[Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations

Martin Basti mbasti at redhat.com
Fri Jun 17 16:10:24 UTC 2016



On 17.06.2016 18:00, Petr Spacek wrote:
> On 17.6.2016 17:05, Martin Basti wrote:
>>
>> On 17.06.2016 15:17, Petr Spacek wrote:
>>> On 17.6.2016 12:25, Martin Basti wrote:
>>>> On 17.06.2016 08:46, Petr Spacek wrote:
>>>>> On 16.6.2016 22:14, Martin Basti wrote:
>>>>>> On 16.06.2016 15:59, Petr Spacek wrote:
>>>>>>> On 16.6.2016 13:57, Martin Basti wrote:
>>>>>>>> On 16.06.2016 12:09, Petr Spacek wrote:
>>>>>>>>> On 15.6.2016 17:24, Petr Spacek wrote:
>>>>>>>>>> On 15.6.2016 15:45, Martin Basti wrote:
>>>>>>>>>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>>>>>>>>> <snip>
>>>>>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>>>>>>>>>>> commands attached
>>>>>>>>>>>> Updated+rebased patches after Honza's interactive review
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Minor nitpick fixed
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ACK
>>>>>>>>>>
>>>>>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ACK
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I will get to the rest later on.
>>>>>>>>> Problems I found (could be solved in separate patches if you wish):
>>>>>>>>>
>>>>>>>>> 1. NACK
>>>>>>>>> # ipa dns-update-system-records --dry-run
>>>>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys
>>>>>>>>> ['summary'] in { ...
>>>>>>>> Fixed
>>>>>>>>> 2. NACK
>>>>>>>>> Command ipa dns-update-system-records does not work with DNS Administrators
>>>>>>>>> privilege when some record is missing:
>>>>>>>>>
>>>>>>>>> ipa: WARNING: Update of system record
>>>>>>>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0
>>>>>>>>> 100 464
>>>>>>>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient
>>>>>>>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of
>>>>>>>>> entry
>>>>>>>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Fixed (I hope)
>>>>>>>>> 3. NACK
>>>>>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
>>>>>>>>> In fact the upgrade does not even add the object class into schema.
>>>>>>>>>
>>>>>>>> Fixed
>>>>>>>>> These need to be fixed before we can proceed.
>>>>>>>>>
>>>>>>>> Updated patches attached
>>>>>>> 4. NACK
>>>>>>> ipa-ca-install does not add A/AAAA records for the new CA.
>>>>>> This should work, code is in the right place. Maybe it is a race condition.
>>>>>>
>>>>>> ... 2 hours later ...
>>>>>>
>>>>>> I found that this is broken since 4.3.0, I will fix it separately
>>>>>> https://fedorahosted.org/freeipa/ticket/5966
>>>>>>
>>>>>> Anyway I found a bug in replicainstall (fixed) because of copy&paste everywhere
>>>>>>
>>>>>>> 5. NACK
>>>>>>> ipa-replica-manage del <replica> does not delete SRV records from the
>>>>>>> remaining master
>>>>>>>
>>>>>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com
>>>>>>> WARNING: yacc table file version is out of date
>>>>>>> Checking connectivity in topology suffix 'domain'
>>>>>>> Checking connectivity in topology suffix 'ca'
>>>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid
>>>>>>> 'idnsserverid': must be Unicode text
>>>>>>> You may need to manually remove them from the tree
>>>>>>> Checking for deleted segments in suffix 'domain'
>>>>>>> Agreements deleted
>>>>>>> Checking for deleted segments in suffix 'ca'
>>>>>>> Agreements deleted
>>>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries:
>>>>>>> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found
>>>>>>> You may need to manually remove them from the tree
>>>>>> Fixed
>>>>>>> Manual execution of ipa dns-update-system-records fixes that.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Besides NACKs above one more thing is missing:
>>>>>>> Following config options are not migrated from named.conf to LDAP object:
>>>>>>>
>>>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This can go to a separate patch set if you wish (at the very end).
>>>>>> I will leave this for later, bind-dyndb-ldap will continue working with local
>>>>>> configuration as before, patches are of course welcome.
>>>>>>
>>>>>> Updated patches attached, + hydra patching
>>>>> 6. NACK
>>>>> # ipa server-show $(hostname)
>>>>> Managed suffixes: domain, ca
>>>>>      Min domain level: 0
>>>>>      Max domain level: 1
>>>>>      Location: l1
>>>>>      Enabled server roles: CA server, DNS server, NTP server
>>>>>      Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>>>>>
>>>>> [root@vm-046 review]# ipa server-mod $(hostname) --location=l2
>>>>> ipa: ERROR: no modifications to be performed
>>>>>
>>>> Updated patches attached
>>> ACK up to patch 519.
>>>
>>> 7th NACK to the rest:
>>>
>>> It fails while attempting to add non-DNS to a location:
>>>
>>> # ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com
>>>     Managed suffixes: domain
>>>     Min domain level: 0
>>>     Max domain level: 1
>>>     Location: l1
>>>     Enabled server roles:
>>>     Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>>>
>>> # ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2
>>> ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found
>>>
>> Updated patches attached + 2 extra hydra patches :)
> ACK with full force!
>
pushed to master:
* ef12cad30b3fc867b3b09abe6521c168dbc3ceaf DNS Locations: set proper substitution variable
* 1997733cdf60bbd5fee8a5286d567580fa4e0198 DNS Locations: require to restart named-pkcs11 affter location change
* 8dde1201ed9b0ca839ffe7421be7efd04b666e11 DNS Locations: show warning if there is no DNS servers in location
* b2931210eb794e52eac4b0e295fcbdfc5bb07f87 DNS Locations: prevent to remove used locations
* bbf8227e3fd678d4bd6659a12055ba3dbe1c8230 DNS Locations: do not generate location records for unused locations
* 3c50e42036427d7c5e36828f24bd3c180e18a677 DNS Locations: location-del: remove location record
* 4155eb7b13b20605886ba79c02c232f83a7b439c DNS Locations: Rename ipalocationweight to ipaserviceweight
* 313e63e3e4ba1aa3dd2ae5de54f6d277329fffee DNS Locations: generate NTP records
* 88ac58a1ce0641e65bcc7934020f85ef39d8e82b upgrade: don't fail if zone does not exists in in find
* e82ce439c4c8a4d2f5b4ef384158de93de1644cc DNS Location: add list of roles and DNS servers to location-show
* 8253727de1f823bb6c06d4687019e64dab825ec3 DNS Locations: dnsserver: print specific error when DNS is not installed



