Handle NTP configuration in a replica server installation

[rcritten]

There were two separate issues:

1. If not enrolling on a pre-configured client then the ntp-server and
   ntp-pool options are not being passed down to the client installer
   invocation.
2. If the client is already enrolled then the ntp options are ignored
   altogether.

So basically reverse those. Detect the ntp options and add them to
the ipa-client-install invocation if the client is not pre-enrolled.

If it is pre-enrolled then call out to the time configuration
methods to setup the servers or pool. The changes will be recorded
in the client sysrestore.

https://pagure.io/freeipa/issue/7723

Signed-off-by: Rob Crittenden rcritten@redhat.com

[Tiboris]

Thanks for the patch. Just had a quick look at it :)
LGTM but not tested i will leave it to assignee

[flo-renaud]

Hi @rcritten
thanks for the PR. Please find inline comments.

[flo-renaud]

At first I was not comfortable with configuring chrony in promote_check, but since this method is doing more than checks (for instance if client is not already installed, it calls ensure_enrolled that calls ipa-client-install), it's OK to do this part here. Moreover both branches of if not client_fstore.has_files(): end with the client installed and NTP configured.

[flo-renaud]

If client was installed with -N and replica without -N, chronyd is not configured on the replica. I am not sure what would be expected in this case (would you expect the admin to explicitely provide -N to both client and replica-install commands if he doesn't want chrony?)

[rcritten]

So for the promote_check that's ok then? I didn't quite follow the branches, is that a problem?

Nice catch on -N, I hadn't thought of that! And there are some more edge cases there too.

client with -N and replica with options, client with options and replica with -N... I can only hope to not make a mess of this.

How about this. If the client is pre-installed then we have to honor whatever NTP configuration is already there and ipa-replica-install errors out if NTP options are passed in.

For a pure install from ipa-replica-install the NTP options are honored. I update the man page to reflect this behavior.

[flo-renaud]

So for the promote_check that's ok then?

Yes.

How about this. If the client is pre-installed then we have to honor whatever NTP configuration is already there and ipa-replica-install errors out if NTP options are passed in.

OK, seems a good proposal.

For a pure install from ipa-replica-install the NTP options are honored. I update the man page to reflect this behavior.

OK, thanks.

[flo-renaud]

Hi @rcritten,
thanks for the updated patch. The new behavior is working as expected, I tested:

• 2-step replica install, ipa-replica-install using ntp options: refused as expected
• 2-step replica install, ipa-replica-install without ntp options: working, chrony config as specified in client-install. Uninstall reverts to the pre-client-install state.
• 1-step replica install with ntp options: working, chrony config as specified in replica-install options. Un-install reverts to the pre-replica-install state.

[rcritten]

master:

• 2fba5ac Handle NTP configuration in a replica server installation