Merge lp:~ahasenack/charms/precise/postgresql/nicer-fix-to-avoid-cnames-in-pg_hba into lp:charms/postgresql
Proposed by
Andreas Hasenack
| Status: | Work in progress | ||||
|---|---|---|---|---|---|
| Proposed branch: | lp:~ahasenack/charms/precise/postgresql/nicer-fix-to-avoid-cnames-in-pg_hba | ||||
| Merge into: | lp:charms/postgresql | ||||
| Diff against target: |
23 lines (+2/-6) 1 file modified
hooks/hooks.py (+2/-6) |
||||
| To merge this branch: | bzr merge lp:~ahasenack/charms/precise/postgresql/nicer-fix-to-avoid-cnames-in-pg_hba | ||||
| Related bugs: |
|
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Cory Johns (community) | Needs Information | ||
| Stuart Bishop (community) | Needs Information | ||
|
Review via email:
|
|||
Commit message
Use a much cheaper call to gethostbyname() instead of calling out to "dig" to avoid using CNAMEs in pg_hba.conf.
Description of the change
Use a much cheaper call to gethostbyname() instead of calling out to "dig" to avoid using CNAMEs in pg_hba.conf.
To post a comment you must log in.
Revision history for this message
| Andreas Hasenack (ahasenack) wrote | # |
Revision history for this message
| Stuart Bishop (stub) wrote | # |
Revision history for this message
| Andreas Hasenack (ahasenack) wrote | # |
Revision history for this message
| Andreas Hasenack (ahasenack) wrote | # |
Unmerged revisions
- 86. By Andreas Hasenack
-
Since we are returning an IP this time, mask it with /32.
- 85. By Andreas Hasenack
-
Use gethostbyname instead of calling out to dig, much simpler/better.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
This is going to be a permanent fix as I understanding, as charms supoprting MaaS that need this sort of IP filtering (Most services? Few services?) will be required to do the CNAME dereferencing themselves. This will mean MaaS needs to guarantee that the CNAME will never be changed, and always point to the same A record. This still allows MaaS to change the IP addresses of machines, as the CNAME points to an A record and the IP address associated with that A record may be changed.
For a permanent fix, I don't think we should have the bare except in here. I think that if the DNS lookups fail, it is a good reason to have the hook fail.
This code isn't quite doing the same thing as the dig lookup. The dig lookup is only dereferencing CNAMES to an A record. The address this A record points to can change, and everything will still be happy. The new lookup deferences both CNAMES and A records to IP addresses. If a juju provider supports changing the IP address of a machine it could do so by giving a DNS name rather than an IP address as the private-address. It can then change where that name points to without needing to kick off all the -changed hooks, as the standard DNS TTL mechanism will sort things out. If a juju provider did this, it would break the proposed use of socket.
I'd vote to leave it like it is, and just remove the exception handler since the dig lookup seems stable. This is not performance critical.