The `IPA_SERVER_IP` failing to correct the A-record is issue #121:

https://github.com/freeipa/freeipa-container/issues/121

That puts a neat little bow on all my questions in this email thread. :D Thanks-

        John

On 07/24/2017 09:26 PM, John Morris via FreeIPA-users wrote:
Never mind, I partly figured out what's wrong, once I found a clue that
this stage requires server->replica connections.

The `ipa-replica-install` process, probably during `ipa-client-install`,
adds the DNS A-record for the server, but uses the container's IP address.

The freeipa-container scripts allow for this, and if the `IPA_SERVER_IP`
environment variable is set, they will attempt to correct the A-record
with `nsupdate`.  This was silently failing (I don't know why yet).

If the A-record is set prior to running `ipa-replica-install`, the
server can find the replica, the replication can be completed, and
everything hums happily.

For folks in the future, I guess if the replica install breaks at this
particular step, it's a good clue to check connectivity from the server
to the replica.

    John


On 07/24/2017 04:14 PM, John Morris via FreeIPA-users wrote:
I reinstalled both server and replica with the image you suggest.  The
same problem occurs at the same location; see the new gist:

https://gist.github.com/zultron/d7bed6d0c00ae8daef292ba4bb2c04e0

Thanks-

    John

On 07/24/2017 02:47 PM, Felipe Barreto Volpone via FreeIPA-users wrote:
John,

I didn't noticed that you're using adelton's repository.
Could you try more recent image from the official docker hub (/r/freeipa
instead of /r/adelton)?
https://hub.docker.com/r/freeipa/freeipa-server/
<https://hub.docker.com/r/freeipa/freeipa-server/>


On Mon, Jul 24, 2017 at 4:40 PM, John Morris via FreeIPA-users
<freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:

    (Apologies for previously sending off-list, Felipe.)

    Sure:

        docker run \
        --rm \
        --interactive \
        --restart=no \
        --hostname=h01.example.com <http://h01.example.com> \
        --security-opt=seccomp=unconfined \
        --name=ipa \
        --volume=/media/freeipa:/data \
        --volume=/media/state:/media/state \
        --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro \
        --env=IPA_SERVER_IP=1.2.3.4 \
        --add-host=h01.example.com:1 <http://h01.example.com:1>.2.3.4 \
        --publish=80:80 \
        --publish=443:443 \
        --publish=53:53 \
        --publish=53:53/udp \
        --publish=389:389 \
        --publish=636:636 \
        --publish=88:88 \
        --publish=88:88/udp \
        --publish=464:464 \
        --publish=464:464/udp \
        adelton/freeipa-server:centos-7

    Thanks-

        John



    On 07/24/2017 01:29 PM, Felipe Barreto Volpone wrote:

        Hi John,

        could you share the command you have run to setup the ipa
server?

        On Mon, Jul 24, 2017 at 3:12 PM, John Morris via FreeIPA-users
        <freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>
        <mailto:freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>>> wrote:

            Running FreeIPA out of Docker
(`adelton/freeipa-server:centos-7`
            image), `ipa-replica-install` hangs at `[29/44]: setting up
        initial
            replication`.  The `ipa-server-configure-first.log` (debug
        output
            enabled) is pasted in the below gist, plus output of
`journalctl
            -xe` from within the container.


        https://gist.github.com/zultron/6f9aeb47d304c7bcab93d023e36484ba

<https://gist.github.com/zultron/6f9aeb47d304c7bcab93d023e36484ba>


<https://gist.github.com/zultron/6f9aeb47d304c7bcab93d023e36484ba
<https://gist.github.com/zultron/6f9aeb47d304c7bcab93d023e36484ba>>

            The options to `ipa-replica-install` look like this:

                --unattended
                --principal=admin
                --admin-password=redacted
                --server=h01.example.com <http://h01.example.com>
        <http://h01.example.com>
                --hostname=h11.example.com <http://h11.example.com>
        <http://h11.example.com>
                --realm=EXAMPLE.COM <http://EXAMPLE.COM>
        <http://EXAMPLE.COM>
                --domain=example.com <http://example.com>
        <http://example.com>
                --setup-ca
                --setup-dns
                --no-reverse
                --no-forwarders
                --no-host-dns
                --no-ntp
                --no-ui-redirect
                --allow-zone-overlap
                --debug
                --skip-conncheck

            The docker command looks like this:

                docker run \
                    --rm \
                    --interactive \
                    --restart=no \
                    --hostname=h11.example.com <http://h11.example.com>
        <http://h11.example.com> \
                    --security-opt=seccomp=unconfined \
                    --name=ipa \
                    --volume=/media/freeipa:/data \
                    --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro \
                    --env=IPA_SERVER_IP=2.3.4.5 \
                    --env=KRB5_TRACE=/dev/stdout \
                    --add-host=h01.example.com:1
        <http://h01.example.com:1> <http://h01.example.com:1>.2.3.4 \
                    --publish=80:80 \
                    --publish=443:443 \
                    --publish=53:53 \
                    --publish=53:53/udp \
                    --publish=389:389 \
                    --publish=636:636 \
                    --publish=88:88 \
                    --publish=88:88/udp \
                    --publish=464:464 \
                    --publish=464:464/udp \
                    adelton/freeipa-server:centos-7 \
                    ipa-replica-install

            I'm starting to track this down starting from
            `ipaserver/install/dsinstance.py`, `__setup_replica()`,
but I'd
            really appreciate suggestions.  Thanks-

                    John
            _______________________________________________
            FreeIPA-users mailing list --
        freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>
            <mailto:freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>>
            To unsubscribe send an email to
            freeipa-users-le...@lists.fedorahosted.org
        <mailto:freeipa-users-le...@lists.fedorahosted.org>
            <mailto:freeipa-users-le...@lists.fedorahosted.org
        <mailto:freeipa-users-le...@lists.fedorahosted.org>>


    _______________________________________________
    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    <mailto:freeipa-users@lists.fedorahosted.org>
    To unsubscribe send an email to
    freeipa-users-le...@lists.fedorahosted.org
    <mailto:freeipa-users-le...@lists.fedorahosted.org>




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to