On 1.7.2015 12:35, Martin Basti wrote:
> On 30/06/15 22:09, Petr Spacek wrote:
>> On 30.6.2015 16:04, Martin Basti wrote:
>>> On 30/06/15 10:25, Martin Basti wrote:
>>>> On 29/06/15 15:16, Martin Basti wrote:
>>>>> On 25/06/15 13:46, Petr Spacek wrote:
>>>>>> On 17.6.2015 13:37, Martin Basti wrote:
>>>>>>> On 17/06/15 13:26, Petr Spacek wrote:
>>>>>>>> On 16.6.2015 15:40, Martin Basti wrote:
>>>>>>>>> On 05/06/15 12:54, Petr Spacek wrote:
>>>>>>>>>> On 20.5.2015 18:00, Martin Basti wrote:
>>>>>>>>>>> This patch allows disabling the DNSSEC key master on an IPA server, or
>>>>>>>>>>> replacing the current DNSSEC key master with another IPA server.
>>>>>>>>>>>
>>>>>>>>>>> Only for master branch.
>>>>>>>>>>>
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4657
>>>>>>>>>>>
>>>>>>>>>>> Patches attached.
>>>>>>>>>> NACK. This happens on DNSSEC key master:
>>>>>>>>>> $ ipa-dns-install --disable-dnssec-master
>>>>>>>>>>
>>>>>>>>>> Do you want to disable current DNSSEC key master? [no]: yes
>>>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>>>>> TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>>> 2015-06-05T10:52:35Z DEBUG File
>>>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>>>>> line 733, in run_script
>>>>>>>>>>     return_value = main_function()
>>>>>>>>>>
>>>>>>>>>>   File "/sbin/ipa-dns-install", line 128, in main
>>>>>>>>>>     dns_installer.disable_dnssec_master(options.unattended)
>>>>>>>>>>
>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py",
>>>>>>>>>> line 112, in disable_dnssec_master
>>>>>>>>>>     ", ".join(dnssec_zones))
>>>>>>>>>>
>>>>>>>>>> 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed,
>>>>>>>>>> exception: TypeError: sequence item 0: expected string, DNSName found
>>>>>>>>>>
>>>>>>>>> Updated patches attached.
>>>>>>>>>
>>>>>>>>> Due to the new installers, more changes were required.
>>>>>>>> Sorry, NACK, I'm not able to apply this patch set to current master
>>>>>>>> (69607250b9762a6c9b657dd31653b03d54a7b411).
>>>>>>>>
>>>>>>> Rebased patches attached.
>>>>>> NACK.
>>>>>>
>>>>>>
>>>>>> 0) ipa-dns-install --replace-dnssec-master always puts the file into
>>>>>> /root/ipa-kasp.db.
>>>>>>
>>>>>> It would be better to put it into the local working directory or
>>>>>> /var/lib/ipa (as with replica files).
>>>>>>
>>>>>>
>>>>>> 1) I installed the DNSSEC key master role on vm-134 but DNSSEC services
>>>>>> were not stopped by ipactl stop:
>>>>>>
>>>>>> [root@vm-134 review]# ipactl stop
>>>>>> Stopping ipa-otpd Service
>>>>>> Stopping httpd Service
>>>>>> Stopping ipa_memcached Service
>>>>>> Stopping kadmin Service
>>>>>> Stopping krb5kdc Service
>>>>>> Stopping Directory Service
>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>
>>>>>> [root@vm-134 review]# ipactl start
>>>>>> Starting Directory Service
>>>>>> Starting krb5kdc Service
>>>>>> Starting kadmin Service
>>>>>> Starting named Service
>>>>>> Starting ipa_memcached Service
>>>>>> Starting httpd Service
>>>>>> Starting ipa-otpd Service
>>>>>> Starting ipa-ods-exporter Service
>>>>>> Starting ods-enforcerd Service
>>>>>> Starting ipa-dnskeysyncd Service
>>>>>>
>>>>>> Subsequent ipactl stop worked fine, only the first one is affected.
>>>>>>
>>>>>>
>>>>>> 2a) vm-134 was the original master. I ran this:
>>>>>>
>>>>>> [root@vm-134 review]# ipa-dns-install
>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>
>>>>>> ... and then attempted to install the master on vm-059:
>>>>>> [root@vm-059 review]# ipa-dns-install --dnssec-master
>>>>>>
>>>>>> This command was accepted despite the missing --kasp-db option and wrong
>>>>>> replica name.
>>>>>>
>>>>>> It should error out and tell the user to run the command with the
>>>>>> --kasp-db option.
>>>>>>
>>>>>> Even better, we could get rid of the explicit replica name specification
>>>>>> in the --replace-dnssec-master option and allow running the installation
>>>>>> with --kasp-db on any replica as long as the kasp.db file is provided.
>>>>>>
>>>>>>
>>>>>> 2b) An attempt to move the DNSSEC key master from vm-134 to vm-090
>>>>>> *without* specifying the --kasp-db option was accepted.
>>>>>>
>>>>>> [root@vm-090 review]# ipa-dns-install --dnssec-master
>>>>>>
>>>>>> As in case (2a), it should print what the user is supposed to do.
>>>>>>
>>>>>> I propose the following text:
>>>>>>
>>>>>> Current DNSSEC key master <vm-134.abc.idm.lab.eng.brq.redhat.com> is
>>>>>> being moved to a different server.
>>>>>>
>>>>>> You need to copy the kasp.db file from
>>>>>> <vm-134.abc.idm.lab.eng.brq.redhat.com> and
>>>>>> run the following command to complete the transition:
>>>>>>
>>>>>> # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db
>>>>>>
>>>>>>
>>>>>> 3) [root@vm-134 review]# ipa-dns-install
>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>> does not remove the ISMASTER option from the file
>>>>>> /etc/sysconfig/ipa-dnskeysyncd.
>>>>>>
>>>>>>
>>>>>> 4) After
>>>>>> [root@vm-134 review]# ipa-dns-install
>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>
>>>>>> it is possible to run
>>>>>>
>>>>>> [root@vm-134 review]# ipa-dns-install --dnssec-master
>>>>>>
>>>>>> again without --kasp-db and it is accepted.
>>>>>>
>>>>>> Moreover, in this case the ipaConfigString "NEW_DNSSEC_MASTER" is not
>>>>>> properly removed from
>>>>>> cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.
>>>>>>
>>>>>>
>>>>>> 5) The sequence of commands
>>>>>> [root@vm-134 review]# ipa-dns-install
>>>>>> --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
>>>>>>
>>>>>> [root@vm-090 review]# ipa-replica-manage del
>>>>>> vm-134.abc.idm.lab.eng.brq.redhat.com
>>>>>>
>>>>>> allows me to run
>>>>>> [root@vm-090 review]# ipa-dns-install --dnssec-master
>>>>>>
>>>>>> without the --kasp-db option, it does not throw an error, and the
>>>>>> information that some other master existed somewhere is lost.
>>>>>>
>>>>>> It would probably be better to replace this and to use some global
>>>>>> attribute in cn=dns so similar problems do not happen.
>>>>>>
>>>>>>
>>>>>> 6) The migration itself seems to work, the KASP DB seems to work properly,
>>>>>> however it is necessary to run the 'ods-ksmutil zonelist' command *before*
>>>>>> all the daemons on the new master are (re)started. This needs to be done
>>>>>> to re-generate the file /etc/opendnssec/zonelist.xml from the new (copied)
>>>>>> DB.
>>>>>>
>>>>>> Here please be careful about file permissions.
>>>>>>
>>>>>> The command should be run under the 'ods' user to avoid permission
>>>>>> clobbering.
>>>>>>
>>>>>>
>>>>>> Thank you for your hard work on this!
>>>>>>
>>>>> New patches attached.
>>>>>
>>>>> A major part of the code was changed.
>>>>>
>>>>> Please apply patch 268 first.
>>>>>
>>>>>
>>>> Updated patches attached.
>>>>
>>>> I just changed the error log to a debug log:
>>>> ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
>>>> - except CalledProcessError as e:
>>>> - root_logger.error("%s", e)
>>>> + except CalledProcessError:
>>>> + root_logger.debug("OpenDNSSEC database has not been
>>>> updated")
>>>>
>>>> As this is not an error during uninstall.
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>>>
>>> Updated patches attached.
>> Cond-NACK. Moving the master does not work without additional patching. I'm
>> attaching a fix for this + some polish for messages.
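Review bot: the new `except CalledProcessError:` branch around `ipautil.run(cmd, runas=ods_enforcerd.get_user_name())` drops the exception text that the removed `root_logger.error("%s", e)` line used to record, so a failing ods-ksmutil invocation during uninstall leaves no trace of the command's exit status or output. Lowering the level to debug is fine given the stated intent, but keep the exception in the message, e.g. `root_logger.debug("OpenDNSSEC database has not been updated: %s", e)`, so the failure can still be diagnosed from the log when the database really was left stale.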
>>
>> Please review my amendments, it can be pushed if you are okay with my
>> changes.
>>
> Thank you, it works. I did 2 small changes:
>
> 1)
> In patch 51 I moved the check to the parser, and fixed the error message to
> name the proper option.
>
> 2)
> In patch 50 I switched:
> if api.env.host not in dnssec_masters and dnssec_masters:
>
> to
> if dnssec_masters and api.env.host not in dnssec_masters:
>
> These patches belong to the master branch only.
> All patches attached.

Seems reasonable, ACK.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
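The review items 2a, 2b, 4, 5 and 6 above together describe a small state machine: a DNSSEC key master may only be (re)installed without the copied kasp.db when no key master exists anywhere in the topology, the NEW_DNSSEC_MASTER marker must be cleared once the move completes, the record of the old master must survive `ipa-replica-manage del`, and zonelist.xml must be regenerated from the copied database as the ods user before the daemons start. The block below is an added example written for this thread, not FreeIPA code, and it models the directory with in-memory dicts. The attribute name ipaDNSSECKeyMaster under cn=dns, the DNSSEC_KEY_MASTER marker, the kasp.db path under /var/opendnssec and the exact ods-ksmutil/runuser argv are assumptions made for the example; only "NEW_DNSSEC_MASTER" and the proposed operator text come from the thread. It implements the "even better" variant from item 2a, in which any replica may complete the move as long as it supplies --kasp-db.

```python
"""Decision logic for moving the DNSSEC key master between IPA servers.

Added example, not FreeIPA code.  Names marked 'assumed' are choices
made for this example and are not FreeIPA's identifiers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

KEY_MASTER = "DNSSEC_KEY_MASTER"        # assumed ipaConfigString for the active master
NEW_KEY_MASTER = "NEW_DNSSEC_MASTER"    # value quoted in the review for the successor
GLOBAL_ATTR = "ipaDNSSECKeyMaster"      # assumed global attribute under cn=dns (item 5)


class InstallError(Exception):
    """The installer should stop here and print the message to the operator."""


@dataclass
class Directory:
    # cn=DNSKeySync,cn=<host>,cn=masters,...: ipaConfigString values per server
    masters: Dict[str, Set[str]] = field(default_factory=dict)
    # cn=dns,...: not touched by 'ipa-replica-manage del' of the old master
    dns: Dict[str, str] = field(default_factory=dict)

    def hosts_with(self, flag: str) -> List[str]:
        return sorted(h for h, flags in self.masters.items() if flag in flags)


def replica_manage_del(d: Directory, host: str) -> None:
    """ipa-replica-manage del <host>: removes the per-server entries only."""
    d.masters.pop(host, None)


def transition_message(old_master: str) -> str:
    """Operator text proposed in item 2b of the review."""
    return (
        f"Current DNSSEC key master <{old_master}> is being moved to different server.\n"
        f"You need to copy kasp.db file from <{old_master}> and run following command "
        "to complete the transition:\n"
        "# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db"
    )


def replace_dnssec_master(d: Directory, current: str, new_master: str) -> str:
    """ipa-dns-install --replace-dnssec-master=<new_master>, run on `current`."""
    if d.dns.get(GLOBAL_ATTR) != current:
        raise InstallError(f"{current} is not the DNSSEC key master")
    if new_master not in d.masters:
        raise InstallError(f"{new_master} is not an IPA server")
    if current in d.masters:
        d.masters[current].discard(KEY_MASTER)   # old master is demoted (item 3)
    d.masters[new_master].add(NEW_KEY_MASTER)
    # GLOBAL_ATTR keeps naming `current` until the kasp.db arrives, so any
    # later --dnssec-master without --kasp-db is refused (items 4 and 5).
    return transition_message(current)


def install_dnssec_master(d: Directory, host: str, kasp_db: Optional[str] = None) -> str:
    """ipa-dns-install --dnssec-master [--kasp-db=PATH], run on `host`."""
    if host not in d.masters:
        raise InstallError(f"{host} is not an IPA server")
    old_master = d.dns.get(GLOBAL_ATTR)
    if old_master is None:
        return _take_over(d, host)               # first key master in the topology
    if old_master == host and not d.hosts_with(NEW_KEY_MASTER):
        return "already the DNSSEC key master"
    if kasp_db is None:
        # a key master exists or is mid-move: never accept silently (2a, 2b)
        raise InstallError(transition_message(old_master))
    return _take_over(d, host)                   # any replica with the kasp.db copy


def _take_over(d: Directory, host: str) -> str:
    for flags in d.masters.values():
        flags.discard(KEY_MASTER)
        flags.discard(NEW_KEY_MASTER)            # clear the marker (item 4)
    d.masters[host].add(KEY_MASTER)
    d.dns[GLOBAL_ATTR] = host
    return "installed DNSSEC key master"


def transition_steps(kasp_db_copy: str) -> List[Tuple[str, List[str]]]:
    """Ordered host-side steps on the new master (item 6); argv lists are assumed.

    zonelist.xml is regenerated from the copied DB before the OpenDNSSEC
    daemons start, and as the ods user so ownership of files under
    /etc/opendnssec and /var/opendnssec is not clobbered by root.
    """
    return [
        ("install kasp.db", ["install", "-o", "ods", "-g", "ods", "-m", "0660",
                             kasp_db_copy, "/var/opendnssec/kasp.db"]),
        ("regenerate zonelist.xml as ods (stdout to /etc/opendnssec/zonelist.xml)",
         ["runuser", "-u", "ods", "--", "ods-ksmutil", "zonelist", "export"]),
        ("start daemons", ["ipactl", "start"]),
    ]
```

The global attribute is what makes case 5 behave: after `replica_manage_del` removes vm-134's per-server entry, `install_dnssec_master(d, "vm-090")` still sees the old master in `d.dns` and refuses to proceed without `--kasp-db`, whereas a check that only scans cn=masters would accept it and silently create a second, unrelated key set.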