Simo Sorce wrote:
On Mon, 10 Jan 2011 13:49:59 -0500
Rob Crittenden<rcrit...@redhat.com>  wrote:

Before allowing ipa-replica-prepare to proceed ensure that the target
server exists in DNS. This can add the entry if you include the
--ip-address option.

If the DNS entry doesn't exist, the replication agreement will fail
because the master can't connect to the replica.

Nack,
if you pass --ip-address, you are going to test for existence of the DNS
record before actually creating it, so the check will always fail.

Simo.


Ok, use the existing verify_fqdn() method instead of calling the API.

I left the dns_resolve() change so it isn't IPv4-specific.

rob
>From 8df6e71c29744c500e437e3016a80a5f40f3bb35 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 10 Jan 2011 17:16:25 -0500
Subject: [PATCH] Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing.

Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
with the replica by name.

ticket 680
---
 install/tools/ipa-replica-prepare |   22 ++++++++++++++++++++++
 ipalib/plugins/dns.py             |   14 +++++++++++---
 ipaserver/install/installutils.py |    4 ++--
 3 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 0c3388d..908c50a 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -245,6 +245,22 @@ def main():
     if not options.pkinit_pkcs12 and not certs.ipa_self_signed():
         options.setup_pkinit = False
 
+    try:
+        installutils.verify_fqdn(replica_fqdn)
+    except RuntimeError, e:
+        msg = str(e)
+        if msg.startswith('Unable to resolve host name'):
+            if options.ip_address is None:
+                if bindinstance.dns_container_exists(api.env.host,
+                    api.env.basedn):
+                    msg += '\nAdd the --ip-address argument to create a DNS entry.'
+                sys.exit(msg)
+            else:
+                # The host doesn't exist in DNS but we're adding it.
+                pass
+        else:
+            sys.exit(msg)
+
     if options.ip_address:
         if not bindinstance.dns_container_exists(api.env.host, api.env.basedn):
             print "You can't add a DNS record because DNS is not set up."
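Review bot: The branch that lets a --ip-address run continue past verify_fqdn() keys on the exact text of the RuntimeError (`msg.startswith('Unable to resolve host name')`), so any rewording of that message in installutils.verify_fqdn — the kind of edit the two installutils hunks in this same patch make to sibling messages — would silently turn the "we are about to add the record" path into a hard exit. verify_fqdn already takes a `no_host_dns` argument (its body is outside the patch, so I am inferring that it skips the resolution step); if it does, `installutils.verify_fqdn(replica_fqdn, no_host_dns=options.ip_address is not None)` would express the intent without string matching, and the whole except block could collapse to `sys.exit(str(e))` with the `--ip-address` hint appended when the DNS container exists. Either way, a comment on the startswith line naming the message it depends on would make the coupling visible. main() begins before this hunk and continues after it.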
@@ -255,6 +271,12 @@ def main():
 
     check_ipa_configuration(api.env.realm)
 
+    if not options.ip_address:
+        try:
+            api.Command['dns_resolve'](replica_fqdn)
+        except errors.NotFound:
+            sys.exit("Neither an A nor AAAA record for host '%s' does not exist in DNS.\nUse the --ip-address option to add DNS entries for the replica." % replica_fqdn)
+
     if api.env.host == replica_fqdn:
         print "You can't create a replica on itself"
         sys.exit(1)
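Review bot: The new exit message is a double negative — "Neither an A nor AAAA record ... does not exist in DNS" reads as the opposite of what is meant; suggest `sys.exit("No A or AAAA record for host '%s' exists in DNS.\nUse the --ip-address option to add DNS entries for the replica." % replica_fqdn)`. Only errors.NotFound is caught, so any other failure raised by dns_resolve (an unreachable resolver, for instance — how dnsclient.query reports that is not visible here) would surface as a traceback rather than a message; worth confirming what the command raises in that case. main() continues beyond this hunk.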
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 88baee8..ced13ef 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -923,9 +923,17 @@ class dns_resolve(Command):
             query = '%s.%s.' % (query, api.env.domain)
         if query[-1] != '.':
             query = query + '.'
-        rr = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
-        self.log.debug('%s' % rr)
-        if len(rr) == 0:
+        reca = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
+        rec6 = dnsclient.query(query, dnsclient.DNS_C_IN, dnsclient.DNS_T_AAAA)
+        records = reca + rec6
+        found = False
+        for rec in records:
+            if rec.dns_type == dnsclient.DNS_T_A or \
+              rec.dns_type == dnsclient.DNS_T_AAAA:
+                found = True
+                break
+
+        if not found:
             raise errors.NotFound(reason=_('Host \'%(host)s\' not found' % {'host':query}))
 
         return dict(result=True, value=query)
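Review bot: The rewrite drops the `self.log.debug('%s' % rr)` line the old code had, so the records returned by the two lookups are no longer logged; keeping `self.log.debug('%s' % records)` right after `records = reca + rec6` preserves that diagnostic for the failure path the replica-prepare change now depends on. The found-flag loop can also be a single expression, `found = any(rec.dns_type in (dnsclient.DNS_T_A, dnsclient.DNS_T_AAAA) for rec in records)`, which removes the backslash continuation (assuming the supported interpreter has the `any` builtin, i.e. 2.5 or newer). The enclosing method of dns_resolve starts before this hunk.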
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b9e2ebd..a5457e2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -99,7 +99,7 @@ def verify_dns_records(host_name, responses, resaddr, family):
 
 def verify_fqdn(host_name,no_host_dns=False):
     if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
-        raise RuntimeError("Invalid hostname: " + host_name)
+        raise RuntimeError("Invalid hostname '%s', must be fully-qualified." % host_name)
 
     try:
         hostaddr = socket.getaddrinfo(host_name, None)
@@ -129,7 +129,7 @@ def verify_fqdn(host_name,no_host_dns=False):
     if len(rs) != 0:
         for rsn in rs:
             if rsn.dns_type == dnsclient.DNS_T_CNAME:
-                raise RuntimeError("The IPA Server Hostname cannot be a CNAME, only A names are allowed.")
+                raise RuntimeError("The IPA Server Hostname cannot be a CNAME, only A and AAAA names are allowed.")
 
     # Verify that it is a DNS A or AAAA record
     rs = dnsclient.query(host_name+".", dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
-- 
1.7.3.4
