On 03/11/2013 09:39 AM, Petr Spacek wrote:
> On 11.3.2013 09:09, Martin Kosek wrote:
>> On 03/08/2013 09:49 AM, Petr Spacek wrote:
>>> On 8.3.2013 00:14, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>>>> and tkey-domain and replace them with tkey-gssapi-keytab which avoids
>>>>> unnecessary Kerberos checks on BIND startup and can cause issues when
>>>>> KDC is not available.
>>>>>
>>>>> Both new and current IPA installations are updated.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3429
>>>>>
>>>>
>>>> Still reviewing this but I noticed that after upgrading my 3.1.99 server
>>>> pre-patch to with with-patch version the connections argument in named.conf
>>>> got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting that to
>>>> 4
>>>> during the initial install too?
>>>
>>> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more
>>> connections
>>> should not harm.
>>>
>>> Higher value should allow higher level of parallelism, it is one of tuning
>>> parameters. Value 4 was necessary to prevent deadlocks in some previous
>>> versions of bind-dyndb-ldap.
>>>
>>
>> Previously, when I implemented the upgrade script, I set connections arg only
>> if it was present in named.conf and thus bind-dyndb-ldap could not use a
>> reasonable default on its own decision.
>>
>> This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f and connections
>> is set always. Rob is correct, that in that case we might want to add it to
>> named.conf by default to make it consistent... or we could also fix upgrade
>> script to change connections only if it is present in named.conf.
>>
>> Petr, what does make more sense bind-dyndb-ldap wise?
>
> Default values should work. Personally I would include only "override" values
> in named.conf, but technically it doesn't matter.
>
> Note: Latest bind-dyndb-ldap versions refuse to start if configuration is
> insane. Fatal error will point admin to errors in configuration and should
> prevent surprises from auto-magically changed values.
>
> Invalid configurations - examples:
> connections < 1
> connections < 2 && psearch is enabled
> serial_autoincrement enabled && psearch disabled
>
Ok, lets set the connections argument only if it is in named.conf _and_ it is
lower than the required minimum. All patches attached.
Martin
From 323856232e40f9678a599a5392eb4826aca8954d Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 5 Mar 2013 12:02:58 +0100
Subject: [PATCH 1/2] Update named.conf parser
Refactor the named.conf parsing and editing functions in bindinstance
so that both "dynamic-db" and "options" sections of named.conf can
be read and updated
https://fedorahosted.org/freeipa/ticket/3429
---
ipaserver/install/bindinstance.py | 60 ++++++++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index dff661dd600dfd7933d8094326209fb55884fd5b..057b73f88ba1984a9a82da0bf0fc63dbcf7d1cc9 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -43,8 +43,12 @@ from ipalib.util import (validate_zonemgr, normalize_zonemgr,
NAMED_CONF = '/etc/named.conf'
RESOLV_CONF = '/etc/resolv.conf'
+named_conf_ipa_start = 'dynamic-db "ipa"'
+named_conf_options_start = 'options {'
named_conf_ipa_re = re.compile(r'(?P<indent>\s*)arg\s+"(?P<name>\S+)\s(?P<value>[^"]+)";')
+named_conf_options_re = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;')
named_conf_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
+named_conf_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
def check_inst(unattended):
has_bind = True
@@ -86,26 +90,36 @@ def named_conf_exists():
return True
return False
-def named_conf_get_directive(name):
+NAMED_SECTION_OPTIONS = "options"
+NAMED_SECTION_IPA = "ipa"
+def named_conf_get_directive(name, section=NAMED_SECTION_IPA):
"""Get a configuration option in bind-dyndb-ldap section of named.conf"""
+ if section == NAMED_SECTION_IPA:
+ named_conf_start = named_conf_ipa_start
+ named_conf_re = named_conf_ipa_re
+ elif section == NAMED_SECTION_OPTIONS:
+ named_conf_start = named_conf_options_start
+ named_conf_re = named_conf_options_re
+ else:
+ raise NotImplementedError('Section "%s" is not supported' % section)
with open(NAMED_CONF, 'r') as f:
- ipa_section = False
+ target_section = False
for line in f:
- if line.startswith('dynamic-db "ipa"'):
- ipa_section = True
+ if line.startswith(named_conf_start):
+ target_section = True
continue
if line.startswith('};'):
- if ipa_section:
+ if target_section:
break
- if ipa_section:
- match = named_conf_ipa_re.match(line)
+ if target_section:
+ match = named_conf_re.match(line)
if match and name == match.group('name'):
return match.group('value')
-def named_conf_set_directive(name, value):
+def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA):
"""
Set configuration option in bind-dyndb-ldap section of named.conf.
@@ -117,25 +131,37 @@ def named_conf_set_directive(name, value):
"""
new_lines = []
+ if section == NAMED_SECTION_IPA:
+ named_conf_start = named_conf_ipa_start
+ named_conf_re = named_conf_ipa_re
+ named_conf_template = named_conf_ipa_template
+ elif section == NAMED_SECTION_OPTIONS:
+ named_conf_start = named_conf_options_start
+ named_conf_re = named_conf_options_re
+ named_conf_template = named_conf_options_template
+ else:
+ raise NotImplementedError('Section "%s" is not supported' % section)
+
with open(NAMED_CONF, 'r') as f:
- ipa_section = False
+ target_section = False
matched = False
last_indent = "\t"
for line in f:
- if line.startswith('dynamic-db "ipa"'):
- ipa_section = True
+ if line.startswith(named_conf_start):
+ target_section = True
if line.startswith('};'):
- if ipa_section and not matched:
+ if target_section and not matched and \
+ value is not None:
# create a new conf
- new_conf = named_conf_ipa_template \
+ new_conf = named_conf_template \
% dict(indent=last_indent,
name=name,
value=value)
new_lines.append(new_conf)
- ipa_section = False
+ target_section = False
- if ipa_section and not matched:
- match = named_conf_ipa_re.match(line)
+ if target_section and not matched:
+ match = named_conf_re.match(line)
if match:
last_indent = match.group('indent')
@@ -144,7 +170,7 @@ def named_conf_set_directive(name, value):
if value is not None:
if not isinstance(value, basestring):
value = str(value)
- new_conf = named_conf_ipa_template \
+ new_conf = named_conf_template \
% dict(indent=last_indent,
name=name,
value=value)
--
1.8.1.4
From 3a4575c77ff814ad4fbf2cd5f15a00ee0de51332 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 5 Mar 2013 12:04:58 +0100
Subject: [PATCH 2/2] Use tkey-gssapi-keytab in named.conf
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.
Both new and current IPA installations are updated.
https://fedorahosted.org/freeipa/ticket/3429
---
install/share/bind.named.conf.template | 3 +-
install/tools/ipa-upgradeconfig | 69 +++++++++++++++++++++++++++++++++-
2 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 9fdd91319947f6cfd3034f8d2a4fe8bb60d1af77..b12df593ad902dfbe815c2292992f26204756cd8 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -14,8 +14,7 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-credential "DNS/$FQDN";
- tkey-domain "$REALM";
+ tkey-gssapi-keytab "/etc/named.keytab";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9bd706ad0beb45ba7a4b20f30f564f5e234bd133..f310ff76d283e582b2191d26c9773b388f24482b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -451,6 +451,72 @@ def named_enable_serial_autoincrement():
return changed
+def named_update_gssapi_configuration():
+ """
+ Update GSSAPI configuration in named.conf to a recent API.
+ tkey-gssapi-credential and tkey-domain is replaced with tkey-gssapi-keytab.
+ Details can be found in https://fedorahosted.org/freeipa/ticket/3429.
+
+ When some change in named.conf is done, this functions returns True
+ """
+
+ root_logger.info('[Updating GSSAPI configuration in DNS]')
+
+ if not bindinstance.named_conf_exists():
+ # DNS service may not be configured
+ root_logger.info('DNS is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('named.conf', 'gssapi_updated'):
+ root_logger.debug('Skip GSSAPI configuration check')
+ return False
+
+ try:
+ gssapi_keytab = bindinstance.named_conf_get_directive('tkey-gssapi-keytab',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot retrieve tkey-gssapi-keytab option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ if gssapi_keytab:
+ root_logger.debug('GSSAPI configuration already updated')
+ sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
+ return False
+
+ try:
+ tkey_credential = bindinstance.named_conf_get_directive('tkey-gssapi-credential',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ tkey_domain = bindinstance.named_conf_get_directive('tkey-domain',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot retrieve tkey-gssapi-credential option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+
+ if not tkey_credential or not tkey_domain:
+ root_logger.error('Either tkey-gssapi-credential or tkey-domain is missing in %s. '
+ 'Skip update.', bindinstance.NAMED_CONF)
+ return False
+
+ try:
+ bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive('tkey-domain', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot update GSSAPI configuration in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ root_logger.debug('GSSAPI configuration updated')
+
+ sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
+ return True
+
+
def enable_certificate_renewal(ca):
"""
If the CA subsystem certificates are not being tracked for renewal then
@@ -741,7 +807,8 @@ def main():
add_server_cname_records()
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
- if changed_psearch or changed_autoincrement:
+ changed_gssapi_conf = named_update_gssapi_configuration()
+ if changed_psearch or changed_autoincrement or changed_gssapi_conf:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bind = bindinstance.BindInstance(fstore)
--
1.8.1.4
From 8ff8fd93cb41da71dec868e2ccb5fccf0fda1d8e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 13 Mar 2013 10:55:48 +0100
Subject: [PATCH] Do not force named connections on upgrades
We used to set connections argument for bind-dyndb-ldap even when
the attribute was not in named.conf. This is not necessary as
the bind-dyndb-ldap plugin chooses a sane default instead of us.
---
install/tools/ipa-upgradeconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index f310ff76d283e582b2191d26c9773b388f24482b..f5652139d6e8632970e6c558275b69a61f2b0510 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -383,7 +383,7 @@ def named_enable_psearch():
# "connections" option, bail out
pass
else:
- if connections is None or connections < minimum_connections:
+ if connections is not None and connections < minimum_connections:
try:
bindinstance.named_conf_set_directive('connections',
minimum_connections)
--
1.8.1.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
