[Freeipa-devel] [PATCHES 0117, 0135-0149] DNSSEC support
Jan Cholasta
jcholast at redhat.com
Tue Oct 21 06:33:33 UTC 2014
On 20.10.2014 at 23:40 Martin Basti wrote:
> On 20/10/14 18:28, Jan Cholasta wrote:
>> Hi,
>>
>> On 20.10.2014 at 17:37 Petr Spacek wrote:
>>> On 20.10.2014 17:21, Martin Basti wrote:
>>>> Hello! Hold your hats, DNSSEC patches are here.
>>>>
>>>> Martin^2, Petr^2
>>>
>>> For testing you will need the following package:
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=7915293
>>>
>>> From me, functional self-ACK :-)
>>>
>>
>> Patch 117:
>>
>> 1)
>>
>> As we discussed off-line, this code is wrong and a ticket should be
>> opened to fix it to properly handle service files conflicting with the
>> mask command:
>>
>> + if instance_name != "":
>> + srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
>> instance_name)
>> + # remove instance file or link before masking
>> + if os.path.islink(srv_tgt):
>> + os.unlink(srv_tgt)
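Review bot: The comment above the `islink` check says "remove instance file or link before masking", but only a symlink is removed; when `srv_tgt` is a regular unit file it is left in place, which is the conflict with the mask command raised in this review. Handle the regular-file case explicitly (report an error or move the file aside) instead of silently skipping it, and call `os.unlink` inside a try/except for OSError rather than checking first, since the path can change between `islink` and `unlink`. `instance_name` is also joined into the path unchecked: `os.path.join` drops `paths.ETC_SYSTEMD_SYSTEM_DIR` when the second argument is absolute, so confirm it is a bare unit name before building `srv_tgt`.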
>>
>>
>> Patch 137:
>>
>> 1)
>>
>> There are some whitespace errors:
>>
>> Applying: DNSSEC: add ipapk11helper module
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:95:
>> trailing whitespace.
>> *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:100:
>> trailing whitespace.
>> *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:105:
>> trailing whitespace.
>> *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:203:
>> trailing whitespace.
>> *
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:208:
>> trailing whitespace.
>> *
>> warning: squelched 3 whitespace errors
>> warning: 8 lines add whitespace errors.
>>
>>
>> Patch 138:
>>
>> 1)
>>
>> There is a whitespace error:
>>
>> Applying: DNSSEC: DNS key synchronization daemon
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:54: new
>> blank line at EOF.
>> +
>> warning: 1 line adds whitespace errors.
>>
>>
>> Patch 140:
>>
>> 1)
>>
>> Unless there is a dnssec_keys ipalib plugin, I don't think there
>> should be container_dnssec_keys. Use "DN(('cn', 'keys'), ('cn',
>> 'sec'), api.env.container_dns, ...)" instead of
>> "DN(api.env.container_dnssec_keys, ...)".
>>
>>
>> 2)
>>
>> The masking method definitions in PlatformService should be moved to
>> patch 117.
>>
>>
>> 3)
>>
>> The changes in dnskeysyncinstance.py, odsexportedinstance.py and
>> opendnssecinstance.py should be moved to patches 138 and 139.
>>
>>
>> Patch 147:
>>
>> 1)
>>
>> There are some whitespace errors:
>>
>> Applying: DNSSEC: add ipa dnssec daemons
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:135:
>> trailing whitespace.
>> # synchronize metadata about master keys in LDAP
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1228:
>> trailing whitespace.
>>
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1291:
>> trailing whitespace.
>>
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:873: new
>> blank line at EOF.
>> +
>> /home/jcholast/FreeIPA/git/freeipa/.git/rebase-apply/patch:1126: new
>> blank line at EOF.
>> +
>> warning: squelched 1 whitespace error
>> warning: 6 lines add whitespace errors.
>>
>>
>> Honza
>>
> Whitespaces fixed,
> mask, and dnssec_container issues move to 4.1.1 please.
mask ACK, container NACK - I don't think we want to introduce a new
configuration option and deprecate it right away and it's a change in
just 3 lines of code.
>
> But we have schema conflict:
>
> [20/Oct/2014:04:48:40 -0400] dse_read_one_file - The entry cn=schema in
> file /etc/dirsrv/slapd-IPA-EXAMPLE/schema/71idviews.ldif (lineno: 1) is
> invalid, error code 20 (Type or value exists) - object class
> ipaOverrideTarget: The name does not match the OID
> "2.16.840.1.113730.3.8.12.34". Another object class is already using the
> name or OID.
>
> git grep -n "2.16.840.1.113730.3.8.12.34"
> install/share/60basev3.ldif:79:objectClasses:
> (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect
> storage for encoded key material' SUP top AUXILIARY MUST (
> ipaSecretKeyRef ) X-...
>
> install/share/71idviews.ldif:8:objectClasses:
> (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL
> MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
>
> Updated patches attached.
> "2.16.840.1.113730.3.8.12.35" is not used, I changed it in patch mbasti-0150
NACK on patch 150, 2.16.840.1.113730.3.8.12.34 was reserved for
ipaSecretKeyRefObject, there is no reserved OID for ipaOverrideTarget,
so it's ipaOverrideTarget which should be fixed.
--
Jan Cholasta
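
The OID collision discussed above can be caught before the directory server rejects the schema by scanning the LDIF files for OIDs bound to more than one name. This is an added example, not part of the original message or of FreeIPA; the file contents are constructed and simplified from the definitions quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, simplified schema files modelled on the definitions quoted above.
# 1.3.6.1.4.1.99999.1 / exampleAttr is a made-up, non-conflicting entry.
SAMPLE_FILES = {
    "60basev3.ldif": (
        "dn: cn=schema\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34\n"
        "  NAME 'ipaSecretKeyRefObject' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) )\n"
    ),
    "71idviews.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: (1.3.6.1.4.1.99999.1 NAME 'exampleAttr' )\n"
        "objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget'\n"
        "  SUP top STRUCTURAL MUST ( ipaAnchorUUID ) )\n"
    ),
}

DEF_RE = re.compile(
    r"^(?:objectClasses|attributeTypes):\s*\(\s*([0-9.]+)\s+NAME\s+\(?\s*'([^']+)'",
    re.IGNORECASE,
)

def unfold(text):
    """Return [(first_lineno, logical_line)]; a leading space continues the previous line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            out[-1] = (out[-1][0], out[-1][1] + raw[1:])
        else:
            out.append((n, raw))
    return out

def find_oid_conflicts(files):
    """Return {oid: [(name, filename, lineno), ...]} for OIDs bound to more than one name."""
    by_oid = defaultdict(list)
    for fname, text in files.items():
        for lineno, line in unfold(text):
            m = DEF_RE.match(line)
            if m:
                by_oid[m.group(1)].append((m.group(2), fname, lineno))
    # Schema names are case-insensitive, so compare them lowercased.
    return {oid: defs for oid, defs in by_oid.items()
            if len({name.lower() for name, _, _ in defs}) > 1}

if __name__ == "__main__":
    for oid, defs in find_oid_conflicts(SAMPLE_FILES).items():
        print(oid, "is claimed by:")
        for name, fname, lineno in defs:
            print(f"  {fname}:{lineno}: {name}")
```

Only the first name of a multi-valued `NAME ( ... )` list is compared, which is enough to flag the case in this thread.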