freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipareplica - Allow KRA and DNS setup after initial replica setup #62

Open ghost opened 5 years ago

ghost commented 5 years ago

The ipa-replica-install command defaults to not setting up KRA or DNS; however, after the replica is set up you can run "ipa-kra-install" or "ipa-dns-install" to add those roles/functionality.

ansible-freeipa should support the same ability.

Currently, if ipareplica is run, then ipareplica_setup_dns and ipareplica_setup_kra are changed to yes, and ansible is rerun, the ipareplica role will fail with the following message: "IPA server is already configured on this system.\nIf you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'". Expected results would be that the KRA and DNS roles are added to the existing configured replica.

t-woerner commented 5 years ago

The roles in ansible-freeipa are doing the deployment in the same way as the command line installers at the moment. The idea to be able to use the roles again to enable additional features is something that the client role is already allowing with the allow_repair setting, but the server and replica roles do not, yet. It is planned to add this as soon as we have the ability to identify missing or broken parts, for example with the health check tool.

relrod commented 5 years ago

Is there a workaround to this for the time being? I'm hitting a case where I'm trying to add a replica getting an error mid-way through (for some reason doing a replica with DNS isn't working right), but when I re-run it after it errors, it skips everything.

Sometimes I can undo things by setting the role to ensure: absent and running the playbook, then setting it to ensure: present to try again. But several times trying that got things into a weird enough state (read: Python tracebacks everywhere) that I just decided to wipe the VM and try it again.

I guess my best case is to do a deploy of the replica without DNS (which does work successfully), and then try a manual ipa-dns-install as @jlanclos alluded to in the original report?

t-woerner commented 5 years ago

> Is there a workaround to this for the time being? I'm hitting a case where I'm trying to add a replica getting an error mid-way through (for some reason doing a replica with DNS isn't working right), but when I re-run it after it errors, it skips everything.
>
> Sometimes I can undo things by setting the role to ensure: absent and running the playbook, then setting it to ensure: present to try again. But several times trying that got things into a weird enough state (read: Python tracebacks everywhere) that I just decided to wipe the VM and try it again.
>
> I guess my best case is to do a deploy of the replica without DNS (which does work successfully), and then try a manual ipa-dns-install as @jlanclos alluded to in the original report?

What exact error are you hitting with DNS? Please open a bug report for this. Yes, as a workaround you could try to deploy without DNS support and enable DNS support after the deployment has finished.