[Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local

Rob Crittenden rcritten at redhat.com
Thu Jun 16 13:07:19 UTC 2011


Martin Kosek wrote:
> On Wed, 2011-06-15 at 14:29 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote:
>>>>>>> Compare the configured interfaces with the supplied IP address and
>>>>>>> optional netmask to determine if the interface is available.
>>>>>>>
>>>>>>> Note the subtle change when comparing addresses. We have two object
>>>>>>> types, IPNetwork and IPAddress. We should only compare addresses when we
>>>>>>> don't have an IPNetwork, otherwise we can end up comparing an address to
>>>>>>> an object with a netmask and get a bad result.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/1175
>>>>>>
>>>>>> NACK.
>>>>>>
>>>>>> 1) This breaks ipa-replica-prepare:
>>>>>>
>>>>>> # ipa-replica-prepare vm-046.idm.lab.bos.redhat.com --ip-address=10.16.78.46
>>>>>> Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com)
>>>>>>
>>>>>> ipa-replica-prepare: error: option --ip-address: invalid IP address
>>>>>> 10.16.78.46: No network interface matches the provided IP address and
>>>>>> netmask
>>>>>>
>>>>>> Actually, this is not your fault, we just don't use IP address checking
>>>>>> in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare
>>>>>> has type "ipnet" which is validated by the CheckedIPAddress. As
>>>>>> match_local defaults to True, your new exception is raised.
>>>>>
>>>>> Ok, but is 10.16.78.46 a configured network interface?
>>>>
>>>> It is an IP address of new replica, i.e. it's not a local network
>>>> interface address. As I wrote, the problem is in a type of
>>>> --ip-address option in ipa-replica-prepare. You can check Honza's mail
>>>> for implementation hint.
>>>
>>> Ah, prepare. I tested with an existing replica file...
>>>
>>> Well, I wonder if an easier fix would be to set match_local=False by
>>> default and specifically ask to match_local when we want.
>>
>> Updated patch attached.
>>
>> rob
>
> I think this is still not right. When you let match_local default to
> False, --ip-address option in ipa-server-install is checked with
> match_local=False and thus the check required by BZ isn't made.

Yes but it is checked again later. Try it, enforcement happens.

> Please check my patch 083 I sent this morning. It makes sure that IP
> address validation with CheckedIPAddress is run with correct parameters
> (i.e. match_local, parse_netmask). You may want to build your patch on
> top of this one.
>
> Should we be so strict and raise an exception when the IP address does
> not match any local interface? Maybe a warning would be enough.
> ipa-server-install will fail anyway a few steps later in a scenario
> described in BZ.

We should fail as soon as possible. By doing this before installation 
starts they don't have to uninstall.

rob
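
The local-interface check discussed in this thread, as an added example that is not part of the original message or of FreeIPA's code. It uses Python's standard `ipaddress` module rather than FreeIPA's `CheckedIPAddress`; the helper names and the `SAMPLE_INTERFACES` list are assumptions made for illustration, and `match_local` defaults to False as proposed above.

```python
import ipaddress

# Constructed sample of configured interface addresses (documentation ranges);
# a real installer would read these from the system instead.
SAMPLE_INTERFACES = ["127.0.0.1/8", "192.0.2.10/24", "2001:db8::10/64"]


def find_local_interface(supplied, interfaces=SAMPLE_INTERFACES):
    """Return the configured interface matching `supplied`, or None.

    `supplied` is "ADDR" or "ADDR/PREFIX" (hypothetical helper).
    """
    has_netmask = "/" in supplied
    # ip_interface() turns a bare address into a /32 or /128 network, so a
    # bare address is parsed as an address and compared as one.
    wanted = (ipaddress.ip_interface(supplied) if has_netmask
              else ipaddress.ip_address(supplied))
    for text in interfaces:
        iface = ipaddress.ip_interface(text)
        if iface.version != wanted.version:
            continue
        if has_netmask:
            # Netmask supplied: address and network must both agree.
            if iface.ip == wanted.ip and iface.network == wanted.network:
                return iface
        elif iface.ip == wanted:
            # No netmask supplied: compare address to address only.
            return iface
    return None


def check_ip(supplied, match_local=False, interfaces=SAMPLE_INTERFACES):
    """Validate syntax; with match_local=True also require a local interface."""
    ipaddress.ip_interface(supplied)  # raises ValueError on malformed input
    if match_local and find_local_interface(supplied, interfaces) is None:
        raise ValueError(
            "No network interface matches the provided IP address and netmask")
    return supplied
```
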



