moving ipa2 to a second subnet #129

Open
danlavu wants to merge 1 commit into SSSD:master from danlavu:ipa-trust-two-nets

@danlavu danlavu commented May 2, 2025

  • making this environment more realistic
  • moved the network create to use the docker command because docker-compose defaults the isolation value to true

danlavu commented May 2, 2025

This should work, @justin-stephenson, can you please test this? Something may be foo bar on my workstation, but I think it should work. The second network is created and master.ipa2.test is provisioned correctly. The problem is that the 'sssd' network is not routable to the 'ipa' network.

However, both the 'sssd' and 'IPA' networks are routable from the host and the ad vagrant network.

@justin-stephenson

> This should work, @justin-stephenson, can you please test this? Something may be foo bar on my workstation, but I think it should work. The second network is created and master.ipa2.test is provisioned correctly. The problem is that the 'sssd' network is not routable to the 'ipa' network.
>
> However, both the 'sssd' and 'IPA' networks are routable from the host and the ad vagrant network.

Hi,

I built this PR but cannot ping master.ipa2.test or 172.16.110.10 from master.ipa.test; I see some errors about DNS in the journal.

May 05 15:26:10 fedora.test.local dns[856731]: dnsmasq[60]: query[A] master.ipa2.test from 172.16.100.1
May 05 15:26:15 fedora.test.local aardvark-dns[856608]: 5346 dns request got empty response

Sorry, I can't help much here; I don't have much experience with networking.

danlavu commented May 6, 2025

Thanks for testing. It's not my workstation; @jakub-vavra-cz suggested something that I will look into.

danlavu commented May 15, 2025

@thalman solved it. docker-compose and podman-compose create networks differently. Docker creates the network with isolation = true while podman has it set to false. Added another commit, changing docker-compose.
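
An added example, not part of this PR or the repository: a small check over `podman network inspect` JSON that flags network pairs the bridge firewall will not forward between, which is the symptom described in this thread. The sample JSON, the /24 subnets and the rule encoded here (traffic is dropped between networks that both set `isolate=true`, or when either sets `strict`) are assumptions based on podman's documented `isolate` network option.

```python
import json
from itertools import combinations

# Constructed sample shaped like `podman network inspect sssd ipa` output.
# Network names come from the thread; subnets and option values are assumed.
COMPOSE_CREATED = """[
  {"name": "sssd", "driver": "bridge",
   "subnets": [{"subnet": "172.16.100.0/24", "gateway": "172.16.100.1"}],
   "options": {"isolate": "true"}},
  {"name": "ipa", "driver": "bridge",
   "subnets": [{"subnet": "172.16.110.0/24", "gateway": "172.16.110.1"}],
   "options": {"isolate": "true"}}
]"""
# Same networks created directly with the CLI: no isolate option recorded.
CLI_CREATED = COMPOSE_CREATED.replace('"options": {"isolate": "true"}', '"options": {}')


def isolate_mode(network):
    """Return 'false', 'true' or 'strict' from a network's options map."""
    mode = str((network.get("options") or {}).get("isolate", "false")).lower()
    if mode not in ("false", "true", "strict"):
        raise ValueError(f"{network.get('name')}: unexpected isolate={mode!r}")
    return mode


def blocked_pairs(inspect_json):
    """Return (net_a, net_b, reason) for each pair whose traffic is dropped."""
    blocked = []
    for a, b in combinations(json.loads(inspect_json), 2):
        modes = (isolate_mode(a), isolate_mode(b))
        if "strict" in modes:
            reason = "isolate=strict on at least one side"
        elif modes == ("true", "true"):
            reason = "isolate=true on both networks"
        else:
            continue  # at most one side isolated: forwarding is allowed
        blocked.append((a["name"], b["name"], reason))
    return blocked


if __name__ == "__main__":
    for label, sample in (("compose", COMPOSE_CREATED), ("cli", CLI_CREATED)):
        print(label, blocked_pairs(sample) or "no isolated pairs")
```
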

danlavu commented May 15, 2025

After talking to @thalman and seeing the CI failures, podman-compose isn't installed on other distros. I'm going to create the networks using the docker command and have docker-compose use pre-existing networks, so there is no dependency on podman-compose.

@danlavu danlavu marked this pull request as draft May 15, 2025 19:44
@danlavu danlavu force-pushed the ipa-trust-two-nets branch 2 times, most recently from 7c0c418 to 0e4bd5f Compare May 21, 2025 05:09
@danlavu danlavu changed the title moving ipa2 to a second subnet moving ipa2 to a second subnet May 21, 2025
@danlavu danlavu force-pushed the ipa-trust-two-nets branch 3 times, most recently from 6bfff4b to 08670e0 Compare May 21, 2025 19:01
@danlavu danlavu marked this pull request as ready for review May 21, 2025 19:36
@danlavu danlavu requested a review from thalman May 29, 2025 02:28
@danlavu danlavu force-pushed the ipa-trust-two-nets branch from 08670e0 to c776f05 Compare May 30, 2025 16:12
@danlavu danlavu force-pushed the ipa-trust-two-nets branch from c776f05 to 56de71b Compare June 11, 2025 01:13
@andreboscatto andreboscatto marked this pull request as draft June 17, 2025 12:39
@danlavu danlavu force-pushed the ipa-trust-two-nets branch 3 times, most recently from a86a44d to 922f962 Compare June 18, 2025 01:30
danlavu commented Aug 26, 2025

@pbrezina yea, it's done, just needs testing. Moving it out of draft.

@thalman thalman left a comment

LGTM

@danlavu danlavu force-pushed the ipa-trust-two-nets branch from b6cc933 to d8a5ed0 Compare October 30, 2025 20:03
@danlavu danlavu force-pushed the ipa-trust-two-nets branch 12 times, most recently from 02f4410 to 0f652c2 Compare November 1, 2025 03:56
* making this environment more realistic
* moved the network create to use the docker command because
  docker-compose defaults the isolation value to true
@danlavu danlavu force-pushed the ipa-trust-two-nets branch from 0f652c2 to ccb81d5 Compare November 1, 2025 07:02
danlavu commented Nov 1, 2025

Okay, being unfamiliar with the Makefile, there were a number of mistakes. I figured them out; there are enough changes from Tomas's review that it should be reviewed again. The containers are now being built successfully.

  • added make start (doesn't create the networks), in the event you just wanted to start the containers from being stopped.
  • The compose function has a condition for up|down to execute the script

@justin-stephenson

@danlavu I tried to make build locally and it fails because I don't have docker running, but I can't install docker due to dependency failure it seems.


+ docker-compose -f ../docker-compose.yml -f ./docker-compose.build.yml up --detach
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
>>>> Executing external compose provider "/usr/libexec/docker/cli-plugins/docker-compose". Please see podman-compose(1) for how to disable this message. <<<<

unable to get image 'localhost/sssd/ci-base-ipa:latest': Cannot connect to the Docker daemon at unix:///run/user/1000/podman/podman.sock. Is the docker daemon running?
Error: executing /usr/libexec/docker/cli-plugins/docker-compose -f ../docker-compose.yml -f ./docker-compose.build.yml up --detach: exit status 1
+ cleanup
make: *** [Makefile:3: build] Error 1
justin@justin-fedora:~/github/sssd-ci-containers$ sudo dnf install docker
[sudo] password for justin: 
Sorry, try again.
[sudo] password for justin: 
Updating and loading repositories:
Repositories loaded.
Failed to resolve the transaction:
Problem: problem with installed package
  - installed package podman-docker-5:5.6.2-1.fc42.noarch conflicts with docker provided by moby-engine-27.5.1-1.fc42.x86_64 from fedora
  - installed package podman-docker-5:5.6.2-1.fc42.noarch conflicts with moby-engine provided by moby-engine-27.5.1-1.fc42.x86_64 from fedora
  - package podman-docker-5:5.6.2-1.fc42.noarch from updates conflicts with docker provided by moby-engine-27.5.1-1.fc42.x86_64 from fedora
  - package podman-docker-5:5.6.2-1.fc42.noarch from updates conflicts with moby-engine provided by moby-engine-27.5.1-1.fc42.x86_64 from fedora
  - package podman-docker-5:5.4.1-1.fc42.noarch from fedora conflicts with docker provided by moby-engine-27.5.1-1.fc42.x86_64 from fedora
  - package podman-docker-5:5.4.1-1.fc42.noarch from fedora conflicts with moby-engine provided by moby-engine-27.5.1-1.fc42.x86_64 from fedora
  - conflicting requests
  - installed package podman-docker-5:5.6.2-1.fc42.noarch conflicts with docker provided by moby-engine-28.5.1-2.fc42.x86_64 from updates
  - installed package podman-docker-5:5.6.2-1.fc42.noarch conflicts with moby-engine provided by moby-engine-28.5.1-2.fc42.x86_64 from updates
  - package podman-docker-5:5.6.2-1.fc42.noarch from updates conflicts with docker provided by moby-engine-28.5.1-2.fc42.x86_64 from updates
  - package podman-docker-5:5.6.2-1.fc42.noarch from updates conflicts with moby-engine provided by moby-engine-28.5.1-2.fc42.x86_64 from updates
  - package podman-docker-5:5.4.1-1.fc42.noarch from fedora conflicts with docker provided by moby-engine-28.5.1-2.fc42.x86_64 from updates
  - package podman-docker-5:5.4.1-1.fc42.noarch from fedora conflicts with moby-engine provided by moby-engine-28.5.1-2.fc42.x86_64 from updates
You can try to add to command line:
  --allowerasing to allow removing of installed packages to resolve problems
  --skip-broken to skip uninstallable packages

@justin-stephenson

By the way @pbrezina may want to look and review this PR.


5 participants