Re: [Freeipa-devel] [PATCH] 888 always verify hostname
On Tue, 2011-10-11 at 17:07 +0200, Martin Kosek wrote:
> On Fri, 2011-10-07 at 09:18 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>>> Yes but the entry is added to /etc/hosts at the very END of installation,
>>>> apparently too late for some things. We can alternately add this prior to
>>>> configuring anything else.
>>>
>>> But we add the entry to /etc/hosts right in the beginning. After the line
>>> marked with is printed. I double-checked it right now.
>>
>> Ok, this is totally freaky then. See ticket
>> https://fedorahosted.org/freeipa/ticket/1931
>
> I think it is worth mentioning there that the /etc/hosts entry is added in
> the beginning only if the hostname is not resolvable and IP address is
> passed by the user, i.e. only when the following line is printed:
>
> # ipa-server-install --setup-dns (or --no-host-dns)
> ...
> Please provide the IP address to be used for this host name: 10.16.78.50
> Adding [10.16.78.50 ipa.example.com] to your /etc/hosts file
> ...
>
> I saw that 1931 should be solved by a new custom hostname parameter passed
> to the bind-dyndb-ldap plugin.
>
> I did some additional testing of my proposed patch 140 and it behaved
> fine. It is able to catch misconfigured /etc/hosts in both following ways:
>
> 1) invalid hostname for given IP address
>    1.2.3.4 foo
>
> or short name first:
>    1.2.3.4 foo foo.example.com
>
> To sum this up - I think the patch is ready for review.

What's the status of this patch ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
On Tue, 2011-11-29 at 10:18 -0500, Simo Sorce wrote:
> On Tue, 2011-10-11 at 17:07 +0200, Martin Kosek wrote:
>> On Fri, 2011-10-07 at 09:18 -0400, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>>> Yes but the entry is added to /etc/hosts at the very END of installation,
>>>>> apparently too late for some things. We can alternately add this prior to
>>>>> configuring anything else.
>>>>
>>>> But we add the entry to /etc/hosts right in the beginning. After the line
>>>> marked with is printed. I double-checked it right now.
>>>
>>> Ok, this is totally freaky then. See ticket
>>> https://fedorahosted.org/freeipa/ticket/1931
>>
>> I think it is worth mentioning there that the /etc/hosts entry is added in
>> the beginning only if the hostname is not resolvable and IP address is
>> passed by the user, i.e. only when the following line is printed:
>>
>> # ipa-server-install --setup-dns (or --no-host-dns)
>> ...
>> Please provide the IP address to be used for this host name: 10.16.78.50
>> Adding [10.16.78.50 ipa.example.com] to your /etc/hosts file
>> ...
>>
>> I saw that 1931 should be solved by a new custom hostname parameter passed
>> to the bind-dyndb-ldap plugin.
>>
>> I did some additional testing of my proposed patch 140 and it behaved
>> fine. It is able to catch misconfigured /etc/hosts in both following ways:
>>
>> 1) invalid hostname for given IP address
>>    1.2.3.4 foo
>>
>> or short name first:
>>    1.2.3.4 foo foo.example.com
>>
>> To sum this up - I think the patch is ready for review.
>
> What's the status of this patch ?
>
> Simo.

All patches related to this topic have been reviewed, acked and pushed in a
different thread named "[PATCH] 140 + 148 + 147 Hostname fixes". Both
relevant tickets have been fixed with these 3 patches:

https://fedorahosted.org/freeipa/ticket/1923
https://fedorahosted.org/freeipa/ticket/1931

But you are right that no information that the discussion continues
somewhere else was given here.

Martin
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
On Fri, 2011-10-07 at 09:18 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>>> Yes but the entry is added to /etc/hosts at the very END of installation,
>>> apparently too late for some things. We can alternately add this prior to
>>> configuring anything else.
>>
>> But we add the entry to /etc/hosts right in the beginning. After the line
>> marked with is printed. I double-checked it right now.
>
> Ok, this is totally freaky then. See ticket
> https://fedorahosted.org/freeipa/ticket/1931

I think it is worth mentioning there that the /etc/hosts entry is added in
the beginning only if the hostname is not resolvable and IP address is
passed by the user, i.e. only when the following line is printed:

# ipa-server-install --setup-dns (or --no-host-dns)
...
Please provide the IP address to be used for this host name: 10.16.78.50
Adding [10.16.78.50 ipa.example.com] to your /etc/hosts file
...

I saw that 1931 should be solved by a new custom hostname parameter passed
to the bind-dyndb-ldap plugin.

I did some additional testing of my proposed patch 140 and it behaved
fine. It is able to catch misconfigured /etc/hosts in both following ways:

1) invalid hostname for given IP address
   1.2.3.4 foo

or short name first:
   1.2.3.4 foo foo.example.com

To sum this up - I think the patch is ready for review.

Martin
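The two /etc/hosts misconfigurations Martin lists above (a foreign name on the line for the given IP, and the short name placed before the FQDN), together with the gethostbyname_ex()-style primary-name check this thread is about, as an added example that is not FreeIPA's installutils code. It parses /etc/hosts-style text instead of calling the resolver, so it runs offline against constructed content; the lookup rules it emulates (first matching line wins, the first name on a line is the canonical name, case-insensitive name matching) are assumptions about the glibc "files" backend, and the function names are mine.

```python
"""Offline sanity checks for /etc/hosts entries.

Added example, not FreeIPA's installutils code.  Instead of calling
socket.gethostbyname_ex() it parses /etc/hosts-style text, so it can be
run against constructed content.  The resolution rules emulated here
(first matching line wins, the first name on a line is the canonical
name, name matching is case-insensitive) are assumptions about the glibc
"files" backend, not something the thread states.
"""
import ipaddress


def parse_hosts(text):
    """Return a list of (ip, [names]) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field; the resolver ignores it too
        entries.append((ip, fields[1:]))
    return entries


def lookup_name(entries, name):
    """Emulate gethostbyname_ex(): (canonical, aliases, [ip]) for the first
    line listing `name` under any of its names, or None if it is absent."""
    wanted = name.lower()
    for ip, names in entries:
        if wanted in (n.lower() for n in names):
            return names[0], names[1:], [ip]
    return None


def check_fqdn(hosts_text, fqdn):
    """verify_fqdn-style check: the name must resolve and must be the
    primary (first) name on its line rather than an alias after a short name.
    Returns a list of problems; an empty list means the entry is sane."""
    result = lookup_name(parse_hosts(hosts_text), fqdn)
    if result is None:
        return ["%s is not resolvable; it must appear in at least /etc/hosts" % fqdn]
    canonical = result[0]
    if canonical.lower() != fqdn.lower():
        return ["%s does not match the primary host name %s" % (fqdn, canonical)]
    return []


def check_ip_mapping(hosts_text, ip, fqdn):
    """ipa-server-install-side check: when the user supplies an address,
    any existing /etc/hosts line for it must name the host being installed."""
    ip = str(ipaddress.ip_address(ip))
    problems = []
    for entry_ip, names in parse_hosts(hosts_text):
        if entry_ip == ip and fqdn.lower() not in (n.lower() for n in names):
            problems.append("%s is already mapped to %s in /etc/hosts"
                            % (ip, " ".join(names)))
    return problems


# Constructed /etc/hosts contents; the address and names follow the thread's
# own examples and do not describe any real system.
GOOD_HOSTS = "127.0.0.1 localhost\n10.16.78.50 ipa.example.com ipa\n"
SHORT_NAME_FIRST = "10.16.78.50 ipa ipa.example.com\n"   # alias before the FQDN
WRONG_NAME_FOR_IP = "10.16.78.50 foo\n"                  # IP taken by another name

if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS),
                        ("short name first", SHORT_NAME_FIRST),
                        ("wrong name for IP", WRONG_NAME_FOR_IP)):
        problems = (check_fqdn(text, "ipa.example.com")
                    + check_ip_mapping(text, "10.16.78.50", "ipa.example.com"))
        print("%s: %s" % (label, problems or "ok"))
```

check_fqdn covers the part of the check that belongs in verify_fqdn (does the name resolve, and is it the canonical name rather than an alias), while check_ip_mapping covers the part that only makes sense once the installer knows which address the user intends, which is the split Martin describes for his patch 140.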
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
> When installing with DNS we skip a few hostname checks on the assumption
> that the DNS we are installing will cover things. We still need to verify
> /etc/hosts and we do this with gethostbyname_ex() which returns the
> primary name and all other names of the host. If the primary name doesn't
> match (e.g. the shortname is defined first in /etc/hosts) or it isn't
> resolvable at all then we error out.
>
> This also prevents a chicken-and-egg error as several services need to
> start before DNS is available so the hostname must be defined.
>
> rob

I see several problems with the patch. At first, it needs a rebase, I
reworked the exceptions raised in verify_fqdn in #1899.

Then, this patch would break several things:

1) Now, when we install a server with --setup-dns and the host is not
resolvable, we add a record to /etc/hosts ourselves, so that the user is
not obliged to hack /etc/hosts:

# ipa-server-install --setup-dns
...
Server host name [vm-050.idm.lab.bos.redhat.com]:
Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
The domain name has been calculated based on the host name.

Please confirm the domain name [idm.lab.bos.redhat.com]:
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.16.78.50
Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file

The IPA Master Server will be configured with
Hostname:    vm-050.idm.lab.bos.redhat.com
IP address:  10.16.78.50
Domain name: idm.lab.bos.redhat.com

2) This will break ipa-replica-prepare. We cannot assume that only local
host names are passed to verify_fqdn since it is also used for the new
replica hostname check in ipa-replica-prepare:

# ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
Directory Manager (existing master) password:

The host name vm-103.idm.lab.bos.redhat.com is not resolvable.
It must appear in at least /etc/hosts.
Add the --ip-address argument to create a DNS entry.

We must be very cautious in this function, there was already a BZ from
RHEV-M guys which could be now broken:
https://bugzilla.redhat.com/show_bug.cgi?id=729357

Martin
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
Martin Kosek wrote:
> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
>> When installing with DNS we skip a few hostname checks on the assumption
>> that the DNS we are installing will cover things. We still need to verify
>> /etc/hosts and we do this with gethostbyname_ex() which returns the
>> primary name and all other names of the host. If the primary name doesn't
>> match (e.g. the shortname is defined first in /etc/hosts) or it isn't
>> resolvable at all then we error out.
>>
>> This also prevents a chicken-and-egg error as several services need to
>> start before DNS is available so the hostname must be defined.
>>
>> rob
>
> I see several problems with the patch. At first, it needs a rebase, I
> reworked the exceptions raised in verify_fqdn in #1899.
>
> Then, this patch would break several things:
>
> 1) Now, when we install a server with --setup-dns and the host is not
> resolvable, we add a record to /etc/hosts ourselves, so that the user is
> not obliged to hack /etc/hosts:
>
> # ipa-server-install --setup-dns
> ...
> Server host name [vm-050.idm.lab.bos.redhat.com]:
> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [idm.lab.bos.redhat.com]:
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 10.16.78.50
> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file
>
> The IPA Master Server will be configured with
> Hostname:    vm-050.idm.lab.bos.redhat.com
> IP address:  10.16.78.50
> Domain name: idm.lab.bos.redhat.com

Yes but the entry is added to /etc/hosts at the very END of installation,
apparently too late for some things. We can alternately add this prior to
configuring anything else.

> 2) This will break ipa-replica-prepare. We cannot assume that only local
> host names are passed to verify_fqdn since it is also used for the new
> replica hostname check in ipa-replica-prepare:
>
> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
> Directory Manager (existing master) password:
>
> The host name vm-103.idm.lab.bos.redhat.com is not resolvable.
> It must appear in at least /etc/hosts.
> Add the --ip-address argument to create a DNS entry.
>
> We must be very cautious in this function, there was already a BZ from
> RHEV-M guys which could be now broken:
> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>
> Martin

Ok, perhaps it just needs to be pulled directly into ipa-server-install.
We do need some mechanism to check /etc/hosts to be sure that there isn't
an existing bad host entry.

rob
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
On Fri, 2011-10-07 at 08:58 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
>>> When installing with DNS we skip a few hostname checks on the assumption
>>> that the DNS we are installing will cover things. We still need to verify
>>> /etc/hosts and we do this with gethostbyname_ex() which returns the
>>> primary name and all other names of the host. If the primary name doesn't
>>> match (e.g. the shortname is defined first in /etc/hosts) or it isn't
>>> resolvable at all then we error out.
>>>
>>> This also prevents a chicken-and-egg error as several services need to
>>> start before DNS is available so the hostname must be defined.
>>>
>>> rob
>>
>> I see several problems with the patch. At first, it needs a rebase, I
>> reworked the exceptions raised in verify_fqdn in #1899.
>>
>> Then, this patch would break several things:
>>
>> 1) Now, when we install a server with --setup-dns and the host is not
>> resolvable, we add a record to /etc/hosts ourselves, so that the user is
>> not obliged to hack /etc/hosts:
>>
>> # ipa-server-install --setup-dns
>> ...
>> Server host name [vm-050.idm.lab.bos.redhat.com]:
>> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
>> The domain name has been calculated based on the host name.
>>
>> Please confirm the domain name [idm.lab.bos.redhat.com]:
>> Unable to resolve IP address for host name
>> Please provide the IP address to be used for this host name: 10.16.78.50
>> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file
>>
>> The IPA Master Server will be configured with
>> Hostname:    vm-050.idm.lab.bos.redhat.com
>> IP address:  10.16.78.50
>> Domain name: idm.lab.bos.redhat.com
>
> Yes but the entry is added to /etc/hosts at the very END of installation,
> apparently too late for some things. We can alternately add this prior to
> configuring anything else.

But we add the entry to /etc/hosts right in the beginning. After the line
marked with is printed. I double-checked it right now.

>> 2) This will break ipa-replica-prepare. We cannot assume that only local
>> host names are passed to verify_fqdn since it is also used for the new
>> replica hostname check in ipa-replica-prepare:
>>
>> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
>> Directory Manager (existing master) password:
>>
>> The host name vm-103.idm.lab.bos.redhat.com is not resolvable.
>> It must appear in at least /etc/hosts.
>> Add the --ip-address argument to create a DNS entry.
>>
>> We must be very cautious in this function, there was already a BZ from
>> RHEV-M guys which could be now broken:
>> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>>
>> Martin
>
> Ok, perhaps it just needs to be pulled directly into ipa-server-install.
> We do need some mechanism to check /etc/hosts to be sure that there isn't
> an existing bad host entry.
>
> rob

Please check the patch I sent. I do one part in verify_fqdn and one part
in ipa-server-install when user gives us an address.

Martin
Re: [Freeipa-devel] [PATCH] 888 always verify hostname
Martin Kosek wrote:
> On Fri, 2011-10-07 at 08:58 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
>>>> When installing with DNS we skip a few hostname checks on the assumption
>>>> that the DNS we are installing will cover things. We still need to verify
>>>> /etc/hosts and we do this with gethostbyname_ex() which returns the
>>>> primary name and all other names of the host. If the primary name doesn't
>>>> match (e.g. the shortname is defined first in /etc/hosts) or it isn't
>>>> resolvable at all then we error out.
>>>>
>>>> This also prevents a chicken-and-egg error as several services need to
>>>> start before DNS is available so the hostname must be defined.
>>>>
>>>> rob
>>>
>>> I see several problems with the patch. At first, it needs a rebase, I
>>> reworked the exceptions raised in verify_fqdn in #1899.
>>>
>>> Then, this patch would break several things:
>>>
>>> 1) Now, when we install a server with --setup-dns and the host is not
>>> resolvable, we add a record to /etc/hosts ourselves, so that the user is
>>> not obliged to hack /etc/hosts:
>>>
>>> # ipa-server-install --setup-dns
>>> ...
>>> Server host name [vm-050.idm.lab.bos.redhat.com]:
>>> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
>>> The domain name has been calculated based on the host name.
>>>
>>> Please confirm the domain name [idm.lab.bos.redhat.com]:
>>> Unable to resolve IP address for host name
>>> Please provide the IP address to be used for this host name: 10.16.78.50
>>> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file
>>>
>>> The IPA Master Server will be configured with
>>> Hostname:    vm-050.idm.lab.bos.redhat.com
>>> IP address:  10.16.78.50
>>> Domain name: idm.lab.bos.redhat.com
>>
>> Yes but the entry is added to /etc/hosts at the very END of installation,
>> apparently too late for some things. We can alternately add this prior to
>> configuring anything else.
>
> But we add the entry to /etc/hosts right in the beginning. After the line
> marked with is printed. I double-checked it right now.

Ok, this is totally freaky then. See ticket
https://fedorahosted.org/freeipa/ticket/1931

>>> 2) This will break ipa-replica-prepare. We cannot assume that only local
>>> host names are passed to verify_fqdn since it is also used for the new
>>> replica hostname check in ipa-replica-prepare:
>>>
>>> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
>>> Directory Manager (existing master) password:
>>>
>>> The host name vm-103.idm.lab.bos.redhat.com is not resolvable.
>>> It must appear in at least /etc/hosts.
>>> Add the --ip-address argument to create a DNS entry.
>>>
>>> We must be very cautious in this function, there was already a BZ from
>>> RHEV-M guys which could be now broken:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>>>
>>> Martin
>>
>> Ok, perhaps it just needs to be pulled directly into ipa-server-install.
>> We do need some mechanism to check /etc/hosts to be sure that there isn't
>> an existing bad host entry.
>>
>> rob
>
> Please check the patch I sent. I do one part in verify_fqdn and one part
> in ipa-server-install when user gives us an address.
>
> Martin
[Freeipa-devel] [PATCH] 888 always verify hostname
When installing with DNS we skip a few hostname checks on the assumption
that the DNS we are installing will cover things. We still need to verify
/etc/hosts and we do this with gethostbyname_ex() which returns the
primary name and all other names of the host. If the primary name doesn't
match (e.g. the shortname is defined first in /etc/hosts) or it isn't
resolvable at all then we error out.

This also prevents a chicken-and-egg error as several services need to
start before DNS is available so the hostname must be defined.

rob

From 61eca7977029bb9794d03b1498292d7f3569ddce Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Thu, 6 Oct 2011 17:11:58 -0400
Subject: [PATCH] Require hostname be resolvable and sane, even with --setup-dns

When installing with DNS we skip a bunch of checks because we assume the
DNS server itself will handle things. We still need to double-check that
/etc/hosts is sane (and configured).

https://fedorahosted.org/freeipa/ticket/1923
---
 ipaserver/install/installutils.py |    7 +++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ac1e3f4..828c84f 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -142,6 +142,13 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True): print Warning: The host name '%s' does not match the system host name '%s'. % (host_name, system_host_name) print Some services may not work properly. +try: +ex_name = socket.gethostbyname_ex(host_name) +if host_name != ex_name[0]: +raise RuntimeError(The host name %s does not match the primary host name %s % (host_name, ex_name[0])) +except socket.gaierror: +raise RuntimeError(The host name %s is not resolvable. It must appear in at least /etc/hosts. % host_name) + if no_host_dns: print Warning: skipping DNS resolution of host, host_name return -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
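Review bot: the new try/except block sits before the `if no_host_dns:` early return, so the gethostbyname_ex() primary-name check now runs for every caller of verify_fqdn, including ipa-replica-prepare checking a remote replica's name and the --setup-dns path where the installer has not yet written the host into /etc/hosts, which are exactly the two breakages Martin reports in this thread; gate it on the local-host case or move it into ipa-server-install as the discussion suggests. On the same lines, `host_name != ex_name[0]` compares case-sensitively although host names are not, so lower-casing both sides avoids a spurious "does not match the primary host name" failure, and the two new RuntimeError raises need rebasing onto the exception types verify_fqdn uses after the #1899 rework that Martin mentions.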