Bug 766162
| Summary: | Conncheck fails if IPv6 DNS servers are specified in /etc/resolv.conf | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Sigbjorn Lie <sigbjorn> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED NOTABUG | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 6.2 | CC: | dpal, grajaiya, jgalipea, mkosek |
| Target Milestone: | rc | Doc Type: | Bug Fix |
| Hardware: | Unspecified | OS: | Unspecified |
| Last Closed: | 2012-04-17 11:47:27 UTC | Bug Depends On: | 804630 |

Description
Sigbjorn Lie
2011-12-10 17:54:53 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2183

I just ran various tests on my VMs and I wasn't able to reproduce the issue. I tried 2 scenarios:

1) master is ipv6-only, replica is ipv6 only
2) master is ipv4+ipv6, replica is ipv4 only

and both worked well for me.

ipa-replica-conncheck has an IPv6 fallback, i.e. when the IPv4 connection fails, it tries connecting via IPv6, so it should just work when at least one connection works.

Can you please verify that:

- name server is responding correctly on the IP addresses you have in resolv.conf and has all records needed?

    dig -t a <replica> @srv-ipv4-addr
    dig -t a <replica> @srv-ipv6-addr
    dig -t aaaa <replica> @srv-ipv4-addr
    dig -t aaaa <replica> @srv-ipv6-addr

- there is no obstacle like ip6tables

You can also try testing the port with some custom tool like `nc`.

The key to the issue seems to be the "options rotate" I have in my resolv.conf file. The ipa-replica-conncheck command executes fine if I have only IPv4 DNS addresses and "options rotate" in my resolv.conf. BTW, it also executes fine without the "options rotate".

However, if I have both IPv4 and IPv6, or only IPv6 DNS servers specified in resolv.conf, and have "options rotate" at the same time, the issue occurs.

Thanks for the info Sigbjorn, but I still was not able to reproduce your issue (I tried "options rotate" with both IPv4 and IPv6 addresses in my /etc/resolv.conf). My previous concerns are left untouched. Can you please verify that DNS and network are OK and the issue is really just in the ipa-replica-conncheck script? The script does not use any special measures for DNS resolution, it uses standard connection via Python sockets, i.e. it should not be touched by the IPv4/IPv6 address of the DNS resolver.

You can use the commands I posted above to verify that DNS is indeed served right on both IPv4 and IPv6 interfaces using standard Linux tools like `dig` or `host`.

A few suggestions for testing in addition to the above dig commands:

    # host -4 <replica>
    # host -6 <replica>
    # telnet <replica> 636
    # telnet <replica> 88
    ...

I've run all your requested "dig" and "host" commands, and they all resolved the hostname into IPv4 and IPv6 addresses successfully. Telnetting into the requested ports also worked successfully.

When I'm testing I'm leaving my IPv6 DNS servers at the top of resolv.conf. I have also tried to comment out the IPv4 addresses completely, leaving only IPv6 addresses. I have verified both the IPv6 DNS servers that I specify in resolv.conf. Same result as before when enabling options rotate.

Sigbjorn, thanks for your results and cooperation. I did some more research and found it is actually a bug in glibc. I filed Bug 804630.

As you stated above, the key is in the "options rotate" statement. It does not work well with IPv6 only nameservers. As I found out with tcpdump, glibc always attached a domain to the fqdn and thus made it invalid and not resolvable. You can check details and my test outputs in Bug 804630.

The glibc team will fix this issue for _one_ IPv6 nameserver only in 6.3, details can be checked in Bug 804630. Other use cases are planned to be fixed (Bug 771204) in 6.4. Until then, there are two workarounds that can be used:

1) Do not use "options rotate" in /etc/resolv.conf
2) Add at least one IPv4 nameserver address to /etc/resolv.conf

I tested the issue with the fixed glibc-2.12-1.78.el6.x86_64 and everything worked fine then.

Closing this ticket as there is nothing to be done on the IPA side. Please follow up on Bug 804630 and Bug 771204 to get additional updates.
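
A check for the resolv.conf condition discussed in this bug, added here as an example and not part of the original report or of IPA: it parses resolv.conf text and reports whether "options rotate" is set while only IPv6 nameservers are listed, the case the two workarounds above address. The function names and the sample files (documentation address ranges) are constructed for illustration.

```python
import ipaddress

def parse_resolv_conf(text):
    """Return (nameserver addresses, option names) from resolv.conf text."""
    servers, options = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
            addr = fields[1].split("%", 1)[0]
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue                      # not an address, skipped
        elif fields[0] == "options":
            # Keep the option name only, so "timeout:2" becomes "timeout".
            options.update(f.split(":", 1)[0] for f in fields[1:])
    return servers, options

def check(text):
    """Summarise the resolver config and flag rotate + IPv6-only nameservers."""
    servers, options = parse_resolv_conf(text)
    v4 = [s for s in servers if s.version == 4]
    v6 = [s for s in servers if s.version == 6]
    rotate = "rotate" in options
    return {
        "rotate": rotate,
        "ipv4": len(v4),
        "ipv6": len(v6),
        # True when neither workaround from the bug is in place.
        "workaround_needed": rotate and bool(v6) and not v4,
    }

# Constructed sample files, not taken from the reporter's system.
IPV6_ONLY_ROTATE = """search example.test
nameserver 2001:db8::53
nameserver 2001:db8::54
options rotate timeout:2
"""
MIXED_ROTATE = IPV6_ONLY_ROTATE + "nameserver 192.0.2.53\n"
IPV6_ONLY_NO_ROTATE = "nameserver 2001:db8::53\n# options rotate\n"

if __name__ == "__main__":
    for name in ("IPV6_ONLY_ROTATE", "MIXED_ROTATE", "IPV6_ONLY_NO_ROTATE"):
        print(name, check(globals()[name]))
```

On a real host, pass the contents of /etc/resolv.conf to `check()`; the script does not look at the installed glibc version, so a flagged file still needs comparing against the fixed builds named in Bug 804630 and Bug 771204.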