
> configures only the IPv6 reverse zone.
I didn't specify any IP address options because I wanted it configured on all IPs, I did specify --setup-dns

Could you propose a behavior you would find user-friendly and intuitive? Feedback from day-to-day users is valuable to us.

The reasoning behind current behavior is: We assume that if there is DNS server in the network the safest will be to configure the same unless user specifies otherwise.

Was it a first run of the installer? I've noticed a bug where installer left IPv6 address in /etc/hosts when installation with IPv6 + IPv4 address was canceled. The subsequent run used only this address.

David, isn't this bug fixed in new FreeIPA 4.2.1 release?

I believe it is upstream ticket 5266 (https://fedorahosted.org/freeipa/ticket/5266) and it was fixed in FreeIPA 4.2.1.

I'll be testing it shortly on F-23

moving to post according to comment 12

freeipa-4.2.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

    $ su -c 'dnf --enablerepo=updates-testing update freeipa'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4abcc8b937

freeipa-4.2.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.