Re: [Freeipa-devel] [PATCH 0137] DNS Locations: make ipa-ca record generation more robus

2016-06-20 Thread Martin Basti



On 20.06.2016 18:28, Petr Spacek wrote:

Hello,

DNS Locations: make ipa-ca record generation more robust

__add_ca_records_from_hostname() now skips over DNS exceptions and
retries resolution until timeout of 120 seconds is reached.

Luckily current logic fails safe: In cases where resolution failed for
all the CA servers, the resulting zone object will not contain ipa-ca
record at all and the update logic will skip update for this name.
I.e. the original values in ipa-ca record set will be left in place.

https://fedorahosted.org/freeipa/ticket/2008


ACK

master:
* b6bab8d4e0d6f4715ef353b6944c85c5e88d44ab DNS Locations: make ipa-ca record generation more robust


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 0137] DNS Locations: make ipa-ca record generation more robus

2016-06-20 Thread Petr Spacek
Hello,

DNS Locations: make ipa-ca record generation more robust

__add_ca_records_from_hostname() now skips over DNS exceptions and
retries resolution until timeout of 120 seconds is reached.

Luckily current logic fails safe: In cases where resolution failed for
all the CA servers, the resulting zone object will not contain ipa-ca
record at all and the update logic will skip update for this name.
I.e. the original values in ipa-ca record set will be left in place.

https://fedorahosted.org/freeipa/ticket/2008

-- 
Petr^2 Spacek
From 63fdff793acef0232bf352042f952d47d575d1d1 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 20 Jun 2016 18:23:51 +0200
Subject: [PATCH] DNS Locations: make ipa-ca record generation more robust

__add_ca_records_from_hostname() now skips over DNS exceptions and
retries resolution until timeout of 120 seconds is reached.

Luckily current logic fails safe: In cases where resolution failed for
all the CA servers, the resulting zone object will not contain ipa-ca
record at all and the update logic will skip update for this name.
I.e. the original values in ipa-ca record set will be left in place.

https://fedorahosted.org/freeipa/ticket/2008
---
 ipaserver/dns_data_management.py | 21 -
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index 3ca40c785681a56fd6e7583c6b4db88c58317305..a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -12,12 +12,16 @@ from dns import (
 rdatatype,
 zone,
 )
+from dns.exception import DNSException
 from dns.rdtypes.IN.SRV import SRV
 from dns.rdtypes.ANY.TXT import TXT
 
+from time import sleep, time
+
 from ipalib import errors
 from ipalib.dns import record_name_format
 from ipapython.dnsutil import DNSName, resolve_rrsets
+from ipapython.ipa_log_manager import root_logger
 
 if six.PY3:
 unicode=str
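
Review bot: `from time import sleep, time` is placed between the `dns` imports and the `ipalib` imports, and it binds the bare name `time` to the function rather than the module. Group it with the module's standard-library imports, and consider `import time` with `time.time()` / `time.sleep()` at the call sites so a later reader does not mistake `time()` for a module call. The deadline built from this import is wall-clock based, so a system clock adjustment during the wait would shorten or lengthen the retry window; a monotonic clock avoids that where the supported interpreters provide one (the `six.PY3` check just below shows both Python 2 and 3 are in play).
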
@@ -134,7 +138,22 @@ class IPASystemRecords(object):
 def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
-rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.))
+rrsets = []
+end_time = time() + 120  # timeout in seconds
+while time() < end_time:
+try:
+rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.))
+except DNSException:  # logging is done inside resolve_rrsets
+pass
+if rrsets:
+break
+sleep(5)
+
+if not rrsets:
+root_logger.error('unable to resolve host name %s to IP address, '
+  'ipa-ca DNS record will be incomplete', hostname)
+return
+
 for rrset in rrsets:
 for rd in rrset:
 rdataset = zone_obj.get_rdataset(
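
Review bot: the `while time() < end_time:` loop can hold the caller for the full 120 seconds for each hostname passed in, and it gives no sign that it is retrying, because `except DNSException: pass` leaves all reporting to `resolve_rrsets`. Add a debug-level message per retry (host name and time remaining) so a slow run can be told apart from a hang, and lift `120` and `5` into named module-level constants. Two smaller points: `sleep(5)` runs even when less than five seconds remain, so the loop can overrun the deadline by a few seconds; and an empty result returned without an exception is retried exactly like an error, which is worth stating in the comment if that is intended. The early `return` after `root_logger.error(...)` matches the fail-safe behaviour the commit message describes, since no record is added for this host.
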
-- 
2.5.5
