[Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed

Petr Spacek pspacek at redhat.com
Fri Mar 4 15:48:35 UTC 2016


On 4.3.2016 15:05, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 3.3.2016 18:15, Martin Basti wrote:
>>>
>>>
>>> On 03.03.2016 17:36, Petr Vobornik wrote:
>>>> On 03/03/2016 03:52 PM, Martin Basti wrote:
>>>>> Hello all,
>>>>>
>>>>> related tickets:
>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>> https://fedorahosted.org/freeipa/ticket/5675
>>>>> https://fedorahosted.org/freeipa/ticket/5715
>>>>>
>>>>> I'm trying to implement both tickets, but I don't like the way we
>>>>> decided on devel meeting anymore.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>>
>>>>> 1)
>>>>> ipa host-del --updatedns
>>>>>
>>>>> I propose to only delete A, AAAA and related PTR records (SSHFP records
>>>>> explained later). The records are somehow managed by IPA
>>>>>
>>>>> I don't like the idea of having an extra option to specify record types
>>>>> that should be removed or a flag that will remove DNS entry completely.
>>>>> IMO that is duplication of dnsrecord-mod/del functionality, host-del
>>>>> should not be used for managing DNS. If somebody wants better
>>>>> granularity, one should use 'dnsrecord-mod zone rec --type-rec=' or
>>>>> 'dnsrecord-del --del-all'
>>>>
>>>> AFAIK the proposal on devel meeting was:
>>>>
>>>> --update-dns will delete A, AAAA, SSHFP
>>>> --update-dns=all will delete the whole DNS record LDAP entry
>>>>
>>>> there was also a proposal for granularity, e.g., --update-dns=a,aaaa.
>>> Yes, this looks to me like doing an alias for the dnsrecord-del command
>>>
>>>>
>>>> Then it was agreed that --update-dns won't search for SRV records (not
>>>> mentioned here, so OK).
>>>>
>>>> PTR records weren't discussed or decision was not recorded.
>>> When we remove A/AAAA, then we should remove PTR as well
>>>>
>>>> The proposal above keeps backwards compatibility though it may not be
>>>> possible to do with current framework. Or do we have support for multivalued
>>>> enum with default value(s) which acts as a flag?
>>> It needs big hacks in the framework, to support it as Flag for old clients and Enum
>>> for new clients
>>>>
>>>> If the new option type is too complicated to introduce, then I would prefer
>>>> to keep current option(flag) with behavior matching proposal for
>>>> --update-dns or --update-dns=all.
>>> To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.
>>>
>>>>
>>>> Definitely big +1 on not introducing a new option.
>>>>
>>>> No need to over-engineer it.
>>>>
>>>> Not sure about PTR records.
>>>>
>>>>>
>>>>> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
>>>>> a new option is needed
>>>>
>>>>>
>>>>> 2)
>>>>> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>>>>>
>>>>> host-del removes SSH keys from LDAP, thus there is no reason to keep
>>>>> SSHFP record in DNS, thus SSHFP records should be removed always (even
>>>>> without --updatedns option)
>>>>
>>>> ACK
>>>>
>>>>>
>>>>> 3)
>>>>> ipa-client-install --uninstall
>>>>>
>>>>> SSHFP records are always added via nsupdate to DNS, IMO during client
>>>>> uninstall all SSHFP records related to the client should be removed via
>>>>> nsupdate too.
>>>>
>>>> IMHO not necessary, will be solved either by #5676 and/or #5715 (currently
>>>> uninstall indirectly calls ipa-host-disable)
>>> However host-disable does not do nsupdate, so it will work only for IPA DNS.
>>> So if nsupdate set SSHFP on a non-IPA server, we do not have a reverse operation
>>> in uninstall for that.
>>>
>>>>
>>>>>
>>>>> 4)
>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>>
>>>>> ipa-client-install --uninstall --delete-host    #suggestions how to name
>>>>> option for removing host entry for ldap welcome
>>>>>
>>>>> Should this option call 'host-del' or 'host-del --updatedns'?
>>>>>
>>>>> I would like to avoid additional DNS related option to be added to
>>>>> ipa-client-install
>>>>>
>>>>> Also do we really want to implement this ticket? What is the gain there?
>>>>
>>>> The devel discussion which is recorded in
>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>
>>>> Suggests to change default behavior in ipa-client-install --uninstall so
>>>> that it will call:
>>>>
>>>> `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will
>>>> also do #3.
>>>>
>>>> Further proposal in #5676 is to introduce a new option(--keephost ??) to
>>>> keep the host records, i.e., the old behavior.
>>>>
>>>> But comment:
>>>> """
>>>> simo: maybe keeping backward compatibility is more important, discuss later
>>>> if --remove option would be better
>>>> """
>>>> suggest that further discussion is needed
>>>
>>> I agree with backward compatibility here. A current user may be very surprised
>>> that all DNS records of the host disappear.
>>
>> The general problem is that installation process (aka ipa-client-install) is a
>> mess without documented design (at least when it comes to DNS parts) so it is
>> quite hard to do the reverse on --uninstall.
>>
>> Given that we're planning to implement integration with external DNS in the future
>> we might want to postpone ipa-client-install changes related to DNS and do the
>> overhaul at once.
>>
>> For example host plugin will need changes as many assumptions about DNS usage
>> are oversimplified or simply wrong so delaying changes might save some
>> headache caused by two behavior changes in two subsequent releases.
>>
> 
> I'm not sure what you'd be looking for in ipa-client install but even if
> you knew exactly what changes were made I don't think it would be enough
> to do everything in uninstall. It wouldn't handle DNS changes made
> post-install, for example, so even if state was stored somewhere it
> could still result in left-over DNS entries.
> 
> This is particularly important when considering client -> master
> promotion where a slew of DNS entries will be created.
> 
> Or am I misunderstanding your point?

You are right, it might be too stateful for 100% clean solution.

Honestly the cleanest thing we could do is not touch DNS at all for clients.
It should be job of the provisioning system and I do not really understand why
the functionality was added to ipa-client-install and not to some other tool.
The same applies to DNS updates from SSSD - it is a job for NetworkManager (or
something else), not SSSD.

If we wanted to leave the functionality as it is we should do something like this:
* If ipa-client-install adds a new record type which was not present at the
target name before installation, we should delete it during uninstall. This
should handle the cases where the IP address or SSH key changed after the install.
(This applies to cases where the A record for client.example.com did not exist
before.)

* We should not delete record types which existed before the install as they
were obviously provisioned by something else.


Speaking of server promotion, if we do service record management right (I
intend to do this when implementing IPA integration with external DNS servers)
we should be able to find all the records which were automatically created and
delete them.


The reference to invalid assumptions was to the host plugin mess mentioned in the other
thread. Unfortunately the mess is not limited to the host plugin so it will be a
lot of work.

-- 
Petr^2 Spacek
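The two clean-up policies argued over in this thread (what `ipa host-del [--updatedns]` should remove, and the "delete only the record types the installer added" rule for `ipa-client-install --uninstall`) are easy to get subtly wrong around PTR records, so here is an added worked model of both. This is example code written for this page, not FreeIPA's host plugin or installer code; the zone contents, host names, addresses, the `Record` class and every function name are constructed for the example and do not correspond to FreeIPA APIs.

```python
"""Added example, not FreeIPA project code.

* host_del()        -- proposed `ipa host-del [--updatedns]` behaviour: SSHFP
                       records go always; with --updatedns the A/AAAA records
                       and the PTR records pointing back to the host go too
                       (SRV records are not searched).
* uninstall_plan()  -- the "only delete what the installer added" rule from the
                       reply above: (name, type) pairs present before install are
                       kept, types the installer added are removed even if their
                       values changed later.
* nsupdate_script() -- renders the result as an nsupdate batch, the mechanism the
                       client uses for its SSHFP records.
All names, addresses and zone data are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, absolute (trailing dot)
    rtype: str  # A, AAAA, PTR, SSHFP, SRV, ...
    rdata: str


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def managed_names(zone, host):
    """The host name plus the reverse names of its current A/AAAA addresses."""
    host = fqdn(host)
    return {host} | {ptr_name(r.rdata) for r in zone
                     if r.name == host and r.rtype in ("A", "AAAA")}


def snapshot(zone, host):
    """(name, type) pairs present before install; the installer would store this."""
    return {(r.name, r.rtype) for r in zone if r.name in managed_names(zone, host)}


def host_del(zone, host, updatedns=False):
    """Records `ipa host-del` would delete for `host`, as a set of Record."""
    host = fqdn(host)
    victims = {r for r in zone if r.name == host and r.rtype == "SSHFP"}
    if updatedns:
        addrs = [r for r in zone if r.name == host and r.rtype in ("A", "AAAA")]
        victims.update(addrs)
        for a in addrs:
            # Only the PTR that points back to this host: a reverse name can carry
            # PTRs for several hosts (this back-reference check is the example's own).
            victims.update(p for p in zone if p.name == ptr_name(a.rdata)
                           and p.rtype == "PTR" and p.rdata == host)
    return victims


def uninstall_plan(zone_now, pre_install, host):
    """Records to delete at uninstall under the 'only what install added' rule."""
    host = fqdn(host)
    victims = set()
    for r in zone_now:
        if r.name not in managed_names(zone_now, host):
            continue                      # e.g. SRV records elsewhere in the zone
        if (r.name, r.rtype) in pre_install:
            continue                      # provisioned by something else: keep it
        if r.rtype == "PTR" and r.rdata != host:
            continue                      # another host's PTR at the same name
        victims.add(r)
    return victims


def nsupdate_script(records, server="192.0.2.53"):
    """nsupdate batch deleting exactly the given records (server is a sample address)."""
    lines = [f"server {server}"]
    for r in sorted(records, key=lambda r: (r.name, r.rtype, r.rdata)):
        lines.append(f"update delete {r.name} {r.rtype} {r.rdata}")
    lines.append("send")
    return "\n".join(lines)


HOST = "client.example.com"

# Constructed zone before ipa-client-install: A and PTR provisioned by something else,
# and a second PTR for an unrelated host at the same reverse name.
ZONE_BEFORE = [
    Record("client.example.com.", "A", "192.0.2.10"),
    Record("10.2.0.192.in-addr.arpa.", "PTR", "client.example.com."),
    Record("10.2.0.192.in-addr.arpa.", "PTR", "other.example.com."),
]
PRE_INSTALL = snapshot(ZONE_BEFORE, HOST)

# Constructed zone now: installer added AAAA, PTR and SSHFP; IPv6 address changed later.
ZONE_NOW = ZONE_BEFORE + [
    Record("client.example.com.", "AAAA", "2001:db8::20"),
    Record(ptr_name("2001:db8::20"), "PTR", "client.example.com."),
    Record("client.example.com.", "SSHFP", "1 1 0123456789abcdef0123456789abcdef01234567"),
    Record("client.example.com.", "SSHFP", "4 2 " + "00" * 32),
    Record("_ldap._tcp.example.com.", "SRV", "0 100 389 client.example.com."),
]

if __name__ == "__main__":
    print("# host-del --updatedns\n" + nsupdate_script(host_del(ZONE_NOW, HOST, updatedns=True)))
    print("\n# uninstall\n" + nsupdate_script(uninstall_plan(ZONE_NOW, PRE_INSTALL, HOST)))
```

With the sample data, `host-del --updatedns` removes the A, AAAA, both SSHFP records and the two PTRs pointing at the client, but leaves `other.example.com.`'s PTR and the SRV record alone; the uninstall plan keeps the pre-existing A record and its PTR and removes only the AAAA, its PTR and the SSHFP records, even though the IPv6 address is no longer the one the installer wrote.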