Bug 1364139 - When master's IP address does not resolve to its name, ipa-replica-install fails
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Vobornik
QA Contact: Kaleem
Blocks: 1751951
Reported: 2016-08-04 14:21 UTC by Jan Pazdziora
Modified: 2020-08-03 15:45 UTC (History)

Last Closed: 2017-10-22 19:39:45 UTC
Type: Bug

Description Jan Pazdziora 2016-08-04 14:21:33 UTC
Description of problem:

When the IP address of the master does not resolve to its hostname, ipa-replica-install fails.

Version-Release number of selected component (if applicable):

python2-ipaserver-4.4.0-4.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a setup where the IP address of the master, as seen by the replica, does not match the master's hostname.
2. Run ipa-replica-install --server ipa.example.test --domain example.test

Actual results:

/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring example.test as NIS domain.
Client configuration complete.

Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The host name ipa.example.test does not match the primary host name freeipa-server-container.freeipa-network. Please check /etc/hosts or DNS name resolution
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Removing client side components

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

The log ends with

2016-08-04T13:29:08Z DEBUG Check if replica.example.test is a primary hostname for localhost
2016-08-04T13:29:08Z DEBUG Primary hostname for localhost: replica.example.test
2016-08-04T13:29:08Z DEBUG Search DNS for replica.example.test
2016-08-04T13:29:08Z DEBUG Check if replica.example.test is not a CNAME
2016-08-04T13:29:09Z DEBUG Check reverse address of 172.18.0.3
2016-08-04T13:29:09Z DEBUG Found reverse name: replica.example.test
2016-08-04T13:29:09Z DEBUG Check if ipa.example.test is a primary hostname for localhost
2016-08-04T13:29:09Z DEBUG Primary hostname for localhost: freeipa-server-container.freeipa-network
2016-08-04T13:29:09Z DEBUG Starting external process
2016-08-04T13:29:09Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
2016-08-04T13:29:19Z DEBUG Process finished, return code=0
2016-08-04T13:29:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1712, in main
    promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1108, in promote_check
    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 166, in verify_fqdn
    "Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0]))

2016-08-04T13:29:19Z DEBUG The ipa-replica-install command failed, exception: HostLookupError: The host name ipa.example.test does not match the primary host name freeipa-server-container.freeipa-network. Please check /etc/hosts or DNS name resolution
2016-08-04T13:29:19Z ERROR The host name ipa.example.test does not match the primary host name freeipa-server-container.freeipa-network. Please check /etc/hosts or DNS name resolution
2016-08-04T13:29:19Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:

No error.

Additional info:

Comment 1 Jan Pazdziora 2016-08-04 14:22:58 UTC
The

   installutils.verify_fqdn(config.master_host_name, options.no_host_dns)

calls in

   /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py

should likely include local_hostname=False.

Comment 2 Jan Pazdziora 2016-08-04 14:28:50 UTC
(In reply to Jan Pazdziora from comment #1)
> The
> 
>    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
> 
> calls in
> 
>    /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py
> 
> should likely include local_hostname=False.

With this change, ipa-replica-install complains but proceeds setting up the replica:

/etc/ssh/sshd_config not found, skipping configuration
Configuring example.test as NIS domain.
Client configuration complete.

ipa         : ERROR    The host name ipa.example.test does not match the value freeipa-server-container.freeipa-network obtained by reverse lookup on IP address 172.18.0.2

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance

That ERROR output should likely also be purged.
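
The two behaviours seen in this report, as an added example that is not part of the comment above and is not FreeIPA's verify_fqdn() code: a simplified model in which the strict mode aborts when the master's name is not the primary name for its address, and the local_hostname=False mode only reports the reverse-lookup mismatch. The function name check_fqdn and the lookup tables are assumptions, built from the names and addresses in the logs so it runs offline.

```python
# Added illustration: a simplified model, not FreeIPA's verify_fqdn().
# Names and addresses come from the logs in this report; the lookup
# tables are constructed stand-ins for DNS and /etc/hosts.
FORWARD = {
    "ipa.example.test": "172.18.0.2",
    "replica.example.test": "172.18.0.3",
}
REVERSE = {
    "172.18.0.2": "freeipa-server-container.freeipa-network",
    "172.18.0.3": "replica.example.test",
}


class HostLookupError(Exception):
    """Raised when a host name fails a fatal resolution check."""


def check_fqdn(host_name, local_hostname=True, forward=FORWARD, reverse=REVERSE):
    """Return a list of warnings; raise HostLookupError on a fatal mismatch."""
    if host_name not in forward:
        raise HostLookupError("Unable to resolve host name %s" % host_name)
    address = forward[host_name]
    primary = reverse.get(address)  # None when there is no reverse record

    if local_hostname:
        # Strict mode: the name must be the primary name for its address.
        if primary != host_name:
            raise HostLookupError(
                "The host name %s does not match the primary host name %s. "
                "Please check /etc/hosts or DNS name resolution"
                % (host_name, primary))
        return []

    # Remote mode: a forward/reverse mismatch is reported but not fatal.
    warnings = []
    if primary != host_name:
        warnings.append(
            "The host name %s does not match the value %s obtained by "
            "reverse lookup on IP address %s" % (host_name, primary, address))
    return warnings


if __name__ == "__main__":
    print(check_fqdn("replica.example.test"))
    print(check_fqdn("ipa.example.test", local_hostname=False))
```

In the non-strict mode the caller decides what to do with the returned mismatch, which is the point debated in this report: whether that message should be logged as an ERROR, downgraded, or dropped.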

Comment 4 Petr Vobornik 2016-08-12 13:50:42 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6210

Comment 8 Red Hat Bugzilla Rules Engine 2017-10-22 19:39:45 UTC
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 10 Tibor Dudlák 2019-09-16 07:46:39 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/f1e20b45c5deeb25989c87a2d717bda5a31bb084

Comment 11 Tibor Dudlák 2019-09-16 14:09:47 UTC
Misclicked status MODIFIED, setting to POST;

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/0b2ed9c415370de79f8ecaa1be153a1d80cf6ea1
Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/82351f1e09e9d592e3b0bef521c2c94b0d222cce
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/a016ed75ecbe7e2698530036043ef19df1bd718f

Comment 12 Jan Pazdziora 2019-10-09 08:34:43 UTC
The pull requests add that local_hostname=False in containers. I don't think this is the proper fix.

This is about the master's IP address not resolving directly to its hostname, so the same situation likely happens in AWS, and the same situation happens when the master is in a container (or in general, in a reverse-DNS-challenging environment) and the replica is on a host, outside of containers.

When verifying this bugzilla, please use a setup where the IP address of the master as seen by the replica does not resolve to the master's hostname, outside of containers.

Comment 16 Kaleem 2020-02-18 15:17:11 UTC
Created attachment 1663784 [details]
verification steps with console output

Verified based on same steps done for 7.8 bugs mentioned at 
https://bugzilla.redhat.com/show_bug.cgi?id=1751951#c10

Comment 17 Jan Pazdziora 2020-02-18 16:59:30 UTC
I still don't see how this verifies the change. We need a reproducer of the failing setup with the older version of IdM, and then a fixed reproducer with newer package versions.

Similar to my comments in bug 1751951, unless you show that the behaviour has changed (improved), the bugzilla cannot be considered verified.
