Sandro Bonazzola has uploaded a new change for review. Change subject: packaging: stricter FQDN validation ......................................................................
packaging: stricter FQDN validation common_utils.getConfiguredIps now returns only Ips configured on non loopback devices. engine_validators.validateFQDN now tolerates that the FQDN provided could not be resolved through a DNS but just only by /etc/hosts. However, if the FQDN is resolved by DNS, it has also to reverse resolve the ip address provided by the DNS. engine-setup doesn't accept anymore a FQDN that doesn't pass the validation, avoiding failures at later stages. Change-Id: I512446c80dfa9c83adb179a445bfae82736d403f Bug-Url: https://bugzilla.redhat.com/948311 Bug-Url: https://bugzilla.redhat.com/928667 Signed-off-by: Sandro Bonazzola <[email protected]> --- M packaging/fedora/setup/common_utils.py M packaging/fedora/setup/engine-setup.py M packaging/fedora/setup/engine_validators.py M packaging/fedora/setup/output_messages.py 4 files changed, 80 insertions(+), 40 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/33/13933/1 diff --git a/packaging/fedora/setup/common_utils.py b/packaging/fedora/setup/common_utils.py index dc33bcb..7987999 100755 --- a/packaging/fedora/setup/common_utils.py +++ b/packaging/fedora/setup/common_utils.py 
@@ -599,27 +599,49 @@ output, rc = execCmd(cmdList=cmd) return output + def getConfiguredIps(): try: - iplist=set() + iplist = set() cmd = [ basedefs.EXEC_IP, "addr", ] - output, rc = execCmd(cmdList=cmd, failOnError=True, msg=output_messages.ERR_EXP_GET_CFG_IPS_CODES) - ipaddrPattern=re.compile('\s+inet (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+') - list=output.splitlines() - for line in list: + output, rc = execCmd( + cmdList=cmd, + failOnError=True, + msg=output_messages.ERR_EXP_GET_CFG_IPS_CODES + ) + devicePattern = re.compile('^\d+:\s+(\w+)') + ipaddrPattern = re.compile( + '\s+inet (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+' + ) + loopbackPattern = re.compile('.+LOOPBACK.+') + lines = output.splitlines() + isLoopback = False + for line in lines: + foundDevice = devicePattern.search(line) + foundLoopback = loopbackPattern.search(line) + if foundDevice is not None: + if foundLoopback is not None: + logging.debug( + "found loopback device: {device}".format( + device=foundDevice.group(1) + ) + ) + isLoopback = True + else: + isLoopback = False foundIp = ipaddrPattern.search(line) - if foundIp: - if foundIp.group(1) != "127.0.0.1": - ipAddr = foundIp.group(1) - logging.debug("Found IP Address: %s"%(ipAddr)) - iplist.add(ipAddr) + if foundIp is not None and not isLoopback: + ipAddr = foundIp.group(1) + logging.debug("Found IP Address: %s"%(ipAddr)) + iplist.add(ipAddr) return iplist except: logging.error(traceback.format_exc()) raise Exception(output_messages.ERR_EXP_GET_CFG_IPS) + def getCurrentDateTime(isUtc=None): now = None if (isUtc is not None): diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py index 8204cf3..ccc4df0 100755 --- a/packaging/fedora/setup/engine-setup.py +++ b/packaging/fedora/setup/engine-setup.py 
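Review bot: The rewritten filter in getConfiguredIps drops the explicit `!= "127.0.0.1"` test and relies only on the `LOOPBACK` flag of the preceding device line, so a 127.0.0.0/8 address that `ip addr` lists under a device without that flag would now be returned as a usable host address. This set is presumably what validateFQDN compares resolved addresses against, so keeping both conditions is cheap: `if foundIp is not None and not isLoopback and not foundIp.group(1).startswith("127."):`. The parser also remains IPv4-only (`inet`, never `inet6`), which is worth stating in a docstring so callers do not assume IPv6 coverage. A short comment above the loop, such as `# isLoopback is set on a device header line and applies to the address lines that follow it`, would make the state carried across iterations explicit, and the three patterns would be safer as raw strings (`r'^\d+:\s+(\w+)'`).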
@@ -319,7 +319,7 @@ "VALIDATION_FUNC" :validate.validateFQDN, "DEFAULT_VALUE" :socket.getfqdn(), "MASK_INPUT" : False, - "LOOSE_VALIDATION": True, + "LOOSE_VALIDATION": False, "CONF_NAME" : "HOST_FQDN", "USE_DEFAULT" : False, "NEED_CONFIRM" : False, diff --git a/packaging/fedora/setup/engine_validators.py b/packaging/fedora/setup/engine_validators.py index 2486832..e2b4721 100644 --- a/packaging/fedora/setup/engine_validators.py +++ b/packaging/fedora/setup/engine_validators.py @@ -13,6 +13,8 @@ import tempfile import cracklib import uuid +import socket + from setup_controller import Controller def validateNFSMountPoint(param, options=[]): @@ -340,7 +342,7 @@ def validateFQDN(param, options=[]): - logging.info("Validating %s as a FQDN"%(param)) + logging.info("Validating %s as a FQDN on non loopback devices" % (param)) # Ensure that it isn't an IP address. if re.match("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", param): logging.error(output_messages.ERR_CANT_USE_IP_AS_FQDN % (param)) 
@@ -359,17 +361,29 @@ #resolve fqdn pattern = 'Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' resolvedAddresses = _getPatternFromNslookup(param, pattern) + resolvedFromDNS = False if len(resolvedAddresses) < 1: - logging.error("Failed to resolve %s"%(param)) - print output_messages.ERR_DIDNT_RESOLVED_IP%(param) - return False - + logging.error("Failed to resolve %s using DNS."%(param)) + try: + resolvedAddresses = set(socket.gethostbyname_ex(param)[2]) + except socket.error: + #can't be resolved by /etc/hosts + print output_messages.ERR_DIDNT_RESOLVED_IP%(param) + return False + logging.warning('%s can be resolved only locally!' % param) + else: + resolvedFromDNS = True #string is generated here since we use it in all latter error messages prettyString = " ".join(["%s"%string for string in resolvedAddresses]) #compare found IP with list of local IPs and match. if not resolvedAddresses.issubset(ipAddresses): - logging.error("the following address(es): %s are not configured on this host"%(prettyString)) + logging.error( + ( + "the following address(es): %s can't be mapped to " + "non loopback devices on this host" + ) %(prettyString) + ) #different grammar for plural and single if len(resolvedAddresses) > 1: print output_messages.ERR_IPS_NOT_CONFIGED%(prettyString, param) 
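Review bot: `socket.gethostbyname_ex` goes through the system resolver, which normally consults DNS as well as /etc/hosts, so reaching this fallback does not prove the name is defined only locally. The fallback is also reached whenever `_getPatternFromNslookup` returns an empty set for any other reason; its body is outside the hunk, so whether a missing binary or an unexpected output format lands here needs checking. Because `resolvedFromDNS` stays False on this path, the later hunk at -378 skips the PTR comparison for such names. The comment and warning should state only what is known, e.g. `# not resolvable through the system resolver (/etc/hosts, DNS, ...)` and `'%s was not resolved by nslookup; falling back to the system resolver'`. The preceding `logging.error("Failed to resolve %s using DNS.")` fits better as a warning now that the condition is tolerated; validateFQDN begins and ends outside this hunk.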
@@ -378,27 +392,28 @@ return False #reverse resolved IP and compare with given fqdn - counter = 0 - pattern = '[\w\.-]+\s+name\s\=\s([\w\.\-]+)\.' - for address in resolvedAddresses: - addressSet = _getPatternFromNslookup(address, pattern) - reResolvedAddress = None - revResolved = False - if len(addressSet) > 0: - reResolvedAddress = addressSet.pop() - if reResolvedAddress.lower() == param.lower(): - counter += 1 - revResolved = True - if not revResolved: - logging.warn("%s did not reverse-resolve into %s"%(address,param)) - if counter < 1: - logging.error("The following addresses: %s did not reverse resolve into %s"%(prettyString, param)) - #different grammar for plural and single - if len(resolvedAddresses) > 1: - print output_messages.ERR_IPS_HAS_NO_PTR%(prettyString, param) - else: - print output_messages.ERR_IP_HAS_NO_PTR%(prettyString, param) - return False + if resolvedFromDNS: + counter = 0 + pattern = '[\w\.-]+\s+name\s\=\s([\w\.\-]+)\.' + for address in resolvedAddresses: + addressSet = _getPatternFromNslookup(address, pattern) + reResolvedAddress = None + revResolved = False + if len(addressSet) > 0: + reResolvedAddress = addressSet.pop() + if reResolvedAddress.lower() == param.lower(): + counter += 1 + revResolved = True + if not revResolved: + logging.warn("%s did not reverse-resolve into %s"%(address,param)) + if counter < 1: + logging.error("The following addresses: %s did not reverse resolve into %s"%(prettyString, param)) + #different grammar for plural and single + if len(resolvedAddresses) > 1: + print output_messages.ERR_IPS_HAS_NO_PTR%(prettyString, param) + else: + print output_messages.ERR_IP_HAS_NO_PTR%(prettyString, param) + return False #conditions passed return True diff --git a/packaging/fedora/setup/output_messages.py b/packaging/fedora/setup/output_messages.py index ae75529..49ceeea 100644 --- a/packaging/fedora/setup/output_messages.py +++ b/packaging/fedora/setup/output_messages.py 
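Review bot: `addressSet.pop()` removes an arbitrary element, so when an address has more than one PTR name the comparison with `param` depends on which name happens to be popped, and a correctly configured FQDN can be rejected. Comparing against every returned name removes that dependence: `if any(name.lower() == param.lower() for name in addressSet):` followed by the existing `counter += 1` and `revResolved = True`, which also makes `reResolvedAddress` unnecessary. `logging.warn` is a deprecated alias; `logging.warning` is already used earlier in this same function. A one-line comment that a single matching address is enough (`counter < 1`) would document the intended strictness. The block is the tail of validateFQDN, which starts outside the hunk.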
@@ -373,8 +373,11 @@ #validate fqdn ERR_EXP_CANT_FIND_IP="Could not find any configured IP address" ERR_DIDNT_RESOLVED_IP="%s did not resolve into an IP address" -ERR_IPS_NOT_CONFIGED="Some or all of the IP addresses: (%s) which were resolved from the FQDN %s are not configured on any interface on this host" -ERR_IPS_NOT_CONFIGED_ON_INT="The IP (%s) which was resolved from the FQDN %s is not configured on any interface on this host" +ERR_IPS_NOT_CONFIGED="Some or all of the IP addresses: (%s) which were \ +resolved from the FQDN %s are not configured on any non loopback interface \ +on this host" +ERR_IPS_NOT_CONFIGED_ON_INT="The IP (%s) which was resolved from the FQDN %s \ +is not configured on any non loopback interface on this host" ERR_IPS_HAS_NO_PTR="None of the IP addresses on this host(%s) holds a PTR record for the FQDN: %s" ERR_IP_HAS_NO_PTR="The IP %s does not hold a PTR record for the FQDN: %s" ERR_CANT_USE_IP_AS_FQDN="%s is an IP address and not a FQDN. A FQDN is needed \ -- To view, visit http://gerrit.ovirt.org/13933 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I512446c80dfa9c83adb179a445bfae82736d403f Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Sandro Bonazzola <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
