Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 08/18/2015 10:53 PM, Martin Basti wrote: On 08/18/2015 08:02 PM, David Kupka wrote: On 31/07/15 18:31, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for record this patch is for dualstack/IPv6 support. IMO this ticket also requires to fix ipa-join to support IPv6. I still have doubts to have multihomed support as default, this may be unexpected change of ipa-client-install behavior. I know, is hard to detect which addresses user want to register in IPA without crystal ball, but it should not be impossible :-) . I propose following solution: To add new options: --multihomed or --all-ip-address - all IP addresses from client will be used --ip-address - adress which will be registered on (IPA) DNS server --ip-address-interface - interface from which address will be registered 0) without any option specified, current behavior will be used + IPv6 * detect which address is used to communicate with IPA server * detect interface where this address belongs * use ipv4 and all ipv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as is configured now: automatically detect which address is used + patched SSSD will also updates proper IPv6 address 1) --multihomed or --all-ip-addresses (this is multihomed ticket) * all adresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only specified addresses will be used (+ check if this addresses exist locally) * if --enable-dns-updates=true: ERROR dynamic updates may change this address (user should choose static vs dynamic) 3) --ip-address-interface option specified: * only
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 31/07/15 18:31, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for record this patch is for dualstack/IPv6 support. IMO this ticket also requires to fix ipa-join to support IPv6. I still have doubts to have multihomed support as default, this may be unexpected change of ipa-client-install behavior. I know, is hard to detect which addresses user want to register in IPA without crystal ball, but it should not be impossible :-) . I propose following solution: To add new options: --multihomed or --all-ip-address - all IP addresses from client will be used --ip-address - adress which will be registered on (IPA) DNS server --ip-address-interface - interface from which address will be registered 0) without any option specified, current behavior will be used + IPv6 * detect which address is used to communicate with IPA server * detect interface where this address belongs * use ipv4 and all ipv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as is configured now: automatically detect which address is used + patched SSSD will also updates proper IPv6 address 1) --multihomed or --all-ip-addresses (this is multihomed ticket) * all adresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only specified addresses will be used (+ check if this addresses exist locally) * if --enable-dns-updates=true: ERROR dynamic updates may change this address (user should choose static vs dynamic) 3) --ip-address-interface option specified: * only addresses from specified interfaces will be used * if --enable-dns-updates=true: SSSD will be configured to
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 08/18/2015 08:02 PM, David Kupka wrote: On 31/07/15 18:31, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for record this patch is for dualstack/IPv6 support. IMO this ticket also requires to fix ipa-join to support IPv6. I still have doubts to have multihomed support as default, this may be unexpected change of ipa-client-install behavior. I know, is hard to detect which addresses user want to register in IPA without crystal ball, but it should not be impossible :-) . I propose following solution: To add new options: --multihomed or --all-ip-address - all IP addresses from client will be used --ip-address - adress which will be registered on (IPA) DNS server --ip-address-interface - interface from which address will be registered 0) without any option specified, current behavior will be used + IPv6 * detect which address is used to communicate with IPA server * detect interface where this address belongs * use ipv4 and all ipv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as is configured now: automatically detect which address is used + patched SSSD will also updates proper IPv6 address 1) --multihomed or --all-ip-addresses (this is multihomed ticket) * all adresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only specified addresses will be used (+ check if this addresses exist locally) * if --enable-dns-updates=true: ERROR dynamic updates may change this address (user should choose static vs dynamic) 3) --ip-address-interface option specified: * only addresses from specified interfaces will be used * if
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 07/31/2015 06:31 PM, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for record this patch is for dualstack/IPv6 support. IMO this ticket also requires to fix ipa-join to support IPv6. I still have doubts to have multihomed support as default, this may be unexpected change of ipa-client-install behavior. I know, is hard to detect which addresses user want to register in IPA without crystal ball, but it should not be impossible :-) . I propose following solution: To add new options: --multihomed or --all-ip-address - all IP addresses from client will be used --ip-address - adress which will be registered on (IPA) DNS server --ip-address-interface - interface from which address will be registered 0) without any option specified, current behavior will be used + IPv6 * detect which address is used to communicate with IPA server * detect interface where this address belongs * use ipv4 and all ipv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as is configured now: automatically detect which address is used + patched SSSD will also updates proper IPv6 address 1) --multihomed or --all-ip-addresses (this is multihomed ticket) * all adresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only specified addresses will be used (+ check if this addresses exist locally) * if --enable-dns-updates=true: ERROR dynamic updates may change this address (user should choose static vs dynamic) 3) --ip-address-interface option specified: * only addresses from specified interfaces will be used * if --enable-dns-updates=true: SSSD will be
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. Just for record this patch is for dualstack/IPv6 support. IMO this ticket also requires to fix ipa-join to support IPv6. I still have doubts to have multihomed support as default, this may be unexpected change of ipa-client-install behavior. I know, is hard to detect which addresses user want to register in IPA without crystal ball, but it should not be impossible :-) . I propose following solution: To add new options: --multihomed or --all-ip-address - all IP addresses from client will be used --ip-address - adress which will be registered on (IPA) DNS server --ip-address-interface - interface from which address will be registered 0) without any option specified, current behavior will be used + IPv6 * detect which address is used to communicate with IPA server * detect interface where this address belongs * use ipv4 and all ipv6 addresses of this interface * if --enable-dns-updates=true: configure SSSD as is configured now: automatically detect which address is used + patched SSSD will also updates proper IPv6 address 1) --multihomed or --all-ip-addresses (this is multihomed ticket) * all adresses will be used * if --enable-dns-updates=true: SSSD will be configured to send all ip_addresses 2) --ip-address option specified: * only specified addresses will be used (+ check if this addresses exist locally) * if --enable-dns-updates=true: ERROR dynamic updates may change this address (user should choose static vs dynamic) 3) --ip-address-interface option specified: * only addresses from specified interfaces will be used * if --enable-dns-updates=true: SSSD will be configured to use these
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. Updated patch attached. -- David Kupka From 5c923daf7ce662e19b144e338557e1b8df7a061d Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 174 +++--- 1 file changed, 113 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 91323ae115a27d221bcbc43fee887c56d99c8635..947cb10d98e950498b9ea1e4a3b715de1ee33e3b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -32,6 +32,7 @@ try: from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError import shutil from krbV import Krb5Error +import dns import nss.nss as nss import SSSDConfig @@ -1285,6 +1286,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie if options.dns_updates: domain.set_option('dyndns_update', True) +domain.set_option('dyndns_iface', '*') if options.krb5_offline_passwords: domain.set_option('krb5_store_password_if_offline', True) @@ -1500,40 +1502,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. -- David Kupka From 3ae6959cfd08c34cfcb0eaf29d057b5ea4ebbac4 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 173 +++--- 1 file changed, 112 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 91323ae115a27d221bcbc43fee887c56d99c8635..eab20e6c44954834b736d3477db88c7708912002 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -32,6 +32,7 @@ try: from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError import shutil from krbV import Krb5Error +import dns import nss.nss as nss import SSSDConfig @@ -1500,40 +1501,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error,
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15.1.2015 20:49, Lukas Slebodnik wrote: On (15/01/15 20:38), Martin Basti wrote: On 15/01/15 20:24, Martin Basti wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) Sorry, but NACK. 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled) +try: +answers = dns.resolver.query(fqdn, record_type) +except dns.resolver.NoAnswer: +if record_type == dns.rdatatype.A: +root_logger.debug('No A record for %s' % fqdn) +elif record_type == dns.rdatatype.: +root_logger.debug('No record for %s' % fqdn) +except dns.exception.DNSException as e: +root_logger.debug('DNS resolver error: ' % e) +else: +for rdata in answers: +try: +missing_ips.remove(rdata.address) +except ValueError: +extra_ips.append(rdata.address) This somehow doesn't work, for missing A/ records (4 A/ records expected) $host `hostname` vm-024.example.com has address 10.16.78.24 vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37 But I get *no warning*. == Why == Probably bug in BIND, all /A records *exists for several seconds*, then bind remove all A/ records without PTR record. (Needs more investigation, maybe it is dependent on bind version, in previous testing, the A/ records stay untouched ) This it the older journal from the *same machine* with same packages, where record without PTR haven't been deleted after few seconds EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com'
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) -- David Kupka From d667e108d0114e67aac51d35203a3dc2e15f2c4d Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 169 +++--- 1 file changed, 108 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b7597c2ea63c299969b3a9d76cf8ecc273..78df2089739746beb9347c00e41c12d9f6eb0fbe 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -31,6 +31,7 @@ try: from ConfigParser import RawConfigParser from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError import shutil +import dns import nss.nss as nss import SSSDConfig @@ -1494,40 +1495,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error, e: -last_socket_error = e -s = None +def get_local_ipaddresses(): +ipresult = ipautil.run([paths.IP, '-oneline', 'address', 'show']) +lines = ipresult[0].split('\n') +ips =
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) Sorry, but NACK. 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled) +try: +answers = dns.resolver.query(fqdn, record_type) +except dns.resolver.NoAnswer: +if record_type == dns.rdatatype.A: +root_logger.debug('No A record for %s' % fqdn) +elif record_type == dns.rdatatype.: +root_logger.debug('No record for %s' % fqdn) +except dns.exception.DNSException as e: +root_logger.debug('DNS resolver error: ' % e) +else: +for rdata in answers: +try: +missing_ips.remove(rdata.address) +except ValueError: +extra_ips.append(rdata.address) This somehow doesn't work, for missing A/ records (4 A/ records expected) $host `hostname` vm-024.example.com has address 10.16.78.24 vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37 But I get *no warning*. == Why == Probably bug in BIND, all /A records *exists for several seconds*, then bind remove all A/ records without PTR record. (Needs more investigation, maybe it is dependent on bind version, in previous testing, the A/ records stay untouched ) This it the older journal from the *same machine* with same packages, where record without PTR haven't been deleted after few seconds EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found EXAMPLE.COM: updating zone 'idm.example.com/IN': adding an RR at
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15/01/15 20:24, Martin Basti wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) Sorry, but NACK. 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled) +try: +answers = dns.resolver.query(fqdn, record_type) +except dns.resolver.NoAnswer: +if record_type == dns.rdatatype.A: +root_logger.debug('No A record for %s' % fqdn) +elif record_type == dns.rdatatype.: +root_logger.debug('No record for %s' % fqdn) +except dns.exception.DNSException as e: +root_logger.debug('DNS resolver error: ' % e) +else: +for rdata in answers: +try: +missing_ips.remove(rdata.address) +except ValueError: +extra_ips.append(rdata.address) This somehow doesn't work, for missing A/ records (4 A/ records expected) $host `hostname` vm-024.example.com has address 10.16.78.24 vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37 But I get *no warning*. == Why == Probably bug in BIND, all /A records *exists for several seconds*, then bind remove all A/ records without PTR record. (Needs more investigation, maybe it is dependent on bind version, in previous testing, the A/ records stay untouched ) This it the older journal from the *same machine* with same packages, where record without PTR haven't been deleted after few seconds EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found EXAMPLE.COM: updating zone
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On (15/01/15 20:38), Martin Basti wrote: On 15/01/15 20:24, Martin Basti wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) Sorry, but NACK. 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled) +try: +answers = dns.resolver.query(fqdn, record_type) +except dns.resolver.NoAnswer: +if record_type == dns.rdatatype.A: +root_logger.debug('No A record for %s' % fqdn) +elif record_type == dns.rdatatype.: +root_logger.debug('No record for %s' % fqdn) +except dns.exception.DNSException as e: +root_logger.debug('DNS resolver error: ' % e) +else: +for rdata in answers: +try: +missing_ips.remove(rdata.address) +except ValueError: +extra_ips.append(rdata.address) This somehow doesn't work, for missing A/ records (4 A/ records expected) $host `hostname` vm-024.example.com has address 10.16.78.24 vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37 But I get *no warning*. == Why == Probably bug in BIND, all /A records *exists for several seconds*, then bind remove all A/ records without PTR record. (Needs more investigation, maybe it is dependent on bind version, in previous testing, the A/ records stay untouched ) This it the older journal from the *same machine* with same packages, where record without PTR haven't been deleted after few seconds EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found EXAMPLE.COM: updating zone
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15/01/15 20:24, Martin Basti wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) Sorry, but NACK. 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled) +try: +answers = dns.resolver.query(fqdn, record_type) +except dns.resolver.NoAnswer: +if record_type == dns.rdatatype.A: +root_logger.debug('No A record for %s' % fqdn) +elif record_type == dns.rdatatype.: +root_logger.debug('No record for %s' % fqdn) +except dns.exception.DNSException as e: +root_logger.debug('DNS resolver error: ' % e) +else: +for rdata in answers: +try: +missing_ips.remove(rdata.address) +except ValueError: +extra_ips.append(rdata.address) This somehow doesn't work, for missing A/ records (4 A/ records expected) $host `hostname` vm-024.example.com has address 10.16.78.24 vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37 But I get *no warning*. == Why == Probably bug in BIND, all /A records *exists for several seconds*, then bind remove all A/ records without PTR record. (Needs more investigation, maybe it is dependent on bind version, in previous testing, the A/ records stay untouched ) This it the older journal from the *same machine* with same packages, where record without PTR haven't been deleted after few seconds EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found EXAMPLE.COM: updating zone
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. -- David Kupka From 9cd99ad800f7c2863805edc70f77eaeb829ddc7f Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 167 +++--- 1 file changed, 106 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b7597c2ea63c299969b3a9d76cf8ecc273..0a45e51e4a80d1e16f8e63fb2ddfd173e2b9c273 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -31,6 +31,7 @@ try: from ConfigParser import RawConfigParser from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError import shutil +import dns import nss.nss as nss import SSSDConfig @@ -1494,40 +1495,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error, e: -last_socket_error = e -s = None +def get_local_ipaddresses(): +ipresult = ipautil.run([paths.IP, '-oneline', 'address', 'show']) +lines = ipresult[0].split('\n') +ips = [] +for line in lines: +fields = line.split() +if len(fields) 6: +continue +if fields[2] not in ['inet', 'inet6']: continue - +(ip, mask) = fields[3].rsplit('/', 1) try: -s.connect(sa) -sockname = s.getsockname() - -# For both IPv4 and IPv6 own IP address is always the first item -return (sockname[0], af) -except socket.error, e: -last_socket_error = e -finally: -if s: -s.close() - -if
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. -- David Kupka From 6af4567a732051a736e7151b03789740042874f3 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 169 +++--- 1 file changed, 108 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b7597c2ea63c299969b3a9d76cf8ecc273..29b49bfb03199add67295462e9958e3d52d80b1f 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -31,6 +31,7 @@ try: from ConfigParser import RawConfigParser from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError import shutil +import dns import nss.nss as nss import SSSDConfig @@ -1494,40 +1495,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error, e: -last_socket_error = e -s = None +def get_local_ipaddresses(): +ipresult = ipautil.run([paths.IP, '-oneline', 'address', 'show']) +lines = ipresult[0].split('\n') +ips = [] +for line in lines: +fields = line.split() +if len(fields) 6: +continue +if fields[2] not in ['inet', 'inet6']: continue - +(ip, mask) = fields[3].rsplit('/', 1) try: -s.connect(sa)
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. Any other suggestions are welcome. -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. -- David Kupka From 54e7aea7374bb6dd89e2438e648ad8df6f9225dd Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 104 +- 1 file changed, 46 insertions(+), 58 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b7597c2ea63c299969b3a9d76cf8ecc273..34829f403e774278ec511958ae3c9e3dd4219682 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1494,40 +1494,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error, e: -last_socket_error = e -s = None +def get_local_ipaddresses(): +ipresult = ipautil.run([paths.IP, '-oneline', 'address', 'show']) +lines = ipresult[0].split('\n') +ips = [] +for line in lines: +fields = line.split() +if len(fields) 6: +continue +if fields[2] not in ['inet', 'inet6']: continue - +(ip, mask) = fields[3].rsplit('/', 1) try: -s.connect(sa) -sockname = s.getsockname() - -# For both IPv4 and IPv6 own IP address is always the first item -return (sockname[0], af) -except socket.error, e: -last_socket_error = e -finally: -if s: -s.close() - -if last_socket_error is not None: -raise last_socket_error # pylint: disable=E0702 +ips.append(ipautil.CheckedIPAddress(ip)) +except ValueError: +continue +return ips def do_nsupdate(update_txt): root_logger.debug(Writing nsupdate commands to %s:, UPDATE_FILE) @@ -1552,21 +1534,24 @@ def do_nsupdate(update_txt): return result -UPDATE_TEMPLATE_A = -debug +DELETE_TEMPLATE_A = update delete $HOSTNAME. IN A show send -update add $HOSTNAME. $TTL IN A $IPADDRESS -show -send -UPDATE_TEMPLATE_ = -debug +DELETE_TEMPLATE_ = update delete $HOSTNAME. IN show send + +ADD_TEMPLATE_A = +update add $HOSTNAME. $TTL IN A $IPADDRESS +show +send + + +ADD_TEMPLATE_ = update add $HOSTNAME. $TTL IN $IPADDRESS show send @@ -1578,31 +1563,34 @@ CCACHE_FILE = paths.IPA_DNS_CCACHE def update_dns(server, hostname): try: -(ip, af) = resolve_ipaddress(server) -except socket.gaierror, e: -root_logger.debug(update_dns: could not connect to server: %s, e) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) +root_logger.debug(Unable to get local IP addresses.) return -sub_dict = dict(HOSTNAME=hostname, -IPADDRESS=ip, -TTL=1200 -) - -if af == socket.AF_INET: -template = UPDATE_TEMPLATE_A -elif af == socket.AF_INET6: -template = UPDATE_TEMPLATE_ -else: -root_logger.info(Failed to determine this machine's ip address.) -root_logger.warning(Failed to update DNS A record.) +if not ips: +root_logger.info(Failed to determine this machine's ip address(es).)
[Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
https://fedorahosted.org/freeipa/ticket/4249 -- David Kupka From 3bd0b78b7b6f77d39478aa75d7f808a06fed562b Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 103 +- 1 file changed, 45 insertions(+), 58 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b7597c2ea63c299969b3a9d76cf8ecc273..027dda2e04212fe90ab291adf23edb63b194475d 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1494,40 +1494,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error, e: -last_socket_error = e -s = None +def get_local_ipaddresses(): +ipresult = ipautil.run([paths.IP, '-oneline', 'address', 'show']) +lines = ipresult[0].replace('\\', '').split('\n') +ips = [] +for line in lines: +fields = line.split() +if len(fields) 6: +continue +if fields[2] not in ['inet', 'inet6']: continue - +(ip, mask) = fields[3].rsplit('/', 1) try: -s.connect(sa) -sockname = s.getsockname() - -# For both IPv4 and IPv6 own IP address is always the first item -return (sockname[0], af) -except socket.error, e: -last_socket_error = e -finally: -if s: -s.close() - -if last_socket_error is not None: -raise last_socket_error # pylint: disable=E0702 +ips.append(ipautil.CheckedIPAddress(ip)) +except ValueError: +continue +return ips def do_nsupdate(update_txt): root_logger.debug(Writing nsupdate commands to %s:, UPDATE_FILE) @@ -1552,21 +1534,24 @@ def do_nsupdate(update_txt): return result -UPDATE_TEMPLATE_A = -debug +DELETE_TEMPLATE_A = update delete $HOSTNAME. IN A show send -update add $HOSTNAME. $TTL IN A $IPADDRESS -show -send -UPDATE_TEMPLATE_ = -debug +DELETE_TEMPLATE_ = update delete $HOSTNAME. IN show send + +ADD_TEMPLATE_A = +update add $HOSTNAME. $TTL IN A $IPADDRESS +show +send + + +ADD_TEMPLATE_ = update add $HOSTNAME. $TTL IN $IPADDRESS show send @@ -1578,31 +1563,33 @@ CCACHE_FILE = paths.IPA_DNS_CCACHE def update_dns(server, hostname): try: -(ip, af) = resolve_ipaddress(server) -except socket.gaierror, e: -root_logger.debug(update_dns: could not connect to server: %s, e) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) return -sub_dict = dict(HOSTNAME=hostname, -IPADDRESS=ip, -TTL=1200 -) - -if af == socket.AF_INET: -template = UPDATE_TEMPLATE_A -elif af == socket.AF_INET6: -template = UPDATE_TEMPLATE_ -else: -root_logger.info(Failed to determine this machine's ip address.) -root_logger.warning(Failed to update DNS A record.) +if len(ips) == 0: +root_logger.info(Failed to determine this machine's ip address(es).) return -update_txt = ipautil.template_str(template, sub_dict) +update_txt = debug\n +update_txt += ipautil.template_str(DELETE_TEMPLATE_A, dict(HOSTNAME=hostname)) +update_txt += ipautil.template_str(DELETE_TEMPLATE_, dict(HOSTNAME=hostname)) + +for ip in ips: +sub_dict = dict(HOSTNAME=hostname, +IPADDRESS=ip, +TTL=1200 + ) +if ip.version == 4: +template = ADD_TEMPLATE_A +elif ip.version == 6: +template = ADD_TEMPLATE_ +update_txt += ipautil.template_str(template, sub_dict) if do_nsupdate(update_txt): -root_logger.info(DNS server record set to: %s - %s, hostname, ip) +
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Rather than scraping the output of ip is the python-netifaces package a viable alternative? Yes it adds another dep, and I'm not sure it is available for all platforms, but it makes the client less dependent upon output format changes in a cli utility. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 01/07/2015 03:12 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Rather than scraping the output of ip is the python-netifaces package a viable alternative? Yes it adds another dep, and I'm not sure it is available for all platforms, but it makes the client less dependent upon output format changes in a cli utility. rob Yes, it would be much better and I originally wanted to use it. But it isn't available on all platforms that FreeIPA runs on. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel