Replica sets ipa-ca A record to the containers IP address instead of a given address #594

Open
m3e-g opened this issue Mar 1, 2024 · 3 comments

Comments

@m3e-g

m3e-g commented Mar 1, 2024

I've created a replica which was able to install itself successfully, with the following docker-compose.yml file (with some jinja2 templating):

networks:
  default:
    name: {{ network_name }}
    external: true

services:
  freeipa:
    image: freeipa/freeipa-server:{{ freeipa.version }}
    container_name: {{ role_name_local }}
    stdin_open: true
    tty: true
    sysctls:
     - net.ipv6.conf.all.disable_ipv6=0
    hostname: "ipa.{{ root_domain }}"
    read_only: true
    dns:
      - {{dns_ip}}
      - 127.0.0.1
    extra_hosts:
      - "ipa-re.{{root_domain}}:{{freeipa.src_replica_ip}}"
      - "ipa-re:{{freeipa.src_replica_ip}}"
      - "ipa.{{root_domain}}:{{freeipa.ip}}"
    environment:
      - TZ={{ tz }}
    command:
      - ipa-replica-install
      - --setup-ca
      - --admin-password={{ freeipa.ipa_admin_pass }}
      - --domain={{ root_domain }}
      - --realm={{ root_domain|upper }}
      - --setup-dns
      - --forwarder=8.8.8.8
      - --forwarder=8.8.4.4
      - --skip-mem-check
      - --force-join
      - --ip-address={{freeipa.ip}}
    ports:
      # FreeIPA WebUI
      #- "80:80"
      #- "443:443"
      # Kerberos
      - "88:88/udp"
      - "88:88"
      - "464:464/udp"
      - "464:464"
      # LDAP
      - "389:389"
      - "636:636"
      # DNS
      - "53:53/udp"
      - "53:53"
      # NTP
      - "123:123/udp"
    tmpfs:
      - /run
      - /var/run
      - /tmp
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - {{ role_appdata_dir }}:/data:Z
      - {{ role_log_dir }}:/data/var/log:Z
      - /sys/fs/cgroup/unified:/sys/fs/cgroup

I've been replicating from the ipa-re.{{root_domain}} to the ipa.{{root_domain}}, where ipa-re is a VM running the Rocky-9 with IPA 4.10.2.

Container used is freeipa/freeipa-server:rocky-9 (IPA 4.10.2), host is Ubuntu 22.04 LTS with Docker v25.

This seems to work like it used to before (it's communicating with the other docker containers on the same network and with external hosts) and ipa-healthcheck in the container does not return anything.

But I've noticed that the ipa-ca address is set to 172.18.0.4, which is the internal IP of the container. When I originally created this IPA instance in a container over 2 years ago, I'm not sure if the ipa-ca had been set at all. When I search through the snapshots I cannot find any mention of this field in /var/named (it's mentioned only in the certmonger, pki-tomcatd and httpd configs).

When I issue ipa dns-update-system-records --dry-run it still shows 172.18.0.4 as the ipa-ca address, so I suppose that changing it manually won't last. What would be the expected solution for this?

As a sidenote: if I add the IPA_SERVER_IP to the docker-compose above it will configure the replica as well but will never leave this loop

because it will always be resolved to the internal address by the docker dns service (127.0.0.11) (also it does not fix the original issue anyway):

[root@ipa /]# dig -t A ipa.<root_domain>

; <<>> DiG 9.16.23-RH <<>> -t A ipa.<root_domain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59419
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipa.<root_domain>.             IN      A

;; ANSWER SECTION:
ipa.<root_domain>.      600     IN      A       172.18.0.4

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Mar 01 00:00:24 CET 2024
;; MSG SIZE  rcvd: 68
@m3e-g
Author

m3e-g commented Mar 1, 2024

I've restored my freeipa instance from a 2023-11-30 backup (rocky-8) and the ipa-ca had been correctly set to the external address, but ipa dns-update-system-records --dry-run is still suggesting the internal address.

@adelton
Collaborator

adelton commented Mar 1, 2024

Last time we discussed this was in #321 and there we concluded that --ip-address (which you use) should be working. Albeit that was on a master, not replica. But with that and especially the extra_hosts which I assume set records in /etc/hosts in the container, there's not much more you could do to make FreeIPA happy.

Any chance you would be able to set up a replica in a VM with some nonstandard IP setup, instead of in a container, and see if ipa dns-update-system-records works in that case?

@m3e-g
Author

m3e-g commented Mar 1, 2024

I wish I'd stumbled upon #321 earlier, as it would have saved me some debugging time ;)
For the record, when creating a new container with a master, using --ip-address also sets the ipa-ca A record to the internal address. I suppose there is no mechanism to override this address within IPA itself, or it's kept like this by design.

If time permits I'll try to recreate a similar setup in VMs, but I'd have to figure out proper NAT for those first.
