URL: https://github.com/freeipa/freeipa/pull/872 Author: stlaz Title: #872: Add IPA-specific bind unit file Action: opened
PR body: """ During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service. https://pagure.io/freeipa/issue/7018 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/872/head:pr872 git checkout pr872
From 82cbaafffdebdaad4606846ffa74283999966393 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file
During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service.
https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in | 1 +
 init/systemd/Makefile.am | 2 ++
 init/systemd/ipa-named-pkcs11.service.in | 27 ++++++++++++++++++++++
 ipaplatform/redhat/services.py | 2 +-
 ipaserver/install/server/upgrade.py | 34 ++++++++++++++++++++++++----
 ipatests/pytest_plugins/integration/tasks.py | 2 +-
 6 files changed, 62 insertions(+), 6 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@ AUTOMAKE_OPTIONS = 1.7
 dist_noinst_DATA = \
+ ipa-named-pkcs11.service.in \
 ipa-custodia.service.in \
 ipa.service.in
 systemdsystemunit_DATA = \
+ ipa-named-pkcs11.service \
 ipa-custodia.service \
 ipa.service
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 0000000000..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..279a117e03 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,7 @@
 redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e2abefc21..49a380e656 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
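Review bot: `After=krb5kdc.service` only orders this unit behind the KDC when both are part of the same systemd transaction; nothing in the unit pulls krb5kdc.service in, so on a boot where the KDC is started by other means (or not at all) the ordering is a no-op and named-pkcs11 still comes up without a ticket source, which is the failure the PR body describes. If that is intentional because ipactl is expected to bring up the KDC first, the comment above the line should say so; if not, `Wants=krb5kdc.service` next to the existing `After=` makes the dependency real, as the unit already does for named-setup-rndc.service. The unit also declares no `Conflicts=named-pkcs11.service` (nor `Conflicts=named.service`), so the stock unit and this one can both be started in one boot and presumably contend for the same PIDFile and listeners; the upgrade hunk in upgrade.py stops the old unit but does not disable it, so closing that here is worth considering.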
@@ -31,6 +31,7 @@
 from ipaclient.install.client import sssd_enable_service
 from ipaplatform import services
 from ipaplatform.tasks import tasks
+from ipaplatform.base.services import SystemdService
 from ipapython import ipautil, version, certdb
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dnsutil
@@ -1592,6 +1593,28 @@ def disable_httpd_system_trust(http):
 db.add_cert(cert, nickname, trust_flags)
+def swap_bind_unit_files(fstore):
+ """
+ IPA changed its unit file, stop named-pkcs11 service using the old and
+ use the new instead
+ """
+ root_logger.info('[Making bind use FreeIPA-specific unit file]')
+
+ if sysupgrade.get_upgrade_state('named-pkcs11.service',
+ 'ipa_unit_file'):
+ root_logger.info("Already using the IPA-specific unit file")
+ return
+
+ bind_old = SystemdService('named-pkcs11', 'named-pkcs11.service', api=api)
+ if bind_old.is_running():
+ bind_old.stop()
+ bind = bindinstance.BindInstance(fstore)
+ bind.start()
+
+ sysupgrade.set_upgrade_state(
+ 'named-pkcs11.service', 'ipa_unit_file', True)
+
+
 def upgrade_configuration():
 """
 Execute configuration upgrade of the IPA services
@@ -1756,10 +1779,13 @@ def upgrade_configuration():
 # install DNSKeySync service only if DNS is configured on server
 if bindinstance.named_conf_exists():
- dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
- if not dnskeysyncd.is_configured():
- dnskeysyncd.create_instance(fqdn, api.env.realm)
- dnskeysyncd.start_dnskeysyncd()
+ # swap the named-pkcs11 systemd unit file for ipa-specific
+ swap_bind_unit_files(fstore)
+
+ dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
+ if not dnskeysyncd.is_configured():
+ dnskeysyncd.create_instance(fqdn, api.env.realm)
+ dnskeysyncd.start_dnskeysyncd()
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 172f5b8cb3..c4c928d5ce 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
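Review bot: In swap_bind_unit_files, `bind.start()` runs unconditionally, so a host whose named-pkcs11 was deliberately left stopped gets it started by the upgrade; the start belongs under the same condition as the stop, i.e. move `bind.start()` into the `if bind_old.is_running():` branch right after `bind_old.stop()`. The old unit is stopped but never disabled, so if named-pkcs11.service was enabled it is still pulled in at the next boot beside ipa-named-pkcs11.service and the two presumably contend for the same PID file and listeners; a `bind_old.disable()` after the stop (or the same masking treatment the tasks.py hunk shows named.service receiving) would retire it, and the docstring should then say the old unit is retired rather than only stopped. Note also that the upgrade state is recorded only after a successful start, so a failed `bind.start()` makes the swap retry on the next run; that looks intended but deserves a one-line comment. upgrade_configuration continues outside the hunk.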
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -445,7 +445,7 @@ def install_adtrust(host):
 result = host.run_command(['systemctl', 'is-enabled', 'named'], raiseonerr=False)
 if result.stdout_text.startswith("masked"):
- host.run_command(['systemctl', 'restart', 'named-pkcs11'])
+ host.run_command(['systemctl', 'restart', 'ipa-named-pkcs11'])
 else:
 host.run_command(['systemctl', 'restart', 'named'])