On (04/03/16 16:48), Petr Spacek wrote:
> On 4.3.2016 15:05, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 3.3.2016 18:15, Martin Basti wrote:
>>>> On 03.03.2016 17:36, Petr Vobornik wrote:
>>>>> On 03/03/2016 03:52 PM, Martin Basti wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> related tickets:
>>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>>> https://fedorahosted.org/freeipa/ticket/5675
>>>>>> https://fedorahosted.org/freeipa/ticket/5715
>>>>>>
>>>>>> I'm trying to implement both tickets, but I don't like the way we decided on the devel meeting anymore.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>>>
>>>>>> 1)
>>>>>> ipa host-del --updatedns
>>>>>>
>>>>>> I propose to only delete A, AAAA and related PTR records (SSHFP records explained later). The records are somehow managed by IPA.
>>>>>>
>>>>>> I don't like the idea of having an extra option to specify record types that should be removed, or a flag that will remove the DNS entry completely. IMO that is duplication of dnsrecord-mod/del functionality; host-del should not be used for managing DNS. If somebody wants better granularity, they should use 'dnsrecord-mod zone rec --type-rec=' or 'dnsrecord-del --del-all'.
>>>>>
>>>>> AFAIK the proposal on the devel meeting was:
>>>>>
>>>>> --update-dns will delete A, AAAA, SSHFP
>>>>> --update-dns=all will delete the whole DNS record LDAP entry
>>>>>
>>>>> There was also a proposal for granularity, e.g., --update-dns=a,aaaa.
>>>>
>>>> Yes, this looks to me like doing an alias for the dnsrecord-del command.
>>>>
>>>>> Then it was agreed that --update-dns won't search for SRV records (not mentioned here, so OK).
>>>>>
>>>>> PTR records weren't discussed or the decision was not recorded.
>>>>
>>>> When we remove A/AAAA, then we should remove PTR as well.
>>>>
>>>>> The proposal above keeps backwards compatibility though it may not be possible to do with the current framework. Or do we have support for a multivalued enum with default value(s) which acts as a flag?
>>>>
>>>> It needs big hacks in the framework, to support it as Flag for old clients and Enum for new clients.
>>>>
>>>>> If the new option type is too complicated to introduce, then I would prefer to keep the current option (flag) with behavior matching the proposal for --update-dns or --update-dns=all.
>>>>
>>>> To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.
>>>>
>>>>> Definitely big +1 on not introducing a new option.
>>>>>
>>>>> No need to over-engineer it.
>>>>>
>>>>> Not sure about PTR records.
>>>>>
>>>>>> Note: due to backward compatibility --updatedns cannot be migrated to ENUM, a new option is needed.
>>>>>>
>>>>>> 2)
>>>>>> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>>>>>>
>>>>>> host-del removes SSH keys from LDAP, thus there is no reason to keep SSHFP records in DNS, thus SSHFP records should be removed always (even without the --updatedns option).
>>>>>
>>>>> ACK
>>>>>
>>>>>> 3)
>>>>>> ipa-client-install --uninstall
>>>>>>
>>>>>> SSHFP records are always added via nsupdate to DNS; IMO during client uninstall all SSHFP records related to the client should be removed via nsupdate too.
>>>>>
>>>>> IMHO not necessary, it will be solved either by #5676 and/or #5715 (currently uninstall indirectly calls ipa-host-disable).
>>>>
>>>> However host-disable does not do nsupdate, so it will work only for IPA DNS. So if nsupdate set SSHFP on a non-IPA server, we do not have a reverse operation in uninstall for that.
>>>>
>>>>>> 4)
>>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>>>
>>>>>> ipa-client-install --uninstall --delete-host   # suggestions how to name the option for removing the host entry from LDAP welcome
>>>>>>
>>>>>> Should this option call 'host-del' or 'host-del --updatedns'?
>>>>>>
>>>>>> I would like to avoid an additional DNS related option being added to ipa-client-install.
>>>>>>
>>>>>> Also, do we really want to implement this ticket? What is the gain there?
>>>>>
>>>>> The devel discussion which is recorded in https://fedorahosted.org/freeipa/ticket/5676#comment:1 suggests changing the default behavior of ipa-client-install --uninstall so that it will call `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will also do #3.
>>>>>
>>>>> A further proposal in #5676 is to introduce a new option (--keephost ??) to keep the host records, i.e., the old behavior.
>>>>>
>>>>> But the comment:
>>>>> """
>>>>> simo: maybe keeping backward compatibility is more important, discuss later if --remove option would be better
>>>>> """
>>>>> suggests that further discussion is needed.
>>>>
>>>> I agree with backward compatibility here. A current user may be very surprised that all DNS records of the host disappear.
>>>
>>> The general problem is that the installation process (aka ipa-client-install) is a mess without documented design (at least when it comes to DNS parts), so it is quite hard to do the reverse on --uninstall.
>>>
>>> Given that we're planning to implement integration with external DNS in the future, we might want to postpone ipa-client-install changes related to DNS and do the overhaul at once.
>>>
>>> For example, the host plugin will need changes as many assumptions about DNS usage are oversimplified or simply wrong, so delaying changes might save some headache caused by two behavior changes in two subsequent releases.
>>
>> I'm not sure what you'd be looking for in ipa-client-install, but even if you knew exactly what changes were made I don't think it would be enough to do everything in uninstall. It wouldn't handle DNS changes made post-install, for example, so even if state was stored somewhere it could still result in left-over DNS entries.
>>
>> This is particularly important when considering client -> master promotion where a slew of DNS entries will be created.
>>
>> Or am I misunderstanding your point?
>
> You are right, it might be too stateful for a 100% clean solution.
>
> Honestly the cleanest thing we could do is not touch DNS at all for clients. It should be the job of the provisioning system and I do not really understand why the functionality was added to ipa-client-install and not to some other tool. The same applies to DNS updates from SSSD - it is a job for NetworkManager (or something else), not SSSD.

DNS updates are not enabled by default with the ipa provider. ipa-client-install configures it :-)

+1 for NetworkManager (or something else)

LS
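The record-removal semantics argued over in points 1) and 2) of the quoted thread, as an added example that is not FreeIPA code and touches neither LDAP nor nsupdate: SSHFP goes unconditionally, A/AAAA and only the PTRs that point back at the host go with --updatedns, and everything else (TXT, SRV) is left alone. The host name, addresses and in-memory zone dict are constructed sample data.

```python
import ipaddress

HOST = "client1.example.test."
REV4 = ipaddress.ip_address("192.0.2.10").reverse_pointer + "."
REV6 = ipaddress.ip_address("2001:db8::10").reverse_pointer + "."
# Constructed sample zone data: owner name -> {rrtype: [rdata, ...]}. The IPv4 PTR
# owner is shared with a second name to show only the PTR pointing back at HOST goes.
ZONE = {
    HOST: {
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
        "SSHFP": ["1 1 0123456789abcdef0123456789abcdef01234567"],
        "TXT": ["keep me"],
    },
    REV4: {"PTR": [HOST, "alias.example.test."]},
    REV6: {"PTR": [HOST]},
}

def records_to_delete(zone, host, updatedns):
    """Return {owner: {rrtype: [rdata, ...]}} that host-del should remove."""
    fwd = zone.get(host, {})
    plan = {}
    # SSHFP goes unconditionally: the SSH keys it fingerprints leave LDAP.
    if "SSHFP" in fwd:
        plan[host] = {"SSHFP": list(fwd["SSHFP"])}
    if not updatedns:
        return plan
    for rrtype in ("A", "AAAA"):
        for addr in fwd.get(rrtype, []):
            plan.setdefault(host, {}).setdefault(rrtype, []).append(addr)
            rev = ipaddress.ip_address(addr).reverse_pointer + "."
            ptrs = [p for p in zone.get(rev, {}).get("PTR", []) if p == host]
            if ptrs:
                plan[rev] = {"PTR": ptrs}
    return plan

def remove_records(zone, plan):
    """Return a copy of zone without the planned records; emptied owners vanish."""
    out = {}
    for owner, rrsets in zone.items():
        kept = {}
        for rrtype, rdatas in rrsets.items():
            gone = set(plan.get(owner, {}).get(rrtype, []))
            left = [r for r in rdatas if r not in gone]
            if left:
                kept[rrtype] = left
        if kept:
            out[owner] = kept
    return out
```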