[Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install

Jan Cholasta jcholast at redhat.com
Tue May 24 13:42:55 UTC 2011


On 24.5.2011 14:44, Jan Cholasta wrote:
> On 24.5.2011 14:43, Martin Kosek wrote:
>> On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
>>> On 18.5.2011 10:51, Martin Kosek wrote:
>>>> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
>>>>> On 16.5.2011 17:26, Martin Kosek wrote:
>>>>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>>>>>>> Split from patch 3, requires patch 18.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/1213
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>>
>>>>>> I tested all patches (3.6, 18, 19), but I think some work still needs to
>>>>>> be done:
>>>>>>
>>>>>> 1) What about adding /sbin/ip package to Requires in spec? I thought
>>>>>> there was an agreement to do it.
>>>>>
>>>>> Will do.
>>>>
>>>> Ok.
>>>>
>>>>>
>>>>>>
>>>>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is
>>>>>> an invalid address (e.g. $ADDR==foo), a loopback address (e.g.
>>>>>> $ADDR==127.0.0.1) or just another than the local address (e.g.
>>>>>> $ADDR==123.123.123.123) the installer always fails with "the hostname
>>>>>> resolves to an IP address that is different from the one provided on the
>>>>>> command line".
>>>>>>
>>>>>> I think we may want a different error message in those 3 cases - it
>>>>>> should be easy to do it now, with the improved IP handling.
>>>>>
>>>>> It looks like the print statements from verify_ip_address don't
>>>>> actually print anything to the user. Will look into that.
>>>>
>>>> Ok.
>>>>
>>>>>
>>>>>>
>>>>>> 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the
>>>>>> installation always fails with the above message. Even though I took the
>>>>>> addr+netmask from "/sbin/ip address" output.
>>>>>
>>>>> Works for me. Please make sure you've added your hostname to
>>>>> /etc/hosts.
>>>>
>>>> I think I had. But I will recheck when you send a fix.
>>>>
>>>>>
>>>>>>
>>>>>> 4) I miss IP address checks in --ip-address and --forwarder parameters
>>>>>> of ipa-dns-install script. I can pass invalid or local addresses to
>>>>>> these parameters. This breaks Bind configuration.
>>>>>
>>>>> --ip-address is checked, but --forwarder is not. Will fix that.
>>>>
>>>> Ok, I will recheck both of them when you do.
>>>>
>>>>>
>>>>>>
>>>>>> 5) I think we may want to check also for local address in
>>>>>> #ipa host-add $HOST --ip-address=127.0.0.1
>>>>>>
>>>>>> 6) I couldn't add IP address with netmask in host module:
>>>>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
>>>>>> ipa: ERROR: invalid 'ip_address': invalid IP address
>>>>>
>>>>> The patches are for the installer, as are the tickets they fix, so these
>>>>> issues are out of scope. A new ticket should be opened for them.
>>>>>
>>>>
>>>> You touched this parameter in your patches, that's why I tested it. I
>>>> created a new ticket for it:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1234
>>>>
>>>> Ticket 1234, yey :-)
>>>>
>>>>>>
>>>>>> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not
>>>>>> really an internal use since it is returned by new IP handling functions
>>>>>> and used in other modules.
>>>>>
>>>>> _ParsedIPAddress is not for public use. The fact that an object of this
>>>>> class is returned by parse_ip_address doesn't really matter - this is
>>>>> Python, not C++ or Java.
>>>>
>>>> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to
>>>> run FreeIPA, now I know - it's because it's Python.
>>>>
>>>> Martin
>>>>
>>>
>>> Patch updated. Requires patch 18.1
>>>
>>> Honza
>>>
>>
>> All reported issues were fixed, good idea with a new type for our
>> IPAOptionParser.
>>
>> Still, NACK from me:
>>
>> ipa-replica-install doesn't use IPAOptionParser, but the good old
>> OptionParser which doesn't know the new type. This makes
>> ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
>>
>> Martin
>>
>
> Thanks, I missed that.
>
> Honza
>

Fixed and added a unit test.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-19.2-strict-ip-address-check.patch
Type: text/x-patch
Size: 2479 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110524/f201e088/attachment.bin>
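
The two technical points of this thread, distinct rejection reasons for invalid, loopback and non-local addresses, and a custom option type that the stock optparse Option class does not know, can be seen in the following added example. It is not the FreeIPA patch or project code: `check_ip`, `IPOption` and `build_parser` are hypothetical names, the standard-library `ipaddress` module is an assumed stand-in for the project's own parsing, and the set of local addresses is passed in rather than read from `/sbin/ip`.

```python
import ipaddress
from copy import copy
from optparse import Option, OptionParser, OptionValueError


def check_ip(value, local_addrs=None):
    """Parse 'ADDR' or 'ADDR/PREFIX'; raise ValueError naming the exact reason."""
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        raise ValueError("invalid IP address: %r" % value)
    addr = iface.ip
    if addr.is_loopback:
        raise ValueError("loopback address not allowed: %s" % addr)
    if addr.is_unspecified or addr.is_multicast:
        raise ValueError("unusable address: %s" % addr)
    # local_addrs: set of addresses configured on this host (supplied by caller)
    if local_addrs is not None and addr not in local_addrs:
        raise ValueError("address not configured on this host: %s" % addr)
    return iface


def _optparse_check_ip(option, opt, value):
    # optparse type checkers report bad values through OptionValueError
    try:
        return check_ip(value)
    except ValueError as e:
        raise OptionValueError("option %s: %s" % (opt, e))


class IPOption(Option):
    """Hypothetical Option subclass that registers the 'ip' type."""
    TYPES = Option.TYPES + ("ip",)
    TYPE_CHECKER = copy(Option.TYPE_CHECKER)
    TYPE_CHECKER["ip"] = _optparse_check_ip


def build_parser(option_class=Option):
    # With the stock Option class, add_option(type="ip") raises OptionError
    # as soon as the parser is built, before any argument is parsed.
    parser = OptionParser(option_class=option_class)
    parser.add_option("--ip-address", dest="ip_address", type="ip")
    return parser
```

Every script that declares an option of the new type has to build its parser with the extended option class; one that still uses the plain parser fails at start-up regardless of the arguments given.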

