[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Petr Viktorin pviktori at redhat.com
Thu Sep 20 08:32:59 UTC 2012


On 09/19/2012 08:46 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/19/2012 04:56 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 09/17/2012 08:10 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>> On 09/14/2012 08:46 AM, Martin Kosek wrote:
>>>>>>> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>>>>>>>> Petr Viktorin wrote:
>>>>>>>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>>>>>>>
>>>>>>>>>>>> Shouldn't this also call verify_fqdn() on the local hostname and
>>>>>>>>>>>> not just the master? I think this would eventually fail in the
>>>>>>>>>>>> conncheck but what if that was skipped?
>>>>>>>>>>>>
>>>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>> A few lines above there is a call to get_host_name, which will
>>>>>>>>>>> call verify_fqdn.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>>>>>>>
>>>>>>>>>> # ipa-server-install --setup-dns
>>>>>>>>>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>>>>>>>>>> # ipa host-del replica.example.com
>>>>>>>>>>
>>>>>>>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>>>>>>>
>>>>>>>>>> # ipa-replica-install ...
>>>>>>>>>>
>>>>>>>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>>>>>>>
>>>>>>>>>> The conncheck fails:
>>>>>>>>>>
>>>>>>>>>> Execute check on remote master
>>>>>>>>>> Check connection from master to remote replica 'replica.example.com':
>>>>>>>>>>
>>>>>>>>>> Remote master check failed with following error message(s):
>>>>>>>>>> Could not chdir to home directory /home/admin: No such file or directory
>>>>>>>>>> Port check failed! Unable to resolve host name 'replica.example.com'
>>>>>>>>>>
>>>>>>>>>> Connection check failed!
>>>>>>>>>> Please fix your network settings according to error messages above.
>>>>>>>>>> If the check results are not valid it can be skipped with
>>>>>>>>>> --skip-conncheck parameter.
>>>>>>>>>>
>>>>>>>>>> The DNS test happens much further after this, and I get why, I just
>>>>>>>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>>>>>>>
>>>>>>>>> For the record, it's because we need to check if the host has DNS
>>>>>>>>> installed. We need a LDAP connection to check this.
>>>>>>>>>
>>>>>>>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg --skip-conncheck
>>>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>>>
>>>>>>>>>> ipa         : ERROR    Could not resolve hostname replica.example.com
>>>>>>>>>> using DNS. Clients may not function properly. Please check your DNS
>>>>>>>>>> setup. (Note that this check queries IPA DNS directly and ignores
>>>>>>>>>> /etc/hosts.)
>>>>>>>>>> Continue? [no]:
>>>>>>>>>>
>>>>>>>>>> So I guess, what are the intentions here? It is certainly better
>>>>>>>>>> than before.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>>>>>>>> conncheck will succeed. This check explicitly queries IPA records only
>>>>>>>>> and ignores /etc/hosts so it'll notice this case and warn.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Ok, like I said, this is better than we have. Just one nit then you
>>>>>>>> get an ack:
>>>>>>>>
>>>>>>>> +        # If remote host has DNS, check forward/reverse resolution
>>>>>>>> +        try:
>>>>>>>> +            entry = conn.find_entries(u'cn=dns',
>>>>>>>> base_dn=DN(api.env.basedn))
>>>>>>>> +        except errors.NotFound:
>>>>>>>>
>>>>>>>> u'cn=dns' should be str(constants.container_dns).
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> This is a search filter, Petr could use the one I already have in
>>>>>>> "dns.py::get_dns_masters()" function:
>>>>>>> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>>>>>>>
>>>>>>> For performance's sake, I would also not search in the entire tree, but
>>>>>>> limit the search only to:
>>>>>>>
>>>>>>> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> Attaching updated patch with Martin's suggestions.
>>>>>
>>>>> I think what Martin had in mind was:
>>>>>
>>>>> if api.Object.dnsrecord.get_dns_masters():
>>>>>      ...
>>>>>
>>>>
>>>> I didn't want to do this because api.Object.* use our global ldap2
>>>> Backend, which is hardwired to query localhost.
>>>> I see now that I can hack around this, and we already do this in
>>>> ipa-replica-install.
>>>> I've extracted the hack and reused it to get the DNS masters.
>>>>
>>>>
>>>
>>> I can't say I'm crazy about the method name you've chosen...
>>>
>>> rob
>>
>> I intended the name as a warning to not use it unless necessary.
>>
>> Changed to temporary_ldap2_connection.
>>
>
> I found a dangling reference to replman. I removed this and installation
> seemed to work ok.
>
> --- install/tools/ipa-replica-install   2012-09-19 14:01:16.169053047 -0400
> +++ /usr/sbin/ipa-replica-install       2012-09-19 14:43:06.684917906 -0400
> @@ -564,8 +564,6 @@
>       finally:
>           if conn and conn.isconnected():
>               conn.disconnect()
> -        if replman and replman.conn:
> -            replman.conn.unbind_s()
>
>       # Configure ntpd
>       if options.conf_ntp:
>
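Review bot: the two removed lines delete the replication manager's cleanup (`replman.conn.unbind_s()`) from the `finally` block instead of fixing the dangling name; the guard `if replman and replman.conn:` already tolerates a `None` value, so the smaller fix is to bind `replman = None` before the `try` so that the name exists even when an exception is raised before it is assigned, and keep the unbind so a successful run still closes that connection alongside `conn.disconnect()`.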

I never had a problem with this. How are you installing the replica?
It's true that replman might be uninitialized if there's an error 
(though it doesn't seem related to the issue). The attached patch
initializes it.

-- 
Petr³
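As an added illustration of the kind of check debated in this thread (example code written for this page, not FreeIPA's code and not the patch attached to this mail): resolve the replica's name and address through one named DNS server, so a /etc/hosts entry cannot mask a missing record, and report where the forward (A/AAAA) and reverse (PTR) directions disagree. `dns_server_lookup` assumes dnspython 2.x and is only needed for a real query; `FAKE_ZONE` and `fake_lookup` are constructed data so the script runs offline. The function and zone names are this example's own.

```python
"""Forward/reverse DNS consistency check for a replica hostname.

Added illustration of the check discussed in the thread; not FreeIPA's
code.  The lookup is done against one explicit DNS server so that a
/etc/hosts entry on the replica cannot hide a missing DNS record.
"""
import ipaddress


class ResolveError(Exception):
    """Raised by a lookup callable when a name has no usable answer."""


def reverse_name(ip):
    """PTR owner name for an IPv4/IPv6 address,
    e.g. 192.168.100.2 -> 2.100.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_resolution(hostname, ip, lookup):
    """Verify hostname -> ip (A/AAAA) and ip -> hostname (PTR).

    `lookup(name, rtype)` returns a list of rdata strings or raises
    ResolveError.  Returns a list of problem messages; an empty list
    means both directions agree.
    """
    fqdn = hostname.rstrip(".").lower() + "."
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    problems = []

    # Forward direction: the name must resolve to the expected address.
    try:
        answers = lookup(fqdn, rtype)
    except ResolveError:
        answers = None
        problems.append("Could not resolve hostname %s using DNS" % hostname)
    if answers is not None and addr not in {ipaddress.ip_address(a) for a in answers}:
        problems.append("%s resolves to %s, not %s"
                        % (hostname, ", ".join(answers), ip))

    # Reverse direction: the PTR must point back at the same name.
    try:
        names = lookup(reverse_name(ip), "PTR")
    except ResolveError:
        names = None
        problems.append("Could not resolve address %s using DNS" % ip)
    if names is not None and fqdn not in {n.lower() for n in names}:
        problems.append("reverse lookup of %s gives %s, not %s"
                        % (ip, ", ".join(names), hostname))
    return problems


def dns_server_lookup(nameserver):
    """Build a lookup callable that asks only `nameserver`, bypassing the
    system resolver and /etc/hosts.  Assumes dnspython 2.x is installed;
    imported lazily so the offline demo below needs no extra package."""
    import dns.exception
    import dns.resolver

    resolver = dns.resolver.Resolver(configure=False)  # do not read resolv.conf
    resolver.nameservers = [nameserver]

    def lookup(name, rtype):
        try:
            return [r.to_text() for r in resolver.resolve(name, rtype)]
        except dns.exception.DNSException as e:
            raise ResolveError(str(e))
    return lookup


# Constructed zone data for an offline run; these are not real records.
FAKE_ZONE = {
    ("replica.example.com.", "A"): ["192.168.100.2"],
    ("2.100.168.192.in-addr.arpa.", "PTR"): ["replica.example.com."],
    ("other.example.com.", "A"): ["192.168.100.3"],
    ("3.100.168.192.in-addr.arpa.", "PTR"): ["someone-else.example.com."],
}


def fake_lookup(name, rtype):
    """Stand-in for dns_server_lookup() that answers from FAKE_ZONE."""
    try:
        return FAKE_ZONE[(name.lower(), rtype)]
    except KeyError:
        raise ResolveError("no %s record for %s" % (rtype, name))


if __name__ == "__main__":
    for host, ip in [("replica.example.com", "192.168.100.2"),
                     ("other.example.com", "192.168.100.3"),
                     ("missing.example.com", "192.168.100.9")]:
        print(host, ip, check_resolution(host, ip, fake_lookup) or "OK")
```

In the scenario Rob describes (replica name only in /etc/hosts, host entry deleted from IPA), `check_resolution("replica.example.com", "192.168.100.2", dns_server_lookup("<master ip>"))` would return the "Could not resolve hostname" problem even though the local resolver and the conncheck are happy, which is the gap the thread's check is meant to close.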
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0077-05-Check-direct-reverse-hostname-address-resolution-in-.patch
Type: text/x-patch
Size: 10240 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120920/3c9a06fe/attachment.bin>

