On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
> > Hello,
> >
> > I am working on ticket #1107 and I am looking for some ideas how to deal
> > with it.
> >
> > The problem is that when we are installing a replica and have firewall
> > on, the installation may fail or (even worse) hang. The question is
> > how to deal with this situation since we cannot test if the ports are
> > not blocked locally. It must be done from the remote master.
> >
> > I discussed this with Rob and I see two solutions here:
> >
> > 1) Don't complicate this and limit our user handholding (my favorite) -
> > just tell him what ports he should open before proceeding with the
> > installation. If he doesn't, the installation will fail later. The
> > problem is when the installation hangs - it's hard to detect. This is the
> > easy way.
> >
> > 2) Implement and register a mod_wsgi application on a master server and
> > let it test remotely if the ports on the replica are open. We would have
> > to open and listen on them in ipa-replica-install as we cannot tell if a port
> > is not-yet-opened or firewalled just from the network error code. If the
> > application would report a firewalled port, we would throw an error in
> > the ipa-replica-install.
> >
> > However, as Rob pointed out, it would open a possible security hole as
> > we would basically behave as a port scanner.
>
> It may also create SELinux issues as I think apache is not allowed to
> contact random ports normally.
>
> > Any opinions, suggestions, ideas on this?
>
> I think a much better solution is to create a simple program pair, one
> for the master and one for the wannabe replica.
>
> The one on the replica opens all relevant ports.
> The one to be run on the master tries to connect to all these ports.
> Each side will report port, service name, success/failure
So you are saying this program would be optional and the user could run it if he
were unsure whether the firewall setting is OK? Like running for example:

$ ipa-replica-check-connection --on-replica

on the replica, which would listen on our set of ports (and as Jakub said, it may
be secured by SELinux policy), and then he would run

$ ipa-replica-check-connection --on-master

on the master server, which would test the ports and print a result.

> Bonus points if we create the replica program so that it can use admin
> credentials to ssh into the master and run the master side automatically
> properly merging the output of that side.

I am not sure if we can count on having admin credentials for ssh or even an ssh
connection at all.

Martin

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
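A sketch of the program pair discussed in this thread, written as an added example and not FreeIPA's own code: the replica side binds and listens on the expected ports before any service is installed, and the master side connects to each one and classifies the outcome as open, refused (reachable host, nothing listening) or filtered (no answer, the usual firewall DROP symptom that makes the install hang). The port/service map and the `--on-replica` / `--on-master` option names are assumptions for illustration.

```python
import socket
import sys

# Illustrative port -> service map (assumed for this example, not the real IPA list).
IPA_PORTS = {80: "http", 443: "https", 389: "ldap", 636: "ldaps", 88: "kerberos", 464: "kpasswd"}


def open_listeners(ports, host="0.0.0.0"):
    """Replica side: bind and listen on every port so the master's connect()
    succeeds even though the real services are not installed yet.
    Returns the listening sockets; port 0 asks the kernel for a free port."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        socks.append(s)
    return socks


def check_port(host, port, timeout=3.0):
    """Master side: classify one port from the connect() outcome.
    open     -> TCP handshake completed, the listener is reachable
    refused  -> RST came back: host reachable, nothing listening there
    filtered -> no answer before the timeout, typical of a firewall DROP"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"   # e.g. no route to host


def check_ports(host, ports, timeout=3.0):
    """Returns {port: (service_name, status)} for the port,service,result report."""
    return {p: (IPA_PORTS.get(p, "unknown"), check_port(host, p, timeout)) for p in ports}


if __name__ == "__main__":
    if sys.argv[1:2] == ["--on-replica"]:
        listeners = open_listeners(IPA_PORTS)   # ports below 1024 need root
        input("listening on %s; run the master side, then press Enter " % sorted(IPA_PORTS))
        for s in listeners:
            s.close()
    elif len(sys.argv) == 3 and sys.argv[1] == "--on-master":
        for port, (name, status) in sorted(check_ports(sys.argv[2], IPA_PORTS).items()):
            print("%d,%s,%s" % (port, name, status))
    else:
        sys.exit("usage: --on-replica | --on-master <replica-host>")
```

A replica that still has its real services down shows "refused" rather than "filtered", which is exactly the distinction the thread says cannot be made unless the replica side opens the ports first.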
