Hello!

Patch 131:
https://fedorahosted.org/freeipa/ticket/3801#comment:31

Patch 132:
I modified named.conf in 131, so I changed the rest of the paths to be ipaplatform-specific.

Patches attached

--
Martin Basti

From 4fe9f258c272d9d7c98b084579bafbef6ba6bc83 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 2 Oct 2014 14:55:10 +0200
Subject: [PATCH 1/2] Add missing attributes to named.conf

Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
---
 install/share/bind.named.conf.template |   6 ++
 install/tools/ipa-upgradeconfig        | 120 +++++++++++++++++++++++++++++++++
 ipaplatform/base/paths.py              |   3 +
 ipaserver/install/bindinstance.py      |  28 ++++++++
 4 files changed, 157 insertions(+)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 6db17120f983d3762d4fb728d262eae10a18f74e..cdf21c1429f204e6ce5d4e4bcb1460f9fd0bb5b8 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -18,6 +18,11 @@ options {
 	pid-file "/run/named/named.pid";
 
 	dnssec-enable yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "$BINDKEYS_FILE";
+
+	managed-keys-directory "$MANAGED_KEYS_DIR";
 };
 
 /* If you want to enable debugging, eg. using the 'rndc trace' command,
@@ -38,6 +43,7 @@ zone "." IN {
 };
 
 include "/etc/named.rfc1912.zones";
+include "$ROOT_KEY";
 
 dynamic-db "ipa" {
 	library "ldap.so";
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb59066b515d33bebc19ca5afb4f50548bb2..93ce71dd5fb198e986230dbfac63ef910b8b6beb 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -624,6 +624,123 @@ def named_enable_dnssec():
     return True
 
 
+def named_bindkey_file_option():
+    """
+    Add options bindkey_file to named.conf
+    """
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'bindkey-file_updated'):
+        root_logger.debug('Skip bindkey-file configuration check')
+        return False
+
+    try:
+        bindkey_file = bindinstance.named_conf_get_directive('bindkey-file',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve bindkey-file option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if bindkey_file:
+            root_logger.debug('bindkey-file configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True)
+            return False
+
+    root_logger.info('[Setting "bindkeys-file" option in named.conf]')
+    try:
+        bindinstance.named_conf_set_directive('bindkeys-file',
+                                              paths.NAMED_BINDKEYS_FILE,
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot update bindkeys-file configuration in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+
+    sysupgrade.set_upgrade_state('named.conf', 'bindkey-file_updated', True)
+    return True
+
+def named_managed_keys_dir_option():
+    """
+    Add options managed_keys_directory to named.conf
+    """
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'managed-keys-directory_updated'):
+        root_logger.debug('Skip managed-keys-directory configuration check')
+        return False
+
+    try:
+        managed_keys = bindinstance.named_conf_get_directive('managed-keys-directory',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve managed-keys-directory option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if managed_keys:
+            root_logger.debug('managed_keys_directory configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True)
+            return False
+
+    root_logger.info('[Setting "managed-keys-directory" option in named.conf]')
+    try:
+        bindinstance.named_conf_set_directive('managed-keys-directory',
+                                              paths.NAMED_MANAGED_KEYS_DIR,
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot update managed-keys-directory configuration in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+
+    sysupgrade.set_upgrade_state('named.conf', 'managed-keys-directory_updated', True)
+    return True
+
+def named_root_key_include():
+    """
+    Add options managed_keys_directory to named.conf
+    """
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'root_key_updated'):
+        root_logger.debug('Skip root key configuration check')
+        return False
+
+    try:
+        root_key = bindinstance.named_conf_include_exists(paths.NAMED_ROOT_KEY)
+    except IOError, e:
+        root_logger.error('Cannot check root key include in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if root_key:
+            root_logger.debug('root keys configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
+            return False
+
+    root_logger.info('[Including named root key in named.conf]')
+    try:
+        bindinstance.named_conf_add_include(paths.NAMED_ROOT_KEY)
+    except IOError, e:
+        root_logger.error('Cannot update named root key include in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+
+    sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
+    return True
+
 def certificate_renewal_update(ca):
     """
     Update certmonger certificate renewal configuration.
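Review bot: `named_bindkey_file_option` looks up a directive named `bindkey-file` (the `named_conf_get_directive` call at the top of the function) but sets `bindkeys-file`, which is the name the template uses and the one BIND understands, so the existence check can never find an already-present option and, whenever the upgrade state is not yet recorded, the function always falls through to `named_conf_set_directive`. Change the lookup to `bindkey_file = bindinstance.named_conf_get_directive('bindkeys-file',` and, for consistency, the state key to `'bindkeys-file_updated'`. The docstring of `named_root_key_include` is copied from the previous function and should read `Add include of the named root key to named.conf`; the other two docstrings name the directives with underscores rather than their real spelling. The three functions differ only in directive name, value and state key, so a private helper taking those three arguments would remove the duplication. What `named_conf_set_directive` does when the directive is already present is not visible here, so whether the missed check ends in a duplicated line or a harmless rewrite cannot be confirmed from this hunk.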
@@ -1170,6 +1287,9 @@ def main():
                           named_update_gssapi_configuration(),
                           named_update_pid_file(),
                           named_enable_dnssec(),
+                          named_bindkey_file_option(),
+                          named_managed_keys_dir_option(),
+                          named_root_key_include(),
                          )
 
     if any(named_conf_changes):
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1d936016a698339c337b189335926663f76383f4..cc24dcdb4c44d7b30ebf11d65101bd4f0b478309 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -71,6 +71,9 @@ class BasePathNamespace(object):
     NAMED_CONF = "/etc/named.conf"
     NAMED_KEYTAB = "/etc/named.keytab"
     NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
+    NAMED_ROOT_KEY = "/etc/named.root.key"
+    NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
+    NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
     NSLCD_CONF = "/etc/nslcd.conf"
     NSS_LDAP_CONF = "/etc/nss_ldap.conf"
     NSSWITCH_CONF = "/etc/nsswitch.conf"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2e8836ec6bc9e727a6917523a0979febd33a1585..928ca1b5c85d78d6a983d4e39ed8f957def040e4 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -55,6 +55,9 @@ named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
 # non string args for options section
 named_conf_arg_options_re_nonstr = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+(?P<value>[^"]+)\s*;')
 named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
+# include directive
+named_conf_include_re = re.compile(r'\s*include\s+"(?P<path>)"\s*;')
+named_conf_include_template = "include \"%(path)s\";\n"
 
 def check_inst(unattended):
     has_bind = True
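Review bot: The `named_conf_include_re` pattern added here has an empty named group, `(?P<path>)`, so it only matches `include "";` and `match.group('path')` is always the empty string; `named_conf_include_exists` in the next hunk compares that against a real path and therefore never returns True for a non-empty path. Change the group to capture the quoted text: `named_conf_include_re = re.compile(r'\s*include\s+"(?P<path>[^"]*)"\s*;')`. As written, `named_root_key_include` in ipa-upgradeconfig would append the root-key include a second time on a server whose named.conf already carries it (for example one installed from the updated template) if the upgrade state for that step has not yet been recorded.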
@@ -203,6 +206,28 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA,
     with open(NAMED_CONF, 'w') as f:
         f.write("".join(new_lines))
 
+def named_conf_include_exists(path):
+    """
+    Check if include exists in named.conf
+    :param path: path in include directive
+    :return: True if include exists, else False
+    """
+    with open(NAMED_CONF, 'r') as f:
+        for line in f:
+            match = named_conf_include_re.match(line)
+            if match and path == match.group('path'):
+                return True
+
+    return False
+
+def named_conf_add_include(path):
+    """
+    append include at the end of file
+    :param path: path to be insert to include directive
+    """
+    with open(NAMED_CONF, 'a') as f:
+        f.write(named_conf_include_template % {'path': path})
+
 def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
                          autobind=ipaldap.AUTOBIND_DISABLED):
     """
@@ -638,6 +663,9 @@ class BindInstance(service.Service):
             OPTIONAL_NTP=optional_ntp,
             ZONEMGR=self.zonemgr,
             IPA_CA_RECORD=ipa_ca,
+            BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
+            MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
+            ROOT_KEY=paths.NAMED_ROOT_KEY,
             )
 
     def __setup_dns_container(self):
-- 
1.8.3.1

From c923f3f461b18915e51ec76a5915e6a0580c9e9a Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 2 Oct 2014 16:31:24 +0200
Subject: [PATCH 2/2] Make named.conf template platform independent

---
 install/share/bind.named.conf.template | 8 ++++----
 ipaplatform/base/paths.py              | 1 +
 ipaserver/install/bindinstance.py      | 4 ++++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index cdf21c1429f204e6ce5d4e4bcb1460f9fd0bb5b8..2017cb7961e544b113750a95f3025edc923a0fbb 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -3,7 +3,7 @@ options {
 	listen-on-v6 {any;};
 
 	// Put files that named is allowed to write in the data/ directory:
-	directory "/var/named"; // the default
+	directory "$NAMED_VAR_DIR"; // the default
 	dump-file		"data/cache_dump.db";
 	statistics-file		"data/named_stats.txt";
 	memstatistics-file	"data/named_mem_stats.txt";
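Review bot: The `// the default` trailer on the `directory` line no longer describes a literal value now that the path is substituted from `$NAMED_VAR_DIR`; drop it or replace it with `// from ipaplatform paths.NAMED_VAR_DIR`. The later hunks in this file substitute `$NAMED_KEYTAB`, `$NAMED_PID` and `$RFC1912_ZONES` without such a comment, so removing it also keeps the template consistent.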
@@ -14,8 +14,8 @@ options {
 	// Any host is permitted to issue recursive queries
 	allow-recursion { any; };
 
-	tkey-gssapi-keytab "/etc/named.keytab";
-	pid-file "/run/named/named.pid";
+	tkey-gssapi-keytab "$NAMED_KEYTAB";
+	pid-file "$NAMED_PID";
 
 	dnssec-enable yes;
 
@@ -42,7 +42,7 @@ zone "." IN {
 	file "named.ca";
 };
 
-include "/etc/named.rfc1912.zones";
+include "$RFC1912_ZONES";
 include "$ROOT_KEY";
 
 dynamic-db "ipa" {
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index cc24dcdb4c44d7b30ebf11d65101bd4f0b478309..41739f002932694e2d3e24f39f48d4fa96f7a4cb 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -69,6 +69,7 @@ class BasePathNamespace(object):
     LDAP_CONF = "/etc/ldap.conf"
     LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
     NAMED_CONF = "/etc/named.conf"
+    NAMED_VAR_DIR = "/var/named"
     NAMED_KEYTAB = "/etc/named.keytab"
     NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
     NAMED_ROOT_KEY = "/etc/named.root.key"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 928ca1b5c85d78d6a983d4e39ed8f957def040e4..636e04f5ee40d250f7fe8bd01578924669571bae 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -666,6 +666,10 @@ class BindInstance(service.Service):
             BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
             MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
             ROOT_KEY=paths.NAMED_ROOT_KEY,
+            NAMED_KEYTAB=paths.NAMED_KEYTAB,
+            RFC1912_ZONES=paths.NAMED_RFC1912_ZONES,
+            NAMED_PID=paths.NAMED_PID,
+            NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
             )
 
     def __setup_dns_container(self):
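Review bot: `NAMED_PID=paths.NAMED_PID` refers to a path attribute that neither this patch nor patch 1 adds to `BasePathNamespace`; the paths.py hunks add only `NAMED_VAR_DIR`, `NAMED_ROOT_KEY`, `NAMED_BINDKEYS_FILE` and `NAMED_MANAGED_KEYS_DIR`. If `NAMED_PID` is not already defined in ipaplatform, rendering the template raises AttributeError during DNS installation, so please confirm it exists (the existing `named_update_pid_file` upgrade step suggests it may). The enclosing method begins outside this hunk.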
-- 
1.8.3.1
