Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2011-06-14 at 08:56 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-06-13 at 16:41 -0400, Rob Crittenden wrote:
Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.

Note the subtle change when comparing addresses. We have two object
types, IPNetwork and IPAddress. We should only compare addresses when we
don't have an IPNetwork otherwise we can end up comparing an address to
an object with a netmask and get a bad result.


1) This breaks ipa-replica-prepare:

# ipa-replica-prepare
Usage: ipa-replica-prepare [options] FQDN (e.g.

ipa-replica-prepare: error: option --ip-address: invalid IP address No network interface matches the provided IP address and

Actually, this is not your fault, we just don't use IP address checking
in IPAOptionParser correctly. --ip-address option in
has type "ipnet" which is validated by the CheckedIPAddress. As
match_local defaults to True, your new exception is raised.

Ok, but is a configured network interface?

It is an IP address of new replica, i.e. it's not a local network
interface address. As I wrote, the problem is in a type of
--ip-address option in ipa-replica-prepare. You can check Honza's mail
for implementation hint.

Ah, prepare. I tested with an existing replica file...

Well, I wonder if an easier fix would be to set match_local=False by
default and specifically ask to match_local when we want.

Updated patch attached.



I think we need 2 new option types for IPAOptionParser such as
and "ipnetlocal" which would be used for --ip-address option in
ipa-server-install or ipa-dns-install and which would use
match_local=True. Current types "ip" and "ipnet" should use

2) CheckedIPAddress functionality (i.e. this fix) is neither in ipa-2-0
stable branch nor in RHEL 6.1. But this should be OK since it is
targeted for RHEL 6.2.

Right, I wasn't planning on pushing this to 2.0.


Freeipa-devel mailing list
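
The comparison the commit message describes, as an added example that is not part of this thread or of FreeIPA's code: it uses Python 3's standard `ipaddress` module in place of netaddr, and `match_local`, `is_local` and the `CONFIGURED` list are hypothetical names with constructed sample data. In this sketch the address must always equal a configured one, and the network must match as well only when a prefix was supplied.

```python
import ipaddress

# Constructed sample of configured interfaces (name, address/prefix), standing
# in for what an installer would read from the host; not real output.
CONFIGURED = [
    ("lo", "127.0.0.1/8"),
    ("eth0", "192.0.2.10/24"),
    ("eth1", "2001:db8::10/64"),
]


def match_local(value, configured=CONFIGURED):
    """Return the name of the interface that carries `value`.

    `value` is "ADDR" or "ADDR/PREFIX". Raises ValueError when no configured
    interface matches, so a caller that forgets to handle it fails closed.
    """
    has_mask = "/" in value
    wanted = ipaddress.ip_interface(value)
    for name, cidr in configured:
        local = ipaddress.ip_interface(cidr)
        if local.version != wanted.version:
            continue
        # Always compare plain addresses with plain addresses.
        if local.ip != wanted.ip:
            continue
        # Compare networks only when the caller actually supplied a prefix;
        # a bare address has no netmask to disagree with.
        if has_mask and local.network != wanted.network:
            continue
        return name
    raise ValueError("no network interface matches %s" % value)


def is_local(value, configured=CONFIGURED):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        match_local(value, configured)
        return True
    except ValueError:
        return False
```

An address such as a new replica's, which is not configured on the machine running the tool, is rejected here, which is why the check has to be something a caller asks for only when the address is supposed to be local.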

From 3c9b11eaa34ea969b8d0b08ab8fb611f464d5403 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Mon, 13 Jun 2011 16:37:40 -0400
Subject: [PATCH] The IP address provided to ipa-server-install must be local

Compare the configured interfaces with the supplied IP address and
optional netmask to determine if the interface is available.
 install/tools/ipa-server-install |    2 +-
 ipapython/             |    7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8fb13a3..756e4b0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -596,7 +596,7 @@ def main():
     # Check we have a public IP that is associated with the hostname
     hostaddr = resolve_host(host_name)
     if hostaddr is not None:
-        ip = CheckedIPAddress(hostaddr)
+        ip = CheckedIPAddress(hostaddr, match_local=True)
         if not options.ip_address:
             print "Unable to resolve IP address for host name"
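Review bot: the new `CheckedIPAddress(hostaddr, match_local=True)` call can now raise ValueError when the resolved address is not on any local interface, and nothing in the visible context around it catches that, so the installer would end in a traceback rather than a message like the "Unable to resolve IP address for host name" print just below. Suggest wrapping the call in try/except ValueError and exiting with a clear error. It is also worth confirming that the value given via --ip-address is validated with match_local=True somewhere, since this is the only call site the patch switches on and the default becomes False in the same change.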
diff --git a/ipapython/ b/ipapython/
index ed8f04a..91d19e9 100644
--- a/ipapython/
+++ b/ipapython/
@@ -66,7 +66,7 @@ def get_domain_name():
     return domain_name
 class CheckedIPAddress(netaddr.IPAddress):
-    def __init__(self, addr, match_local=True, parse_netmask=True):
+    def __init__(self, addr, match_local=False, parse_netmask=True):
         if isinstance(addr, CheckedIPAddress):
             super(CheckedIPAddress, self).__init__(addr)
             self.prefixlen = addr.prefixlen
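Review bot: flipping the default in `def __init__(self, addr, match_local=False, parse_netmask=True)` turns the locality check off for every existing caller that relied on the old default and makes it opt-in for new callers, who will skip it unless they remember to ask for it. Suggest listing the affected call sites in the commit message and passing match_local explicitly at each of them, and adding a docstring that says what match_local and parse_netmask do and that ValueError is raised when no interface matches.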
@@ -117,11 +117,14 @@ class CheckedIPAddress(netaddr.IPAddress):
                 ifnet = netaddr.IPNetwork(fields[3])
-                if ifnet == net or ifnet.ip == addr:
+                if ifnet == net or (net is None and ifnet.ip == addr):
                     net = ifnet
                     iface = fields[1]
+            if iface is None:
+                raise ValueError('No network interface matches the provided IP address and netmask')
         if net is None:
             defnet = True
             if addr.version == 4:
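Review bot: with `if ifnet == net or (net is None and ifnet.ip == addr):` the address itself is compared only when no netmask was supplied; when one is supplied the match rests on `ifnet == net` alone. Please confirm that equality of two IPNetwork objects also implies the host address is the interface's own address; if it compares only the network range, any address inside a local subnet would be accepted as local, and requiring `ifnet.ip == addr` in both branches would close that. The new ValueError text also says "and netmask" even when no netmask was given.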
