[Freeipa-devel] [PATCH] 888 always verify hostname

Rob Crittenden rcritten at redhat.com
Fri Oct 7 13:18:01 UTC 2011


Martin Kosek wrote:
> On Fri, 2011-10-07 at 08:58 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
>>>> When installing with DNS we skip a few hostname checks on the assumption
>>>> that the DNS we are installing will cover things. We still need to
>>>> verify /etc/hosts and we do this with gethostbyname_ex() which returns
>>>> the primary name and all other names of the host. If the primary name
>>>> doesn't match (e.g. the shortname is defined first in /etc/hosts) or it
>>>> isn't resolvable at all then we error out.
>>>>
>>>> This also prevents a chicken-and-egg error as several services need to
>>>> start before DNS is available so the hostname must be defined.
>>>>
>>>> rob
>>>
>>> I see several problems with the patch. At first, it needs a rebase, I
>>> reworked the exceptions raised in verify_fqdn in #1899.
>>>
>>> Then, this patch would break several things:
>>>
>>> 1) Now, when we install a server with --setup-dns and the host is not
>>> resolvable, we add a record to /etc/hosts ourselves, so that the user is
>>> not obliged to hack /etc/hosts:
>>>
>>> # ipa-server-install --setup-dns
>>> ...
>>> Server host name [vm-050.idm.lab.bos.redhat.com]:
>>>
>>> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
>>> The domain name has been calculated based on the host name.
>>>
>>> Please confirm the domain name [idm.lab.bos.redhat.com]:
>>>
>>> Unable to resolve IP address for host name
>>> Please provide the IP address to be used for this host name: 10.16.78.50
>>> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file<<<<<<
>>> The IPA Master Server will be configured with
>>> Hostname:    vm-050.idm.lab.bos.redhat.com
>>> IP address:  10.16.78.50
>>> Domain name: idm.lab.bos.redhat.com
>>
>> Yes but the entry is added to /etc/hosts at the very END of installation,
>> apparently too late for some things. We can alternately add this prior
>> to configuring anything else.
>
> But we add the entry to /etc/hosts right in the beginning. After the
> line marked with <<<<<< is printed. I double-checked it right now.

Ok, this is totally freaky then. See ticket 
https://fedorahosted.org/freeipa/ticket/1931
>
>>
>>>
>>>
>>> 2) This will break ipa-replica-prepare. We cannot assume that only local
>>> host names are passed to verify_fqdn since it is also used for the new
>>> replica hostname check in ipa-replica-prepare:
>>>
>>> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
>>> Directory Manager (existing master) password:
>>>
>>> The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
>>> appear in at least /etc/hosts.
>>> Add the --ip-address argument to create a DNS entry.
>>>
>>> We must be very cautious in this function, there was already a BZ from
>>> RHEV-M guys which could be now broken:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>>>
>>> Martin
>>>
>>
>> Ok, perhaps it just needs to be pulled directly into ipa-server-install.
>> We do need some mechanism to check /etc/hosts to be sure that there
>> isn't an existing bad host entry.
>>
>> rob
>
> Please check the patch I sent. I do one part in verify_fqdn and one part
> in ipa-server-install when user gives us an address.
>
> Martin
>
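The check Rob describes at the top of the thread, written out as an added example (this is not the patch under discussion and not FreeIPA's own verify_fqdn): the primary name returned by gethostbyname_ex() must equal the FQDN being installed, otherwise an /etc/hosts line that lists the short name first slips through. The /etc/hosts content, the lookup_hosts() helper that emulates the glibc files backend, the verify_fqdn() function and its resolver parameter are all constructed here so the example runs offline; the loopback-address check at the end is an extra sanity check beyond what the thread mentions.

```python
import socket

# Constructed /etc/hosts content for this example (not taken from the thread).
# vm-050 lists its short name first, which is the misconfiguration the thread
# describes; vm-051 is written correctly; vm-052 is absent altogether.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
10.16.78.50 vm-050 vm-050.idm.lab.bos.redhat.com
10.16.78.51 vm-051.idm.lab.bos.redhat.com vm-051
"""


def lookup_hosts(hosts_text, name):
    """Emulate what gethostbyname_ex() returns for a name found in /etc/hosts.

    glibc's files backend treats the first name on a line as the canonical
    (primary) name and the remaining names as aliases; the first matching
    line wins. Returns (primary, aliases, [ip]) and raises socket.gaierror
    on a miss, matching the real call's failure mode.
    """
    wanted = name.lower()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if wanted in (n.lower() for n in names):
            return names[0], names[1:], [ip]
    # -2 is EAI_NONAME on glibc ("Name or service not known")
    raise socket.gaierror(-2, "Name or service not known")


def verify_fqdn(fqdn, resolver=socket.gethostbyname_ex):
    """Check that fqdn resolves and is the primary name of its address.

    Returns (True, "") when the name is usable, otherwise (False, reason).
    `resolver` defaults to the real socket.gethostbyname_ex so the function
    can be run against the live system; the demo below passes a fake that
    reads the constructed table instead.
    """
    if "." not in fqdn.strip("."):
        return False, "%s is not a fully qualified domain name" % fqdn
    try:
        primary, aliases, addrs = resolver(fqdn)
    except (socket.gaierror, socket.herror) as err:
        return False, ("%s is not resolvable (%s); it must appear in at least "
                       "/etc/hosts" % (fqdn, err))
    # The core check from the thread: the primary name must be the FQDN,
    # not a short name that happens to be listed first on the line.
    if primary.lower() != fqdn.lower():
        return False, ("primary name for %s is %s (aliases: %s); list the FQDN "
                       "first in /etc/hosts"
                       % (fqdn, primary, ", ".join(aliases) or "none"))
    # Extra check beyond what the thread describes: a hostname that maps to a
    # loopback address would make the server advertise 127.x to its clients.
    loopback = [a for a in addrs if a.startswith("127.") or a == "::1"]
    if loopback:
        return False, "%s resolves to loopback address %s" % (fqdn, loopback[0])
    return True, ""


if __name__ == "__main__":
    fake = lambda n: lookup_hosts(SAMPLE_HOSTS, n)
    for name in ("vm-050.idm.lab.bos.redhat.com",
                 "vm-051.idm.lab.bos.redhat.com",
                 "vm-052.idm.lab.bos.redhat.com",
                 "vm-051"):
        ok, reason = verify_fqdn(name, resolver=fake)
        print("%-32s %s" % (name, "ok" if ok else reason))
```

Running it against the constructed table flags vm-050 (short name is the primary), rejects vm-052 as unresolvable and the bare vm-051 as not fully qualified, and accepts vm-051's FQDN. Dropping the resolver argument runs the same checks against the real system resolver.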
