PR#50571: Ticket 50567, 50568 - strict host check disable and display container version - 389-ds-base

389-ds-base

#50571 Ticket 50567, 50568 - strict host check disable and display container version

Closed 3 years ago by spichugi. Opened 4 years ago by firstyear.

firstyear/389-ds-base 50567-50568-version-and-host-check into master

Ticket 50567, 50568 - strict host check disable and display container version

William Brown • 4 years ago

ba42545

src/lib389/cli/dscontainer

file modified

		`@@ -67,6 +67,7 @@`
		`#`
		`# We wouldn't need this except for testing containers that build to /opt/dirsrv`
		`paths = Paths(serverid='localhost')`
		`+ log.info("389 Directory Server Version: %s" % paths.version)`

		`# Make sure that /data/config, /data/ssca and /data/config exist, because`
		`# k8s may not template them out.`

src/lib389/lib389/instance/options.py

file modified

+1 -1

		`@@ -114,7 +114,7 @@`
		`self._type['full_machine_name'] = str`
		`self._helptext['full_machine_name'] = "Sets the fully qualified hostname (FQDN) of this system. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to the FQDN of the load balancer and, additionally, set \"strict_host_checking\" to \"false\"."`

		`- self._options['strict_host_checking'] = True`
		`+ self._options['strict_host_checking'] = False`
		`self._type['strict_host_checking'] = bool`
		`self._helptext['strict_host_checking'] = "Sets whether the server verifies the forward and reverse record set in the \"full_machine_name\" parameter. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to \"false\". Container installs imply \"false\"."`

src/lib389/lib389/instance/setup.py

file modified

+1 -19

		`@@ -244,7 +244,7 @@`

		`# Set the defaults`
		`general = {'config_version': 2, 'full_machine_name': socket.getfqdn(),`
		`- 'strict_host_checking': True, 'selinux': True, 'systemd': ds_paths.with_systemd,`
		`+ 'strict_host_checking': False, 'selinux': True, 'systemd': ds_paths.with_systemd,`
		`'defaults': '999999999', 'start': True}`

		`slapd = {'self_sign_cert_valid_months': 24,`
		`@@ -288,24 +288,6 @@`
		`if val != "":`
		`general['full_machine_name'] = val`

		`- # Strict host name checking`
		`- msg = ("\nUse strict hostname verification (set to \"no\" if using GSSAPI behind a load balancer) [yes]: ")`
		`- while 1:`
		`- val = input(msg).rstrip().lower()`
		`- if val != "":`
		`- if val == "no" or val == "n":`
		`- slapd['strict_host_checking'] = False`
		`- break`
		`- if val == "yes" or val == "y":`
		`- # Use default`
		`- break`
		`-`
		`- # Unknown value`
		`- print ("Value \"{}\" is invalid, please use \"yes\" or \"no\"".format(val))`
		`- continue`
		`- else:`
		`- break`
		`-`
		`# Instance name - adjust defaults once set`
		`while 1:`
		`slapd['instance_name'] = general['full_machine_name'].split('.', 1)[0]`

firstyear commented 4 years ago

Bug Description: This is a minor fix to disable strict host checking
by default as it causes some installs to unexpectedly fail. We also
display the container version by default to aid future issue reports.

Fix Description: strict host check to false, and print paths.version.

https://pagure.io/389-ds-base/issue/50568
https://pagure.io/389-ds-base/issue/50567

Author: William Brown william@blackhats.net.au

Review by: ???

mreynolds commented on line 15 of src/lib389/lib389/instance/setup.py 4 years ago

I actually have a patch in the works where I removed this option/question, and default to False for the interactive installer. Do you still want to keep the question in the installer?

firstyear commented 4 years ago

The option has to stay I think, but I would be happy to remove this question from the installer.

IE the only way to do strict_host_check = true is a from-file install. Is that acceptable to you?

rebased onto a9bfc8c58b9a927bc70b3d454bd919a1540f17b7

4 years ago

firstyear commented 4 years ago

Okay updated to remove the question from interactive. Is that all good?

mreynolds commented 4 years ago