freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0
50 stars 28 forks

IPADNSSystemRecordsCheck displays warning message for 2 expected ipa-ca AAAA records. #270

Closed menonsudhir closed 1 year ago

menonsudhir commented 2 years ago

ipa-server and ipa-replica have been installed using IPv4 and IPv6 addresses, but when the healthcheck test is run it displays a WARNING message as below

ipa-server-install --setup-dns --forwarder=ipv4-add -a password -p password -n testrealm.test -r TESTREALM.TEST --hostname server.testrealm.test --ip-address=ipv6-add --auto-reverse -U

ipa-replica-install --setup-dns --forwarder=ipv4-add --realm TESTREALM.TEST -n testrealm.test -w password --setup-ca -P admin --ip-address=ipv4-add --server=server.testrealm.test -v --ip-address=ipv6-add -U --skip-conncheck

[root@server ~]# ipa dnsrecord-find
  Zone name: testrealm.test
  Record name: @
  NS record: server.testrealm.test., replica.testrealm.test.

  Record name: _kerberos
  TXT record: "TESTREALM.TEST"
  URI record: 0 100 "krb5srv:m:tcp:server.testrealm.test.", 0 100 "krb5srv:m:udp:server.testrealm.test.", 0 100 "krb5srv:m:tcp:replica.testrealm.test.", 0 100 "krb5srv:m:udp:replica.testrealm.test."

  Record name: _kpasswd
  URI record: 0 100 "krb5srv:m:tcp:server.testrealm.test.", 0 100 "krb5srv:m:udp:server.testrealm.test.", 0 100 "krb5srv:m:tcp:replica.testrealm.test.", 0 100 "krb5srv:m:udp:replica.testrealm.test."

  Record name: _kerberos._tcp
  SRV record: 0 100 88 server.testrealm.test., 0 100 88 replica.testrealm.test.

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 server.testrealm.test., 0 100 88 replica.testrealm.test.

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 server.testrealm.test., 0 100 464 replica.testrealm.test.

  Record name: _ldap._tcp
  SRV record: 0 100 389 server.testrealm.test., 0 100 389 replica.testrealm.test.

  Record name: _kerberos._udp
  SRV record: 0 100 88 server.testrealm.test., 0 100 88 replica.testrealm.test.

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 server.testrealm.test., 0 100 88 replica.testrealm.test.

  Record name: _kpasswd._udp
  SRV record: 0 100 464 server.testrealm.test., 0 100 464 replica.testrealm.test.

  Record name: ipa-ca
  A record: replica-add
  AAAA record: replica-ipv6-add, server-ipv6-add

  Record name: replica
  A record: replica-ipv4-add
  AAAA record: replica-ipv6-add
  SSHFP record:

  Record name: server
  AAAA record: server-ipv6-add
  SSHFP record:
Number of entries returned 13


ipa-healthcheck --failures-only

{
  "source": "ipahealthcheck.ipa.idns",
  "check": "IPADNSSystemRecordsCheck",
  "result": "WARNING",
  "uuid": "5fe925f2-6bd5-411c-9a0d-352d850b792c",
  "when": "20220617143708Z",
  "duration": "0.038578",
  "kw": {
    "msg": "Got {count} ipa-ca A records, expected {expected}",
    "count": 1,
    "expected": 2
  }
}

flo-renaud commented 2 years ago

The issue happens when IPv4 or IPv6 is configured on one server but not on all the servers. Relevant code: https://github.com/freeipa/freeipa-healthcheck/blob/c9feb33f7cbd315f303af2556ab20eabe9bb7b77/src/ipahealthcheck/ipa/idns.py#L195-L201 and https://github.com/freeipa/freeipa-healthcheck/blob/c9feb33f7cbd315f303af2556ab20eabe9bb7b77/src/ipahealthcheck/ipa/idns.py#L230-L236

ca_count is incremented for each server with the CA role, not considering that the server could have either IPv4 or IPv6 disabled. The code assumes all-or-nothing: if one server has an IPv4 address, all the other ones are expected to also have an IPv4 address and ipa-ca should contain an A record for each server with the CA role. Same for IPv6.

rcritten commented 2 years ago

This is working as designed. There is no way to know at execution time whether this is on purpose or not. A missing ipa-ca record can impact ACME in particular. Hence it is marked as a WARNING. If this does not apply to an installation the result can be excluded via configuration.

flo-renaud commented 2 years ago

IMO it's also possible to avoid the warning if the logic is replaced with the following:

For instance, let's imagine serverA has 1 A record, serverB none, serverC one, and the 3 servers have the CA role. We should expect 1+0+1 ipa-ca A records. Another example: serverA has 1 record, serverB none, serverC one but serverC doesn't have the CA role; we should expect 1+0+0 ipa-ca A records.

Same logic can be applied to ipa-ca AAAA records.

rcritten commented 2 years ago

Rather than doing a count I compare the expected and actual records and report those that don't match expectations. It is a rather radical change.
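
The three ways of deciding what ipa-ca should contain that this thread discusses (the all-or-nothing count flo-renaud describes in the code, flo-renaud's per-server sum, and rcritten's set comparison of expected versus actual records), as an added example that is not freeipa-healthcheck's own code. The `Server` dataclass, its field names and the constructed addresses (documentation ranges) are assumptions; the real check reads server roles and the ipa-ca record set from LDAP/DNS. The data mirrors this issue: `server` is IPv6-only, `replica` is dual-stack, both hold the CA role.

```python
"""Added example (not freeipa-healthcheck code): three ways to decide what the
ipa-ca record set should look like, run over constructed server data."""

from dataclasses import dataclass


@dataclass
class Server:
    """Minimal stand-in for an IPA server entry; field names are assumptions."""
    name: str
    ca: bool                       # holds the CA role
    a: frozenset = frozenset()     # IPv4 addresses in its own A records
    aaaa: frozenset = frozenset()  # IPv6 addresses in its own AAAA records


def expected_all_or_nothing(servers):
    """Count logic the issue describes: as soon as *any* server has a record
    of a type, every CA-role server is expected to contribute one of that type."""
    ca_count = sum(1 for s in servers if s.ca)
    any_a = any(s.a for s in servers)
    any_aaaa = any(s.aaaa for s in servers)
    return {"A": ca_count if any_a else 0, "AAAA": ca_count if any_aaaa else 0}


def expected_per_server(servers):
    """flo-renaud's proposal: per record type, sum the records each CA-role
    server actually has; servers without the CA role contribute nothing."""
    return {
        "A": sum(len(s.a) for s in servers if s.ca),
        "AAAA": sum(len(s.aaaa) for s in servers if s.ca),
    }


def count_warnings(servers, ipa_ca, expected_fn):
    """Render a WARNING line (same wording as the healthcheck kw msg) for each
    record type whose ipa-ca count differs from what expected_fn predicts."""
    warnings = []
    for rtype, expected in expected_fn(servers).items():
        count = len(ipa_ca.get(rtype, frozenset()))
        if count != expected:
            warnings.append(f"Got {count} ipa-ca {rtype} records, expected {expected}")
    return warnings


def compare_records(servers, ipa_ca):
    """rcritten's approach: build the exact expected address set from the
    CA-role servers and report what is missing from, or extra in, ipa-ca."""
    expected = {
        "A": frozenset().union(*(s.a for s in servers if s.ca)),
        "AAAA": frozenset().union(*(s.aaaa for s in servers if s.ca)),
    }
    findings = {}
    for rtype in ("A", "AAAA"):
        actual = ipa_ca.get(rtype, frozenset())
        missing = expected[rtype] - actual
        extra = actual - expected[rtype]
        if missing or extra:
            findings[rtype] = {"missing": sorted(missing), "extra": sorted(extra)}
    return findings


# Constructed data mirroring the issue (assumed addresses from RFC 5737/3849
# documentation ranges): server is IPv6-only, replica is dual-stack, both CA.
SERVERS = [
    Server("server.testrealm.test", ca=True, aaaa=frozenset({"2001:db8::1"})),
    Server("replica.testrealm.test", ca=True,
           a=frozenset({"192.0.2.2"}), aaaa=frozenset({"2001:db8::2"})),
]
# What ipa-ca holds in the reporter's zone: one A record, two AAAA records.
IPA_CA = {
    "A": frozenset({"192.0.2.2"}),
    "AAAA": frozenset({"2001:db8::1", "2001:db8::2"}),
}

if __name__ == "__main__":
    print("all-or-nothing:", count_warnings(SERVERS, IPA_CA, expected_all_or_nothing))
    print("per-server sum:", count_warnings(SERVERS, IPA_CA, expected_per_server))
    print("set comparison:", compare_records(SERVERS, IPA_CA))
```

On the issue's data the all-or-nothing count produces exactly the reporter's warning ("Got 1 ipa-ca A records, expected 2"), the per-server sum produces none, and the set comparison produces no findings. The set comparison also names the offending address when ipa-ca carries an A record for a host that has no CA role, or lacks one for a host that does, which a bare count cannot do.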

rcritten commented 2 years ago

It looks like dns-update-system-records doesn't handle removing the last IP type. I opened IPA issue https://pagure.io/freeipa/issue/9195