On 18/11/14 15:01, Jan Cholasta wrote:
Hi,

Dne 13.11.2014 v 14:50 Martin Basti napsal(a):
On 13/11/14 13:59, Jan Cholasta wrote:
Dne 12.11.2014 v 13:33 Martin Basti napsal(a):
On 11/11/14 16:58, Jan Cholasta wrote:
Hi,

Dne 11.11.2014 v 16:22 Martin Basti napsal(a):
Using the specfile to create the file doesn't work if the named user is not on the
system.
Appropriate permissions have to be set during ipa-dns installation.

Patch attached


Why is the directory set up in dnskeysyncinstance instead of
bindinstance?
Because dnskeysyncinstance is the daemon which requires the permission
change.
(The dir is created by the dyndb-ldap plugin.)

OK. But please rename the method to something more suitable
(fix_dyndb_ldap_workdir_permissions?) and add a docstring/comment.

Also please change the ticket link to
<https://fedorahosted.org/freeipa/ticket/4716> (cloned from BZ).



The original patch was released with 4.1.1; shouldn't there be an update
in ipa-upgradeconfig?
Cases:
1) fresh RPM install, no named user during RPM install -> named doesn't
start, the user has to fix it immediately and can't wait until the next release.

2) fresh RPM install, named user -> no impact

3) upgrade IPA with DNS -> no impact

4) upgrade IPA without DNS -> after DNS installation, same as 1)

5) IPA 4.1.0 with installed DNS, upgrade to 4.1.2 -> DNSSEC will not
work (if the user doesn't use DNSSEC)

Only 5) looks serious to me, so here is an updated patch.

Could you do the update without the code duplication? In similar code
an appropriate *instance method is usually called.

The uid/gid resolution in ipa-upgradeconfig still looks like duplicated code to me. I would suggest doing something along these lines in ipa-upgradeconfig:

    dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
    dnskeysync.set_dyndb_ldap_workdir_permissions()

and have DNSKeySyncInstance.set_dyndb_ldap_workdir_permissions() do all the real work.

Updated patch attached.
Martin^2




Martin^2

Honza




Honza

Thanks.
Updated patch attached.
Martin^2


Honza



--
Martin Basti

From 59b6e540f03898ffc93621a3eab74b7e07974728 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 11 Nov 2014 13:00:18 +0100
Subject: [PATCH] Fix named working directory permissions

Just adding the dir to the specfile doesn't work, because it is not guaranteed
that named is installed during RPM installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4716
---
 freeipa.spec.in                         |  3 +--
 install/tools/ipa-upgradeconfig         | 14 +++++++++++++
 ipaplatform/base/paths.py               |  1 +
 ipaserver/install/dnskeysyncinstance.py | 36 +++++++++++++++++++++++++++------
 4 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
 install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -660,7 +659,6 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
@@ -774,6 +772,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
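Review bot: the new `%ghost %{_localstatedir}/named/dyndb-ldap/ipa` entry drops the `%dir` flag that the removed `%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/` line carried, so RPM records the path as a regular file and `rpm -V` will report a type mismatch once the installer creates the directory. Suggest `%ghost %dir %{_localstatedir}/named/dyndb-ldap/ipa/`, keeping the trailing slash the other %dir entries in this file use.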
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6556d8f313d3a9efeb32d4cba97cb82796459652..b0b574476ffc5ce6f075cf46177cc059483551ab 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ import shutil
 import pwd
 import fileinput
 import ConfigParser
+import grp
 
 from ipalib import api
 import SSSDConfig
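Review bot: `import grp` is added here, but nothing in the ipa-upgradeconfig changes of this patch calls grp; the gid lookup now lives in DNSKeySyncInstance.__get_named_gid(), so the import is dead code and should be dropped.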
@@ -1161,6 +1162,18 @@ def mask_named_regular():
     return False
 
 
+def fix_dyndb_ldap_workdir_permissions():
+    """Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it"""
+    if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'):
+        return
+
+    if bindinstance.named_conf_exists():
+        root_logger.info('[Fix bind-dyndb-ldap IPA working directory]')
+        dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
+        dnskeysync.set_dyndb_ldap_workdir_permissions()
+
+    sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)
+
 
 def fix_schema_file_syntax():
     """Fix syntax errors in schema files
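Review bot: fix_dyndb_ldap_workdir_permissions() returns None on every path, yet the call-site hunk below puts it in the named_conf_changes tuple, whose any() check decides whether named is restarted; mirror mask_named_regular() in the context above, which returns False, and return True when the directory was created or its owner/mode changed (set_dyndb_ldap_workdir_permissions() would have to report that), or leave it out of that tuple if no restart is wanted. The upgrade state is also marked done when named.conf is absent; that is fine because create_instance() runs the same method during a later DNS install, but say so in a comment.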
@@ -1433,6 +1446,7 @@ def main():
                           named_managed_keys_dir_option(),
                           named_root_key_include(),
                           mask_named_regular(),
+                          fix_dyndb_ldap_workdir_permissions(),
                          )
 
     if any(named_conf_changes):
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af502628e493ad7b4d8d30ed1acb98bba8cb39e4..e4970e9b684b06ad98d56605d6d0419cb9e39cb2 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -189,6 +189,7 @@ class BasePathNamespace(object):
     BIN_WGET = "/usr/bin/wget"
     ZIP = "/usr/bin/zip"
     BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+    BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
     BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
     USR_LIB_DIRSRV = "/usr/lib/dirsrv"
     USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983fb689f14656431496dfd4b2bb2e30a9..5da65d87b1471710b762f90b9a33c453c7d809b7 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -60,7 +60,6 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
 
     return ret
 
-
 class DNSKeySyncInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None, logger=root_logger,
                  ldapi=False):
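Review bot: the removed blank line leaves a single blank line between dnssec_container_exists() and class DNSKeySyncInstance; PEP 8 wants two blank lines around top-level definitions, and the change is unrelated to the fix, so drop it from the patch.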
@@ -84,6 +83,23 @@ class DNSKeySyncInstance(service.Service):
 
     suffix = ipautil.dn_attribute_property('_suffix')
 
+    def set_dyndb_ldap_workdir_permissions(self):
+        """
+        Setting up correct permissions to allow write/read access for daemons
+        """
+        if self.named_uid is None:
+            self.named_uid = self.__get_named_uid()
+
+        if self.named_gid is None:
+            self.named_gid = self.__get_named_gid()
+
+        if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+            os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+        # dnssec daemons require to have access into the directory
+        os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+        os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+                 self.named_gid)
+
     def remove_replica_public_keys(self, replica_fqdn):
         ldap = api.Backend.ldap2
         dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
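Review bot: the `self.named_uid is None` / `self.named_gid is None` tests assume __init__ initialises both attributes to None, which this hunk does not show; the ipa-upgradeconfig path calls set_dyndb_ldap_workdir_permissions() on a fresh instance without going through __check_dnssec_status(), so if they are not initialised the upgrade fails with AttributeError instead of fixing the directory. Two smaller points: os.mkdir() is not recursive, so a missing /var/named/dyndb-ldap parent surfaces as a bare OSError with no hint that bind-dyndb-ldap provides it, and the comment "dnssec daemons require to have access into the directory" should say how they get it, since 0770 named:named only admits processes running as named or in the named group.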
@@ -119,6 +135,8 @@ class DNSKeySyncInstance(service.Service):
         self.ldap_connect()
         # checking status step must be first
         self.step("checking status", self.__check_dnssec_status)
+        self.step("setting up bind-dyndb-ldap working directory",
+                  self.set_dyndb_ldap_workdir_permissions)
         self.step("setting up kerberos principal", self.__setup_principal)
         self.step("setting up SoftHSM", self.__setup_softhsm)
         self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
@@ -127,20 +145,26 @@ class DNSKeySyncInstance(service.Service):
         # we need restart named after setting up this service
         self.start_creation()
 
-    def __check_dnssec_status(self):
+    def __get_named_uid(self):
         named = services.knownservices.named
-        ods_enforcerd = services.knownservices.ods_enforcerd
-
         try:
-            self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+            return pwd.getpwnam(named.get_user_name()).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
+    def __get_named_gid(self):
+        named = services.knownservices.named
         try:
-            self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+            return grp.getgrnam(named.get_group_name()).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
+    def __check_dnssec_status(self):
+        ods_enforcerd = services.knownservices.ods_enforcerd
+
+        self.named_uid = self.__get_named_uid()
+        self.named_gid = self.__get_named_gid()
+
         try:
             self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
         except KeyError:
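Review bot: the RuntimeError messages "Named UID not found" and "Named GID not found" in __get_named_uid()/__get_named_gid() are exactly what case 1) from the thread (no named user at install time) will print; include named.get_user_name() and named.get_group_name() in the message so the admin can see which account is missing. Both helpers also look up services.knownservices.named separately where one lookup would do.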
-- 
1.8.3.1

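As an added example (not part of the patch or the FreeIPA code base), the following Python 3 helper generalises the idea behind set_dyndb_ldap_workdir_permissions() as discussed in the thread: create the working directory if it is missing, force the 0770 mode and the service owner, and report whether anything changed so an upgrade step can decide about restarts. It also refuses to act on a symlink or file planted at the path, tolerates a concurrent creator, and names the missing account when the service user does not exist yet (case 1 above). The path, user and group names are parameters; the "named" defaults in the usage block are hypothetical.

```python
"""Idempotent owner/mode fix for a daemon's runtime-created working directory.

Added example, not FreeIPA code. Python 3; run as root to operate on a real
service directory, as it chowns to the service account.
"""
import errno
import grp
import os
import pwd
import stat

WORKDIR_MODE = 0o770  # same mode the removed %attr(0770,named,named) spec entry used


def resolve_ids(user, group):
    """Map account names to (uid, gid), naming the missing account on failure.

    This is the condition behind case 1) in the thread: the package that creates
    the service account is not installed yet, so the lookup raises KeyError.
    """
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        raise RuntimeError("user %r does not exist; install the package that provides it first" % user)
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        raise RuntimeError("group %r does not exist; install the package that provides it first" % group)
    return uid, gid


def ensure_workdir(path, uid, gid, mode=WORKDIR_MODE):
    """Create *path* if needed and force its owner and mode.

    Returns True if anything on disk was changed, so an upgrade step can use the
    result to decide whether dependent services need a restart.
    """
    changed = False
    try:
        os.mkdir(path, mode)  # mode is masked by umask; the chmod below makes it exact
        changed = True
    except OSError as exc:
        if exc.errno != errno.EEXIST:  # a concurrent creator is fine, anything else is not
            raise
    # lstat, not stat: a symlink left at the path must not redirect chown/chmod elsewhere
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s exists but is not a directory" % path)
    if stat.S_IMODE(st.st_mode) != mode:
        os.chmod(path, mode)
        changed = True
    if (st.st_uid, st.st_gid) != (uid, gid):
        os.chown(path, uid, gid)
        changed = True
    return changed


def check_workdir(path, uid, gid, mode=WORKDIR_MODE):
    """Return a list of findings; an empty list means the directory is as expected."""
    problems = []
    try:
        st = os.lstat(path)
    except OSError:
        return ["%s is missing" % path]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        problems.append("mode is %04o, expected %04o" % (actual, mode))
    if st.st_uid != uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, uid))
    if st.st_gid != gid:
        problems.append("group gid is %d, expected %d" % (st.st_gid, gid))
    return problems


if __name__ == "__main__":
    # Hypothetical values mirroring the thread; needs root and an existing named account.
    named_uid, named_gid = resolve_ids("named", "named")
    workdir = "/var/named/dyndb-ldap/ipa"
    print("changed:", ensure_workdir(workdir, named_uid, named_gid))
    print("problems:", check_workdir(workdir, named_uid, named_gid))
```

The lstat/S_ISDIR check is the part worth keeping even when the rest is simplified: os.path.exists() followed by chown/chmod follows symlinks, so a link dropped at the path by anyone who can write the parent would redirect the ownership change elsewhere.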
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel