[Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server

Tomas Babej tbabej at redhat.com
Tue Jul 7 06:38:44 UTC 2015



On 07/01/2015 12:47 PM, Petr Spacek wrote:
> On 1.7.2015 12:35, Martin Basti wrote:
>> On 30/06/15 22:09, Petr Spacek wrote:
>>> On 30.6.2015 16:04, Martin Basti wrote:
>>>> On 30/06/15 10:25, Martin Basti wrote:
>>>>> On 29/06/15 15:16, Martin Basti wrote:
>>>>>> On 25/06/15 13:46, Petr Spacek wrote:
>>>>>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>>>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or
>>>>>>>>>>>> replacing
>>>>>>>>>>>> the current DNSSEC key master with another IPA server.
>>>>>>>>>>>>
>>>>>>>>>>>> Only for master branch.
>>>>>>>>>>>>
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>>>>>
>>>>>>>>>>>> Patches attached.
>>>>>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>>>>>
>>>>>>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>>>>        2015-06-05T10:52:35Z DEBUG   File
>>>>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>>>>>> line
>>>>>>>>>>> 733, in run_script
>>>>>>>>>>>         return_value = main_function()
>>>>>>>>>>>
>>>>>>>>>>>       File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>>>>> dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>>>>>
>>>>>>>>>>>       File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py",
>>>>>>>>>>> line
>>>>>>>>>>> 112,
>>>>>>>>>>> in disable_dnssec_master
>>>>>>>>>>>         ", ".join(dnssec_zones))
>>>>>>>>>>>
>>>>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed,
>>>>>>>>>>> exception:
>>>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>>>>
>>>>>>>>>> Updated patches attached.
>>>>>>>>>>
>>>>>>>>>> Due to the new installers, more changes were required.
>>>>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>>>>>
>>>>>>>> Rebased patches attached.
>>>>>>> NACK.
>>>>>>>
>>>>>>>
>>>>>>> 0) ipa-dns-install --replace-dnssec-master always puts the file into
>>>>>>> /root/ipa-kasp.db.
>>>>>>>
>>>>>>> It would be better to put it into local working directory or
>>>>>>> /var/lib/ipa (as
>>>>>>> with replica files).
>>>>>>>
>>>>>>>
>>>>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services
>>>>>>> were
>>>>>>> not stopped by ipactl stop:
>>>>>>>
>>>>>>> [root at vm-134 review]# ipactl stop
>>>>>>> Stopping ipa-otpd Service
>>>>>>> Stopping httpd Service
>>>>>>> Stopping ipa_memcached Service
>>>>>>> Stopping kadmin Service
>>>>>>> Stopping krb5kdc Service
>>>>>>> Stopping Directory Service
>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>
>>>>>>> [root at vm-134 review]# ipactl start
>>>>>>> Starting Directory Service
>>>>>>> Starting krb5kdc Service
>>>>>>> Starting kadmin Service
>>>>>>> Starting named Service
>>>>>>> Starting ipa_memcached Service
>>>>>>> Starting httpd Service
>>>>>>> Starting ipa-otpd Service
>>>>>>> Starting ipa-ods-exporter Service
>>>>>>> Starting ods-enforcerd Service
>>>>>>> Starting ipa-dnskeysyncd Service
>>>>>>>
>>>>>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>>>>>
>>>>>>>
>>>>>>> 2a) vm-134 was the original master. I ran this:
>>>>>>>
>>>>>>> [root at vm-134 review]# ipa-dns-install
>>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>>
>>>>>>> ... and then attempted to install master to vm-059:
>>>>>>> [root at vm-059 review]# ipa-dns-install --dnssec-master
>>>>>>>
>>>>>>> This command was accepted despite the missing --kasp-db option and the wrong
>>>>>>> replica name.
>>>>>>>
>>>>>>> It should error out and tell the user to run the command with --kasp-db
>>>>>>> option.
>>>>>>>
>>>>>>> Even better, we could get rid of the explicit replica name specification in
>>>>>>> the --replace-dnssec-master option and allow running the installation with
>>>>>>> --kasp-db on
>>>>>>> any replica as long as the kasp.db file is provided.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
>>>>>>> specifying --kasp-db option was accepted.
>>>>>>>
>>>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>>>>>
>>>>>>> As in case (2a), it should print what the user is supposed to do.
>>>>>>>
>>>>>>> I propose following text:
>>>>>>>
>>>>>>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
>>>>>>> moved to different server.
>>>>>>>
>>>>>>> You need to copy kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com>
>>>>>>> and
>>>>>>> run following command to complete the transition:
>>>>>>>
>>>>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 3) [root at vm-134 review]# ipa-dns-install
>>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .
>>>>>>>
>>>>>>>
>>>>>>> 4) [root at vm-134 review]# ipa-dns-install
>>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>>
>>>>>>> it is possible to run
>>>>>>>
>>>>>>> [root at vm-134 review]# ipa-dns-install --dnssec-master
>>>>>>>
>>>>>>> again without --kasp-db and it is accepted.
>>>>>>>
>>>>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly
>>>>>>> removed from
>>>>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 5) Sequence of commands
>>>>>>> [root at vm-134 review]# ipa-dns-install
>>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>>
>>>>>>> [root at vm-090 review]# ipa-replica-manage del
>>>>>>> vm-134.abc.idm.lab.eng.brq.redhat.com
>>>>>>>
>>>>>>> allows me to run
>>>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>>>>>
>>>>>>> without --kasp-db option, it does not throw an error, and the information
>>>>>>> that
>>>>>>> some other master existed somewhere is lost.
>>>>>>>
>>>>>>> It would be probably better to replace this and to use some global
>>>>>>> attribute
>>>>>>> in cn=dns so similar problems do not happen.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 6) The migration itself seems to work, KASP DB seems to work properly,
>>>>>>> however
>>>>>>> it is necessary to run 'ods-ksmutil zonelist' command *before* all the
>>>>>>> daemons
>>>>>>> on the new master are (re)started. This needs to be done to re-generate
>>>>>>> the file
>>>>>>> /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>>>>
>>>>>>> Here please be careful about file permissions.
>>>>>>>
>>>>>>> The command should be run under the 'ods' user to avoid permission clobbering.
>>>>>>>
>>>>>>>
>>>>>>> Thank you for your hard work on this!
>>>>>>>
>>>>>> New patches attached.
>>>>>>
>>>>>> Major part of the code was changed.
>>>>>>
>>>>>> Please apply patch 268 first.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Updated patches attached.
>>>>>
>>>>> I just changed the error log to a debug log:
>>>>>                   ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>>>>> -            except CalledProcessError as e:
>>>>> -                root_logger.error("%s", e)
>>>>> +            except CalledProcessError:
>>>>> +                root_logger.debug("OpenDNSSEC database has not been
>>>>> updated")
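Review bot: the replacement `except CalledProcessError:` drops the exception object, so when `ipautil.run(cmd, runas=ods_enforcerd.get_user_name())` fails for an unexpected reason (for instance the file-permission problems on the OpenDNSSEC files that item 6 of this thread warns about) the log records nothing that would explain it. Keep `as e` and fold it into the lowered-severity message, e.g. `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`, so uninstall stays quiet in the expected case while the cause is still recorded.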
>>>>>
>>>>> As this is not an error during uninstall.
>>>>>
>>>>> -- 
>>>>> Martin Basti
>>>>>
>>>>>
>>>> Updated patches attached.
>>> Cond-NACK. Moving master does not work without additional patching. I'm
>>> attaching fix for this + some polish for messages.
>>>
>>> Please review my amendments, it can be pushed if you are okay with my changes.
>>>
>> Thank you, it works. I did 2 small changes
>>
>> 1)
>> In patch 51 I moved the check to the parser, and fixed the error message to the proper option.
>>
>> 2)
>> in patch 50 I switched:
>> if api.env.host not in dnssec_masters and dnssec_masters:
>>
>> to
>> if dnssec_masters and api.env.host not in dnssec_masters:
>>
>> These patches belong to master branch only.
>> All patches attached.
> 
> Seems reasonable, ACK.
> 

Pushed to master: 8ee975b276d0728130a148b01f9bfc0b77524ae0
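As an added illustration (not part of this thread and not FreeIPA's own code), the validation the review asks for in items 2a, 2b, 4 and 5, modelled in Python: the pending-move marker is kept as one global value, as suggested for cn=dns, and any replica may finish the move as long as it passes --kasp-db, the "even better" variant proposed in item 2a. The state shape, the function names and the second error message are assumptions; the move instructions are the text proposed in the thread.

```python
from collections import namedtuple

# Constructed model of the state ipa-dns-install consults (added illustration,
# not FreeIPA's code): `masters` are hosts holding the DNSSEC key master role,
# `pending_old_master` is the server a move was started from. It plays the role
# of the NEW_DNSSEC_MASTER ipaConfigString but is stored once, globally, so
# deleting a replica (item 5 of the review) cannot lose it.
DnssecState = namedtuple("DnssecState", "masters pending_old_master")


class DnssecMasterError(Exception):
    """Raised when 'ipa-dns-install --dnssec-master' must not proceed."""


def move_instructions(old_master):
    # Message text proposed in the review thread for cases 2a and 2b.
    return (
        "Current DNSSEC key master <%s> is being moved to different server.\n"
        "You need to copy kasp.db file from <%s> and run following command "
        "to complete the transition:\n"
        "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
        % (old_master, old_master))


def check_dnssec_master_install(host, state, kasp_db=None):
    """Return 'fresh', 'reinstall' or 'move', or raise DnssecMasterError."""
    masters = set(state.masters)
    if state.pending_old_master:
        # A move is in flight: any replica may finish it, but only when the
        # copied KASP DB is supplied (cases 2a, 2b and 5 from the review).
        if kasp_db is None:
            raise DnssecMasterError(move_instructions(state.pending_old_master))
        return "move"
    # Same ordering as the final patch 50: test the list before membership.
    if masters and host not in masters:
        raise DnssecMasterError(  # assumed wording, not from the thread
            "DNSSEC key master is already installed on %s; run "
            "'ipa-dns-install --replace-dnssec-master' there first"
            % ", ".join(sorted(masters)))
    return "reinstall" if host in masters else "fresh"


def start_move(state, old_master):
    """Model of --replace-dnssec-master run on the current master."""
    return DnssecState(masters=(), pending_old_master=old_master)


def finish_move(state, new_master):
    """Model of a completed --dnssec-master --kasp-db run: the pending marker
    is cleared, otherwise a second run without --kasp-db is accepted (item 4)."""
    return DnssecState(masters=(new_master,), pending_old_master=None)
```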



