Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Mon, 2009-09-07 at 07:54 +1000, David O'Brien wrote:
> Martin Nagy wrote:
> > On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
> >> Martin Nagy wrote:
> >>> Hi,
> >>> This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
> >>>
> >>> Martin
> >>>
> >> Something like ipa-server-install --setup-dns --forwarder --forwarder ?
> >> You can't use a separated list of IP addresses to save space and typing?
> >>
> >> That may go against coding style or practice, I don't know...
> >>
> >> /me has user hat on :-)
> >
> > Hm, well, we use a python module to handle option parsing [1] and this is the way it handles lists. We could allow the IP addresses to be separated by, say, ',' but this also has the risk that the user will do "--forwarder 1.2.3.4, 2.3.4.5" which of course wouldn't work (the last IP is treated as a positional argument).
> >
> > Martin
> >
> > [1] http://docs.python.org/library/optparse.html
>
> ok, well if it's SOP to handle options this way I'm not about to suggest otherwise[1], but if there were a user-friendly way of doing it that didn't bend or break any rules I'd make more noise.
>
> cheers
> David
>
> [1] One of the goals in ECS' style guide is to adhere as much as possible to industry standards and standard practice, not invent new ones that Red Hat likes better.

I'll patch it to also accept comma-separated IP addresses, it's not that big a deal :)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
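Martin's explanation above (optparse collects repeated --forwarder values into a list, and a comma-separated form risks "--forwarder 1.2.3.4, 2.3.4.5" being half-parsed), as an added Python example that is not code from the thread or from FreeIPA: an optparse callback that accepts both forms, turns the stray-comma case into an error instead of silently dropping the second address, and validates each forwarder before it could reach named.conf. The names ForwarderParser, add_forwarder and forwarders_from_argv are this example's own; the combination rules mirror those of the posted patch's unattended path.

```python
import ipaddress
import optparse


class ForwarderParser(optparse.OptionParser):
    """OptionParser that raises instead of calling sys.exit on a usage error."""

    def error(self, msg):
        raise ValueError(msg)


def add_forwarder(option, opt_str, value, parser):
    """optparse callback: split a --forwarder value on commas and validate each address."""
    dest = parser.values.ensure_value(option.dest, [])
    for raw in value.split(","):
        ip = raw.strip()
        if not ip:  # "1.2.3.4," (space after the comma in the shell) must not pass silently
            raise optparse.OptionValueError("%s: empty address in %r" % (opt_str, value))
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            raise optparse.OptionValueError("%s: %r is not an IP address" % (opt_str, ip)) from None
        if addr.is_loopback:  # all of 127/8 and ::1, not just the two literals
            raise optparse.OptionValueError("%s: you cannot use localhost as a DNS forwarder" % opt_str)
        if ip not in dest:  # keep named.conf free of duplicate forwarders entries
            dest.append(ip)


def forwarders_from_argv(argv):
    """Parse argv under the patch's unattended rules and return the forwarder list.

    --forwarder/--no-forwarders require --setup-dns and exclude each other; with
    --setup-dns one of them is mandatory. --no-forwarders yields an empty list.
    """
    parser = ForwarderParser(usage="%prog --setup-dns (--forwarder IP[,IP...] | --no-forwarders)")
    parser.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False)
    parser.add_option("--forwarder", dest="forwarders", type="string", action="callback",
                      callback=add_forwarder, help="Add a DNS forwarder (repeatable or comma-separated)")
    parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", default=False)
    options, args = parser.parse_args(argv)
    if args:  # "--forwarder 1.2.3.4, 2.3.4.5" leaves 2.3.4.5 as a positional argument
        parser.error("unexpected argument(s): %s" % " ".join(args))
    forwarders = options.forwarders or []
    if not options.setup_dns and (forwarders or options.no_forwarders):
        parser.error("--forwarder and --no-forwarders need --setup-dns")
    if forwarders and options.no_forwarders:
        parser.error("--forwarder and --no-forwarders are mutually exclusive")
    if options.setup_dns and not forwarders and not options.no_forwarders:
        parser.error("give at least one --forwarder, or --no-forwarders")
    return forwarders
```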
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
Martin Nagy wrote:
> On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
>> Martin Nagy wrote:
>>> Hi,
>>> This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
>>>
>>> Martin
>>
>> Something like ipa-server-install --setup-dns --forwarder --forwarder ?
>> You can't use a separated list of IP addresses to save space and typing?
>>
>> That may go against coding style or practice, I don't know...
>>
>> /me has user hat on :-)
>
> Hm, well, we use a python module to handle option parsing [1] and this is the way it handles lists. We could allow the IP addresses to be separated by, say, ',' but this also has the risk that the user will do "--forwarder 1.2.3.4, 2.3.4.5" which of course wouldn't work (the last IP is treated as a positional argument).
>
> Martin
>
> [1] http://docs.python.org/library/optparse.html

ok, well if it's SOP to handle options this way I'm not about to suggest otherwise[1], but if there were a user-friendly way of doing it that didn't bend or break any rules I'd make more noise.

cheers
David

[1] One of the goals in ECS' style guide is to adhere as much as possible to industry standards and standard practice, not invent new ones that Red Hat likes better.

--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
http://freeipa.org/page/DocumentationPortal
http://git.fedorahosted.org/git/ipadocs.git

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Fri, 2009-09-04 at 09:50 +1000, David O'Brien wrote:
> Martin Nagy wrote:
> > Hi,
> > This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
> >
> > Martin
>
> Something like ipa-server-install --setup-dns --forwarder --forwarder ?
> You can't use a separated list of IP addresses to save space and typing?
>
> That may go against coding style or practice, I don't know...
>
> /me has user hat on :-)

Hm, well, we use a python module to handle option parsing [1] and this is the way it handles lists. We could allow the IP addresses to be separated by, say, ',' but this also has the risk that the user will do "--forwarder 1.2.3.4, 2.3.4.5" which of course wouldn't work (the last IP is treated as a positional argument).

Martin

[1] http://docs.python.org/library/optparse.html
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
Martin Nagy wrote:
> Hi,
> This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
>
> Martin

Something like ipa-server-install --setup-dns --forwarder --forwarder ?
You can't use a separated list of IP addresses to save space and typing?

That may go against coding style or practice, I don't know...

/me has user hat on :-)

--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
http://freeipa.org/page/DocumentationPortal
http://git.fedorahosted.org/git/ipadocs.git

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever." ~ Chinese proverb
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Wed, 2009-09-02 at 08:41 -0400, Simo Sorce wrote:
> On Wed, 2009-09-02 at 03:16 +0200, Martin Nagy wrote:
> > Martin Nagy wrote:
> > > Hi,
> > > This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
> > >
> > > Martin
> >
> > Actually, I forgot on the replica installer. Updated patch attached.
>
> Ack,
> Simo.

Pushed.

Martin
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
On Wed, 2009-09-02 at 03:16 +0200, Martin Nagy wrote:
> Martin Nagy wrote:
> > Hi,
> > This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these options was given at the command
> >
> > Martin
>
> Actually, I forgot on the replica installer. Updated patch attached.

Ack,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
Martin Nagy wrote: > Hi, > This patch adds options --forwarder and --no-forwarders. At least one of > them must be used if you are doing a setup with DNS server. They are > also mutually exclusive. The --forwarder option can be used more than > once to specify more servers. If the installer runs in interactive mode, > it will prompt the user if none of these option was given at the command > > Martin Actually, I forgot on the replica installer. Updated patch attached. Martin>From b3ecb8dac8bd1f78304752ea6cc2e5c35100850b Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Tue, 1 Sep 2009 23:28:52 +0200 Subject: [PATCH] Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line. --- install/share/bind.named.conf.template |3 ++ install/tools/ipa-replica-install | 24 ++-- install/tools/ipa-server-install| 46 ++- install/tools/man/ipa-replica-install.1 | 12 +++- install/tools/man/ipa-server-install.1 | 12 +++- ipaserver/install/bindinstance.py | 13 - 6 files changed, 103 insertions(+), 7 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 69bd86b..8b5fac2 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -5,6 +5,9 @@ options { statistics-file "data/named_stats.txt"; memstatistics-file "data/named_mem_stats.txt"; + forward first; + forwarders {$FORWARDERS}; + tkey-gssapi-credential "DNS/$FQDN"; tkey-domain "$REALM"; }; diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index d76ec05..a4d8848 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
@@ -60,12 +60,26 @@ def parse_options(): help="Directory Manager (existing master) password") parser.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False, help="configure bind with our zone") +parser.add_option("--forwarder", dest="forwarders", action="append", + help="Add a DNS forwarder") +parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", + default=False, help="Do not add any DNS forwarders, use root servers instead") options, args = parser.parse_args() if len(args) != 1: parser.error("you must provide a file generated by ipa-replica-prepare") +if not options.setup_dns: +if options.forwarders: +parser.error("You cannot specify a --forwarder option without the --setup-dns option") +if options.no_forwarders: +parser.error("You cannot specify a --no-forwarders option without the --setup-dns option") +elif options.forwarders and options.no_forwarders: +parser.error("You cannot specify a --forwarder option together with --no-forwarders") +elif not options.forwarders and not options.no_forwarders: +parser.error("You must specify at least one --forwarder option or --no-forwarders option") + return options, args[0] def get_dirman_password(): @@ -189,10 +203,14 @@ def install_http(config): print "error copying files: " + str(e) sys.exit(1) -def install_bind(config): +def install_bind(config, options): +if options.forwarders: +forwarders = options.forwarders +else: +forwarders = () bind = bindinstance.BindInstance(dm_password=config.dirman_password) ip_address = resolve_host(config.host_name) -bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name) +bind.setup(config.host_name, ip_address, config.realm_name, config.domain_name, forwarders) bind.create_instance() def check_dirsrv(): @@ -311,7 +329,7 @@ def main(): install_krb(config) install_http(config) if options.setup_dns: -install_bind(config) +install_bind(config, options) if CA: CA.import_ra_cert(dir + "/ra.p12") CA.fix_ra_perms() 
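Review bot: the validation block added to parse_options in ipa-replica-install checks only how --forwarder and --no-forwarders combine, never the values themselves: `action="append"` stores whatever string follows --forwarder, so `--forwarder 1.2.3.4,` (the comma case discussed in the thread), a hostname, or a loopback address goes straight into the forwarders list that install_bind hands to bind.setup, and a malformed entry is a named.conf syntax error that stops named from starting. The interactive read_dns_forwarders in ipa-server-install already rejects localhost and calls verify_ip_address, but command-line values bypass both checks in both installers; run the same checks over options.forwarders here and in ipa-server-install's parse_options, for example `for ip in options.forwarders or (): if not verify_ip_address(ip): parser.error("...")` (assuming that helper is reachable from the replica installer as it is from ipa-server-install).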
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index d0e9397..2c890b4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -84,6 +84,10 @@ def parse_options(): default=False, help="configure bind with our zone file") parser.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False, help="configure bind with our zone") +parser.add_option("--forwarder", dest="forwarders", action="append", + help="Add a DNS forwar
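Review bot: `forward first;` in the bind.named.conf.template hunk means named falls back to full recursion from the root servers whenever the configured forwarders do not answer, so a --forwarder install degrades to the same behaviour as --no-forwarders on forwarder failure; if the point of --forwarder is that all external resolution goes through the listed servers (a site that firewalls direct outbound DNS, for instance), `forward only;` is the stricter setting, and either way the fallback is worth a sentence in the ipa-server-install.1 and ipa-replica-install.1 changes this patch carries. The template also substitutes `{$FORWARDERS}` as a bare token, so the code that builds it (the bindinstance.py hunk is not in the visible part of this patch) must emit each address with its trailing semicolon, and with --no-forwarders the rendered line becomes `forwarders {};`, which named accepts but which deserves a comment in the template so nobody later "fixes" it.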
[Freeipa-devel] [PATCH] Use DNS forwarders in /etc/named.conf
Hi, This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command Martin>From 2dbd272bdbd366c4e1fc9a1b7456c5c6d12377ab Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Tue, 1 Sep 2009 23:28:52 +0200 Subject: [PATCH] Use DNS forwarders in /etc/named.conf This patch adds options --forwarder and --no-forwarders. At least one of them must be used if you are doing a setup with DNS server. They are also mutually exclusive. The --forwarder option can be used more than once to specify more servers. If the installer runs in interactive mode, it will prompt the user if none of these option was given at the command line. --- install/share/bind.named.conf.template |3 ++ install/tools/ipa-server-install | 46 +++- install/tools/man/ipa-server-install.1 | 12 +++- ipaserver/install/bindinstance.py | 13 - 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 69bd86b..8b5fac2 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -5,6 +5,9 @@ options { statistics-file "data/named_stats.txt"; memstatistics-file "data/named_mem_stats.txt"; + forward first; + forwarders {$FORWARDERS}; + tkey-gssapi-credential "DNS/$FQDN"; tkey-domain "$REALM"; }; diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index d0e9397..2c890b4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -84,6 +84,10 @@ def parse_options(): default=False, help="configure bind with our zone file") parser.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False, help="configure bind with our zone") +parser.add_option("--forwarder", dest="forwarders", action="append", + help="Add a DNS forwarder") +parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", + default=False, help="Do not add any DNS forwarders, use root servers instead") parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user") parser.add_option("", "--uninstall", dest="uninstall", action="store_true", @@ -108,6 +112,14 @@ def parse_options(): help="The starting gid value (default random)") options, args = parser.parse_args() +if not options.setup_dns: +if options.forwarders: +parser.error("You cannot specify a --forwarder option without the --setup-dns option") +if options.no_forwarders: +parser.error("You cannot specify a --no-forwarders option without the --setup-dns option") +elif options.forwarders and options.no_forwarders: +parser.error("You cannot specify a --forwarder option together with --no-forwarders") + if options.uninstall: if (options.ds_user or options.realm_name or options.dm_password or options.admin_password or @@ -117,6 +129,9 @@ def parse_options(): if (not options.ds_user or not options.realm_name or not options.dm_password or not options.admin_password): parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options") +if options.setup_dns: +if not options.forwarders and not options.no_forwarders: +parser.error("You must specify at least one --forwarder option or --no-forwarders option") # If any of the PKCS#12 options are selected, all are required. Create a # list of the options and count it to enforce that all are required without 
@@ -210,6 +225,27 @@ def read_ip_address(host_name): return ip +def read_dns_forwarders(): +addrs = [] +while True: +ip = user_input("Enter IP address for a DNS forwarder (empty to stop)", allow_empty=True) + +if not ip: +break +if ip == "127.0.0.1" or ip == "::1": +print "You cannot use localhost as a DNS forwarder" +continue +if not verify_ip_address(ip): +continue + +print "DNS forwarder %s added" % ip +addrs.append(ip) + +if not addrs: +print "No DNS forwarders configured" + +return addrs + def read_ds_user(): print "The server must run as a specific user in a specific group." print "It is strongly recommended that this user should have no privileges" @@ -504,6 +540,14 @@ def main(): else: admin_password = options.admin_passwor
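Review bot: read_dns_forwarders rejects exactly the two literals "127.0.0.1" and "::1", so any other loopback address (127.0.0.2 through 127.255.255.255) passes the check and is written into named.conf as a forwarder; test the 127/8 prefix rather than the single literal. The loop also appends the same address every time it is entered, giving duplicate forwarders entries; skip an `ip` that is already in `addrs` before the "DNS forwarder %s added" message.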