Re: [Freeipa-users] IPv6
On 04/30/2012 08:27 AM, John Dennis wrote: Agreed. We should not try to influence family selection. I will open an IPA trac ticket. https://fedorahosted.org/freeipa/ticket/2695 -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPv6
On 04/30/2012 03:54 AM, Petr Spacek wrote: On 04/27/2012 02:43 PM, John Dennis wrote: On 04/27/2012 04:45 AM, Petr Spacek wrote: On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt workslight oops there... Hi Steve, can you be more explicit on how you 'shutdown' IPv6 ? And can you please tell exactly how IPA breaks in that case ? Is this after IPA is fully installed ? Or does the installer fail ? Simo. Is it same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ? We do IPv6 in several places, but a while ago I noticed the way we iterate over address families in nsslib in conjunction with getaddrinfo (the io.AddrInfo class) looks dubious, it seems overly complex as if it's trying to force a family selection (not sure, I would have to go back and really look at the code again). Family selection should not be enforced from our code, I think. This way can create hidden dependency based on our (probably wrong) assumptions. Agreed. We should not try to influence family selection. I will open an IPA trac ticket. In any event getaddrinfo is designed to return a list of possible addresses sorted in priority order by the system. You're supposed to start at the first address in the list and see if you can connect, if not try the next address. You're not supposed to take addresses in the list based on some other criteria (which is what we seem to be doing with the family). FWIW, the raw c lib getaddrinfo allows one to specify constraints (such as family), unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does not permit this, not sure why (probably because NSPR has to fallback to other mechanisms if getaddrinfo is not available) AFAIK "right place" to specify this kind of constraints is to use "/etc/gai.conf" configuration file. NSPR ignores it? No. I believe /etc/gai.conf will be respected on modern systems with getaddrinfo support by NSPR because NSPR calls into getaddrinfo which is influenced by /etc/gai.conf. What I was referring to is that getaddrinfo exposes network address selection filtration based on gai.conf (or so I believe). -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPv6
On 04/27/2012 02:43 PM, John Dennis wrote: On 04/27/2012 04:45 AM, Petr Spacek wrote: On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt workslight oops there... Hi Steve, can you be more explicit on how you 'shutdown' IPv6 ? And can you please tell exactly how IPA breaks in that case ? Is this after IPA is fully installed ? Or does the installer fail ? Simo. Is it same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ? We do IPv6 in several places, but a while ago I noticed the way we iterate over address families in nsslib in conjunction with getaddrinfo (the io.AddrInfo class) looks dubious, it seems overly complex as if it's trying to force a family selection (not sure, I would have to go back and really look at the code again). Family selection should not be enforced from our code, I think. This way can create hidden dependency based on our (probably wrong) assumptions. In any event getaddrinfo is designed to return a list of possible addresses sorted in priority order by the system. You're supposed to start at the first address in the list and see if you can connect, if not try the next address. You're not supposed to take addresses in the list based on some other criteria (which is what we seem to be doing with the family). FWIW, the raw c lib getaddrinfo allows one to specify constraints (such as family), unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does not permit this, not sure why (probably because NSPR has to fallback to other mechanisms if getaddrinfo is not available) AFAIK "right place" to specify this kind of constraints is to use "/etc/gai.conf" configuration file. NSPR ignores it? Petr^2 Spacek ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPv6
On 04/27/2012 04:45 AM, Petr Spacek wrote: On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt workslight oops there... Hi Steve, can you be more explicit on how you 'shutdown' IPv6 ? And can you please tell exactly how IPA breaks in that case ? Is this after IPA is fully installed ? Or does the installer fail ? Simo. Is it same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ? We do IPv6 in several places, but a while ago I noticed the way we iterate over address families in nsslib in conjunction with getaddrinfo (the io.AddrInfo class) looks dubious, it seems overly complex as if it's trying to force a family selection (not sure, I would have to go back and really look at the code again). In any event getaddrinfo is designed to return a list of possible addresses sorted in priority order by the system. You're supposed to start at the first address in the list and see if you can connect, if not try the next address. You're not supposed to take addresses in the list based on some other criteria (which is what we seem to be doing with the family). FWIW, the raw c lib getaddrinfo allows one to specify constraints (such as family), unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does not permit this, not sure why (probably because NSPR has to fallback to other mechanisms if getaddrinfo is not available) -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPv6
On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt workslight oops there... Hi Steve, can you be more explicit on how you 'shutdown' IPv6 ? And can you please tell exactly how IPA breaks in that case ? Is this after IPA is fully installed ? Or does the installer fail ? Simo. Is it same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ? Petr^2 Spacek ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPv6
On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: > Hi, > > FYI, > > I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt workslight > oops there... Hi Steve, can you be more explicit on how you 'shutdown' IPv6 ? And can you please tell exactly how IPA breaks in that case ? Is this after IPA is fully installed ? Or does the installer fail ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] IPv6
Hi, FYI, I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt workslight oops there... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users