[Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local
Jan Cholasta
jcholast at redhat.com
Tue Jun 14 10:22:22 UTC 2011
On 14.6.2011 10:25, Martin Kosek wrote:
> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote:
>> Compare the configured interfaces with the supplied IP address and
>> optional netmask to determine if the interface is available.
>>
>> Note the subtle change when comparing addresses. We have two object
>> types, IPNetwork and IPAddress. We should only compare addresses when we
>> don't have an IPNetwork, otherwise we can end up comparing an address to
>> an object with a netmask and get a bad result.
>>
>> https://fedorahosted.org/freeipa/ticket/1175
>
> NACK.
>
> 1) This breaks ipa-replica-prepare:
>
> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com
> --ip-address=10.16.78.46
> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com)
>
> ipa-replica-prepare: error: option --ip-address: invalid IP address
> 10.16.78.46: No network interface matches the provided IP address and
> netmask
>
> Actually, this is not your fault, we just don't use IP address checking
> in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare
> has type "ipnet" which is validated by the CheckedIPAddress. As
> match_local defaults to True, your new exception is raised.

Well, it's my fault. I wasn't sure whether to force the use of local IP
addresses or not, so only a warning is printed (in verify_ip_address) if
the IP address isn't local.

>
> I think we need 2 new option types for IPAOptionParser such as "iplocal"
> and "ipnetlocal" which would be used for --ip-address option in
> ipa-server-install or ipa-dns-install and which would use
> match_local=True. Current types "ip" and "ipnet" should use
> match_local=False.

That's what I had in a WIP version of my patches. Sorry for not keeping
it in :)

Actually, it probably makes more sense to use only one option type "ip"
and add two new option attributes "ip_network" and "ip_local" to
IPAOption, so that the validation details can be set through keyword
arguments to add_option. Without that, we would end up having twice as
many option types every time a new flag is added to CheckedIPAddress.

>
> 2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0
> stable branch nor in RHEL 6.1. But this should be OK since it is
> targeted for RHEL 6.2.
>
> Martin

Honza
--
Jan Cholasta
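
A sketch of the single-type design proposed in this message, as an added example rather than FreeIPA's own code: an optparse `Option` subclass that takes `ip_network` and `ip_local` as keyword arguments to `add_option`. It uses the standard-library `ipaddress` module in place of `CheckedIPAddress`; `LOCAL_INTERFACES`, `check_ip`, `RaisingParser` and `parse_ip` are hypothetical names, and the interface list is constructed sample data.

```python
import ipaddress
from copy import copy
from optparse import Option, OptionParser, OptionValueError

# Constructed stand-in for the host's configured interfaces (assumption);
# a real check would enumerate them from the system.
LOCAL_INTERFACES = [ipaddress.ip_interface("10.16.78.46/23"),
                    ipaddress.ip_interface("127.0.0.1/8")]

def check_ip(option, opt, value):
    """Type checker for "ip"; strictness comes from the option's attributes."""
    try:
        # ip_network allows an optional /prefix, otherwise only a bare address
        parsed = (ipaddress.ip_interface if option.ip_network
                  else ipaddress.ip_address)(value)
    except ValueError as e:
        raise OptionValueError("option %s: invalid IP address %s: %s" % (opt, value, e))
    if option.ip_local:
        with_mask = option.ip_network and "/" in value
        addr = parsed.ip if option.ip_network else parsed
        # Compare address+netmask only when a netmask was supplied; otherwise
        # compare bare addresses, never an address against a netmask object.
        if not any(parsed == i if with_mask else addr == i.ip
                   for i in LOCAL_INTERFACES):
            raise OptionValueError("option %s: invalid IP address %s: no network "
                                   "interface matches" % (opt, value))
    return parsed

class IPAOption(Option):
    ATTRS = Option.ATTRS + ["ip_network", "ip_local"]   # new keyword arguments
    TYPES = Option.TYPES + ("ip",)                      # still a single option type
    TYPE_CHECKER = copy(Option.TYPE_CHECKER)
    TYPE_CHECKER["ip"] = check_ip

class RaisingParser(OptionParser):
    def error(self, msg):            # raise instead of printing usage and exiting
        raise ValueError(msg)

def parse_ip(argv, **flags):
    """Parse argv with one --ip-address option; return (value, error message)."""
    parser = RaisingParser(option_class=IPAOption)
    parser.add_option("--ip-address", dest="ip_address", type="ip", **flags)
    try:
        return parser.parse_args(argv)[0].ip_address, None
    except ValueError as e:
        return None, str(e)
```

With this shape, a tool that must bind to the host passes `ip_local=True`, while a tool that names a remote machine leaves it unset and the same address is accepted.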