Merge pull request #1282 from t-woerner/infra_image_enhance_system_se…

…rvices infra/image/system-services: Enhance checks, also fix reverse zone
freeipa · Aug 7, 2024 · 88dc4c6 · 88dc4c6
2 parents 7dbe6ed + e05fbce
commit 88dc4c6
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 17 deletions.
diff --git a/infra/image/system-service/fixipaip.service b/infra/image/system-service/fixipaip.service
@@ -5,6 +5,8 @@ After=multi-user.target
 [Service]
 Type=oneshot
 ExecStart=/root/fixipaip.sh
+StandardOutput=journal
+StandardError=journal
 
 [Install]
 WantedBy=default.target
diff --git a/infra/image/system-service/fixipaip.sh b/infra/image/system-service/fixipaip.sh
@@ -1,26 +1,82 @@
 #!/bin/bash -eu
 
+function valid_fqdn()
+{
+    local name="${1}"
+
+    [[ "${name}" =~ [[:space:]] ]] && return 1
+    [[ "${name}" =~ \. ]] || return 1
+    [[ "${name}" =~ \.\. ]] && return 1
+    for i in ${name//./ }; do
+        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
+    done
+    [[ "${name}" == "localhost.localdomain" ]] && return 1
+    return 0
+}
+
+function valid_ipv4()
+{
+    local ip="${1}"
+    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
+
+    [[ "${ip}" =~ ${rematch} ]] || return 1
+    for i in ${ip//./ }; do
+        [[ ${i} -le 255 ]] || return 1
+    done
+
+    return 0
+}
+
 HOSTNAME=$(hostname)
 IP=$(hostname -I | cut -d " " -f 1)
+export KRB5CCNAME=ansible_freeipa_cache
 
-if [ -z "${HOSTNAME}" ]; then
-    echo "ERROR: Failed to retrieve hostname."
+if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
+    echo "ERROR: Got invalid hostname: '${HOSTNAME}'"
     exit 1
 fi
-if [ -z "${IP}" ]; then
-    echo "ERROR: Failed to retrieve IP address."
+if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
+    echo "ERROR: Got invalid IPv4 address: '${IP}'"
     exit 1
 fi
+PTR=$(echo "${IP}" | awk -F"." '{print $4}')
+if [ -z "${PTR}" ] || [ -n "${PTR//[0-9]}" ]; then
+    echo "ERROR: Failed to get PTR from IPv4 address: '${PTR}'"
+    exit 1
+fi
+
+echo "Fix IPA IP:"
+echo "  HOSTNAME: '${HOSTNAME}'"
+echo "  IP: '${IP}'"
+echo "  PTR: '${PTR}'"
 
-if ! echo "SomeADMINpassword" | kinit -c ansible_freeipa_cache admin
+if ! echo "SomeADMINpassword" | kinit -c "${KRB5CCNAME}"
 then
     echo "ERROR: Failed to obtain Kerberos ticket"
     exit 1
 fi
-KRB5CCNAME=ansible_freeipa_cache \
-    ipa dnsrecord-mod test.local "${HOSTNAME%%.*}" --a-rec="$IP"
-KRB5CCNAME=ansible_freeipa_cache \
-    ipa dnsrecord-mod test.local ipa-ca --a-rec="$IP"
-kdestroy -c ansible_freeipa_cache -A
+
+ZONES=$(ipa dnszone-find --name-from-ip="${HOSTNAME}." --raw --pkey-only \
+    | grep "idnsname:" | awk -F": " '{print $2}')
+for zone in ${ZONES}; do
+    echo
+    if [[ "${zone}" == *".in-addr.arpa."* ]]; then
+        echo "Fixing reverse zone ${zone}:"
+        OLD_PTR=$(ipa dnsrecord-find "${zone}" --ptr-rec="${HOSTNAME}." \
+                      --raw | grep "idnsname:" | awk -F": " '{print $2}')
+        if [ -z "${OLD_PTR}" ] || [ -n "${OLD_PTR//[0-9]}" ]; then
+            echo "ERROR: Failed to get old PTR from '${zone}': '${OLD_PTR}'"
+        else
+            ipa dnsrecord-mod "${zone}" "${OLD_PTR}" --ptr-rec="${HOSTNAME}." \
+                --rename="${PTR}"
+        fi
+    else
+        echo "Fixing forward zone ${zone}:"
+        ipa dnsrecord-mod test.local "${HOSTNAME%%.*}" --a-rec="$IP"
+        ipa dnsrecord-mod test.local ipa-ca --a-rec="$IP"
+    fi
+done
+
+kdestroy -c "${KRB5CCNAME}" -A
 
 exit 0
diff --git a/infra/image/system-service/fixnet.service b/infra/image/system-service/fixnet.service
@@ -7,6 +7,8 @@ Before=ipa.service
 [Service]
 Type=oneshot
 ExecStart=/root/fixnet.sh
+StandardOutput=journal
+StandardError=journal
 
 [Install]
 WantedBy=ipa.service
diff --git a/infra/image/system-service/fixnet.sh b/infra/image/system-service/fixnet.sh
@@ -1,24 +1,62 @@
 #!/bin/bash -eu
 
+function valid_fqdn()
+{
+    local name="${1}"
+
+    [[ "${name}" =~ [[:space:]] ]] && return 1
+    [[ "${name}" =~ \. ]] || return 1
+    [[ "${name}" =~ \.\. ]] && return 1
+    for i in ${name//./ }; do
+        [[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
+    done
+    [[ "${name}" == "localhost.localdomain" ]] && return 1
+    return 0
+}
+
+function valid_ipv4()
+{
+    local ip="${1}"
+    local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
+
+    [[ "${ip}" =~ ${rematch} ]] || return 1
+    for i in ${ip//./ }; do
+        [[ ${i} -le 255 ]] || return 1
+    done
+
+    return 0
+}
+
 HOSTNAME=$(hostname)
 IP=$(hostname -I | cut -d " " -f 1)
 
-if [ -z "${HOSTNAME}" ]; then
+if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
     echo "ERROR: Failed to retrieve hostname."
     exit 1
 fi
-if [ -z "${IP}" ]; then
-    echo "ERROR: Failed to retrieve IP address."
+if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
+    echo "ERROR: Got invalid IPv4 address: '${IP}'"
     exit 1
 fi
 
-# shellcheck disable=SC2143
-if [ -n "$(grep -P "[[:space:]]${HOSTNAME}" /etc/hosts)" ]; then
-    sed -ie "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
+echo "Fix NET:"
+echo "  HOSTNAME: '${HOSTNAME}'"
+echo "  IP: '${IP}'"
+echo
+
+if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
+then
+    sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
 else
-    echo -e "$IP\t${HOSTNAME}" >> /etc/hosts
+    echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
 fi
 
 echo "nameserver 127.0.0.1" > /etc/resolv.conf
 
+echo "/etc/hosts:"
+cat "/etc/hosts"
+echo
+echo "/etc/resolv.conf:"
+cat "/etc/resolv.conf"
+
 exit 0