URL: https://github.com/freeipa/freeipa/pull/2321 Author: Tiboris Title: #2321: [Backport][ipa-4-7] ipa-server-install: do not perform forwarder validation with --no-dnssec-validation Action: opened
PR body: """ This PR was opened automatically because PR #2310 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2321/head:pr2321 git checkout pr2321
From cfb45d2b1af23d9e178baf34f9a503c83603384d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 31 Aug 2018 10:09:15 +0200
Subject: [PATCH 1/2] ipa-server-install: do not perform forwarder validation with --no-dnssec-validation
ipa-server-install is checking if the forwarder(s) specified with --forwarder argument support DNSSEC. When the --no-dnssec-validation option is added, the installer should not perform the check.
Fixes: https://pagure.io/freeipa/issue/7666
---
 ipaserver/install/dns.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index c7c22176c5..9c28d1b065 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -292,8 +292,8 @@ def install_check(standalone, api, replica, options, hostname):
 # test DNSSEC forwarders
 if options.forwarders:
- if (not bindinstance.check_forwarders(options.forwarders)
- and not options.no_dnssec_validation):
+ if not options.no_dnssec_validation \
+ and not bindinstance.check_forwarders(options.forwarders):
 options.no_dnssec_validation = True
 print("WARNING: DNSSEC validation will be disabled")
From c63df10c97e195a855533d59f8b2d195815ef663 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 31 Aug 2018 10:12:01 +0200
Subject: [PATCH 2/2] tests: add test for server install with --no-dnssec-validation
Add 2 tests related to the checks performed by ipa-server-install when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation, the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is provided, the installer must continue.
Related to https://pagure.io/freeipa/issue/7666
---
 ipatests/test_integration/test_dnssec.py | 44 ++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
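Review bot: The operand order of the new condition in install_check (ipaserver/install/dns.py) is now what keeps the installer from probing the forwarders once --no-dnssec-validation is given, and nothing in the code says so; a comment such as `# test no_dnssec_validation first: the forwarder probe must not run when validation is already disabled` would stop a later cleanup from swapping the operands back. The backslash continuation could be a parenthesised condition, as the removed lines were, which is the form PEP 8 prefers. Separately, the unchanged fallback right below turns DNSSEC validation off and reports it only through `print`; it may be worth confirming that this downgrade also reaches the install log, since it is easy to miss in an unattended run. install_check starts and continues outside the hunk.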
diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 368b1ffc49..18b806e8ef 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -550,3 +550,47 @@ def test_migrate_dnssec_master(self):
 self.master.ip, example3_test_zone, timeout=200 ), ("Zone %s is not signed (master)" % example3_test_zone)
+
+
+class TestInstallNoDnssecValidation(IntegrationTest):
+ """test installation of the master with
+ --no-dnssec-validation
+
+ Test for issue 7666: ipa-server-install --setup-dns is failing
+ if using --no-dnssec-validation and --forwarder, when the
+ specified forwarder does not support DNSSEC.
+ The forwarder should not be checked for DNSSEC support when
+ --no-dnssec-validation argument is specified.
+ In order to reproduce the conditions, the test is using a dummy
+ IP address for the forwarder (i.e. there is no BIND service available
+ at this IP address). To make sure of that, the test is using the IP of
+ a replica (that is not yet setup).
+ """
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.install_args = [
+ 'ipa-server-install',
+ '-n', cls.master.domain.name,
+ '-r', cls.master.domain.realm,
+ '-p', cls.master.config.dirman_password,
+ '-a', cls.master.config.admin_password,
+ '-U',
+ '--setup-dns',
+ '--forwarder', cls.replicas[0].ip,
+ '--auto-reverse'
+ ]
+
+ def test_install_withDnssecValidation(self):
+ cmd = self.master.run_command(self.install_args, raiseonerr=False)
+ # The installer checks that the forwarder supports DNSSEC
+ # but the forwarder does not answer => expect failure
+ assert cmd.returncode != 0
+
+ def test_install_noDnssecValidation(self):
+ # With the --no-dnssec-validation, the installer does not check
+ # whether the forwarder supports DNSSEC => success even if the
+ # forwarder is not reachable
+ self.master.run_command(
+ self.install_args + ['--no-dnssec-validation'])
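Review bot: `test_install_withDnssecValidation` passes on any non-zero exit, so an installer failure unrelated to the forwarder check would satisfy it; asserting on the message as well, e.g. `assert "<expected forwarder error text>" in cmd.stderr_text` (placeholder, the exact wording is not visible here), would tie the test to the DNSSEC check. The second test appears to rely on the first install attempt having failed before it changed the host, since the class shows no cleanup between the two runs; if that ordering is intended, a one-line comment saying so would help. The method names mix snake_case with camelCase; `test_install_with_dnssec_validation` and `test_install_no_dnssec_validation` would follow PEP 8.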