On 02/15/2013 04:38 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
ipa-replica-conncheck ran SSH in quiet mode, probably to suppress a
message about connecting to an unknown host. This made it hard to debug
connection errors.

I didn't find a way to separate SSH output from the output of the called
command; I decided to try an additional SSH connection before calling
conncheck. SSH is set to verbose and if it fails the errors get printed
out. Also, the host is added to a temporary known_hosts file.
The second SSH is called without the -q flag so errors/warnings are not
lost even if the command fails. The temporary known_hosts file is used
so the unknown host warning doesn't appear here.

https://fedorahosted.org/freeipa/ticket/3402

The general procedure looks good; I don't think we should hardcode the
path to ssh. ipautil.run() overrides the current environment so we
should be able to safely run just 'ssh'.

We eventually need a cross-platform way of locating system binaries.

The hardcoded path to ipa-replica-conncheck is probably ok since we
provide that binary ourselves.

rob

Changed, thanks.

--
Petr³
From fe3ffa5e644614d1e46766275b472b7d3403c94d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 13 Feb 2013 08:25:11 -0500
Subject: [PATCH] Check SSH connection in ipa-replica-conncheck

Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.

The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.

https://fedorahosted.org/freeipa/ticket/3402
---
 install/tools/ipa-replica-conncheck |   43 ++++++++++++++++++++++++++++------
 1 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 29c43f60bd9e38d649db3730daacb76bd45b8786..91bb92e9dc1a5ca0f0348e0f4a14caa3d6c13a37 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -359,16 +359,43 @@ def main():
             if returncode != 0:
                 raise RuntimeError("Could not get ticket for master server: %s" % stderr)
 
-            print_info("Execute check on remote master")
+            print_info("Check SSH connection to remote master")
 
-            stderr = ''
             remote_addr = "%s@%s" % (user, options.master)
-            (stdout, stderr, returncode) = ipautil.run(['/usr/bin/ssh',
-                '-q', '-o StrictHostKeychecking=no',
-                '-o UserKnownHostsFile=/dev/null', remote_addr,
-                "/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts)],
-                env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME' : CCACHE_FILE},
-                raiseonerr=False)
+            temp_known_hosts = tempfile.NamedTemporaryFile()
+
+            def run_ssh(command, verbose=False):
+                """Run given command on remote master over SSH
+
+                Return stdout, stderr, returncode
+                """
+                ssh_command = ['ssh']
+                if verbose:
+                    ssh_command.append('-v')
+                ssh_command += [
+                    '-o StrictHostKeychecking=no',
+                    '-o UserKnownHostsFile=%s' % temp_known_hosts.name,
+                    remote_addr, command
+                ]
+                return ipautil.run(
+                    ssh_command,
+                    env={'KRB5_CONFIG': KRB5_CONFIG,
+                         'KRB5CCNAME' : CCACHE_FILE},
+                    raiseonerr=False)
+
+            stdout, stderr, returncode = run_ssh('echo OK', verbose=True)
+
+            if returncode != 0:
+                print 'Could not SSH into remote host. Error output:'
+                for line in stderr.splitlines():
+                    print '    %s' % line
+                raise RuntimeError('Could not SSH to remote host.')
+
+            print_info("Execute check on remote master")
+
+            stdout, stderr, returncode = run_ssh(
+                "/usr/sbin/ipa-replica-conncheck " +
+                    " ".join(remote_check_opts))
 
             print_info(stdout)
 
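Review bot: In run_ssh, '-o StrictHostKeychecking=no' together with a freshly created, empty temp_known_hosts means ssh accepts whatever host key the master presents on the first connection, so the 'echo OK' probe confirms reachability and authentication but not the master's identity. A short comment in run_ssh stating this, or a way to point UserKnownHostsFile at an admin-supplied file, would make the trade-off explicit. Also, temp_known_hosts = tempfile.NamedTemporaryFile() relies on tempfile being imported, and this single-hunk patch adds no import, so please confirm the module is already imported at the top of the file. Finally, the remote command is still built with " ".join(remote_check_opts) and handed to the remote shell as one string; quoting each option would keep a value containing spaces or shell metacharacters from being reinterpreted on the master.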
-- 
1.7.7.6
