[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Rob Crittenden rcritten at redhat.com
Fri Sep 21 13:21:43 UTC 2012


Petr Viktorin wrote:
> On 09/19/2012 08:46 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/19/2012 04:56 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 09/17/2012 08:10 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> On 09/14/2012 08:46 AM, Martin Kosek wrote:
>>>>>>>> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>>>>>>>>
>>>>>>>>>>>>> Shouldn't this also call verify_fqdn() on the local hostname
>>>>>>>>>>>>> and
>>>>>>>>>>>>> not
>>>>>>>>>>>>> just the master? I think this would eventually fail in the
>>>>>>>>>>>>> conncheck
>>>>>>>>>>>>> but
>>>>>>>>>>>>> what if that was skipped?
>>>>>>>>>>>>>
>>>>>>>>>>>>> rob
>>>>>>>>>>>>
>>>>>>>>>>>> A few lines above there is a call to get_host_name, which will
>>>>>>>>>>>> call
>>>>>>>>>>>> verify_fqdn.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>>>>>>>>
>>>>>>>>>>> # ipa-server-install --setup-dns
>>>>>>>>>>> # ipa-replica-prepare replica.example.com
>>>>>>>>>>> --ip-address=192.168.100.2
>>>>>>>>>>> # ipa host-del replica.example.com
>>>>>>>>>>>
>>>>>>>>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>>>>>>>>
>>>>>>>>>>> # ipa-replica-install ...
>>>>>>>>>>>
>>>>>>>>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>>>>>>>>
>>>>>>>>>>> The conncheck fails:
>>>>>>>>>>>
>>>>>>>>>>> Execute check on remote master
>>>>>>>>>>> Check connection from master to remote replica
>>>>>>>>>>> 'replica.example.com':
>>>>>>>>>>>
>>>>>>>>>>> Remote master check failed with following error message(s):
>>>>>>>>>>> Could not chdir to home directory /home/admin: No such file or
>>>>>>>>>>> directory
>>>>>>>>>>> Port check failed! Unable to resolve host name
>>>>>>>>>>> 'replica.example.com'
>>>>>>>>>>>
>>>>>>>>>>> Connection check failed!
>>>>>>>>>>> Please fix your network settings according to error messages
>>>>>>>>>>> above.
>>>>>>>>>>> If the check results are not valid it can be skipped with
>>>>>>>>>>> --skip-conncheck parameter.
>>>>>>>>>>>
>>>>>>>>>>> The DNS test happens much further after this, and I get why, I
>>>>>>>>>>> just
>>>>>>>>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>>>>>>>>
>>>>>>>>>> For the record, it's because we need to check if the host has DNS
>>>>>>>>>> installed. We need a LDAP connection to check this.
>>>>>>>>>>
>>>>>>>>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>>>>>>>>>>> --skip-conncheck
>>>>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>>>>
>>>>>>>>>>> ipa         : ERROR    Could not resolve hostname
>>>>>>>>>>> replica.example.com
>>>>>>>>>>> using DNS. Clients may not function properly. Please check your
>>>>>>>>>>> DNS
>>>>>>>>>>> setup. (Note that this check queries IPA DNS directly and
>>>>>>>>>>> ignores
>>>>>>>>>>> /etc/hosts.)
>>>>>>>>>>> Continue? [no]:
>>>>>>>>>>>
>>>>>>>>>>> So I guess, what are the intentions here? It is certainly better
>>>>>>>>>>> than
>>>>>>>>>>> before.
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>>>>>>>>> conncheck will succeed. This check explicitly queries IPA records
>>>>>>>>>> only
>>>>>>>>>> and ignores /etc/hosts so it'll notice this case and warn.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ok, like I said, this is better than we have. Just one nit then
>>>>>>>>> you
>>>>>>>>> get an ack:
>>>>>>>>>
>>>>>>>>> +        # If remote host has DNS, check forward/reverse
>>>>>>>>> resolution
>>>>>>>>> +        try:
>>>>>>>>> +            entry = conn.find_entries(u'cn=dns',
>>>>>>>>> base_dn=DN(api.env.basedn))
>>>>>>>>> +        except errors.NotFound:
>>>>>>>>>
>>>>>>>>> u'cn=dns' should be str(constants.container_dns).
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> This is a search filter, Petr could use the one I already have in
>>>>>>>> "dns.py::get_dns_masters()" function:
>>>>>>>> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>>>>>>>>
>>>>>>>> For performance sake, I would also not search in the entire tree,
>>>>>>>> but
>>>>>>>> limit the
>>>>>>>> search only to:
>>>>>>>>
>>>>>>>> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>
>>>>>>> Attaching updated patch with Martin's suggestions.
>>>>>>
>>>>>> I think what Martin had in mind was:
>>>>>>
>>>>>> if api.Object.dnsrecord.get_dns_masters():
>>>>>>      ...
>>>>>>
>>>>>
>>>>> I didn't want to do this because api.Object.* use our global ldap2
>>>>> Backend, which is hardwired to query localhost.
>>>>> I see now that I can hack around this, and we already do this in
>>>>> ipa-replica-install.
>>>>> I've extracted the hack and reused it to get the DNS masters.
>>>>>
>>>>>
>>>>
>>>> I can't say I'm crazy about the method name you've chosen...
>>>>
>>>> rob
>>>
>>> I intended the name as a warning to not use it unless necessary.
>>>
>>> Changed to temporary_ldap2_connection.
>>>
>>
>> I found a dangling reference to replman. I removed this and installation
>> seemed to work ok.
>>
>> --- install/tools/ipa-replica-install   2012-09-19 14:01:16.169053047
>> -0400
>> +++ /usr/sbin/ipa-replica-install       2012-09-19 14:43:06.684917906
>> -0400
>> @@ -564,8 +564,6 @@
>>       finally:
>>           if conn and conn.isconnected():
>>               conn.disconnect()
>> -        if replman and replman.conn:
>> -            replman.conn.unbind_s()
>>
>>       # Configure ntpd
>>       if options.conf_ntp:
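Review bot: deleting the `if replman and replman.conn: replman.conn.unbind_s()` cleanup in this hunk trades an unbound-name error for a leaked connection: whenever `replman` was created successfully, its LDAP connection is no longer released in the `finally` block, while `conn` still is. The dangling reference is better fixed by initializing `replman = None` before the `try`, so the original guard works in both the success and the early-error path; that is the approach the follow-up patch mentioned in the reply takes.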
>>
>
> I never had a problem with this. How are you installing the replica?
> It's true that replman might be uninitialized if there's an error
> (though it doesn't seem related to the issue). Attached patch
> initializes it.
>

ACK, pushed to master and ipa-3-0

rob
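The forward/reverse resolution check debated in this thread, as an added example that is not FreeIPA's code: the resolver is injected as a callable, so a constructed DNS zone and a constructed /etc/hosts can be compared offline. It models the failure mode from the thread, where a replica name present only in /etc/hosts passes a system-resolver check but fails a DNS-only one.

```python
import ipaddress

# Constructed sample data: the IPA master's DNS zone. The replica's record was
# deleted (ipa host-del), and "stale" points at an address whose PTR names the master.
DNS_ZONE = {
    "A": {"master.example.com.": ["192.168.100.1"],
          "stale.example.com.": ["192.168.100.1"]},
    "PTR": {"1.100.168.192.in-addr.arpa.": ["master.example.com."]},
}

# Constructed /etc/hosts on the replica: the replica knows its own name only locally.
HOSTS_FILE = {
    "replica.example.com": "192.168.100.2",
    "master.example.com": "192.168.100.1",
}


def reverse_name(ip):
    """Build the in-addr.arpa name used for the PTR query of an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def dns_lookup(rrtype, name):
    """Resolver that consults only the DNS zone, like the patch's DNS-only check."""
    key = name if name.endswith(".") else name + "."
    return DNS_ZONE.get(rrtype, {}).get(key, [])


def hosts_lookup(rrtype, name):
    """Resolver that mirrors a system resolver reading /etc/hosts before DNS."""
    if rrtype == "A" and name.rstrip(".") in HOSTS_FILE:
        return [HOSTS_FILE[name.rstrip(".")]]
    if rrtype == "PTR":
        for host, ip in HOSTS_FILE.items():
            if reverse_name(ip) == name:
                return [host + "."]
    return dns_lookup(rrtype, name)


def check_host_resolution(hostname, lookup):
    """Return the list of problems found; an empty list means forward and reverse agree."""
    fqdn = hostname.rstrip(".") + "."
    addrs = lookup("A", fqdn)
    if not addrs:
        return ["Could not resolve hostname %s" % hostname]
    problems = []
    for ip in addrs:
        names = lookup("PTR", reverse_name(ip))
        if fqdn not in names:
            problems.append("Reverse lookup of %s does not return %s (got %s)"
                            % (ip, hostname, names))
    return problems
```

Running the same name through both resolvers shows why the installer's DNS-only query is needed after verify_fqdn() has already passed via /etc/hosts.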
