[Freeipa-devel] [PATCH] 283 Improve address family handling in sockets

2012-07-04 Thread Martin Kosek
I did various tests with IPv4 and IPv6 and everything worked for me. I also
tried a mixed IPv4+IPv6 and IPv6-only environment and I was able to install an
IPv6-only replica without issues.

---

Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundant connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, because we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2695

-- 
Martin Kosek

Red Hat Software Engineer
Brno, Czech Republic

From fd534d0a892f05123789b8049f4993de6da2bb43 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Tue, 3 Jul 2012 16:49:10 +0200
Subject: [PATCH] Improve address family handling in sockets

Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundant connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, because we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2695
---
 install/tools/ipa-replica-conncheck   |   12 +--
 ipa-client/ipa-install/ipa-client-install |   51 
 ipapython/ipautil.py  |  128 +
 ipapython/nsslib.py   |   92 -
 ipaserver/install/dsinstance.py   |   11 ++-
 ipaserver/install/installutils.py |   30 ---
 6 files changed, 161 insertions(+), 163 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 6ec3be2a919c4a8a8a32cbf76f54b12d6652ff5e..8e4536cf67cafb907a3e330607a81b4bc034015b 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -236,15 +236,15 @@ class PortResponder(threading.Thread):
 self._stop_request = True
 
 def port_check(host, port_list):
-ip = installutils.resolve_host(host)
-
-if not ip:
-raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
-
 ports_failed = []
 ports_udp_warning = []  # conncheck could not verify that port is open
 for port in port_list:
-if ipautil.host_port_open(host, port.port, port.port_type, socket_timeout=CONNECT_TIMEOUT):
+try:
+port_open = ipautil.host_port_open(host, port.port,
+port.port_type, socket_timeout=CONNECT_TIMEOUT)
+except socket.gaierror:
+raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
+if port_open:
 result = "OK"
 else:
 if port.port_type == socket.SOCK_DGRAM:
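Review bot: In port_check, the new "except socket.gaierror:" branch discards the resolver's own error, so the RuntimeError always reads "Unable to resolve host name" whether the name does not exist or the lookup failed for another reason. Bind the exception and append its message to the RuntimeError text so the operator can tell these cases apart. Only socket.gaierror is handled here; it is worth confirming that ipautil.host_port_open catches other socket errors itself, otherwise they still surface from this loop as a traceback.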
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 4b8d826ddad4bdee3b352833225768fa8c5f05b5..1066e31ce2596b8b932bc4cdf868eceffed39cfb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -979,19 +979,36 @@ def configure_ss
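The getaddrinfo-based approach the commit message above describes, as an added Python 3 example (not code from the patch or from FreeIPA). The name host_port_open mirrors the thread but the body is written here and covers TCP only; bind_wildcard is a hypothetical name.

```python
import socket

def host_port_open(host, port, timeout=2.0):
    """TCP check: True if any address returned for host accepts a connection.
    socket.gaierror (name resolution failure) is left for the caller."""
    for family, stype, proto, _name, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        try:
            s = socket.socket(family, stype, proto)
        except OSError:
            continue  # family disabled on this system: try the next result
        try:
            s.settimeout(timeout)
            # sockaddr is passed through untouched; for IPv6 it already
            # carries flowinfo and scope_id.
            s.connect(sockaddr)
            return True
        except OSError:
            pass      # refused/unreachable on this family: try the next one
        finally:
            s.close()
    return False

def bind_wildcard(port):
    """Listening TCP socket on the wildcard address, IPv6 tried before IPv4."""
    infos = socket.getaddrinfo(None, port, socket.AF_UNSPEC,
                               socket.SOCK_STREAM, 0, socket.AI_PASSIVE)
    infos.sort(key=lambda ai: ai[0] != socket.AF_INET6)  # IPv6 entries first
    last_error = OSError("no usable address family")
    for family, stype, proto, _name, sockaddr in infos:
        try:
            s = socket.socket(family, stype, proto)
        except OSError as e:
            last_error = e
            continue
        try:
            if family == socket.AF_INET6:
                # Request dual-stack explicitly; the default is system-dependent.
                s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(sockaddr)
            s.listen(5)
            return s
        except OSError as e:
            last_error = e
            s.close()
    raise last_error
```

On a host with IPv6 disabled, both functions fall through to the IPv4 result instead of raising on the first failed family.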

Re: [Freeipa-devel] [PATCH] 283 Improve address family handling in sockets

2012-07-11 Thread Martin Kosek
On 07/04/2012 09:13 AM, Martin Kosek wrote:
> I did various tests with IPv4 and IPv6 and everything worked for me. I also
> tried a mixed IPv4+IPv6 and IPv6-only environment and I was able to install an
> IPv6-only replica without issues.
> 
> ---
> 
> Many functions use low-level socket interface for connection or
> various checks. However, most of the time we don't respect
> automatic address family detection but rather try to force our
> values. This may cause either redundant connection tries when an
> address family is disabled on system tries or even crashes
> when socket exceptions are not properly caught.
> 
> Instead of forcing address families to socket, rather use
> getaddrinfo interface to automatically retrieve a list of all
> relevant address families and other connection settings when
> connecting to remote/local machine or binding to a local port.
> Now, we will also fill correctly all connection parameters like
> flowinfo and scopeid for IPv6 connections which will for example
> prevent issues with scoped IPv6 addresses.
> 
> bind_port_responder function was changed to at first try to bind
> to IPv6 wildcard address before IPv4 as IPv6 socket is able to
> accept both IPv4 and IPv6 connections (unlike IPv4 socket).
> 
> nsslib connection was refactored to use nss.io.AddrInfo class to
> get all the available connections. Socket is now not created by
> default in NSSConnection class initializer, but rather when the
> actual connection is being made, because we do not an address family
> where connection is successful.
> 
> https://fedorahosted.org/freeipa/ticket/2695
> 

Attaching a rebased patch with updated comment - the patch also fixes issues in
ticket 2913.

I just found an easy way to reproduce an issue caused by incorrect address
family handling that can be tried during review:

1) Turn off IPv6 in your (Fedora) OS:
  - add "ipv6.disable=1" as kernel parameter in your kernel line in your
bootloader conf
  - add "NETWORKING_IPV6=no" to your /etc/sysconfig/network

2) Run "ipa-replica-conncheck -m " where  is a fqdn of some of
your running IPA servers. Current IPA version will produce a bunch of tracebacks,
patched IPA should work without any issue

Martin
From c0fea75c8d1efb1863ea98d299211faaaef372ff Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Tue, 3 Jul 2012 16:49:10 +0200
Subject: [PATCH] Improve address family handling in sockets

Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundant connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, because we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
---
 install/tools/ipa-replica-conncheck   |   12 +--
 ipa-client/ipa-install/ipa-client-install |   51 
 ipapython/ipautil.py  |  128 +
 ipapython/nsslib.py   |   92 -
 ipaserver/install/dsinstance.py   |   11 ++-
 ipaserver/install/installutils.py |   30 ---
 6 files changed, 161 insertions(+), 163 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 6ec3be2a919c4a8a8a32cbf76f54b12d6652ff5e..8e4536cf67cafb907a3e330607a81b4bc034015b 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -236,15 +236,15 @@ class PortResponder(threading.Thread):
 self._stop_request = True
 
 def port_check(host, port_list):
-ip = installutils.resolve_host(host)
-
-if not ip:
-raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
-
 ports_failed = []
 ports_udp_warning = []  # conncheck could not verify that port is open
 for port in port_list:
-if ipautil.host_port_open(host, port.port, port.port_type, socket_timeout=CONNECT_TIMEOUT):
+try:
+port_ope
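Review bot: The removed installutils.resolve_host() call at the top of port_check was the only name check made before the loop; with it gone, a call with an empty port_list no longer fails for an unresolvable host. If callers rely on that, keep a single resolution check before "for port in port_list:", or document that port_check only validates the host name when there is at least one port to test.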

Re: [Freeipa-devel] [PATCH] 283 Improve address family handling in sockets

2012-07-13 Thread Jan Cholasta

On 11.7.2012 10:34, Martin Kosek wrote:
> On 07/04/2012 09:13 AM, Martin Kosek wrote:
>> I did various tests with IPv4 and IPv6 and everything worked for me. I also
>> tried a mixed IPv4+IPv6 and IPv6-only environment and I was able to install an
>> IPv6-only replica without issues.
>>
>> ---
>>
>> Many functions use low-level socket interface for connection or
>> various checks. However, most of the time we don't respect
>> automatic address family detection but rather try to force our
>> values. This may cause either redundant connection tries when an
>> address family is disabled on system tries or even crashes
>> when socket exceptions are not properly caught.
>>
>> Instead of forcing address families to socket, rather use
>> getaddrinfo interface to automatically retrieve a list of all
>> relevant address families and other connection settings when
>> connecting to remote/local machine or binding to a local port.
>> Now, we will also fill correctly all connection parameters like
>> flowinfo and scopeid for IPv6 connections which will for example
>> prevent issues with scoped IPv6 addresses.
>>
>> bind_port_responder function was changed to at first try to bind
>> to IPv6 wildcard address before IPv4 as IPv6 socket is able to
>> accept both IPv4 and IPv6 connections (unlike IPv4 socket).
>>
>> nsslib connection was refactored to use nss.io.AddrInfo class to
>> get all the available connections. Socket is now not created by
>> default in NSSConnection class initializer, but rather when the
>> actual connection is being made, because we do not an address family
>> where connection is successful.
>>
>> https://fedorahosted.org/freeipa/ticket/2695
>
> Attaching a rebased patch with updated comment - the patch also fixes issues in
> ticket 2913.
>
> I just found an easy way to reproduce an issue caused by incorrect address
> family handling that can be tried during review:
>
> 1) Turn off IPv6 in your (Fedora) OS:
>    - add "ipv6.disable=1" as kernel parameter in your kernel line in your
> bootloader conf
>    - add "NETWORKING_IPV6=no" to your /etc/sysconfig/network
>
> 2) Run "ipa-replica-conncheck -m " where  is a fqdn of some of
> your running IPA servers. Current IPA version will produce a bunch of tracebacks,
> patched IPA should work without any issue
>
> Martin

ACK, both IPv4-only and IPv6-only installs work fine.

Honza

--
Jan Cholasta


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 283 Improve address family handling in sockets

2012-07-13 Thread Martin Kosek
On 07/13/2012 02:20 PM, Jan Cholasta wrote:
> On 11.7.2012 10:34, Martin Kosek wrote:
>> On 07/04/2012 09:13 AM, Martin Kosek wrote:
>>> I did various tests with IPv4 and IPv6 and everything worked for me. I also
>>> tried a mixed IPv4+IPv6 and IPv6-only environment and I was able to install an
>>> IPv6-only replica without issues.
>>>
>>> ---
>>>
>>> Many functions use low-level socket interface for connection or
>>> various checks. However, most of the time we don't respect
>>> automatic address family detection but rather try to force our
>>> values. This may cause either redundant connection tries when an
>>> address family is disabled on system tries or even crashes
>>> when socket exceptions are not properly caught.
>>>
>>> Instead of forcing address families to socket, rather use
>>> getaddrinfo interface to automatically retrieve a list of all
>>> relevant address families and other connection settings when
>>> connecting to remote/local machine or binding to a local port.
>>> Now, we will also fill correctly all connection parameters like
>>> flowinfo and scopeid for IPv6 connections which will for example
>>> prevent issues with scoped IPv6 addresses.
>>>
>>> bind_port_responder function was changed to at first try to bind
>>> to IPv6 wildcard address before IPv4 as IPv6 socket is able to
>>> accept both IPv4 and IPv6 connections (unlike IPv4 socket).
>>>
>>> nsslib connection was refactored to use nss.io.AddrInfo class to
>>> get all the available connections. Socket is now not created by
>>> default in NSSConnection class initializer, but rather when the
>>> actual connection is being made, because we do not an address family
>>> where connection is successful.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2695
>>>
>>
>> Attaching a rebased patch with updated comment - the patch also fixes issues in
>> ticket 2913.
>>
>> I just found an easy way to reproduce an issue caused by incorrect address
>> family handling that can be tried during review:
>>
>> 1) Turn off IPv6 in your (Fedora) OS:
>>    - add "ipv6.disable=1" as kernel parameter in your kernel line in your
>> bootloader conf
>>    - add "NETWORKING_IPV6=no" to your /etc/sysconfig/network
>>
>> 2) Run "ipa-replica-conncheck -m " where  is a fqdn of some of
>> your running IPA servers. Current IPA version will produce a bunch of
>> tracebacks, patched IPA should work without any issue
>>
>> Martin
>>
> 
> ACK, both IPv4-only and IPv6-only installs work fine.
> 
> Honza
> 

Thanks for thorough review. Pushed to master.

Martin
