[Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server

Martin Basti mbasti at redhat.com
Wed Jul 1 10:35:14 UTC 2015


On 30/06/15 22:09, Petr Spacek wrote:
> On 30.6.2015 16:04, Martin Basti wrote:
>> On 30/06/15 10:25, Martin Basti wrote:
>>> On 29/06/15 15:16, Martin Basti wrote:
>>>> On 25/06/15 13:46, Petr Spacek wrote:
>>>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>>>> This patch allows to disable DNSSEC key master on IPA server, or replace
>>>>>>>>>> current DNSSEC key master with another IPA server.
>>>>>>>>>>
>>>>>>>>>> Only for master branch.
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>>>
>>>>>>>>>> Patches attached.
>>>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>>>
>>>>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>>   2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>>>>>>     return_value = main_function()
>>>>>>>>>
>>>>>>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>>>
>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>>>>>>     ", ".join(dnssec_zones))
>>>>>>>>>
>>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>>
>>>>>>>> Updated patches attached.
>>>>>>>>
>>>>>>>> Due to the new installers, more changes were required.
>>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>>>
>>>>>> Rebased patches attached.
>>>>> NACK.
>>>>>
>>>>>
>>>>> 0) ipa-dns-install --replace-dnssec-master always puts file into
>>>>> /root/ipa-kasp.db.
>>>>>
>>>>> It would be better to put it into local working directory or /var/lib/ipa (as
>>>>> with replica files).
>>>>>
>>>>>
>>>>> 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were
>>>>> not stopped by ipactl stop:
>>>>>
>>>>> [root at vm-134 review]# ipactl stop
>>>>> Stopping ipa-otpd Service
>>>>> Stopping httpd Service
>>>>> Stopping ipa_memcached Service
>>>>> Stopping kadmin Service
>>>>> Stopping krb5kdc Service
>>>>> Stopping Directory Service
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> [root at vm-134 review]# ipactl start
>>>>> Starting Directory Service
>>>>> Starting krb5kdc Service
>>>>> Starting kadmin Service
>>>>> Starting named Service
>>>>> Starting ipa_memcached Service
>>>>> Starting httpd Service
>>>>> Starting ipa-otpd Service
>>>>> Starting ipa-ods-exporter Service
>>>>> Starting ods-enforcerd Service
>>>>> Starting ipa-dnskeysyncd Service
>>>>>
>>>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>>>
>>>>>
>>>>> 2a) vm-134 was the original master. I ran this:
>>>>>
>>>>> [root at vm-134 review]# ipa-dns-install
>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>
>>>>> ... and then attempted to install master to vm-059:
>>>>> [root at vm-059 review]# ipa-dns-install --dnssec-master
>>>>>
>>>>> This command was accepted despite the missing --kasp-db option and the
>>>>> wrong replica name.
>>>>>
>>>>> It should error out and tell the user to run the command with --kasp-db
>>>>> option.
>>>>>
>>>>> Even better, we could get rid of the explicit replica name specification in
>>>>> the --replace-dnssec-master option and allow running the installation with
>>>>> --kasp-db on any replica as long as the kasp.db file is provided.
>>>>>
>>>>>
>>>>>
>>>>> 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
>>>>> specifying --kasp-db option was accepted.
>>>>>
>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>>>
>>>>> As in case (2a), it should print what the user is supposed to do.
>>>>>
>>>>> I propose the following text:
>>>>>
>>>>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
>>>>> moved to a different server.
>>>>>
>>>>> You need to copy the kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com>
>>>>> and run the following command to complete the transition:
>>>>>
>>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>>>
>>>>>
>>>>>
>>>>> 3) [root at vm-134 review]# ipa-dns-install
>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>> does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd .
>>>>>
>>>>>
>>>>> 4) [root at vm-134 review]# ipa-dns-install
>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>
>>>>> it is possible to run
>>>>>
>>>>> [root at vm-134 review]# ipa-dns-install --dnssec-master
>>>>>
>>>>> again without --kasp-db and it is accepted.
>>>>>
>>>>> Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly
>>>>> removed from
>>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 5) Sequence of commands
>>>>> [root at vm-134 review]# ipa-dns-install
>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>
>>>>> [root at vm-090 review]# ipa-replica-manage del
>>>>> vm-134.abc.idm.lab.eng.brq.redhat.com
>>>>>
>>>>> allows me to run
>>>>> [root at vm-090 review]# ipa-dns-install --dnssec-master
>>>>>
>>>>> without the --kasp-db option, it does not throw an error, and the information
>>>>> that some other master existed somewhere is lost.
>>>>>
>>>>> It would probably be better to replace this and to use some global attribute
>>>>> in cn=dns so similar problems do not happen.
>>>>>
>>>>>
>>>>>
>>>>> 6) The migration itself seems to work, KASP DB seems to work properly,
>>>>> however it is necessary to run the 'ods-ksmutil zonelist' command *before*
>>>>> all the daemons on the new master are (re)started. This needs to be done
>>>>> to re-generate the file /etc/opendnssec/zonelist.xml from the new (copied) DB.
>>>>>
>>>>> Here please be careful about file permissions.
>>>>>
>>>>> The command should be run under the 'ods' user to avoid permission clobbering.
>>>>>
>>>>>
>>>>> Thank you for your hard work on this!
>>>>>
>>>> New patches attached.
>>>>
>>>> Major part of the code was changed.
>>>>
>>>> Please apply patch 268 first.
>>>>
>>>>
>>>>
>>>>
>>>>
>>> Updated patches attached.
>>>
>>> I just changed the error log to a debug log:
>>>                   ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>>> -            except CalledProcessError as e:
>>> -                root_logger.error("%s", e)
>>> +            except CalledProcessError:
>>> +                root_logger.debug("OpenDNSSEC database has not been updated")
>>>
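Review bot: the new `except CalledProcessError:` branch drops the exception object, so the debug line "OpenDNSSEC database has not been updated" no longer records which command failed or with what exit status. Debug level is reasonable here since the uninstall path expects this to fail, but keep the detail so that a genuine permission problem in the `ipautil.run(cmd, runas=ods_enforcerd.get_user_name())` call can still be diagnosed from the install log, e.g. `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`.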
>>> As this is not an error during uninstall.
>>>
>>> -- 
>>> Martin Basti
>>>
>>>
>> Updated patches attached.
> Cond-NACK. Moving master does not work without additional patching. I'm
> attaching fix for this + some polish for messages.
>
> Please review my amendments, it can be pushed if you are okay with my changes.
>
Thank you, it works. I made 2 small changes:

1)
In patch 51 I moved the check to the parser, and fixed the error message to
use the proper option.

2)
In patch 50 I switched:
if api.env.host not in dnssec_masters and dnssec_masters:

to
if dnssec_masters and api.env.host not in dnssec_masters:

These patches belong to master branch only.
All patches attached.

-- 
Martin Basti
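The review points 2a, 2b, 4 and 5 above (a second `ipa-dns-install --dnssec-master` must be refused unless the copied kasp.db is supplied, with a message telling the admin what to do) and the condition reordering in patch 50 describe one decision procedure. The following is an added example written for this thread, not code from the FreeIPA patches: the function name, the `InstallerError` class, the host names and the step list are all constructed here, and the "existing masters" list stands in for whatever the installer reads from LDAP. It also returns the post-import step order from point 6 (regenerate zonelist.xml as the 'ods' user before the daemons start), so a caller can act on the outcome rather than only print it.

```python
"""Added example, not FreeIPA's own code: decide what ipa-dns-install
--dnssec-master should do given the DNSSEC key masters already recorded.
All names here (check_dnssec_master_install, InstallerError, IMPORT_STEPS)
are hypothetical and the host names are constructed sample values."""

# Message proposed in the review for the "master is being moved" case.
MOVE_HELP = (
    "Current DNSSEC key master <{old}> is being moved to a different server.\n"
    "You need to copy the kasp.db file from <{old}> and run the following "
    "command to complete the transition:\n"
    "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
)

# Ordered post-import steps from review point 6: the zone list must be
# regenerated from the copied DB, as the 'ods' user, before any daemon starts.
IMPORT_STEPS = (
    ("copy the provided kasp.db into place", "root"),
    ("ods-ksmutil zonelist  # regenerate /etc/opendnssec/zonelist.xml", "ods"),
    ("start ods-enforcerd, ipa-ods-exporter and ipa-dnskeysyncd", "root"),
)


class InstallerError(Exception):
    """Hypothetical installer failure that carries the message for the admin."""


def check_dnssec_master_install(local_host, dnssec_masters, kasp_db=None):
    """Return (action, kasp_db) for `ipa-dns-install --dnssec-master`.

    local_host     -- FQDN of the server the command runs on (api.env.host)
    dnssec_masters -- hosts currently holding the key master role
    kasp_db        -- path given with --kasp-db, or None
    """
    # Guard on the list first (the reordering from patch 50): an empty list
    # must never fall into the "another master exists" branch.
    if dnssec_masters and local_host not in dnssec_masters:
        if kasp_db is None:
            # Refuse, and tell the admin how to finish the move (points 2a/2b/4).
            raise InstallerError(MOVE_HELP.format(old=", ".join(sorted(dnssec_masters))))
        return "import", kasp_db
    if local_host in dnssec_masters:
        # Re-running on the current master is a no-op, not a second install.
        return "already-master", None
    # No key master anywhere: a fresh install generates new keys.
    return "fresh", None


def import_plan(kasp_db):
    """Ordered (command, run-as user) steps for importing a copied kasp.db."""
    steps = [(f"copy {kasp_db} into place", "root")]
    steps.extend(IMPORT_STEPS[1:])
    return steps


if __name__ == "__main__":
    # Constructed sample run: vm-090 tries to take over from vm-134.
    try:
        check_dnssec_master_install("vm-090.example.test", ["vm-134.example.test"])
    except InstallerError as err:
        print(err)
    print(check_dnssec_master_install("vm-090.example.test",
                                      ["vm-134.example.test"],
                                      kasp_db="/var/lib/ipa/ipa-kasp.db"))
```

The host-in-list test and the emptiness test are the same two operands as in patch 50; the point of putting the emptiness check first is that a fresh deployment (no master recorded at all) never reaches the branch that demands a kasp.db the admin cannot possibly have.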

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0252.7-DNSSEC-allow-to-disable-replace-DNSSEC-key-master.patch
Type: text/x-patch
Size: 25215 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150701/627f02c1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0253.7-DNSSEC-update-message.patch
Type: text/x-patch
Size: 4256 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150701/627f02c1/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0268-Allow-to-run-subprocess-with-suplementary-groups.patch
Type: text/x-patch
Size: 3182 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150701/627f02c1/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0050.2-DNSSEC-ipa-dns-install-Detect-existing-master-server.patch
Type: text/x-patch
Size: 2860 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150701/627f02c1/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0051.2-DNSSEC-Detect-attempt-to-install-disable-master-at-t.patch
Type: text/x-patch
Size: 1151 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150701/627f02c1/attachment-0004.bin>

