On 17.6.2015 13:37, Martin Basti wrote:
> On 17/06/15 13:26, Petr Spacek wrote:
>> On 16.6.2015 15:40, Martin Basti wrote:
>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or
>>>>> replacing the current DNSSEC key master with another IPA server.
>>>>> Only for master branch.
>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>> Patches attached.
>>>> NACK. This happens on DNSSEC key master:
>>>> $ ipa-dns-install --disable-dnssec-master
>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> TypeError: sequence item 0: expected string, DNSName found
>>>> 2015-06-05T10:52:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 733, in run_script
>>>>     return_value = main_function()
>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 112, in disable_dnssec_master
>>>>     ", ".join(dnssec_zones))
>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found
>>> Updated patches attached.
>>> Due to the new installers, more changes were required.
>> Sorry, NACK, I'm not able to apply this patch set to current master
>> (69607250b9762a6c9b657dd31653b03d54a7b411).
> Rebased patches attached.


0) ipa-dns-install --replace-dnssec-master always puts file into

It would be better to put it into local working directory or /var/lib/ipa (as
with replica files).

1) I installed the DNSSEC key master role on vm-134, but the DNSSEC services were
not stopped by ipactl stop:

[root@vm-134 review]# ipactl stop
Stopping ipa-otpd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful

[root@vm-134 review]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-otpd Service
Starting ipa-ods-exporter Service
Starting ods-enforcerd Service
Starting ipa-dnskeysyncd Service

Subsequent ipactl stop worked fine, only the first one is affected.

2a) vm-134 was the original master. I ran this:

[root@vm-134 review]# ipa-dns-install

... and then attempted to install master to vm-059:
[root@vm-059 review]# ipa-dns-install --dnssec-master

This command was accepted despite the missing --kasp-db option and the wrong
replica name.

It should error out and tell the user to run the command with the --kasp-db option.

Even better, we could get rid of the explicit replica name specification in the
--replace-dnssec-master option and allow running the installation with --kasp-db on
any replica, as long as the kasp.db file is provided.

2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
specifying --kasp-db option was accepted.

[root@vm-090 review]# ipa-dns-install --dnssec-master

As in case (2a), it should print what the user is supposed to do.

I propose the following text:

Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is being
moved to a different server.

You need to copy the kasp.db file from <vm-134.abc.idm.lab.eng.brq.redhat.com> and
run the following command to complete the transition:

# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db

3) [root@vm-134 review]# ipa-dns-install
does not remove the ISMASTER option from the file /etc/sysconfig/ipa-dnskeysyncd.

4) [root@vm-134 review]# ipa-dns-install

it is possible to run

[root@vm-134 review]# ipa-dns-install --dnssec-master

again, without --kasp-db, and it is accepted.

Moreover, in this case ipaConfigString "NEW_DNSSEC_MASTER" is not properly
removed from

5) Sequence of commands
[root@vm-134 review]# ipa-dns-install

[root@vm-090 review]# ipa-replica-manage del 

allows me to run
[root@vm-090 review]# ipa-dns-install --dnssec-master

without --kasp-db option, it does not throw an error, and the information that
some other master existed somewhere is lost.

It would probably be better to replace this and use some global attribute
in cn=dns, so that similar problems do not happen.

6) The migration itself seems to work and the KASP DB seems to work properly; however,
it is necessary to run the 'ods-ksmutil zonelist' command *before* all the daemons
on the new master are (re)started. This needs to be done to re-generate the file
/etc/opendnssec/zonelist.xml from the new (copied) DB.

Here please be careful about file permissions.

The command should be run under the 'ods' user to avoid permission clobbering.

Thank you for your hard work on this!

Petr^2 Spacek
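The following is an added example written for this page; it is not FreeIPA code and not part of the patches under review. It models the two checks the review above asks for: refusing `ipa-dns-install --dnssec-master` without `--kasp-db` while some other host is still recorded as key master (items 2a, 2b, 4 and 5, including a hypothetical global attribute in cn=dns so the information survives `ipa-replica-manage del`), and validating the ownership and permissions of the copied kasp.db before `ods-ksmutil` regenerates zonelist.xml as the 'ods' user (item 6). Assumptions: the ipaConfigString value `DNSSEC_KEY_MASTER` for the active master (only `NEW_DNSSEC_MASTER` is named on the page), the `zonelist export` subcommand name of OpenDNSSEC 1.4's ods-ksmutil, and the constructed host names.

```python
#!/usr/bin/env python3
"""Pre-flight checks for moving the FreeIPA DNSSEC key master (added example,
not FreeIPA code). Usage: kasp_preflight.py /path/to/copied/kasp.db"""
import os
import pwd
import stat
import subprocess
import sys

# ipaConfigString values on the per-server DNSSEC entries in LDAP.
# NEW_DNSSEC_MASTER is named in the review; DNSSEC_KEY_MASTER is an ASSUMED
# placeholder for the value marking the currently active master.
KEY_MASTER = "DNSSEC_KEY_MASTER"
NEW_KEY_MASTER = "NEW_DNSSEC_MASTER"

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

# The message text proposed in the review, emitted when --kasp-db is missing.
PROPOSED_TEXT = (
    "Current DNSSEC key master <{old}> is being moved to a different server.\n"
    "\n"
    "You need to copy the kasp.db file from <{old}> and run the following\n"
    "command to complete the transition:\n"
    "\n"
    "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
)


def recorded_masters(servers, global_master=None):
    """Sorted list of hosts recorded as current or pending key master.

    servers: {fqdn: [ipaConfigString, ...]} for each server's DNSSEC entry.
    global_master: value of a HYPOTHETICAL global attribute in cn=dns (review
    item 5) that survives deleting the old master from the topology.
    """
    found = {fqdn for fqdn, cfg in servers.items()
             if KEY_MASTER in cfg or NEW_KEY_MASTER in cfg}
    if global_master:
        found.add(global_master)
    return sorted(found)


def may_become_master(servers, this_host, kasp_db=None, global_master=None):
    """Decide whether `--dnssec-master` on this_host may proceed.

    Returns (ok, message). A fresh KASP DB may only be created when no other
    host is recorded as master; otherwise --kasp-db is mandatory and the user
    is told what to copy and what to run.
    """
    others = [h for h in recorded_masters(servers, global_master) if h != this_host]
    if not others:
        return True, "no other DNSSEC key master recorded"
    if kasp_db is None:
        return False, PROPOSED_TEXT.format(old=others[0])
    return True, "taking over key master role from %s using %s" % (others[0], kasp_db)


def check_kasp_db(path, owner="ods", expect_uid=None):
    """Validate a copied kasp.db before the ODS daemons are started.

    Returns a list of problems; an empty list means the file is usable.
    expect_uid overrides the uid lookup of `owner` (handy when 'ods' does not
    exist on the machine running the check).
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["%s: %s" % (path, exc.strerror)]
    if not stat.S_ISREG(st.st_mode):
        return ["%s: not a regular file" % path]
    problems = []
    with open(path, "rb") as fh:
        if fh.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
            problems.append("%s: not an SQLite 3 database" % path)
    if expect_uid is None:
        try:
            expect_uid = pwd.getpwnam(owner).pw_uid
        except KeyError:
            problems.append("user %r does not exist on this host" % owner)
            expect_uid = -1
    if st.st_uid != expect_uid:
        problems.append("%s: owned by uid %d, expected %s (uid %d)"
                        % (path, st.st_uid, owner, expect_uid))
    # Key-management state: the daemon user owns it; group write or any
    # access for others means the copy clobbered the original permissions.
    if st.st_mode & (stat.S_IWGRP | stat.S_IRWXO):
        problems.append("%s: mode %o is too permissive"
                        % (path, stat.S_IMODE(st.st_mode)))
    return problems


def regenerate_zonelist(owner="ods"):
    """Run the zonelist regeneration as `owner`, never as root, so files it
    touches stay owned by the daemon user. `zonelist export` is the ASSUMED
    ods-ksmutil subcommand; verify against `ods-ksmutil --help` locally.
    Run this before ods-enforcerd / ipa-ods-exporter are (re)started."""
    cmd = ["runuser", "-u", owner, "--", "ods-ksmutil", "zonelist", "export"]
    return subprocess.run(cmd, check=True, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)


if __name__ == "__main__":
    found = check_kasp_db(sys.argv[1])
    for problem in found:
        print(problem, file=sys.stderr)
    sys.exit(1 if found else 0)
```

The installer-side decision is deliberately based on every recorded master other than the local host, so re-running `--dnssec-master` on the host that already holds the role still works, while a takeover without the copied database is refused with the exact text proposed above.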

