[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
Petr Viktorin
pviktori at redhat.com
Fri Apr 12 13:50:47 UTC 2013
On 04/12/2013 02:30 PM, Jan Cholasta wrote:
> On 12.4.2013 14:19, Petr Viktorin wrote:
>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/3547>.
>>>
>>> Honza
>>
>> We used short names in the CNAMEs:
>>
>> $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
>> Record name: ipa-ca
>> CNAME record: vm-109
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>>
>> But it seems the patch assumes a FQDN with a dot at the end. When
>> upgrading a 3.1 server I get:
>>
>> 2013-04-12T12:16:43Z INFO File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 613, in run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>> add_ca_dns_records()
>>
>> File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>> bind.convert_ipa_ca_cnames(api.env.domain)
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 785, in convert_ipa_ca_cnames
>> self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 772, in add_ipa_ca_dns_records
>> host, zone = fqdn.split(".", 1)
>>
>> Unexpected error
>> ValueError: need more than 1 value to unpack
>>
>
> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>
> Updated patch attached.
A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
that is the usual way to do load-balancing, which is the recommended
setup for big installations.
With this patch, if there is one, ca-install will fail as it tries to
add the A record:
$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
Record name: ipa-ca
CNAME record: ca.load-balancer.example.com.
$ ipa-ca-install
[...]
ValidationError: invalid 'cnamerecord': Gettext('CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2)',
domain='ipa', localedir=None)
Even if we don't support CNAMEs here, I think we should print a
big warning in this case rather than fail.
Upgrade state is machine-local, so every time an old master is upgraded,
any CNAME would get replaced:
$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
Record name: ipa-ca
CNAME record: ca.load-balancer.example.com.
----------------------------
Number of entries returned 1
----------------------------
$ sudo ipa-upgradeconfig
...
$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
Record name: ipa-ca
A record: 10.34.47.109
----------------------------
Number of entries returned 1
----------------------------
We should at least highlight this in the release notes, as it deletes
users' data.
--
Petr³
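Added example, not code from this thread or from FreeIPA: one way the upgrade step could convert an ipa-ca CNAME to A/AAAA records while handling both problems raised above (a short-name target breaking `fqdn.split(".", 1)`, and an external CNAME being replaced). `normalize_target`, `plan_ipa_ca_conversion` and `zone_lookup` are hypothetical names, and the zone data is constructed from the values quoted in the thread.

```python
# Added example (not FreeIPA's code): convert an ipa-ca CNAME to A/AAAA records
# without crashing on a short-name target or silently replacing an external CNAME.
# Function names are hypothetical; zone data is constructed from the thread.

DOMAIN = "idm.lab.eng.brq.redhat.com"

# Constructed stand-in for the DNS zone: (host, zone) -> [(rtype, value), ...]
ZONE = {
    ("vm-109", DOMAIN): [("A", "10.34.47.109"), ("AAAA", "2001:db8::109")],
}

def zone_lookup(host, zone):
    """Hypothetical resolver hook; real code would query the IPA DNS API."""
    return ZONE.get((host, zone), [])

def normalize_target(cname, domain):
    """Split a CNAME target into (host, zone).

    Accepts a short name (what 3.1 wrote), a FQDN, or a FQDN with a trailing
    dot; the split() in the first patch raised ValueError on short names.
    """
    name = cname.rstrip(".")
    if "." not in name:
        return name, domain          # relative name: inside the IPA domain
    host, zone = name.split(".", 1)
    return host, zone

def plan_ipa_ca_conversion(ca_records, domain, lookup=zone_lookup):
    """Decide what an upgrade should do with the existing 'ipa-ca' records.

    Returns ("keep", reason) or ("convert", [(rtype, value), ...]).
    """
    cnames = [v for t, v in ca_records if t == "CNAME"]
    if not cnames:
        return "keep", "no CNAME to convert"
    host, zone = normalize_target(cnames[0], domain)  # RFC 1034: one CNAME per name
    if zone.rstrip(".").lower() != domain.rstrip(".").lower():
        # External target is the admin's own data; RFC 1034 3.6.2 forbids
        # adding A/AAAA beside it, so warn and keep it rather than replace it.
        return "keep", "ipa-ca is a CNAME to %s.%s outside %s; not replacing it" % (
            host, zone, domain)
    addrs = [(t, v) for t, v in lookup(host, zone) if t in ("A", "AAAA")]
    if not addrs:
        return "keep", "target %s.%s has no A/AAAA records" % (host, zone)
    return "convert", addrs

if __name__ == "__main__":
    print(plan_ipa_ca_conversion([("CNAME", "vm-109")], DOMAIN))
    print(plan_ipa_ca_conversion([("CNAME", "ca.load-balancer.example.com.")], DOMAIN))
```

The "keep" branch is where the upgrade would log the warning instead of deleting the record; the "convert" branch returns the A/AAAA set that replaces the in-domain CNAME.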