
Re: [Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local



Jan Cholasta wrote:
On 15.6.2011 20:29, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote:
Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.

Note the subtle change when comparing addresses. We have two object
types, IPNetwork and IPAddress. We should only compare addresses when we
don't have an IPNetwork otherwise we can end up comparing an address to
an object with a netmask and get a bad result.

https://fedorahosted.org/freeipa/ticket/1175

NACK.

1) This breaks ipa-replica-prepare:

# ipa-replica-prepare vm-046.idm.lab.bos.redhat.com --ip-address=10.16.78.46
Usage: ipa-replica-prepare [options] FQDN (e.g. replica.example.com)

ipa-replica-prepare: error: option --ip-address: invalid IP address 10.16.78.46: No network interface matches the provided IP address and netmask

Actually, this is not your fault, we just don't use IP address checking
in IPAOptionParser correctly. --ip-address option in ipa-replica-prepare
has type "ipnet" which is validated by the CheckedIPAddress. As
match_local defaults to True, your new exception is raised.

Ok, but is 10.16.78.46 a configured network interface?

It is an IP address of new replica, i.e. it's not a local network
interface address. As I wrote, the problem is in a type of
--ip-address option in ipa-replica-prepare. You can check Honza's mail
for implementation hint.

Ah, prepare. I tested with an existing replica file...

Well, I wonder if an easier fix would be to set match_local=False by
default and specifically ask to match_local when we want.

Updated patch attached.

parse_ip_address and verify_ip_address still have match_local=True as
default - it probably should be changed for the sake of consistency.

parse_ip_address is only used by ipa-replica-install and in that case we do want to enforce match_local, so True is fine. Similarly, verify_ip_address is run on the local machine, so we want enforcement.


The check for local IP address in parse_ip_address should be removed,
it's not needed anymore, because you check it in CheckedIPAddress.


rob



Martin



I think we need 2 new option types for IPAOptionParser such as "iplocal"
and "ipnetlocal" which would be used for --ip-address option in
ipa-server-install or ipa-dns-install and which would use
match_local=True. Current types "ip" and "ipnet" should use
match_local=False.

2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0
stable branch nor in RHEL 6.1. But this should be OK since it is
targeted for RHEL 6.2.

Right, I wasn't planning on pushing this to 2.0.

rob




Honza
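
The behaviour discussed in this thread, as an added example that is not FreeIPA's code and not part of any message above: an opt-in match_local check that compares a supplied address (with optional netmask) against configured interfaces, plus the address-versus-netmask comparison pitfall. It uses Python's standard ipaddress module; check_ip, naive_match and the LOCAL_INTERFACES sample are hypothetical names and constructed values.

```python
import ipaddress

# Constructed sample of locally configured interfaces (address/prefix).
# A real installer would read these from the host; values are illustrative.
LOCAL_INTERFACES = ["127.0.0.1/8", "192.0.2.10/24", "2001:db8::10/64"]


def naive_match(addr, configured):
    """Pitfall: a bare address never equals an address-with-netmask object."""
    return ipaddress.ip_address(addr) == ipaddress.ip_interface(configured)


def check_ip(value, match_local=False, interfaces=LOCAL_INTERFACES):
    """Parse 'addr' or 'addr/prefix'. With match_local=True, also require
    that it belongs to a configured interface (hypothetical helper)."""
    has_prefix = "/" in value
    wanted = ipaddress.ip_interface(value)  # raises ValueError if malformed
    if not match_local:
        return wanted  # e.g. the address of a replica that is not this host
    for cfg in (ipaddress.ip_interface(i) for i in interfaces):
        if cfg.version != wanted.version:
            continue
        if has_prefix:
            # Netmask supplied: address and network must both match.
            if cfg == wanted:
                return cfg
        elif cfg.ip == wanted.ip:
            # No netmask supplied: compare plain addresses only.
            return cfg
    raise ValueError(
        "invalid IP address %s: No network interface matches the "
        "provided IP address and netmask" % value
    )


if __name__ == "__main__":
    print(naive_match("192.0.2.10", "192.0.2.10/24"))  # same host address
    print(check_ip("10.16.78.46"))                     # remote replica case
    print(check_ip("192.0.2.10", match_local=True))    # local install case
```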


