Hello!
Patch 131:
https://fedorahosted.org/freeipa/ticket/3801#comment:31
Patch 132:
I modified named.conf in 131, so I change the rest of paths to be
ipaplatform specified.
Patches attached
--
Martin Basti
From 4fe9f258c272d9d7c98b084579bafbef6ba6bc83 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 2 Oct 2014 14:55:10 +0200
Subject: [PATCH 1/2] Add missing attributes to named.conf
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
---
install/share/bind.named.conf.template | 6 ++
install/tools/ipa-upgradeconfig | 120 +++++++++++++++++++++++++++++++++
ipaplatform/base/paths.py | 3 +
ipaserver/install/bindinstance.py | 28 ++++++++
4 files changed, 157 insertions(+)
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 6db17120f983d3762d4fb728d262eae10a18f74e..cdf21c1429f204e6ce5d4e4bcb1460f9fd0bb5b8 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -18,6 +18,11 @@ options {
pid-file "/run/named/named.pid";
dnssec-enable yes;
+
+ /* Path to ISC DLV key */
+ bindkeys-file "$BINDKEYS_FILE";
+
+ managed-keys-directory "$MANAGED_KEYS_DIR";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
@@ -38,6 +43,7 @@ zone "." IN {
};
include "/etc/named.rfc1912.zones";
+include "$ROOT_KEY";
dynamic-db "ipa" {
library "ldap.so";
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb59066b515d33bebc19ca5afb4f50548bb2..93ce71dd5fb198e986230dbfac63ef910b8b6beb 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -624,6 +624,123 @@ def named_enable_dnssec():
return True
+def named_bindkey_file_option():
+ """
+ Add options bindkey_file to named.conf
+ """
+ if not bindinstance.named_conf_exists():
+ # DNS service may not be configured
+ root_logger.info('DNS is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('named.conf', 'bindkey-file_updated'):
+ root_logger.debug('Skip bindkey-file configuration check')
+ return False
+
+ try:
+ bindkey_file = bindinstance.named_conf_get_directive('bindkey-file',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot retrieve bindkey-file option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ if bindkey_file:
+ root_logger.debug('bindkey-file configuration already updated')
+ sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True)
+ return False
+
+ root_logger.info('[Setting "bindkeys-file" option in named.conf]')
+ try:
+ bindinstance.named_conf_set_directive('bindkeys-file',
+ paths.NAMED_BINDKEYS_FILE,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot update bindkeys-file configuration in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+
+
+ sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True)
+ return True
+
+def named_managed_keys_dir_option():
+ """
+ Add options managed_keys_directory to named.conf
+ """
+ if not bindinstance.named_conf_exists():
+ # DNS service may not be configured
+ root_logger.info('DNS is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('named.conf', 'managed-keys-directory_updated'):
+ root_logger.debug('Skip managed-keys-directory configuration check')
+ return False
+
+ try:
+ managed_keys = bindinstance.named_conf_get_directive('managed-keys-directory',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot retrieve managed-keys-directory option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ if managed_keys:
+ root_logger.debug('managed_keys_directory configuration already updated')
+ sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True)
+ return False
+
+ root_logger.info('[Setting "managed-keys-directory" option in named.conf]')
+ try:
+ bindinstance.named_conf_set_directive('managed-keys-directory',
+ paths.NAMED_MANAGED_KEYS_DIR,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot update managed-keys-directory configuration in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+
+
+ sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True)
+ return True
+
+def named_root_key_include():
+ """
+ Add options managed_keys_directory to named.conf
+ """
+ if not bindinstance.named_conf_exists():
+ # DNS service may not be configured
+ root_logger.info('DNS is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('named.conf', 'root_key_updated'):
+ root_logger.debug('Skip root key configuration check')
+ return False
+
+ try:
+ root_key = bindinstance.named_conf_include_exists(paths.NAMED_ROOT_KEY)
+ except IOError, e:
+ root_logger.error('Cannot check root key include in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ if root_key:
+ root_logger.debug('root keys configuration already updated')
+ sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
+ return False
+
+ root_logger.info('[Including named root key in named.conf]')
+ try:
+ bindinstance.named_conf_add_include(paths.NAMED_ROOT_KEY)
+ except IOError, e:
+ root_logger.error('Cannot update named root key include in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+
+
+ sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
+ return True
+
def certificate_renewal_update(ca):
"""
Update certmonger certificate renewal configuration.
@@ -1170,6 +1287,9 @@ def main():
named_update_gssapi_configuration(),
named_update_pid_file(),
named_enable_dnssec(),
+ named_bindkey_file_option(),
+ named_managed_keys_dir_option(),
+ named_root_key_include(),
)
if any(named_conf_changes):
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1d936016a698339c337b189335926663f76383f4..cc24dcdb4c44d7b30ebf11d65101bd4f0b478309 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -71,6 +71,9 @@ class BasePathNamespace(object):
NAMED_CONF = "/etc/named.conf"
NAMED_KEYTAB = "/etc/named.keytab"
NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
+ NAMED_ROOT_KEY = "/etc/named.root.key"
+ NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
+ NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
NSSWITCH_CONF = "/etc/nsswitch.conf"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2e8836ec6bc9e727a6917523a0979febd33a1585..928ca1b5c85d78d6a983d4e39ed8f957def040e4 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -55,6 +55,9 @@ named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
# non string args for options section
named_conf_arg_options_re_nonstr = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+(?P<value>[^"]+)\s*;')
named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
+# include directive
+named_conf_include_re = re.compile(r'\s*include\s+"(?P<path>)"\s*;')
+named_conf_include_template = "include \"%(path)s\";\n"
def check_inst(unattended):
has_bind = True
@@ -203,6 +206,28 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA,
with open(NAMED_CONF, 'w') as f:
f.write("".join(new_lines))
+def named_conf_include_exists(path):
+ """
+ Check if include exists in named.conf
+ :param path: path in include directive
+ :return: True if include exists, else False
+ """
+ with open(NAMED_CONF, 'r') as f:
+ for line in f:
+ match = named_conf_include_re.match(line)
+ if match and path == match.group('path'):
+ return True
+
+ return False
+
+def named_conf_add_include(path):
+ """
+ append include at the end of file
+ :param path: path to be insert to include directive
+ """
+ with open(NAMED_CONF, 'a') as f:
+ f.write(named_conf_include_template % {'path': path})
+
def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
autobind=ipaldap.AUTOBIND_DISABLED):
"""
@@ -638,6 +663,9 @@ class BindInstance(service.Service):
OPTIONAL_NTP=optional_ntp,
ZONEMGR=self.zonemgr,
IPA_CA_RECORD=ipa_ca,
+ BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
+ MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
+ ROOT_KEY=paths.NAMED_ROOT_KEY,
)
def __setup_dns_container(self):
--
1.8.3.1
From c923f3f461b18915e51ec76a5915e6a0580c9e9a Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 2 Oct 2014 16:31:24 +0200
Subject: [PATCH 2/2] Make named.conf template platform independent
---
install/share/bind.named.conf.template | 8 ++++----
ipaplatform/base/paths.py | 1 +
ipaserver/install/bindinstance.py | 4 ++++
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index cdf21c1429f204e6ce5d4e4bcb1460f9fd0bb5b8..2017cb7961e544b113750a95f3025edc923a0fbb 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -3,7 +3,7 @@ options {
listen-on-v6 {any;};
// Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
+ directory "$NAMED_VAR_DIR"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
@@ -14,8 +14,8 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-keytab "/etc/named.keytab";
- pid-file "/run/named/named.pid";
+ tkey-gssapi-keytab "$NAMED_KEYTAB";
+ pid-file "$NAMED_PID";
dnssec-enable yes;
@@ -42,7 +42,7 @@ zone "." IN {
file "named.ca";
};
-include "/etc/named.rfc1912.zones";
+include "$RFC1912_ZONES";
include "$ROOT_KEY";
dynamic-db "ipa" {
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index cc24dcdb4c44d7b30ebf11d65101bd4f0b478309..41739f002932694e2d3e24f39f48d4fa96f7a4cb 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -69,6 +69,7 @@ class BasePathNamespace(object):
LDAP_CONF = "/etc/ldap.conf"
LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
NAMED_CONF = "/etc/named.conf"
+ NAMED_VAR_DIR = "/var/named"
NAMED_KEYTAB = "/etc/named.keytab"
NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
NAMED_ROOT_KEY = "/etc/named.root.key"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 928ca1b5c85d78d6a983d4e39ed8f957def040e4..636e04f5ee40d250f7fe8bd01578924669571bae 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -666,6 +666,10 @@ class BindInstance(service.Service):
BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
ROOT_KEY=paths.NAMED_ROOT_KEY,
+ NAMED_KEYTAB=paths.NAMED_KEYTAB,
+ RFC1912_ZONES=paths.NAMED_RFC1912_ZONES,
+ NAMED_PID=paths.NAMED_PID,
+ NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
)
def __setup_dns_container(self):
--
1.8.3.1
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel