Make failover work over IP families #7658
Conversation
|
@thalman, could you please add a release note (or convert commit message to a release note)? |
done |
Originally the option ipv4_first and ipv6_first was taken into account when resolving IP address. When both families are resolvable but the primary is blocked on firewall, the SSSD should try the secondary family before giving up. :relnote:SSSD now attempts to connect to the server using a secondary protocol if the server is not reachable using the primary one. See the lookup_family_order option.
|
All system tests fail. |
Test that IPA server is still reachable when primary address family is blocked but secondary is working.
| @@ -80,3 +80,30 @@ def test_failover__reactivation_timeout_is_honored( | |||
| assert ( | |||
| f"Primary server reactivation timeout set to {expected} seconds" in log | |||
| ), f"'Primary server reactivation timeout set to {expected} seconds' not found in logs!" | |||
|
|
|||
|
|
|||
| @pytest.mark.importance("low") | |||
There was a problem hiding this comment.
Can we make this a generic provider test?
or
Move this test into test_ipa.py ?
| client.fs.append("/etc/hosts", "cafe:cafe::3 %s" % ipa.host.hostname) | ||
| client.sssd.start() | ||
| result = client.tools.id(user) | ||
| assert result is not None |
There was a problem hiding this comment.
Can you add an error message please
assert result is not None, f"{user.name} was not found!"
| client.sssd.domain["lookup_family_order"] = "ipv6_first" | ||
| client.fs.append("/etc/hosts", "cafe:cafe::3 %s" % ipa.host.hostname) | ||
| client.sssd.start() | ||
| result = client.tools.id(user) |
| 2. user is resolved | ||
| :customerscenario: False | ||
| """ | ||
| user = "testuser" |
There was a problem hiding this comment.
squash these lines?
user = ipa.user("testuser").add()
| 3. Set IPv6 address in /etc/hosts so it resolves but it | ||
| points to non-exesting machine | ||
| :steps: | ||
| 1. Restart SSSD |
There was a problem hiding this comment.
Technically, you are starting SSSD. This line can be the 4th step in the setup, so the test only contains one step.
|
|
||
| @pytest.mark.importance("low") | ||
| @pytest.mark.topology(KnownTopology.IPA) | ||
| def test_failover__connect_second_family(client: Client, ipa: IPA): |
There was a problem hiding this comment.
I'd add ipv6 in the name, since "families" can also refer to ipv4
tail_failover_connect_using_ipv6_second_family
| { | ||
| if (server != NULL && | ||
| server->common != NULL && | ||
| server->common->rhostent) { |
There was a problem hiding this comment.
This is cosmetic and I'm not asking you to fix it. But if you want to, I will not oppose.
You compare against NULL in the two previous lines, but not in this one.
Originally the option ipv4_first and ipv6_first was taken into account
when resolving IP address.
When both families are resolvable but the primary is blocked on
firewall, the SSSD must switch to the socondary family.