[Freeipa-devel] [PATCH] 0009 Detect and configure all usable IP addresses.
Martin Basti
mbasti at redhat.com
Fri Sep 26 15:50:30 UTC 2014
On 26/09/14 14:47, David Kupka wrote:
> On 09/26/2014 10:30 AM, David Kupka wrote:
>> On 09/26/2014 09:34 AM, Jan Cholasta wrote:
>>> Dne 26.9.2014 v 08:28 David Kupka napsal(a):
>>>> On 09/25/2014 04:17 PM, David Kupka wrote:
>>>>> On 09/24/2014 08:54 PM, Martin Basti wrote:
>>>>>> On 24/09/14 15:44, David Kupka wrote:
>>>>>>> On 09/23/2014 08:25 PM, Martin Basti wrote:
>>>>>>>> On 23/09/14 13:23, David Kupka wrote:
>>>>>>>>> On 09/18/2014 06:34 PM, Martin Basti wrote:
>>>>>>>>>> ...
>>>>>>>>>> 1)
>>>>>>>>>> + if options.unattended:
>>>>>>>>>> + for ip in ip_addresses:
>>>>>>>>>> + if search_reverse_zones and
>>>>>>>>>> find_reverse_zone(str(ip)):
>>>>>>>>>> + # reverse zone is already in LDAP
>>>>>>>>>> + continue
>>>>>>>>>> + for rz in ret_reverse_zones:
>>>>>>>>>> + if verify_reverse_zone(rz, ip):
>>>>>>>>>> + # reverse zone was entered by user
>>>>>>>>>> + break
>>>>>>>>>> + else:
>>>>>>>>>> + rz = get_reverse_zone_default(str(ip))
>>>>>>>>>> + ret_reverse_zones.append(rz)
>>>>>>>>>> + elif options.reverse_zones or create_reverse():
>>>>>>>>>> + for ip in ip_addresses:
>>>>>>>>>> + if search_reverse_zones and
>>>>>>>>>> find_reverse_zone(str(ip)):
>>>>>>>>>> + # reverse zone is already in LDAP
>>>>>>>>>> + continue
>>>>>>>>>> + for rz in ret_reverse_zones:
>>>>>>>>>> + if verify_reverse_zone(rz, ip):
>>>>>>>>>> + # reverse zone was entered by user
>>>>>>>>>> + break
>>>>>>>>>> + else:
>>>>>>>>>> + rz = get_reverse_zone_default(str(ip))
>>>>>>>>>> + rz = read_reverse_zone(rz, str(ip))
>>>>>>>>>> + ret_reverse_zones.append(rz)
>>>>>>>>>> + else:
>>>>>>>>>> + options.no_reverse = True
>>>>>>>>>> + ret_reverse_zones = []
>>>>>>>>>>
>>>>>>>>>> You can make it shorter without duplications:
>>>>>>>>>>
>>>>>>>>>> # this ifs can be in one line
>>>>>>>>>> if not options.unatended:
>>>>>>>>>> if not options.reverse_zones
>>>>>>>>>> if not create_reverse():
>>>>>>>>>> options.no_reverse=True
>>>>>>>>>> return []
>>>>>>>>>>
>>>>>>>>>> for ip in ip_addresses:
>>>>>>>>>> if search_reverse_zones and find_reverse_zone(str(ip)):
>>>>>>>>>> # reverse zone is already in LDAP
>>>>>>>>>> continue
>>>>>>>>>> for rz in ret_reverse_zones:
>>>>>>>>>> if verify_reverse_zone(rz, ip):
>>>>>>>>>> # reverse zone was entered by user
>>>>>>>>>> break
>>>>>>>>>> else:
>>>>>>>>>> rz = get_reverse_zone_default(str(ip))
>>>>>>>>>> if not options.unattended:
>>>>>>>>>> rz = read_reverse_zone(rz, str(ip))
>>>>>>>>>> ret_reverse_zones.append(rz)
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks, I modified it bit different way to alse address
>>>>>>>>> recommendation
>>>>>>>>> 3).
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2)
>>>>>>>>>> Typo? There is no IP address matching reverze_zone %s."
>>>>>>>>>> ---------------------------------------------^^
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks, fixed.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 3)
>>>>>>>>>> Would be nice to ask user to create new zones only if new zones
>>>>>>>>>> are
>>>>>>>>>> required. (If all required zones exist in LDAP, you ask user
>>>>>>>>>> anyway)
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I added one more variable and ask only once.
>>>>>>>>>
>>>>>>>>>> 4)
>>>>>>>>>> Ask framework gurus, if installutils module is better place for
>>>>>>>>>> function
>>>>>>>>>> above
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Petr^3 said that it's ok to have it in bindinstance.py.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> NACK, most important point is 7
>>>>>>>>
>>>>>>>> 1)
>>>>>>>> I'm not sure if this is bug, but interactively is allowed to add
>>>>>>>> only
>>>>>>>> one ip address
>>>>>>>>
>>>>>>>> Unable to resolve IP address for host name
>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>> 2001:db8::2
>>>>>>>> The kerberos protocol requires a Realm name to be defined.
>>>>>>>>
>>>>>>>
>>>>>>> For the sake of infinite usability and UX I rewrote it to ask for
>>>>>>> multiple addresses the same way as for DNS forwarders. Also I
>>>>>>> really
>>>>>>> simplified IP address checking code when I was in it. I tested
>>>>>>> it but
>>>>>>> please look at it carefully.
>>>>>>> Also I found that ipa-dns-install and ipa-adtrust-install also
>>>>>>> accept
>>>>>>> --ip-address param. So I modified ipa-dns-install in the same
>>>>>>> way as
>>>>>>> ipa-server-install and ipa-replica-install. After discussion with
>>>>>>> tbabej I decided to dont touch ipa-adtrust-install now as it do not
>>>>>>> use specified value at all. I will remove the processing code and
>>>>>>> mark
>>>>>>> the param as deprecated in separate patch.
>>>>>>>
>>>>>>>> 2)
>>>>>>>> I'm getting error message
>>>>>>>>
>>>>>>>> Invalid reverse zone 10.in-addr.arpa. for IP address
>>>>>>>> 2001:db8::dead:beef
>>>>>>>> Invalid reverse zone 10.in-addr.arpa. for IP address
>>>>>>>> fed0:babe:baab:0:21a:4aff:fe10:4e18
>>>>>>>>
>>>>>>>> - or -
>>>>>>>>
>>>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>>>> Please specify the reverse zone name
>>>>>>>> [0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.]:
>>>>>>>> Invalid reverse zone 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
>>>>>>>> for IP
>>>>>>>> address fed0:babe:baab:0:21a:4aff:fe10:4e18
>>>>>>>> Please specify the reverse zone name
>>>>>>>> [0.0.0.0.b.a.a.b.e.b.a.b.0.d.e.f.ip6.arpa.]:
>>>>>>>> Using reverse zone(s) 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.,
>>>>>>>> 0.0.0.0.b.a.a.b.e.b.a.b.0.d.e.f.ip6.arpa.
>>>>>>>>
>>>>>>>> This shouldn't be there
>>>>>>>
>>>>>>> Moved the message to function used when installation is attended by
>>>>>>> user.
>>>>>>>
>>>>>>>>
>>>>>>>> Could be better to ask user to specific zone for ip address
>>>>>>>> a.b.c.d.
>>>>>>>
>>>>>>> Probably, but lets leave some work for future.
>>>>>>>
>>>>>>>>
>>>>>>>> 4) just nitpick
>>>>>>>> The IPA Master Server will be configured with:
>>>>>>>> ...
>>>>>>>> IP address(es): 2001:db8::dead:beef,
>>>>>>>> fed0:babe:baab:0:21a:4aff:fe10:4e18
>>>>>>>> ...
>>>>>>>> Reverse zone: 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.,
>>>>>>>> 0.0.0.0.b.a.a.b.e.b.a.b.0.d.e.f.ip6.arpa.
>>>>>>>>
>>>>>>>> You have label "IP address(es)", so you should use label "Reverse
>>>>>>>> zone(s)"
>>>>>>>>
>>>>>>>
>>>>>>> Fixed.
>>>>>>>
>>>>>>>> 5)
>>>>>>>> ipa-server-install --ip-address=10.16.78.105
>>>>>>>> --reverse-zone=10.in-addr.arpa. --reverse-zone=16.10.in-addr.arpa.
>>>>>>>> --setup-dns
>>>>>>>>
>>>>>>>> Creates both reverse zones, but 10.in-addr.arpa. is empty. I'm not
>>>>>>>> sure
>>>>>>>> if this is wrong, but we prevents user to add zone without
>>>>>>>> address in
>>>>>>>> it, so we should prevents, to add empty zone.
>>>>>>>>
>>>>>>>
>>>>>>> It would be nice but not in this patch.
>>>>>>>
>>>>>>>> 6)
>>>>>>>> ipa-replica-prepare --ip-address 10.16.78.105 --ip-address
>>>>>>>> 2001:db8::dead:beef --reverse-zone 1.0.0.2.ip6.arpa.
>>>>>>>> vm-105.example.com
>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>
>>>>>>>> Invalid reverse zone 1.0.0.2.ip6.arpa. for IP address 10.16.78.105
>>>>>>>> Invalid reverse zone 1.0.0.2.ip6.arpa.
>>>>>>>>
>>>>>>>> IMO This should work, right?
>>>>>>>>
>>>>>>>> + sys.exit("There is no IP address matching reverse
>>>>>>>> zone
>>>>>>>> %s." % rz)
>>>>>>>> I expected at least this error to be shown.
>>>>>>>
>>>>>>> Fixed, thanks.
>>>>>>>
>>>>>>>>
>>>>>>>> 7)
>>>>>>>> ipa-replica-prepare --ip-address 10.16.78.105 --ip-address
>>>>>>>> 2001:db8::dead:beef vm-105.example.com
>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>
>>>>>>>> .......
>>>>>>>> Adding DNS records for vm-105.example.com
>>>>>>>> Values instance has no attribute 'ip_address'
>>>>>>>>
>>>>>>>> Command returns the attribute error.
>>>>>>>> It fails with one --ip-address too.
>>>>>>>>
>>>>>>>
>>>>>>> Sorry, fixed.
>>>>>>>
>>>>>>>>
>>>>>>>> *) Not related with your patch
>>>>>>>> Problem with installation:
>>>>>>>> I'm getting message:
>>>>>>>> IPA server is already configured on this system.
>>>>>>>> Even if I validation wasn't successful and installation was
>>>>>>>> aborted.
>>>>>>>>
>>>>>>>> IPA install detects previous installations by checking state file
>>>>>>>> and
>>>>>>>> restore files. Function get_server_ip_address() stores some
>>>>>>>> data and
>>>>>>>> hosts file and modify the host file, before user agreed
>>>>>>>> installation.
>>>>>>>> This error was there before your patch.
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4561
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> NACK
>>>>>>
>>>>>> 0)
>>>>>> # ipa-dns-install --ip-address 2001:db8::feed
>>>>>>
>>>>>> 2014-09-24T06:02:13Z DEBUG stderr=
>>>>>> 2014-09-24T06:02:13Z DEBUG File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>
>>>>>> line 645, in run_script
>>>>>> return_value = main_function()
>>>>>>
>>>>>> File "/sbin/ipa-dns-install", line 135, in main
>>>>>> ip_addresses = get_server_ip_address(api.env.host, fstore,
>>>>>> options.unattended, options)
>>>>>>
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>
>>>>>> line 473, in get_server_ip_address
>>>>>> if options.setup_dns:
>>>>>>
>>>>>> 2014-09-24T06:02:13Z DEBUG The ipa-dns-install command failed,
>>>>>> exception: AttributeError: Values instance has no attribute
>>>>>> 'setup_dns'
>>>>>
>>>>> Obviously there is no option --setup-dns in ipa-dns-install.
>>>>> Fixed, modified get_server_ip_address function.
>>>>>
>>>>>>
>>>>>> 1)
>>>>>> # ipa-replica-prepare vm-073.example.com --ip-address
>>>>>> 2620:52:0::fe10:4e18 --ip-address 10.16.78.73
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Preparing replica for vm-073.example.com from vm-105.example.com
>>>>>> Creating SSL certificate for the Directory Server
>>>>>> Creating SSL certificate for the dogtag Directory Server
>>>>>> Saving dogtag Directory Server port
>>>>>> Creating SSL certificate for the Web Server
>>>>>> Exporting RA certificate
>>>>>> Copying additional files
>>>>>> Finalizing configuration
>>>>>> Packaging replica information into
>>>>>> /var/lib/ipa/replica-info-vm-073.example.com.gpg
>>>>>> Adding DNS records for vm-073.example.com
>>>>>> Values instance has no attribute 'unattended'
>>>>>>
>>>>>> It should be unatended automatically, or we need add the
>>>>>> --unattended
>>>>>> option to ipa-replica-prepare
>>>>>
>>>>> ipa-replica-install is missing --unattended option. I fixed it in my
>>>>> code for now but we should add it there.
>>>>>
>>>>>>
>>>>>> 2) This is nto user friendly, could be IP address check before
>>>>>> installation?
>>>>>> [root at vm-073 ~]# ipa-replica-install replica.file.gpg --ip-address
>>>>>> 2620:52::fe10:4e18 --reverse-zone 10.in-addr.arpa. --setup-dns
>>>>>> --no-forwarders
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Run connection check to master
>>>>>> ...
>>>>>> <long long list of succesfully configured services />
>>>>>> ...
>>>>>> Restarting the KDC
>>>>>> There is no IP address matching reverse zone 10.in-addr.arpa..
>>>>>>
>>>>>> LOG:
>>>>>> return_value = main_function()
>>>>>>
>>>>>> File "/sbin/ipa-replica-install", line 721, in main
>>>>>> install_bind(config, options)
>>>>>>
>>>>>> File "/sbin/ipa-replica-install", line 265, in install_bind
>>>>>> reverse_zones =
>>>>>> bindinstance.check_reverse_zones(config.ip_addresses,
>>>>>> options.reverse_zones, options, True)
>>>>>>
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>>>>>
>>>>>> line 426, in check_reverse_zones
>>>>>> sys.exit("There is no IP address matching reverse zone %s."
>>>>>> % rz)
>>>>>>
>>>>>> 2014-09-24T06:39:23Z DEBUG The ipa-replica-install command failed,
>>>>>> exception: SystemExit: There is no IP address matching reverse zone
>>>>>> 10.in-addr.arpa..
>>>>>
>>>>> Fixed. Asking everything before actual installation.
>>>>>
>>>>>>
>>>>>> 3)
>>>>>> I'm not sure if sys.exit() is good, replica-install shoudl wrote
>>>>>> something about partially configured system
>>>>>
>>>>> This is quite common in installation scripts. I moved this parts
>>>>> before
>>>>> actual installation.
>>>>>
>>>>>>
>>>>>> 4) I'm not sure if this is the best place to ask about reverse zones
>>>>>> ....
>>>>>> Done configuring the web interface (httpd).
>>>>>> Configuring ipa-otpd
>>>>>> [1/2]: starting ipa-otpd
>>>>>> [2/2]: configuring ipa-otpd to start on boot
>>>>>> Done configuring ipa-otpd.
>>>>>> Applying LDAP updates
>>>>>> Restarting the directory server
>>>>>> Restarting the KDC
>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>
>>>>> Moved.
>>>>>
>>>>>>
>>>>>> 5) And error
>>>>>> # ipa-replica-install replica.file.gpg --ip-address 2620:52:xxxx
>>>>>> --setup-dns
>>>>>> ....
>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>> Please specify the reverse zone name
>>>>>> [c.4.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.]:
>>>>>> Using reverse zone(s) c.4.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
>>>>>>
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>> Unexpected error - see /var/log/ipareplica-install.log for details:
>>>>>> AttributeError: 'str' object has no attribute 'version'
>>>>>>
>>>>>> LOG:
>>>>>> 2014-09-24T06:50:44Z DEBUG retrieving schema for SchemaCache
>>>>>> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-BOS-REDHAT-COM.socket
>>>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x46ba950>
>>>>>> 2014-09-24T06:50:45Z DEBUG File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>
>>>>>> line 645, in run_script
>>>>>> return_value = main_function()
>>>>>>
>>>>>> File "/sbin/ipa-replica-install", line 721, in main
>>>>>> install_bind(config, options)
>>>>>>
>>>>>> File "/sbin/ipa-replica-install", line 272, in install_bind
>>>>>> ca_configured=options.setup_ca)
>>>>>>
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>>>>>
>>>>>> line 550, in setup
>>>>>> self.__setup_sub_dict()
>>>>>>
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>>>>>
>>>>>> line 651, in __setup_sub_dict
>>>>>> if addr.version in (4, 6):
>>>>>>
>>>>>> 2014-09-24T06:50:45Z DEBUG The ipa-replica-install command failed,
>>>>>> exception: AttributeError: 'str' object has no attribute 'version'
>>>>>
>>>>> Fixed. We are using IP addresses as a strings and as a
>>>>> CheckedIPAddress.
>>>>> I swapped them here.
>>>>>>
>>>>>>
>>>>>> *) I don't like this asking to specify zone without IP
>>>>>> Do you want to configure the reverse zone? [yes]:
>>>>>> Please specify the reverse zone name
>>>>>> [0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.]:
>>>>>> Please specify the reverse zone name [78.16.10.in-addr.arpa.]:
>>>>>>
>>>>>
>>>>> Would be nice. Prefer to do it as a part of more powerfull reverse
>>>>> zone
>>>>> validation logic.
>>>>>>
>>>>>>
>>>>>> **) I'm not sure how often this case can happen:
>>>>>> master and replica without DNS, you run --ipa-dns-install on master
>>>>>> then
>>>>>> on replica, then replica DNS installation will not try to find
>>>>>> existent
>>>>>> reverse zones in ldap, due configuration in ipa-dns-install.
>>>>>> Maybe you should detect if DNS container exists and then set flag
>>>>>> "search_reverse_zones=True"
>>>>>>
>>>>>> ipa-dns-install:
>>>>>> + reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
>>>>>> options.reverse_zones, options)
>>>>>
>>>>> Same as above.
>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>
>>>>
>>>> Rebased to current master and ipa-4-1. Removed unintentional
>>>> modification of ipa-adtrust-install.
>>>
>>> + for ip, ip_address in zip(config.ips,
>>> config.ip_addresses):
>>> + reverse_zone = bindinstance.find_reverse_zone(ip)
>>>
>>> Is it always 100% guaranteed that the values in config.ips and
>>> config.ip_addresses are the same length and otherwise match each other
>>> in a way that will not cause things to break? IMO it would be better to
>>> store a single list of 2-tuples somewhere from the start instead of
>>> zipping things later. (Note that zip([1], ['yes', 'oh noes!']) == [(1,
>>> 'yes')].)
>>>
>>
>> The chances that this will break are really small but I cannot guarantee
>> that it won't eventually.
>> One list (config.ip_addresses) is generated from the other (config.ips)
>> and right now there is no need to modify them. But if someone in the
>> future modify only one of them it will fail really badly. So I removed
>> zip() and convert the ip address to string on demand. It will cost a few
>> more cycles but also will be less error prone.
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>
> Another few flaws eradicated.
>
ACK
There is one issue with info message in ipa-replica-install, where wrong
zone is shown instead of zone where value will be added. (Values in DNS
are correct). This doesn't work on IPA 4.0 too. (by source code, not tested)
--
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140926/54f513a6/attachment.htm>
More information about the Freeipa-devel
mailing list