Re: FBR: Fix krb5

On Fri, Sep 15, 2017 at 5:54 PM, Patrick Uiterwijk
<puiterwijk@xxxxxxxxxx> wrote:
> Hi all,
>
> After a lot of debugging, it seems IPA 4.5.0 broke active/active
> failover for krb5.
> While I wait on getting that fixed, I would like to request +1s for
> the following patch.
>
>
> commit 4005fd5929c034436e21c56af0322d53cef04e74
> Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
> Date:   Fri Sep 15 22:50:02 2017 +0000
>
>     Fix krb5 with failover
>
>     Seems like IPA 4.5.0 broke active/active failover of krb5 KDC.
>     While we wait on getting that fixed, let's set us up for
> active/passive failover on the HTTPD end.
>     Since we can't do active/passive for UDP (there's no checks
> there), let's just remove ipa02 for those.
>
>     Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>
> diff --git a/roles/haproxy/templates/haproxy.cfg
> b/roles/haproxy/templates/haproxy.cfg
> index be1e5b5..cda10ab 100644
> --- a/roles/haproxy/templates/haproxy.cfg
> +++ b/roles/haproxy/templates/haproxy.cfg
> @@ -340,7 +340,7 @@ listen  ipa 0.0.0.0:10053
>      balance hdr(appserver)
>      server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify
> required ca-file /etc/haproxy/ipa.pem
>  {% if env != "staging" %}
> -    server  ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify
> required ca-file /etc/haproxy/ipa.pem
> +    server  ipa02 ipa02:443 check inter 10s rise 1 fall 2 ssl verify
> required ca-file /etc/haproxy/ipa.pem backup
>  {% endif %}
>      option  httpchk GET /ipa/ui/
>
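
Review bot: The `backup` keyword added to the ipa02 line in `listen ipa` has no comment in the template marking it as a temporary workaround, so nothing in haproxy.cfg tells the next editor that ipa02 was demoted because of the IPA 4.5.0 failover problem or when it should become active again. A one-line comment above the ipa02 `server` line that names the IPA 4.5.0 issue would cover that. Also note that with `inter 10s` and `fall 2` on ipa01, traffic only moves to the backup after two failed checks, so a short gap in IPA web access on failover is expected with these settings.
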
> @@ -354,7 +354,7 @@ listen krb5 0.0.0.0:1088
>      timeout connect 86400000
>      server  ipa01 ipa01:88 weight 1 maxconn 16384
>  {% if env == "production" %}
> -    server  ipa02 ipa02:88 weight 1 maxconn 16384
> +    # server  ipa02 ipa02:88 weight 1 maxconn 16384
>  {% endif %}
>
>  listen docker-candidate-registry 0.0.0.0:10054
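
Review bot: Commenting out ipa02 in `listen krb5` leaves ipa01 as the only server on port 1088 in production, and neither `server` line in this hunk carries `check`, so an ipa01 outage takes Kerberos through this listener down with no fallback. If a plain connect check against port 88 is acceptable here, adding `check` to ipa01 and restoring ipa02 with `check backup` would give the same active/passive behaviour as the ipa listener in the previous hunk. If it is not, the commented-out line should say why it is disabled and that it is to be restored once the IPA issue is fixed, and the `{% if env == "production" %}` block that now emits only a comment could be dropped until then.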

+1

-AdamM

> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx