<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 26/09/14 14:47, David Kupka wrote:<br>
</div>
<blockquote cite="mid:5425606E.5090703@redhat.com" type="cite">On
09/26/2014 10:30 AM, David Kupka wrote:
<br>
<blockquote type="cite">On 09/26/2014 09:34 AM, Jan Cholasta
wrote:
<br>
<blockquote type="cite">Dne 26.9.2014 v 08:28 David Kupka
napsal(a):
<br>
<blockquote type="cite">On 09/25/2014 04:17 PM, David Kupka
wrote:
<br>
<blockquote type="cite">On 09/24/2014 08:54 PM, Martin Basti
wrote:
<br>
<blockquote type="cite">On 24/09/14 15:44, David Kupka
wrote:
<br>
<blockquote type="cite">On 09/23/2014 08:25 PM, Martin
Basti wrote:
<br>
<blockquote type="cite">On 23/09/14 13:23, David Kupka
wrote:
<br>
<blockquote type="cite">On 09/18/2014 06:34 PM,
Martin Basti wrote:
<br>
<blockquote type="cite">...
<br>
1)
<br>
+ if options.unattended:
<br>
+ for ip in ip_addresses:
<br>
+ if search_reverse_zones and
<br>
find_reverse_zone(str(ip)):
<br>
+ # reverse zone is already
in LDAP
<br>
+ continue
<br>
+ for rz in ret_reverse_zones:
<br>
+ if verify_reverse_zone(rz,
ip):
<br>
+ # reverse zone was
entered by user
<br>
+ break
<br>
+ else:
<br>
+ rz =
get_reverse_zone_default(str(ip))
<br>
+
ret_reverse_zones.append(rz)
<br>
+ elif options.reverse_zones or
create_reverse():
<br>
+ for ip in ip_addresses:
<br>
+ if search_reverse_zones and
<br>
find_reverse_zone(str(ip)):
<br>
+ # reverse zone is already
in LDAP
<br>
+ continue
<br>
+ for rz in ret_reverse_zones:
<br>
+ if verify_reverse_zone(rz,
ip):
<br>
+ # reverse zone was
entered by user
<br>
+ break
<br>
+ else:
<br>
+ rz =
get_reverse_zone_default(str(ip))
<br>
+ rz = read_reverse_zone(rz,
str(ip))
<br>
+
ret_reverse_zones.append(rz)
<br>
+ else:
<br>
+ options.no_reverse = True
<br>
+ ret_reverse_zones = []
<br>
<br>
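Review bot: the body of the for ip in ip_addresses loop is duplicated verbatim in the if options.unattended branch and the elif options.reverse_zones or create_reverse() branch, the only difference being the extra rz = read_reverse_zone(rz, str(ip)) call in the interactive branch; hoist the loop out of the branches and guard just that call with if not options.unattended, so a later fix to the LDAP lookup or the for/else does not have to be applied twice. Also, the final else sets options.no_reverse = True, mutating the caller's options object from what otherwise reads like a lookup helper; either return that decision alongside the list or document that callers rely on the side effect.
<br>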
You can make it shorter without duplications:
<br>
<br>
# these ifs can be in one line
<br>
if not options.unattended:
<br>
if not options.reverse_zones:
<br>
if not create_reverse():
<br>
options.no_reverse=True
<br>
return []
<br>
<br>
for ip in ip_addresses:
<br>
if search_reverse_zones and
find_reverse_zone(str(ip)):
<br>
# reverse zone is already in LDAP
<br>
continue
<br>
for rz in ret_reverse_zones:
<br>
if verify_reverse_zone(rz, ip):
<br>
# reverse zone was entered by user
<br>
break
<br>
else:
<br>
rz =
get_reverse_zone_default(str(ip))
<br>
if not options.unattended:
<br>
rz = read_reverse_zone(rz,
str(ip))
<br>
ret_reverse_zones.append(rz)
<br>
<br>
</blockquote>
<br>
Thanks, I modified it a bit differently to also address
<br>
recommendation 3).
<br>
<br>
<blockquote type="cite">
<br>
2)
<br>
Typo? There is no IP address matching
reverze_zone %s."
<br>
---------------------------------------------^^
<br>
<br>
</blockquote>
<br>
Thanks, fixed.
<br>
<br>
<blockquote type="cite">
<br>
3)
<br>
It would be nice to ask the user to create new zones only if new zones
<br>
are required. (If all required zones exist in LDAP, you ask the user
<br>
anyway.)
<br>
<br>
</blockquote>
<br>
I added one more variable and ask only once.
<br>
<br>
<blockquote type="cite">4)
<br>
Ask framework gurus if the installutils module is a better place for
<br>
the function above
<br>
<br>
<br>
</blockquote>
<br>
Petr^3 said that it's ok to have it in
bindinstance.py.
<br>
<br>
<br>
</blockquote>
NACK, most important point is 7
<br>
<br>
1)
<br>
I'm not sure if this is a bug, but interactively it is allowed to add
<br>
only one IP address
<br>
<br>
Unable to resolve IP address for host name
<br>
Please provide the IP address to be used for this
host name:
<br>
2001:db8::2
<br>
The kerberos protocol requires a Realm name to be
defined.
<br>
<br>
</blockquote>
<br>
For the sake of infinite usability and UX I rewrote it
to ask for
<br>
multiple addresses the same way as for DNS forwarders.
Also I really
<br>
simplified IP address checking code when I was in it.
I tested it but
<br>
please look at it carefully.
<br>
Also I found that ipa-dns-install and
ipa-adtrust-install also accept
<br>
--ip-address param. So I modified ipa-dns-install in
the same way as
<br>
ipa-server-install and ipa-replica-install. After
discussion with
<br>
tbabej I decided not to touch ipa-adtrust-install now as it does not
<br>
use the specified value at all. I will remove the processing code and
<br>
mark
<br>
the param as deprecated in separate patch.
<br>
<br>
<blockquote type="cite">2)
<br>
I'm getting error message
<br>
<br>
Invalid reverse zone 10.in-addr.arpa. for IP address
<br>
2001:db8::dead:beef
<br>
Invalid reverse zone 10.in-addr.arpa. for IP address
<br>
fed0:babe:baab:0:21a:4aff:fe10:4e18
<br>
<br>
- or -
<br>
<br>
Do you want to configure the reverse zone? [yes]:
<br>
Please specify the reverse zone name
<br>
[0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.]:
<br>
Invalid reverse zone
0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<br>
for IP
<br>
address fed0:babe:baab:0:21a:4aff:fe10:4e18
<br>
Please specify the reverse zone name
<br>
[0.0.0.0.b.a.a.b.e.b.a.b.0.d.e.f.ip6.arpa.]:
<br>
Using reverse zone(s)
0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.,
<br>
0.0.0.0.b.a.a.b.e.b.a.b.0.d.e.f.ip6.arpa.
<br>
<br>
This shouldn't be there
<br>
</blockquote>
<br>
Moved the message to the function used when the installation is
<br>
attended by the user.
<br>
<br>
<blockquote type="cite">
<br>
It could be better to ask the user for a specific zone for IP address
a.b.c.d.
<br>
</blockquote>
<br>
Probably, but let's leave some work for the future.
<br>
<br>
<blockquote type="cite">
<br>
4) just nitpick
<br>
The IPA Master Server will be configured with:
<br>
...
<br>
IP address(es): 2001:db8::dead:beef,
<br>
fed0:babe:baab:0:21a:4aff:fe10:4e18
<br>
...
<br>
Reverse zone:
0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.,
<br>
0.0.0.0.b.a.a.b.e.b.a.b.0.d.e.f.ip6.arpa.
<br>
<br>
You have label "IP address(es)", so you should use
label "Reverse
<br>
zone(s)"
<br>
<br>
</blockquote>
<br>
Fixed.
<br>
<br>
<blockquote type="cite">5)
<br>
ipa-server-install --ip-address=10.16.78.105
<br>
--reverse-zone=10.in-addr.arpa.
--reverse-zone=16.10.in-addr.arpa.
<br>
--setup-dns
<br>
<br>
Creates both reverse zones, but 10.in-addr.arpa. is empty. I'm not
<br>
sure if this is wrong, but we prevent the user from adding a zone
<br>
without an address in it, so we should also prevent adding an empty
<br>
zone.
<br>
<br>
</blockquote>
<br>
It would be nice but not in this patch.
<br>
<br>
<blockquote type="cite">6)
<br>
ipa-replica-prepare --ip-address 10.16.78.105
--ip-address
<br>
2001:db8::dead:beef --reverse-zone 1.0.0.2.ip6.arpa.
<br>
vm-105.example.com
<br>
Directory Manager (existing master) password:
<br>
<br>
Invalid reverse zone 1.0.0.2.ip6.arpa. for IP
address 10.16.78.105
<br>
Invalid reverse zone 1.0.0.2.ip6.arpa.
<br>
<br>
IMO this should work, right?
<br>
<br>
+ sys.exit("There is no IP address
matching reverse
<br>
zone
<br>
%s." % rz)
<br>
I expected at least this error to be shown.
<br>
</blockquote>
<br>
Fixed, thanks.
<br>
<br>
<blockquote type="cite">
<br>
7)
<br>
ipa-replica-prepare --ip-address 10.16.78.105
--ip-address
<br>
2001:db8::dead:beef vm-105.example.com
<br>
Directory Manager (existing master) password:
<br>
<br>
.......
<br>
Adding DNS records for vm-105.example.com
<br>
Values instance has no attribute 'ip_address'
<br>
<br>
Command returns the attribute error.
<br>
It fails with one --ip-address too.
<br>
<br>
</blockquote>
<br>
Sorry, fixed.
<br>
<br>
<blockquote type="cite">
<br>
*) Not related to your patch
<br>
Problem with installation:
<br>
I'm getting message:
<br>
IPA server is already configured on this system.
<br>
Even if validation wasn't successful and the installation was aborted.
<br>
<br>
IPA install detects previous installations by checking the state file
<br>
and restore files. Function get_server_ip_address() stores some data
<br>
and modifies the hosts file before the user agreed to the
<br>
installation.
<br>
This error was there before your patch.
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4561">https://fedorahosted.org/freeipa/ticket/4561</a>
<br>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
NACK
<br>
<br>
0)
<br>
# ipa-dns-install --ip-address 2001:db8::feed
<br>
<br>
2014-09-24T06:02:13Z DEBUG stderr=
<br>
2014-09-24T06:02:13Z DEBUG File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
<br>
line 645, in run_script
<br>
return_value = main_function()
<br>
<br>
File "/sbin/ipa-dns-install", line 135, in main
<br>
ip_addresses = get_server_ip_address(api.env.host,
fstore,
<br>
options.unattended, options)
<br>
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
<br>
line 473, in get_server_ip_address
<br>
if options.setup_dns:
<br>
<br>
2014-09-24T06:02:13Z DEBUG The ipa-dns-install command
failed,
<br>
exception: AttributeError: Values instance has no
attribute
<br>
'setup_dns'
<br>
</blockquote>
<br>
Obviously there is no option --setup-dns in
ipa-dns-install.
<br>
Fixed, modified get_server_ip_address function.
<br>
<br>
<blockquote type="cite">
<br>
1)
<br>
# ipa-replica-prepare vm-073.example.com --ip-address
<br>
2620:52:0::fe10:4e18 --ip-address 10.16.78.73
<br>
Directory Manager (existing master) password:
<br>
<br>
Preparing replica for vm-073.example.com from
vm-105.example.com
<br>
Creating SSL certificate for the Directory Server
<br>
Creating SSL certificate for the dogtag Directory Server
<br>
Saving dogtag Directory Server port
<br>
Creating SSL certificate for the Web Server
<br>
Exporting RA certificate
<br>
Copying additional files
<br>
Finalizing configuration
<br>
Packaging replica information into
<br>
/var/lib/ipa/replica-info-vm-073.example.com.gpg
<br>
Adding DNS records for vm-073.example.com
<br>
Values instance has no attribute 'unattended'
<br>
<br>
It should be unattended automatically, or we need to add the
<br>
--unattended option to ipa-replica-prepare
<br>
</blockquote>
<br>
ipa-replica-install is missing the --unattended option. I fixed it in
<br>
my code for now but we should add it there.
<br>
<br>
<blockquote type="cite">
<br>
2) This is not user friendly; could the IP address check be done before
<br>
installation?
<br>
[root@vm-073 ~]# ipa-replica-install replica.file.gpg
--ip-address
<br>
2620:52::fe10:4e18 --reverse-zone 10.in-addr.arpa.
--setup-dns
<br>
--no-forwarders
<br>
Directory Manager (existing master) password:
<br>
<br>
Run connection check to master
<br>
...
<br>
&lt;long long list of successfully configured services /&gt;
<br>
...
<br>
Restarting the KDC
<br>
There is no IP address matching reverse zone
10.in-addr.arpa..
<br>
<br>
LOG:
<br>
return_value = main_function()
<br>
<br>
File "/sbin/ipa-replica-install", line 721, in main
<br>
install_bind(config, options)
<br>
<br>
File "/sbin/ipa-replica-install", line 265, in
install_bind
<br>
reverse_zones =
<br>
bindinstance.check_reverse_zones(config.ip_addresses,
<br>
options.reverse_zones, options, True)
<br>
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
<br>
line 426, in check_reverse_zones
<br>
sys.exit("There is no IP address matching reverse
zone %s." % rz)
<br>
<br>
2014-09-24T06:39:23Z DEBUG The ipa-replica-install
command failed,
<br>
exception: SystemExit: There is no IP address matching
reverse zone
<br>
10.in-addr.arpa..
<br>
</blockquote>
<br>
Fixed. Asking everything before actual installation.
<br>
<br>
<blockquote type="cite">
<br>
3)
<br>
I'm not sure if sys.exit() is good; replica-install should write
<br>
something about a partially configured system
<br>
</blockquote>
<br>
This is quite common in installation scripts. I moved these parts
<br>
before the actual installation.
<br>
<br>
<blockquote type="cite">
<br>
4) I'm not sure if this is the best place to ask about
reverse zones
<br>
....
<br>
Done configuring the web interface (httpd).
<br>
Configuring ipa-otpd
<br>
[1/2]: starting ipa-otpd
<br>
[2/2]: configuring ipa-otpd to start on boot
<br>
Done configuring ipa-otpd.
<br>
Applying LDAP updates
<br>
Restarting the directory server
<br>
Restarting the KDC
<br>
Do you want to configure the reverse zone? [yes]:
<br>
</blockquote>
<br>
Moved.
<br>
<br>
<blockquote type="cite">
<br>
5) And error
<br>
# ipa-replica-install replica.file.gpg --ip-address
2620:52:xxxx
<br>
--setup-dns
<br>
....
<br>
Do you want to configure the reverse zone? [yes]:
<br>
Please specify the reverse zone name
<br>
[c.4.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.]:
<br>
Using reverse zone(s)
c.4.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
<br>
<br>
Your system may be partly configured.
<br>
Run /usr/sbin/ipa-server-install --uninstall to clean
up.
<br>
<br>
Unexpected error - see /var/log/ipareplica-install.log
for details:
<br>
AttributeError: 'str' object has no attribute 'version'
<br>
<br>
LOG:
<br>
2014-09-24T06:50:44Z DEBUG retrieving schema for
SchemaCache
<br>
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
<br>
conn=<ldap.ldapobject.SimpleLDAPObject instance at
0x46ba950>
<br>
2014-09-24T06:50:45Z DEBUG File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
<br>
line 645, in run_script
<br>
return_value = main_function()
<br>
<br>
File "/sbin/ipa-replica-install", line 721, in main
<br>
install_bind(config, options)
<br>
<br>
File "/sbin/ipa-replica-install", line 272, in
install_bind
<br>
ca_configured=options.setup_ca)
<br>
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
<br>
line 550, in setup
<br>
self.__setup_sub_dict()
<br>
<br>
File
<br>
"/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
<br>
line 651, in __setup_sub_dict
<br>
if addr.version in (4, 6):
<br>
<br>
2014-09-24T06:50:45Z DEBUG The ipa-replica-install
command failed,
<br>
exception: AttributeError: 'str' object has no attribute
'version'
<br>
</blockquote>
<br>
Fixed. We are using IP addresses both as strings and as
<br>
CheckedIPAddress.
<br>
I swapped them here.
<br>
<blockquote type="cite">
<br>
<br>
*) I don't like this asking to specify a zone without an IP
<br>
Do you want to configure the reverse zone? [yes]:
<br>
Please specify the reverse zone name
<br>
[0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.]:
<br>
Please specify the reverse zone name
[78.16.10.in-addr.arpa.]:
<br>
<br>
</blockquote>
<br>
Would be nice. I prefer to do it as part of more powerful reverse zone
<br>
validation logic.
<br>
<blockquote type="cite">
<br>
<br>
**) I'm not sure how often this case can happen:
<br>
master and replica without DNS, you run --ipa-dns-install on master
<br>
then on replica; then the replica DNS installation will not try to find
<br>
existing reverse zones in LDAP, due to the configuration in
<br>
ipa-dns-install.
<br>
Maybe you should detect if the DNS container exists and then set the
<br>
flag "search_reverse_zones=True"
<br>
<br>
ipa-dns-install:
<br>
+ reverse_zones =
bindinstance.check_reverse_zones(ip_addresses,
<br>
options.reverse_zones, options)
<br>
</blockquote>
<br>
Same as above.
<br>
<br>
<br>
<br>
<br>
_______________________________________________
<br>
Freeipa-devel mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a>
<br>
<br>
</blockquote>
<br>
Rebased to current master and ipa-4-1. Removed unintentional
<br>
modification of ipa-adtrust-install.
<br>
</blockquote>
<br>
+ for ip, ip_address in zip(config.ips,
config.ip_addresses):
<br>
+ reverse_zone =
bindinstance.find_reverse_zone(ip)
<br>
<br>
Is it always 100% guaranteed that the values in config.ips and
<br>
config.ip_addresses are the same length and otherwise match
each other
<br>
in a way that will not cause things to break? IMO it would be
better to
<br>
store a single list of 2-tuples somewhere from the start
instead of
<br>
zipping things later. (Note that zip([1], ['yes', 'oh noes!'])
== [(1,
<br>
'yes')].)
<br>
<br>
</blockquote>
<br>
The chances that this will break are really small but I cannot
<br>
guarantee that it won't eventually.
<br>
One list (config.ip_addresses) is generated from the other (config.ips)
<br>
and right now there is no need to modify them. But if someone in the
<br>
future modifies only one of them, it will fail really badly. So I
<br>
removed zip() and convert the IP address to string on demand. It will
<br>
cost a few more cycles but will also be less error-prone.
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
Another few flaws eradicated.
<br>
<br>
</blockquote>
<big><big><big><big>ACK</big></big></big></big><br>
<br>
There is one issue with the info message in ipa-replica-install, where
the wrong zone is shown instead of the zone where the value will be added.
(Values in DNS are correct.) This doesn't work on IPA 4.0 either (by
source code, not tested).<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
</body>
</html>