<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 29/06/15 15:16, Martin Basti wrote:<br>
</div>
<blockquote cite="mid:55914517.7090404@redhat.com" type="cite">On
25/06/15 13:46, Petr Spacek wrote:
<br>
<blockquote type="cite">On 17.6.2015 13:37, Martin Basti wrote:
<br>
<blockquote type="cite">On 17/06/15 13:26, Petr Spacek wrote:
<br>
<blockquote type="cite">On 16.6.2015 15:40, Martin Basti
wrote:
<br>
<blockquote type="cite">On 05/06/15 12:54, Petr Spacek
wrote:
<br>
<blockquote type="cite">On 20.5.2015 18:00, Martin Basti
wrote:
<br>
<blockquote type="cite">This patch allows to disable
DNSSEC key master on IPA server, or replace
<br>
current DNSSEC key master with another IPA server.
<br>
<br>
Only for master branch.
<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4657">https://fedorahosted.org/freeipa/ticket/4657</a>
<br>
<br>
Patches attached.
<br>
</blockquote>
NACK. This happens on the DNSSEC key master:
<br>
$ ipa-dns-install --disable-dnssec-master
<br>
<br>
Do you want to disable current DNSSEC key master? [no]:
yes
<br>
Unexpected error - see /var/log/ipaserver-install.log
for details:
<br>
TypeError: sequence item 0: expected string, DNSName
found
<br>
2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
<br>
    return_value = main_function()
<br>
<br>
  File "/sbin/ipa-dns-install", line 128, in main
<br>
    dns_installer.disable_dnssec_master(options.unattended)
<br>
<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
<br>
    ", ".join(dnssec_zones))
<br>
<br>
2015-06-05T10:52:35Z DEBUG The ipa-dns-install command
failed, exception:
<br>
TypeError: sequence item 0: expected string, DNSName
found
<br>
<br>
</blockquote>
Updated patches attached.
<br>
<br>
Due to the new installers, more changes were required.
<br>
</blockquote>
Sorry, NACK, I'm not able to apply this patch set to the current master
<br>
(69607250b9762a6c9b657dd31653b03d54a7b411).
<br>
<br>
</blockquote>
Rebased patches attached.
<br>
</blockquote>
NACK.
<br>
<br>
<br>
0) ipa-dns-install --replace-dnssec-master always puts the file into
<br>
/root/ipa-kasp.db.
<br>
<br>
It would be better to put it into the local working directory or /var/lib/ipa (as
<br>
with replica files).
<br>
<br>
<br>
1) I installed the DNSSEC key master role on vm-134, but the DNSSEC services were
<br>
not stopped by ipactl stop:
<br>
<br>
[root@vm-134 review]# ipactl stop
<br>
Stopping ipa-otpd Service
<br>
Stopping httpd Service
<br>
Stopping ipa_memcached Service
<br>
Stopping kadmin Service
<br>
Stopping krb5kdc Service
<br>
Stopping Directory Service
<br>
ipa: INFO: The ipactl command was successful
<br>
<br>
[root@vm-134 review]# ipactl start
<br>
Starting Directory Service
<br>
Starting krb5kdc Service
<br>
Starting kadmin Service
<br>
Starting named Service
<br>
Starting ipa_memcached Service
<br>
Starting httpd Service
<br>
Starting ipa-otpd Service
<br>
Starting ipa-ods-exporter Service
<br>
Starting ods-enforcerd Service
<br>
Starting ipa-dnskeysyncd Service
<br>
<br>
Subsequent ipactl stop worked fine; only the first one is affected.
<br>
<br>
<br>
2a) vm-134 was the original master. I ran this:
<br>
<br>
[root@vm-134 review]# ipa-dns-install
<br>
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
<br>
<br>
... and then attempted to install the master role on vm-059:
<br>
[root@vm-059 review]# ipa-dns-install --dnssec-master
<br>
<br>
This command was accepted despite the missing --kasp-db option and wrong
<br>
replica name.
<br>
<br>
It should error out and tell the user to run the command with the
--kasp-db option.
<br>
<br>
Even better, we could get rid of the explicit replica name specification in
<br>
the --replace-dnssec-master option and allow running the installation with --kasp-db on
<br>
any replica as long as the kasp.db file is provided.
<br>
<br>
<br>
<br>
2b) An attempt to move the DNSSEC key master from vm-134 to vm-090 *without*
<br>
specifying the --kasp-db option was accepted.
<br>
<br>
[root@vm-090 review]# ipa-dns-install --dnssec-master
<br>
<br>
As in case (2a), it should print what the user is supposed to do.
<br>
<br>
I propose the following text:
<br>
<br>
Current DNSSEC key master
<vm-134.abc.idm.lab.eng.brq.redhat.com> is being
<br>
moved to a different server.
<br>
<br>
You need to copy the kasp.db file from
<vm-134.abc.idm.lab.eng.brq.redhat.com> and
<br>
run the following command to complete the transition:
<br>
<br>
# ipa-dns-install --dnssec-master
--kasp-db=/path/to/the/copied/kasp.db
<br>
<br>
<br>
<br>
3) [root@vm-134 review]# ipa-dns-install
<br>
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
<br>
does not remove the ISMASTER option from the file
/etc/sysconfig/ipa-dnskeysyncd.
<br>
<br>
<br>
4) [root@vm-134 review]# ipa-dns-install
<br>
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
<br>
<br>
it is possible to run
<br>
<br>
[root@vm-134 review]# ipa-dns-install --dnssec-master
<br>
<br>
again without --kasp-db, and it is accepted.
<br>
<br>
Moreover, in this case the ipaConfigString "NEW_DNSSEC_MASTER" is
not properly
<br>
removed from
<br>
cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
<br>
<br>
<br>
<br>
5) Sequence of commands
<br>
[root@vm-134 review]# ipa-dns-install
<br>
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
<br>
<br>
[root@vm-090 review]# ipa-replica-manage del
vm-134.abc.idm.lab.eng.brq.redhat.com
<br>
<br>
allows me to run
<br>
[root@vm-090 review]# ipa-dns-install --dnssec-master
<br>
<br>
without the --kasp-db option; it does not throw an error, and the
information that
<br>
some other master existed somewhere is lost.
<br>
<br>
It would probably be better to replace this with a global attribute
<br>
in cn=dns so that similar problems do not happen.
<br>
<br>
<br>
<br>
6) The migration itself seems to work, and the KASP DB seems to work
properly; however,
<br>
it is necessary to run the 'ods-ksmutil zonelist' command *before*
all the daemons
<br>
on the new master are (re)started. This needs to be done to
regenerate the file
<br>
/etc/opendnssec/zonelist.xml from the new (copied) DB.
<br>
<br>
Here please be careful about file permissions.
<br>
<br>
The command should be run under the 'ods' user to avoid permission
clobbering.
<br>
<br>
<br>
Thank you for your hard work on this!
<br>
<br>
</blockquote>
New patches attached.
<br>
<br>
A major part of the code was changed.
<br>
<br>
Please apply patch 268 first.
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
Updated patches attached.<br>
<br>
I just changed the error log to a debug log:<br>
ipautil.run(cmd,
runas=ods_enforcerd.get_user_name())<br>
- except CalledProcessError as e:<br>
- root_logger.error("%s", e)<br>
+ except CalledProcessError:<br>
+ root_logger.debug("OpenDNSSEC database has not been
updated")<br>
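Review bot: the new debug message drops the exception detail that the removed root_logger.error("%s", e) carried, so when the command started by ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) fails there is no longer any record of the exit status or stderr; keep the exception in the log line, e.g. root_logger.debug("OpenDNSSEC database has not been updated: %s", e). The hunk also shows nothing that limits the downgrade to the uninstall path mentioned below; if the same helper runs during install or when taking over the key master, a failed OpenDNSSEC database update would now be hidden at debug level, so either log at a higher level on that path or pass the desired level in from the caller.<br>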
<br>
As this is not an error during uninstall.<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
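The review items above ask for a consistent rule set around moving the DNSSEC key master: once a master exists or a move is pending anywhere in the topology, <code>ipa-dns-install --dnssec-master</code> on another server must demand a copied kasp.db and otherwise print the proposed transition text (items 2a, 2b, 4); the state should live in one topology-wide record so deleting the old master's replica entry cannot erase it (item 5); and the copied kasp.db must be owned by the OpenDNSSEC user with sane permissions before ods-ksmutil is run as that user (item 6). The following Python block is an added illustration of that logic and is not FreeIPA's code: the names <code>DnssecMasterState</code>, <code>plan_dnssec_master_install</code>, <code>kasp_db_usable</code> and <code>demo_permission_check</code>, the single global state record, and the temporary file used in the demo are all assumptions made for the example.<br>

```python
"""Hypothetical model of an ipa-dns-install --dnssec-master preflight check.

Added illustration, not FreeIPA's code.  It encodes the rules asked for in
the review thread above:
  * once a DNSSEC key master exists, or a move to a new one is pending, a
    --dnssec-master run elsewhere must require a copied kasp.db and must
    otherwise fail with a message naming the server to copy it from;
  * the master state is one topology-wide record (the global attribute in
    cn=dns proposed in item 5), so deleting the old master's replica entry
    cannot erase it; this data model is an assumption of the example;
  * the copied kasp.db must be owned by the OpenDNSSEC user and must not be
    writable by group or others before ods-ksmutil touches it (item 6).
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DnssecMasterState:
    """Topology-wide record: who holds the live KASP DB, and who it is moving to."""
    current: Optional[str] = None   # server holding kasp.db today, or None
    pending: Optional[str] = None   # target named in --replace-dnssec-master


@dataclass
class Decision:
    ok: bool
    message: str


def transition_help(current_master: str) -> str:
    """Error text (as proposed in the review) for a run without --kasp-db."""
    return (
        "Current DNSSEC key master <{m}> is being moved to a different server.\n"
        "\n"
        "You need to copy the kasp.db file from <{m}> and run the following "
        "command to complete the transition:\n"
        "\n"
        "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
    ).format(m=current_master)


def plan_dnssec_master_install(this_server: str, state: DnssecMasterState,
                               kasp_db: Optional[str]) -> Decision:
    """Decide whether `ipa-dns-install --dnssec-master` may proceed on this_server."""
    if state.current is None and state.pending is None:
        # No key master anywhere yet: a fresh install creates a new KASP DB.
        return Decision(True, "Installing new DNSSEC key master on %s" % this_server)
    if state.current == this_server and state.pending is None:
        # Re-run on the server that already holds the role: nothing to move.
        return Decision(True, "%s is already the DNSSEC key master" % this_server)
    if kasp_db is None:
        # A master exists or a move is pending and no DB was supplied: refuse.
        # This covers the third replica (2a), the designated target (2b) and
        # the old master re-running after --replace-dnssec-master (4).
        return Decision(False, transition_help(state.current or state.pending))
    # kasp.db supplied: accept on any replica, as the review suggests, without
    # requiring the name given to --replace-dnssec-master to match.
    return Decision(True, "Importing %s to make %s the DNSSEC key master"
                    % (kasp_db, this_server))


def kasp_db_usable(path: str, ods_uid: int) -> bool:
    """True if the copied kasp.db is a regular file owned by the OpenDNSSEC
    user and not writable by group or others, so running ods-ksmutil as that
    user neither fails nor requires a chown that clobbers permissions."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != ods_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_permission_check() -> Tuple[bool, bool, bool]:
    """Run kasp_db_usable against a constructed temp file (not a real kasp.db).
    Returns (owner+0600 ok, 0666 rejected, wrong owner rejected)."""
    fd, path = tempfile.mkstemp(suffix="-kasp.db")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        strict = kasp_db_usable(path, os.getuid())
        os.chmod(path, 0o666)
        loose = kasp_db_usable(path, os.getuid())
        wrong_owner = kasp_db_usable(path, os.getuid() + 1)
    finally:
        os.unlink(path)
    return strict, loose, wrong_owner


if __name__ == "__main__":
    moving = DnssecMasterState(current="vm-134.abc.idm.lab.eng.brq.redhat.com",
                               pending="vm-090.abc.idm.lab.eng.brq.redhat.com")
    print(plan_dnssec_master_install("vm-059.abc.idm.lab.eng.brq.redhat.com",
                                     moving, None).message)
    print(demo_permission_check())
```

Because the state is one record rather than a per-server ipaConfigString, the item 5 sequence (replace to vm-090, then <code>ipa-replica-manage del vm-134</code>) leaves <code>current</code> set, and vm-090 is still refused until it supplies the copied kasp.db.<br>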
</body>
</html>