On Thu, 2011-05-19 at 18:32 -0400, Dmitri Pal wrote:
> On 05/19/2011 04:41 PM, Simo Sorce wrote:
> > On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
> >> Hello,
> >>
> >> I am working on ticket #1107 and I am looking for some ideas hot to deal
> >> with it.
> >>
> >> The problem is that when we are installing a replica and have firewall
> >> on, the installation may fail or (even worse) hang. There question is
> >> how to deal with this situation since we cannot test if the ports are
> >> not blocked locally. It must be done from the remote master.
> >>
> >> I discussed this with Rob and I see two solutions here:
> >>
> >> 1) Don't complicate this and limit our user handholding (my favorite) -
> >> just tell him what ports he should open before proceeding with the
> >> installation. If he doesn't, the installation will fail later. The
> >> problem is when the installation hangs - its hard to detect. This is the
> >> easy way.
> >>
> >> 2) Implement and register a mod_wsgi application on a master server and
> >> let it test remotely if the ports on the replica are open. We would have
> >> to open and listen them in ipa-replica-install as we cannot tell if port
> >> is not-yet-opened or firewalled just from the network error code. If the
> >> application would report a firewalled port, we would throw an error in
> >> the ipa-replica-install.
> >>
> >> However, as Rob pointed out, it would open a possible security hole as
> >> we would basically behave as port scanner.
> > It may also create SELinux issues as I think apache is not allowed to
> > contact random ports normally.
> >
> >> Any opinions, suggestions, ideas on this?
> > I think a much better solution is to create a simple program pair one
> > for the master and one for the wannabe replica.
> >
> > The one on the replica opens all relevant ports.
> > The one to be run on the master tries to connect to all these ports.
> > Each side will report port,service name,success/failure
> >
> > Bonus points if we create the replica program so that it can use admin
> > credentials to ssh into the master and run the master side automatically
> > properly merging the output of that side.
> >
> > Simo.
> >
> I think Simo has a point but it is too much for now.
> IMO it is Ok to fail and report a meaningful error message on either
> side. Installation hanging is what we should address here in the scope
> of 2.1.

I am thinking about implementing a watchdog for this critical
installation step (`/usr/bin/pkisilent ConfigureCA`), where replica is
known to hang. We could set a safe timeout, say 5-10 minutes for the
pkisilent process and if it doesn't finish in given time, we would kill
the process and inform the user + ask him to check the if the  ports are

The list of our ports to check could be printed to user almost every
time the installation fails so that he would have a hint where to


Freeipa-devel mailing list

Reply via email to