Bug 1326425
| Summary: | [RFE] Add utility to promote CA replica to CRL master | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Thorsten Scherf <tscherf> | |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> | |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.0 | CC: | edewata, fcami, frenaud, gparente, mkosek, msauton, ndehadra, pasik, pvoborni, rcritten, ssidhaye, tmihinto, tscherf, twoerner | |
| Target Milestone: | rc | Keywords: | FutureFeature | |
| Target Release: | 8.1 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.7.90.pre1-3 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1690037 (view as bug list) | Environment: | ||
| Last Closed: | 2019-11-05 20:52:26 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1683261 | |||
| Bug Blocks: | 1550132, 1644708, 1690037 | |||
|
Description
Thorsten Scherf
2016-04-12 15:56:40 UTC
Linking bz 1326425 and salesforce case 01700517 (symcor) We need to rise the priority of IdM failover on RHEL 7 faster as replica are more often added and removed, and hosts have shorter life time. The current IdM is seen as "single point of failure" with the manual configuration changes required. And it gives a false sense of fail-over feature when we suggest to setup a CA on a replica. For example preparing a replica on a replica running a clone ca will result in a replica installation failure related to the PKI "security domain" in the pkisilent step, which is currently working "as designed", but not good in a deployment. Upstream FreeIPA 5803 is too far in 4.5 backlog Add utility to promote CA replica to CRL master https://fedorahosted.org/freeipa/ticket/5803 Upstream FreeIPA 4911 is in "Future Releases" [RFE] Share CRLs between servers https://fedorahosted.org/freeipa/ticket/4911 Upstream Dogtag 1259 is for 10.4 which is far away, like "Future Releases" Replicated CRL generation https://fedorahosted.org/pki/ticket/1259 For upcoming months or more the FreeIPA/IdM team is focusing on stability, testability of FreeIPA/IdM and thus postponing any RFEs or non-critical bugs. (In reply to Marc Sauton from comment #1) > Linking bz 1326425 and salesforce case 01700517 (symcor) > > We need to rise the priority of IdM failover on RHEL 7 faster as replica are > more often added and removed, and hosts have shorter life time. > The current IdM is seen as "single point of failure" with the manual > configuration changes required. > And it gives a false sense of fail-over feature when we suggest to setup a > CA on a replica. > For example preparing a replica on a replica running a clone ca will result > in a replica installation failure related to the PKI "security domain" in > the pkisilent step, which is currently working "as designed", but not good > in a deployment. The CRL master has absolutely nothing to do with failover. Lacking one will not affect normal operation at all, particularly installation. A single CRL master is used to avoid the real possibility that multiple masters could generate CRLs with different contents. Design page: https://www.freeipa.org/page/V4/Promotion_to_CRL_generation_master There was initial implementation in PR https://github.com/freeipa/freeipa/pull/2053 But it was closed and not-merged with: """ The design was to do this as an ipa-advise plugin and after implementing it I think it was a mistake. This is a rather large python module that generates a rather large bash script. It would be far more maintainable to create a standalone python script to perform the change, ipa-crl-master or something. We could also include a man page for this which isn't possible for an advise script. """ During RHEL-7.7 replanning, it was decided that we would target primarily RHEL-8 product for this feature Fixed upstream master: https://pagure.io/freeipa/c/0d23fa92788b1258005e46920505d9b768d30799 https://pagure.io/freeipa/c/4e3a64f70316c98a18e403486f6f8afcec5e24e4 https://pagure.io/freeipa/c/2e73c964e5896eb18006e1ae8b70f2faef484ab3 Fixed upstream ipa-4-7: https://pagure.io/freeipa/c/52770aa5f9223eb26f42b301e54b228708ba83cc https://pagure.io/freeipa/c/67533b3a1d037f314ad013572e0892ec85ffc288 https://pagure.io/freeipa/c/e654a1b9189e38aafa5faa72cb9587262e13cec2 Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/af5abe0d743155953aa91c8e49f9d0199e5fe78a https://pagure.io/freeipa/c/8fa3e9bf55062bbb6bcf255cc2a0142946adf5c2 https://pagure.io/freeipa/c/52e259b3fe9b6b07cafb7e1b2eea5d7e201a2878 Build used for verification: ipa-common-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch ipa-server-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.x86_64 ipa-server-common-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch ipa-server-dns-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch ipa-client-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.x86_64 ipa-client-common-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch Tests performed: following scenarios are tested 1. test master enable crlgen already enabled 2. test master disable crlgen 3. test master disable crlgen already disabled 4. test master enable crlgen 5. test crlgen status on replica 6. test crlgen disable on caless replica 7. test crlgen enable on caless replica 8. test crlgen enable on ca replica 9. test crlgen enable on broken master 10. test crlgen disable on broken master 11. test crlgen enable on broken replica 12. test crlgen disable on broken replica 13. test uninstall without ignore last of role 14. test uninstall with ignore last of role 15. test uninstall last master does not require ignore last of role Hence marking this bugzilla as verified. Attaching the junit XML for reference. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3348 |