We are moving our Copr dev instances to F37, and when provisioning copr-fe-dev from scratch, I am getting this issue:

```
TASK [ipa/service : Create service entry] *****************************************************************************************************************************************************************************************************
Tuesday 22 November 2022 14:12:54 +0000 (0:00:02.732) 0:04:16.122 ******
Tuesday 22 November 2022 14:12:54 +0000 (0:00:02.732) 0:04:16.122 ******
fatal: [copr-fe-dev.aws.fedoraproject.org -> ipa01.stg.iad2.fedoraproject.org]: FAILED! => {"changed": false, "msg": "service_add_principal: HTTP/copr-fe-dev.aws.fedoraproject.org: 'krbprincipalname' already contains one or more values"}

PLAY RECAP ************************************************************************************************************************************************************************************************************************************
copr-fe-dev.aws.fedoraproject.org : ok=165 changed=4 unreachable=0 failed=1 skipped=160 rescued=0 ignored=0
```
It seems to me that the issue is somewhere on the IPA side of things.
Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: Needs investigation, medium-gain, medium-trouble, ops

@kevin it's not related to ansible-corp version?
@seddik also found this related issue https://github.com/freeipa/ansible-freeipa/issues/663
So I suggest updating the main task by adding a condition to check if the service is already created... For me the module is not idempotent :( As discussed with @frostyx, he will try to test tomorrow.

```yaml
---
- name: Create host entry
  delegate_to: "{{ ipa_server }}"
  ipahost:
    ipaadmin_password: "{{ ipa_admin_password }}"
    name: "{{ host }}"
    force: yes
  tags:
    - config
    - krb5

- name: Check if service exists
  delegate_to: "{{ ipa_server }}"
  stat:
    path: "{{ service }}/{{ host }}"
  register: ipa_service_defined
  tags:
    - config
    - krb5

- name: Create service entry
  delegate_to: "{{ ipa_server }}"
  ipaservice:
    ipaadmin_password: "{{ ipa_admin_password }}"
    name: "{{ service }}/{{ host }}"
    principal: "{{ principal_alias | default(omit) }}"
    force: yes
  when: not ipa_service_defined.stat.exists
  tags:
    - config
    - krb5
```
PR created if the patch will be accepted https://pagure.io/fedora-infra/ansible/pull-request/1259
Blind attempt #2: https://pagure.io/fedora-infra/ansible/c/c59e68a986e5a34d038b0a002158b616d895fe21
To sum up, I reverted PR #1257 and applied the commit c59e68a986e5a34d038b0a002158b616d895fe21, and the keytab was successfully generated for us. So far so good...
But it would be nice if anyone could do the review before we close this issue.
Yes, this seems like a reasonable workaround for the issue in older freeipa-ansible.
Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)