From 12cafe49be52deca889c6a909f6451a464085b06 Mon Sep 17 00:00:00 2001

From: David Kupka <dkupka@redhat.com>

Date: Sun, 4 Jan 2015 15:04:18 -0500

Subject: [PATCH] client: Add support for multiple IP addresses during

 installation.

https://fedorahosted.org/freeipa/ticket/4249

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 ipa-client/ipa-install/ipa-client-install | 289 +++++++++++++++++++++++-------

 1 file changed, 223 insertions(+), 66 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install

index 91323ae115a27d221bcbc43fee887c56d99c8635..793de4fc950ad73b1d88f9ab4bd5178afc8b813d 100755

--- a/ipa-client/ipa-install/ipa-client-install

+++ b/ipa-client/ipa-install/ipa-client-install

@@ -32,6 +32,7 @@ try:

     from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError

     import shutil

     from krbV import Krb5Error

+    import dns

     import nss.nss as nss

     import SSSDConfig

@@ -180,9 +181,15 @@ def parse_options():

     basic_group.add_option("--configure-firefox", dest="configure_firefox",

                             action="store_true", default=False,

                             help="configure Firefox")

-    parser.add_option_group(basic_group)

     basic_group.add_option("--firefox-dir", dest="firefox_dir", default=None,

                             help="specify directory where Firefox is installed (for example: '/usr/lib/firefox')")

+    basic_group.add_option("--ip-address", dest="ip_addresses", default=[],

+        action="append", help="Specify IP address that should be added to DNS."

+        " This option can be used multiple times")

+    basic_group.add_option("--all-ip-addresses", dest="all_ip_addresses",

+        default=False, action="store_true", help="All routable IP"

+        " addresses configured on any inteface will be added to DNS")

+    parser.add_option_group(basic_group)

     sssd_group = OptionGroup(parser, "SSSD options")

     sssd_group.add_option("--permit", dest="permit",

@@ -223,6 +230,15 @@ def parse_options():

     if options.no_nisdomain and options.nisdomain:

         parser.error("--no-nisdomain cannot be used together with --nisdomain")

+    if options.ip_addresses:

+        if options.dns_updates:

+            parser.error("--ip-address cannot be used together with"

+                         " --enable-dns-updates")

+

+        if options.all_ip_addresses:

+            parser.error("--ip-address cannot be used together with"

+                         " --all-ip-addresses")

+

     return safe_opts, options

 def logging_setup(options):

@@ -1285,6 +1301,11 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie

     if options.dns_updates:

         domain.set_option('dyndns_update', True)

+        if options.all_ip_addresses:

+            domain.set_option('dyndns_iface', '*')

+        else:

+            iface = get_server_connection_interface(cli_server[0])

+            domain.set_option('dyndns_iface', iface)

     if options.krb5_offline_passwords:

         domain.set_option('krb5_store_password_if_offline', True)

@@ -1501,39 +1522,41 @@ def unconfigure_nisdomain():

         services.knownservices.domainname.disable()

-def resolve_ipaddress(server):

-    """ Connect to the server's LDAP port in order to determine what ip

-        address this machine uses as "public" ip (relative to the server).

-

-        Returns a tuple with the IP address and address family when

-        connection was successful. Socket error is raised otherwise.

-    """

-    last_socket_error = None

-

-    for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC,

-            socket.SOCK_STREAM):

-        af, socktype, proto, canonname, sa = res

-        try:

-            s = socket.socket(af, socktype, proto)

-        except socket.error, e:

-            last_socket_error = e

-            s = None

+def get_iface_from_ip(ip_addr):

+    ipresult = ipautil.run([paths.IP, '-oneline', 'address', 'show'])

+    for line in ipresult[0].split('\n'):

+        fields = line.split()

+        if len(fields) < 6:

             continue

-

+        if fields[2] not in ['inet', 'inet6']:

+            continue

+        (ip, mask) = fields[3].rsplit('/', 1)

+        if ip == ip_addr:

+            return fields[1]

+    else:

+        raise RuntimeError("IP %s not assigned to any interface." % ip_addr)

+

+

+def get_local_ipaddresses(iface=None):

+    args = [paths.IP, '-oneline', 'address', 'show']

+    if iface:

+        args += ['dev', iface]

+    ipresult = ipautil.run(args)

+    lines = ipresult[0].split('\n')

+    ips = []

+    for line in lines:

+        fields = line.split()

+        if len(fields) < 6:

+            continue

+        if fields[2] not in ['inet', 'inet6']:

+            continue

+        (ip, mask) = fields[3].rsplit('/', 1)

         try:

-            s.connect(sa)

-            sockname = s.getsockname()

-

-            # For both IPv4 and IPv6 own IP address is always the first item

-            return (sockname[0], af)

-        except socket.error, e:

-            last_socket_error = e

-        finally:

-            if s:

-                s.close()

+            ips.append(ipautil.CheckedIPAddress(ip))

+        except ValueError:

+            continue

+    return ips

-    if last_socket_error is not None:

-        raise last_socket_error  # pylint: disable=E0702

 def do_nsupdate(update_txt):

     root_logger.debug("Writing nsupdate commands to %s:", UPDATE_FILE)

@@ -1558,21 +1581,24 @@ def do_nsupdate(update_txt):

     return result

-UPDATE_TEMPLATE_A = """

-debug

+DELETE_TEMPLATE_A = """

 update delete $HOSTNAME. IN A

 show

 send

-update add $HOSTNAME. $TTL IN A $IPADDRESS

-show

-send

 """

-UPDATE_TEMPLATE_AAAA = """

-debug

+DELETE_TEMPLATE_AAAA = """

 update delete $HOSTNAME. IN AAAA

 show

 send

+"""

+ADD_TEMPLATE_A = """

+update add $HOSTNAME. $TTL IN A $IPADDRESS

+show

+send

+"""

+

+ADD_TEMPLATE_AAAA = """

 update add $HOSTNAME. $TTL IN AAAA $IPADDRESS

 show

 send

@@ -1581,46 +1607,174 @@ send

 UPDATE_FILE = paths.IPA_DNS_UPDATE_TXT

 CCACHE_FILE = paths.IPA_DNS_CCACHE

-def update_dns(server, hostname):

+def update_dns(server, hostname, options):

     try:

-        (ip, af) = resolve_ipaddress(server)

-    except socket.gaierror, e:

-        root_logger.debug("update_dns: could not connect to server: %s", e)

-        root_logger.error("Cannot update DNS records! "

-                          "Failed to connect to server '%s'.", server)

-        return

-

-    sub_dict = dict(HOSTNAME=hostname,

-                    IPADDRESS=ip,

-                    TTL=1200

-                )

-

-    if af == socket.AF_INET:

-        template = UPDATE_TEMPLATE_A

-    elif af == socket.AF_INET6:

-        template = UPDATE_TEMPLATE_AAAA

+        ips = get_local_ipaddresses()

+    except CalledProcessError as e:

+        root_logger.error("Cannot update DNS records. %s" % e)

+        root_logger.debug("Unable to get local IP addresses.")

+

+    if options.all_ip_addresses:

+        update_ips = ips

+    elif options.ip_addresses:

+        update_ips = []

+        for ip in options.ip_addresses:

+            update_ips.append(ipautil.CheckedIPAddress(ip))

     else:

-        root_logger.info("Failed to determine this machine's ip address.")

-        root_logger.warning("Failed to update DNS A record.")

+        try:

+            iface = get_server_connection_interface(server)

+        except RuntimeError as e:

+            root_logger.error("Cannot update DNS records. %s" % e)

+            return

+        try:

+            update_ips = get_local_ipaddresses(iface)

+        except CalledProcessError as e:

+            root_logger.error("Cannot update DNS records. %s" % e)

+            return

+

+    if not update_ips:

+        root_logger.info("Failed to determine this machine's ip address(es).")

         return

-    update_txt = ipautil.template_str(template, sub_dict)

+    update_txt = "debug\n"

+    update_txt += ipautil.template_str(DELETE_TEMPLATE_A,

+                                       dict(HOSTNAME=hostname))

+    update_txt += ipautil.template_str(DELETE_TEMPLATE_AAAA,

+                                       dict(HOSTNAME=hostname))

+

+    for ip in update_ips:

+        sub_dict = dict(HOSTNAME=hostname, IPADDRESS=ip, TTL=1200)

+        if ip.version == 4:

+            template = ADD_TEMPLATE_A

+        elif ip.version == 6:

+            template = ADD_TEMPLATE_AAAA

+        update_txt += ipautil.template_str(template, sub_dict)

+

+    if not do_nsupdate(update_txt):

+        root_logger.error("Failed to update DNS records.")

+    verify_dns_update(hostname, update_ips)

+

-    if do_nsupdate(update_txt):

-        root_logger.info("DNS server record set to: %s -> %s", hostname, ip)

+def verify_dns_update(fqdn, ips):

+    """

+    Verify that the fqdn resolves to all IP addresses and

+    that there's matching PTR record for every IP address.

+    """

+    # verify A/AAAA records

+    missing_ips = [str(ip) for ip in ips]

+    extra_ips = []

+    for record_type in [dns.rdatatype.A, dns.rdatatype.AAAA]:

+        root_logger.debug('DNS resolver: Query: %s IN %s' %

+                          (fqdn, dns.rdatatype.to_text(record_type)))

+        try:

+            answers = dns.resolver.query(fqdn, record_type)

+        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):

+            root_logger.debug('DNS resolver: No record.')

+        except dns.resolver.NoNameservers:

+            root_logger.debug('DNS resolver: No nameservers answered the'

+                              'query.')

+        except dns.exception.DNSException:

+            root_logger.debug('DNS resolver error.')

+        else:

+            for rdata in answers:

+                try:

+                    missing_ips.remove(rdata.address)

+                except ValueError:

+                    extra_ips.append(rdata.address)

+

+    # verify PTR records

+    fqdn_name = dns.name.from_text(fqdn)

+    wrong_reverse = {}

+    missing_reverse = [str(ip) for ip in ips]

+    for ip in ips:

+        ip_str = str(ip)

+        addr = dns.reversename.from_address(ip_str)

+        root_logger.debug('DNS resolver: Query: %s IN PTR' % addr)

+        try:

+            answers = dns.resolver.query(addr, dns.rdatatype.PTR)

+        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):

+            root_logger.debug('DNS resolver: No record.')

+        except dns.resolver.NoNameservers:

+            root_logger.debug('DNS resolver: No nameservers answered the'

+                              'query.')

+        except dns.exception.DNSException:

+            root_logger.debug('DNS resolver error.')

+        else:

+            missing_reverse.remove(ip_str)

+            for rdata in answers:

+                if not rdata.target == fqdn_name:

+                    wrong_reverse.setdefault(ip_str, []).append(rdata.target)

+

+    if missing_ips:

+        root_logger.warning('Missing A/AAAA record(s) for host %s: %s.' %

+                            (fqdn, ', '.join(missing_ips)))

+    if extra_ips:

+        root_logger.warning('Extra A/AAAA record(s) for host %s: %s.' %

+                            (fqdn, ', '.join(extra_ips)))

+    if missing_reverse:

+        root_logger.warning('Missing reverse record(s) for address(es): %s.' %

+                            ', '.join(missing_reverse))

+    if wrong_reverse:

+        root_logger.warning('Incorrect reverse record(s):')

+        for ip in wrong_reverse:

+            for target in wrong_reverse[ip]:

+                root_logger.warning('%s is pointing to %s instead of %s' %

+                                    (ip, target, fqdn_name))

+

+def get_server_connection_interface(server):

+    # connect to IPA server, get all ip addresses of inteface used to connect

+    for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, socket.SOCK_STREAM):

+        (af, socktype, proto, canonname, sa) = res

+        try:

+            s = socket.socket(af, socktype, proto)

+        except socket.error as e:

+            last_error = e

+            s = None

+            continue

+        try:

+            s.connect(sa)

+            sockname = s.getsockname()

+            ip = sockname[0]

+        except socket.error as e:

+            last_error = e

+            continue

+        finally:

+            if s:

+                s.close()

+        try:

+            return get_iface_from_ip(ip)

+        except (CalledProcessError, RuntimeError) as e:

+            last_error = e

     else:

-        root_logger.error("Failed to update DNS records.")

+        msg = "Cannot get server connection interface"

+        if last_error:

+            msg += ": %s" % (last_error)

+        raise RuntimeError(msg)

-def client_dns(server, hostname, dns_updates=False):

+

+def client_dns(server, hostname, options):

     dns_ok = ipautil.is_host_resolvable(hostname)

     if not dns_ok:

-        root_logger.warning("Hostname (%s) not found in DNS", hostname)

+        root_logger.warning("Hostname (%s) does not have A/AAAA record.",

+                            hostname)

+

+    if (options.dns_updates or options.all_ip_addresses or options.ip_addresses

+            or not dns_ok):

+        update_dns(server, hostname, options)

-    if dns_updates or not dns_ok:

-        update_dns(server, hostname)

+

+def check_ip_addresses(options):

+    if options.ip_addresses:

+        for ip in options.ip_addresses:

+            try:

+                ipautil.CheckedIPAddress(ip, match_local=True)

+            except ValueError as e:

+                root_logger.error(e)

+                return False

+    return True

 def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):

     if not os.path.isdir(ssh_dir):

@@ -2127,6 +2281,9 @@ def install(options, env, fstore, statestore):

     if not options.ca_cert_file and get_cert_path(options.ca_cert_file) == CACERT:

         root_logger.warning("Using existing certificate '%s'.", CACERT)

+    if not check_ip_addresses(options):

+        return CLIENT_INSTALL_ERROR

+

     # Create the discovery instance

     ds = ipadiscovery.IPADiscovery()

@@ -2717,7 +2874,7 @@ def install(options, env, fstore, statestore):

     root_logger.info("Added CA certificates to the default NSS database.")

     if not options.on_master:

-        client_dns(cli_server[0], hostname, options.dns_updates)

+        client_dns(cli_server[0], hostname, options)

         configure_certmonger(fstore, subject_base, cli_realm, hostname,

                              options, ca_enabled)

-- 

2.4.3