[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Rob Crittenden rcritten at redhat.com
Wed Sep 19 18:46:49 UTC 2012


Petr Viktorin wrote:
> On 09/19/2012 04:56 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/17/2012 08:10 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 09/14/2012 08:46 AM, Martin Kosek wrote:
>>>>>> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>>>>>>> Petr Viktorin wrote:
>>>>>>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>>>>>>
>>>>>>>>>>> Shouldn't this also call verify_fqdn() on the local hostname and
>>>>>>>>>>> not just the master? I think this would eventually fail in the
>>>>>>>>>>> conncheck but what if that was skipped?
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>> A few lines above there is a call to get_host_name, which will
>>>>>>>>>> call verify_fqdn.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>>>>>>
>>>>>>>>> # ipa-server-install --setup-dns
>>>>>>>>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>>>>>>>>> # ipa host-del replica.example.com
>>>>>>>>>
>>>>>>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>>>>>>
>>>>>>>>> # ipa-replica-install ...
>>>>>>>>>
>>>>>>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>>>>>>
>>>>>>>>> The conncheck fails:
>>>>>>>>>
>>>>>>>>> Execute check on remote master
>>>>>>>>> Check connection from master to remote replica 'replica.example.com':
>>>>>>>>>
>>>>>>>>> Remote master check failed with following error message(s):
>>>>>>>>> Could not chdir to home directory /home/admin: No such file or directory
>>>>>>>>> Port check failed! Unable to resolve host name 'replica.example.com'
>>>>>>>>>
>>>>>>>>> Connection check failed!
>>>>>>>>> Please fix your network settings according to error messages above.
>>>>>>>>> If the check results are not valid it can be skipped with
>>>>>>>>> --skip-conncheck parameter.
>>>>>>>>>
>>>>>>>>> The DNS test happens much further after this, and I get why, I just
>>>>>>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>>>>>>
>>>>>>>> For the record, it's because we need to check if the host has DNS
>>>>>>>> installed. We need a LDAP connection to check this.
>>>>>>>>
>>>>>>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg --skip-conncheck
>>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>>
>>>>>>>>> ipa         : ERROR    Could not resolve hostname replica.example.com
>>>>>>>>> using DNS. Clients may not function properly. Please check your DNS
>>>>>>>>> setup. (Note that this check queries IPA DNS directly and ignores
>>>>>>>>> /etc/hosts.)
>>>>>>>>> Continue? [no]:
>>>>>>>>>
>>>>>>>>> So I guess, what are the intentions here? It is certainly better
>>>>>>>>> than before.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>>>>>>> conncheck will succeed. This check explicitly queries IPA records
>>>>>>>> only and ignores /etc/hosts so it'll notice this case and warn.
>>>>>>>>
>>>>>>>
>>>>>>> Ok, like I said, this is better than we have. Just one nit then you
>>>>>>> get an ack:
>>>>>>>
>>>>>>> +        # If remote host has DNS, check forward/reverse resolution
>>>>>>> +        try:
>>>>>>> +            entry = conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn))
>>>>>>> +        except errors.NotFound:
>>>>>>>
>>>>>>> u'cn=dns' should be str(constants.container_dns).
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> This is a search filter, Petr could use the one I already have in
>>>>>> "dns.py::get_dns_masters()" function:
>>>>>> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>>>>>>
>>>>>> For performance sake, I would also not search in the entire tree, but
>>>>>> limit the search only to:
>>>>>>
>>>>>> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Attaching updated patch with Martin's suggestions.
>>>>
>>>> I think what Martin had in mind was:
>>>>
>>>> if api.Object.dnsrecord.get_dns_masters():
>>>>      ...
>>>>
>>>
>>> I didn't want to do this because api.Object.* use our global ldap2
>>> Backend, which is hardwired to query localhost.
>>> I see now that I can hack around this, and we already do this in
>>> ipa-replica-install.
>>> I've extracted the hack and reused it to get the DNS masters.
>>>
>>>
>>
>> I can't say I'm crazy about the method name you've chosen...
>>
>> rob
>
> I intended the name as a warning to not use it unless necessary.
>
> Changed to temporary_ldap2_connection.
>

I found a dangling reference to replman. I removed this and installation 
seemed to work ok.

--- install/tools/ipa-replica-install   2012-09-19 14:01:16.169053047 -0400
+++ /usr/sbin/ipa-replica-install       2012-09-19 14:43:06.684917906 -0400
@@ -564,8 +564,6 @@
      finally:
          if conn and conn.isconnected():
              conn.disconnect()
-        if replman and replman.conn:
-            replman.conn.unbind_s()

      # Configure ntpd
      if options.conf_ntp:
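Review bot: dropping the `if replman and replman.conn:` / `replman.conn.unbind_s()` pair is a correctness fix, not a cosmetic one: the `finally:` clause runs on every exit from the block, so with `replman` left as a dangling name (as reported above) the test raises NameError on every run and would replace whatever exception the try body raised with an unrelated one. Since this diff is against the installed /usr/sbin copy, the same two-line removal should be folded into the committed patch so the dead reference does not survive in the tree.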

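As an added example, not code from the thread or from FreeIPA: a forward/reverse resolution check structured the way Petr describes, with its two lookups injected so it can be pointed at the IPA master's DNS directly and never consults /etc/hosts. The zone data, the host master.example.com and the address 192.168.100.1 are constructed; in a deployment the lookups would be explicit DNS queries (e.g. with dnspython) sent to the master.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Both lookups are injected so the check never goes through the libc resolver
# (and therefore /etc/hosts). In a deployment they would be explicit DNS queries
# sent to the IPA master; here they are backed by constructed zone data.
Forward = Callable[[str], List[str]]  # hostname -> A/AAAA addresses, [] if none
Reverse = Callable[[str], List[str]]  # address -> PTR names, [] if none

@dataclass
class DnsCheckResult:
    ok: bool
    problems: List[str] = field(default_factory=list)

def check_host_dns(hostname: str, forward: Forward, reverse: Reverse) -> DnsCheckResult:
    """Require a forward record for hostname and a PTR for each address pointing back."""
    name = hostname.rstrip(".").lower()
    addrs = forward(name)
    if not addrs:
        return DnsCheckResult(False, [f"Could not resolve hostname {hostname} using DNS"])
    problems: List[str] = []
    for addr in addrs:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{hostname} resolves to invalid address {addr!r}")
            continue
        ptrs = [p.rstrip(".").lower() for p in reverse(addr)]
        if not ptrs:
            problems.append(f"No reverse (PTR) record for {addr}")
        elif name not in ptrs:
            problems.append(f"Reverse record for {addr} is {ptrs[0]}, not {hostname}")
    return DnsCheckResult(not problems, problems)

# Constructed stand-in for the IPA zone after Rob's reproduction steps: the master
# (hypothetical master.example.com / 192.168.100.1) is present, while the replica's
# records are gone because `ipa host-del replica.example.com` removed them.
ZONE_FORWARD: Dict[str, List[str]] = {"master.example.com": ["192.168.100.1"]}
ZONE_REVERSE: Dict[str, List[str]] = {"192.168.100.1": ["master.example.com."]}

def ipa_forward(name: str) -> List[str]:
    return ZONE_FORWARD.get(name, [])

def ipa_reverse(addr: str) -> List[str]:
    return ZONE_REVERSE.get(addr, [])

if __name__ == "__main__":
    for host in ("master.example.com", "replica.example.com"):
        print(host, check_host_dns(host, ipa_forward, ipa_reverse))
```

Because the replica's /etc/hosts is never consulted, the replica case reports the same "Could not resolve hostname ... using DNS" condition the thread shows, while the master passes only if its PTR points back at the same name.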