On 1.7.2016 11:04, Christian Heimes wrote:
> On 2016-07-01 10:59, Petr Spacek wrote:
>> On 1.7.2016 10:55, Christian Heimes wrote:
>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
>>>>> HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>>> host.
>>>>>
>>>>> On a replica without CA ca_host is a remote host (e.g. master's
>>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>>> which might be blocked by a firewall.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>>
>>>> Interesting. How it happens that replica without CA is calling
>>>> RedHatCAService?
>>>>
>>>> Also, why replica should be waiting for CA if it is not installed?
>>>>
>>>> I'm confused.
>>>
>>> There is a hint in the last sentence: ipa-ca-install
>>>
>>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>>> doesn't wait for the local Dogtag to come up but connects to a remote
>>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>>> never succeeds.
>>
>> Oh, I missed that, thanks!
>>
>> Isn't the root cause that ipa.env.ca_host does not get updated during
>> ipa-ca-install?
>
> Been there, tried it, didn't work:
> https://fedorahosted.org/freeipa/ticket/6016#comment:1

I understand that it does not work right now but it does not mean that it is
an actual problem in api.env :-)

Anyway, I'm testing your patch but I'm not sure we can get it into 4.4.0 as
Petr^1 is about to push the RELEASE button any minute now.

Petr^2 Spacek

> It just doesn't make sense that RedHatCAService should ever check a
> remote instance. The rest of the class is about the local systemd
> service. As soon as we have sd_notify
> https://fedorahosted.org/pki/ticket/1233 implemented, we can use systemd
> to wait for Dogtag.
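
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA code: a readiness poll that targets the configured `ca_host` never succeeds when that host is a firewalled master, while the same poll against the local host does. The hostnames, the XML reply layout, the injected `fetch` transport and all function bodies are assumptions made for illustration; only the port and the `/ca/admin/ca/getStatus` path come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed hostnames; the thread only says "master" and "replica".
CA_HOST = "master.example.test"      # what ca_host points at on a CA-less replica
LOCAL_HOST = "replica.example.test"  # the machine running ipa-ca-install


def parse_status(body):
    """Return the <Status> text of a getStatus reply (reply layout assumed)."""
    node = ET.fromstring(body).find("Status")
    return node.text.strip() if node is not None and node.text else None


def ca_status(fetch, host):
    """One probe of /ca/admin/ca/getStatus on `host`; None if unreachable."""
    try:
        return parse_status(fetch("http://%s:8080/ca/admin/ca/getStatus" % host))
    except (OSError, ET.ParseError):
        return None


def wait_until_running(fetch, host, attempts=5):
    """Poll `host` up to `attempts` times; True once it reports 'running'."""
    for _ in range(attempts):  # a real poller would sleep between attempts
        if ca_status(fetch, host) == "running":
            return True
    return False


def make_fetch():
    """Constructed transport: master is firewalled, local Dogtag starts slowly."""
    replies = iter(["starting", "starting", "running"])

    def fetch(url):
        if CA_HOST in url:
            raise ConnectionError("port 8080 blocked by firewall")
        status = next(replies, "running")
        return "<XMLResponse><Status>%s</Status></XMLResponse>" % status

    return fetch


if __name__ == "__main__":
    print("poll ca_host   :", wait_until_running(make_fetch(), CA_HOST))
    print("poll local host:", wait_until_running(make_fetch(), LOCAL_HOST))
```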