UDP port checks in ipa-replica-conncheck are too strict. The entire conncheck fails when UDP ports cannot be verified as open. However, UDP protocol is unreliable by its nature and the port can also not be checked if there is an application already bound to it. This can happen for example when ipa-replica-conncheck is run as a part of ipa-ca-install and the replica services are thus already running.
This patch changes the behavior of UDP port checks. The conncheck script now rather reports a warning that UDP port cannot be verified but does not fail the entire test. https://fedorahosted.org/freeipa/ticket/2514
>From cd39f11b88fe2098a245d2d7983e01ef533d49e3 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Fri, 16 Mar 2012 10:26:56 +0100 Subject: [PATCH] Tolerate UDP port failures in conncheck UDP port checks in ipa-replica-conncheck are too strict. The entire conncheck fails when UDP ports cannot be verified as open. However, UDP protocol is unreliable by its nature and the port can also not be checked if there is an application already bound to it. This can happen for example when ipa-replica-conncheck is run as a part of ipa-ca-install and the replica services are thus already running. This patch changes the behavior of UDP port checks. The conncheck script now rather reports a warning that UDP port cannot be verified but does not fail the entire test. https://fedorahosted.org/freeipa/ticket/2514 --- install/tools/ipa-replica-conncheck | 21 ++++++++++++++++----- 1 files changed, 16 insertions(+), 5 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 44b3caa45a20d3a72985c051a7982da1f9716147..77d3bbffdd2224bcc0d65d267282db02c7cca854 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck 
@@ -243,18 +243,29 @@ def port_check(host, port_list): if not ip: raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host) - failed_ports = [] + ports_failed = [] + ports_udp_warning = [] # conncheck could not verify that port is open for port in port_list: if ipautil.host_port_open(host, port.port, port.port_type, socket_timeout=CONNECT_TIMEOUT): result = "OK" else: - failed_ports.append(port) - result = "FAILED" + if port.port_type == socket.SOCK_DGRAM: + ports_udp_warning.append(port) + result = "WARNING" + else: + ports_failed.append(port) + result = "FAILED" print_info(" %s (%d): %s" % (port.description, port.port, result)) - if failed_ports: + if ports_udp_warning: + print "The following UDP ports could not be verified as open: %s" \ + % ", ".join(str(port.port) for port in ports_udp_warning) + print "This can happen if they are already bound to an application" + print "and ipa-replica-conncheck cannot attach own UDP responder." + + if ports_failed: msg_ports = [] - for port in failed_ports: + for port in ports_failed: port_type_text = "TCP" if port.port_type == SOCK_STREAM else "UDP" msg_ports.append('%d (%s)' % (port.port, port_type_text)) raise RuntimeError("Port check failed! Inaccessible port(s): %s" \ -- 1.7.7.6
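Review bot: In the new `else:` branch of `port_check`, every failed `SOCK_DGRAM` check is downgraded to "WARNING", so a UDP port that is really filtered between the hosts now passes conncheck the same way as one that could not be tested because a service already holds it. The commit message only justifies the second case. Consider recording why the check could not run (for example, whether the local UDP responder failed to bind) and keeping "FAILED" when the responder was up and no reply arrived, or at least have the warning text say that the port may also be blocked so the admin verifies the firewall by hand. Two smaller points in the same hunk: the new comparison uses `socket.SOCK_DGRAM` while the unchanged line below uses bare `SOCK_STREAM`, so please confirm both names resolve with this file's imports and settle on one form; and the warning is written with plain `print` while the per-port result goes through `print_info`, which may make the two behave differently with respect to output handling. The message "cannot attach own UDP responder" would also read better as "cannot attach its own UDP responder".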