Enable IPv6 support in standalone plugin #4773
Conversation
…oth servers run on the same port.
|
All of the assumptions in code here are based on things tested manually. That is:
|
|
@bmw, I haven't added tests (nor have I tested the whole thing manually...), because I made a few design decisions here based on the discussion in #1466 and other places that might seem weirder now that they've actually been implemented. No need to do a full review just yet, but if you're good with the overall structure, I'll:
|
|
|
For the purposes of trying to land everything we want in time for the release, I've asked @zjs to take a look at this, but one thing I wanted to mention:
If desired, I believe we can work around this and get the same behavior as the BSDs using |
acme/acme/standalone.py
Outdated
| new_args = (new_address,) + args[1:] | ||
| server = ServerClass(*new_args, **kwargs) | ||
| except socket.error: | ||
| pass |
There was a problem hiding this comment.
nit: It seems like some logging here would be useful for debugging things if things don't work quite as we expect.
There was a problem hiding this comment.
It's expected behavior that this will fail, so setting the level to DEBUG.
| # connect to all addresses | ||
| for sockname in socknames: | ||
| host, port = sockname[:2] | ||
| cert = crypto_util.probe_sni( |
There was a problem hiding this comment.
This test fails for me locally with Error: [Errno -9] Address family for hostname not supported (which seems to match some of the Travis results.
There was a problem hiding this comment.
01a5ada solves this for me and when run manually, the standalone plugin now successfully binds to IPv6 on my machine (Ubuntu, Python 2.7).
acme/acme/standalone.py
Outdated
| kwargs["ipv6"] = ip_version | ||
| new_address = (address[0],) + (port,) + address[2:] | ||
| new_args = (new_address,) + args[1:] | ||
| server = ServerClass(*new_args, **kwargs) |
There was a problem hiding this comment.
nit: lint doesn't like this use of star args
There was a problem hiding this comment.
ok but the linter thinks it's bad for readability but really we want it for functionality so I'm going to tell it to mind its own business.
zjs
dismissed
their stale review
Comments have been addressed in subsequent commits.
Example of how to do this is in |
|
Anyway, I ended up mimicking FreeBSD-like conditions in the unit tests, and Travis runs things on Ubuntu, so I no longer feel as strongly that we need to automate system tests to get this in. |
|
Manual testing I've done:
|
|
Also, we do get BSD testing, because we run tests on OSX! |
|
I'm reviewing this. |
acme/acme/standalone.py
Outdated
| else: | ||
| self.servers.append(server) | ||
| # Always bind to the same port | ||
| port = server.socket.getsockname()[1] |
There was a problem hiding this comment.
The purpose of this wasn't immediately obvious to me. I think it's for when port is initially None. Perhaps for future readers it might be helpful to expand the comment to explain the case(s) where this is is used?
There was a problem hiding this comment.
Posting this a little earlier than I normally would to get all my comments out there.
Just got a single cert on both Ubuntu for two domains where one was over IPv4 and one was over IPv6. Testing the same on FreeBSD now.
Other than my nitpicky inline comments and the things we talked about out of band, one concern I have is the combination of the unreleased --<challenge-name>-address flag and this PR. What would you expect Certbot's behavior to be when using this flag and standalone? Is what we do correct/OK? Do we want to support it long term?
acme/acme/standalone.py
Outdated
| """ | ||
|
|
||
| def __init__(self, *args, **kwargs): | ||
| address = args[0] |
There was a problem hiding this comment.
nit: Since we'll blow up here if this class is called with no args, perhaps we should just add a server_address argument to __init__. This documents the need to provide this argument and it should have no negative effect as this is the name of the parameter used in socketserver.TCPServer (and its subclass BaseHTTPServer.HTTPServer).
acme/acme/standalone.py
Outdated
| def __init__(self, *args, **kwargs): | ||
| address = args[0] | ||
| port = address[1] | ||
| ServerClass = kwargs.pop("server_class", object) |
There was a problem hiding this comment.
Is using object the right thing here? Other thoughts:
- Since this in theory is a general class for providing a single server object for IPv4 and IPv6, perhaps we should fall back to
socketserver.TCPServerthat all classes currently used by this server are based on. - Since using this class with an ACME client without providing a
server_classis almost certainly an error, we should handle it as such. This currently happens when usingobject, but the error is pretty cryptic. I think the best way to do this is check ifserver_classis inkwargsand raise aTypeErrorif it's not. Alternatively, we can makeserver_classthe first argument afterselfto__init__and theTypeErrorwill be handled for you, but this further deviates the class from the server objects it's trying to wrap.
I have a preference for approach number 2 as I think it'll help catch errors. We could always go the first route later if we wanted. You can do whatever you think is best though.
There was a problem hiding this comment.
It can't be socketserver.TCPServer, because that doesn't like when you pass in an ipv6 kwarg. I think it's actually fine to make it a named argument, because you probably wouldn't directly use the Base class anyway, and our TLSSNI01DualNetworkedServers and HTTP01DualNetworkedServers set that argument for you.
| self.servers.append(server) | ||
| # If two servers are set up and port 0 was passed in, ensure we always | ||
| # bind to the same port for both servers. | ||
| port = server.socket.getsockname()[1] |
acme/acme/standalone_test.py
Outdated
| @@ -1,6 +1,8 @@ | |||
| """Tests for acme.standalone.""" | |||
| import mock | |||
| self.address_family = socket.AF_INET | ||
| socketserver.TCPServer.__init__(self, *args, **kwargs) | ||
| if ipv6: | ||
| # pylint: disable=no-member |
There was a problem hiding this comment.
With this line, the three disable=no-member comments below can be removed.
There was a problem hiding this comment.
pylint scoping is strange.
I built this PR on top of #4694, so I was intending it to work correctly with these changes. Manual testing indicates that's the case. It's always fine to fail to start a server. So if you pass an IPv6 address, it just won't correctly start up the IPv4 server, and on FreeBSD vice versa. |
It works, but it's a new flag that we have a chance to modify right now. Does it work the way we want long term? To be fair, this may not be the right place for this discussion as I don't think it should block this PR, however, it may cause us to block shipping #4694. With that said, after thinking about it, I'm personally fine with things as they are now. Given I think we should support a flag like this, I think our options are:
Having separate flags makes Certbot uglier and increases complexity (what happens if you provide both IPv4 and IPv6 flags?). Currently, Certbot just works whether you provide an IPv4 or IPv6 address on the command line. As other plugins support this flag, we may have to write code that determines whether an address is IPv4 or IPv6 but then every plugin can benefit from it. The only downside I see to this approach is you can't tell Certbot to listen on both IPv4 and IPv6 and specify the interface for each one. The only reason I could come up with where someone would want to do this is they have multiple domains that each require a different interface be used but they want all domains in the same cert. This is an extreme edge case though and I don't think it's unreasonable to have the user create two certs in this case. I'd like someone else to make sure they agree with me here, but otherwise, I think the only thing left to worry about here are my obnoxious nits. |
I think it's reasonable to say "create two certs" for that case. |
Fixes #1466.