[Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

David Kupka dkupka at redhat.com
Tue Aug 18 18:02:49 UTC 2015


On 31/07/15 18:31, Martin Basti wrote:
> On 28/07/15 09:52, David Kupka wrote:
>> On 27/07/15 16:45, David Kupka wrote:
>>> On 15/01/15 17:13, David Kupka wrote:
>>>> On 01/15/2015 03:22 PM, David Kupka wrote:
>>>>> On 01/15/2015 12:43 PM, David Kupka wrote:
>>>>>> On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>>>>> On 09/01/15 14:43, David Kupka wrote:
>>>>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>>>>>>
>>>>>>>>> Thank you for patch:
>>>>>>>>>
>>>>>>>>> 1)
>>>>>>>>> -        root_logger.error("Cannot update DNS records! "
>>>>>>>>> -                          "Failed to connect to server '%s'.",
>>>>>>>>> server)
>>>>>>>>> +        ips = get_local_ipaddresses()
>>>>>>>>> +    except CalledProcessError as e:
>>>>>>>>> +        root_logger.error("Cannot update DNS records. %s" % e)
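Review bot: the added `root_logger.error("Cannot update DNS records. %s" % e)` line formats the message eagerly with `%`, while the removed call passed `server` as a logger argument; keep that lazy style, `root_logger.error("Cannot update DNS records: %s", e)`, and name the step that failed (obtaining the local IP addresses), since the exception text of a CalledProcessError alone does not tell the user which command broke.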
>>>>>>>>>
>>>>>>>>> IMO the error message should be more specific; add something
>>>>>>>>> like "Unable to get local IP addresses", at least in log.debug().
>>>>>>>>>
>>>>>>>>> 2)
>>>>>>>>> +    lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>>>>
>>>>>>>>> .replace() is not needed
>>>>>>>>>
>>>>>>>>> 3)
>>>>>>>>> +    if len(ips) == 0:
>>>>>>>>>
>>>>>>>>> if not ips:
>>>>>>>>>
>>>>>>>>> is more pythonic by PEP8
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Thanks for catching these. Updated patch attached.
>>>>>>>>
>>>>>>> merciful NACK
>>>>>>>
>>>>>>> Thank you for the patch, unfortunately I hit one issue which needs
>>>>>>> to be resolved.
>>>>>>>
>>>>>>> If "sync PTR" is activated in zone settings, and the reverse zone
>>>>>>> doesn't exist, nsupdate/BIND returns SERVFAIL and ipa-client-install
>>>>>>> prints the error message 'DNS update failed'. In fact, all A/AAAA
>>>>>>> records were successfully updated, only the PTR records failed.
>>>>>>>
>>>>>>> Bind log:
>>>>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
>>>>>>> 'vm-101.example.com' AAAA
>>>>>>>
>>>>>>> named-pkcs11[28652]: PTR record synchronization (addition) for
>>>>>>> A/AAAA
>>>>>>> 'vm-101.example.com.' refused: unable to find active reverse zone
>>>>>>> for IP
>>>>>>> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>>>>
>>>>>>> With IPv6 we have several addresses from different reverse zones and
>>>>>>> this situation may happen often.
>>>>>>> I suggest the following:
>>>>>>> 1) Print the list of addresses which will be updated. (Now if the
>>>>>>> update fails, the user needs to read the log to see which addresses
>>>>>>> the installer tried to update)
>>>>>>> 2) Split nsupdates per A/AAAA record.
>>>>>>> 3a) If it failed, check with a DNS query if the A/AAAA and PTR records
>>>>>>> are there and print a proper error message
>>>>>>> 3b) Just print that the A/AAAA (or PTR) record may not have been
>>>>>>> updated for the particular IP address.
>>>>>>>
>>>>>>> Any other suggestions are welcome.
>>>>>>>
>>>>>>
>>>>>> After a long discussion with the DNS and UX gurus I've implemented it
>>>>>> this way:
>>>>>> 1. Call nsupdate only once with all updates.
>>>>>> 2. Verify that the expected records are resolvable.
>>>>>> 3. If not, print the list of missing A/AAAA records, the list of
>>>>>> missing PTR records and the list of mismatched PTR records.
>>>>>>
>>>>>> As this is running inside the client we can't do much more, and it's
>>>>>> up to the user to check what's rotten in his DNS setup.
>>>>>>
>>>>>> Updated patch attached.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>
>>>>>
>>>>>
>>>>> One more change to behave well in -crazy- exotic environments that
>>>>> resolve more PTR records for a single IP.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Yet another change to make language nerds and our UX guru happy :-)
>>>>
>>>>
>>>>
>>>
>>> Rebased patch attached.
>>>
>>>
>> Updated patch attached.
>>
> Just for the record, this patch is for dual-stack/IPv6 support.
> IMO this ticket also requires fixing ipa-join to support IPv6.
>
> I still have doubts about having multihomed support as the default; this
> may be an unexpected change of ipa-client-install behavior.
> I know it is hard to detect which addresses the user wants to register in
> IPA without a crystal ball, but it should not be impossible :-) .
>
> I propose the following solution:
>
> To add new options:
> --multihomed or --all-ip-address - all IP addresses from the client will
> be used
> --ip-address - address which will be registered on the (IPA) DNS server
> --ip-address-interface - interface from which addresses will be registered
>
>
> 0) without any option specified, current behavior will be used + IPv6
> * detect which address is used to communicate with the IPA server
> * detect the interface where this address belongs
> * use the IPv4 and all IPv6 addresses of this interface
> * if --enable-dns-updates=true: configure SSSD as it is configured now:
> automatically detect which address is used + patched SSSD will also
> update the proper IPv6 address
>
> 1) --multihomed or --all-ip-addresses (this is the multihomed ticket)
> * all addresses will be used
> * if --enable-dns-updates=true: SSSD will be configured to send all
> ip_addresses
>
> 2) --ip-address option specified:
> * only the specified addresses will be used (+ check if these addresses
> exist locally)
> * if --enable-dns-updates=true: ERROR, dynamic updates may change this
> address (user should choose static vs dynamic)
>
> 3) --ip-address-interface option specified:
> * only addresses from the specified interfaces will be used
> * if --enable-dns-updates=true: SSSD will be configured to use these
> interfaces to get the addresses that will be dynamically updated in DNS
>
> Modification of the current patch should not be hard, we already have
> almost everything implemented:
> * method get_local_addresses should return a dict {interface: [list of
> addresses]}, this can be used in all 4 cases.
> * restore the original function to detect the IP address used to
> communicate with the IPA server
>
> I insist on 0) and 1), the others may be a stretch goal (easy to implement)
> (It would be a shame not to implement multihomed support together with
> this ticket, as it requires at most 5 extra lines of code)
>
> Does my proposal seem reasonable?
>
> What is your opinion Martin? Should we just use all addresses to be
> registered, or try to keep the old behavior as much as possible?
>
> Martin^2
>

0-2 implemented, IMO there is no real use-case for 3. It can be added
later when/if there is a need.
Updated patch (+ rebase for the ipa-4-2 branch) attached.

-- 
David Kupka
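The post-update verification David describes earlier in the thread (one nsupdate run, then check that the expected A/AAAA records resolve, that each address has a PTR pointing back, and tolerate several PTRs for one IP) as an added example; this is not the patch's or FreeIPA's code. `FAKE_ZONE`, `fake_resolve` and the `vm-101.example.com` data are constructed stand-ins for a real resolver query.

```python
import ipaddress

def reverse_name(ip):
    """Absolute owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def _key(ip):
    # IPv4 and IPv6 address objects do not compare; order by version, value
    return (ip.version, int(ip))

# Constructed stand-in for DNS: (owner, rrtype) -> rdata list, modelling the
# zone state after one nsupdate run with all A/AAAA (+ synced PTR) updates.
FAKE_ZONE = {
    ("vm-101.example.com.", "A"): ["192.0.2.10", "192.0.2.11"],
    ("vm-101.example.com.", "AAAA"): ["2001:db8::10"],      # ::20 is missing
    (reverse_name("192.0.2.10"), "PTR"): ["vm-101.example.com."],
    # two PTRs for one IP, one of them ours: the exotic case, still correct
    (reverse_name("192.0.2.11"), "PTR"): ["alias.example.com.",
                                          "vm-101.example.com."],
    (reverse_name("2001:db8::10"), "PTR"): ["other.example.com."],  # mismatch
    # no PTR at all for 2001:db8::20: no active reverse zone for it
}

def fake_resolve(name, rrtype):
    """Constructed resolver; returns [] where a real query gets NXDOMAIN."""
    return FAKE_ZONE.get((name.lower(), rrtype), [])

def verify_dns_records(hostname, ips, resolve=fake_resolve):
    """Return (missing_forward, missing_ptr, mismatched_ptr) for the client.

    A PTR owner with several targets is accepted if one of them is ours.
    """
    fqdn = hostname.rstrip(".").lower() + "."
    expected = {ipaddress.ip_address(ip) for ip in ips}
    found = {ipaddress.ip_address(r)
             for rrtype in ("A", "AAAA") for r in resolve(fqdn, rrtype)}
    missing_forward = [str(ip) for ip in sorted(expected - found, key=_key)]
    missing_ptr, mismatched_ptr = [], []
    for ip in sorted(expected, key=_key):
        targets = [t.rstrip(".").lower() + "."
                   for t in resolve(reverse_name(str(ip)), "PTR")]
        if not targets:
            missing_ptr.append(str(ip))
        elif fqdn not in targets:
            mismatched_ptr.append((str(ip), sorted(targets)))
    return missing_forward, missing_ptr, mismatched_ptr
```

The three lists are what the installer would print for the user instead of a bare 'DNS update failed'.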
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0035-9-client-Add-support-for-multiple-IP-addresses-during-.patch
Type: text/x-patch
Size: 14503 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150818/fcd30de2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0035-9-ipa42-client-Add-support-for-multiple-IP-addresses-during-.patch
Type: text/x-patch
Size: 14496 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150818/fcd30de2/attachment-0001.bin>
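Martin's cases 0) to 2) for choosing which addresses the client registers, as an added example that is not the patch's own code. The `{interface: [addresses]}` table `LOCAL` is constructed, and the local address used to reach the IPA server is passed in as `server_addr` rather than detected.

```python
import ipaddress

# Constructed {interface: [addresses]} table, the shape proposed for
# get_local_addresses(); a real implementation reads it from the system.
LOCAL = {
    "lo": ["127.0.0.1", "::1"],
    "eth0": ["192.0.2.10", "2001:db8:1::10", "fe80::1"],
    "eth1": ["198.51.100.7", "2001:db8:2::7"],
}

def registrable(addr):
    """Loopback and link-local addresses are never registered in DNS."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local)

def select_addresses(local, server_addr, all_addresses=False,
                     ip_addresses=None, enable_dns_updates=False):
    """Return the addresses to register, following cases 0), 1) and 2).

    server_addr is the local address used to reach the IPA server (assumed
    to be detected already).  Raises ValueError for the error conditions.
    """
    if ip_addresses:                       # case 2: --ip-address
        if enable_dns_updates:
            raise ValueError("--ip-address cannot be combined with "
                             "--enable-dns-updates (static vs dynamic)")
        have = {ipaddress.ip_address(a) for v in local.values() for a in v}
        missing = [a for a in ip_addresses
                   if ipaddress.ip_address(a) not in have]
        if missing:
            raise ValueError("not configured locally: %s" % ", ".join(missing))
        return list(ip_addresses)
    if all_addresses:                      # case 1: --multihomed
        return [a for v in local.values() for a in v if registrable(a)]
    # case 0: IPv4 + all IPv6 addresses of the interface carrying server_addr
    wanted = ipaddress.ip_address(server_addr)
    for iface, addrs in local.items():
        if wanted in map(ipaddress.ip_address, addrs):
            return [a for a in addrs if registrable(a)]
    raise ValueError("%s is not a local address" % server_addr)
```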

