[Freeipa-devel] [PATCH] 0299 client: Update DNS with all available local IP addresses.

Martin Basti mbasti at redhat.com
Wed Aug 19 08:36:49 UTC 2015



On 08/18/2015 10:53 PM, Martin Basti wrote:
>
>
> On 08/18/2015 08:02 PM, David Kupka wrote:
>> On 31/07/15 18:31, Martin Basti wrote:
>>> On 28/07/15 09:52, David Kupka wrote:
>>>> On 27/07/15 16:45, David Kupka wrote:
>>>>> On 15/01/15 17:13, David Kupka wrote:
>>>>>> On 01/15/2015 03:22 PM, David Kupka wrote:
>>>>>>> On 01/15/2015 12:43 PM, David Kupka wrote:
>>>>>>>> On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>>>>>>> On 09/01/15 14:43, David Kupka wrote:
>>>>>>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>>>>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>>>>>>>>
>>>>>>>>>>> Thank you for patch:
>>>>>>>>>>>
>>>>>>>>>>> 1)
>>>>>>>>>>> -        root_logger.error("Cannot update DNS records! "
>>>>>>>>>>> -                          "Failed to connect to server '%s'.",
>>>>>>>>>>> server)
>>>>>>>>>>> +        ips = get_local_ipaddresses()
>>>>>>>>>>> +    except CalledProcessError as e:
>>>>>>>>>>> +        root_logger.error("Cannot update DNS records. %s" % e)
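Review bot: the new except branch formats the message eagerly with `"Cannot update DNS records. %s" % e`, while the removed lines passed `server` as a lazy logger argument; keep the project's lazy style, `root_logger.error("Cannot update DNS records. %s", e)`, so the string is only built when the level is enabled and the handler can still see the exception as a separate argument.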
>>>>>>>>>>>
>>>>>>>>>>> IMO the error message should be more specific, add there
>>>>>>>>>>> something
>>>>>>>>>>> like
>>>>>>>>>>> "Unable to get local IP addresses". at least in log.debug()
>>>>>>>>>>>
>>>>>>>>>>> 2)
>>>>>>>>>>> +    lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>>>>>>
>>>>>>>>>>> .replace() is not needed
>>>>>>>>>>>
>>>>>>>>>>> 3)
>>>>>>>>>>> +    if len(ips) == 0:
>>>>>>>>>>>
>>>>>>>>>>> if not ips:
>>>>>>>>>>>
>>>>>>>>>>> is more pythonic by PEP8
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Thanks for catching these. Updated patch attached.
>>>>>>>>>>
>>>>>>>>> merciful NACK
>>>>>>>>>
>>>>>>>>> Thank you for the patch, unfortunately I hit one issue which
>>>>>>>>> needs to be resolved.
>>>>>>>>>
>>>>>>>>> If "sync PTR" is activated in zone settings, and the reverse zone
>>>>>>>>> doesn't exist, nsupdate/BIND returns SERVFAIL and ipa-client-install
>>>>>>>>> prints the error message 'DNS update failed'. In fact, all A/AAAA
>>>>>>>>> records were successfully updated, only the PTR records failed.
>>>>>>>>>
>>>>>>>>> Bind log:
>>>>>>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' AAAA
>>>>>>>>>
>>>>>>>>> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>>>>>>
>>>>>>>>> With IPv6 we have several addresses from different reverse 
>>>>>>>>> zones and
>>>>>>>>> this situation may happen often.
>>>>>>>>> I suggest the following:
>>>>>>>>> 1) Print the list of addresses which will be updated. (Now, if the
>>>>>>>>> update fails, the user needs to read the log to see which addresses
>>>>>>>>> the installer tried to update.)
>>>>>>>>> 2) Split nsupdates per A/AAAA record.
>>>>>>>>> 3a) If one failed, check with a DNS query whether the A/AAAA and PTR
>>>>>>>>> records are there and print a proper error message.
>>>>>>>>> 3b) Just print that the A/AAAA (or PTR) record may not be updated for
>>>>>>>>> the particular IP address.
>>>>>>>>>
>>>>>>>>> Any other suggestions are welcome.
>>>>>>>>>
>>>>>>>>
>>>>>>>> After a long discussion with our DNS and UX gurus I've implemented it
>>>>>>>> this way:
>>>>>>>> 1. Call nsupdate only once with all updates.
>>>>>>>> 2. Verify that the expected records are resolvable.
>>>>>>>> 3. If not, print the list of missing A/AAAA records, the list of
>>>>>>>> missing PTR records and the list of mismatched PTR records.
>>>>>>>>
>>>>>>>> As this is running inside the client we can't do much more and it's
>>>>>>>> up to the user to check what's rotten in his DNS setup.
>>>>>>>>
>>>>>>>> Updated patch attached.
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Freeipa-devel mailing list
>>>>>>>> Freeipa-devel at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> One more change to behave well in -crazy- exotic environments that
>>>>>>> resolve more PTR records for a single IP.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Yet another change to make language nerds and our UX guru happy :-)
>>>>>>
>>>>>>
>>>>>
>>>>> Rebased patch attached.
>>>>>
>>>>>
>>>> Updated patch attached.
>>>>
>>> Just for the record, this patch is for dualstack/IPv6 support.
>>> IMO this ticket also requires fixing ipa-join to support IPv6.
>>>
>>> I still have doubts about having multihomed support as default; this may be
>>> an unexpected change of ipa-client-install behavior.
>>> I know it is hard to detect which addresses the user wants to register in
>>> IPA without a crystal ball, but it should not be impossible :-) .
>>>
>>> I propose the following solution:
>>>
>>> To add new options:
>>> --multihomed or --all-ip-address - all IP addresses from the client will
>>> be used
>>> --ip-address - address which will be registered on the (IPA) DNS server
>>> --ip-address-interface - interface from which the address will be
>>> registered
>>>
>>>
>>> 0) without any option specified, current behavior will be used + IPv6
>>> * detect which address is used to communicate with IPA server
>>> * detect interface where this address belongs
>>> * use ipv4 and all ipv6 addresses of this interface
>>> * if --enable-dns-updates=true: configure SSSD as it is configured now:
>>> automatically detect which address is used + patched SSSD will also
>>> update the proper IPv6 address
>>>
>>> 1) --multihomed or --all-ip-addresses (this is multihomed ticket)
>>> * all addresses will be used
>>> * if --enable-dns-updates=true: SSSD will be configured to send all
>>> ip_addresses
>>>
>>> 2) --ip-address option specified:
>>> * only the specified addresses will be used (+ check that these addresses
>>> exist locally)
>>> * if --enable-dns-updates=true: ERROR, dynamic updates may change this
>>> address (user should choose static vs dynamic)
>>>
>>> 3) --ip-address-interface option specified:
>>> * only addresses from specified interfaces will be used
>>> * if --enable-dns-updates=true: SSSD will be configured to use these
>>> interfaces to get addresses that will be dynamically updated on dns
>>>
>>> Modification of current patch should not be hard, we already have 
>>> almost
>>> everything implemented:
>>> * method get_local_addresses should return dict {interface:[list of
>>> addresses]}, this can be used in all of 4 cases.
>>> * restore original function to detect IP address used to communicate
>>> with IPA server
>>>
>>> I insist on 0) and 1), the others may be a stretch goal (easy to implement).
>>> (It would be a shame not to implement multihomed support together with
>>> this ticket, as it requires at most 5 extra lines of code.)
>>>
>>> Does my proposal seem reasonable?
>>>
>>> What is your opinion, Martin? Should we just use all addresses to be
>>> registered, or try to keep the old behavior as much as possible?
>>>
>>> Martin^2
>>>
>>
>> 0-2 implemented, IMO there is no real use-case for 3. It can be added 
>> later when/if there is need.
>> Updated patch (+ rebase for ipa-4-2 branch) attached.
>>
>
> ACK, I just fixed a typo in the --ip-address help message before push.
>
> SSSD guys (Pavel CCed) will provide SSSD srpm that should go to our 
> freeipa-master copr. Then we will bump required SSSD version in specfile.
>
> Pushed to ipa-4-2: ff34125bcaa99898859cb8ceefea88a4497959b3
> Pushed to master: 8ba1392a3903894dda06c733bf37853c6cc3108c
>
Attached patch bumps required version of SSSD (available in 
freeipa-master copr)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0299-Add-dependency-to-SSSD-1.13.1.patch
Type: text/x-patch
Size: 1170 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150819/2cc3daaf/attachment.bin>
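The post-update verification David describes in the thread (check that every expected A/AAAA record resolves, then classify each address as missing PTR or mismatched PTR, tolerating several PTR records for one IP) as an added, stand-alone example. This is not FreeIPA's code: the lookup tables, the host name and the function names are constructed stand-ins, so it runs without any network access.

```python
import ipaddress

# Constructed stand-ins for DNS answers (hypothetical names, no network).
# A real resolver can be plugged in through the fwd/rev callables below.
FORWARD = {
    ("vm-101.example.com.", "A"): {"192.0.2.10", "198.51.100.7"},
    ("vm-101.example.com.", "AAAA"): {"2001:db8::10"},
}
REVERSE = {
    # normal case: one PTR pointing back at the host
    ipaddress.ip_address("192.0.2.10").reverse_pointer + ".": {"vm-101.example.com."},
    # the "exotic" case from the thread: two PTRs for one IP, one of them ours
    ipaddress.ip_address("2001:db8::10").reverse_pointer + ".": {
        "other.example.com.", "vm-101.example.com."},
    # stale PTR: the IP resolves back to a different host -> mismatched
    ipaddress.ip_address("198.51.100.7").reverse_pointer + ".": {"stale.example.com."},
    # 2001:db8::20 has no reverse zone at all -> missing PTR
}

def forward_lookup(name, rtype):
    return FORWARD.get((name, rtype), set())

def reverse_lookup(ptr_name):
    return REVERSE.get(ptr_name, set())

def verify_dns_records(hostname, ips, fwd=forward_lookup, rev=reverse_lookup):
    """Classify the outcome of a DNS update for hostname (FQDN, trailing dot)
    and its expected addresses. Returns three lists, in input order:
    missing forward records, IPs without any PTR, IPs whose PTRs all point
    elsewhere (as (ip, sorted PTR targets) tuples)."""
    missing_forward, missing_ptr, mismatched_ptr = [], [], []
    for ip_str in ips:
        ip = ipaddress.ip_address(ip_str)
        rtype = "AAAA" if ip.version == 6 else "A"
        # forward check: compare parsed addresses so textual form does not matter
        answers = {ipaddress.ip_address(a) for a in fwd(hostname, rtype)}
        if ip not in answers:
            missing_forward.append(ip_str)
        # reverse check: any PTR naming this host is acceptable; none at all is
        # "missing", only foreign names is "mismatched"
        names = rev(ip.reverse_pointer + ".")
        if not names:
            missing_ptr.append(ip_str)
        elif hostname not in names:
            mismatched_ptr.append((ip_str, sorted(names)))
    return missing_forward, missing_ptr, mismatched_ptr
```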

