Fix ipa-server-configure-first script to work with ipv4 and ipv6 addrs #639
base: master
Rerun failed tests please! They didn't pass because they reached a timeout.
I did rerun it but upon closer inspection, the Fedora 41 on K3s did not fail because of timeout but because of the replica setup failing ...
But anyway, as we've already discussed in #617, it is not clear to me why you try to add this logic at all. What exactly in the current behaviour prevents you from achieving the setup you need. If I understand the problem correctly, it's not about IPv6 addresses at all -- if you set those explicitly with the The problem might be with the IPv4 addresses. If the It seems to me that the best way forward is actually to add a logic to disable this internal update of the IPv4 address of the container. Please see #640 for a possible approach. It should allow you to use multiple IPv4 addresses with multiple
That is not right. I ran the tests many times and k3s on Fedora didn't fail: https://github.com/SJay3/freeipa-container/actions/runs/11911454741/job/33193138724 https://github.com/SJay3/freeipa-container/actions/runs/11912673594/job/33196965918
That is also not correct. The problem is that freeipa-container works with IPv4 addresses, not with IPv6 and dual stack. It's obvious from the ipa-server-configure-first script. If we don't set the IPA_SERVER_IP environment variable, we don't have the /run/ipa/ipa-server-ip file with the IP address. So after the FreeIPA server install or start, this script detects the IP address from the global interface in the container https://github.com/freeipa/freeipa-container/blob/master/ipa-server-configure-first#L40 and then updates DNS with the detected address https://github.com/freeipa/freeipa-container/blob/master/ipa-server-configure-first#L53 . The script ignores
The ipa-server-configure-first script will update the address in DNS to the internal IPv4 address of the container.
But this doesn't work, because the script tries to update only IPv4 addresses in DNS https://github.com/freeipa/freeipa-container/blob/master/ipa-server-configure-first#L53
Why do we need to disable this logic? If we set the IP address with
If this is true, then I don't see the point in the script logic for updating the address in DNS. Maybe I should remove it completely? Then, if FreeIPA is launched in a container, we always need to set the IP address parameter when launching the container so that the correct addresses get into DNS, unless we launch the container with network=host. Or, if we need to update the address after FreeIPA server-install or a container restart, could you explain why?
My apologies. I don't understand yet the reason why the tests fail. They do it every other time. I'll continue to figure it out.
But for the IPv6 address, there is nothing to solve. After the
the address is there, set by
Yes. But not by running the container again with a different
When you run the container, the IP address which will be assigned to that container and through which it will be accessible from other containers might not be known before the container is created. So we need some logic in the container to put the A record to the DNS so that other containers on the same host or the same virtual network can resolve that FreeIPA server's hostname. That's the reason for the But you might not want the internal container address in the DNS because access from other hosts is what you desire and you have port mapping or Kubernetes ingress or OpenShift route set. That's what the Today you are able to use the
That is not quite true. In IPv6-only mode I want to have only an AAAA DNS record. But after the ipa-server-configure-first script finishes, I have an AAAA DNS record with my IPv6 address and an A record with the 172.17.0.2 Docker internal address.
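The behaviour described in the thread (the script detecting the container's global-scope address and writing it into DNS, and the IPv6-only case ending up with both an AAAA record and an A record for 172.17.0.2) is easiest to reason about with the record-selection logic isolated. The following is an added example written for this page, not the freeipa-container script and not code from either participant. It assumes the output format of `ip -o addr show scope global` shown in the constructed samples, uses an override parameter in place of the IPA_SERVER_IP variable, and uses placeholder zone and host names (`example.test`, `ipa`); `--a-rec` and `--aaaa-rec` are real options of `ipa dnsrecord-mod`, but nothing here is executed against a FreeIPA server.

```shell
#!/bin/sh
# Added example (not the freeipa-container script): decide which A and
# AAAA records a container's hostname should get in IPv4-only, IPv6-only
# and dual-stack setups, from either an explicit override address or the
# container's global-scope addresses.

# Constructed sample of `ip -o addr show scope global` output for a
# dual-stack container. Assumed format: "<idx>: <iface> <family> <addr>/<len> ...".
SAMPLE_DUALSTACK='2: eth0    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
2: eth0    inet6 2001:db8::2/64 scope global'

# Constructed sample for an IPv6-only container (no inet line at all).
SAMPLE_V6ONLY='2: eth0    inet6 2001:db8::2/64 scope global'

# Print the global-scope addresses of one family (inet or inet6), one per
# line, without the prefix length. Reads `ip -o addr` text on stdin.
global_addrs() {
    awk -v fam="$1" '$3 == fam && / scope global/ { split($4, p, "/"); print p[1] }'
}

# Classify a single address by family: "inet6" if it contains a colon.
addr_family() {
    case "$1" in
        *:*) echo inet6 ;;
        *)   echo inet ;;
    esac
}

# Print "A <addr>" / "AAAA <addr>" lines for the server's hostname.
#   $1 = override address (stands in for IPA_SERVER_IP), may be empty
#   $2 = `ip -o addr` text, used only when no override is given
# A family with no address yields no record of that type, instead of a
# fallback to an address the container does not actually use.
dns_records() {
    override="$1"
    addr_text="$2"
    if [ -n "$override" ]; then
        if [ "$(addr_family "$override")" = inet6 ]; then
            echo "AAAA $override"
        else
            echo "A $override"
        fi
        return 0
    fi
    printf '%s\n' "$addr_text" | global_addrs inet  | sed 's/^/A /'
    printf '%s\n' "$addr_text" | global_addrs inet6 | sed 's/^/AAAA /'
}

# Turn the record list into the option string for `ipa dnsrecord-mod`.
# --a-rec / --aaaa-rec are real FreeIPA CLI options; the command is only
# printed here, never run.
ipa_dnsrecord_mod_args() {
    dns_records "$1" "$2" | awk '
        $1 == "A"    { a = a " --a-rec=" $2 }
        $1 == "AAAA" { aaaa = aaaa " --aaaa-rec=" $2 }
        END { printf "%s%s\n", a, aaaa }'
}

# Stand-alone demonstration with placeholder zone "example.test" and host "ipa".
echo "dual-stack, auto-detected: ipa dnsrecord-mod example.test ipa$(ipa_dnsrecord_mod_args '' "$SAMPLE_DUALSTACK")"
echo "IPv6-only, auto-detected:  ipa dnsrecord-mod example.test ipa$(ipa_dnsrecord_mod_args '' "$SAMPLE_V6ONLY")"
echo "explicit override:         ipa dnsrecord-mod example.test ipa$(ipa_dnsrecord_mod_args 2001:db8::99 "$SAMPLE_DUALSTACK")"
```

The point of the split by family is the IPv6-only case: with only an inet6 line present, `dns_records` emits a single AAAA record and no A record, and an explicit IPv6 override likewise produces only an AAAA record, which is the outcome requested in the comment above.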
Why not? This is exactly what the script does through the IPA_SERVER_IP variable
Agree. I'll save compatibility.
That's why I said "after the The A record gets there exactly via the mechanism that can be disabled with #640 and
I explained the (historical) reasons for that approach above. But any time we can use existing functionality in FreeIPA, I prefer that over adding another one to the containerization layer.
Ok. What should I do if I need to update the IPv6 address?
I will definitely check this mechanism as soon as I fix the problem in my PR that causes tests to fail.
My question was, why can't we use the
The same thing you would do on a FreeIPA server installed on a bare metal host or on a VM --
Why should I do this manually if a script can do it automatically? Besides, such functionality already exists for the IPv4 address. I just extended it so that it works for IPv6 or dual stack. Please run tests for new changes.
Compare 0e3f337 to 26384d2
Rebase PR. Please run tests |
Can you elaborate what you view as manual vs. automatic here? What is that "it" that you are after? AFAICS, all those setups are (or can be) scripted. The use of
I already explained that the To be explicit: I do not intend to merge your pull request since it seems to evolve in more band-aids and workarounds, not less. If you have a specific use case or setup which cannot be achieved with the current images, please describe it (and only it), ideally in a new issue.
Continuing work on pull request #617
- Parsing --ip-address option from server-install or replica-install options instead of using environment variable
- Update configure-first script to work in dual stack mode
- Fix rootless podman tests