On 17.6.2015 13:37, Martin Basti wrote: > On 17/06/15 13:26, Petr Spacek wrote: >> On 16.6.2015 15:40, Martin Basti wrote: >>> On 05/06/15 12:54, Petr Spacek wrote: >>>> On 20.5.2015 18:00, Martin Basti wrote: >>>>> This patch allows to disable DNSSEC key master on IPA server, or replace >>>>> current DNSSEC key master with another IPA server. >>>>> >>>>> Only for master branch. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/4657 >>>>> >>>>> Patches attached. >>>> NACK. This happens on DNSSEC key master: >>>> $ ipa-dns-install --disable-dnssec-master >>>> >>>> Do you want to disable current DNSSEC key master? [no]: yes >>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>> TypeError: sequence item 0: expected string, DNSName found >>>> 2015-06-05T10:52:35Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line >>>> 733, in run_script >>>> return_value = main_function() >>>> >>>> File "/sbin/ipa-dns-install", line 128, in main >>>> dns_installer.disable_dnssec_master(options.unattended) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line >>>> 112, >>>> in disable_dnssec_master >>>> ", ".join(dnssec_zones)) >>>> >>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: >>>> TypeError: sequence item 0: expected string, DNSName found >>>> >>> Updated patches attached. >>> >>> Due new installers, more changes were required. >> Sorry, NACK, I'm not able to apply this patch set to current master >> (69607250b9762a6c9b657dd31653b03d54a7b411). >> > Rebased patches attached.
NACK. 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db. It would be better to put it into local working directory or /var/lib/ipa (as with replica files). 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop: [root@vm-134 review]# ipactl stop Stopping ipa-otpd Service Stopping httpd Service Stopping ipa_memcached Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service ipa: INFO: The ipactl command was successful [root@vm-134 review]# ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting ipa-otpd Service Starting ipa-ods-exporter Service Starting ods-enforcerd Service Starting ipa-dnskeysyncd Service Subsequent ipactl stop worked fine, only the first one is affected. 2a) vm-134 was the original master. I ran this: [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com ... and then attempted to install master to vm-059: [root@vm-059 review]# ipa-dns-install --dnssec-master This command was accepted despite of missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with --kasp-db option. Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided. 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted. [root@vm-090 review]# ipa-dns-install --dnssec-master As in case (2a), it should print what user is supposed to do. I propose following text: Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being moved to different server. You need to copy kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com> and run following command to complete the transition: # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com it is possible to run [root@vm-134 review]# ipa-dns-install --dnssec-master again without --kasp-db and it is accepted. Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. 5) Sequence of commands [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com allows me to run [root@vm-090 review]# ipa-dns-install --dnssec-master without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost. It would be probably better to replace this and to use some global attribute in cn=dns so similar problems do not happen. 6) The migration itself seems to work, KASP DB seems to work properly, however it is necessary to run 'ods-ksmutil zonelist' command *before* all the daemons on the new master are (re)started. This needs do be done to re-generate file /etc/opendnssec/zonelist.xml from the new (copied) DB. Here please be careful about file permissions. The command should be ran under 'ods' user to avoid permission clobbering. Thank you for your hard work on this! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
