[Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server

Martin Basti mbasti at redhat.com
Tue Jun 30 08:25:25 UTC 2015


On 29/06/15 15:16, Martin Basti wrote:
> On 25/06/15 13:46, Petr Spacek wrote:
>> On 17.6.2015 13:37, Martin Basti wrote:
>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or
>>>>>>> replacing the current DNSSEC key master with another IPA server.
>>>>>>>
>>>>>>> Only for master branch.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>
>>>>>>> Patches attached.
>>>>>> NACK. This happens on DNSSEC key master:
>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>
>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>> 2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>     return_value = main_function()
>>>>>>
>>>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>>>
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>     ", ".join(dnssec_zones))
>>>>>>
>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>
>>>>> Updated patches attached.
>>>>>
>>>>> Due to the new installers, more changes were required.
>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>
>>> Rebased patches attached.
>> NACK.
>>
>>
>> 0) ipa-dns-install --replace-dnssec-master always puts the file into
>> /root/ipa-kasp.db.
>>
>> It would be better to put it into the local working directory or
>> /var/lib/ipa (as with replica files).
>>
>>
>> 1) I installed the DNSSEC key master role on vm-134 but the DNSSEC
>> services were not stopped by ipactl stop:
>>
>> [root at vm-134 review]# ipactl stop
>> Stopping ipa-otpd Service
>> Stopping httpd Service
>> Stopping ipa_memcached Service
>> Stopping kadmin Service
>> Stopping krb5kdc Service
>> Stopping Directory Service
>> ipa: INFO: The ipactl command was successful
>>
>> [root at vm-134 review]# ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting ipa-otpd Service
>> Starting ipa-ods-exporter Service
>> Starting ods-enforcerd Service
>> Starting ipa-dnskeysyncd Service
>>
>> Subsequent ipactl stop worked fine, only the first one is affected.
>>
>>
>> 2a) vm-134 was the original master. I ran this:
>>
>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>
>> ... and then attempted to install master to vm-059:
>> [root at vm-059 review]# ipa-dns-install --dnssec-master
>>
>> This command was accepted despite the missing --kasp-db option and the wrong
>> replica name.
>>
>> It should error out and tell the user to run the command with the
>> --kasp-db option.
>>
>> Even better, we could get rid of the explicit replica name specification in
>> the --replace-dnssec-master option and allow running the installation with
>> --kasp-db on any replica as long as the kasp.db file is provided.
>>
>>
>>
>> 2b) An attempt to move the DNSSEC key master from vm-134 to vm-090 *without*
>> specifying the --kasp-db option was accepted.
>>
>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>
>> As in case (2a), it should print what the user is supposed to do.
>>
>> I propose the following text:
>>
>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
>> moved to a different server.
>>
>> You need to copy the kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com>
>> and run the following command to complete the transition:
>>
>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>
>>
>>
>> 3) [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>> does not remove the ISMASTER option from the file
>> /etc/sysconfig/ipa-dnskeysyncd.
>>
>>
>> 4) After running
>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>
>> it is possible to run
>>
>> [root at vm-134 review]# ipa-dns-install --dnssec-master
>>
>> again without --kasp-db and it is accepted.
>>
>> Moreover, in this case the ipaConfigString "NEW_DNSSEC_MASTER" is not properly
>> removed from
>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>
>>
>>
>>
>> 5) The sequence of commands
>> [root at vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>
>> [root at vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com
>>
>> allows me to run
>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>
>> without the --kasp-db option; it does not throw an error, and the
>> information that some other master existed somewhere is lost.
>>
>> It would probably be better to replace this and use some global attribute
>> in cn=dns so similar problems do not happen.
>>
>>
>>
>> 6) The migration itself seems to work, and the KASP DB seems to work
>> properly; however, it is necessary to run the 'ods-ksmutil zonelist' command
>> *before* all the daemons on the new master are (re)started. This needs to be
>> done to re-generate the file /etc/opendnssec/zonelist.xml from the new
>> (copied) DB.
>>
>> Here please be careful about file permissions.
>>
>> The command should be run under the 'ods' user to avoid permission
>> clobbering.
>>
>>
>> Thank you for your hard work on this!
>>
> New patches attached.
>
> Major part of the code was changed.
>
> Please apply patch 268 first.
>
>
>
>
>
Updated patches attached.

I just changed the error log to a debug log:
                  ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
-            except CalledProcessError as e:
-                root_logger.error("%s", e)
+            except CalledProcessError:
+                root_logger.debug("OpenDNSSEC database has not been 
updated")
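Review bot: the new except clause discards the exception object, so the debug line no longer records why the OpenDNSSEC database update failed; the replaced `root_logger.error("%s", e)` at least kept the cause. Consider keeping `e` in the debug message, e.g. `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`, so the reason survives in the install log for the cases where the failure is not expected. Note also that the new message string is line-wrapped in the mail text, so the hunk as pasted here is not the one to apply; the attached patch file is the reference.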

As this is not an error during uninstall.

-- 
Martin Basti
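Added example, not part of this thread and not FreeIPA's own code (it is not the `ipautil.run` API used in the hunk above). Point 6 of the review asks for 'ods-ksmutil zonelist' to be run as the 'ods' user so that /etc/opendnssec/zonelist.xml does not end up owned by root, and patch 268's title refers to running a subprocess with supplementary groups. The Python 3 code below shows one way to do that with only the standard library: the child process switches its supplementary groups, primary gid and uid in that order before exec, while the parent keeps its own identity. The function names (`drop_privileges`, `run_as`, `regenerate_zonelist`, `self_check`) are mine; the 'ods' user name and the command come from the review, and the self check runs a child as the current user so it can be exercised without root.

```python
import os
import pwd
import subprocess
import sys


def drop_privileges(user):
    """Return a callable that switches the *child* process to `user`.

    The passwd lookup happens in the parent, so an unknown user fails before
    anything is forked. Order matters inside the child: supplementary groups
    and the primary group must be set while we are still root, because after
    setuid() we no longer have the privilege to change groups. initgroups()
    loads the user's supplementary groups (e.g. a shared group that owns the
    OpenDNSSEC directories), which a bare setgid() would drop.
    """
    pw = pwd.getpwnam(user)  # raises KeyError for an unknown user

    def _demote():
        if os.geteuid() == 0:
            os.initgroups(pw.pw_name, pw.pw_gid)
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)
        elif os.geteuid() != pw.pw_uid:
            # Not root and not already that user: we cannot switch, so fail
            # loudly instead of silently running as the wrong identity.
            raise PermissionError("cannot switch to user %r without root" % user)
        # else: already running as the target user, nothing to do

    return _demote


def run_as(cmd, user, env=None):
    """Run `cmd` as `user` and return (exit_code, stdout_text).

    preexec_fn runs in the child between fork() and exec(), so the privilege
    drop affects only the child; the caller keeps its own uid/gid.
    """
    proc = subprocess.run(
        cmd,
        preexec_fn=drop_privileges(user),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        env=env,
        check=False,
    )
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


def regenerate_zonelist(ods_user="ods"):
    """Regenerate /etc/opendnssec/zonelist.xml from the copied KASP DB.

    Mirrors the step from the review: run 'ods-ksmutil zonelist' as the
    OpenDNSSEC user *before* the daemons on the new master are started, so
    the regenerated file is owned by that user rather than by root.
    Assumes ods-ksmutil is installed on this host.
    """
    return run_as(["ods-ksmutil", "zonelist"], ods_user)


def self_check():
    """Sanity check that works without root: run a child as the current user
    and confirm it really reports our uid. Returns True on success."""
    me = pwd.getpwuid(os.getuid()).pw_name
    rc, out = run_as([sys.executable, "-c", "import os; print(os.getuid())"], me)
    return rc == 0 and out.strip() == str(os.getuid())


if __name__ == "__main__":
    print("self check passed:", self_check())
```

The design choice worth noting is the failure behaviour: if the process is not root and cannot become the requested user, `_demote` raises rather than letting the command run as whoever called it, because a zonelist written by the wrong identity is exactly the permission clobbering the review warns about.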

Attachments:
- freeipa-mbasti-0252.5-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch (text/x-patch, 24380 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150630/673cb6fa/attachment.bin>
- freeipa-mbasti-0253.5-DNSSEC-update-message.patch (text/x-patch, 1050 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150630/673cb6fa/attachment-0001.bin>
- freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch (text/x-patch, 3182 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150630/673cb6fa/attachment-0002.bin>

