On Wed, Sep 21, 2016 at 12:01:44PM +0200, Jan Pazdziora wrote: > > I've recently hit again the situation of IPA installer not happy > about the provided IP address not being local to it, this time in > containerized environment: > > https://bugzilla.redhat.com/show_bug.cgi?id=1377973 > > During the discussion, we came to an interesting question: > > What would break if loopback addresses were allowed for IPA > server? > > Of course, the idea is that it would only be used for installation and > then IPA would change its IP address in DNS to whatever is the real IP > address under which it is accessible. > > Where does the allow_loopback=False requirement in the installer come > from and what would break if it was removed altogether?
I also see messages like Adding [10.11.12.13 ipa.example.com] to your /etc/hosts file in some cases. Actually, it's 10.11.12.13 ipa.example.com ipa which gets added so the message is not accurate. Modification of /etc/hosts itself seems unfortunate. Should the IP address change in the future, there will be one more place where the IP address stays hardcoded. I wonder why hosts: files dns myhostname isn't enough, and whether hosts: files myhostname dns might actually be better order. When the value is not in /etc/hosts, I see weird startup issues, presumably because individual components time out resolving $HOSTNAME, so systemctl start ipa fails. Perhaps it has something to do with named being up at that point, rather than unreachable, just not resolving anything yet. Chicken and egg. I wonder why we cannot add ipa.example.com to 127.0.0.1. I've tried that and have seen named-pkcs11[453]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localh...@example.test not found in Kerberos database): bind to LDAP server failed which suggests something derives the hostname and thus the principal from the IP address used. Why is not $HOSTNAME used everywhere? What part of the system cares about the IP address (and the reverse resolution)? If overloading 127.0.0.1 with the $HOSTNAME does not work, could 127.0.0.2 do the trick? It seems to work for subsequent starts (did not try it during ipa-server-install) in containers. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code