Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-25 Thread Petr Viktorin

On 09/25/2014 03:23 PM, Petr Spacek wrote:

On 25.9.2014 14:56, Petr Viktorin wrote:

On 09/24/2014 02:07 PM, Petr Viktorin wrote:

On 09/24/2014 01:54 PM, Petr Spacek wrote:

On 24.9.2014 13:47, Petr Viktorin wrote:

On 09/23/2014 06:00 PM, Petr Spacek wrote:

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?



[...]


LGTM except one nitpick I didn't see before:


+if not options.wait_for_dns or self.check_dns(replica_fqdn):
+self.log.debug('%s A/ record resolvable',
replica_fqdn)
+return


This will print the message
'%s A/ record resolvable', replica_fqdn
even if I use the switch --no-wait-for-dns

This is sooo minor that it can be deferred; please open a ticket
if you don't plan to send a new version of the patch.


You're right.
Let's do it correctly now; this isn't worth the overhead of a ticket.



Based on more discussion with Petr, I extended the list of handled
exceptions.


ACK, it works even in corner cases like a YXDOMAIN* answer and the like.

* "Some name that ought not to exist, does exist." [RFC2136]



Thanks for the review!
Pushed to:
master: ffe4417c630537b1fd51292c86877fbea66862fb
ipa-4-1: ee4a023cf1d2cf5f3d10386979d00d96410e9e80
ipa-4-0: 179423761eb297dd62f0fa9bc33a4aa849d8bb34


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-25 Thread Petr Spacek

On 25.9.2014 14:56, Petr Viktorin wrote:

On 09/24/2014 02:07 PM, Petr Viktorin wrote:

On 09/24/2014 01:54 PM, Petr Spacek wrote:

On 24.9.2014 13:47, Petr Viktorin wrote:

On 09/23/2014 06:00 PM, Petr Spacek wrote:

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?



[...]


LGTM except one nitpick I didn't see before:


+if not options.wait_for_dns or self.check_dns(replica_fqdn):
+self.log.debug('%s A/ record resolvable', replica_fqdn)
+return


This will print the message
'%s A/ record resolvable', replica_fqdn
even if I use the switch --no-wait-for-dns

This is sooo minor that it can be deferred; please open a ticket
if you don't plan to send a new version of the patch.


You're right.
Let's do it correctly now; this isn't worth the overhead of a ticket.



Based on more discussion with Petr, I extended the list of handled exceptions.


ACK, it works even in corner cases like a YXDOMAIN* answer and the like.

* "Some name that ought not to exist, does exist." [RFC2136]

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-25 Thread Petr Viktorin

On 09/24/2014 02:07 PM, Petr Viktorin wrote:

On 09/24/2014 01:54 PM, Petr Spacek wrote:

On 24.9.2014 13:47, Petr Viktorin wrote:

On 09/23/2014 06:00 PM, Petr Spacek wrote:

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?



[...]


LGTM except one nitpick I didn't see before:


+if not options.wait_for_dns or self.check_dns(replica_fqdn):
+self.log.debug('%s A/ record resolvable', replica_fqdn)
+return


This will print the message
'%s A/ record resolvable', replica_fqdn
even if I use the switch --no-wait-for-dns

This is sooo minor that it can be deferred; please open a ticket
if you don't plan to send a new version of the patch.


You're right.
Let's do it correctly now; this isn't worth the overhead of a ticket.



Based on more discussion with Petr, I extended the list of handled
exceptions.


--
Petr³
From 8832e243297a8ab5f265798350fd30dfbc3a710f Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 19 Sep 2014 15:57:44 +0200
Subject: [PATCH] ipa-replica-prepare: Wait for the DNS entry to be resolvable

It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.

Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.

In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).

https://fedorahosted.org/freeipa/ticket/4551
---
 ipaserver/install/ipa_replica_prepare.py | 53 
 1 file changed, 53 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 7762614a1174208db0915d4e882212b3f578476e..c8d2e64c2ffc9addbb8cffbd13317ac2f82be5f6 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -21,9 +21,12 @@
 import os
 import shutil
 import tempfile
+import time
 from optparse import OptionGroup
 from ConfigParser import SafeConfigParser
 
+import dns.resolver
+
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.plugins.ldap2 import ldap2
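Review bot: `import dns.resolver` is an unconditional module-level import, so ipa-replica-prepare will fail to start at all when the python dns package is not installed, even when --no-wait-for-dns is given. If that package is not already a hard dependency of the server package, either add it to the packaging requirements in this patch or move the import inside check_dns.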
@@ -64,6 +67,9 @@ def add_options(cls, parser):
 parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
 metavar="FILE",
 help="location of CA PKCS#12 file, default /root/cacert.p12")
+parser.add_option('--no-wait-for-dns', dest='wait_for_dns',
+action='store_false', default=True,
+help="do not wait until the replica is resolvable in DNS")
 
 group = OptionGroup(parser, "SSL certificate options",
 "Only used if the server was installed using custom SSL certificates")
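Review bot: the new --no-wait-for-dns switch comes with no documentation; the diffstat shows only ipaserver/install/ipa_replica_prepare.py changed, so the ipa-replica-prepare man page does not learn about the option or about the wait it disables. Suggest updating the man page in the same patch so the option and the Ctrl+C behaviour are discoverable.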
@@ -290,6 +296,9 @@ def run(self):
 if options.ip_address:
 self.add_dns_records()
 
+if options.wait_for_dns:
+self.wait_for_dns()
+
 def copy_ds_certificate(self):
 options = self.options
 
@@ -451,6 +460,50 @@ def add_dns_records(self):
 raise admintool.ScriptError(
 "Could not add reverse DNS record for the replica: %s" % e)
 
+def check_dns(self, replica_fqdn):
+"""Return true if the replica hostname is resolvable"""
+resolver = dns.resolver.Resolver()
+exceptions = (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
+  dns.resolver.Timeout, dns.resolver.NoNameservers)
+
+try:
+dns_answer = resolver.query(replica_fqdn, 'A', 'IN')
+except exceptions:
+try:
+dns_answer = resolver.query(replica_fqdn, '', 'IN')
+except exceptions:
+return False
+except Exception as e:
+self.log.warn('Exception while waiting for DNS record: %s: %s',
+  type(e).__name__, e)
+
+return True
+
+def wait_for_dns(self):
+options = self.options
+
+# Make sure replica_fqdn has a trailing dot, so the
+# 'search' directive in /etc/resolv.conf doesn't apply
+replica_fqdn = self.replica_fqdn
+if not replica_fqdn.endswith('.'):
+replica_fqdn += '.'
+
+if self.check_dns(replica_fqdn):
+   
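Review bot: in check_dns the catch-all `except Exception as e:` branch only logs a warning and then falls through to `return True`, so any error that is not one of the four listed resolver exceptions (a YXDOMAIN answer, a socket error, a malformed response) is reported as "resolvable" and ends the wait with a warning the admin may not notice. If that is the intended behaviour, say so in the docstring; otherwise `return False` there so the loop keeps polling, or re-raise. Also, `dns_answer` is assigned by both `resolver.query` calls but never read; the assignment can be dropped.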

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-24 Thread Petr Viktorin

On 09/24/2014 01:54 PM, Petr Spacek wrote:

On 24.9.2014 13:47, Petr Viktorin wrote:

On 09/23/2014 06:00 PM, Petr Spacek wrote:

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?



[...]


LGTM except one nitpick I didn't see before:


+if not options.wait_for_dns or self.check_dns(replica_fqdn):
+self.log.debug('%s A/ record resolvable', replica_fqdn)
+return


This will print the message
'%s A/ record resolvable', replica_fqdn
even if I use the switch --no-wait-for-dns

This is sooo minor that it can be deferred; please open a ticket
if you don't plan to send a new version of the patch.


You're right.
Let's do it correctly now; this isn't worth the overhead of a ticket.

--
Petr³

From ba204806df3edaf681ae2d1d297af887f83f23f1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 19 Sep 2014 15:57:44 +0200
Subject: [PATCH] ipa-replica-prepare: Wait for the DNS entry to be resolvable

It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.

Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.

In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).

https://fedorahosted.org/freeipa/ticket/4551
---
 ipaserver/install/ipa_replica_prepare.py | 49 
 1 file changed, 49 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index c1ced3dcbcf9b619285347efff31ced335f397ce..17d7774394bec8eb004fd0eb397dd68843508636 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -21,9 +21,12 @@
 import os
 import shutil
 import tempfile
+import time
 from optparse import OptionGroup
 from ConfigParser import SafeConfigParser
 
+import dns.resolver
+
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.plugins.ldap2 import ldap2
@@ -64,6 +67,9 @@ def add_options(cls, parser):
 parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
 metavar="FILE",
 help="location of CA PKCS#12 file, default /root/cacert.p12")
+parser.add_option('--no-wait-for-dns', dest='wait_for_dns',
+action='store_false', default=True,
+help="do not wait until the replica is resolvable in DNS")
 
 group = OptionGroup(parser, "SSL certificate options",
 "Only used if the server was installed using custom SSL certificates")
@@ -290,6 +296,9 @@ def run(self):
 if options.ip_address:
 self.add_dns_records()
 
+if options.wait_for_dns:
+self.wait_for_dns()
+
 def copy_ds_certificate(self):
 options = self.options
 
@@ -454,6 +463,46 @@ def add_dns_records(self):
 raise admintool.ScriptError(
 "Could not add reverse DNS record for the replica: %s" % e)
 
+def check_dns(self, replica_fqdn):
+"""Return true if the replica hostname is resolvable"""
+resolver = dns.resolver.Resolver()
+exceptions = dns.resolver.NXDOMAIN, dns.resolver.NoAnswer
+
+try:
+dns_answer = resolver.query(replica_fqdn, 'A', 'IN')
+except exceptions:
+try:
+dns_answer = resolver.query(replica_fqdn, '', 'IN')
+except exceptions:
+return False
+
+return True
+
+def wait_for_dns(self):
+options = self.options
+
+# Make sure replica_fqdn has a trailing dot, so the
+# 'search' directive in /etc/resolv.conf doesn't apply
+replica_fqdn = self.replica_fqdn
+if not replica_fqdn.endswith('.'):
+replica_fqdn += '.'
+
+if self.check_dns(replica_fqdn):
+self.log.debug('%s A/ record resolvable', replica_fqdn)
+return
+
+self.log.info('Waiting for %s A or  record to be resolvable',
+  replica_fqdn)
+print 'This can be safely interrupted (Ctrl+C)'
+
+try:
+while not self.check_dns(replica_fqdn):
+time.sleep(1)
+
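Review bot: the `exceptions` tuple in check_dns covers only `dns.resolver.NXDOMAIN` and `dns.resolver.NoAnswer`, so a `dns.resolver.Timeout` or `dns.resolver.NoNameservers` raised while the new record is still propagating (or while the resolver is briefly unreachable) escapes check_dns and aborts ipa-replica-prepare with a traceback instead of continuing the wait loop. Suggest `exceptions = (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.Timeout, dns.resolver.NoNameservers)`. The `dns_answer` variables are never read and can go.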

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-24 Thread Petr Spacek

On 24.9.2014 13:47, Petr Viktorin wrote:

On 09/23/2014 06:00 PM, Petr Spacek wrote:

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?


Oh yes, please add a time.sleep() call :-)


Wow, no idea how that slipped out. Thanks for the catch.


Also, I would like to see a more detailed message:
+self.log.info('Waiting for hostname %s to be resolvable',
+  self.replica_fqdn)

=> 'Waiting for hostname %s to be resolvable to A or AAAA record'




Really? Shouldn't the term "resolvable" already have that covered? Good
software should work on all network types, whether it is IPv4, IPv6 or
IPv8. So I personally do not think we need to be that specific and can
stick to the original proposal.


I will agree with you if you post magic code which will work with DNS
records for IPv8 :-) The code is not going to work with IPv8 just
because we didn't mention 'A/AAAA' in the error message; the A and AAAA
RRtypes are hardcoded in the code.


+1; we're checking A and AAAA so that's what we should say we're doing.

Is this wording OK?

Little NACK. (However, the wording is fine.)

Tcpdump revealed this:

IP vm-117.test.34067 > vm-133.test.domain: 38467+ A? vm-092.test. (51)
IP vm-133.test.domain > vm-117.test.34067: 38467 NXDomain* 0/1/0 (116)
IP vm-117.test.36006 > vm-133.test.domain: 20194+ A? vm-092.test.ipa.example. (63)
IP vm-133.test.domain > vm-117.test.36006: 20194 NXDomain* 0/1/0 (143)
IP vm-117.test.51333 > vm-133.test.domain: 34027+ AAAA? vm-092.test. (51)
IP vm-133.test.domain > vm-117.test.51333: 34027 NXDomain* 0/1/0 (116)
IP vm-117.test.60373 > vm-133.test.domain: 45679+ AAAA? vm-092.test.ipa.example. (63)

You can see that the query for each A/AAAA type is repeated twice, the
second time with the 'ipa.example.' suffix.

This is caused by search list processing (the search directive in
/etc/resolv.conf) and is highly undesirable. (Read this [1] e-mail if
you want to hear it from Paul Vixie.)

The fix is simple: you have to be sure that self.replica_fqdn is
actually an absolute FQDN, with the trailing period.

A naive solution would be to use
dns_answer = resolver.query(self.replica_fqdn + '.', 'A', 'IN')
but I don't know whether the self.replica_fqdn variable can contain a
trailing period or not.

Mbasti can show you more advanced code snippets using 'dns.name'.

[1]
https://lists.dns-oarc.net/pipermail/dns-operations/2014-September/012157.html


Does this version look good?


LGTM except one nitpick I didn't see before:


+if not options.wait_for_dns or self.check_dns(replica_fqdn):
+self.log.debug('%s A/ record resolvable', replica_fqdn)
+return


This will print the message
'%s A/ record resolvable', replica_fqdn
even if I use the switch --no-wait-for-dns

This is sooo minor that it can be deferred; please open a ticket if you
don't plan to send a new version of the patch.


--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-24 Thread Petr Viktorin

On 09/23/2014 06:00 PM, Petr Spacek wrote:

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?


Oh yes, please add a time.sleep() call :-)


Wow, no idea how that slipped out. Thanks for the catch.


Also, I would like to see a more detailed message:
+self.log.info('Waiting for hostname %s to be resolvable',
+  self.replica_fqdn)

=> 'Waiting for hostname %s to be resolvable to A or AAAA record'




Really? Shouldn't the term "resolvable" already have that covered? Good
software should work on all network types, whether it is IPv4, IPv6 or
IPv8. So I personally do not think we need to be that specific and can
stick to the original proposal.


I will agree with you if you post magic code which will work with DNS
records for IPv8 :-) The code is not going to work with IPv8 just
because we didn't mention 'A/AAAA' in the error message; the A and AAAA
RRtypes are hardcoded in the code.


+1; we're checking A and AAAA so that's what we should say we're doing.

Is this wording OK?

Little NACK. (However, the wording is fine.)

Tcpdump revealed this:

IP vm-117.test.34067 > vm-133.test.domain: 38467+ A? vm-092.test. (51)
IP vm-133.test.domain > vm-117.test.34067: 38467 NXDomain* 0/1/0 (116)
IP vm-117.test.36006 > vm-133.test.domain: 20194+ A? vm-092.test.ipa.example. (63)
IP vm-133.test.domain > vm-117.test.36006: 20194 NXDomain* 0/1/0 (143)
IP vm-117.test.51333 > vm-133.test.domain: 34027+ AAAA? vm-092.test. (51)
IP vm-133.test.domain > vm-117.test.51333: 34027 NXDomain* 0/1/0 (116)
IP vm-117.test.60373 > vm-133.test.domain: 45679+ AAAA? vm-092.test.ipa.example. (63)

You can see that the query for each A/AAAA type is repeated twice, the
second time with the 'ipa.example.' suffix.

This is caused by search list processing (the search directive in
/etc/resolv.conf) and is highly undesirable. (Read this [1] e-mail if
you want to hear it from Paul Vixie.)

The fix is simple: you have to be sure that self.replica_fqdn is
actually an absolute FQDN, with the trailing period.

A naive solution would be to use
dns_answer = resolver.query(self.replica_fqdn + '.', 'A', 'IN')
but I don't know whether the self.replica_fqdn variable can contain a
trailing period or not.

Mbasti can show you more advanced code snippets using 'dns.name'.

[1]
https://lists.dns-oarc.net/pipermail/dns-operations/2014-September/012157.html


Does this version look good?


--
Petr³
From 95cb012079bf6ad83498cf113bcb78a8bcd61a07 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 19 Sep 2014 15:57:44 +0200
Subject: [PATCH] ipa-replica-prepare: Wait for the DNS entry to be resolvable

It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.

Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.

In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).

https://fedorahosted.org/freeipa/ticket/4551
---
 ipaserver/install/ipa_replica_prepare.py | 48 
 1 file changed, 48 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index c1ced3dcbcf9b619285347efff31ced335f397ce..1a10eed94907c66ee9629bb99a3144365a9387df 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -21,9 +21,12 @@
 import os
 import shutil
 import tempfile
+import time
 from optparse import OptionGroup
 from ConfigParser import SafeConfigParser
 
+import dns.resolver
+
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.plugins.ldap2 import ldap2
@@ -64,6 +67,9 @@ def add_options(cls, parser):
 parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
 metavar="FILE",
 help="location of CA PKCS#12 file, default /root/cacert.p12")
+parser.add_option('--no-wait-for-dns', dest='wait_for_dns',
+action='store_false', default=True,
+help="do not wait until the replica is resolvable in DNS")
 
 group = OptionGroup(parser, "SSL certificate options",
 "Only used if the server was installed using custom SSL certificate

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-23 Thread Petr Spacek

On 22.9.2014 14:09, Petr Viktorin wrote:

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?


Oh yes, please add a time.sleep() call :-)


Wow, no idea how that slipped out. Thanks for the catch.


Also, I would like to see a more detailed message:
+self.log.info('Waiting for hostname %s to be resolvable',
+  self.replica_fqdn)

=> 'Waiting for hostname %s to be resolvable to A or AAAA record'




Really? Shouldn't the term "resolvable" already have that covered? Good
software should work on all network types, whether it is IPv4, IPv6 or
IPv8. So I personally do not think we need to be that specific and can
stick to the original proposal.


I will agree with you if you post magic code which will work with DNS
records for IPv8 :-) The code is not going to work with IPv8 just
because we didn't mention 'A/AAAA' in the error message; the A and AAAA
RRtypes are hardcoded in the code.


+1; we're checking A and AAAA so that's what we should say we're doing.

Is this wording OK?

Little NACK. (However, the wording is fine.)

Tcpdump revealed this:

IP vm-117.test.34067 > vm-133.test.domain: 38467+ A? vm-092.test. (51)
IP vm-133.test.domain > vm-117.test.34067: 38467 NXDomain* 0/1/0 (116)
IP vm-117.test.36006 > vm-133.test.domain: 20194+ A? vm-092.test.ipa.example. (63)
IP vm-133.test.domain > vm-117.test.36006: 20194 NXDomain* 0/1/0 (143)
IP vm-117.test.51333 > vm-133.test.domain: 34027+ AAAA? vm-092.test. (51)
IP vm-133.test.domain > vm-117.test.51333: 34027 NXDomain* 0/1/0 (116)
IP vm-117.test.60373 > vm-133.test.domain: 45679+ AAAA? vm-092.test.ipa.example. (63)

You can see that the query for each A/AAAA type is repeated twice, the second
time with the 'ipa.example.' suffix.

This is caused by search list processing (the search directive in
/etc/resolv.conf) and is highly undesirable. (Read this [1] e-mail if you want
to hear it from Paul Vixie.)

The fix is simple: you have to be sure that self.replica_fqdn is actually an
absolute FQDN, with the trailing period.

A naive solution would be to use
dns_answer = resolver.query(self.replica_fqdn + '.', 'A', 'IN')
but I don't know whether the self.replica_fqdn variable can contain a trailing
period or not.

Mbasti can show you more advanced code snippets using 'dns.name'.

[1] 
https://lists.dns-oarc.net/pipermail/dns-operations/2014-September/012157.html

--
Petr^2 Spacek

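The search-list problem Petr Spacek describes above, together with the exception handling debated elsewhere in the thread (NXDOMAIN and NoAnswer versus Timeout versus a YXDOMAIN answer), as an added stand-alone Python 3 example that is not part of the FreeIPA patch or of the project's code: the A/AAAA check is sent in DNS wire format over a plain UDP socket, so no stub-resolver search list can ever append a suffix, statuses other than "not there yet" are raised instead of being reported as resolvable or polled forever, and the wait loop has a deadline rather than relying on Ctrl+C. The resolver address in wire_status is an assumed placeholder, and the status/check/sleep hooks exist only so the logic can be exercised offline with constructed packets.

```python
# Added example (Python 3, stdlib only); not code from the FreeIPA patch.
import random
import socket
import struct
import time

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 6: "YXDOMAIN"}
RETRY_STATUSES = ("NXDOMAIN", "NOANSWER", "TIMEOUT", "SERVFAIL")  # "not there yet"


def absolute_name(fqdn):
    # Trailing dot: a stub resolver would otherwise append its search list.
    return fqdn if fqdn.endswith(".") else fqdn + "."


def encode_name(fqdn):
    # Length-prefixed labels terminated by a zero byte (RFC 1035 wire format).
    out = b""
    for label in absolute_name(fqdn).rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(fqdn, qtype, txid):
    # Standard query, RD=1, one question of class IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, rrs):
    # Constructed reply for offline tests: echo the question, add (type, rdata) answers.
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(rrs), 0, 0)
    body = query[12:]
    for rtype, rdata in rrs:  # 0xC00C = compression pointer to the question name
        body += struct.pack("!HHHIH", 0xC00C, rtype, 1, 60, len(rdata)) + rdata
    return header + body


def skip_name(data, off):
    # Return the offset just past a (possibly compressed) name starting at off.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data, txid, qtype):
    # "ok" if the answer section holds a record of qtype, otherwise a status name.
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    off = 12
    for _ in range(qd):  # question = name + qtype + qclass
        off = skip_name(data, off) + 4
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == qtype and rclass == 1:
            return "ok"
    return "NOANSWER"  # NOERROR without the asked type, cf. dns.resolver.NoAnswer


def wire_status(fqdn, qtype, server="127.0.0.1", timeout=2.0):
    # One UDP round trip; `server` is an assumed placeholder for the resolver to ask.
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(fqdn, qtype, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT"  # cf. dns.resolver.Timeout: keep polling, do not abort
    finally:
        sock.close()
    return parse_response(data, txid, qtype)


def check_dns(fqdn, status=wire_status):
    # True if an A or AAAA record exists, False if merely not there yet. Any other
    # status (YXDOMAIN, REFUSED, ...) is raised: neither "resolvable" nor polled forever.
    fqdn = absolute_name(fqdn)
    results = [status(fqdn, qtype) for qtype in (QTYPE_A, QTYPE_AAAA)]
    if "ok" in results:
        return True
    unexpected = [s for s in results if s not in RETRY_STATUSES]
    if unexpected:
        raise RuntimeError("unexpected DNS status for %s: %s" % (fqdn, unexpected))
    return False


def wait_for_dns(fqdn, timeout=300.0, interval=1.0, check=check_dns, sleep=time.sleep):
    # Poll once per `interval` until check() succeeds; return the attempt count,
    # or raise TimeoutError at the deadline instead of waiting for a Ctrl+C.
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        if check(fqdn):
            return attempts
        if time.monotonic() >= deadline:
            raise TimeoutError("%s not resolvable after %d attempts" % (fqdn, attempts))
        sleep(interval)
```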


Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-22 Thread Petr Viktorin

On 09/22/2014 01:48 PM, Petr Spacek wrote:

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?


Oh yes, please add a time.sleep() call :-)


Wow, no idea how that slipped out. Thanks for the catch.


Also, I would like to see a more detailed message:
+self.log.info('Waiting for hostname %s to be resolvable',
+  self.replica_fqdn)

=> 'Waiting for hostname %s to be resolvable to A or AAAA record'




Really? Shouldn't the term "resolvable" already have that covered? Good
software should work on all network types, whether it is IPv4, IPv6 or
IPv8. So I personally do not think we need to be that specific and can
stick to the original proposal.


I will agree with you if you post magic code which will work with DNS
records for IPv8 :-) The code is not going to work with IPv8 just
because we didn't mention 'A/AAAA' in the error message; the A and AAAA
RRtypes are hardcoded in the code.


+1; we're checking A and AAAA so that's what we should say we're doing.

Is this wording OK?


--
Petr³

From 29b751d5791a813f0faccda1c0640ca5a9c3f6df Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Fri, 19 Sep 2014 15:57:44 +0200
Subject: [PATCH] ipa-replica-prepare: Wait for the DNS entry to be resolvable

It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.

Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.

In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).

https://fedorahosted.org/freeipa/ticket/4551
---
 ipaserver/install/ipa_replica_prepare.py | 39 
 1 file changed, 39 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2e91ddd92d9eb9ccd690daa1c78d9027f1b0b965..5d3127c1399f18646c2f1c6ff51ed5eae117c0c1 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -21,9 +21,12 @@
 import os
 import shutil
 import tempfile
+import time
 from optparse import OptionGroup
 from ConfigParser import SafeConfigParser
 
+import dns.resolver
+
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.plugins.ldap2 import ldap2
@@ -64,6 +67,9 @@ def add_options(cls, parser):
 parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
 metavar="FILE",
 help="location of CA PKCS#12 file, default /root/cacert.p12")
+parser.add_option('--no-wait-for-dns', dest='wait_for_dns',
+action='store_false', default=True,
+help="do not wait until the replica is resolvable in DNS")
 
 group = OptionGroup(parser, "SSL certificate options",
 "Only used if the server was installed using custom SSL certificates")
@@ -290,6 +296,8 @@ def run(self):
 if options.ip_address:
 self.add_dns_records()
 
+self.wait_for_dns()
+
 def copy_ds_certificate(self):
 options = self.options
 
@@ -452,6 +460,37 @@ def add_dns_records(self):
 raise admintool.ScriptError(
 "Could not add reverse DNS record for the replica: %s" % e)
 
+def check_dns(self):
+"""Return true if the replica hostname is resolvable"""
+resolver = dns.resolver.Resolver()
+exceptions = dns.resolver.NXDOMAIN, dns.resolver.NoAnswer
+
+try:
+dns_answer = resolver.query(self.replica_fqdn, 'A', 'IN')
+except exceptions:
+try:
+dns_answer = resolver.query(self.replica_fqdn, '', 'IN')
+except exceptions:
+return False
+
+return True
+
+def wait_for_dns(self):
+options = self.options
+
+if not options.wait_for_dns or self.check_dns():
+return
+
+self.log.info('Waiting for %s A or  record to be resolvable',
+  self.replica_fqdn)
+print 'This can be safely interrupted (Ctrl+C)'
+
+try:
+while not self.check_dns():
+time.sleep(1)
+except KeyboardInterrupt:
+self.log.info('Interrupted')
+
 def copy_info_file(self, source, dest):
 """Copy a file into
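Review bot: check_dns queries self.replica_fqdn as given, without a trailing dot, so the stub resolver applies the search list from /etc/resolv.conf and every A and AAAA lookup is sent again with each search suffix appended (the doubled queries Petr Spacek's tcpdump shows later in this thread). Make the name absolute before querying, e.g. `name = self.replica_fqdn if self.replica_fqdn.endswith('.') else self.replica_fqdn + '.'`, or build it with dns.name. Separately, `while not self.check_dns(): time.sleep(1)` has no upper bound: in the automated installations the commit message is written for, nobody is at the console to press Ctrl+C, so a wrong or missing record stalls the run indefinitely unless --no-wait-for-dns was passed; a maximum wait that ends with a clear error message would be safer. The `dns_answer` variables are assigned but never read.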

Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-22 Thread Petr Spacek

On 22.9.2014 10:38, Martin Kosek wrote:

On 09/22/2014 10:31 AM, Petr Spacek wrote:

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?


Oh yes, please add a time.sleep() call :-)

Also, I would like to see a more detailed message:
+self.log.info('Waiting for hostname %s to be resolvable',
+  self.replica_fqdn)

=> 'Waiting for hostname %s to be resolvable to A or AAAA record'




Really? Shouldn't the term "resolvable" already have that covered? Good software
should work on all network types, whether it is IPv4, IPv6 or IPv8. So I
personally do not think we need to be that specific and can stick to the original
proposal.


I will agree with you if you post magic code which will work with DNS records
for IPv8 :-) The code is not going to work with IPv8 just because we didn't
mention 'A/AAAA' in the error message; the A and AAAA RRtypes are hardcoded in
the code.


My point is that the user should see exactly what IPA wants and thus
exactly why it failed.

Imagine that IPv8 is deployed and IPv8 addresses are stored in a new RR
type . Now somebody is installing/upgrading an old IPA installation and
it gets stuck on the 'Waiting for hostname %s to be resolvable' message.

So he runs the 'host new-replica.ipa.test.' command and it returns an
IPv8 address. And here is the WTF moment: 'The message tells me that the
name should be resolvable, it *is* resolvable, but it still doesn't work!'

This is exactly the problem I would like to address in the ticket
"[RFE] Make DNS error messages more clear - say exactly what is wrong"
https://fedorahosted.org/freeipa/ticket/3298

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-22 Thread Martin Kosek
On 09/22/2014 10:31 AM, Petr Spacek wrote:
> On 22.9.2014 10:14, Martin Kosek wrote:
>> On 09/19/2014 07:29 PM, Petr Viktorin wrote:
>>> https://fedorahosted.org/freeipa/ticket/4551
>>>
>>> See ticket & commit message for details.
>>
>> Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
>> hammer the DNS server with as many DNS queries as it can send?
> 
> Oh yes, please add a time.sleep() call :-)
> 
> Also, I would like to see a more detailed message:
> +self.log.info('Waiting for hostname %s to be resolvable',
> +  self.replica_fqdn)
> 
> => 'Waiting for hostname %s to be resolvable to A or AAAA record'



Really? Shouldn't the term "resolvable" already have that covered? Good software
should work on all network types, whether it is IPv4, IPv6 or IPv8. So I
personally do not think we need to be that specific and can stick to the original
proposal.

Martin



Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-22 Thread Petr Spacek

On 22.9.2014 10:14, Martin Kosek wrote:

On 09/19/2014 07:29 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4551

See ticket & commit message for details.


Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?


Oh yes, please add a time.sleep() call :-)

Also, I would like to see a more detailed message:
+self.log.info('Waiting for hostname %s to be resolvable',
+  self.replica_fqdn)

=> 'Waiting for hostname %s to be resolvable to A or AAAA record'

Thank you!

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

2014-09-22 Thread Martin Kosek
On 09/19/2014 07:29 PM, Petr Viktorin wrote:
> https://fedorahosted.org/freeipa/ticket/4551
> 
> See ticket & commit message for details.

Shouldn't we add a 1 sec sleep between tries? Wouldn't the current version just
hammer the DNS server with as many DNS queries as it can send?

Martin
