Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-07 Thread Martin Nagy
On Mon, 2009-09-07 at 07:54 +1000, David O'Brien wrote:
> Martin Nagy wrote:
> > On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
> >   
> >> Martin Nagy wrote:
> >> 
> >>> Hi,
> >>> This patch adds options --forwarder and --no-forwarders. At least one of
> >>> them must be used if you are doing a setup with a DNS server. They are
> >>> also mutually exclusive. The --forwarder option can be used more than
> >>> once to specify more servers. If the installer runs in interactive mode,
> >>> it will prompt the user if none of these options was given at the command
> >>>
> >>> Martin
> >>>   
> >> Something like ipa-server-install --setup-dns --forwarder  
> >> --forwarder  ?
> >> You can't use a separated list of IP addresses to save space and typing?
> >>
> >> That may go against coding style or practice, I don't know...
> >>
> >> /me has user hat on  :-)
> >> 
> >
> > Hm, well, we use a python module to handle option parsing [1] and this
> > is the way it handles lists. We could allow the IP addresses to be
> > separated by, say, ',' but this also has the risk that the user will do
> > "--forwarder 1.2.3.4, 2.3.4.5" which of course wouldn't work (the last
> > IP is treated as a positional argument).
> >
> > Martin
> >
> > [1] http://docs.python.org/library/optparse.html
> >
> >   
> ok, well if it's SOP to handle options this way I'm not about to suggest 
> otherwise[1], but if there were a user-friendly way of doing it that 
> didn't bend or break any rules I'd make more noise.
> 
> cheers
> David
> 
> [1] One of the goals in ECS' style guide is to adhere as much as 
> possible to industry standards and standard practice, not invent new 
> ones that Red Hat likes better.

I'll patch it to also accept comma-separated IP addresses, it's not that
big a deal :)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-06 Thread David O'Brien

Martin Nagy wrote:
> On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
>> Martin Nagy wrote:
>>> Hi,
>>> This patch adds options --forwarder and --no-forwarders. At least one of
>>> them must be used if you are doing a setup with a DNS server. They are
>>> also mutually exclusive. The --forwarder option can be used more than
>>> once to specify more servers. If the installer runs in interactive mode,
>>> it will prompt the user if none of these options was given at the command
>>>
>>> Martin
>> Something like ipa-server-install --setup-dns --forwarder  
>> --forwarder  ?
>> You can't use a separated list of IP addresses to save space and typing?
>>
>> That may go against coding style or practice, I don't know...
>>
>> /me has user hat on  :-)
>
> Hm, well, we use a python module to handle option parsing [1] and this
> is the way it handles lists. We could allow the IP addresses to be
> separated by, say, ',' but this also has the risk that the user will do
> "--forwarder 1.2.3.4, 2.3.4.5" which of course wouldn't work (the last
> IP is treated as a positional argument).
>
> Martin
>
> [1] http://docs.python.org/library/optparse.html

ok, well if it's SOP to handle options this way I'm not about to suggest 
otherwise[1], but if there were a user-friendly way of doing it that 
didn't bend or break any rules I'd make more noise.


cheers
David

[1] One of the goals in ECS' style guide is to adhere as much as 
possible to industry standards and standard practice, not invent new 
ones that Red Hat likes better.


--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

http://freeipa.org/page/DocumentationPortal
http://git.fedorahosted.org/git/ipadocs.git

"He who asks is a fool for five minutes, but he who does not ask remains a fool 
forever."
 ~ Chinese proverb



Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-04 Thread Martin Nagy
On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
> Martin Nagy wrote:
> > Hi,
> > This patch adds options --forwarder and --no-forwarders. At least one of
> > them must be used if you are doing a setup with a DNS server. They are
> > also mutually exclusive. The --forwarder option can be used more than
> > once to specify more servers. If the installer runs in interactive mode,
> > it will prompt the user if none of these options was given at the command
> >
> > Martin
> > 
> >
> Something like ipa-server-install --setup-dns --forwarder  
> --forwarder  ?
> You can't use a separated list of IP addresses to save space and typing?
> 
> That may go against coding style or practice, I don't know...
> 
> /me has user hat on  :-)

Hm, well, we use a python module to handle option parsing [1] and this
is the way it handles lists. We could allow the IP addresses to be
separated by, say, ',' but this also has the risk that the user will do
"--forwarder 1.2.3.4, 2.3.4.5" which of course wouldn't work (the last
IP is treated as a positional argument).

Martin

[1] http://docs.python.org/library/optparse.html

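An added example (not from the patch or the FreeIPA tree) of the option handling Martin describes above and of the comma-separated form he agrees to in his 2009-09-07 reply: an optparse callback that accepts both `--forwarder A --forwarder B` and `--forwarder A,B`, validates every address, refuses any loopback form rather than only the two literals the patch compares, and makes the shell-split `--forwarder 1.2.3.4, 2.3.4.5` fail loudly instead of leaving a stray positional argument. The option names are the patch's; `StrictParser`, `ForwarderError`, `parse_forwarders` and the `ipaddress`-based checks are my own.

```python
import ipaddress
import optparse

class ForwarderError(Exception):
    """Raised in place of sys.exit() so the parser can be driven from code."""

class StrictParser(optparse.OptionParser):
    def error(self, msg):  # optparse routes callback and bad-option errors here too
        raise ForwarderError(msg)

def check_forwarder(addr):
    """Return the normalised address; any loopback form is refused, not just "127.0.0.1"/"::1"."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        raise optparse.OptionValueError("%r is not a valid IP address" % addr)
    if ip.is_loopback:
        raise optparse.OptionValueError("you cannot use localhost (%s) as a DNS forwarder" % ip)
    return str(ip)

def append_forwarders(option, opt_str, value, parser):
    """optparse callback: "--forwarder A" and "--forwarder A,B" both work; duplicates are dropped."""
    addrs = getattr(parser.values, option.dest) or []
    for piece in value.split(","):
        if not piece.strip():  # "--forwarder 1.2.3.4, 2.3.4.5" reaches us as "1.2.3.4,": fail loudly
            raise optparse.OptionValueError("empty address in %s %r" % (opt_str, value))
        addr = check_forwarder(piece)
        if addr not in addrs:
            addrs.append(addr)
    setattr(parser.values, option.dest, addrs)

def build_parser():
    parser = StrictParser(usage="%prog --setup-dns (--forwarder IP[,IP...] | --no-forwarders)")
    parser.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False)
    parser.add_option("--forwarder", dest="forwarders", type="string", action="callback",
                      callback=append_forwarders, help="Add a DNS forwarder (repeatable or comma-separated)")
    parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", default=False)
    return parser

def parse_forwarders(argv):
    """Return (forwarders, positional_args, error); error is None when the command line is consistent."""
    parser = build_parser()
    try:
        options, args = parser.parse_args(list(argv))
        if not options.setup_dns:
            if options.forwarders or options.no_forwarders:
                parser.error("--forwarder and --no-forwarders require --setup-dns")
        elif options.forwarders and options.no_forwarders:
            parser.error("--forwarder and --no-forwarders are mutually exclusive")
        elif not options.forwarders and not options.no_forwarders:
            parser.error("--setup-dns needs at least one --forwarder or --no-forwarders")
    except ForwarderError as e:
        return [], [], str(e)
    return options.forwarders or [], args, None
```

The same validation can run on the unattended path, so a typo or a loopback address never reaches named.conf.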


Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-03 Thread David O'Brien

Martin Nagy wrote:
> Hi,
> This patch adds options --forwarder and --no-forwarders. At least one of
> them must be used if you are doing a setup with a DNS server. They are
> also mutually exclusive. The --forwarder option can be used more than
> once to specify more servers. If the installer runs in interactive mode,
> it will prompt the user if none of these options was given at the command
>
> Martin

Something like ipa-server-install --setup-dns --forwarder  
--forwarder  ?

You can't use a separated list of IP addresses to save space and typing?

That may go against coding style or practice, I don't know...

/me has user hat on  :-)




Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-02 Thread Martin Nagy
On Wed, 2009-09-02 at 08:41 -0400, Simo Sorce wrote:
> On Wed, 2009-09-02 at 03:16 +0200, Martin Nagy wrote:
> > Martin Nagy wrote:
> > > Hi,
> > > This patch adds options --forwarder and --no-forwarders. At least one of
> > > them must be used if you are doing a setup with a DNS server. They are
> > > also mutually exclusive. The --forwarder option can be used more than
> > > once to specify more servers. If the installer runs in interactive mode,
> > > it will prompt the user if none of these options was given at the command
> > > 
> > > Martin
> > 
> > Actually, I forgot on the replica installer. Updated patch attached.
> 
> Ack,
> Simo.

Pushed.
Martin



Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-02 Thread Simo Sorce
On Wed, 2009-09-02 at 03:16 +0200, Martin Nagy wrote:
> Martin Nagy wrote:
> > Hi,
> > This patch adds options --forwarder and --no-forwarders. At least one of
> > them must be used if you are doing a setup with a DNS server. They are
> > also mutually exclusive. The --forwarder option can be used more than
> > once to specify more servers. If the installer runs in interactive mode,
> > it will prompt the user if none of these options was given at the command
> > 
> > Martin
> 
> Actually, I forgot on the replica installer. Updated patch attached.

Ack,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-01 Thread Martin Nagy
Martin Nagy wrote:
> Hi,
> This patch adds options --forwarder and --no-forwarders. At least one of
> them must be used if you are doing a setup with a DNS server. They are
> also mutually exclusive. The --forwarder option can be used more than
> once to specify more servers. If the installer runs in interactive mode,
> it will prompt the user if none of these options was given at the command
> 
> Martin

Actually, I forgot on the replica installer. Updated patch attached.

Martin

From b3ecb8dac8bd1f78304752ea6cc2e5c35100850b Mon Sep 17 00:00:00 2001
From: Martin Nagy 
Date: Tue, 1 Sep 2009 23:28:52 +0200
Subject: [PATCH] Use DNS forwarders in /etc/named.conf

This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with a DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command
line.
---
 install/share/bind.named.conf.template  |3 ++
 install/tools/ipa-replica-install   |   24 ++--
 install/tools/ipa-server-install|   46 ++-
 install/tools/man/ipa-replica-install.1 |   12 +++-
 install/tools/man/ipa-server-install.1  |   12 +++-
 ipaserver/install/bindinstance.py   |   13 -
 6 files changed, 103 insertions(+), 7 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 69bd86b..8b5fac2 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -5,6 +5,9 @@ options {
 	statistics-file		"data/named_stats.txt";
 	memstatistics-file	"data/named_mem_stats.txt";
 
+	forward first;
+	forwarders {$FORWARDERS};
+
 	tkey-gssapi-credential "DNS/$FQDN";
 	tkey-domain "$REALM";
 };
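Review bot: `forwarders {$FORWARDERS};` is only valid named.conf if the substituted value carries a trailing `;` after each address (`1.2.3.4; 2.3.4.5;`) and expands to nothing at all for the --no-forwarders case, so that named sees `forwarders { };`; the bindinstance.py hunk that builds $FORWARDERS is not in this excerpt, so please confirm it does exactly that. Also, `forward first;` makes named fall back to full recursion from the root hints whenever the forwarders do not answer; if the forwarders are meant to be the only way out (a firewalled server, for instance), `forward only;` is the setting that enforces it.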
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d76ec05..a4d8848 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -60,12 +60,26 @@ def parse_options():
   help="Directory Manager (existing master) password")
 parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
   default=False, help="configure bind with our zone")
+parser.add_option("--forwarder", dest="forwarders", action="append",
+  help="Add a DNS forwarder")
+parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
+  default=False, help="Do not add any DNS forwarders, use root servers instead")
 
 options, args = parser.parse_args()
 
 if len(args) != 1:
 parser.error("you must provide a file generated by ipa-replica-prepare")
 
+if not options.setup_dns:
+if options.forwarders:
+parser.error("You cannot specify a --forwarder option without the --setup-dns option")
+if options.no_forwarders:
+parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
+elif options.forwarders and options.no_forwarders:
+parser.error("You cannot specify a --forwarder option together with --no-forwarders")
+elif not options.forwarders and not options.no_forwarders:
+parser.error("You must specify at least one --forwarder option or --no-forwarders option")
+
 return options, args[0]
 
 def get_dirman_password():
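Review bot: the last `elif` rejects `--setup-dns` given with neither `--forwarder` nor `--no-forwarders` outright, which contradicts the cover letter's promise to prompt in interactive mode; the server installer only makes that check on its unattended path, so the replica installer should either defer it the same way or prompt here, otherwise the two tools disagree on the same command line.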
@@ -189,10 +203,14 @@ def install_http(config):
 print "error copying files: " + str(e)
 sys.exit(1)
 
-def install_bind(config):
+def install_bind(config, options):
+if options.forwarders:
+forwarders = options.forwarders
+else:
+forwarders = ()
 bind = bindinstance.BindInstance(dm_password=config.dirman_password)
 ip_address = resolve_host(config.host_name)
-bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name)
+bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name, forwarders)
 bind.create_instance()
 
 def check_dirsrv():
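Review bot: `forwarders = options.forwarders or []` says the same as the four-line if/else, and a list rather than `()` keeps the type identical to the `action="append"` list that `bind.setup()` receives in the --forwarder case. Note that `--no-forwarders` and "nothing given" both reach here as an empty sequence, so the distinction rests entirely on the parse_options check above; if an interactive prompt is added later, its result has to be fed in at this point.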
@@ -311,7 +329,7 @@ def main():
 install_krb(config)
 install_http(config)
 if options.setup_dns:
-install_bind(config)
+install_bind(config, options)
 if CA:
 CA.import_ra_cert(dir + "/ra.p12")
 CA.fix_ra_perms()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index d0e9397..2c890b4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -84,6 +84,10 @@ def parse_options():
   default=False, help="configure bind with our zone file")
 parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
   default=False, help="configure bind with our zone")
+parser.add_option("--forwarder", dest="forwarders", action="append",
+  help="Add a DNS forwar

[Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf

2009-09-01 Thread Martin Nagy
Hi,
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with a DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command

Martin

From 2dbd272bdbd366c4e1fc9a1b7456c5c6d12377ab Mon Sep 17 00:00:00 2001
From: Martin Nagy 
Date: Tue, 1 Sep 2009 23:28:52 +0200
Subject: [PATCH] Use DNS forwarders in /etc/named.conf

This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with a DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these options was given at the command
line.
---
 install/share/bind.named.conf.template |3 ++
 install/tools/ipa-server-install   |   46 +++-
 install/tools/man/ipa-server-install.1 |   12 +++-
 ipaserver/install/bindinstance.py  |   13 -
 4 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 69bd86b..8b5fac2 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -5,6 +5,9 @@ options {
 	statistics-file		"data/named_stats.txt";
 	memstatistics-file	"data/named_mem_stats.txt";
 
+	forward first;
+	forwarders {$FORWARDERS};
+
 	tkey-gssapi-credential "DNS/$FQDN";
 	tkey-domain "$REALM";
 };
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index d0e9397..2c890b4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -84,6 +84,10 @@ def parse_options():
   default=False, help="configure bind with our zone file")
 parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
   default=False, help="configure bind with our zone")
+parser.add_option("--forwarder", dest="forwarders", action="append",
+  help="Add a DNS forwarder")
+parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
+  default=False, help="Do not add any DNS forwarders, use root servers instead")
 parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
   default=False, help="unattended installation never prompts the user")
 parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
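Review bot: `action="append"` means one address per `--forwarder`, which is exactly what David queries later in the thread; an `action="callback"` on the same `dest` that splits the value on `,` and validates each piece would accept `--forwarder A,B` as well as the repeated form, and would also turn the `--forwarder 1.2.3.4, 2.3.4.5` mistake into an "empty address" error instead of leaving `2.3.4.5` as a stray positional argument. The `--no-forwarders` help text could also spell out what "use root servers instead" implies: named then does full recursion itself, so the host needs outbound DNS (UDP and TCP 53) to the Internet, which internal servers often do not have.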
@@ -108,6 +112,14 @@ def parse_options():
   help="The starting gid value (default random)")
 options, args = parser.parse_args()
 
+if not options.setup_dns:
+if options.forwarders:
+parser.error("You cannot specify a --forwarder option without the --setup-dns option")
+if options.no_forwarders:
+parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
+elif options.forwarders and options.no_forwarders:
+parser.error("You cannot specify a --forwarder option together with --no-forwarders")
+
 if options.uninstall:
 if (options.ds_user or options.realm_name or
 options.dm_password or options.admin_password or
@@ -117,6 +129,9 @@ def parse_options():
 if (not options.ds_user or not options.realm_name or
 not options.dm_password or not options.admin_password):
 parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options")
+if options.setup_dns:
+if not options.forwarders and not options.no_forwarders:
+parser.error("You must specify at least one --forwarder option or --no-forwarders option")
 
 # If any of the PKCS#12 options are selected, all are required. Create a
 # list of the options and count it to enforce that all are required without
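Review bot: in unattended mode the `--forwarder` values go into named.conf without the `verify_ip_address()` and localhost checks that `read_dns_forwarders()` below applies on the interactive path; running the same validation over `options.forwarders` in parse_options (in both installers) keeps a typo or a loopback address out of `forwarders { ... }`, where it would otherwise only show up as a resolver that stops working after the install.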
@@ -210,6 +225,27 @@ def read_ip_address(host_name):
 
 return ip
 
+def read_dns_forwarders():
+addrs = []
+while True:
+ip = user_input("Enter IP address for a DNS forwarder (empty to stop)", allow_empty=True)
+
+if not ip:
+break
+if ip == "127.0.0.1" or ip == "::1":
+print "You cannot use localhost as a DNS forwarder"
+continue
+if not verify_ip_address(ip):
+continue
+
+print "DNS forwarder %s added" % ip
+addrs.append(ip)
+
+if not addrs:
+print "No DNS forwarders configured"
+
+return addrs
+
 def read_ds_user():
 print "The server must run as a specific user in a specific group."
 print "It is strongly recommended that this user should have no privileges"
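Review bot: the localhost test compares two literals, so other loopback forms (anything in 127.0.0.0/8) and, more importantly, the server's own address that `read_ip_address()` just collected both get through, and either one makes named forward queries to itself; compare `ip` against the host's address and against the loopback range rather than against two strings. Duplicate entries are also accepted silently, and when `verify_ip_address()` returns false the loop re-prompts without saying why, which relies on that function printing its own diagnostic.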
@@ -504,6 +540,14 @@ def main():
 else:
 admin_password = options.admin_passwor