[Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations

Martin Basti mbasti at redhat.com
Fri Jun 17 13:27:15 UTC 2016



On 17.06.2016 15:17, Petr Spacek wrote:
> On 17.6.2016 12:25, Martin Basti wrote:
>>
>> On 17.06.2016 08:46, Petr Spacek wrote:
>>> On 16.6.2016 22:14, Martin Basti wrote:
>>>> On 16.06.2016 15:59, Petr Spacek wrote:
>>>>> On 16.6.2016 13:57, Martin Basti wrote:
>>>>>> On 16.06.2016 12:09, Petr Spacek wrote:
>>>>>>> On 15.6.2016 17:24, Petr Spacek wrote:
>>>>>>>> On 15.6.2016 15:45, Martin Basti wrote:
>>>>>>>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>>>>>>> <snip>
>>>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>>>>>>>>> commands attached
>>>>>>>>>> Updated+rebased patches after Honza's interactive review
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Minor nitpick fixed
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>>>>>>>>
>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>>
>>>>>>>> I will get to the rest later on.
>>>>>>> Problems I found (could be solved in separate patches if you wish):
>>>>>>>
>>>>>>> 1. NACK
>>>>>>> # ipa dns-update-system-records --dry-run
>>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys
>>>>>>> ['summary'] in { ...
>>>>>> Fixed
>>>>>>> 2. NACK
>>>>>>> Command ipa dns-update-system-records does not work with DNS Administrators
>>>>>>> privilege when some record is missing:
>>>>>>>
>>>>>>> ipa: WARNING: Update of system record
>>>>>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0
>>>>>>> 100 464
>>>>>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient
>>>>>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of
>>>>>>> entry
>>>>>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Fixed (I hope)
>>>>>>> 3. NACK
>>>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
>>>>>>> In fact the upgrade does not even add the object class into schema.
>>>>>>>
>>>>>> Fixed
>>>>>>> These need to be fixed before we can proceed.
>>>>>>>
>>>>>> Updated patches attached
>>>>> 4. NACK
>>>>> ipa-ca-install does not add A/AAAA records for the new CA.
>>>> This should work, the code is in the right place. Maybe it is a race condition.
>>>>
>>>> ... 2 hours later ...
>>>>
>>>> I found that this is broken since 4.3.0, I will fix it separately
>>>> https://fedorahosted.org/freeipa/ticket/5966
>>>>
>>>> Anyway I found a bug in replicainstall (fixed) because of copy&paste everywhere
>>>>
>>>>> 5. NACK
>>>>> ipa-replica-manage del <replica> does not delete SRV records from the
>>>>> remaining master
>>>>>
>>>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com
>>>>> WARNING: yacc table file version is out of date
>>>>> Checking connectivity in topology suffix 'domain'
>>>>> Checking connectivity in topology suffix 'ca'
>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid
>>>>> 'idnsserverid': must be Unicode text
>>>>> You may need to manually remove them from the tree
>>>>> Checking for deleted segments in suffix 'domain'
>>>>> Agreements deleted
>>>>> Checking for deleted segments in suffix 'ca'
>>>>> Agreements deleted
>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries:
>>>>> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found
>>>>> You may need to manually remove them from the tree
>>>> Fixed
>>>>> Manual execution of ipa dns-update-system-records fixes that.
>>>>>
>>>>>
>>>>>
>>>>> Besides NACKs above one more thing is missing:
>>>>> Following config options are not migrated from named.conf to LDAP object:
>>>>>
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade
>>>>>
>>>>>
>>>>>
>>>>> This can go to a separate patch set if you wish (at the very end).
>>>> I will leave this for later, bind-dyndb-ldap will continue working with local
>>>> configuration as before, patches are of course welcome.
>>>>
>>>> Updated patches attached, + hydra patching
>>> 6. NACK
>>> # ipa server-show $(hostname)
>>> Managed suffixes: domain, ca
>>>     Min domain level: 0
>>>     Max domain level: 1
>>>     Location: l1
>>>     Enabled server roles: CA server, DNS server, NTP server
>>>     Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>>>
>>> [root at vm-046 review]# ipa server-mod $(hostname) --location=l2
>>> ipa: ERROR: no modifications to be performed
>>>
>> Updated patches attached
> ACK up to patch 519.
master:
* 0f5cca0e45481520d25b20b48f939b2581f4d27b DNS Locations: add index for ipalocation attribute
* d7671ee66786b674454b7b58c9558e0c7c853cd5 DNS Locations: fix location-del
* 745a2e6471b27faabeb5479b9d2845b18606d8b0 DNS Locations: add idnsTemplateObject objectclass
* 87c23ba029df9227384b3f5e2028f3f0e429e9ab DNS Locations: DNS data management
* 394b094fc22ef67742824ec03d4e851a2876fd81 DNS Locations: permission: allow to read status of services
* cf634a4ff8a100589f99e57c51b2c4591853e88a DNS Locations: add ACI for template attribute
* e23159596e1851f156461d00b9f9f99dc698e12b DNS Locations: command dns-update-system-records
* 45a93265740fdfc14e6ee8785f844f8d34508fc4 DNS Locations: use dns_update_service_records in installers
* a5a6ceafcd3418a6242bbf948d825f2b61c95f23 DNS Locations: adtrustinstance simplify dns management
* a7e463948db5870d264f59954c9a2e9b5b59e1dd DNS Locations: use automatic records update in ipa-adtrust-install
* 4076e8e4e50d527f613536138cd851cd068cd2d9 DNS Locations: server-mod: add automatic records update
* 88a0952f26f9d1e2ee9d02126b27f3075dbad46a DNS Locations: dnsservers: add required objectclasses
* 2157ea0e6d0d762bdc71022ddd55045406c4b300 DNS Locations: dnsserver-* commands
* 52590d6fa581e3b53e2c9350dc307a1f360c40a3 DNS Locations: dnsserver: put server_id option into named.conf
* 08265f1e92bd91d9e4ba3285b953ff9ccd79040b DNS Locations: dnsserver: use the newer config way in installer
* d70e52b61b35f42ca2d34ef05310fd2c18c882ce DNS Locations: dnsserver: remove config when replica is removed

>
> 7th NACK to the rest:
Actually it is just the 2nd NACK, because patches 520+ have only their 2nd revision ;-)
>
> It fails while attempting to add non-DNS to a location:
>
> # ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com
>    Managed suffixes: domain
>    Min domain level: 0
>    Max domain level: 1
>    Location: l1
>    Enabled server roles:
>    Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>
> # ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2
> ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found
>
Will send a fix soon...
Martin^2
