On 1.7.2016 11:04, Christian Heimes wrote:
> On 2016-07-01 10:59, Petr Spacek wrote:
>> On 1.7.2016 10:55, Christian Heimes wrote:
>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>>>>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>>> host.
>>>>> On a replica without CA ca_host is a remote host (e.g. master's
>>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>>> which might be blocked by a firewall.
>>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>> Interesting. How it happens that replica without CA is calling 
>>>> RedHatCAService?
>>>> Also, why replica should be waiting for CA if it is not installed?
>>>> I'm confused.
>>> There is a hint in the last sentence: ipa-ca-install
>>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>>> doesn't wait for the local Dogtag to come up but connects to a remote
>>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>>> never succeeds.
>> Oh, I missed that, thanks!
>> Isn't the root cause that ipa.env.ca_host does not get updated during
>> ipa-ca-install?
> Been there, tried it, didn't work:
> https://fedorahosted.org/freeipa/ticket/6016#comment:1

I understand that it does not work right now but it does not mean that it is
an actual problem in api.env :-)

Anyway, I'm testing your patch but I'm not sure we can get it into 4.4.0 as
Petr^1 is about to push the RELEASE button any minute now.

Petr^2 Spacek

> It just doesn't make sense that RedHatCAService should ever check a
> remote instance. The rest of the class is about the local systemd
> service. As soon as we have sd_notify
> https://fedorahosted.org/pki/ticket/1233 implemented, we can use systemd
> to wait for Dogtag.

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to