Bug 1364139

Summary:

When master's IP address does not resolve to its name, ipa-replica-install fails

Product:

Red Hat Enterprise Linux 8

Reporter:

Jan Pazdziora <jpazdziora>

Component:

ipa

Assignee:

Florence Blanc-Renaud <frenaud>

Status:

ASSIGNED ---

QA Contact:

Kaleem <ksiddiqu>

Severity:

unspecified

Docs Contact:

Priority:

medium

Version:

8.0

CC:

cobrown, frenaud, jpazdziora, pasik, rcritten, tscherf, twoerner

Target Milestone:

Keywords:

Reopened, Triaged

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Clones:

1751951 (view as bug list)

Environment:

Last Closed:

2017-10-22 19:39:45 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

Bug Blocks:

1751951

Attachments:

Description	Flags
verification steps with console output	none

Description Jan Pazdziora 2016-08-04 14:21:33 UTC

Description of problem:

When IP address of master does not resolve to its hostname, ipa-replica-install fails.

Version-Release number of selected component (if applicable):

python2-ipaserver-4.4.0-4.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have setup where IP address of master as seen by replica does not match master's hostname.
2. Run ipa-replica-install --server ipa.example.test --domain example.test

Actual results:

/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring example.test as NIS domain.
Client configuration complete.

Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The host name ipa.example.test does not match the primary host name freeipa-server-container.freeipa-network. Please check /etc/hosts or DNS name resolution
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Removing client side components

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

The log ends with

2016-08-04T13:29:08Z DEBUG Check if replica.example.test is a primary hostname for localhost
2016-08-04T13:29:08Z DEBUG Primary hostname for localhost: replica.example.test
2016-08-04T13:29:08Z DEBUG Search DNS for replica.example.test
2016-08-04T13:29:08Z DEBUG Check if replica.example.test is not a CNAME
2016-08-04T13:29:09Z DEBUG Check reverse address of 172.18.0.3
2016-08-04T13:29:09Z DEBUG Found reverse name: replica.example.test
2016-08-04T13:29:09Z DEBUG Check if ipa.example.test is a primary hostname for localhost
2016-08-04T13:29:09Z DEBUG Primary hostname for localhost: freeipa-server-container.freeipa-network
2016-08-04T13:29:09Z DEBUG Starting external process
2016-08-04T13:29:09Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
2016-08-04T13:29:19Z DEBUG Process finished, return code=0
2016-08-04T13:29:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1712, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1108, in promote_check
    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 166, in verify_fqdn
    "Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0]))

2016-08-04T13:29:19Z DEBUG The ipa-replica-install command failed, exception: HostLookupError: The host name ipa.example.test does not match the primary host name freeipa-server-container.freeipa-network. Please check /etc/hosts or DNS name resolution
2016-08-04T13:29:19Z ERROR The host name ipa.example.test does not match the primary host name freeipa-server-container.freeipa-network. Please check /etc/hosts or DNS name resolution
2016-08-04T13:29:19Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:

No error.

Additional info:

Comment 1 Jan Pazdziora 2016-08-04 14:22:58 UTC

The

   installutils.verify_fqdn(config.master_host_name, options.no_host_dns)

calls in

   /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py

should likely include local_hostname=False.

Comment 2 Jan Pazdziora 2016-08-04 14:28:50 UTC

(In reply to Jan Pazdziora from comment #1)
> The
> 
>    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
> 
> calls in
> 
>   
> /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py
> 
> should likely include local_hostname=False.

With this change, ipa-replica install complains but proceeds setting up the replica:

/etc/ssh/sshd_config not found, skipping configuration
Configuring example.test as NIS domain.
Client configuration complete.

ipa         : ERROR    The host name ipa.example.test does not match the value freeipa-server-container.freeipa-network obtained by reverse lookup on IP address 172.18.0.2

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance

That ERROR output should likely also be purged.

Comment 4 Petr Vobornik 2016-08-12 13:50:42 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6210

Comment 8 Red Hat Bugzilla Rules Engine 2017-10-22 19:39:45 UTC

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 10 Tibor Dudlák 2019-09-16 07:46:39 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/f1e20b45c5deeb25989c87a2d717bda5a31bb084

Comment 11 Tibor Dudlák 2019-09-16 14:09:47 UTC

Missclicked status MIDIFIED setting to POST;

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/0b2ed9c415370de79f8ecaa1be153a1d80cf6ea1
Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/82351f1e09e9d592e3b0bef521c2c94b0d222cce
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/a016ed75ecbe7e2698530036043ef19df1bd718f

Comment 12 Jan Pazdziora 2019-10-09 08:34:43 UTC

The pull requests add that local_hostname=False in containers. I don't think this is the proper fix.

This is about the master's IP address not resolving directly to its hostname, so the same situation likely happens in AWS, and the same situation happens when the master is in container (or in general, in reverse-DNS-challenging environment) and replica is on a host, outside of containers.

When verifying this bugzilla, please use a setup when the IP address of master as seen by the replica does not resolve to master's hostname, outside of containers.

Comment 16 Kaleem 2020-02-18 15:17:11 UTC

Created attachment 1663784 [details]
verification steps with console output

Verified based on same steps done for 7.8 bugs mentioned at 
https://bugzilla.redhat.com/show_bug.cgi?id=1751951#c10

Comment 17 Jan Pazdziora 2020-02-18 16:59:30 UTC

I still don't see how this verifies the change. We need a reproducer of the failing setup with the older version of IdM, and then fixed reproducer with newer package versions.

Similar to my comments in bug 1751951, unless you show that the behaviour has changed (improved), the bugzilla cannot be considered verified.