On Fri, 2011-10-07 at 11:25 +0200, Martin Kosek wrote:
> On Thu, 2011-10-06 at 22:59 -0400, Rob Crittenden wrote:
> > When installing with DNS we skip a few hostname checks on the assumption
> > that the DNS we are installing will cover things. We still need to
> > verify /etc/hosts and we do this with gethostbyname_ex() which returns
> > the primary name and all other names of the host. If the primary name
> > doesn't match (e.g. the shortname is defined first in /etc/hosts) or it
> > isn't resolvable at all then we error out.
> >
> > This also prevents a chicken-and-egg error as several services need to
> > start before DNS is available so the hostname must be defined.
> >
> > rob
>
> I see several problems with the patch. At first, it needs a rebase, I
> reworked the exceptions raised in verify_fqdn in #1899.
>
> Then, this patch would break several things:
>
> 1) Now, when we install a server with --setup-dns and the host is not
> resolvable, we add a record to /etc/hosts ourselves, so that the user is
> not obliged to hack /etc/hosts:
>
> # ipa-server-install --setup-dns
> ...
> Server host name [vm-050.idm.lab.bos.redhat.com]:
>
> Warning: skipping DNS resolution of host vm-050.idm.lab.bos.redhat.com
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [idm.lab.bos.redhat.com]:
>
> Unable to resolve IP address for host name
> Please provide the IP address to be used for this host name: 10.16.78.50
> Adding [10.16.78.50 vm-050.idm.lab.bos.redhat.com] to your /etc/hosts file
> <<<<<<
>
> The IPA Master Server will be configured with
> Hostname: vm-050.idm.lab.bos.redhat.com
> IP address: 10.16.78.50
> Domain name: idm.lab.bos.redhat.com
>
>
> 2) This will break ipa-replica-prepare. We cannot assume that only local
> host names are passed to verify_fqdn since it is also used for the new
> replica hostname check in ipa-replica-prepare:
>
> # ipa-replica-prepare vm-103.idm.lab.bos.redhat.com
> Directory Manager (existing master) password:
>
> The host name vm-103.idm.lab.bos.redhat.com is not resolvable. It must
> appear in at least /etc/hosts.
> Add the --ip-address argument to create a DNS entry.
>
> We must be very cautious in this function, there was already a BZ from
> RHEV-M guys which could be now broken:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=729357
>
> Martin
>
What about doing something like this (attached)? This would prevent a user
from installing IPA with a misconfigured /etc/hosts for both of the following
cases:

1.2.3.4 foo                    << just short name
1.2.3.4 foo foo.example.com    << short name is primary

It would still allow the user to configure IPA with --setup-dns without making
a record in /etc/hosts on his own.

Martin
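To make the /etc/hosts semantics that Rob's gethostbyname_ex() remark and Martin's two misconfigured cases rely on concrete, here is an added example that is not part of the thread or of FreeIPA. Instead of calling the real resolver it parses a constructed hosts(5) text, emulates the "first matching line wins" rule of gethostbyname_ex()/gethostbyaddr() against that text only, and applies the primary-name and reverse-lookup comparisons the patch introduces. The names parse_hosts, gethostbyname_ex, gethostbyaddr and check_fqdn are this example's own, and it is written for Python 3 rather than the Python 2 of the patch.

```python
import ipaddress

# Constructed sample /etc/hosts content (not taken from the thread). It holds the two
# misconfigured shapes from Martin's mail, one correct entry, and a duplicated address
# whose second name forward-resolves but does not reverse-resolve back to itself.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
1.2.3.4     foo                         # case 1: just the short name
1.2.3.5     bar bar.example.com         # case 2: short name is primary
1.2.3.6     baz.example.com baz         # correct: FQDN first, alias second
1.2.3.7     seven.example.com
1.2.3.7     other.example.com           # forward works, reverse gives seven.example.com
"""


def parse_hosts(text):
    """Parse hosts(5) text into (address, primary_name, aliases) tuples.

    Comments and blank lines are skipped; a line whose first field is not a valid
    IPv4/IPv6 address, or that carries no name, is ignored like the resolver does.
    """
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        entries.append((address, fields[1], fields[2:]))
    return entries


def _canon(name):
    """Host names compare case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def gethostbyname_ex(entries, host_name):
    """Emulate socket.gethostbyname_ex() against parsed /etc/hosts only.

    The first line listing the name (as primary or alias) wins; the result is
    (primary_name, aliases, [address]) or None when the name is absent.
    """
    wanted = _canon(host_name)
    for address, primary, aliases in entries:
        if wanted in [_canon(n) for n in [primary] + aliases]:
            return primary, aliases, [address]
    return None


def gethostbyaddr(entries, address):
    """Emulate socket.gethostbyaddr(): the first line for the address names it."""
    for entry_address, primary, aliases in entries:
        if entry_address == address:
            return primary, aliases, [address]
    return None


def check_fqdn(hosts_text, host_name):
    """Return (ok, message), applying the checks discussed in the thread in order:
    FQDN shape, presence in /etc/hosts, primary-name match, reverse-lookup match."""
    if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
        return False, "Invalid hostname '%s', must be fully-qualified." % host_name
    entries = parse_hosts(hosts_text)
    forward = gethostbyname_ex(entries, host_name)
    if forward is None:
        return False, ("The host name %s is not resolvable. It must appear in "
                       "at least /etc/hosts." % host_name)
    primary, _aliases, addresses = forward
    if _canon(primary) != _canon(host_name):
        return False, ("The host name %s does not match the primary host name %s. "
                       "Please check /etc/hosts." % (host_name, primary))
    reverse = gethostbyaddr(entries, addresses[0])
    found = reverse[0] if reverse else "<none>"
    if _canon(found) != _canon(host_name):
        return False, ("The host name %s does not match the reverse lookup %s for %s"
                       % (host_name, found, addresses[0]))
    return True, "%s resolves to %s and back" % (host_name, addresses[0])


if __name__ == "__main__":
    for name in ("foo.example.com", "bar.example.com", "baz.example.com",
                 "other.example.com", "seven.example.com"):
        print(check_fqdn(SAMPLE_HOSTS, name))
```

The duplicated 1.2.3.7 entries show why a reverse comparison adds something the primary-name check alone does not: other.example.com is the primary name on its own line, so gethostbyname_ex() is happy, but the address maps back to seven.example.com.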
>From 21483cbc41c687fae1944b9d46edca0ef5b13d2b Mon Sep 17 00:00:00 2001 From: Martin Kosek <[email protected]> Date: Fri, 7 Oct 2011 14:23:20 +0200 Subject: [PATCH] Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923 --- install/tools/ipa-replica-prepare | 2 +- install/tools/ipa-server-install | 13 +++++++++++++ ipaserver/install/installutils.py | 14 +++++++++++--- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 6b7130be9df262aee80c5e17201492fc4be01891..74c6d09296adb85dc8f66db35b61a413aad113c5 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -269,7 +269,7 @@ def main(): sys.exit("\nUnable to connect to LDAP server %s" % api.env.host) try: - installutils.verify_fqdn(replica_fqdn, system_name_check=False) + installutils.verify_fqdn(replica_fqdn, local_hostname=False) except BadHostError, e: msg = str(e) if isinstance(e, HostLookupError): diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 7839dbd9fd68cb16ec9ec1f8ea385f0feacb8f2e..45e3e999f0489f54b94181fac955800ef72ac051 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -41,6 +41,7 @@ import random import tempfile import nss.error from optparse import OptionGroup, OptionValueError +import socket from ipaserver.install import dsinstance from ipaserver.install import krbinstance 
@@ -784,6 +785,18 @@ def main(): logging.debug("read ip_address: %s\n" % str(ip)) ip_address = str(ip) + # check that if the address resolves, it resolves to this hostname + try: + revname = socket.gethostbyaddr(ip_address)[0] + + if revname != host_name: + print >>sys.stderr, "The host name %s does not match the reverse lookup %s for %s"\ + % (host_name, revname, ip_address) + print >>sys.stderr, "Please check your DNS or /etc/hosts file and restart the installation." + return 1 + except socket.gaierror: + pass + if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip): sys.exit(1) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 64d212282de5d54af71aa84fd1dba857ae60f519..a924e771a5e3d780a458b42337ba050d835dd7d8 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -129,7 +129,7 @@ def verify_dns_records(host_name, responses, resaddr, family): raise RuntimeError("The DNS forward record %s does not match the reverse address %s" % (rec.dns_name, rev.rdata.ptrdname)) -def verify_fqdn(host_name, no_host_dns=False, system_name_check=True): +def verify_fqdn(host_name, no_host_dns=False, local_hostname=True): """ Run fqdn checks for given host: - test hostname format @@ -140,7 +140,7 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True): :param host_name: The host name to verify. :param no_host_dns: If true, skip DNS resolution tests of the host name. - :param system_name_check: If true, check if the host name matches the system host name. + :param local_hostname: If true, run additional checks for local hostnames """ if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain": raise BadHostError("Invalid hostname '%s', must be fully-qualified." % host_name) 
@@ -151,7 +151,15 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True): if ipautil.valid_ip(host_name): raise BadHostError("IP address not allowed as a hostname") - if system_name_check: + if local_hostname: + try: + ex_name = socket.gethostbyaddr(host_name) + if host_name != ex_name[0]: + raise HostLookupError("The host name %s does not match the primary host name %s. "\ + "Please check /etc/hosts or DNS name resolution" % (host_name, ex_name[0])) + except socket.gaierror: + pass + system_host_name = socket.gethostname() if not (host_name + '.').startswith(system_host_name + '.'): print "Warning: The host name '%s' does not match the system host name '%s'." % (host_name, system_host_name) -- 1.7.6.4
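Review bot: in the ipa-server-install hunk (`@@ -784,6 +785,18 @@`), `except socket.gaierror: pass` does not cover the failure this check should tolerate: when the address has no reverse mapping (no PTR record and no /etc/hosts line), `socket.gethostbyaddr(ip_address)` raises socket.herror, not gaierror, so a forward-only setup would abort the installer with a traceback instead of skipping the check. Catch `(socket.gaierror, socket.herror)` or `socket.error`, their common base. Two smaller points in the same hunk: `revname != host_name` is case-sensitive although host names are not, so a hosts entry or PTR answer that differs only in case triggers a false error (lowercase both sides and strip a trailing dot); and `return 1` from main() is inconsistent with the `sys.exit(1)` used two lines below for the reverse-zone failure.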
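Review bot: the docstring text added in the `@@ -140,7 +140,7 @@` hunk, "If true, run additional checks for local hostnames", does not say what is checked, although callers such as ipa-replica-prepare now rely on turning it off; state it, e.g. "If true, also verify that the address the name resolves to maps back to the same primary host name (via /etc/hosts or DNS)", and add a matching bullet to the "Run fqdn checks for given host:" list at the top of the docstring.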
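Review bot: the `@@ -151,7 +151,15 @@` hunk in installutils.py has the same exception gap as the server-install one: `socket.gethostbyaddr(host_name)` raises socket.gaierror only when the forward lookup of host_name fails; when the name resolves but its address has no reverse mapping it raises socket.herror, which is not caught, so verify_fqdn would traceback instead of either passing or raising HostLookupError. Note also what the gaierror branch means for the first case in the covering mail ("1.2.3.4 foo", short name only): if foo.example.com does not resolve at all, the new block silently passes, and detection is left to the later resolution tests, which the docstring says are skipped with no_host_dns; the commit message says the check should run even then, so either document that limitation in a comment or raise HostLookupError on gaierror when local_hostname is set. Finally, `host_name != ex_name[0]` should compare case-insensitively, since hosts entries and DNS answers may differ in case.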
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
