Bug 812692

Summary: ipa will not install on amazon ec2
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.2
Hardware: x86_64
OS: Linux
Status: CLOSED WORKSFORME
Severity: high
Priority: unspecified
Target Milestone: rc
Reporter: Brian Harrington <bharrington>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: dpal, jpazdziora, kburres, mkosek
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-04-25 06:32:54 UTC
Attachments: ipaserver-install.log

Description Brian Harrington 2012-04-16 00:38:30 UTC
Description of problem:
Due to checks in the installer related to IP addressing, IPA will not install on Amazon EC2.

On Amazon EC2, virtual machines are provisioned with an IP address effectively situated behind network address translation.  This leads to a situation where the public-facing IP will never match up with the address of the interface, even to other machines which will be accessing IPA.

The specific issue even occurs when trying to force the IP address that the server will use.

How reproducible:
100%

Steps to Reproduce:
1. Provision RHEL machine on Amazon EC2
2. yum -y install ipa-server
3. ipa-server-install
  
Actual results:
[root@ipa ~]# ipa-server-install 

...

Unexpected error - see ipaserver-install.log for details:
 No network interface matches the provided IP address and netmask

[root@ipa ~]# ipa-server-install --ip-address=50.19.212.236
Usage: ipa-server-install [options]

ipa-server-install: error: option --ip-address: invalid IP address 50.19.212.236: No network interface matches the provided IP address and netmask

[root@ipa ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 12:31:3B:02:5C:3D  
          inet addr:10.243.95.203  Bcast:10.243.95.255  Mask:255.255.254.0
          inet6 addr: fe80::1031:3bff:fe02:5c3d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44356 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:61443561 (58.5 MiB)  TX bytes:1553781 (1.4 MiB)
          Interrupt:8 


Expected results:

Working IPA install

Comment 2 Rob Crittenden 2012-04-16 14:42:32 UTC
What does /etc/hosts look like? Does it contain the local host/IP combination?

You might try the --no-host-dns option but I don't think it will help in this particular case.

Comment 3 Dmitri Pal 2012-04-16 15:37:40 UTC
Should it be installed on the internal address then?
I mean --ip-address=10.243.95.203?

IPA needs to be sure its host name resolution is consistent. The NATing can be done, but outside of IPA, as long as it understands where its head and tail are.

Comment 4 Brian Harrington 2012-04-16 15:56:27 UTC
[root@ipa ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 12:31:3B:01:D8:B3  
          inet addr:10.242.223.65  Bcast:10.242.223.255  Mask:255.255.254.0
          inet6 addr: fe80::1031:3bff:fe01:d8b3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:78 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10586 (10.3 KiB)  TX bytes:9003 (8.7 KiB)
          Interrupt:8 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:282 (282.0 b)  TX bytes:282 (282.0 b)

[root@ipa ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.242.222.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         10.242.222.1    0.0.0.0         UG    0      0        0 eth0
[root@ipa ~]# cat /etc/hosts
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6

Comment 5 Brian Harrington 2012-04-16 16:12:43 UTC
Created attachment 577758
ipaserver-install.log

Contents of ipaserver-install.log from EC2

Comment 6 Martin Kosek 2012-04-17 07:55:00 UTC
I would recommend trying to install IPA with either

1) --ip-address=10.242.223.65, i.e. using the internal address behind NAT, as Dmitri suggested
2) --no-host-dns, which would skip various DNS checks and may help overcome this DNS issue

Comment 7 Rob Crittenden 2012-04-17 13:27:49 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2648

Comment 8 Martin Kosek 2012-04-25 06:32:54 UTC
The upstream ticket has been closed. I tried IPA in an EC2 VM and it worked for me. I just needed to pass an internal IP address to ipa-server-install. Then I was still able to connect to the IPA Web UI from a VM outside of the EC2 internal network using the EC2 VM's public IP address.

Closing the BZ as worksforme.
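
Added example (not part of the bug report and not FreeIPA's installer code): a Python check of the two consistency questions raised in this thread, namely whether the address given to --ip-address is actually configured on a local interface, and whether /etc/hosts maps the server's host name to it. The ifconfig and /etc/hosts samples are constructed from the output posted above; the host name ipa.example.com and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the eth0 stanza from the description plus a loopback stanza.
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 12:31:3B:02:5C:3D
          inet addr:10.243.95.203  Bcast:10.243.95.255  Mask:255.255.254.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
# Constructed sample: /etc/hosts as posted in comment 4 (localhost entries only).
HOSTS = """\
127.0.0.1\t\tlocalhost.localdomain localhost
::1\t\tlocalhost6.localdomain6 localhost6
"""

def parse_ifconfig(text):
    """Return {interface name: IPv4Interface} from net-tools ifconfig output."""
    found, name = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a stanza
            name = line.split()[0]
        m = re.search(r"inet addr:(\S+).*?Mask:(\S+)", line)
        if m and name:
            found[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def owning_interface(ip, interfaces):
    """Name of the local interface configured with exactly this address, else None."""
    addr = ipaddress.ip_address(ip)
    for name, iface in interfaces.items():
        if iface.ip == addr:
            return name
    return None

def hosts_lookup(hosts_text, fqdn):
    """Addresses that /etc/hosts maps fqdn to (comments and blank lines ignored)."""
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fqdn.lower() in (n.lower() for n in fields[1:]):
            out.append(fields[0])
    return out

def preflight(ip, fqdn, ifconfig_text=IFCONFIG, hosts_text=HOSTS):
    """Report inconsistencies between the chosen address, local interfaces and /etc/hosts."""
    findings = []
    if owning_interface(ip, parse_ifconfig(ifconfig_text)) is None:
        findings.append(f"{ip} is not configured on any local interface")
    if ip not in hosts_lookup(hosts_text, fqdn):
        findings.append(f"/etc/hosts has no '{ip} {fqdn}' entry")
    return findings
```

The public EC2 address from the description is reported as not configured on any interface because NAT keeps it off the instance; the private address on eth0 passes the interface check.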