On 30.6.2015 16:04, Martin Basti wrote:
> On 30/06/15 10:25, Martin Basti wrote:
>> On 29/06/15 15:16, Martin Basti wrote:
>>> On 25/06/15 13:46, Petr Spacek wrote:
>>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or
>>>>>>>>> replacing the current DNSSEC key master with another IPA server.
>>>>>>>>>
>>>>>>>>> Only for master branch.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>>
>>>>>>>>> Patches attached.
>>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>>
>>>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>> 2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>>>     return_value = main_function()
>>>>>>>>
>>>>>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>>
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>>>     ", ".join(dnssec_zones))
>>>>>>>>
>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>> Due to the new installers, more changes were required.
>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>>
>>>>> Rebased patches attached.
>>>> NACK.
>>>>
>>>>
>>>> 0) ipa-dns-install --replace-dnssec-master always puts the file into
>>>> /root/ipa-kasp.db.
>>>>
>>>> It would be better to put it into the local working directory or /var/lib/ipa
>>>> (as with replica files).
>>>>
>>>>
>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services
>>>> were not stopped by ipactl stop:
>>>>
>>>> [root@vm-134 review]# ipactl stop
>>>> Stopping ipa-otpd Service
>>>> Stopping httpd Service
>>>> Stopping ipa_memcached Service
>>>> Stopping kadmin Service
>>>> Stopping krb5kdc Service
>>>> Stopping Directory Service
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> [root@vm-134 review]# ipactl start
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting ipa_memcached Service
>>>> Starting httpd Service
>>>> Starting ipa-otpd Service
>>>> Starting ipa-ods-exporter Service
>>>> Starting ods-enforcerd Service
>>>> Starting ipa-dnskeysyncd Service
>>>>
>>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>>
>>>>
>>>> 2a) vm-134 was the original master. I ran this:
>>>>
>>>> [root@vm-134 review]# ipa-dns-install
>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> ... and then attempted to install master to vm-059:
>>>> [root@vm-059 review]# ipa-dns-install --dnssec-master
>>>>
>>>> This command was accepted despite the missing --kasp-db option and wrong
>>>> replica name.
>>>>
>>>> It should error out and tell the user to run the command with --kasp-db
>>>> option.
>>>>
>>>> Even better, we could get rid of explicit replica name specification in
>>>> --replace-dnssec-master option and allow running the installation with
>>>> --kasp-db on any replica as long as the kasp.db file is provided.
>>>>
>>>>
>>>>
>>>> 2b) An attempt to move DNSSEC key master from vm-134 to vm-090 *without*
>>>> specifying the --kasp-db option was accepted.
>>>>
>>>> [root@vm-090 review]# ipa-dns-install --dnssec-master
>>>>
>>>> As in case (2a), it should print what the user is supposed to do.
>>>>
>>>> I propose the following text:
>>>>
>>>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
>>>> moved to a different server.
>>>>
>>>> You need to copy the kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com>
>>>> and run the following command to complete the transition:
>>>>
>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>>
>>>>
>>>>
>>>> 3) [root@vm-134 review]# ipa-dns-install
>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .
>>>>
>>>>
>>>> 4) [root@vm-134 review]# ipa-dns-install
>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> it is possible to run
>>>>
>>>> [root@vm-134 review]# ipa-dns-install --dnssec-master
>>>>
>>>> again without --kasp-db and it is accepted.
>>>>
>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly
>>>> removed from
>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>>
>>>>
>>>>
>>>>
>>>> 5) Sequence of commands
>>>> [root@vm-134 review]# ipa-dns-install
>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> [root@vm-090 review]# ipa-replica-manage del
>>>> vm-134.abc.idm.lab.eng.brq.redhat.com
>>>>
>>>> allows me to run
>>>> [root@vm-090 review]# ipa-dns-install --dnssec-master
>>>>
>>>> without the --kasp-db option, it does not throw an error, and the information
>>>> that some other master existed somewhere is lost.
>>>>
>>>> It would probably be better to replace this and use some global attribute
>>>> in cn=dns so similar problems do not happen.
>>>>
>>>>
>>>>
>>>> 6) The migration itself seems to work, KASP DB seems to work properly,
>>>> however it is necessary to run 'ods-ksmutil zonelist' command *before* all the
>>>> daemons on the new master are (re)started. This needs to be done to re-generate
>>>> file /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>
>>>> Here please be careful about file permissions.
>>>>
>>>> The command should be run under 'ods' user to avoid permission clobbering.
>>>>
>>>>
>>>> Thank you for your hard work on this!
>>>>
>>> New patches attached.
>>>
>>> A major part of the code was changed.
>>>
>>> Please apply patch 268 first.
>>>
>>>
>>>
>>>
>>>
>> Updated patches attached.
>>
>> I just changed the error log to a debug log:
>>                  ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>> -            except CalledProcessError as e:
>> -                root_logger.error("%s", e)
>> +            except CalledProcessError:
>> +                root_logger.debug("OpenDNSSEC database has not been 
>> updated")
>>
>> As this is not an error during uninstall.
>>
>> -- 
>> Martin Basti
>>
>>
> Updated patches attached.

Cond-NACK. Moving master does not work without additional patching. I'm
attaching a fix for this + some polish for messages.

Please review my amendments; it can be pushed if you are okay with my changes.

-- 
Petr^2 Spacek
From ad15e86313e0281ec7e4ad178fbaf3cffc618aab Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 30 Jun 2015 20:53:06 +0200
Subject: [PATCH] fixup! DNSSEC: allow to disable/replace DNSSEC key master

---
 ipaplatform/base/paths.py               |  1 +
 ipaserver/install/opendnssecinstance.py | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index d96bf7d660859bf4836834de1f5246cb6e2a33b8..ab88e8f12d915af033e7117adb7f7ea2f0a32e3e 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -90,6 +90,7 @@ class BasePathNamespace(object):
     ETC_OPENDNSSEC_DIR = "/etc/opendnssec"
     OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml"
     OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml"
+    OPENDNSSEC_ZONELIST_FILE = "/etc/opendnssec/zonelist.xml"
     OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
     PAM_LDAP_CONF = "/etc/pam_ldap.conf"
     PASSWD = "/etc/passwd"
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index dea6c654abd8017c2c5218ba48b74cde0768dea1..d68691fa32f135c7527ce28ed771757eadab4831 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -288,8 +288,15 @@ class OpenDNSSECInstance(service.Service):
 
             # regenerate zonelist.xml
             ods_enforcerd = services.knownservices.ods_enforcerd
-            cmd = ['ods-ksmutil', 'zonelist']
-            ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
+            cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
+            stdout, stderr, retcode = ipautil.run(cmd,
+                                          runas=ods_enforcerd.get_user_name())
+            with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
+                zonelistf.write(stdout)
+                os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
+                         self.ods_uid, self.ods_gid)
+                os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0660)
+
         else:
             # initialize new kasp.db
             command = [
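Review bot: the new zonelist write in this hunk creates the file as root via `open(paths.OPENDNSSEC_ZONELIST_FILE, 'w')` and only afterwards runs `os.chown`/`os.chmod`, so for a moment the file exists root-owned with umask permissions, and if the write raises it is left truncated and root-owned, which is the permission clobbering the earlier review (point 6) warned about. Consider writing to a temporary file in the same directory, applying chown/chmod, then `os.rename` over the final path. Also `stderr` and `retcode` are unpacked but never used (ipautil.run already raises CalledProcessError on a non-zero exit), and the hunk relies on `os` being imported in this module and on `self.ods_uid`/`self.ods_gid` being set before this point, neither of which is visible here.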
-- 
2.1.0

From 9f8f315b9a827bcba12764de72952b0c0eed7e31 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 30 Jun 2015 21:29:26 +0200
Subject: [PATCH] fixup! DNSSEC: update message

---
 ipaserver/install/dns.py | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 1382382b587edce097fc866cac3079b9d0590e87..bd176c1efc5ed0cddefe481c94c41f7be484b98e 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -154,8 +154,15 @@ def install_check(standalone, replica, options, hostname):
         if dnssec_zones and not options.force:
             raise RuntimeError(
                 "Cannot disable DNSSEC key master, DNSSEC signing is still "
-                "enabled for following zone(s): %s\n"
-                "Use --force option to skip this check." %
+                "enabled for following zone(s):\n"
+                "%s\n"
+                "It is possible to move DNSSEC key master role to a different "
+                "server by using --force option to skip this check.\n\n"
+                "WARNING: You have to immediatelly copy kasp.db file to a new "
+                "server and run command 'ipa-dns-install --dnssec-master "
+                "--kasp-db'.\n"
+                "Your DNS zones will become unavailable if you "
+                "do not reinstall the DNSSEC key master role immediatelly." %
                 ", ".join([str(zone) for zone in dnssec_zones]))
     elif options.dnssec_master:
         # check opendnssec packages are installed
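Review bot: "immediatelly" is misspelled twice in the new message text of this hunk ("immediatelly copy kasp.db file" and "role immediatelly"); it should be "immediately". The WARNING also tells the user to run 'ipa-dns-install --dnssec-master --kasp-db', but --kasp-db takes a path argument; spelling it as --kasp-db=/path/to/kasp.db, as proposed earlier in this thread, would make the instruction complete.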
@@ -186,18 +193,25 @@ def install_check(standalone, replica, options, hostname):
                             suplementary_groups=[named.get_group_name()])
             except CalledProcessError as e:
                 root_logger.debug("%s", e)
-                raise RuntimeError("IPA server cannot be the new DNSSEC master "
-                                   "(some keys are missing)")
+                raise RuntimeError("This IPA server cannot be promoted to "
+                                   "DNSSEC master role because some keys were "
+                                   "not replicated from the original "
+                                   "DNSSEC master server")
             finally:
                 if dnskeysyncd_running:
                     dnskeysyncd.start()
         elif dnssec_zones and not options.force:
             # some zones have --dnssec=true, make sure a user really want to
             # install new database
             raise RuntimeError(
-                "DNSSEC is enabled for following zone(s): %s\n"
-                "Please use option --kasp-db to keep current OpenDNSSEC "
-                "database or use --force option to skip this check." %
+                "DNSSEC signing is already enabled for following zone(s): %s\n"
+                "Installation cannot continue without the OpenDNSSEC database "
+                "file from the original DNSSEC master server.\n"
+                "Please use option --kasp-db to specify location "
+                "of the kasp.db file copied from the original "
+                "DNSSEC master server.\n"
+                "WARNING: Zones will become unavailable if you do not provide "
+                "the original kasp.db file." %
                 ", ".join([str(zone) for zone in dnssec_zones]))
 
 
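Review bot: the rewritten message in the second block says "Installation cannot continue without the OpenDNSSEC database file", but the guarding condition is still `elif dnssec_zones and not options.force:`, so --force bypasses this check exactly as before; the old text mentioned --force and the new text does not. Either mention --force here, as the first message in this file does, or, if bypassing is not wanted for this case, drop `not options.force` from the condition so the message matches the behaviour.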
-- 
2.1.0

From 5a71eb493c0153a6a45a2ebd3e6356e66d7e62ea Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 30 Jun 2015 21:48:47 +0200
Subject: [PATCH] DNSSEC: ipa-dns-install: Detect existing master server
 sooner.

The user should get the error before installing missing packages etc.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipaserver/install/dns.py | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index bd176c1efc5ed0cddefe481c94c41f7be484b98e..a307ec5f935cce6e9b2d9f6a9d9253074ef28ecc 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -94,6 +94,7 @@ def install_check(standalone, replica, options, hostname):
     global ip_addresses
     global dns_forwarders
     global reverse_zones
+    fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     if standalone:
         print "=============================================================================="
@@ -164,7 +165,18 @@ def install_check(standalone, replica, options, hostname):
                 "Your DNS zones will become unavailable if you "
                 "do not reinstall the DNSSEC key master role immediatelly." %
                 ", ".join([str(zone) for zone in dnssec_zones]))
+
     elif options.dnssec_master:
+        ods = opendnssecinstance.OpenDNSSECInstance(
+            fstore, ldapi=True)
+        ods.realm = api.env.realm
+        dnssec_masters = ods.get_masters()
+        # we can reinstall current server if it is dnssec master
+        if api.env.host not in dnssec_masters and dnssec_masters:
+            print "DNSSEC key master(s):", u','.join(dnssec_masters)
+            sys.exit("Only one DNSSEC key master is supported in current "
+                     "version.")
+
         # check opendnssec packages are installed
         if not opendnssecinstance.check_inst():
             sys.exit("Aborting installation")
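Review bot: the moved block still reports via `print` plus `sys.exit`, while the neighbouring checks in install_check raise RuntimeError with the details in the message; raising RuntimeError here too would keep error handling consistent for the caller. Minor: `u','.join(dnssec_masters)` prints the masters with no space between names; `', '.join(...)` reads better. Since the block now sits inside `elif options.dnssec_master:`, it is skipped when --disable-dnssec-master is also given, which is acceptable only because the following patch rejects that combination.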
@@ -214,20 +226,6 @@ def install_check(standalone, replica, options, hostname):
                 "the original kasp.db file." %
                 ", ".join([str(zone) for zone in dnssec_zones]))
 
-
-    fstore = sysrestore.FileStore(paths.SYSRESTORE)
-
-    if options.dnssec_master:
-        ods = opendnssecinstance.OpenDNSSECInstance(
-            fstore, ldapi=True)
-        ods.realm = api.env.realm
-        dnssec_masters = ods.get_masters()
-        # we can reinstall current server if it is dnssec master
-        if api.env.host not in dnssec_masters and dnssec_masters:
-            print "DNSSEC key master(s):", u','.join(dnssec_masters)
-            sys.exit("Only one DNSSEC key master is supported in current "
-                     "version.")
-
     ip_addresses = get_server_ip_address(
         hostname, fstore, options.unattended, True, options.ip_addresses)
 
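Review bot: this hunk removes the only other `fstore = sysrestore.FileStore(paths.SYSRESTORE)` assignment, and `get_server_ip_address(hostname, fstore, ...)` immediately below still uses `fstore`; that is correct only because the first hunk of this patch creates `fstore` unconditionally at the top of install_check, so the two hunks must land together and must not be cherry-picked separately.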
-- 
2.1.0

From 0cb17d11a235e3591482db87942360ac148be2ba Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 30 Jun 2015 22:05:44 +0200
Subject: [PATCH] DNSSEC: Detect attempt to install & disable master at the
 same time.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipaserver/install/dns.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index a307ec5f935cce6e9b2d9f6a9d9253074ef28ecc..9012e9121384142c028f18a08d69af2b59281d6b 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -146,6 +146,9 @@ def install_check(standalone, replica, options, hostname):
         sys.exit("Aborting installation.")
 
     if options.disable_dnssec_master:
+        if options.dnssec_master:
+            sys.exit("Invalid combination of parameters: "
+                     "--dnssec-master and --disable-dnssec")
         _is_master()
 
     if options.disable_dnssec_master or options.dnssec_master:
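Review bot: the error text in this hunk names the option as "--disable-dnssec", but the attribute being checked is `options.disable_dnssec_master`, which the CLI spells --disable-dnssec-master (see the 'ipa-dns-install --disable-dnssec-master' invocation earlier in this thread); the message should name the real option so the user can find it. The check is otherwise placed correctly, before `_is_master()` runs.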
-- 
2.1.0
