URL: https://github.com/freeipa/freeipa/pull/6109 Author: fcami Title: #6109: [Backport][ipa-4-9] freeipa.spec: depend on bind-pkcs11-utils Action: opened
PR body: """ This PR was opened automatically because PR #6074 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/6109/head:pr6109 git checkout pr6109
From b7b970aad93839413815947b8bafa5d4c8f24191 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Thu, 4 Nov 2021 12:01:38 +0100 Subject: [PATCH] freeipa.spec: depend on bind-dnssec-utils MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The OpenDNSSec integration code requires: /usr/sbin/dnssec-keyfromlabel-pkcs11 which is provided by bind-pkcs11-utils, but that package is only available on RHEL<9. With this change, freeipa-server-dns depends on bind-dnssec-utils on all Fedora releases and RHEL==9+, and uses: /usr/sbin/dnssec-keyfromlabel -E pkcs11 instead of dnssec-keyfromlabel-pkcs11. Fixes: https://pagure.io/freeipa/issue/9026 Signed-off-by: François Cami <fc...@redhat.com> --- freeipa.spec.in | 4 +++- ipaplatform/base/paths.py | 2 +- ipaplatform/fedora/paths.py | 1 - ipaserver/dnssec/bindmgr.py | 1 + 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index e20edb7bc60..8f5c370e561 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -576,9 +576,11 @@ Requires: %{name}-server = %{version}-%{release}
 Requires: bind-dyndb-ldap >= 11.2-2
 Requires: bind >= %{bind_version}
 Requires: bind-utils >= %{bind_version}
+# bind-dnssec-utils is required by the OpenDNSSec integration
+# https://pagure.io/freeipa/issue/9026
+Requires: bind-dnssec-utils >= %{bind_version}
 %if %{with bind_pkcs11}
 Requires: bind-pkcs11 >= %{bind_version}
-Requires: bind-pkcs11-utils >= %{bind_version}
 %else
 Requires: softhsm >= %{softhsm_version}
 Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 42a47f1df37..7d21367ece0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,7 @@ class BasePathNamespace:
 IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
 IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
 IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
 GETSEBOOL = "/usr/sbin/getsebool"
 GROUPADD = "/usr/sbin/groupadd"
 USERMOD = "/usr/sbin/usermod"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 92a948966b6..4e993c063e2 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,7 +36,6 @@ class FedoraPathNamespace(RedHatPathNamespace):
 NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
 if HAS_NFS_CONF:
 SYSCONFIG_NFS = '/etc/nfs.conf'
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
 paths = FedoraPathNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index a15c0e601a2..0c79cc03d40 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -127,6 +127,7 @@ def install_key(self, zone, uuid, attrs, workdir):
 )
 cmd = [
 paths.DNSSEC_KEYFROMLABEL,
+ '-E', 'pkcs11',
 '-K', workdir,
 '-a', attrs['idnsSecAlgorithm'][0],
 '-l', uri
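Review bot: The new `DNSSEC_KEYFROMLABEL` default in `BasePathNamespace` now applies to every platform namespace that does not override it, and nothing next to the constant records that it is tied to an engine option passed elsewhere. Only the Fedora override is removed in this commit, and the other platform path modules are not visible here. It is worth confirming that none of them still points at `/usr/sbin/dnssec-keyfromlabel-pkcs11`, because `install_key` in ipaserver/dnssec/bindmgr.py now always passes `-E pkcs11`, and BIND's man page describes `-E` on native-PKCS#11 builds as a provider library path rather than an engine name. A comment such as `# plain dnssec-keyfromlabel; bindmgr selects the OpenSSL "pkcs11" engine with -E` would keep the two in step. The class body continues outside the hunk.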
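Review bot: `'-E', 'pkcs11'` is passed unconditionally in `install_key`, but freeipa.spec.in still lists `openssl-pkcs11` only in the `%else` branch of `%if %{with bind_pkcs11}`. On a build with `bind_pkcs11` enabled, the OpenSSL engine this option names may therefore not be installed, and DNSSEC key installation would fail at run time rather than at package install. Whether ipa-4-9 is still built that way is not visible here. If it is, the `bind_pkcs11` branch should require the engine package as well, or the option should be added only when the plain binary is in use. The body of `install_key` starts and ends outside the hunk, so how a failure of this command is reported cannot be checked from here.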