I tried creating a FreeIPA replica in GCE.

GCE is a little weird in that its DHCP assigns a /32 netmask to VMs. There
does not seem to be any way to disable that specific behavior in GCE since
as a user you have no control of the DHCP server. As a user you can create
your own networks but it seems that under the hood Google wants to always
route everything themselves, so even though they allow you to create say a
/16 network, the machines all get a /32 netmask and use the gateway for
routing, even within their own network. It's actually a little confusing
because from the view of the machine, you actually have no way of
determining the size of the network (you have to actually learn the
netmask/size of the virtual network via other means, like the gcloud
command or web console).

But with the /32 netmask routing does work, and machines can find other
machines. Unfortunately, the FreeIPA server install scripts seem to have
some error checking that gets confused by the /32 netmask scheme GCE uses
and causes the scripts to crap out.

I managed to trick ipa-server-install into installing by temporarily
manually opening up the netmask. It only kind of works, since in some cases
it breaks networking and the connection to the machine is lost. However,
once IPA server is set up, it keeps working and I can enroll client
machines.  It seems like too much of a hack and I couldn't get the same
trick to work for replicas in any case. This is the error I get:

line 877, in main install_check(self) File
line 295, in decorated func(installer) File
line 514, in install_check options.ip_addresses) File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
516, in get_server_ip_address
sys.exit(1)
ipa.ipapython.install.cli.install_tool(Replica): DEBUG The ipa-replica-install command failed, exception: SystemExit: 1

I went into installutils.py and commented out the error test at line 516:

# if not ips:
#     print >> sys.stderr, "No usable IP address provided nor resolved."
#     sys.exit(1)

It's an ugly hack but you can at least get past the error check and install
the replica.

Would it be possible to make the installer scripts less sensitive to the
/32 netmask?