[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872 Author: stlaz Title: #872: Add IPA-specific bind unit file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/872/head:pr872 git checkout pr872
From c8f0060ce4ac27db4db1771a65b9319fb6557cdc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file
During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service. https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in | 1 +
 init/systemd/Makefile.am | 2 +
 init/systemd/ipa-named-pkcs11.service.in | 27
 ipaplatform/redhat/services.py | 3 +-
 ipaserver/install/bindinstance.py| 66
 ipaserver/install/server/upgrade.py | 45 +--
 ipatests/pytest_plugins/integration/tasks.py | 4 +-
 ipatests/test_xmlrpc/test_location_plugin.py | 4 +-
 8 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@ AUTOMAKE_OPTIONS = 1.7
 dist_noinst_DATA = \
+ ipa-named-pkcs11.service.in \
 ipa-custodia.service.in \
 ipa.service.in
 systemdsystemunit_DATA = \
+ ipa-named-pkcs11.service \
 ipa-custodia.service \
 ipa.service
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..ee5060e28f 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
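Review bot: `After=krb5kdc.service` in the new unit is an ordering dependency only; systemd honours it only when krb5kdc.service is queued in the same transaction, so on a boot where nothing pulls the KDC unit in, named still starts without waiting and the failure described in the commit message can recur. If named genuinely must not start before the KDC, add `Wants=krb5kdc.service` beside the `After=` line (not `Requires=`, which would also take named down whenever the KDC is stopped). The unit appears to be a copy of the distro named-pkcs11 unit with absolute paths baked in, so a header comment such as `# Derived from the packaged named-pkcs11.service; keep ExecStartPre/ExecStart in sync with it` would tell the next maintainer where upstream changes must be mirrored. The identical file is added again by the two later revisions of this PR.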
@@ -62,7 +62,8 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56aa0..dbc014303e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api):
 self.forwarders = None
 self.sub_dict = None
 self.reverse_zones = []
-self.named_regular = services.service('named-regular', api)
+# these DNS services should be disabled prior to setting up our own
+self.regular_dns_services = {
+'named': services.service('named-regular', api),
+'named-pkcs11': services.service('named-pkcs11-regular', api)
+}
 suffix = ipautil.dn_attribute_property('_suffix')
@@ -735,8 +73
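Review bot: Re-pointing the existing `named-pkcs11` key (and, through the next line, the `named` alias) at `ipa-named-pkcs11.service` changes which unit every caller of `services.service('named-pkcs11')` or `knownservices.named` manages, while a server upgraded in place still has the distro `named-pkcs11.service` enabled; the new unit pins `PIDFile=/run/named/named.pid` and the distro unit presumably does the same, so unless the upgrade code disables the old unit before enabling the new one the two will compete at boot. The `named-pkcs11-regular` key added here is presumably the handle for that, and a comment would pin the contract: `# 'named-pkcs11' is now the IPA-owned unit; the distro unit stays reachable as 'named-pkcs11-regular' so upgrade/uninstall can disable it`. Whether the base platform's service list also needs the new name cannot be seen in this hunk. The same remapping recurs in the two later revisions of this PR, and the last one drops the `-regular` key entirely, leaving no services-layer name through which the distro unit can be disabled.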
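Review bot: The `__init__` hunk replaces the attribute `named_regular` with the dict `regular_dns_services`, which changes BindInstance's public surface; anything outside this file that reads `instance.named_regular` (none is visible here) would now raise AttributeError, so either grep for such readers or keep a compatibility alias on the class such as `named_regular = property(lambda self: self.regular_dns_services['named'])`. The key `'named-pkcs11-regular'` is defined only in the Red Hat platform module within this patch, so on other platforms `services.service('named-pkcs11-regular', api)` may not resolve to a real unit; a comment or a check in whatever consumes the dict would make that explicit. The rest of `__init__` and the second bindinstance hunk lie outside this chunk, and the same change appears in the second revision of this PR.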
[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872 Author: stlaz Title: #872: Add IPA-specific bind unit file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/872/head:pr872 git checkout pr872
From 37f46e4f72622a3458e43d1b960ea03cdf47a99a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file
During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service. https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in | 1 +
 init/systemd/Makefile.am | 2 +
 init/systemd/ipa-named-pkcs11.service.in | 27
 ipaplatform/redhat/services.py | 3 +-
 ipaserver/install/bindinstance.py| 66
 ipaserver/install/server/upgrade.py | 45 +--
 ipatests/pytest_plugins/integration/tasks.py | 4 +-
 ipatests/test_xmlrpc/test_location_plugin.py | 4 +-
 8 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@ AUTOMAKE_OPTIONS = 1.7
 dist_noinst_DATA = \
+ ipa-named-pkcs11.service.in \
 ipa-custodia.service.in \
 ipa.service.in
 systemdsystemunit_DATA = \
+ ipa-named-pkcs11.service \
 ipa-custodia.service \
 ipa.service
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..ee5060e28f 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,8 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56aa0..27f67fa83a 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api):
 self.forwarders = None
 self.sub_dict = None
 self.reverse_zones = []
-self.named_regular = services.service('named-regular', api)
+# these DNS services should be disabled prior to setting up our own
+self.regular_dns_services = {
+'named': services.service('named-regular', api),
+'named-pkcs11': services.service('named-pkcs11-regular', api)
+}
 suffix = ipautil.dn_attribute_property('_suffix')
@@ -735,8 +73
[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file
URL: https://github.com/freeipa/freeipa/pull/872 Author: stlaz Title: #872: Add IPA-specific bind unit file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/872/head:pr872 git checkout pr872
From 5cdf5d0cff1a743c8257528324acb153214cc044 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file
During upgrade of Fedora 25 to 26, when FreeIPA is installed with DNS, bind attempts to start before KDC which leads to a failed start because it requires a ticket to connect to LDAP. Add an own unit file with a dependency which sets bind to start after the KDC service. https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in | 1 +
 init/systemd/Makefile.am | 2 ++
 init/systemd/ipa-named-pkcs11.service.in | 27 ++
 ipaplatform/redhat/services.py | 2 +-
 ipaserver/install/server/upgrade.py | 34
 ipatests/pytest_plugins/integration/tasks.py | 4 ++--
 ipatests/test_xmlrpc/test_location_plugin.py | 4 ++--
 7 files changed, 65 insertions(+), 9 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@ AUTOMAKE_OPTIONS = 1.7
 dist_noinst_DATA = \
+ ipa-named-pkcs11.service.in \
 ipa-custodia.service.in \
 ipa.service.in
 systemdsystemunit_DATA = \
+ ipa-named-pkcs11.service \
 ipa-custodia.service \
 ipa.service
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..279a117e03 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,7 @@ redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e2abefc21..49a380e656 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -31,6 +31,7 @@ from ipaclient.install.client import sssd_enable_service
 from ipaplatform import services
 from ipaplatform.tasks import tasks
+from ipaplatform.base.services import SystemdService
 from ipapython import ipautil, version, certdb
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dnsutil
@@ -1592,6 +1593,28 @@ def disable_httpd_system_trust(http):
 db.add_cert(cert, nickname, trust_flags)
+def swap_bind_unit_files(fstore):
+"""
+IPA changed its unit file, stop named-pkcs11 service using the old and
+use the new instead
+"""
+root_logger.info('[Making bind use FreeIPA-specific unit file]')
+
+if
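Review bot: The new `from ipaplatform.base.services import SystemdService` import brings a systemd-specific class into ipaserver/install/server/upgrade.py, whose surrounding imports only go through the platform-neutral `ipaplatform.services` and `ipaplatform.tasks` layer; any code in this module that uses SystemdService directly assumes the host is systemd-based, which is exactly what ipaplatform exists to hide. The function that appears to use it, `swap_bind_unit_files`, begins at the end of this chunk and continues outside it, so how the class is used cannot be checked here. Prefer obtaining both the old and the new unit through `services.service(...)` so the platform module decides how a unit is stopped and disabled; if the direct use is intentional, say so at the import: `# systemd-specific: the unit-file swap has no equivalent on non-systemd platforms`.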