On 05/19/2011 04:41 PM, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
>> Hello,
>>
>> I am working on ticket #1107 and I am looking for some ideas how to deal
>> with it.
>>
>> The problem is that when we are installing a replica and have a firewall
>> on, the installation may fail or (even worse) hang. The question is
>> how to deal with this situation since we cannot test if the ports are
>> not blocked locally. It must be done from the remote master.
>>
>> I discussed this with Rob and I see two solutions here:
>>
>> 1) Don't complicate this and limit our user handholding (my favorite) -
>> just tell him what ports he should open before proceeding with the
>> installation. If he doesn't, the installation will fail later. The
>> problem is when the installation hangs - it's hard to detect. This is the
>> easy way.
>>
>> 2) Implement and register a mod_wsgi application on a master server and
>> let it test remotely if the ports on the replica are open. We would have
>> to open and listen on them in ipa-replica-install as we cannot tell if a port
>> is not-yet-opened or firewalled just from the network error code. If the
>> application would report a firewalled port, we would throw an error in
>> the ipa-replica-install.
>>
>> However, as Rob pointed out, it would open a possible security hole as
>> we would basically behave as a port scanner.
>
> It may also create SELinux issues as I think apache is not allowed to
> contact random ports normally.
>
>> Any opinions, suggestions, ideas on this?
>
> I think a much better solution is to create a simple program pair, one
> for the master and one for the wannabe replica.
>
> The one on the replica opens all relevant ports.
> The one to be run on the master tries to connect to all these ports.
> Each side will report port,service name,success/failure
>
> Bonus points if we create the replica program so that it can use admin
> credentials to ssh into the master and run the master side automatically,
> properly merging the output of that side.
>
> Simo.
>

I think Simo has a point but it is too much for now. IMO it is OK to fail and report a meaningful error message on either side. Installation hanging is what we should address here in the scope of 2.1.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
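The program pair Simo sketches above (replica side listens on the ports the install needs, master side connects to each one, both sides report `port,service name,success/failure`) can be prototyped in a few dozen lines of plain sockets. The following is an added example written for this thread, not FreeIPA's own code: the service-to-port table is an assumption used for illustration (the thread does not enumerate the ports), and the `replica_report` / `check_ports` function names are hypothetical. It also makes the point Martin raises explicit: the master side can only say "unreachable", so the replica must already be listening before the check runs, otherwise a firewalled port and a not-yet-opened port are indistinguishable.

```python
"""Two-sided port reachability check for a replica install.

Replica side: open_ports() listens on each required port, replica_report()
records which of them actually received a connection.
Master side:  check_ports() tries a TCP connect to each port.
Both sides report (port, service name, success/failure).
"""
import select
import socket
import sys
import time
from typing import Dict, List, Tuple

# Assumed example table for illustration; the thread does not list the ports.
DEFAULT_SERVICES: List[Tuple[int, str]] = [
    (80, "http"), (443, "https"),
    (389, "ldap"), (636, "ldaps"),
    (88, "kerberos"), (464, "kpasswd"),
]

Listeners = Dict[int, Tuple[str, socket.socket]]  # bound port -> (name, socket)


def open_ports(services: List[Tuple[int, str]], bind_addr: str = "0.0.0.0") -> Listeners:
    """Replica side: bind and listen on every requested port.
    Port 0 asks the kernel for any free port (handy for unprivileged tests);
    the returned dict is keyed by the port actually bound."""
    listeners: Listeners = {}
    for port, name in services:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        s.listen(5)
        listeners[s.getsockname()[1]] = (name, s)
    return listeners


def replica_report(listeners: Listeners, wait: float = 5.0) -> List[Tuple[int, str, bool]]:
    """Replica side: wait up to `wait` seconds and note which listening ports
    received a connection from the master. A port that never sees a connect
    is reported as failure (blocked somewhere on the path, or master not run)."""
    seen = {port: False for port in listeners}
    by_sock = {s: port for port, (_, s) in listeners.items()}
    deadline = time.monotonic() + wait
    while not all(seen.values()):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        readable, _, _ = select.select(list(by_sock), [], [], remaining)
        for s in readable:
            conn, _ = s.accept()
            conn.close()          # the handshake itself is the evidence we need
            seen[by_sock[s]] = True
    return [(port, name, seen[port]) for port, (name, _) in listeners.items()]


def check_ports(host: str, services: List[Tuple[int, str]], timeout: float = 3.0) -> List[Tuple[int, str, bool]]:
    """Master side: attempt a TCP connect to every port on the replica.
    Refused, timed out and unreachable all count as failure; the error code
    alone cannot tell a firewalled port from one nobody listens on yet."""
    results = []
    for port, name in services:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                ok = True
        except OSError:
            ok = False
        results.append((port, name, ok))
    return results


def format_report(results: List[Tuple[int, str, bool]]) -> str:
    """Render results in the port,service name,success/failure form."""
    return "\n".join(f"{port},{name},{'success' if ok else 'failure'}"
                     for port, name, ok in results)


def close_ports(listeners: Listeners) -> None:
    for _, s in listeners.values():
        s.close()


if __name__ == "__main__":
    # Usage: `python check.py listen` on the replica (needs root for low ports),
    # then `python check.py check <replica-host>` on the master.
    if sys.argv[1:2] == ["listen"]:
        ls = open_ports(DEFAULT_SERVICES)
        print(format_report(replica_report(ls, wait=60.0)))
        close_ports(ls)
    elif sys.argv[1:3][:1] == ["check"] and len(sys.argv) == 3:
        print(format_report(check_ports(sys.argv[2], DEFAULT_SERVICES)))
    else:
        print("usage: check.py listen | check <replica-host>")
```

Note that a successful `check_ports` result on the master proves reachability only for the probe's source address; a filter that allows the master but nothing else would still pass, which is exactly what the replica install needs. Hanging installs (Dmitri's concern) are addressed by the explicit `timeout` on every connect rather than relying on the kernel's default.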