[Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the discovered server is
For starters I added a 15 second timeout and 2 tries. These numbers are arbitrary, I am open to suggestions. Martin --- Add a timeout to the wget call to cover a case when autodiscovered server does not response to our attempt to download ca.crt. Let user specify a different IPA server in that case. https://fedorahosted.org/freeipa/ticket/1960 From d3a74fbc40f29eb5baaf7461c6f301671ca1580a Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 12 Oct 2011 10:55:08 +0200 Subject: [PATCH] ipa-client-install hangs if the discovered server is unresponsive Add a timeout to the wget call to cover a case when autodiscovered server does not response to our attempt to download ca.crt. Let user specify a different IPA server in that case. https://fedorahosted.org/freeipa/ticket/1960 --- ipa-client/ipa-install/ipa-client-install |6 -- ipa-client/ipaclient/ipadiscovery.py |3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 969dc9b0faa5e131f1e9199325bdf2350157ab8a..233d56e3f9b5cac8e8491f56b84c4e44ee8d9279 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -803,7 +803,8 @@ def install(options, env, fstore, statestore): if ret == ipadiscovery.NOT_FQDN: print sys.stderr, %s is not a fully-qualified hostname % hostname return CLIENT_INSTALL_ERROR -if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getDomainName(): +if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \ +or not ds.getDomainName(): logging.debug(Domain not found) if options.domain: cli_domain = options.domain 
@@ -821,7 +822,8 @@ def install(options, env, fstore, statestore): cli_domain = ds.getDomainName() logging.debug(will use domain: %s\n, cli_domain) -if ret == ipadiscovery.NO_LDAP_SERVER or not ds.getServerName(): +if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \ +or not ds.getServerName(): logging.debug(IPA Server not found) if options.server: cli_server = options.server diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index cd5f81bd5147929deca43e502c4f9b2bdb98f99c..e786e98d8d722b7ac55db6f616effd737f920364 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -220,7 +220,8 @@ class IPADiscovery: raise RuntimeError(Creating temporary directory failed: %s % str(e)) try: -run([/usr/bin/wget, -O, %s/ca.crt % temp_ca_dir, http://%s/ipa/config/ca.crt; % format_netloc(thost)]) +run([/usr/bin/wget, -O, %s/ca.crt % temp_ca_dir, -T, 15, -t, 2, + http://%s/ipa/config/ca.crt; % format_netloc(thost)]) except CalledProcessError, e: logging.debug('Retrieving CA from %s failed.\n%s' % (thost, str(e))) return [NOT_IPA_SERVER] -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
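Review bot: In both ipa-client-install hunks (@@ -803 and @@ -821), the new NOT_IPA_SERVER case falls into branches that still log "Domain not found" and "IPA Server not found", so the debug log for a server that was discovered but failed the ca.crt fetch reads the same as a failed discovery. Consider logging the return code, or a separate message for NOT_IPA_SERVER, before falling back to options.domain and options.server. The tuple (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) is also repeated in both conditions; giving it one name would keep the two checks from drifting apart.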
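Review bot: In the ipadiscovery.py hunk (@@ -220), the wget limits -T 15 and -t 2 are inline literals, and a timeout lands in the same except CalledProcessError branch that returns [NOT_IPA_SERVER] for every other wget failure. Suggest named constants for the timeout and the retry count, since the cover letter calls the values arbitrary and they are likely to be tuned. A short comment would also help, noting that wget's -T sets the DNS, connect and read timeouts together, so the worst-case wait per try can exceed 15 seconds. Making the debug message say that the server did not answer in time, rather than only appending str(e), would make the later prompt for a different server easier to understand.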
Re: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the discovered server is
Martin Kosek wrote:
> For starters I added a 15 second timeout and 2 tries. These numbers are arbitrary, I am open to suggestions.
>
> Martin
>
> ---
> Add a timeout to the wget call to cover a case when autodiscovered server does not respond to our attempt to download ca.crt. Let user specify a different IPA server in that case.
>
> https://fedorahosted.org/freeipa/ticket/1960

There is a wget call in ipa-client-install as well, should a timeout be added there?

rob
Re: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the discovered server is
On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > For starters I added a 15 second timeout and 2 tries. These numbers are arbitrary, I am open to suggestions.
> >
> > Martin
> >
> > ---
> > Add a timeout to the wget call to cover a case when autodiscovered server does not respond to our attempt to download ca.crt. Let user specify a different IPA server in that case.
> >
> > https://fedorahosted.org/freeipa/ticket/1960
>
> There is a wget call in ipa-client-install as well, should a timeout be added there?
>
> rob

This wget is for the very same ca.crt that was already (successfully) retrieved when the server was being checked by ipadiscovery. Thus I don't think it is necessary.

Martin
Re: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the discovered server is
On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
> On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > For starters I added a 15 second timeout and 2 tries. These numbers are arbitrary, I am open to suggestions.
> > >
> > > Martin
> > >
> > > ---
> > > Add a timeout to the wget call to cover a case when autodiscovered server does not respond to our attempt to download ca.crt. Let user specify a different IPA server in that case.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1960
> >
> > There is a wget call in ipa-client-install as well, should a timeout be added there?
> >
> > rob
>
> This wget is for the very same ca.crt that was already (successfully) retrieved when the server was being checked by ipadiscovery. Thus I don't think it is necessary.

Shouldn't it be eliminated then? Or do we really need to dload the cert twice?

Or did I misunderstand your reply?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 146 ipa-client-install hangs if the discovered server is
Martin Kosek wrote:
> On Wed, 2011-10-12 at 09:31 -0400, Simo Sorce wrote:
> > On Wed, 2011-10-12 at 15:03 +0200, Martin Kosek wrote:
> > > On Wed, 2011-10-12 at 08:52 -0400, Rob Crittenden wrote:
> > > > Martin Kosek wrote:
> > > > > For starters I added a 15 second timeout and 2 tries. These numbers are arbitrary, I am open to suggestions.
> > > > >
> > > > > Martin
> > > > >
> > > > > ---
> > > > > Add a timeout to the wget call to cover a case when autodiscovered server does not respond to our attempt to download ca.crt. Let user specify a different IPA server in that case.
> > > > >
> > > > > https://fedorahosted.org/freeipa/ticket/1960
> > > >
> > > > There is a wget call in ipa-client-install as well, should a timeout be added there?
> > > >
> > > > rob
> > >
> > > This wget is for the very same ca.crt that was already (successfully) retrieved when the server was being checked by ipadiscovery. Thus I don't think it is necessary.
> >
> > Shouldn't it be eliminated then? Or do we really need to dload the cert twice?
> >
> > Or did I misunderstand your reply?
> >
> > Simo.
>
> You understood correctly. We always try to download ca.crt during ipacheckldap() call. We clean up all temporary files downloaded during server verification in the end. When the user finally confirms and we start the actual client installation, then we download ca.crt to /etc/ipa/.
>
> I think that the current procedure is OK compared to additional code we would have to add to pass the ca.crt from ipacheckldap() and cover all possible cases. Please, open an enhancement ticket if you think otherwise.
>
> Martin

ACK, works fine. pushed to master and ipa-2-1