Hello,

DNS: Remove unnecessary DNS check from installer

Previously we were checking content of DNS before actually adding DNS
records for replicas. This is causing cycle in logic and adds weird
corner cases to the installer which can blow up on DNS timeout or so.

The check was completely unnecessary because the installer knows IP
addresses and name of the machine. Removal of the check makes
the installer more reliable.

https://fedorahosted.org/freeipa/ticket/5962

Use NSS for name->resolution in IPA installer

This fixes scenarios where IPA server is not able to resolve own name
and option --ip-address was not specified by the user.

This partially reverts changes from commit
dc405005f537cf278fd6ddfe6b87060bd13d9a67

https://fedorahosted.org/freeipa/ticket/5962

client-install: do not fail if DNS times out during DNS update generation

https://fedorahosted.org/freeipa/ticket/5962

-- 
Petr^2 Spacek
From 83751ef09f7502292344e877392f20b74c458a1b Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 28 Jun 2016 18:13:58 +0200
Subject: [PATCH] client-install: do not fail if DNS times out during DNS
 update generation

https://fedorahosted.org/freeipa/ticket/5962
---
 client/ipa-client-install | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 2da2720d1f959b452a4895ebb23e0efadae2a7fc..1cdaf7b3e25e40301ad9e3bbd13559f69cb04745 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1769,6 +1769,10 @@ def client_dns(server, hostname, options):
         root_logger.warning("Hostname (%s) does not have A/AAAA record.",
                             hostname)
         dns_ok = False
+    except errors.DNSResolverError as ex:
+        root_logger.warning("DNS resolution for hostname %s failed: %s",
+                            hostname, ex)
+        dns_ok = False
 
     if (options.dns_updates or options.all_ip_addresses or options.ip_addresses
             or not dns_ok):
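Review bot: The new `except errors.DNSResolverError` branch sets `dns_ok = False`, which is the same state the "does not have A/AAAA record" branch above produces, so the `or not dns_ok` condition right below sends the installer into the update path without knowing what DNS currently holds. That may well be the intent, but it should be stated, for example with `# resolver failed: record state is unknown, treat it like a missing record` above the assignment. `client_dns` starts before this hunk and continues after it, so what the update path does when the resolver is still unreachable cannot be checked from here.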
-- 
2.7.4

From 93bd9850ba04df2bfc15c2d2442bff9d2aa2e65c Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 28 Jun 2016 13:53:58 +0200
Subject: [PATCH] Use NSS for name->resolution in IPA installer

This fixes scenarios where IPA server is not able to resolve own name
and option --ip-address was not specified by the user.

This partially reverts changes from commit
dc405005f537cf278fd6ddfe6b87060bd13d9a67

https://fedorahosted.org/freeipa/ticket/5962
---
 ipapython/dnsutil.py              |  2 +-
 ipaserver/install/bindinstance.py |  4 +---
 ipaserver/install/installutils.py | 43 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 6aa0e0772d2a3339a18e06c33419083a58e237e4..aca506120ac4c64f3e7af960e0430ae5a3e16d35 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -321,7 +321,7 @@ def resolve_rrsets(fqdn, rdtypes):
 
 
 def resolve_ip_addresses(fqdn):
-    """Get IP addresses from DNS A/AAAA records for given host.
+    """Get IP addresses from DNS A/AAAA records for given host (using DNS).
     :returns:
         list of IP addresses as CheckedIPAddress objects
     """
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2bc753883fdf1eee01e6b77967df9a1a98a76897..6b266edaa7716dd23196152cc40db442a45c92a5 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -870,9 +870,7 @@ class BindInstance(service.Service):
             if fqdn == self.fqdn:
                 continue
 
-            addrs = dnsutil.resolve_ip_addresses(fqdn)
-            # hack, will go away with locations
-            addrs = [str(addr) for addr in addrs]
+            addrs = installutils.resolve_ip_addresses_nss(fqdn)
 
             root_logger.debug("Adding DNS records for master %s" % fqdn)
             self.__add_master_records(fqdn, addrs)
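Review bot: `addrs` is now the set of `CheckedIPAddress` objects returned by `resolve_ip_addresses_nss`, not the list of strings that the removed `[str(addr) for addr in addrs]` line produced, and it is passed unchanged to `__add_master_records`. That method's body is not in this hunk, so confirm it accepts `CheckedIPAddress` values; if it does not, keep the conversion as `addrs = [str(a) for a in installutils.resolve_ip_addresses_nss(fqdn)]`. A short comment here should also record that the addresses published for the other masters now come from whatever NSS sources this host is configured with, rather than from DNS alone.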
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b1ad19c857d10213c21a88313c45b23a1189d470..a15571f92242c4628d067de1b05424eaa15b20af 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -445,6 +445,46 @@ def create_keytab(path, principal):
 
     kadmin("ktadd -k " + path + " " + principal)
 
+def resolve_ip_addresses_nss(fqdn):
+    """Get list of IP addresses for given host (using NSS/getaddrinfo).
+    :returns:
+        list of IP addresses as CheckedIPAddress objects
+    """
+    # make sure the name is fully qualified
+    # so search path from resolv.conf does not apply
+    fqdn = str(dnsutil.DNSName(fqdn).make_absolute())
+    try:
+        addrinfos = socket.getaddrinfo(fqdn, None,
+                                       socket.AF_UNSPEC, socket.SOCK_STREAM)
+    except socket.error as ex:
+        if ex.errno == socket.EAI_NODATA or ex.errno == socket.EAI_NONAME:
+            root_logger.debug('Name %s does not have any address: %s',
+                              fqdn, ex)
+            return set()
+        else:
+            raise
+
+    # accept whatever we got from NSS
+    ip_addresses = set()
+    for ai in addrinfos:
+        try:
+            ip = ipautil.CheckedIPAddress(ai[4][0],
+                                          parse_netmask=False,
+                                          # these are unreliable, disable them
+                                          allow_network=True,
+                                          allow_loopback=True,
+                                          allow_broadcast=True,
+                                          allow_multicast=True)
+        except ValueError as ex:
+            # getaddinfo may return link-local address other similar oddities
+            # which are not accepted by CheckedIPAddress - skip these
+            root_logger.warning('Name %s resolved to an unacceptable IP '
+                                'address %s: %s', fqdn, ai[4][0], ex)
+        else:
+            ip_addresses.add(ip)
+    root_logger.debug('Name %s resolved to %s', fqdn, ip_addresses)
+    return ip_addresses
+
 def get_host_name(no_host_dns):
     """
     Get the current FQDN from the socket and verify that it is valid.
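Review bot: The docstring of `resolve_ip_addresses_nss` says it returns a list, but both return paths yield a set (`return set()` and `return ip_addresses`), and `get_server_ip_address` calls `.intersection()` on the result; the line should read `set of IP addresses as CheckedIPAddress objects`. The comment `# these are unreliable, disable them` sits above four `allow_*=True` arguments and so reads as the opposite of what the code does; `# these checks are unreliable here, so do not reject on them` would be clearer. With those flags set, loopback, broadcast and multicast results are presumably passed through, so the docstring should tell callers to filter the result themselves before publishing it. The comment in the `except ValueError` branch has a typo, `getaddinfo` for `getaddrinfo`.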
@@ -459,8 +499,7 @@ def get_host_name(no_host_dns):
     return hostname
 
 def get_server_ip_address(host_name, unattended, setup_dns, ip_addresses):
-    # Check we have a public IP that is associated with the hostname
-    hostaddr = dnsutil.resolve_ip_addresses(host_name)
+    hostaddr = resolve_ip_addresses_nss(host_name)
     if hostaddr.intersection(
             {ipautil.CheckedIPAddress(ip, allow_loopback=True)
              for ip in ['127.0.0.1', '::1']}):
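Review bot: `resolve_ip_addresses_nss` re-raises every `socket.error` other than `EAI_NODATA` and `EAI_NONAME`, so a transient resolver failure at this call would escape `get_server_ip_address` as a raw socket exception, and the same holds for the call added in `bindinstance.py`. No handler is visible in this hunk and the function continues past it; if none exists further up, catch the error here and report it the way the client patch in this series does for `errors.DNSResolverError`. The removed comment was the only explanation of the loopback check that follows, so a replacement such as `# addresses come from NSS (getaddrinfo); the check below looks for loopback entries` would keep that context.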
-- 
2.7.4

From 4d5228026aa421314d4c33f753c4343a583eda85 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 28 Jun 2016 18:18:01 +0200
Subject: [PATCH] DNS: Remove unnecessary DNS check from installer

Previously we were checking content of DNS before actually adding DNS
records for replicas. This is causing cycle in logic and adds weird
corner cases to the installer which can blow up on DNS timeout or so.

The check was completely unnecessary because the installer knows IP
addresses and name of the machine. Removal of the check makes
the installer more reliable.

https://fedorahosted.org/freeipa/ticket/5962
---
 ipaserver/install/bindinstance.py | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 6b266edaa7716dd23196152cc40db442a45c92a5..ebb4212ab161456dc3898456567d7b97a6a9939e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -54,7 +54,7 @@ from ipalib.util import (validate_zonemgr_str, normalize_zonemgr,
                          normalize_zone, get_reverse_zone_default,
                          zone_is_reverse, validate_dnssec_global_forwarder,
                          DNSSECSignatureMissingError, EDNS0UnsupportedError,
-                         UnresolvableRecordError, verify_host_resolvable)
+                         UnresolvableRecordError)
 from ipalib.constants import CACERT
 
 if six.PY3:
@@ -837,14 +837,6 @@ class BindInstance(service.Service):
     def __add_master_records(self, fqdn, addrs):
         host, zone = fqdn.split(".", 1)
 
-        if not dns_zone_exists(zone, self.api):
-            # check if master hostname is resolvable
-            try:
-                verify_host_resolvable(fqdn)
-            except errors.DNSNotARecordError:
-                root_logger.warning("Master FQDN (%s) is not resolvable.",
-                                    fqdn)
-
         # Add forward and reverse records to self
         for addr in addrs:
             try:
-- 
2.7.4
