Univention Bugzilla – Bug 48099
Adding computers via the wizard should not silently add networks and DHCP subnets
Last modified: 2019-03-12 10:50:31 CET
The UCS@school wizard "Computers (schools)" offers to add a new computer. There, we have to manually enter an IP address. The subnet mask is prefilled with 255.255.255.0. If the network does not exist yet, it is created (including a new DHCP subnet).

1. The subnet is not usable, because it lacks DHCP policies
2. This breaks network scenarios, where the subnet mask is not 255.255.255.0

Imagine the following scenario:

1. The network administrator created a network "10.200.40.0/22" (subnet mask 255.255.252.0) which has a range from 10.200.40.0 to 10.200.43.255.
2. Some time later, a client administrator adds a new computer via the wizard "Computers (schools)", enters an IP "10.200.42.42" and leaves the subnet mask at the default "255.255.255.0" by accident or because of a lack of knowledge.
3. The wizard _silently_ creates an additional network "10.200.42.0/24" which overlaps with the already existing "10.200.40.0/22". It also creates a corresponding DHCP subnet "10.200.42.0", but does not link any policies (DNS, routing ...).
4. The newly created client is not usable. At a customer, the client was served with "10.200.42.42/24", but was not able to reach its default gateway (10.200.40.1).

IMHO it should not be allowed to create overlapping networks and DHCP subnets.

I propose that the wizard should not require an IP address and subnet mask to be entered *manually* at all. Instead, we should simply offer a combobox with the _existing_ networks to choose from, just like the regular UCS "add computer" wizard.
Further discussion in #ucsschool:

Sönke:
> IMHO the problem that has encountered is that a use case shift is taking place
> here. The wizards were actually intended for the test users in order to get
> started immediately. The use case had intended that the computers would be
> imported later in productive operation via CLI. If customers are now
> increasingly using wizards in their everyday lives, then we have to adapt the
> process (and thus also the wizards) accordingly. Because the next question
> arises immediately from your suggestion: how do the entire networks initially
> get into LDAP? Do you also see this rather in the UMC or on the CLI or even in
> the UDM?

Michael:
> The wizards are also used in practice to add one or three, maybe even five
> computers. This is done by an IT representative of the school, the trainee at
> the operator etc ... and a real admin has no time or desire to build a CSV file
> and start the import.
> To be honest, I see the networks on the CLI via import_networks. This is done
> imho once centrally and that stays for a while. Whereas computers are often
> replaced or switched in smaller quantities, and that's where the wizards offer
> their services to the customer.
After discussion with Sönke we arrived at the following proposal: The wizard basically stays as it is. But if you want to save the computer it is checked if a new subnet would be created. If so, you have to confirm that. If you would create a subnet that is a subset or superset of another, already existing net, the creation is blocked.
Package: ucs-school-lib
Version: 11.0.2-3A~4.3.0.201902071125
Branch: ucs_4.3-0
Scope: ucs-school-4.3

Package: ucs-school-umc-wizards
Version: 10.0.1-2A~4.3.0.201902071126
Branch: ucs_4.3-0
Scope: ucs-school-4.3

The validation of computer objects in the ucsschoollib was extended:
- If the IP and subnet mask of the new computer would cause the creation of a new network, a warning is added.
- If that new network would overlap with any other network in the domain, an error is added to the validation.
  - There is one exception: If the system identifies as a singlemaster environment, the error is not created if the network is identical to the domain's default network. This is due to the special DHCP behavior of singleservers.

Additionally the Computerwizard in the UMC now respects warnings and requires an acknowledgement of the user before creating the object.
Package: ucs-school-lib
Version: 12.1.0-2A~4.4.0.201902071203
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-school-umc-wizards
Version: 11.0.0-1A~4.4.0.201902071204
Branch: ucs_4.4-0
Scope: ucs-school-4.4

The changes in ucs-school-umc-wizards are restricted to the computer wizard only. But we might want to think about activating this new behavior for all wizards to provide user acknowledgement if warnings are present.
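The validation rules described in the comment above (warning for a new network, error on overlap, single-master exception), sketched as an added example that is not the ucs-school-lib code. The function name, its parameters and the split into the school's own networks versus the rest of the domain are assumptions made for illustration; the sample network is the constructed scenario from the bug description.

```python
import ipaddress


def validate_computer_network(ip, netmask, school_networks, other_networks,
                              singlemaster_default=None):
    """Return (warnings, errors) for a computer with this IP and subnet mask.

    All parameter names are hypothetical. school_networks are CIDR strings the
    school already has (reused as-is); other_networks are the remaining
    networks in the domain; singlemaster_default is the domain's default
    network on a single-master system, otherwise None.
    """
    warnings, errors = [], []
    # ip_interface() accepts dotted netmasks and masks off the host bits.
    new_net = ipaddress.ip_interface("%s/%s" % (ip, netmask)).network
    if new_net in {ipaddress.ip_network(n) for n in school_networks}:
        return warnings, errors  # network exists already, nothing is created

    warnings.append("new network %s would be created" % new_net)
    default = ipaddress.ip_network(singlemaster_default) if singlemaster_default else None
    for cidr in list(school_networks) + list(other_networks):
        other = ipaddress.ip_network(cidr)
        if default is not None and new_net == other == default:
            continue  # single-master exception: default network is allowed
        if new_net.overlaps(other):  # true for subset, superset and equal
            errors.append("%s overlaps existing network %s" % (new_net, other))
    return warnings, errors


# Constructed sample data: the scenario from the bug description.
EXISTING = ["10.200.40.0/22"]

if __name__ == "__main__":
    for ip, mask in [("10.200.42.42", "255.255.255.0"),   # accidental /24
                     ("10.200.42.42", "255.255.252.0"),   # matches the /22
                     ("10.200.42.42", "255.255.0.0"),     # superset /16
                     ("10.200.50.10", "255.255.255.0")]:  # unrelated new net
        print(ip, mask, validate_computer_network(ip, mask, EXISTING, []))
```

A caller following the wizard behaviour described above would refuse to save while `errors` is non-empty and ask for acknowledgement while `warnings` is non-empty.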
4.3: a3c4573e7 Bug #48099: adjust ucs-test script to new UMC module behaviour
4.4: 5d44b74ca Bug #48099: adjust ucs-test script to new UMC module behaviour
Small typo found: "Subnetzmaske: Die festgelegte IP Adresse und Netzmaske" → "Subnetzmaske: Die festgelegte IP-Adresse und Netzmaske"
http://jenkins.knut.univention.de:8080/job/UCSschool-4.3/job/Upgrade%20Multiserver/395/Config=s4-all-components,TestGroup=base1/testReport/90_ucsschool/104_delete_computers_delete_related_objects/test/ still fails due to this bug.
Package: ucs-test-ucsschool
Version: 5.0.4-4A~4.3.0.201902180802
Branch: ucs_4.3-0
Scope: ucs-school-4.3

Package: ucs-test-ucsschool
Version: 6.0.0-17A~4.4.0.201902180807
Branch: ucs_4.4-0
Scope: ucs-school-4.4

UMC computers are now successfully created in test script and ignore the warning. The test still fails due to a host record not being deleted upon computer deletion on my Test VM. This should have nothing to do with the changes made here though.
Fixed typo.

Package: ucs-school-lib
Version: 11.0.2-4A~4.3.0.201902180830
Branch: ucs_4.3-0
Scope: ucs-school-4.3

Package: ucs-school-lib
Version: 12.1.0-8A~4.4.0.201902180834
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Package: ucs-school-umc-wizards
Version: 11.0.0-2A~4.4.0.201902181135
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Package: ucs-school-umc-wizards
Version: 10.0.1-3A~4.3.0.201902181139
Branch: ucs_4.3-0
Scope: ucs-school-4.3

Optimized object iteration as discussed with Daniel
OK: code changes
OK: manual tests:
- warning if the IP/mask of a new computer would create a new network
- user can acknowledge warning and new network is created
- error if the IP/mask of a new computer would create an overlapping network
OK: automated tests (f3db7a366)
REOPEN: missing (updated) advisories for ucs-school-lib and ucs-school-umc-wizards in both 4.3 and 4.4
Did not find anything missing in 4.3 but added the advisory information in 4.4
OK: advisories
UCS@school 4.3 v7 has been released. https://docs.software-univention.de/changelog-ucsschool-4.3v7-de.html If this error occurs again, please clone this bug.