The `IPA_SERVER_IP` failing to correct the A-record is issue #121:
https://github.com/freeipa/freeipa-container/issues/121
That puts a neat little bow on all my questions in this email thread.
:D Thanks-
John
On 07/24/2017 09:26 PM, John Morris via FreeIPA-users wrote:
Never mind, I partly figured out what's wrong, once I found a clue that
this stage requires server->replica connections.
The `ipa-replica-install` process, probably during `ipa-client-install`,
adds the DNS A-record for the server, but uses the container's IP address.
The freeipa-container scripts allow for this, and if the `IPA_SERVER_IP`
environment variable is set, they will attempt to correct the A-record
with `nsupdate`. This was silently failing (I don't know why yet).
If the A-record is set prior to running `ipa-replica-install`, the
server can find the replica, the replication can be completed, and
everything hums happily.
For folks in the future, I guess if the replica install breaks at this
particular step, it's a good clue to check connectivity from the server
to the replica.
John
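
The check described in the message above, as an added example that is not part of the original thread or of the freeipa-container scripts: it compares the A record DNS returns with the address given in `IPA_SERVER_IP`, rewrites the record with `nsupdate`, and reports every failure instead of swallowing it. It assumes `dig` and `nsupdate` are available and that a Kerberos ticket exists for `nsupdate -g`; the function names, the TTL of 180 and the container address 172.17.0.2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, TTL and 172.17.0.2 are constructed.

# Classify DNS answers against the address the host must have.
# $1 = expected IPv4 address
# $2 = newline-separated answers, e.g. from `dig +short A <host> @<server>`
# Prints one of: match | missing | mismatch
a_record_status() {
    expected=$1
    # Keep only IPv4 lines (dig +short may also print CNAME targets).
    answers=$(printf '%s\n' "$2" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u)
    if [ -z "$answers" ]; then
        echo missing
    elif [ "$answers" = "$expected" ]; then
        echo match
    else
        echo mismatch    # wrong address, or a stale record next to the right one
    fi
}

# Emit an nsupdate batch that replaces all A records of a host.
# $1 = fqdn, $2 = address, $3 = TTL in seconds
nsupdate_batch() {
    printf 'update delete %s. A\n' "$1"
    printf 'update add %s. %s A %s\n' "$1" "$3" "$2"
    printf 'send\n'
}

# Query, repair if needed, then query again. Failures go to stderr and
# come back as a non-zero status.
# $1 = fqdn, $2 = expected address, $3 = DNS server to query
ensure_a_record() {
    status=$(a_record_status "$2" "$(dig +short A "$1" "@$3")")
    [ "$status" = match ] && return 0
    echo "A record for $1 is $status, expected $2; updating" >&2
    if ! nsupdate_batch "$1" "$2" 180 | nsupdate -g; then
        echo "nsupdate failed for $1" >&2
        return 1
    fi
    status=$(a_record_status "$2" "$(dig +short A "$1" "@$3")")
    [ "$status" = match ] || { echo "A record for $1 still $status" >&2; return 2; }
}

# Offline demo on constructed data: DNS answered with a container address.
a_record_status 2.3.4.5 "172.17.0.2"
nsupdate_batch h11.example.com 2.3.4.5 180
```

Running `ensure_a_record h11.example.com 2.3.4.5 h01.example.com` before `ipa-replica-install` reaches the replication step would surface the failed update as a non-zero exit status.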
On 07/24/2017 04:14 PM, John Morris via FreeIPA-users wrote:
I reinstalled both server and replica with the image you suggest. The
same problem occurs at the same location; see the new gist:
https://gist.github.com/zultron/d7bed6d0c00ae8daef292ba4bb2c04e0
Thanks-
John
On 07/24/2017 02:47 PM, Felipe Barreto Volpone via FreeIPA-users wrote:
John,
I didn't notice that you're using adelton's repository.
Could you try a more recent image from the official docker hub (/r/freeipa
instead of /r/adelton)?
https://hub.docker.com/r/freeipa/freeipa-server/
On Mon, Jul 24, 2017 at 4:40 PM, John Morris via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
(Apologies for previously sending off-list, Felipe.)
Sure:
docker run \
    --rm \
    --interactive \
    --restart=no \
    --hostname=h01.example.com \
    --security-opt=seccomp=unconfined \
    --name=ipa \
    --volume=/media/freeipa:/data \
    --volume=/media/state:/media/state \
    --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro \
    --env=IPA_SERVER_IP=1.2.3.4 \
    --add-host=h01.example.com:1.2.3.4 \
    --publish=80:80 \
    --publish=443:443 \
    --publish=53:53 \
    --publish=53:53/udp \
    --publish=389:389 \
    --publish=636:636 \
    --publish=88:88 \
    --publish=88:88/udp \
    --publish=464:464 \
    --publish=464:464/udp \
    adelton/freeipa-server:centos-7
Thanks-
John
On 07/24/2017 01:29 PM, Felipe Barreto Volpone wrote:
Hi John,
Could you share the command you have run to set up the ipa server?
On Mon, Jul 24, 2017 at 3:12 PM, John Morris via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Running FreeIPA out of Docker (`adelton/freeipa-server:centos-7`
image), `ipa-replica-install` hangs at `[29/44]: setting up initial
replication`. The `ipa-server-configure-first.log` (debug output
enabled) is pasted in the below gist, plus output of `journalctl -xe`
from within the container.
https://gist.github.com/zultron/6f9aeb47d304c7bcab93d023e36484ba
The options to `ipa-replica-install` look like this:
    --unattended
    --principal=admin
    --admin-password=redacted
    --server=h01.example.com
    --hostname=h11.example.com
    --realm=EXAMPLE.COM
    --domain=example.com
    --setup-ca
    --setup-dns
    --no-reverse
    --no-forwarders
    --no-host-dns
    --no-ntp
    --no-ui-redirect
    --allow-zone-overlap
    --debug
    --skip-conncheck
The docker command looks like this:
docker run \
    --rm \
    --interactive \
    --restart=no \
    --hostname=h11.example.com \
    --security-opt=seccomp=unconfined \
    --name=ipa \
    --volume=/media/freeipa:/data \
    --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro \
    --env=IPA_SERVER_IP=2.3.4.5 \
    --env=KRB5_TRACE=/dev/stdout \
    --add-host=h01.example.com:1.2.3.4 \
    --publish=80:80 \
    --publish=443:443 \
    --publish=53:53 \
    --publish=53:53/udp \
    --publish=389:389 \
    --publish=636:636 \
    --publish=88:88 \
    --publish=88:88/udp \
    --publish=464:464 \
    --publish=464:464/udp \
    adelton/freeipa-server:centos-7 \
    ipa-replica-install
I'm starting to track this down starting from
`ipaserver/install/dsinstance.py`, `__setup_replica()`, but I'd
really appreciate suggestions. Thanks-
John
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org