ipaclient: Defer creating the final krb5.conf on clients #1050
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A temporary krb5 configuration was used to join the domain in ipaclient_join. After that the final krkb5 configuration was created with enabled DNS discovery and used for the remainaing tasks, where also a connection to the IPA API was done. With several servers the DNS discovery could have picked up a different server. If the client deployment was faster than the replication this could have lead to an unknown host error. The issue was seen in performance testing where many simultaneous client enrollments have been done.. The goal is to keep server affinity as long as possible within the deployment process: The temporary krb5.conf that was used before in ipaclient_join was pulled out into an own module. The generated temporary krb5.conf is now used in ipaclient_join and also ipaclient_api. The generation of the final krb5.conf is moved to the end of the deployment process. Same as: https://pagure.io/freeipa/issue/9228 The setup of certmonger has been pulled out of ipaclient_setup_nss and moved to the end of the process after generating the final krb5.conf as it will use t will only use /etc/krb5.conf. Certificate issuance may fail during deployment due to using the final krb5.conf, but certmonger will re-try the request in this case. Same as: https://pagure.io/freeipa/issue/9246
t-woerner
force-pushed
the
ipaclient_defer_krb5_configuration
branch
from
794d3a9
to
6b5acd9
Compare
varunmylaraiah
approved these changes
Mar 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A temporary krb5 configuration was used to join the domain in ipaclient_join. After that the final krkb5 configuration was created with enabled DNS discovery and used for the remainaing tasks, where also a connection to the IPA API was done.
With several servers the DNS discovery could have picked up a different server. If the client deployment was faster than the replication this could have lead to an unknown host error.
The issue was seen in performance testing where many simultaneous client enrollments have been done..
The goal is to keep server affinity as long as possible within the deployment process:
The temporary krb5.conf that was used before in ipaclient_join was pulled out into an own module. The generated temporary krb5.conf is now used in ipaclient_join and also ipaclient_api.
The generation of the final krb5.conf is moved to the end of the deployment process.
Same as: https://pagure.io/freeipa/issue/9228
The setup of certmonger has been pulled out of ipaclient_setup_nss and moved to the end of the process after generating the final krb5.conf as it will use t will only use /etc/krb5.conf.
Certificate issuance may fail during deployment due to using the final krb5.conf, but certmonger will re-try the request in this case.
Same as: https://pagure.io/freeipa/issue/9246