Martin Basti wrote:
> On 07.12.2016 15:21, Rob Crittenden wrote:
>> Martin Basti wrote:
>>> On 07.12.2016 08:48, List dedicated to discussions about use,
>>> configuration and deployment of the IPA server. wrote:
>>>> Hello,
>>>> the --hostname option to the installer currently modifies the hostname
>>>> of the machine. In some environments, namely in unprivileged
>>>> containers, that operation is not denied. In some cases, it is
>>>> possible to change the FQDN of the container from outside, for example
>>>> with docker run's -h option. However, in some environments, namely in
>>>> OpenShift, there is not such possibility.
>>>> I have found out that disabling the change by turning /bin/hostnamectl
>>>> and /usr/bin/domainname makes ipa-server-install pass while the server
>>>> gets configured with the hostname specified as the parameter to
>>>> --hostname option so it does not seem to be essential for the FQDN to
>>>> change. Of course, some operations might no longer work, like ssh to
>>>> the FreeIPA machine as sshd would need to be set with
>>>> GSSAPIStrictAcceptorCheck no.
>>>> I wonder if either change of the --hostname semantics, or some new
>>>> option would be useful, to specify the hostname to be used by the
>>>> FreeIPA software while not touching the configuration of the hostname
>>>> for the machine.
>>> I agree that --hostname options should not touch system's hostname, I
>>> don't see reason why application installer should change system
>>> hostname.
>> It was done for sanity because a staggering number of users it seems
>> don't properly set their hostname.
> Then we should have checks and prevent installation, but this needs
> proper design and must cover containers, AWS, etc. to count with various
> scenarios.
>>> I'd start with deprecating current behavior of this option in next
>>> release
>> IMHO it is a pretty significant change of behavior.
> True, so as mentioned later, rather just deprecate this option.

Would be hard to do. Think about something like puppet, it would need to
become version-aware.

>>> As you mentioned we need find what cases can be broken when we will use
>>> different local and external hostname, but anyway we have do this for
>>> containers.
>> Agreed. Something needs to happen, I'm just not convinced it should
>> happen in --hostname. I generally oppose new options but one might be
>> warranted in this case to handle things.
> Maybe --external-hostname or so, noted, we will cover it in design.
>> rob

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project
  • ... List dedicated to discussions about use, configuration and deployment of the IPA server.
    • ... Martin Basti
      • ... Rob Crittenden
        • ... Martin Basti
          • ... Rob Crittenden

Reply via email to