On 30.6.2015 16:04, Martin Basti wrote:
> On 30/06/15 10:25, Martin Basti wrote:
>> On 29/06/15 15:16, Martin Basti wrote:
>>> On 25/06/15 13:46, Petr Spacek wrote:
>>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server.
>>>>>>>>>
>>>>>>>>> Only for master branch.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>>
>>>>>>>>> Patches attached.
>>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>>
>>>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>> 2015-06-05T10:52:35Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>>> return_value = main_function()
>>>>>>>>
>>>>>>>> File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>> dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>>
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>>> ", ".join(dnssec_zones))
>>>>>>>>
>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>> Due to new installers, more changes were required.
>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>>
>>>>> Rebased patches attached.
>>>> NACK.
>>>>
>>>>
>>>> 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db.
>>>>
>>>> It would be better to put it into local working directory or /var/lib/ipa (as with replica files).
>>>>
>>>>
>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop:
>>>>
>>>> [root@vm-134 review]# ipactl stop
>>>> Stopping ipa-otpd Service
>>>> Stopping httpd Service
>>>> Stopping ipa_memcached Service
>>>> Stopping kadmin Service
>>>> Stopping krb5kdc Service
>>>> Stopping Directory Service
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> [root@vm-134 review]# ipactl start
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting ipa_memcached Service
>>>> Starting httpd Service
>>>> Starting ipa-otpd Service
>>>> Starting ipa-ods-exporter Service
>>>> Starting ods-enforcerd Service
>>>> Starting ipa-dnskeysyncd Service
>>>>
>>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>>
>>>>
>>>> 2a) vm-134 was the original master. I ran this:
>>>>
>>>> [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> ... and then attempted to install master to vm-059:
>>>> [root@vm-059 review]# ipa-dns-install --dnssec-master
>>>>
>>>> This command was accepted despite the missing --kasp-db option and wrong replica name.
>>>>
>>>> It should error out and tell the user to run the command with --kasp-db option.
>>>>
>>>> Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided.
>>>>
>>>>
>>>>
>>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted.
>>>>
>>>> [root@vm-090 review]# ipa-dns-install --dnssec-master
>>>>
>>>> As in case (2a), it should print what the user is supposed to do.
>>>>
>>>> I propose the following text:
>>>>
>>>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being moved to different server.
>>>>
>>>> You need to copy kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com> and run following command to complete the transition:
>>>>
>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>>
>>>>
>>>>
>>>> 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .
>>>>
>>>>
>>>> 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> it is possible to run
>>>>
>>>> [root@vm-134 review]# ipa-dns-install --dnssec-master
>>>>
>>>> again without --kasp-db and it is accepted.
>>>>
>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly removed from
>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>>
>>>>
>>>>
>>>>
>>>> 5) Sequence of commands
>>>> [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> allows me to run
>>>> [root@vm-090 review]# ipa-dns-install --dnssec-master
>>>>
>>>> without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost.
>>>>
>>>> It would probably be better to replace this and to use some global attribute in cn=dns so similar problems do not happen.
>>>>
>>>>
>>>>
>>>> 6) The migration itself seems to work, KASP DB seems to work properly, however it is necessary to run 'ods-ksmutil zonelist' command *before* all the daemons on the new master are (re)started. This needs to be done to re-generate file /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>
>>>> Here please be careful about file permissions.
>>>>
>>>> The command should be run under 'ods' user to avoid permission clobbering.
>>>>
>>>>
>>>> Thank you for your hard work on this!
>>>>
>>> New patches attached.
>>>
>>> Major part of the code was changed.
>>>
>>> Please apply patch 268 first.
>>>
>>>
>>>
>>>
>>>
>> Updated patches attached.
>>
>> I just changed the error log to debug log
>> ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>> - except CalledProcessError as e:
>> - root_logger.error("%s", e)
>> + except CalledProcessError:
>> + root_logger.debug("OpenDNSSEC database has not been updated")
>>
>> As this is not an error during uninstall.
>>
>> --
>> Martin Basti
>>
>>
> Updated patches attached.
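Review bot: in the quoted except block, dropping `as e` means the exception text is no longer logged anywhere; the debug line "OpenDNSSEC database has not been updated" records that something failed but not why. Lowering the level from error to debug is reasonable for uninstall, but keep the exception in the message, e.g. `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`, so a failing ods-ksmutil run during uninstall is still diagnosable from ipaserver-uninstall.log rather than silently swallowed.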
Cond-NACK. Moving master does not work without additional patching. I'm attaching a fix for this + some polish for messages.

Please review my amendments; it can be pushed if you are okay with my changes.

-- 
Petr^2 Spacek
From ad15e86313e0281ec7e4ad178fbaf3cffc618aab Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 30 Jun 2015 20:53:06 +0200 Subject: [PATCH] fixup! DNSSEC: allow to disable/replace DNSSEC key master --- ipaplatform/base/paths.py | 1 + ipaserver/install/opendnssecinstance.py | 11 +++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index d96bf7d660859bf4836834de1f5246cb6e2a33b8..ab88e8f12d915af033e7117adb7f7ea2f0a32e3e 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -90,6 +90,7 @@ class BasePathNamespace(object): ETC_OPENDNSSEC_DIR = "/etc/opendnssec" OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml" OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml" + OPENDNSSEC_ZONELIST_FILE = "/etc/opendnssec/zonelist.xml" OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf" PAM_LDAP_CONF = "/etc/pam_ldap.conf" PASSWD = "/etc/passwd" diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index dea6c654abd8017c2c5218ba48b74cde0768dea1..d68691fa32f135c7527ce28ed771757eadab4831 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -288,8 +288,15 @@ class OpenDNSSECInstance(service.Service): # regenerate zonelist.xml ods_enforcerd = services.knownservices.ods_enforcerd - cmd = ['ods-ksmutil', 'zonelist'] - ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) + cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export'] + stdout, stderr, retcode = ipautil.run(cmd, + runas=ods_enforcerd.get_user_name()) + with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf: + zonelistf.write(stdout) + os.chown(paths.OPENDNSSEC_ZONELIST_FILE, + self.ods_uid, self.ods_gid) + os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0660) + else: # initialize new kasp.db command = [ -- 2.1.0
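Review bot: in the opendnssecinstance.py hunk the return code from `ipautil.run` is unpacked into `retcode` but never checked, and `stdout` is written straight over `paths.OPENDNSSEC_ZONELIST_FILE` with `open(..., 'w')`, so if `ods-ksmutil zonelist export` fails (or ipautil.run is ever called in a mode that does not raise on non-zero exit) the existing zonelist.xml is truncated to an empty or partial file before any error surfaces. Suggest checking `retcode == 0` explicitly (or a comment stating that ipautil.run raises), and writing to a temporary file in /etc/opendnssec followed by `os.rename` so the replacement is atomic; the chown/chmod can then be applied to the temporary file before the rename. Please also confirm that `os` is imported in this module and that `paths.ODS_KSMUTIL` already exists, since neither is visible in this diff, and note that `0660` is the Python 2 octal literal form and will need to become `0o660` if the file is ever run under Python 3.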
From 9f8f315b9a827bcba12764de72952b0c0eed7e31 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 30 Jun 2015 21:29:26 +0200 Subject: [PATCH] fixup! DNSSEC: update message --- ipaserver/install/dns.py | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index 1382382b587edce097fc866cac3079b9d0590e87..bd176c1efc5ed0cddefe481c94c41f7be484b98e 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -154,8 +154,15 @@ def install_check(standalone, replica, options, hostname): if dnssec_zones and not options.force: raise RuntimeError( "Cannot disable DNSSEC key master, DNSSEC signing is still " - "enabled for following zone(s): %s\n" - "Use --force option to skip this check." % + "enabled for following zone(s):\n" + "%s\n" + "It is possible to move DNSSEC key master role to a different " + "server by using --force option to skip this check.\n\n" + "WARNING: You have to immediatelly copy kasp.db file to a new " + "server and run command 'ipa-dns-install --dnssec-master " + "--kasp-db'.\n" + "Your DNS zones will become unavailable if you " + "do not reinstall the DNSSEC key master role immediatelly." % ", ".join([str(zone) for zone in dnssec_zones])) elif options.dnssec_master: # check opendnssec packages are installed 
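Review bot: the new message text in this hunk misspells "immediatelly" (twice); it should be "immediately". The instruction "run command 'ipa-dns-install --dnssec-master --kasp-db'" also shows `--kasp-db` without a value, although the option takes a path, so the user-facing text should read `--kasp-db=/path/to/the/copied/kasp.db` (the form proposed earlier in this thread). Minor: "for following zone(s)" reads better as "for the following zone(s)".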
@@ -186,18 +193,25 @@ def install_check(standalone, replica, options, hostname): suplementary_groups=[named.get_group_name()]) except CalledProcessError as e: root_logger.debug("%s", e) - raise RuntimeError("IPA server cannot be the new DNSSEC master " - "(some keys are missing)") + raise RuntimeError("This IPA server cannot be promoted to " + "DNSSEC master role because some keys were " + "not replicated from the original " + "DNSSEC master server") finally: if dnskeysyncd_running: dnskeysyncd.start() elif dnssec_zones and not options.force: # some zones have --dnssec=true, make sure a user really want to # install new database raise RuntimeError( - "DNSSEC is enabled for following zone(s): %s\n" - "Please use option --kasp-db to keep current OpenDNSSEC " - "database or use --force option to skip this check." % + "DNSSEC signing is already enabled for following zone(s): %s\n" + "Installation cannot continue without the OpenDNSSEC database " + "file from the original DNSSEC master server.\n" + "Please use option --kasp-db to specify location " + "of the kasp.db file copied from the original " + "DNSSEC master server.\n" + "WARNING: Zones will become unavailable if you do not provide " + "the original kasp.db file." % ", ".join([str(zone) for zone in dnssec_zones])) -- 2.1.0
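Review bot: the rewritten RuntimeError text in the `elif dnssec_zones and not options.force` branch no longer mentions `--force`, yet the condition still honours it, so the message now says "Installation cannot continue without the OpenDNSSEC database file" while the code still lets a user who deliberately wants a fresh database bypass the check. Either keep one sentence about `--force` (as the removed text had) or, if bypassing is now discouraged, say so explicitly; the message and the condition should agree. Also "for following zone(s)" should read "for the following zone(s)", and in the first RuntimeError "cannot be promoted to DNSSEC master role" reads better as "to the DNSSEC master role".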
From 5a71eb493c0153a6a45a2ebd3e6356e66d7e62ea Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 30 Jun 2015 21:48:47 +0200 Subject: [PATCH] DNSSEC: ipa-dns-install: Detect existing master server sooner. User should get the error before he installs missing packages etc. https://fedorahosted.org/freeipa/ticket/4657 --- ipaserver/install/dns.py | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index bd176c1efc5ed0cddefe481c94c41f7be484b98e..a307ec5f935cce6e9b2d9f6a9d9253074ef28ecc 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -94,6 +94,7 @@ def install_check(standalone, replica, options, hostname): global ip_addresses global dns_forwarders global reverse_zones + fstore = sysrestore.FileStore(paths.SYSRESTORE) if standalone: print "==============================================================================" @@ -164,7 +165,18 @@ def install_check(standalone, replica, options, hostname): "Your DNS zones will become unavailable if you " "do not reinstall the DNSSEC key master role immediatelly." % ", ".join([str(zone) for zone in dnssec_zones])) + elif options.dnssec_master: + ods = opendnssecinstance.OpenDNSSECInstance( + fstore, ldapi=True) + ods.realm = api.env.realm + dnssec_masters = ods.get_masters() + # we can reinstall current server if it is dnssec master + if api.env.host not in dnssec_masters and dnssec_masters: + print "DNSSEC key master(s):", u','.join(dnssec_masters) + sys.exit("Only one DNSSEC key master is supported in current " + "version.") + # check opendnssec packages are installed if not opendnssecinstance.check_inst(): sys.exit("Aborting installation") 
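Review bot: the relocated master check in the second hunk now sits in the `elif options.dnssec_master:` branch chained to `if options.disable_dnssec_master:`, whereas the block it replaces (removed later in this patch) was an unconditional `if options.dnssec_master:`. When both --disable-dnssec-master and --dnssec-master are passed, the `elif` is never reached and the "Only one DNSSEC key master is supported" check is silently skipped; that combination should be rejected explicitly before this point rather than relying on the first branch winning. The `print` of the existing masters followed by `sys.exit(...)` is fine, but consider emitting both via the same channel (sys.exit writes to stderr, print to stdout) so the two lines stay together when output is redirected.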
@@ -214,20 +226,6 @@ def install_check(standalone, replica, options, hostname): "the original kasp.db file." % ", ".join([str(zone) for zone in dnssec_zones])) - - fstore = sysrestore.FileStore(paths.SYSRESTORE) - - if options.dnssec_master: - ods = opendnssecinstance.OpenDNSSECInstance( - fstore, ldapi=True) - ods.realm = api.env.realm - dnssec_masters = ods.get_masters() - # we can reinstall current server if it is dnssec master - if api.env.host not in dnssec_masters and dnssec_masters: - print "DNSSEC key master(s):", u','.join(dnssec_masters) - sys.exit("Only one DNSSEC key master is supported in current " - "version.") - ip_addresses = get_server_ip_address( hostname, fstore, options.unattended, True, options.ip_addresses) -- 2.1.0
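Review bot: this hunk deletes the old in-place check together with the `fstore = sysrestore.FileStore(paths.SYSRESTORE)` assignment, but the unchanged `get_server_ip_address(hostname, fstore, ...)` call right below still needs `fstore`; it now depends on the assignment that the first hunk of this patch hoists to the top of `install_check`, so the hunks must not be applied separately and the commit message could mention that the variable was moved. Worth double-checking that nothing between the new location and this call rebinds `fstore` on the `replica` path, which the diff does not show.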
From 0cb17d11a235e3591482db87942360ac148be2ba Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 30 Jun 2015 22:05:44 +0200 Subject: [PATCH] DNSSEC: Detect attempt to install & disable master at the same time. https://fedorahosted.org/freeipa/ticket/4657 --- ipaserver/install/dns.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index a307ec5f935cce6e9b2d9f6a9d9253074ef28ecc..9012e9121384142c028f18a08d69af2b59281d6b 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -146,6 +146,9 @@ def install_check(standalone, replica, options, hostname): sys.exit("Aborting installation.") if options.disable_dnssec_master: + if options.dnssec_master: + sys.exit("Invalid combination of parameters: " + "--dnssec-master and --disable-dnssec") _is_master() if options.disable_dnssec_master or options.dnssec_master: -- 2.1.0
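Review bot: the error string names the option as `--disable-dnssec`, but the option actually being checked (`options.disable_dnssec_master`) is `--disable-dnssec-master`, as used elsewhere in this thread (`ipa-dns-install --disable-dnssec-master`); the message should name the real flag so the user can find it in --help. Placing the check ahead of `_is_master()` is the right spot, since it rejects the combination before any LDAP lookup is made.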
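The zonelist regeneration step discussed in review item 6 (export the zone list as the ods user, before any daemon on the new master is started, and get the file ownership right) is also the part of the first fixup patch where a failed export could leave a truncated /etc/opendnssec/zonelist.xml behind. The following is an added example written for this thread, not FreeIPA code: it runs an exporter command, refuses to install anything unless the command exits 0 and produces a well-formed `<ZoneList>` document, and then installs the result atomically (temp file, chmod/chown, rename). The exporter command, the destination path, the uid/gid and the sample export text are all assumptions or constructed test data; `ods-ksmutil zonelist export` is not invoked here so the example runs anywhere.

```python
import os
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET


def run_export(cmd, uid=None, gid=None):
    """Run the exporter command and return its stdout.

    A non-zero exit raises RuntimeError, so a failed export is never mistaken
    for a valid zone list.  When uid/gid are given, the child drops privileges
    before exec (the 'run it as the ods user' point from the review)."""
    def demote():
        if gid is not None:
            os.setgid(gid)
        if uid is not None:
            os.setuid(uid)

    proc = subprocess.run(cmd, capture_output=True, text=True,
                          preexec_fn=demote if (uid, gid) != (None, None) else None)
    if proc.returncode != 0:
        raise RuntimeError("zonelist export failed (rc=%d): %s"
                           % (proc.returncode, proc.stderr.strip()))
    return proc.stdout


def parse_zonelist(text):
    """Require well-formed XML with a <ZoneList> root; return the root element."""
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as e:
        raise ValueError("exporter output is not well-formed XML: %s" % e)
    if root.tag != "ZoneList":
        raise ValueError("unexpected root element %r" % root.tag)
    return root


def write_atomically(dest, content, uid=None, gid=None, mode=0o660):
    """Write next to dest and rename over it: readers see the old complete
    file or the new complete file, never an empty or partial one."""
    fd, tmp = tempfile.mkstemp(prefix=".zonelist.", dir=os.path.dirname(dest) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)               # explicit mode, independent of umask
        if uid is not None and gid is not None:
            os.chown(tmp, uid, gid)       # hand the file to the ods user before it is visible
        os.replace(tmp, dest)             # atomic rename on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def regenerate_zonelist(dest, cmd, uid=None, gid=None):
    """Export -> validate -> install atomically.  Returns the number of zones."""
    text = run_export(cmd, uid, gid)
    root = parse_zonelist(text)
    write_atomically(dest, text, uid, gid)
    return len(root.findall("Zone"))


# Constructed sample export (shape of an OpenDNSSEC zonelist, invented zones).
SAMPLE_EXPORT = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<ZoneList>\n'
    '  <Zone name="ipa.example"><Policy>default</Policy></Zone>\n'
    '  <Zone name="10.in-addr.arpa"><Policy>default</Policy></Zone>\n'
    '</ZoneList>\n'
)


def fake_exporter(output, rc=0):
    """Test double: a command that prints `output` and exits with `rc`."""
    return [sys.executable, "-c",
            "import sys; sys.stdout.write(%r); sys.exit(%d)" % (output, rc)]


def demo():
    """Exercise failed export, bad XML and a good export in a scratch dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "zonelist.xml")
        with open(dest, "w") as f:
            f.write("<ZoneList><Zone name='old.example'/></ZoneList>")
        try:                                   # 1. exporter fails: old file must survive
            regenerate_zonelist(dest, fake_exporter("", rc=1))
        except RuntimeError:
            results["failed_export_kept_old"] = "old.example" in open(dest).read()
        try:                                   # 2. exporter emits garbage: rejected too
            regenerate_zonelist(dest, fake_exporter("<not-a-zonelist/>"))
        except ValueError:
            results["bad_xml_kept_old"] = "old.example" in open(dest).read()
        results["zones"] = regenerate_zonelist(dest, fake_exporter(SAMPLE_EXPORT))
        results["mode"] = os.stat(dest).st_mode & 0o777
        results["new_content"] = "10.in-addr.arpa" in open(dest).read()
        results["no_tempfiles"] = not [n for n in os.listdir(d) if n.startswith(".zonelist.")]
    return results


if __name__ == "__main__":
    print(demo())
```

On a real key master the call would be `regenerate_zonelist(paths.OPENDNSSEC_ZONELIST_FILE, ["ods-ksmutil", "zonelist", "export"], uid=ods_uid, gid=ods_gid)` run before ods-enforcerd and ipa-ods-exporter start; the privilege drop and the chown need root, which is why `demo()` leaves uid/gid unset.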
-- 
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code