From d2ffa10df62bba45aa63232d3ad9a5ebf7158eea Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 5 Dec 2023 14:34:31 -0500
Subject: [PATCH] Server affinity: Retain user-requested remote server

We want to avoid splitting a replica server installation between two hosts where possible so if a CA or KRA is requested then we only try to install against a remote server that also provides those capabilities. This avoids race conditions. If a CA or KRA is not requested and the user has provided a server to install against then use that instead of overriding it. Extend the logic of picking the remote Custodia mode (KRA, CA, *MASTER*) to include considering whether the CA and KRA services are requested. If the service(s) are not requested the the associated hostname may not be reliable.

Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/server/replicainstall.py | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 27fbdef8ec9aa5ae343352ebf3c61d74d65c8958..8096b6accb4c94fefdfcc06f19584c63c24d7baf 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
 def remote_connection(config):
+ logger.debug("Creating LDAP connection to %s", config.master_host_name)
 ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
 xmlrpc_uri = 'https://{}/ipa/xml'.format(
 ipautil.format_netloc(config.master_host_name))
@@ -1087,7 +1088,7 @@ def promote_check(installer):
 'CA', conn, preferred_cas
 )
 if ca_host is not None:
- if config.master_host_name != ca_host:
+ if options.setup_ca and config.master_host_name != ca_host:
 conn.disconnect()
 del remote_api
 config.master_host_name = ca_host
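Review bot: The new `options.setup_ca` guard in the -1087 hunk decides which host the whole install is pointed at, yet the reason lives only in the commit message; a short comment on that line would keep it with the code, e.g. `# Re-point at the CA host only when a CA is being installed here; otherwise honour the server the user asked for (issue 9491)`. The same comment belongs on the parallel `options.setup_kra` guard in the -1135 hunk. Note that `config.ca_host_name = ca_host` a few lines below (visible as context in the -1096 hunk) still runs when setup_ca is False, so from here on ca_host_name and master_host_name may legitimately differ; anything downstream that assumed they were equal should be re-checked. promote_check's body continues outside the hunk.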
@@ -1096,8 +1097,7 @@ def promote_check(installer):
 conn = remote_api.Backend.ldap2
 conn.connect(ccache=installer._ccache)
 config.ca_host_name = ca_host
- config.master_host_name = ca_host
- ca_enabled = True
+ ca_enabled = True # There is a CA somewhere in the topology
 if options.dirsrv_cert_files:
 logger.error("Certificates could not be provided when "
 "CA is present on some master.")
@@ -1135,7 +1135,7 @@ def promote_check(installer):
 'KRA', conn, preferred_kras
 )
 if kra_host is not None:
- if config.master_host_name != kra_host:
+ if options.setup_kra and config.master_host_name != kra_host:
 conn.disconnect()
 del remote_api
 config.master_host_name = kra_host
@@ -1143,10 +1143,9 @@ def promote_check(installer):
 installer._remote_api = remote_api
 conn = remote_api.Backend.ldap2
 conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
- config.ca_host_name = kra_host
- config.master_host_name = kra_host
- kra_enabled = True
+ config.kra_host_name = kra_host
+ config.ca_host_name = kra_host
+ kra_enabled = True # There is a KRA somewhere in the topology
 if options.setup_kra and options.server and \
 kra_host != options.server:
 # Installer was provided with a specific master
@@ -1372,10 +1371,10 @@ def install(installer):
 otpd.create_instance('OTPD', config.host_name,
 ipautil.realm_to_suffix(config.realm_name))
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
 # A KRA peer always provides a CA, too.
 mode = custodiainstance.CustodiaModes.KRA_PEER
- elif ca_enabled:
+ elif options.setup_ca and ca_enabled:
 mode = custodiainstance.CustodiaModes.CA_PEER
 else:
 mode = custodiainstance.CustodiaModes.MASTER_PEER
-- 
2.43.0
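Review bot: In the -1143 hunk `config.ca_host_name = kra_host` now appears to run whenever a KRA host is found, regardless of `options.setup_kra` (the removed and added lines read identically here because indentation was lost in this rendering, so I take the change to be a dedent out of the inner `if`). If the install was pinned to `ca_host` by the CA block above and the KRA lives on a different host, ca_host_name is overwritten while master_host_name stays on ca_host, which is exactly the split across two hosts this commit sets out to avoid; consider guarding it with `if options.setup_kra:` or assigning it only alongside master_host_name. The trailing comment on `kra_enabled = True` would be more useful if it said what the flag drives later (Custodia peer-mode selection in install()) rather than only that a KRA exists. promote_check continues outside the hunk.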
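Review bot: In the -1372 hunk `options` is used inside install() but is not bound anywhere in the hunk, and install() starts outside it; please verify the name is in scope there (in the other hunks it is used in promote_check) or obtain it from `installer` the way that function does. With the stricter conditions a replica that requests neither CA nor KRA now always gets `MASTER_PEER` even when `ca_enabled`/`kra_enabled` are set, which matches the commit message but deserves a comment on the `if`, e.g. `# Peer mode follows what is being installed here, not what merely exists in the topology`.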