Bug 1318303 - rolekit cannot deploy domain controller due to missing nss_myhostname
Summary: rolekit cannot deploy domain controller due to missing nss_myhostname
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rolekit
Version: 24
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker AcceptedFreezeException
Keywords:
Depends On: 1284323
Blocks: F24AlphaFreezeException F24BetaBlocker
 
Reported: 2016-03-16 13:24 UTC by Stephen Gallagher
Modified: 2016-03-28 19:30 UTC (History)
Clone Of:
Last Closed: 2016-03-26 17:54:14 UTC



Description Stephen Gallagher 2016-03-16 13:24:21 UTC
Description of problem:
From Fedora 21 to 23, the rolekit service on Fedora Server has provided a simplified mechanism for quickly deploying a FreeIPA Domain Controller. In order to avoid a classic chicken-and-egg problem where setting up the FreeIPA server to provide DNS requires a valid DNS entry for the server itself, we have historically been able to rely on the presence of nss_myhostname in /etc/nsswitch.conf to ensure that the local hostname is resolvable to something meaningful.

Without this, the FreeIPA installation fails in a difficult-to-understand way.


Version-Release number of selected component (if applicable):
rolekit-0.5.1-1.fc24
systemd-libs-229-6.fc24.x86_64.rpm
glibc-2.23.1-5.fc24.x86_64.rpm

How reproducible:


Steps to Reproduce:
1. Install the latest Fedora Server 24 pre-release, taking all defaults
2. On the booted system, run `rolectl deploy --name=example.com domaincontroller`


Actual results:
Deployment fails with "Error 256". Installation logs show that it failed attempting to determine the IP address for the machine's hostname and gethostbyname() returned nothing.

Expected results:
FreeIPA should be installed and available.

Additional info:

I'm not sure where the best place to solve this is:

* Have systemd %post return to installing nss_myhostname
* Have glibc enable nss_myhostname by default
* Have rolekit modify /etc/nsswitch to add nss_myhostname when deploying
* Have rolekit modify /etc/hosts to add the current IP address(es) for the domain name.

Comment 1 Fedora Blocker Bugs Application 2016-03-16 13:28:11 UTC
Proposed as a Blocker for 24-beta by Fedora user sgallagh using the blocker tracking app because:

 "The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this." -- Alpha criteria

Not a blocker for Alpha because:
"For instance, if a service needs to be manually enabled or a configuration file minimally tweaked, this is acceptable."

The workaround for now is to modify either /etc/hosts or /etc/nsswitch (which we should put into Common Bugs)

Comment 2 Fedora Blocker Bugs Application 2016-03-16 13:28:35 UTC
Proposed as a Freeze Exception for 24-alpha by Fedora user sgallagh using the blocker tracking app because:

 "The core functional requirements for all Featured Server Roles must be met, but it is acceptable if moderate workarounds are necessary to achieve this." -- Alpha criteria

Not a blocker for Alpha because:
"For instance, if a service needs to be manually enabled or a configuration file minimally tweaked, this is acceptable."

The workaround for now is to modify either /etc/hosts or /etc/nsswitch (which we should put into Common Bugs)

Comment 3 Fedora Admin XMLRPC Client 2016-03-17 14:43:12 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Zbigniew Jędrzejewski-Szmek 2016-03-17 15:13:00 UTC
Adding of nss-myhostname to /etc/resolv.conf in glibc got stalled on the question whether "gateway" should be resolved by nss-myhostname or not. The lack of nss-myhostname is causing real issues, while we never had any bug reports about "gateway". So I think we should enable nss-myhostname by default while the remaining issues are discussed.

My order of preference:
1. let glibc add myhostname to /etc/resolv.conf
2. restore the hack to enable it in systemd.rpm
3. wait

Comment 5 Stephen Gallagher 2016-03-17 16:54:53 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #4)
> Adding of nss-myhostname to /etc/resolv.conf in glibc got stalled on the
> question whether "gateway" should be resolved by nss-myhostname or not. The
> lack of nss-myhostname is causing real issues, while we never had any bug
> reports about "gateway". So I think we should enable nss-myhostname by
> default while the remaining issues are discussed.
> 
> My order of preference:
> 1. let glibc add myhostname to /etc/resolv.conf
> 2. restore the hack to enable it in systemd.rpm
> 3. wait

Is there any possibility of disabling "gateway" in the Fedora build while that's sorted out? That way we could get nss-myhostname back in ASAP and then merge "gateway" back in (or not) as we work through the open questions?

Comment 6 Florian Weimer 2016-03-17 18:18:19 UTC
We could also use “_gateway” instead of “gateway”.  This would address my primary concern (the namespace hijack).

Comment 7 Adam Williamson 2016-03-18 00:59:50 UTC
I'm +1 freeze exception on this.

Comment 8 Harald Hoyer 2016-03-18 14:23:49 UTC
I would vote to only resolve "gateway." and not "gateway"

Comment 9 Stephen Gallagher 2016-03-21 11:42:32 UTC
Since this doesn't seem likely to get resolved for Alpha, I'm going to add the following to the Common Bugs page as a temporary solution:

== Deploying Domain Controller Fails ==
Due to some changes with how the machine handles hostname resolution, the machine may not be able to look up the IP address for its own hostname. The workaround for this issue is to add a line similar to:

192.168.122.123 mymachine.mydomain.com

to /etc/hosts (replacing the IP address with the actual *external* IP and the hostname with the real hostname of the system).
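
Added example (not part of the original bug report, and not rolekit or FreeIPA code): a static pre-flight check for the condition discussed in this bug, reporting whether the machine's own hostname can be expected to resolve locally through either the myhostname source in the hosts: line of /etc/nsswitch.conf or an /etc/hosts entry with a non-loopback address. The function names and the sample file contents are constructed for illustration; the sample address and hostname are the ones used in comment 9.

```python
import re
import socket
from pathlib import Path

# Constructed samples (illustrative, not captured from the reporter's system).
SAMPLE_NSSWITCH_F24 = "passwd: files sss\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_NSSWITCH_FIXED = "hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname\n"
SAMPLE_HOSTS = "127.0.0.1 localhost localhost.localdomain\n"
SAMPLE_HOSTS_WORKAROUND = SAMPLE_HOSTS + "192.168.122.123 mymachine.mydomain.com\n"

def hosts_sources(nsswitch_text):
    """Ordered sources on the 'hosts:' line; [STATUS=action] items are dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.sub(r"\[[^\]]*\]", " ", line[6:]).split()
    return []

def hosts_file_addrs(hosts_text, hostname):
    """Addresses that /etc/hosts-format text assigns to hostname."""
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if hostname.lower() in (n.lower() for n in fields[1:]):
            found.append(fields[0])
    return found

def preflight(hostname, nsswitch_text, hosts_text):
    """Return (ok, reason): should the host's own name resolve without DNS?"""
    sources = hosts_sources(nsswitch_text)
    if "myhostname" in sources:
        return True, "myhostname is in the hosts: line"
    # /etc/hosts is only consulted when the 'files' source is configured.
    addrs = hosts_file_addrs(hosts_text, hostname) if "files" in sources else []
    external = [a for a in addrs if not a.startswith(("127.", "::1"))]
    if external:
        return True, "/etc/hosts maps the name to " + ", ".join(external)
    if addrs:
        return False, "/etc/hosts maps the name only to loopback"
    return False, "no myhostname source and no /etc/hosts entry"

if __name__ == "__main__":
    name = socket.gethostname()
    ns = Path("/etc/nsswitch.conf").read_text()
    hs = Path("/etc/hosts").read_text()
    print(name, preflight(name, ns, hs))
    try:  # live lookup through the system resolver, for comparison
        print("live:", sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)}))
    except socket.gaierror as exc:
        print("live lookup failed:", exc)
```

The check is static: it does not model how [NOTFOUND=return] actions or source ordering affect which source answers first.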

Comment 10 Kamil Páral 2016-03-21 17:17:12 UTC
Discussed at today's blocker review meeting [1]. Voted as AcceptedFreezeException (Alpha) - this is clearly a significant issue for Server that cannot be fully fixed with an update. It's accepted as a freeze exception; if a sufficiently targeted fix is found, it will be accepted.

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-03-21

Comment 11 Kamil Páral 2016-03-21 18:01:22 UTC
In the same meeting, also voted as AcceptedBlocker (Beta) - clear violation of "The core functional requirements for all Featured Server Roles must be met, without any workarounds being necessary."

Comment 12 Zbigniew Jędrzejewski-Szmek 2016-03-22 15:13:18 UTC
I'll start the process to change the resolution of "gateway" upstream, but I think this will take a while, and we need some fix now.

I restored the addition of myhostname to /etc/nsswitch.conf in systemd %post now. It's building in rawhide/f24 currently.

Comment 13 Stephen Gallagher 2016-03-22 15:36:36 UTC
Zbigniew, could you please modify that so it follows the implementation I suggested in BZ#1284323 ?

That way, it at least won't cache-poison for temporary DNS failures.

Comment 14 Fedora Update System 2016-03-22 23:32:29 UTC
systemd-229-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-14ac3b6fd4

Comment 15 Fedora Update System 2016-03-23 19:56:18 UTC
systemd-229-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-14ac3b6fd4

Comment 16 Fedora Update System 2016-03-26 17:54:06 UTC
systemd-229-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

