On 29.6.2016 14:22, Martin Basti wrote:
> 
> 
> On 28.06.2016 19:40, Petr Spacek wrote:
>> Hello,
>>
>> DNS: Remove unnecessary DNS check from installer
>>
>> Previously we were checking content of DNS before actually adding DNS
>> records for replicas. This is causing cycle in logic and adds weird
>> corner cases to the installer which can blow up on DNS timeout or so.
>>
>> The check was completely unnecessary because the installer knows IP
>> addresses and name of the machine. Removal of the check makes
>> the installer more reliable.
>>
>> https://fedorahosted.org/freeipa/ticket/5962
>>
>> Use NSS for name->resolution in IPA installer
>>
>> This fixes scenarios where IPA server is not able to resolve own name
>> and option --ip-address was not specified by the user.
>>
>> This partially reverts changes from commit
>> dc405005f537cf278fd6ddfe6b87060bd13d9a67
>>
>> https://fedorahosted.org/freeipa/ticket/5962
>>
>> client-install: do not fail if DNS times out during DNS update generation
>>
>> https://fedorahosted.org/freeipa/ticket/5962
>>
> ACK
> 
> master:
> * 1802f7a2258c793d11c7a9c2a4786cea42b9b058 client-install: do not fail if DNS
> times out during DNS update generation
> * 7be50ea7150b36adf9051fc1003dd36f61d68451 Use NSS for name->resolution in IPA
> installer
> * 954f6095fd2783e631cba042f86bec87394f9224 DNS: Remove unnecessary DNS check
> from installer
> 
> Patches for ipa-4-3 need rebase

Here is the rebase.

-- 
Petr^2 Spacek
From 92585dd70adaf490a1d6a2ebed14697c6f763d3a Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 28 Jun 2016 18:13:58 +0200
Subject: [PATCH] client-install: do not fail if DNS times out during DNS
 update generation

https://fedorahosted.org/freeipa/ticket/5962
---
 client/ipa-client-install | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 8ba6f9c1ba441d6a73dcd6c2598ed5463d6a9e3b..b900eca4ed9e3dce3641e176d6d1651535dabcdc 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1764,6 +1764,10 @@ def client_dns(server, hostname, options):
         root_logger.warning("Hostname (%s) does not have A/AAAA record.",
                             hostname)
         dns_ok = False
+    except errors.DNSResolverError as ex:
+        root_logger.warning("DNS resolution for hostname %s failed: %s",
+                            hostname, ex)
+        dns_ok = False
 
     if (options.dns_updates or options.all_ip_addresses or options.ip_addresses
             or not dns_ok):
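Review bot: The new `except errors.DNSResolverError` branch sets `dns_ok = False`, the same value used when the host has no A/AAAA record, so a resolver timeout falls into the `or not dns_ok` condition just below and is handled as if the record were missing. If that is intended, say so at the handler, e.g. `# resolver failure: record state unknown, fall through to the DNS update path below`. If it is not, a separate flag would keep a transient or induced resolver failure from changing what the client does with its DNS records. The `try` and the body of the `if` are outside the hunk, so what runs under that condition is inferred from the option names.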
-- 
2.7.4

From b4d24d7241fa929d0cb49af4c59978420074222e Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 28 Jun 2016 13:53:58 +0200
Subject: [PATCH] Use NSS for name->resolution in IPA installer

This fixes scenarios where the IPA server is not able to resolve its own name
and the --ip-address option was not specified by the user.

This partially reverts changes from commit
dc405005f537cf278fd6ddfe6b87060bd13d9a67

https://fedorahosted.org/freeipa/ticket/5962
---
 ipapython/dnsutil.py              |  2 +-
 ipaserver/install/bindinstance.py |  4 +---
 ipaserver/install/installutils.py | 43 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 6aa0e0772d2a3339a18e06c33419083a58e237e4..aca506120ac4c64f3e7af960e0430ae5a3e16d35 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -321,7 +321,7 @@ def resolve_rrsets(fqdn, rdtypes):
 
 
 def resolve_ip_addresses(fqdn):
-    """Get IP addresses from DNS A/AAAA records for given host.
+    """Get IP addresses from DNS A/AAAA records for given host (using DNS).
     :returns:
         list of IP addresses as CheckedIPAddress objects
     """
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 3e6e26ccdd7bbfb25a19f210307d6597be901a37..efabab167fdaa30cd1483b097c7939f9fcbe4cea 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -910,9 +910,7 @@ class BindInstance(service.Service):
             if fqdn == self.fqdn:
                 continue
 
-            addrs = dnsutil.resolve_ip_addresses(fqdn)
-            # hack, will go away with locations
-            addrs = [str(addr) for addr in addrs]
+            addrs = installutils.resolve_ip_addresses_nss(fqdn)
 
             root_logger.debug("Adding DNS records for master %s" % fqdn)
             self.__add_master_records(fqdn, addrs)
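Review bot: `addrs` now reaches `self.__add_master_records(fqdn, addrs)` as a set of `CheckedIPAddress` objects rather than the list of strings the removed `[str(addr) for addr in addrs]` produced; `__add_master_records` is outside the hunk, so confirm it stringifies each address itself. The `resolve_ip_addresses_nss` helper added in installutils.py by this same patch returns an empty set when the name has no address and builds its results with `allow_loopback=True`, and this call site filters neither case. Because NSS typically consults local sources such as a hosts file, a stale local entry for another master could end up published as that master's DNS record. A guard such as `if not addrs: root_logger.warning("No IP address found for master %s", fqdn)`, plus dropping loopback entries before the call, would make that visible.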
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index baa0d3d69987584afd6bf7186a236c4b21fbd748..49336a864791aed74ef4736b43900d7977e49a0c 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -447,6 +447,46 @@ def create_keytab(path, principal):
 
     kadmin("ktadd -k " + path + " " + principal)
 
+def resolve_ip_addresses_nss(fqdn):
+    """Get list of IP addresses for given host (using NSS/getaddrinfo).
+    :returns:
+        list of IP addresses as CheckedIPAddress objects
+    """
+    # make sure the name is fully qualified
+    # so search path from resolv.conf does not apply
+    fqdn = str(dnsutil.DNSName(fqdn).make_absolute())
+    try:
+        addrinfos = socket.getaddrinfo(fqdn, None,
+                                       socket.AF_UNSPEC, socket.SOCK_STREAM)
+    except socket.error as ex:
+        if ex.errno == socket.EAI_NODATA or ex.errno == socket.EAI_NONAME:
+            root_logger.debug('Name %s does not have any address: %s',
+                              fqdn, ex)
+            return set()
+        else:
+            raise
+
+    # accept whatever we got from NSS
+    ip_addresses = set()
+    for ai in addrinfos:
+        try:
+            ip = ipautil.CheckedIPAddress(ai[4][0],
+                                          parse_netmask=False,
+                                          # these are unreliable, disable them
+                                          allow_network=True,
+                                          allow_loopback=True,
+                                          allow_broadcast=True,
+                                          allow_multicast=True)
+        except ValueError as ex:
+            # getaddinfo may return link-local address other similar oddities
+            # which are not accepted by CheckedIPAddress - skip these
+            root_logger.warning('Name %s resolved to an unacceptable IP '
+                                'address %s: %s', fqdn, ai[4][0], ex)
+        else:
+            ip_addresses.add(ip)
+    root_logger.debug('Name %s resolved to %s', fqdn, ip_addresses)
+    return ip_addresses
+
 def get_host_name(no_host_dns):
     """
     Get the current FQDN from the socket and verify that it is valid.
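Review bot: The docstring of the new `resolve_ip_addresses_nss` promises a list, but both return paths give a set (`return set()` and `ip_addresses = set()`), and get_server_ip_address relies on that by calling `.intersection` on the result. I would write `:returns: set of IP addresses as CheckedIPAddress objects (empty if the name has no address)`. The comment `# these are unreliable, disable them` sits above four `allow_*=True` arguments and reads as the opposite of what the code does; `# the network/loopback/broadcast/multicast checks are unreliable here, so allow all of them` is clearer and tells callers they must filter such addresses themselves. The later comment also misspells `getaddrinfo` as "getaddinfo".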
@@ -461,8 +501,7 @@ def get_host_name(no_host_dns):
     return hostname
 
 def get_server_ip_address(host_name, unattended, setup_dns, ip_addresses):
-    # Check we have a public IP that is associated with the hostname
-    hostaddr = dnsutil.resolve_ip_addresses(host_name)
+    hostaddr = resolve_ip_addresses_nss(host_name)
     if hostaddr.intersection(
             {ipautil.CheckedIPAddress(ip, allow_loopback=True)
              for ip in ['127.0.0.1', '::1']}):
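Review bot: The removed comment above the lookup is not replaced, although the call now resolves through NSS rather than DNS, so the address set checked here can include entries from local sources such as a hosts file (inferred from the commit message; the NSS configuration is not visible). A short comment would record that, e.g. `# resolve via NSS (getaddrinfo); the result may differ from what DNS clients see`. The rest of get_server_ip_address continues outside the hunk.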
-- 
2.7.4

From aba853e87fef938508b221abad805dba63bc4faf Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 28 Jun 2016 18:18:01 +0200
Subject: [PATCH] DNS: Remove unnecessary DNS check from installer

Previously we were checking the content of DNS before actually adding DNS
records for replicas. This creates a cycle in the logic and adds odd
corner cases to the installer, which can fail on a DNS timeout or similar.

The check was completely unnecessary because the installer knows IP
addresses and name of the machine. Removal of the check makes
the installer more reliable.

https://fedorahosted.org/freeipa/ticket/5962
---
 ipaserver/install/bindinstance.py | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index efabab167fdaa30cd1483b097c7939f9fcbe4cea..abd1452efb39f2ac42bf2628d7caf355408444e7 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -50,7 +50,7 @@ from ipalib.util import (validate_zonemgr_str, normalize_zonemgr,
                          normalize_zone, get_reverse_zone_default,
                          zone_is_reverse, validate_dnssec_global_forwarder,
                          DNSSECSignatureMissingError, EDNS0UnsupportedError,
-                         UnresolvableRecordError, verify_host_resolvable)
+                         UnresolvableRecordError)
 from ipalib.constants import CACERT
 
 if six.PY3:
@@ -877,14 +877,6 @@ class BindInstance(service.Service):
             add_rr(self.domain, rname, "SRV", rdata, self.dns_backup,
                    api=self.api)
 
-        if not dns_zone_exists(zone, self.api):
-            # check if master hostname is resolvable
-            try:
-                verify_host_resolvable(fqdn)
-            except errors.DNSNotARecordError:
-                root_logger.warning("Master FQDN (%s) is not resolvable.",
-                                    fqdn)
-
         # Add forward and reverse records to self
         for addr in addrs:
             try:
-- 
2.7.4
