[Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local

Martin Kosek mkosek at redhat.com
Thu Jun 16 09:03:15 UTC 2011


On Wed, 2011-06-15 at 14:29 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote:
> >>>>> Compare the configured interfaces with the supplied IP address and
> >>>>> optional netmask to determine if the interface is available.
> >>>>>
> >>>>> Note the subtle change when comparing addresses. We have two object
> >>>>> types, IPNetwork and IPAddress. We should only compare addresses when we
> >>>>> don't have an IPNetwork otherwise we can end up comparing an address to
> >>>>> an object with a netmask and get a bad result.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/1175
> >>>>
> >>>> NACK.
> >>>>
> >>>> 1) This breaks ipa-replica-prepare:
> >>>>
> >>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com --ip-address=10.16.78.46
> >>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com)
> >>>>
> >>>> ipa-replica-prepare: error: option --ip-address: invalid IP address
> >>>> 10.16.78.46: No network interface matches the provided IP address and
> >>>> netmask
> >>>>
> >>>> Actually, this is not your fault, we just don't use IP address checking
> >>>> in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare
> >>>> has type "ipnet" which is validated by the CheckedIPAddress. As
> >>>> match_local defaults to True, your new exception is raised.
> >>>
> >>> Ok, but is 10.16.78.46 a configured network interface?
> >>
> >> It is an IP address of new replica, i.e. it's not a local network
> >> interface address. As I wrote, the problem is in a type of
> >> --ip-address option in ipa-replica-prepare. You can check Honza's mail
> >> for implementation hint.
> >
> > Ah, prepare. I tested with an existing replica file...
> >
> > Well, I wonder if an easier fix would be to set match_local=False by
> > default and specifically ask to match_local when we want.
> 
> Updated patch attached.
> 
> rob

I think this is still not right. When you let match_local default to
False, --ip-address option in ipa-server-install is checked with
match_local=False and thus the check required by BZ isn't made.

Please check my patch 083 I sent this morning. It makes sure that IP
address validation with CheckedIPAddress is run with correct parameters
(i.e. match_local, parse_netmask). You may want to build your patch on
top of this one.

Should we be so strict and raise an exception when the IP address does
not match any local interface? Maybe a warning would be enough.
ipa-server-install will fail anyway a few steps later in a scenario
described in BZ.

Martin
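
The thread turns on which callers should ask for the local-interface match. As an added example (not FreeIPA code and not taken from any patch in this thread), the sketch below uses Python's standard ipaddress module to show the check with match_local chosen per caller. The names check_ip_address, server_install_ip, replica_prepare_ip and SAMPLE_LOCAL_INTERFACES are hypothetical, and the interface list is constructed rather than read from the system.

```python
import ipaddress

# Constructed sample of locally configured interfaces (address/prefix).
# Assumption: a real installer would enumerate these from the OS.
SAMPLE_LOCAL_INTERFACES = ["127.0.0.1/8", "192.0.2.10/24", "2001:db8::10/64"]


def check_ip_address(value, local_interfaces, match_local=False,
                     parse_netmask=True):
    """Hypothetical validator: return an ip_interface or raise ValueError."""
    has_mask = "/" in value
    if has_mask and not parse_netmask:
        raise ValueError("netmask is not allowed for this option")
    candidate = ipaddress.ip_interface(value)  # ValueError on malformed input

    if not match_local:
        # Caller describes a remote host (the replica-prepare case).
        return candidate

    for raw in local_interfaces:
        local = ipaddress.ip_interface(raw)
        if has_mask:
            # Address and netmask were both supplied: both must match.
            if local == candidate:
                return local
        elif local.ip == candidate.ip:
            # Bare address: compare address to address only, never to an
            # object carrying a netmask, then adopt the interface's netmask.
            return local
    raise ValueError("No network interface matches the provided IP "
                     "address and netmask")


def server_install_ip(value, local_interfaces=SAMPLE_LOCAL_INTERFACES):
    # Installing on this host: the address must be configured locally.
    return check_ip_address(value, local_interfaces, match_local=True)


def replica_prepare_ip(value, local_interfaces=SAMPLE_LOCAL_INTERFACES):
    # Address of a future replica: only the syntax can be checked here.
    return check_ip_address(value, local_interfaces, match_local=False)
```

With the default left at match_local=False, a caller that forgets to pass match_local=True silently skips the local check, which is why the wrappers set it explicitly.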



