On Fri, 2011-10-07 at 11:25 +0200, Martin Kosek wrote:
> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
> > When installing with DNS we skip a few hostname checks on the assumption 
> > that the DNS we are installing will cover things. We still need to 
> > verify /etc/hosts and we do this with gethostbyname_ex() which returns 
> > the primary name and all other names of the host. If the primary name 
> > doesn't match (e.g. the shortname is defined first in /etc/hosts) or it 
> > isn't resolvable at all then we error out.
> > 
> > This also prevents a chicken-and-egg error as several services need to 
> > start before DNS is available so the hostname must be defined.
> > 
> > rob
> 
> I see several problems with the patch. At first, it needs a rebase, I
> reworked the exceptions raised in verify_fqdn in #1899.
> 
> Then, this patch would break several things:
> 
> 1) Now, when we install a server with --setup-dns and the host is not
> resolvable, we add a record to /etc/hosts ourselves, so that the user is
> not obliged to hack /etc/hosts:
> 
> # ipa-server-install --setup-dns
> ...
> Server host name [vm-050.idm.lab.bos.redhat.com]: 
> 
> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
> The domain name has been calculated based on the host name.
> 
> Please confirm the domain name [idm.lab.bos.redhat.com]: 
> 
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 10.16.78.50
> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file   
> <<<<<<
> The IPA Master Server will be configured with
> Hostname:    vm-050.idm.lab.bos.redhat.com
> IP address:  10.16.78.50
> Domain name: idm.lab.bos.redhat.com
> 
> 
> 2) This will break ipa-replica-prepare. We cannot assume that only local
> host names are passed to verify_fqdn since it is also used for the new
> replica hostname check in ipa-replica-prepare:
> 
> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
> Directory Manager (existing master) password: 
> 
> The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
> appear in at least /etc/hosts.
> Add the --ip-address argument to create a DNS entry.
> 
> We must be very cautious in this function, there was already a BZ from
> RHEV-M guys which could be now broken:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=729357
> 
> Martin
> 

What about doing something like this (attached)? This would prevent a user
from installing IPA with a misconfigured /etc/hosts in both of the following cases:
1.2.3.4 foo                                << just short name
1.2.3.4 foo foo.example.com                << short name is primary

It would still allow the user to configure IPA with --setup-dns without
making a record in /etc/hosts on his own.

Martin
From 21483cbc41c687fae1944b9d46edca0ef5b13d2b Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 7 Oct 2011 14:23:20 +0200
Subject: [PATCH] Check hostname resolution sanity

Always check (even with --setup-dns or --no-host-dns) that if the
host name or IP address resolves, it resolves to a sane value. Otherwise
report an error. A misconfigured /etc/hosts causing these errors could
harm the installation later.

https://fedorahosted.org/freeipa/ticket/1923
---
 install/tools/ipa-replica-prepare |    2 +-
 install/tools/ipa-server-install  |   13 +++++++++++++
 ipaserver/install/installutils.py |   14 +++++++++++---
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6b7130be9df262aee80c5e17201492fc4be01891..74c6d09296adb85dc8f66db35b61a413aad113c5 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -269,7 +269,7 @@ def main():
         sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
 
     try:
-        installutils.verify_fqdn(replica_fqdn, system_name_check=False)
+        installutils.verify_fqdn(replica_fqdn, local_hostname=False)
     except BadHostError, e:
         msg = str(e)
         if isinstance(e, HostLookupError):
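Review bot: renaming the keyword from system_name_check to local_hostname changes verify_fqdn()'s signature, so any caller outside the three files in the diffstat that still passes system_name_check= will fail with a TypeError at runtime; confirm there are none before merging. The new name does describe what the flag now controls better than the old one.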
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7839dbd9fd68cb16ec9ec1f8ea385f0feacb8f2e..45e3e999f0489f54b94181fac955800ef72ac051 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -41,6 +41,7 @@ import random
 import tempfile
 import nss.error
 from optparse import OptionGroup, OptionValueError
+import socket
 
 from ipaserver.install import dsinstance
 from ipaserver.install import krbinstance
@@ -784,6 +785,18 @@ def main():
         logging.debug("read ip_address: %s\n" % str(ip))
     ip_address = str(ip)
 
+    # check that if the address resolves, it resolves to this hostname
+    try:
+        revname = socket.gethostbyaddr(ip_address)[0]
+
+        if revname != host_name:
+            print >>sys.stderr, "The host name %s does not match the reverse lookup %s for %s"\
+                    % (host_name, revname, ip_address)
+            print >>sys.stderr, "Please check your DNS or /etc/hosts file and restart the installation."
+            return 1
+    except socket.gaierror:
+        pass
+
     if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
         sys.exit(1)
 
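Review bot: the new try/except in main() catches the wrong exception: socket.gethostbyaddr() reports a missing reverse mapping as socket.herror, not socket.gaierror, so an ip_address with no PTR record and no /etc/hosts entry aborts the installer with a traceback instead of being skipped as intended. Use `except (socket.herror, socket.gaierror):`. Two smaller points: `revname != host_name` should compare case-insensitively and also accept host_name among the aliases gethostbyaddr() returns, since one address may legitimately carry several names, and this check overlaps with the primary-name check that verify_fqdn() now runs for local hostnames, so one of the two should own it.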
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 64d212282de5d54af71aa84fd1dba857ae60f519..a924e771a5e3d780a458b42337ba050d835dd7d8 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -129,7 +129,7 @@ def verify_dns_records(host_name, responses, resaddr, family):
         raise RuntimeError("The DNS forward record %s does not match the reverse address %s" % (rec.dns_name, rev.rdata.ptrdname))
 
 
-def verify_fqdn(host_name, no_host_dns=False, system_name_check=True):
+def verify_fqdn(host_name, no_host_dns=False, local_hostname=True):
     """
     Run fqdn checks for given host:
         - test hostname format
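Review bot: the docstring's "Run fqdn checks for given host" list should gain an entry for the new check that the host name equals the primary name returned by the reverse lookup, since that is now one of the checks verify_fqdn() performs for local hostnames.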
@@ -140,7 +140,7 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True):
 
     :param host_name: The host name to verify.
     :param no_host_dns: If true, skip DNS resolution tests of the host name.
-    :param system_name_check: If true, check if the host name matches the system host name.
+    :param local_hostname: If true, run additional checks for local hostnames
     """
     if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
         raise BadHostError("Invalid hostname '%s', must be fully-qualified." % host_name)
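Review bot: the replacement :param local_hostname: text is vaguer than the line it replaces; say which checks it enables (the primary name returned by gethostbyaddr() must equal host_name, plus the existing comparison with socket.gethostname()) and end with a period like the other parameter descriptions.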
@@ -151,7 +151,15 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True):
     if ipautil.valid_ip(host_name):
         raise BadHostError("IP address not allowed as a hostname")
 
-    if system_name_check:
+    if local_hostname:
+        try:
+            ex_name = socket.gethostbyaddr(host_name)
+            if host_name != ex_name[0]:
+                raise HostLookupError("The host name %s does not match the primary host name %s. "\
+                        "Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0]))
+        except socket.gaierror:
+            pass
+
         system_host_name = socket.gethostname()
         if not (host_name + '.').startswith(system_host_name + '.'):
             print "Warning: The host name '%s' does not match the system host name '%s'." % (host_name, system_host_name)
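Review bot: the except clause in the new local_hostname block has the same gap as the one in ipa-server-install: socket.gethostbyaddr(host_name) first forward-resolves the name (socket.gaierror on failure) and then reverse-resolves the address, which raises socket.herror when no reverse entry exists, so a host with a forward record but no PTR crashes verify_fqdn() rather than passing. Catch `(socket.gaierror, socket.herror)`. Note also that this compares against the reverse lookup, while the proposal at the top of the thread compared against gethostbyname_ex(), the forward primary name; the reverse name can legitimately differ from the forward one, so a host with a valid DNS setup may be rejected here, whereas gethostbyname_ex()[0] (lower-cased on both sides) is what exposes a short name listed first in /etc/hosts. Finally, consider BadHostError rather than HostLookupError for a mismatch: ipa-replica-prepare special-cases HostLookupError (first hunk), apparently to emit the "not resolvable ... --ip-address" hint quoted earlier, which would mislead for a name that does resolve.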
-- 
1.7.6.4
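An added example, not code from the FreeIPA patch or project: the resolution sanity check discussed in this thread (forward primary name via gethostbyname_ex() plus reverse lookup of the address, with both socket.gaierror and socket.herror handled), written against pluggable lookup functions so the two misconfigured /etc/hosts layouts Martin lists can be exercised offline from constructed lines. `hosts_file_resolvers` and `check_hostname_sanity` are names chosen for this example, not functions of installutils.

```python
import socket

def hosts_file_resolvers(lines):
    """Build gethostbyname_ex()/gethostbyaddr()-shaped lookups from constructed
    /etc/hosts lines (offline stand-in for the real socket functions)."""
    table = []
    for line in lines:
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2:
            table.append((fields[0], fields[1:]))

    def forward(name):
        for addr, names in table:
            if name.lower() in [n.lower() for n in names]:
                return names[0], names[1:], [addr]  # glibc: first name is primary
        raise socket.gaierror(socket.EAI_NONAME, 'Name or service not known')

    def reverse(addr):
        for a, names in table:
            if a == addr:
                return names[0], names[1:], [addr]
        raise socket.herror(1, 'Unknown host')
    return forward, reverse

def check_hostname_sanity(host_name, ip_address=None,
                          forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr):
    """Return a list of problems (empty means sane).  Unresolvable names are not
    reported (the installer may create the records); wrong resolutions are.
    Forward lookups raise socket.gaierror, reverse ones socket.herror."""
    name = host_name.rstrip('.').lower()
    if len(name.split('.')) < 2 or name == 'localhost.localdomain':
        return ["'%s' is not fully qualified" % host_name]
    problems, addrs = [], []
    try:
        fwd_primary, _aliases, addrs = forward(name)
        if fwd_primary.lower() != name:   # e.g. "1.2.3.4 foo foo.example.com"
            problems.append("primary name of %s is '%s'" % (host_name, fwd_primary))
    except (socket.gaierror, socket.herror):
        pass
    if ip_address and ip_address not in addrs:
        addrs = addrs + [ip_address]      # also catches "1.2.3.4 foo" (short name only)
    for addr in addrs:
        try:
            rev_primary = reverse(addr)[0]
        except (socket.gaierror, socket.herror):
            continue                      # no reverse entry: not fatal here
        if rev_primary.lower() != name:
            problems.append("%s reverse-resolves to '%s'" % (addr, rev_primary))
    return problems
```

Against the real resolver, call `check_hostname_sanity(fqdn, ip)` with the defaults; an empty list corresponds to the configuration the patch accepts.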

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel