Adding a host without a domain or with a different domain causes failures with tls everywhere enabled

Bug #1889105 reported by Grzegorz Grasza
Affects: tripleo | Status: Fix Released | Importance: Undecided | Assigned to: Grzegorz Grasza | Milestone: (none listed)

Bug Description

Description
===========

TLS everywhere integration adds entries to IPA DNS by default, using the entries from the Ansible variable that contains host names to write into /etc/hosts.

Additional hosts may be specified by adding them to ExtraHostFileEntries.

The code in tripleo-ipa assumes that all of these entries contain a domain and that forward and reverse dns entries should be added. This is true until the user specifies something unrelated in ExtraHostFileEntries.

We are submitting this bug to gather feedback about what should happen by default. Some of the options are:

 * Don't change the implementation, make sure the host entry is logged, so that it is easier to fix the configuration issue
 * Ignore entries without domains
 * Ignore entries from outside the cloud domain (not ending with <dot> + cloud_domain)
 * Make this configurable?

Steps to reproduce
==================

 * Enable TLS Everywhere
 * Add an example value to ExtraHostFileEntries:
  - '1.2.3.4 stillhavemythumb'

Expected result
===============
The deployment succeeds?

Actual result
=============
The deployment fails with an error:

The task includes an option with an undefined variable. The error was: list object has no element 1

The error appears to be in '/usr/share/ansible/roles/tripleo_ipa_dns/tasks/dns.yaml': line 18, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: set forward dns record values
  ^ here

Environment
===========

Master with TLS Everywhere enabled.

Logs & Configs
==============

Log: http://paste.openstack.org/show/796339/

Alex Schultz (alex-schultz) wrote:

tripleo-ipa shouldn't verify any hosts in ExtraHostFileEntries. Also, shouldn't IPA have some forwarder to support external lookups anyway?

Ade Lee (alee-3) wrote:

IPA does have forwarder support, and is expected to be configured accordingly.

The question here is whether we should be creating DNS entries for those entries in ExtraHostFileEntries, and I think the answer you're giving is "no".

So, the change would be to only add entries with *.cloud_domain, and ignore any malformed entries.
If anyone wants to add other entries, they can always do this manually on the IPA server ahead of time.

Alan Bishop (alan-bishop) wrote:

Ade's proposal to limit registering entries with IPA to just the ones in the cloud domain seems reasonable. The user can add additional entries in that domain if that's their goal, but if an entry isn't in the domain then it won't foul up the IPA registration process for TLS-e.
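
A filter of the kind proposed in this thread, written as an added example rather than tripleo-ipa's own code: it keeps only entries whose name ends in "." + cloud_domain, records why every other entry was skipped instead of failing on an index lookup, and derives the forward and reverse record values from the survivors. The record tuple shapes, SAMPLE_ENTRIES and the "ooo.example.com" domain are this example's assumptions.

```python
import ipaddress
import re

# Constructed ExtraHostFileEntries-style sample (not from the reporter's
# deployment): two cloud-domain hosts, one external host, one host with no
# domain at all (the case from the bug), and one malformed line.
SAMPLE_ENTRIES = [
    "192.168.24.10 overcloud-controller-0.ooo.example.com overcloud-controller-0",
    "fd00:1::5 overcloud-novacompute-0.ooo.example.com",
    "10.0.0.5 mirror.corp.example.net",
    "1.2.3.4 stillhavemythumb",
    "garbage",
]

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def dns_records_for_cloud_domain(entries, cloud_domain):
    """Turn /etc/hosts-style entries into IPA record values.

    Returns (forward, reverse, skipped): forward holds (relative_name, ip),
    reverse holds (reverse_pointer_name, fqdn), skipped holds (entry, reason).
    Only names ending in "." + cloud_domain are accepted (the rule proposed
    in the discussion); the tuple shapes are this example's own assumption.
    """
    suffix = "." + cloud_domain.lower().rstrip(".")
    forward, reverse, skipped = [], [], []
    for raw in entries:
        parts = raw.split()
        if len(parts) < 2:
            skipped.append((raw, "no ip/hostname pair"))
            continue
        fqdn = parts[1].lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            skipped.append((raw, "invalid ip"))
            continue
        if "." not in fqdn:
            skipped.append((raw, "no domain"))  # the crash case from the bug
            continue
        if not fqdn.endswith(suffix):
            skipped.append((raw, "outside cloud domain"))
            continue
        relative = fqdn[: -len(suffix)]
        if not all(LABEL_RE.match(label) for label in relative.split(".")):
            skipped.append((raw, "invalid hostname label"))
            continue
        forward.append((relative, str(ip)))
        reverse.append((ip.reverse_pointer, fqdn))
    return forward, reverse, skipped
```

The skipped list is what a deployment log would carry for the "make sure the host entry is logged" option from the description, while forward and reverse hold only cloud-domain names.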

Grzegorz Grasza (xek)
Changed in tripleo:
assignee: nobody → Grzegorz Grasza (xek)
status: New → Confirmed
Grzegorz Grasza (xek) wrote:

fixed in 0.2.1

Changed in tripleo:
status: Confirmed → Fix Released