[Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install

Jan Cholasta jcholast at redhat.com
Mon May 16 17:15:13 UTC 2011


On 16.5.2011 17:26, Martin Kosek wrote:
> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>> Split from patch 3, requires patch 18.
>>
>> https://fedorahosted.org/freeipa/ticket/1213
>>
>> Honza
>>
>
> I tested all patches (3.6, 18, 19), but I think some work still needs to
> be done:
>
> 1) What about adding /sbin/ip package to Requires in spec? I thought
> there was an agreement to do it.

Will do.

>
> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is
> an invalid address (e.g. $ADDR==foo), loopback address (e.g.
> $ADDR==127.0.0.1) or just another than the local address (e.g.
> $ADDR==123.123.123.123) the installer always fails with "the hostname
> resolves to an IP address that is different from the one provided on the
> command line".
>
> I think we may want a different error message in those 3 cases - it
> should be easy to do it now, with the improved IP handling.

It looks like the print statements from verify_ip_address don't 
actually print anything to the user. Will look into that.

>
> 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the
> installation always fails with the above message. Even though I took the
> addr+netmask from "/sbin/ip address" output.

Works for me. Please make sure you've added your hostname to /etc/hosts.

>
> 4) I miss IP address checks in --ip-address and --forwarder parameters
> of ipa-dns-install script. I can pass invalid or local addresses to
> these parameters. This breaks Bind configuration.

--ip-address is checked, but --forwarder is not. Will fix that.

>
> 5) I think we may want to check also for local address in
> #ipa host-add $HOST --ip-address=127.0.0.1
>
> 6) I couldn't add IP address with netmask in host module:
> # ipa host-add $HOST --ip-address=10.16.78.102/22
> ipa: ERROR: invalid 'ip_address': invalid IP address

The patches are for the installer, as are the tickets they fix, so these 
issues are out of scope. A new ticket should be opened for them.

>
> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not
> really an internal use since it is returned by new IP handling functions
> and used in other modules.

_ParsedIPAddress is not for public use. The fact that an object of this 
class is returned by parse_ip_address doesn't really matter - this is 
Python, not C++ or Java.

>
>
> Martin
>

Honza


-- 
Jan Cholasta
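
The following is an added example, not part of the original message and not FreeIPA's code: a sketch of how an installer could give a distinct error for each case raised in point 2 (invalid, loopback, not a local address) and accept the addr/netmask form from point 3. The names `check_install_ip`, `classify`, `IPCheckError` and the sample interface list are hypothetical.

```python
import ipaddress

# Constructed sample: addresses in the form shown by "/sbin/ip address".
SAMPLE_LOCAL = ("127.0.0.1/8", "10.16.78.102/22")


class IPCheckError(ValueError):
    """Carries a reason code so the caller can print a specific message."""

    def __init__(self, reason, message):
        super().__init__(message)
        self.reason = reason


def check_install_ip(value, local_ifaces=SAMPLE_LOCAL):
    """Validate "ADDR" or "ADDR/PREFIX"; return the matching local interface."""
    try:
        given = ipaddress.ip_interface(value)
    except ValueError:
        raise IPCheckError("invalid", "%r is not a valid IP address" % value)

    addr = given.ip
    if addr.is_loopback:
        raise IPCheckError("loopback", "%s is a loopback address" % addr)

    for text in local_ifaces:
        iface = ipaddress.ip_interface(text)
        if iface.ip != addr:
            continue
        # An explicitly given prefix must agree with the interface's own.
        if "/" in value and given.network != iface.network:
            raise IPCheckError(
                "netmask", "%s does not match local network %s"
                % (given, iface.network))
        return iface

    raise IPCheckError(
        "not-local", "%s is not configured on any local interface" % addr)


def classify(value, local_ifaces=SAMPLE_LOCAL):
    """Return "ok" or the reason code, for use in tests and error reporting."""
    try:
        check_install_ip(value, local_ifaces)
    except IPCheckError as err:
        return err.reason
    return "ok"
```
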



