[Freeipa-devel] [PATCH 0017] Improve error message in ipa-replica-manage

Tomas Babej tbabej at redhat.com
Thu Oct 25 10:40:13 UTC 2012 

On 10/24/2012 04:40 AM, Rob Crittenden wrote:
> Tomas Babej wrote:
>> On 10/19/2012 09:55 AM, Petr Viktorin wrote:
>>> On 10/18/2012 08:01 PM, Rob Crittenden wrote:
>>>> Tomas Babej wrote:
>>>>> On 10/02/2012 03:55 PM, Rob Crittenden wrote:
>>>>>> Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> When executing ipa-replica-manage connect to an unknown or 
>>>>>>> irrelevant
>>>>>>> master, we now print a sensible error message informing the user
>>>>>>> about this possiblity as well.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3105
>>>>>>>
>>>>>>> Tomas
>>>>>>
>>>>>> I put a whole bunch of code into a try/except and this may be 
>>>>>> catching
>>>>>> errors in unexpected ways.
>>>>>>
>>>>>> I'm not entirely sure right now what we should do, but looking at 
>>>>>> the
>>>>>> code in the try:
>>>>>>
>>>>>> repl1.conn.getEntry(master1_dn, ldap.SCOPE_BASE)
>>>>>> repl1.conn.getEntry(master2_dn, ldap.SCOPE_BASE)
>>>>>>
>>>>>> We take in replica1 and replica1 as arguments (the default for
>>>>>> replica1 is the current host).
>>>>>>
>>>>>> If either of these raise a NotFound it means there there is no 
>>>>>> master
>>>>>> of that name. Does that mean that the master was deleted? Well,
>>>>>> clearly not.
>>>>>>
>>>>>> A lot has changed since I did this, I may have been relying on a
>>>>>> side-effect, or just hadn't tested well-enough.
>>>>>>
>>>>>> I wonder if we need that message at all. Is "foo" is not an IPA 
>>>>>> server
>>>>>> good enough? It still might be confusing if someone didn't know that
>>>>>> "foo" was deleted and it was still running. We could probably verify
>>>>>> that it is at least an IPA server by doing similar checking in the
>>>>>> client, it all depends on how far we want to take it.
>>>>>>
>>>>>> rob
>>>>>
>>>>> I modified the patch. Now if the NotFound error is encountered, we 
>>>>> try
>>>>> to investigate whether we're trying to connect to an IPA server at 
>>>>> all.
>>>>> Please see if you have any suggestions.
>>>>>
>>>>> Tomas
>>>>
>>>> Getting there, the errors are a lot better.
>>>>
>>>> Can you modify the 'Connection unsuccessful' message to include the
>>>> server we failed to connect to?
>>>>
>>>> The logger isn't so nice either, I think I'd prefer it if we could
>>>> exclude the severity:
>>>>
>>>> ipa: ERROR: LDAP Error: Connect error: TLS error -8172:Peer's
>>>> certificate issuer has been marked as not trusted by the user.
>>>> Connection unsuccessful.
>>>>
>>>> So drop the 'ipa: ERROR: ' part for consistency. TI don't believe we
>>>> configure the root logger at all in this tool so it is using the
>>>> defaults.
>>>
>>> It's not very easy to find the right call to configure the logger to
>>> drop the "ipa: ERROR:" part:
>>> standard_logging_setup(console_format='%(message)s')
>>> The function is in ipapython.ipa_log_manager. Hopefully that helps.
>>>
>> Thanks!
>>>> I'd also replace the test for -4 with the constant
>>>> ipadiscovery.NOT_IPA_SERVER
>>>>
>>>> rob
>>>>
>>>
>> I implemented your suggestions. Please have a look at the new patch
>> version.
>>
>> Tomas
>
> Getting a traceback:
>
> # ipa-replica-manage connect otherinstall.example.com
> LDAP Error: Connect error: TLS error -8054:You are attempting to 
> import a cert with the same issuer/serial as an existing cert, but 
> that is not the same cert.
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-replica-manage", line 862, in <module>
>     main()
>   File "/usr/sbin/ipa-replica-manage", line 845, in main
>     add_link(realm, replica1, replica2, dirman_passwd, options)
>   File "/usr/sbin/ipa-replica-manage", line 732, in add_link
>     sys.exit("Connection to %s unsuccessful.", replica2)
> TypeError: exit expected at most 1 arguments, got 2
>
> I was just going to fix this and push and discovered another thing to 
> improve.
>
> Trying to connect to a host not in DNS doesn't return a very nice 
> message. It says that the CA wasn't found, which is true in an offbeat 
> sort of way I guess.
>
> Here is a quick mock-up to see if a host resolves. Note that we can't 
> use ipapython.ipautil.is_host_resolvable() because that only uses DNS.
>
> I whipped this up in 2 seconds just to see how it'd work. The name 
> stinks, it should probably go into ipapython/ipautil and the way I'm 
> checking in add_link would lead to a lot of duplication if tried in 
> the other commands. Probably best to have try to centralize the 
> message and sys.exit().
>
> --- ipa-replica-manage  2012-10-23 22:08:36.426435673 -0400
> +++ /usr/sbin/ipa-replica-manage        2012-10-23 22:34:36.946371449 
> -0400
> @@ -21,6 +21,7 @@
>  import os
>
>  import ldap, re, krbV
> +import socket
>  import traceback
>  from urllib2 import urlparse
>
> @@ -54,6 +55,19 @@
>      "list-clean-ruv":(0, 0, "", ""),
>  }
>
> +def host_exists(host):
> +    """
> +    Resolve the host to see if it exists.
> +
> +    Returns True/False
> +    """
> +    try:
> +        socket.getaddrinfo(host, 80)
> +    except socket.gaierror:
> +        return False
> +    else:
> +        return True
> +
>  def convert_error(exc):
>      """
>      LDAP exceptions are a dictionary, make them prettier.
> @@ -652,6 +666,11 @@
>
>  def add_link(realm, replica1, replica2, dirman_passwd, options):
>
> +    if not host_exists(replica1):
> +        sys.exit("unknown host %s" % replica1)
> +    if not host_exists(replica2):
> +        sys.exit("unknown host %s" % replica2)
> +
>      if options.winsync:
>          if not options.binddn or not options.bindpw or not 
> options.cacert or not options.passsync:
>              root_logger.error("The arguments --binddn, --bindpw, 
> --passsync and --cacert are required to create a winsync agreement")
> @@ -729,7 +748,7 @@
>                      "but it might be unknown, foreign or previously 
> deleted "
>                      "one." % replica2)
>              else:
> -                sys.exit("Connection to %s unsuccessful.", replica2)
> +                sys.exit("Connection to %s unsuccessful." % replica2)
>
>          repl1.setup_gssapi_replication(replica2, DN(('cn', 'Directory 
> Manager')), dirman_passwd)
>      print "Connected '%s' to '%s'" % (replica1, replica2)
>
I added the host_exists function to ipautil.py and added check for
hosts in each relevant function in ipa-replica-manage. I retested
the patch, seems to work as expected.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0017-4-IPA-Server-check-in-ipa-replica-manage.patch
Type: text/x-patch
Size: 6058 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121025/5e106603/attachment.bin>

More information about the Freeipa-devel mailing list