[Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server

Martin Basti mbasti at redhat.com
Tue Jun 30 14:04:15 UTC 2015


On 30/06/15 10:25, Martin Basti wrote:
> On 29/06/15 15:16, Martin Basti wrote:
>> On 25/06/15 13:46, Petr Spacek wrote:
>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>> This patch allows disabling the DNSSEC key master on an IPA server,
>>>>>>>> or replacing the current DNSSEC key master with another IPA server.
>>>>>>>>
>>>>>>>> Only for master branch.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>
>>>>>>>> Patches attached.
>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>
>>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>       2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>>        return_value = main_function()
>>>>>>>
>>>>>>>      File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>        dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>
>>>>>>>      File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>>        ", ".join(dnssec_zones))
>>>>>>>
>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>
>>>>>> Updated patches attached.
>>>>>>
>>>>>> Due to the new installers, more changes were required.
>>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>
>>>> Rebased patches attached.
>>> NACK.
>>>
>>>
>>> 0) ipa-dns-install --replace-dnssec-master always puts file into
>>> /root/ipa-kasp.db.
>>>
>>> It would be better to put it into the local working directory or /var/lib/ipa
>>> (as with replica files).
>>>
>>>
>>> 1) I installed the DNSSEC key master role on vm-134 but the DNSSEC services
>>> were not stopped by ipactl stop:
>>>
>>> [root at vm-134 review]# ipactl stop
>>> Stopping ipa-otpd Service
>>> Stopping httpd Service
>>> Stopping ipa_memcached Service
>>> Stopping kadmin Service
>>> Stopping krb5kdc Service
>>> Stopping Directory Service
>>> ipa: INFO: The ipactl command was successful
>>>
>>> [root at vm-134 review]# ipactl start
>>> Starting Directory Service
>>> Starting krb5kdc Service
>>> Starting kadmin Service
>>> Starting named Service
>>> Starting ipa_memcached Service
>>> Starting httpd Service
>>> Starting ipa-otpd Service
>>> Starting ipa-ods-exporter Service
>>> Starting ods-enforcerd Service
>>> Starting ipa-dnskeysyncd Service
>>>
>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>
>>>
>>> 2a) vm-134 was the original master. I ran this:
>>>
>>> [root at vm-134 review]# ipa-dns-install
>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>
>>> ... and then attempted to install master to vm-059:
>>> [root at vm-059 review]# ipa-dns-install --dnssec-master
>>>
>>> This command was accepted despite the missing --kasp-db option and the wrong
>>> replica name.
>>>
>>> It should error out and tell the user to run the command with the --kasp-db
>>> option.
>>>
>>> Even better, we could get rid of the explicit replica name specification in
>>> the --replace-dnssec-master option and allow running the installation with
>>> --kasp-db on any replica as long as the kasp.db file is provided.
>>>
>>>
>>>
>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
>>> specifying --kasp-db option was accepted.
>>>
>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>
>>> As in case (2a), it should print what the user is supposed to do.
>>>
>>> I propose the following text:
>>>
>>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
>>> moved to a different server.
>>>
>>> You need to copy the kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com>
>>> and run the following command to complete the transition:
>>>
>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>
>>>
>>>
>>> 3) [root at vm-134 review]# ipa-dns-install
>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>> does not remove the ISMASTER option from the file
>>> /etc/sysconfig/ipa-dnskeysyncd .
>>>
>>>
>>> 4) [root at vm-134 review]# ipa-dns-install
>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>
>>> it is possible to run
>>>
>>> [root at vm-134 review]# ipa-dns-install --dnssec-master
>>>
>>> again without --kasp-db and it is accepted.
>>>
>>> Moreover, in this case the ipaConfigString "NEW_DNSSEC_MASTER" is not
>>> properly removed from
>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>
>>>
>>>
>>>
>>> 5) Sequence of commands
>>> [root at vm-134 review]# ipa-dns-install
>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>
>>> [root at vm-090 review]# ipa-replica-manage del 
>>> vm-134.abc.idm.lab.eng.brq.redhat.com
>>>
>>> allows me to run
>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>
>>> without the --kasp-db option; it does not throw an error, and the
>>> information that some other master existed somewhere is lost.
>>>
>>> It would probably be better to replace this and use some global attribute
>>> in cn=dns so that similar problems do not happen.
>>>
>>>
>>>
>>> 6) The migration itself seems to work, and the KASP DB seems to work
>>> properly; however, it is necessary to run the 'ods-ksmutil zonelist' command
>>> *before* all the daemons on the new master are (re)started. This needs to be
>>> done to re-generate the file /etc/opendnssec/zonelist.xml from the new
>>> (copied) DB.
>>>
>>> Here please be careful about file permissions.
>>>
>>> The command should be run under the 'ods' user to avoid permission
>>> clobbering.
>>>
>>>
>>> Thank you for your hard work on this!
>>>
>> New patches attached.
>>
>> A major part of the code was changed.
>>
>> Please apply patch 268 first.
>>
>>
>>
>>
>>
> Updated patches attached.
>
> I just changed the error log to a debug log:
>                  ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
> -            except CalledProcessError as e:
> -                root_logger.error("%s", e)
> +            except CalledProcessError:
> +                root_logger.debug("OpenDNSSEC database has not been 
> updated")
>
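Review bot: the new except branch drops the exception detail. The removed line logged `e`, while the replacement logs only "OpenDNSSEC database has not been updated" at debug level, so the reason the `ipautil.run(cmd, runas=ods_enforcerd.get_user_name())` call failed (exit status, stderr) no longer reaches the install log. Keep the message and the debug level, but carry the exception along: `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`.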
> As this is not an error during uninstall.
>
> -- 
> Martin Basti
>
>
Updated patches attached.

-- 
Martin Basti
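As an added illustration (not FreeIPA code and not part of the patches in this thread), the following Python models the pre-flight check Petr asks for in points 2a, 2b, 4 and 5 of his review, together with the fix for the `", ".join(dnssec_zones)` TypeError in the traceback above. The `DNSName` stand-in, the `state` dict and the hostnames are constructed here; FreeIPA keeps the real state in LDAP.

```python
"""Constructed example: pre-flight check for 'ipa-dns-install --dnssec-master'."""


class DNSName(object):
    """Stand-in for ipapython.dnsutil.DNSName (constructed here). It is not a
    str, so ", ".join([DNSName(...)]) raises the TypeError seen in the log."""
    def __init__(self, name):
        self.name = name

    def __str__(self):
        return self.name


def format_zone_list(zones):
    """Fixed form of ", ".join(dnssec_zones): convert each DNSName to str first."""
    return ", ".join(str(zone) for zone in zones)


# Text proposed in point 2b of the review, shown when --kasp-db is missing.
TRANSITION_MSG = (
    "Current DNSSEC key master <{old}> is being moved to a different server.\n"
    "You need to copy the kasp.db file from <{old}> and run the following "
    "command to complete the transition:\n"
    "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
)


def check_dnssec_master_install(state, this_host, kasp_db=None):
    """Decide whether --dnssec-master may proceed on this_host.

    state models the global attribute in cn=dns proposed in point 5 (a plain
    dict here): 'dnssec_master' is the recorded key master or None, 'replacing'
    is True once --replace-dnssec-master has been run on it. Because it is not
    kept under the old master's own cn=masters entry, deleting that replica
    with ipa-replica-manage del does not lose it. Returns (ok, message)."""
    old = state.get("dnssec_master")
    if old is None:
        return True, "No DNSSEC key master recorded; installing a fresh one."
    if old == this_host and not state.get("replacing"):
        return False, "This server is already the DNSSEC key master."
    if kasp_db is None:
        # Points 2a, 2b, 4 and 5: never accept the takeover without the copied DB.
        return False, TRANSITION_MSG.format(old=old)
    return True, "Importing %s and taking over the key master role from %s." % (
        kasp_db, old)


if __name__ == "__main__":
    state = {"dnssec_master": "vm-134.abc.idm.lab.eng.brq.redhat.com",
             "replacing": True}
    print(check_dnssec_master_install(state, "vm-090.abc.idm.lab.eng.brq.redhat.com")[1])
    print(format_zone_list([DNSName("example.test."), DNSName("sub.example.test.")]))
```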

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0252.6-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch
Type: text/x-patch
Size: 24448 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150630/e3022f0c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0253.6-DNSSEC-update-message.patch
Type: text/x-patch
Size: 1050 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150630/e3022f0c/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch
Type: text/x-patch
Size: 3182 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150630/e3022f0c/attachment-0002.bin>