Fix ipa-server-install for dual NICs

A server may have 2 or more NICs and its hostname may thus resolve
to 2 and more forward addresses. IP address checks in install
scripts does not expect this setup and may fail or crash.

This script adds a support for multiple forward addresses for
a hostname. The install scripts do not crash now. When one IP
address is needed, user is asked to choose from all detected
server IP addresses.

https://fedorahosted.org/freeipa/ticket/2154

install/tools/ipa-dns-install

@@ -147,7 +147,26 @@ def main():
     else:
         hostaddr = resolve_host(api.env.host)
         try:
-            ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True)
+            if len(hostaddr) > 1:
+                print >> sys.stderr, "The server hostname resolves to more than one address:"
+                for addr in hostaddr:
+                    print >> sys.stderr, "  %s" % addr
+
+                if options.ip_address:
+                    if str(options.ip_address) not in hostaddr:
+                        print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
+                        print >> sys.stderr, "address!"
+                        sys.exit(1)
+                    print "Selected IP address:", str(options.ip_address)
+                    ip = options.ip_address
+                else:
+                    if options.unattended:
+                        print >> sys.stderr, "Please use --ip-address option to specify the address"
+                        sys.exit(1)
+                    else:
+                        ip = read_ip_address(api.env.host, fstore)
+            else:
+                ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
         except Exception, e:
             print "Error: Invalid IP Address %s: %s" % (ip, e)
             ip = None

install/tools/ipa-replica-conncheck

@@ -237,7 +237,7 @@ class PortResponder(threading.Thread):
 def port_check(host, port_list):
     ip = installutils.resolve_host(host)
 
-    if ip is None:
+    if not ip:
         raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
 
     failed_ports = []

install/tools/ipa-replica-install

@@ -200,27 +200,22 @@ def install_bind(config, options):
     else:
         forwarders = ()
     bind = bindinstance.BindInstance(dm_password=config.dirman_password)
-    ip_address = resolve_host(config.host_name)
-    if not ip_address:
-        sys.exit("Unable to resolve IP address for host name")
-    ip = ipautil.CheckedIPAddress(ip_address, match_local=True)
-    ip_address = str(ip)
 
     if options.reverse_zone:
-        if not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
+        if not bindinstance.verify_reverse_zone(options.reverse_zone, config.ip):
             sys.exit(1)
         reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
     else:
-        reverse_zone = bindinstance.find_reverse_zone(ip)
+        reverse_zone = bindinstance.find_reverse_zone(config.ip)
         if reverse_zone is None and not options.no_reverse:
-            reverse_zone = bindinstance.get_reverse_zone_default(ip)
+            reverse_zone = bindinstance.get_reverse_zone_default(config.ip)
             if not options.unattended and bindinstance.create_reverse():
-                reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
+                reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip)
 
     if reverse_zone is not None:
         print "Using reverse zone %s" % reverse_zone
 
-    bind.setup(config.host_name, ip_address, config.realm_name,
+    bind.setup(config.host_name, config.ip_address, config.realm_name,
                config.domain_name, forwarders, options.conf_ntp, reverse_zone)
     bind.create_instance()
 
@@ -240,14 +235,9 @@ def install_dns_records(config, options):
                               bind_pw=config.dirman_password,
                               tls_cacertfile=CACERT)
     bind = bindinstance.BindInstance(dm_password=config.dirman_password)
-    ip_address = resolve_host(config.host_name)
-    if not ip_address:
-        sys.exit("Unable to resolve IP address for host name")
-    ip = ipautil.CheckedIPAddress(ip_address, match_local=True)
-    ip_address = str(ip)
-    reverse_zone = bindinstance.find_reverse_zone(ip)
+    reverse_zone = bindinstance.find_reverse_zone(config.ip)
 
-    bind.add_master_dns_records(config.host_name, ip_address,
+    bind.add_master_dns_records(config.host_name, config.ip_address,
                                 config.realm_name, config.domain_name,
                                 reverse_zone, options.conf_ntp)
 
@@ -341,7 +331,8 @@ def main():
         replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.setup_ca, options.admin_password)
 
     # check replica host IP resolution
-    ip = installutils.get_server_ip_address(config.host_name, fstore, True, options)
+    config.ip = installutils.get_server_ip_address(config.host_name, fstore, True, options)
+    config.ip_address = str(config.ip)
 
     # Create the management framework config file
     # Note: We must do this before bootstraping and finalizing ipalib.api

ipapython/dnsclient.py

@@ -40,6 +40,11 @@ DNS_T_AAAA = 28
 DNS_T_SRV = 33
 DNS_T_ANY = 255
 
+DNS_S_QUERY = 1
+DNS_S_ANSWER = 2
+DNS_S_AUTHORITY = 3
+DNS_S_ADDITIONAL = 4
+
 DEBUG_DNSCLIENT = False
 
 class DNSQueryHeader:
@@ -105,6 +110,7 @@ class DNSResult:
 		self.dns_ttl = 0
 		self.dns_rlength = 0
 		self.rdata = None
+		self.section = None
 
 	def unpack(self, data):
 		(self.dns_type, self.dns_class, self.dns_ttl,
@@ -398,47 +404,51 @@ def dnsParseResults(results):
 			print "Queried for '%s', class = %d, type = %d." % (label,
 				qq.dns_class, qq.dns_type)
 
-	for i in xrange(header.dns_ancount + header.dns_nscount + header.dns_arcount):
-		(rest, label) = dnsParseLabel(rest, results)
-		if label is None:
-			return []
+	for (rec_count, section_id) in ((header.dns_ancount, DNS_S_ANSWER),
+									(header.dns_nscount, DNS_S_AUTHORITY),
+									(header.dns_arcount, DNS_S_ADDITIONAL)):
+		for i in xrange(rec_count):
+			(rest, label) = dnsParseLabel(rest, results)
+			if label is None:
+				return []
 
-		rr = DNSResult()
+			rr = DNSResult()
 
-		rr.dns_name = label
+			rr.dns_name = label
+			rr.section = section_id
 
-		if len(rest) < rr.size():
-			return []
+			if len(rest) < rr.size():
+				return []
 
-		rr.unpack(rest)
-		
-		rest = rest[rr.size():]
+			rr.unpack(rest)
 
-		if DEBUG_DNSCLIENT:
-			print "Answer %d for '%s', class = %d, type = %d, ttl = %d." % (i,
-				rr.dns_name, rr.dns_class, rr.dns_type,
-				rr.dns_ttl)
+			rest = rest[rr.size():]
 
-		if len(rest) < rr.dns_rlength:
 			if DEBUG_DNSCLIENT:
-				print "Answer too short."
-			return []
-		
-		fmap = { DNS_T_A: dnsParseA, DNS_T_NS: dnsParseNS,
-			DNS_T_CNAME: dnsParseCNAME, DNS_T_SOA: dnsParseSOA,
-			DNS_T_NULL: dnsParseNULL, DNS_T_WKS: dnsParseWKS,
-			DNS_T_PTR: dnsParsePTR, DNS_T_HINFO: dnsParseHINFO,
-			DNS_T_MX: dnsParseMX, DNS_T_TXT: dnsParseTXT,
-			DNS_T_AAAA : dnsParseAAAA, DNS_T_SRV: dnsParseSRV}
+				print "Answer %d for '%s', class = %d, type = %d, ttl = %d." % (i,
+					rr.dns_name, rr.dns_class, rr.dns_type,
+					rr.dns_ttl)
 
-		if not rr.dns_type in fmap:
-			if DEBUG_DNSCLIENT:
-				print "Don't know how to parse RR type %d!" %	rr.dns_type
-		else:
-			rr.rdata = fmap[rr.dns_type](rest[:rr.dns_rlength], results)
+			if len(rest) < rr.dns_rlength:
+				if DEBUG_DNSCLIENT:
+					print "Answer too short."
+				return []
 
-		rest = rest[rr.dns_rlength:]
-		rrlist += [rr]
+			fmap = { DNS_T_A: dnsParseA, DNS_T_NS: dnsParseNS,
+				DNS_T_CNAME: dnsParseCNAME, DNS_T_SOA: dnsParseSOA,
+				DNS_T_NULL: dnsParseNULL, DNS_T_WKS: dnsParseWKS,
+				DNS_T_PTR: dnsParsePTR, DNS_T_HINFO: dnsParseHINFO,
+				DNS_T_MX: dnsParseMX, DNS_T_TXT: dnsParseTXT,
+				DNS_T_AAAA : dnsParseAAAA, DNS_T_SRV: dnsParseSRV}
+
+			if not rr.dns_type in fmap:
+				if DEBUG_DNSCLIENT:
+					print "Don't know how to parse RR type %d!" %	rr.dns_type
+			else:
+				rr.rdata = fmap[rr.dns_type](rest[:rr.dns_rlength], results)
+
+			rest = rest[rr.dns_rlength:]
+			rrlist += [rr]
 
 	return rrlist
 

ipaserver/install/bindinstance.py

@@ -197,7 +197,13 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_addres
             raise errors.NotFound("No IPA server with DNS support found!")
         ns_main = dns_masters.pop(0)
         ns_replicas = dns_masters
-        ns_ip_address = resolve_host(ns_main)
+        addresses = resolve_host(ns_main)
+
+        if len(addresses) > 0:
+            # use the first address
+            ns_ip_address = addresses[0]
+        else:
+            ns_ip_address = None
     else:
         ns_main = ns_hostname
         ns_replicas = []
@@ -230,7 +236,13 @@ def add_reverse_zone(zone, ns_hostname=None, ns_ip_address=None,
             raise errors.NotFound("No IPA server with DNS support found!")
         ns_main = dns_masters.pop(0)
         ns_replicas = dns_masters
-        ns_ip_address = resolve_host(ns_main)
+        addresses = resolve_host(ns_main)
+
+        if len(addresses) > 0:
+            # use the first address
+            ns_ip_address = addresses[0]
+        else:
+            ns_ip_address = None
     else:
         ns_main = ns_hostname
         ns_replicas = []

ipaserver/install/installutils.py

@@ -90,27 +90,35 @@ def verify_dns_records(host_name, responses, resaddr, family):
     if family not in familykw.keys():
         raise RuntimeError("Unknown faimily %s\n" % family)
 
-    rec = None
+    rec_list = []
     for rsn in responses:
-        if rsn.dns_type == familykw[family]['dns_type']:
-            rec = rsn
-            break
+        if rsn.section == dnsclient.DNS_S_ANSWER and \
+                rsn.dns_type == familykw[family]['dns_type']:
+            rec_list.append(rsn)
 
-    if rec == None:
+    if not rec_list:
         raise IOError(errno.ENOENT,
                       "Warning: Hostname (%s) not found in DNS" % host_name)
 
     if family == 'ipv4':
-        familykw[family]['address'] = socket.inet_ntop(socket.AF_INET,
-                                                       struct.pack('!L',rec.rdata.address))
+        familykw[family]['address'] = [socket.inet_ntop(socket.AF_INET,
+                                                        struct.pack('!L',rec.rdata.address)) \
+                                                                for rec in rec_list]
     else:
-        familykw[family]['address'] = socket.inet_ntop(socket.AF_INET6,
-                                                       struct.pack('!16B', *rec.rdata.address))
+        familykw[family]['address'] = [socket.inet_ntop(socket.AF_INET6,
+                                                        struct.pack('!16B', *rec.rdata.address)) \
+                                                                for rec in rec_list]
 
     # Check that DNS address is the same is address returned via standard glibc calls
-    dns_addr = netaddr.IPAddress(familykw[family]['address'])
-    if dns_addr.format() != resaddr:
-        raise RuntimeError("The network address %s does not match the DNS lookup %s. Check /etc/hosts and ensure that %s is the IP address for %s" % (dns_addr.format(), resaddr, dns_addr.format(), host_name))
+    dns_addrs = [netaddr.IPAddress(addr) for addr in familykw[family]['address']]
+    dns_addr = None
+    for addr in dns_addrs:
+        if addr.format() == resaddr:
+            dns_addr = addr
+            break
+
+    if dns_addr is None:
+        raise RuntimeError("Host address %s does not match any address in DNS lookup."  % resaddr)
 
     rs = dnsclient.query(dns_addr.reverse_dns, dnsclient.DNS_C_IN, dnsclient.DNS_T_PTR)
     if len(rs) == 0:
@@ -498,14 +506,19 @@ def resolve_host(host_name):
     try:
         addrinfos = socket.getaddrinfo(host_name, None,
                                        socket.AF_UNSPEC, socket.SOCK_STREAM)
+
+        ip_list = []
+
         for ai in addrinfos:
             ip = ai[4][0]
             if ip == "127.0.0.1" or ip == "::1":
                 raise HostnameLocalhost("The hostname resolves to the localhost address")
 
-        return addrinfos[0][4][0]
-    except:
-        return None
+            ip_list.append(ip)
+
+        return ip_list
+    except socket.error:
+        return []
 
 def get_host_name(no_host_dns):
     """
@@ -534,8 +547,27 @@ def get_server_ip_address(host_name, fstore, unattended, options):
         sys.exit(1)
 
     ip_add_to_hosts = False
-    if hostaddr is not None:
-        ip = ipautil.CheckedIPAddress(hostaddr, match_local=True)
+
+    if len(hostaddr) > 1:
+        print >> sys.stderr, "The server hostname resolves to more than one address:"
+        for addr in hostaddr:
+            print >> sys.stderr, "  %s" % addr
+
+        if options.ip_address:
+            if str(options.ip_address) not in hostaddr:
+                print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
+                print >> sys.stderr, "address!"
+                sys.exit(1)
+            print "Selected IP address:", str(options.ip_address)
+            ip = options.ip_address
+        else:
+            if unattended:
+                print >> sys.stderr, "Please use --ip-address option to specify the address"
+                sys.exit(1)
+            else:
+                ip = read_ip_address(host_name, fstore)
+    elif len(hostaddr) == 1:
+        ip = ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
     else:
         # hostname is not resolvable
         ip = options.ip_address