Bug 1874936 - TLS-E on pre-provisioned nodes fail with msg": "--server cannot be used without providing --domain"
Summary: TLS-E on pre-provisioned nodes fail with msg": "--server cannot be used witho...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z4
: 16.1 (Train on RHEL 8.2)
Assignee: Grzegorz Grasza
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-02 15:42 UTC by Sadique Puthen
Modified: 2021-03-17 15:32 UTC (History)
6 users (show)

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20210104205653.el8ost
Doc Type: Bug Fix
Doc Text:
Before this update, TLS-E on pre-provisioned nodes failed with the message: "--server cannot be used without providing --domain". With this update, the IDM domain name is detected by first resolving "ipa-ca" through DNS, then doing a reverse DNS lookup on the resulting IP address. It might be necessary to add the PTR record, which is required for the reverse lookup, manually.
Clone Of:
Environment:
Last Closed: 2021-03-17 15:31:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure 3912 0 None None None 2020-09-04 14:26:35 UTC
Launchpad 1904856 0 None None None 2020-11-19 10:30:18 UTC
OpenStack gerrit 763342 0 None MERGED Don't pass empty values for ipaclient_servers to ipaclient role 2021-02-08 05:53:44 UTC
OpenStack gerrit 768400 0 None MERGED Don't pass empty values for ipaclient_servers to ipaclient role 2021-02-08 05:53:45 UTC
Red Hat Product Errata RHBA-2021:0817 0 None None None 2021-03-17 15:32:27 UTC

Description Sadique Puthen 2020-09-02 15:42:11 UTC 
Description of problem:

TLS-E on pre-provisioned nodes fail with:


TASK [ipaclient : Install - IPA client test] ***********************************
Tuesday 01 September 2020  03:01:10 -0400 (0:00:00.189)       0:12:23.307 ***** 
fatal: [controller-2]: FAILED! => {"changed": false, "msg": "--server cannot be used without providing --domain"}
fatal: [controller-3]: FAILED! => {"changed": false, "msg": "--server cannot be used without providing --domain"}
fatal: [controller-1]: FAILED! => {"changed": false, "msg": "--server cannot be used without providing --domain"}

Sep  1 07:01:11 controller-1 platform-python[46861]: ansible-ipaclient_test Invoked with domain= servers=[''] hostname=controller-1.redhat.local no_ntp=False force_ntpd=False no_nisdomain=False kinit_attempts=5 configure_firefox=False all_ip_addresses=False on_master=False enable_dns_updates=False realm=None ntp_servers=None ntp_pool=None nisdomain=None ca_cert_files=None firefox_dir=None ip_addresses=None

Setting below manually workarounds it.

  IdMServer: <ipa server ip>
  IdMDomain: <ipa domain>

This need a code fix and doc change to document the workaround till the code is fixed.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 4 Ade Lee 2020-09-04 16:23:36 UTC 
The pagure linked to is pretty old.  But the log here comes from the ipaclient ansible module.

The problem is probably something in the way that we call things, because even though Sadique did not specify either the Server 
or the Domain, we run into this issue.  It likely has to do with the defaults we use when calling this module.

We need to make sure to omit correctly if there are no values provided.
Comment 18 errata-xmlrpc 2021-03-17 15:31:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0817
Note You need to log in before you can comment on or make changes to this bug.