On 2016-07-01 10:59, Petr Spacek wrote:
> On 1.7.2016 10:55, Christian Heimes wrote:
>> On 2016-07-01 10:48, Petr Spacek wrote:
>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>>>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>> host.
>>>>
>>>> On a replica without CA ca_host is a remote host (e.g. master's
>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>> which might be blocked by a firewall.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>
>>> Interesting. How it happens that replica without CA is calling 
>>> RedHatCAService?
>>>
>>> Also, why replica should be waiting for CA if it is not installed?
>>>
>>> I'm confused.
>>
>> There is a hint in the last sentence: ipa-ca-install
>>
>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>> doesn't wait for the local Dogtag to come up but connects to a remote
>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>> never succeeds.
> 
> Oh, I missed that, thanks!
> 
> Isn't the root cause that ipa.env.ca_host does not get updated during
> ipa-ca-install?

Been there, tried it, didn't work:
https://fedorahosted.org/freeipa/ticket/6016#comment:1

It just doesn't make sense that RedHatCAService should ever check a
remote instance. The rest of the class is about the local systemd
service. As soon as we have sd_notify
https://fedorahosted.org/pki/ticket/1233 implemented, we can use systemd
to wait for Dogtag.


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to