This patch depends on my patch 140 (attached just to be sure).

Do I understand correctly that the newly proposed bind-dyndb-ldap option
ldap_hostname won't be needed?

Martin
>From 21b8bea688b03e6c4d13da2dbcdebed8ff0fa09d Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 12 Oct 2011 14:46:08 +0200
Subject: [PATCH] Hostname used by IPA must be a system hostname

Make sure that the hostname IPA uses is a system hostname. If user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.

This step should prevent failures of various services which may not
be ready to talk to IPA with a non-system hostname.

https://fedorahosted.org/freeipa/ticket/1931
---
 install/tools/ipa-server-install          |   23 +++++++++++++++++++++++
 install/tools/man/ipa-server-install.1    |    2 +-
 ipa-client/ipa-install/ipa-client-install |    4 +++-
 ipaserver/install/installutils.py         |    5 -----
 4 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 45e3e999f0489f54b94181fac955800ef72ac051..a114378e60c712077b520a7d7db78b214c0af53f 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -525,6 +525,14 @@ def uninstall():
 
     ipaservices.knownservices.ipa.disable()
 
+    old_hostname = sstore.restore_state('network','hostname')
+    system_hostname = get_fqdn()
+    if old_hostname is not None and old_hostname != system_hostname:
+        try:
+            ipautil.run(['/bin/hostname', old_hostname])
+        except CalledProcessError, e:
+            print >>sys.stderr, "Failed to set this machine hostname back to %s (%s)." % (old_hostname, str(e))
+
     # Now for some sanity checking. Make sure everything was really
     # uninstalled.
     serverids = dsinstance.check_existing_installation()
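Review bot: A failed hostname restore in uninstall() is only printed to stderr, so an unattended uninstall can finish while the machine silently keeps the hostname set by the installer; consider folding the failure into the function's result (the rest of uninstall() is outside this hunk, so how its status is tracked is not visible here). Only `CalledProcessError` is caught, so any other failure to launch `/bin/hostname` would presumably surface as a traceback rather than this message. A short comment above the block, e.g. `# restore the runtime hostname recorded in sstore under 'network'/'hostname' at install time`, would make clear where `old_hostname` comes from.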
@@ -752,6 +760,15 @@ def main():
     host_name = host_name.lower()
     logging.debug("will use host_name: %s\n" % host_name)
 
+    system_hostname = get_fqdn()
+    if host_name != system_hostname:
+        print >>sys.stderr
+        print >>sys.stderr, "Warning: hostname %s does not match system hostname %s." \
+                            % (host_name, system_hostname)
+        print >>sys.stderr, "System hostname will be updated during the installation process"
+        print >>sys.stderr, "to prevent service failures."
+        print >>sys.stderr
+
     if not options.domain_name:
         domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended)
         logging.debug("read domain_name: %s\n" % domain_name)
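Review bot: The comparison `host_name != system_hostname` is case-sensitive, but only `host_name` is lower-cased (context line just above the added block), so a system hostname that contains upper-case letters would always be reported as a mismatch and then rewritten. Comparing against `get_fqdn().lower()` would avoid that; the same comparison is repeated in the later main() hunk that calls `backup_and_replace_hostname`. In unattended mode this stderr warning is the only notice the administrator gets before the system hostname is changed, so logging it with `logging.warning` as well would leave a record in the install log.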
@@ -884,6 +901,12 @@ def main():
         print "Please wait until the prompt is returned."
         print ""
 
+    if host_name != system_hostname:
+        logging.debug("Chosen hostname (%s) differs from system hostname (%s) - change it" \
+                      % (host_name, system_hostname))
+        # configure /etc/sysconfig/network to contain the custom hostname
+        ipaservices.backup_and_replace_hostname(fstore, sstore, host_name)
+
     # Create DS group if it doesn't exist yet
     try:
         grp.getgrnam(dsinstance.DS_GROUP)
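Review bot: The call to `ipaservices.backup_and_replace_hostname(fstore, sstore, host_name)` has no error handling, whereas the uninstall() hunk of this patch guards its `/bin/hostname` call with `except CalledProcessError`; if the helper can raise (its body is not shown here), the installer would stop with a traceback right after telling the user to wait. If installation aborts at a later step, the system hostname also stays changed until uninstall runs, which deserves a comment next to the call, e.g. `# the original hostname is restored by uninstall()`. main() continues outside this hunk.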
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index f305723b1926851c007d0fd177e52baa51d927d6..a281711381e231fa9bacb021238cf0c36d88d194 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -42,7 +42,7 @@ The kerberos master password (normally autogenerated)
 The password for the IPA admin user
 .TP
 \fB\-\-hostname\fR=\fIHOST_NAME\fR
-The fully\-qualified DNS name of this server
+The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
 .TP
 \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
 The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail.
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 969dc9b0faa5e131f1e9199325bdf2350157ab8a..62de4f8e127cdb0cde1d458ce2047dc252bd01ec 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -894,8 +894,10 @@ def install(options, env, fstore, statestore):
     if not options.unattended and not user_input("Continue to configure the system with these values?", False):
         return CLIENT_INSTALL_ERROR
 
-    if options.hostname:
+    if options.hostname and not options.on_master:
         # configure /etc/sysconfig/network to contain the hostname we set.
+        # skip this step when run by ipa-server-install as it always configures
+        # hostname if different from system hostname
         ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname)
 
     if not options.unattended:
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a924e771a5e3d780a458b42337ba050d835dd7d8..f3ea3bd70a0d011c951c0dd8985fdad9176fdcab 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -160,11 +160,6 @@ def verify_fqdn(host_name, no_host_dns=False, local_hostname=True):
         except socket.gaierror:
             pass
 
-        system_host_name = socket.gethostname()
-        if not (host_name + '.').startswith(system_host_name + '.'):
-            print "Warning: The host name '%s' does not match the system host name '%s'." % (host_name, system_host_name)
-            print "         Some services may not work properly."
-
     if no_host_dns:
         print "Warning: skipping DNS resolution of host", host_name
         return
-- 
1.7.6.4

>From 21483cbc41c687fae1944b9d46edca0ef5b13d2b Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 7 Oct 2011 14:23:20 +0200
Subject: [PATCH] Check hostname resolution sanity

Always check (even with --setup-dns or --no-host-dns) that if the
host name or IP address resolves, it resolves to a sane value. Otherwise
report an error. A misconfigured /etc/hosts causing these errors could
harm the installation later.

https://fedorahosted.org/freeipa/ticket/1923
---
 install/tools/ipa-replica-prepare |    2 +-
 install/tools/ipa-server-install  |   13 +++++++++++++
 ipaserver/install/installutils.py |   14 +++++++++++---
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6b7130be9df262aee80c5e17201492fc4be01891..74c6d09296adb85dc8f66db35b61a413aad113c5 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -269,7 +269,7 @@ def main():
         sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
 
     try:
-        installutils.verify_fqdn(replica_fqdn, system_name_check=False)
+        installutils.verify_fqdn(replica_fqdn, local_hostname=False)
     except BadHostError, e:
         msg = str(e)
         if isinstance(e, HostLookupError):
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7839dbd9fd68cb16ec9ec1f8ea385f0feacb8f2e..45e3e999f0489f54b94181fac955800ef72ac051 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -41,6 +41,7 @@ import random
 import tempfile
 import nss.error
 from optparse import OptionGroup, OptionValueError
+import socket
 
 from ipaserver.install import dsinstance
 from ipaserver.install import krbinstance
@@ -784,6 +785,18 @@ def main():
         logging.debug("read ip_address: %s\n" % str(ip))
     ip_address = str(ip)
 
+    # check that if the address resolves, it resolves to this hostname
+    try:
+        revname = socket.gethostbyaddr(ip_address)[0]
+
+        if revname != host_name:
+            print >>sys.stderr, "The host name %s does not match the reverse lookup %s for %s"\
+                    % (host_name, revname, ip_address)
+            print >>sys.stderr, "Please check your DNS or /etc/hosts file and restart the installation."
+            return 1
+    except socket.gaierror:
+        pass
+
     if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
         sys.exit(1)
 
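Review bot: `socket.gethostbyaddr()` signals a failed reverse lookup with `socket.herror`, not `socket.gaierror`, so for an address with no PTR record or /etc/hosts entry the added `except socket.gaierror:` would not match and main() would end in a traceback instead of skipping the check. Catching both, `except (socket.gaierror, socket.herror):`, keeps the intended "only if it resolves" behaviour; the same pattern appears in the verify_fqdn hunk of installutils.py in this patch. The comparison `revname != host_name` is also case-sensitive while `host_name` appears to be lower-cased earlier in main() (outside this hunk), so comparing against `revname.lower()` would avoid false mismatches.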
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 64d212282de5d54af71aa84fd1dba857ae60f519..a924e771a5e3d780a458b42337ba050d835dd7d8 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -129,7 +129,7 @@ def verify_dns_records(host_name, responses, resaddr, family):
         raise RuntimeError("The DNS forward record %s does not match the reverse address %s" % (rec.dns_name, rev.rdata.ptrdname))
 
 
-def verify_fqdn(host_name, no_host_dns=False, system_name_check=True):
+def verify_fqdn(host_name, no_host_dns=False, local_hostname=True):
     """
     Run fqdn checks for given host:
         - test hostname format
@@ -140,7 +140,7 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True):
 
     :param host_name: The host name to verify.
     :param no_host_dns: If true, skip DNS resolution tests of the host name.
-    :param system_name_check: If true, check if the host name matches the system host name.
+    :param local_hostname: If true, run additional checks for local hostnames
     """
     if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
         raise BadHostError("Invalid hostname '%s', must be fully-qualified." % host_name)
@@ -151,7 +151,15 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True):
     if ipautil.valid_ip(host_name):
         raise BadHostError("IP address not allowed as a hostname")
 
-    if system_name_check:
+    if local_hostname:
+        try:
+            ex_name = socket.gethostbyaddr(host_name)
+            if host_name != ex_name[0]:
+                raise HostLookupError("The host name %s does not match the primary host name %s. "\
+                        "Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0]))
+        except socket.gaierror:
+            pass
+
         system_host_name = socket.gethostname()
         if not (host_name + '.').startswith(system_host_name + '.'):
             print "Warning: The host name '%s' does not match the system host name '%s'." % (host_name, system_host_name)
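Review bot: The check `host_name != ex_name[0]` is case-sensitive although DNS names are not, so a resolver that returns the primary name in a different case would raise `HostLookupError` for a correctly configured host; `if host_name.lower() != ex_name[0].lower():` would avoid that, assuming callers do not already normalise the name. The `raise` also sits inside the `try` body; moving the comparison into an `else:` branch would keep the `try` limited to the lookup itself. verify_fqdn continues past the end of this hunk.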
-- 
1.7.6.4
