[Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server

Martin Basti mbasti at redhat.com
Mon Jun 29 13:16:07 UTC 2015


On 25/06/15 13:46, Petr Spacek wrote:
> On 17.6.2015 13:37, Martin Basti wrote:
>> On 17/06/15 13:26, Petr Spacek wrote:
>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or replacing
>>>>>> the current DNSSEC key master with another IPA server.
>>>>>>
>>>>>> Only for master branch.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>
>>>>>> Patches attached.
>>>>> NACK. This happens on DNSSEC key master:
>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>
>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>       2015-06-05T10:52:35Z DEBUG   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>>>>> 733, in run_script
>>>>>        return_value = main_function()
>>>>>
>>>>>      File "/sbin/ipa-dns-install", line 128, in main
>>>>>        dns_installer.disable_dnssec_master(options.unattended)
>>>>>
>>>>>      File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line
>>>>> 112,
>>>>> in disable_dnssec_master
>>>>>        ", ".join(dnssec_zones))
>>>>>
>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>
>>>> Updated patches attached.
>>>>
>>>> Due to the new installers, more changes were required.
>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>
>> Rebased patches attached.
> NACK.
>
>
> 0) ipa-dns-install --replace-dnssec-master always puts the file into
> /root/ipa-kasp.db.
>
> It would be better to put it into local working directory or /var/lib/ipa (as
> with replica files).
>
>
> 1) I installed the DNSSEC key master role on vm-134 but the DNSSEC services were
> not stopped by ipactl stop:
>
> [root at vm-134 review]# ipactl stop
> Stopping ipa-otpd Service
> Stopping httpd Service
> Stopping ipa_memcached Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> ipa: INFO: The ipactl command was successful
>
> [root at vm-134 review]# ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting ipa-otpd Service
> Starting ipa-ods-exporter Service
> Starting ods-enforcerd Service
> Starting ipa-dnskeysyncd Service
>
> Subsequent ipactl stop worked fine, only the first one is affected.
>
>
> 2a) vm-134 was the original master. I ran this:
>
> [root at vm-134 review]# ipa-dns-install
> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>
> ... and then attempted to install master to vm-059:
> [root at vm-059 review]# ipa-dns-install --dnssec-master
>
> This command was accepted despite the missing --kasp-db option and the wrong
> replica name.
>
> It should error out and tell the user to run the command with the --kasp-db option.
>
> Even better, we could get rid of the explicit replica name specification in the
> --replace-dnssec-master option and allow running the installation with --kasp-db on
> any replica as long as the kasp.db file is provided.
>
>
>
> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
> specifying --kasp-db option was accepted.
>
> [root at vm-090 review]# ipa-dns-install --dnssec-master
>
> As in case (2a), it should print what the user is supposed to do.
>
> I propose the following text:
>
> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
> moved to a different server.
>
> You need to copy the kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com> and
> run the following command to complete the transition:
>
> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>
>
>
> 3) [root at vm-134 review]# ipa-dns-install
> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
> does not remove the ISMASTER option from the file /etc/sysconfig/ipa-dnskeysyncd.
>
>
> 4) [root at vm-134 review]# ipa-dns-install
> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>
> it is possible to run
>
> [root at vm-134 review]# ipa-dns-install --dnssec-master
>
> again without --kasp-db and it is accepted.
>
> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly
> removed from
> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>
>
>
> 5) Sequence of commands
> [root at vm-134 review]# ipa-dns-install
> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>
> [root at vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com
>
> allows me to run
> [root at vm-090 review]# ipa-dns-install --dnssec-master
>
> without --kasp-db option, it does not throw an error, and the information that
> some other master existed somewhere is lost.
>
> It would probably be better to replace this and use some global attribute
> in cn=dns so similar problems do not happen.
>
>
>
> 6) The migration itself seems to work, KASP DB seems to work properly, however
> it is necessary to run 'ods-ksmutil zonelist' command *before* all the daemons
> on the new master are (re)started. This needs to be done to re-generate file
> /etc/opendnssec/zonelist.xml from the new (copied) DB.
>
> Here please be careful about file permissions.
>
> The command should be run under the 'ods' user to avoid permission clobbering.
>
>
> Thank you for your hard work on this!
>
New patches attached.

A major part of the code was changed.

Please apply patch 268 first.



-- 
Martin Basti
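The review points above (the TypeError from joining DNSName objects in the first NACK, and points 2a, 2b, 4 and 5 about accepting `--dnssec-master` without `--kasp-db` or on the wrong replica) can be modelled as a small state-gate. The block below is an added illustration written for this thread, not code from the patches or from FreeIPA; the `DNSName` class is a constructed stand-in, `DNSSECState` is a hypothetical global record of the key-master role (the cn=dns attribute the reviewer suggests in point 5), and the host names are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class DNSName:
    """Constructed stand-in for ipapython.dnsutil.DNSName: a non-str object whose
    text form is only reachable through str(). ", ".join() on a list of these is
    the TypeError reported in the first NACK."""

    def __init__(self, name: str) -> None:
        self._name = name

    def __str__(self) -> str:
        return self._name


@dataclass
class DNSSECState:
    """Hypothetical single global record of the key master role (the cn=dns
    attribute suggested in point 5) instead of a per-server NEW_DNSSEC_MASTER
    ipaConfigString that is lost when that server entry is deleted."""

    current_master: Optional[str]          # server holding the role, None if disabled/deleted
    pending_master: Optional[str] = None   # target given to --replace-dnssec-master
    dnssec_zones: List[DNSName] = field(default_factory=list)


class InstallError(Exception):
    """The step is refused; the message tells the user what to do instead."""


def disable_master_message(state: DNSSECState) -> str:
    """Confirmation text for --disable-dnssec-master. Each zone is converted with
    str() explicitly, so join() never sees a DNSName object."""
    zones = ", ".join(str(z) for z in state.dnssec_zones)
    return "Disabling DNSSEC key master; DNSSEC-enabled zones: %s" % zones


def check_dnssec_master_install(state: DNSSECState, this_host: str,
                                kasp_db: Optional[str] = None) -> str:
    """Gate for 'ipa-dns-install --dnssec-master' on this_host.

    Returns "new master" when no key master exists anywhere, or "move completed"
    when this_host is the announced target and the copied KASP DB was supplied.
    Every other combination raises InstallError with guidance (points 2a, 2b, 4, 5).
    """
    if state.current_master is None and state.pending_master is None:
        return "new master"                       # fresh deployment, no kasp.db needed
    if state.pending_master is None:
        if state.current_master == this_host:
            raise InstallError("%s already is the DNSSEC key master" % this_host)
        raise InstallError("DNSSEC key master is %s; run ipa-dns-install "
                           "--replace-dnssec-master=%s there first"
                           % (state.current_master, this_host))
    # A move is in progress: only the announced target may take over (2a, 4).
    if this_host != state.pending_master:
        raise InstallError("DNSSEC key master is being moved to %s, not to %s"
                           % (state.pending_master, this_host))
    # The target must bring the copied kasp.db (2b); the old master may already
    # have been deleted (5), which is why the source name lives in the global record.
    if kasp_db is None:
        source = state.current_master or "the previous master"
        raise InstallError(
            "Current DNSSEC key master <%s> is being moved to a different server.\n"
            "You need to copy the kasp.db file from <%s> and run the following "
            "command to complete the transition:\n"
            "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
            % (source, source))
    return "move completed"


def refusal_reason(state: DNSSECState, this_host: str,
                   kasp_db: Optional[str] = None) -> Optional[str]:
    """Same gate, returning the refusal text instead of raising (None = accepted)."""
    try:
        check_dnssec_master_install(state, this_host, kasp_db)
    except InstallError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Walk through the sequence from the review with constructed host names.
    old, new, other = "vm-134.example.test", "vm-090.example.test", "vm-059.example.test"
    state = DNSSECState(old, dnssec_zones=[DNSName("example.test."), DNSName("sub.example.test.")])
    print(disable_master_message(state))
    state.pending_master = new        # --replace-dnssec-master=vm-090 run on vm-134
    for host, db in ((other, None), (old, None), (new, None), (new, "/root/ipa-kasp.db")):
        print(host, "->", refusal_reason(state, host, db) or "accepted")
    state.current_master = None       # ipa-replica-manage del vm-134 (point 5)
    print(new, "after old master deleted ->", refusal_reason(state, new) or "accepted")
```

The gate keeps the move state in one place rather than on the old master's entry, so deleting that replica (point 5) still leaves `--dnssec-master` refused until `--kasp-db` is supplied, and re-running `--dnssec-master` on the old master (point 4) is refused because it is not the announced target.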

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0252.4-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch
Type: text/x-patch
Size: 24350 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150629/2b9fbf65/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0253.4-DNSSEC-update-message.patch
Type: text/x-patch
Size: 1050 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150629/2b9fbf65/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch
Type: text/x-patch
Size: 3182 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150629/2b9fbf65/attachment-0002.bin>

