URL: https://github.com/freeipa/freeipa/pull/5174 Author: tiran Title: #5174: Lookup ipa-ca record with NSS Action: opened
PR body: """ DNS data management now uses NSS's getaddrinfo() instead of direct DNS queries to resolve the ipa-ca record. This fixes missing ipa-ca records when the current hostname is not resolvable in DNS but has correct records in /etc/hosts. Reduce timeout to 15 seconds and tighten timeout loop. The changeset can speed up installation by almost 60 seconds. ipa-server-install without built-in DNS calls into DNS data management twice with a timeout of 30 seconds for each call. Fixes: https://pagure.io/freeipa/issue/8529 Related: https://pagure.io/freeipa/issue/8521 Related: https://pagure.io/freeipa/issue/8501 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5174/head:pr5174 git checkout pr5174
From b080449f0770c8cfb58d5544cfbecec42364ad93 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Tue, 6 Oct 2020 13:12:41 +0200 Subject: [PATCH] Lookup ipa-ca record with NSS DNS data management now uses NSS's getaddrinfo() instead of direct DNS queries to resolve the ipa-ca record. This fixes missing ipa-ca records when the current hostname is not resolvable in DNS but has correct records in /etc/hosts. Reduce timeout to 15 seconds and tighten timeout loop. The changeset can speed up installation by almost 60 seconds. ipa-server-install without built-in DNS calls into DNS data management twice with a timeout of 30 seconds for each call. Fixes: https://pagure.io/freeipa/issue/8529 Related: https://pagure.io/freeipa/issue/8521 Related: https://pagure.io/freeipa/issue/8501 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/dns_data_management.py | 25 +++++++++++-------------- ipaserver/install/installutils.py | 4 +++- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index 9ef2e6c384..f6c432780a 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py @@ -15,13 +15,12 @@ rdatatype, zone, ) -from dns.exception import DNSException - -from time import sleep, time from ipalib import errors from ipalib.dns import record_name_format -from ipapython.dnsutil import DNSName, resolve_rrsets +from ipapython.dnsutil import DNSName +from ipapython.ipautil import Sleeper +from ipaserver.install import installutils if six.PY3: unicode=str @@ -55,7 +54,7 @@ (DNSName("_ntp._udp"), 123), ) -CA_RECORDS_DNS_TIMEOUT = 30 # timeout in seconds +CA_RECORDS_DNS_TIMEOUT = 15 # timeout in seconds class IPADomainIsNotManagedByIPAError(Exception): 
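Review bot: The new `from ipaserver.install import installutils` in the first hunk makes ipaserver/dns_data_management.py depend on the installer package for the first time; installutils itself imports certs, service and sysupgrade (visible in its own import hunk), so this pulls the installer import chain into a module that, as far as I can tell, is also used outside installation, and it risks an import cycle if anything under ipaserver.install imports this module. A leaner layout is to place the NSS lookup beside the existing DNS helpers and import it from there, e.g. `from ipapython.dnsutil import DNSName, resolve_ip_addresses_nss`, keeping installutils out of this module. The dropped `DNSException` and `sleep`/`time` imports look consistent with the rewritten loop in the later hunk, which no longer references them.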
@@ -139,23 +138,21 @@ def __add_srv_records( def __add_ca_records_from_hostname(self, zone_obj, hostname): assert isinstance(hostname, DNSName) and hostname.is_absolute() r_name = DNSName('ipa-ca') + self.domain_abs - rrsets = [] - end_time = time() + CA_RECORDS_DNS_TIMEOUT - while time() < end_time: - try: - rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.AAAA)) - except DNSException: # logging is done inside resolve_rrsets - pass + sleep = Sleeper(sleep=1, timeout=CA_RECORDS_DNS_TIMEOUT) + while True: + # logging is done inside function + rrsets = installutils.resolve_ip_addresses_nss(hostname) if rrsets: break - sleep(5) + if not sleep(): + break if not rrsets: logger.error('unable to resolve host name %s to IP address, ' 'ipa-ca DNS record will be incomplete', hostname) return - for rrset in rrsets: + for rrset in sorted(rrsets): for rd in rrset: rdataset = zone_obj.get_rdataset( r_name, rd.rdtype, create=True) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 17009bde19..7edb152f27 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -55,7 +55,7 @@ from ipalib import api, errors, x509 from ipalib.install import dnsforwarders from ipapython.dn import DN -from ipapython.dnsutil import resolve +from ipapython.dnsutil import DNSName, resolve from ipaserver.install import certs, service, sysupgrade from ipaplatform import services from ipaplatform.paths import paths @@ -451,6 +451,8 @@ def resolve_ip_addresses_nss(fqdn): :returns: list of IP addresses as UnsafeIPAddress objects """ + if isinstance(fqdn, DNSName): + fqdn = DNSName.to_text() # it would be good disable search list processing from resolv.conf # to avoid cases where we get IP address for an totally different name # but there is no way to do this using getaddrinfo parameters
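Review bot: In the rewritten loop the result of `installutils.resolve_ip_addresses_nss(hostname)` is still consumed as DNS rrsets (`for rrset in sorted(rrsets): for rd in rrset:` and `rd.rdtype`), but the docstring shown in the installutils hunk says that helper returns a list of IP addresses as UnsafeIPAddress objects, so the inner loop and `rd.rdtype` no longer match the data they receive and the record type has to be derived from the address family instead. The rest of the record-building loop and the remainder of `__add_ca_records_from_hostname` continue outside the hunk, so I cannot see how the rdata is constructed; the sketch below covers only the lines in view and assumes UnsafeIPAddress exposes netaddr's `version`. Separately, `CA_RECORDS_DNS_TIMEOUT` now bounds only the Sleeper while each `getaddrinfo()` call may additionally block for the system resolver's own timeout, so the 15 s figure is not a wall-clock bound; a comment such as `# Sleeper bounds the retry budget; each NSS lookup may add the resolver's own timeout` would set expectations.
```python
        sleep = Sleeper(sleep=1, timeout=CA_RECORDS_DNS_TIMEOUT)
        while True:
            # logging is done inside function
            ip_addresses = installutils.resolve_ip_addresses_nss(hostname)
            if ip_addresses:
                break
            if not sleep():
                break
        # … unchanged: error log when nothing resolved …
        for ip_address in sorted(ip_addresses):
            rdtype = rdatatype.A if ip_address.version == 4 else rdatatype.AAAA
            rdataset = zone_obj.get_rdataset(r_name, rdtype, create=True)
            # … continues outside the hunk: build the rdata from ip_address …
```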
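Review bot: `fqdn = DNSName.to_text()` in the second installutils hunk calls `to_text` on the class rather than on the argument, so on Python 3 it raises TypeError (missing `self`) for every DNSName caller — and the new caller in dns_data_management passes exactly a DNSName. The minimal fix is `fqdn = fqdn.to_text()`. Note also that the caller asserts the name is absolute, so the text form carries a trailing dot; I believe glibc's files backend compares /etc/hosts names literally, which would defeat the /etc/hosts case this PR sets out to fix, so `fqdn = fqdn.to_text(omit_final_dot=True)` is probably the safer spelling — worth confirming with `getent ahosts <host>.` on a target system. The enclosing function `resolve_ip_addresses_nss` begins before the hunk and continues after it.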