On 20.05.2016 12:19, Petr Spacek wrote:
On 11.5.2016 12:08, Martin Basti wrote:

On 03.05.2016 14:59, Petr Spacek wrote:
Hello,

DNS upgrade: change forwarding policy to "only" if private IPs are used.

https://fedorahosted.org/freeipa/ticket/5710

This is the upgrade part. I will add one more patch to print a warning in
dnsforwardzone* commands to avoid surprises. Please do not close the ticket
yet.



1)
Upgrade failed with 'BindInstance' object has no attribute
'named_conf_get_directive'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information

2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no
attribute 'named_conf_get_directive'
2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line
213, in __upgrade
     self.modified = (ld.update(self.files) or self.modified)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 917, in update
     self._run_updates(all_updates)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 889, in _run_updates
     self._run_update_plugin(update['plugin'])
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 862, in _run_update_plugin
     restart_ds, updates = self.api.Updater[plugin_name]()
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in
__call__
     return self.execute(**options)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 547, in execute
     self.update_global_named_conf_forwarder(bind)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 508, in update_global_named_conf_forwarder
     if bind.named_conf_get_directive(
AttributeError: 'BindInstance' object has no attribute 
'named_conf_get_directive'

2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
447, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
437, in run_step
     method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line
221, in __upgrade
     raise RuntimeError(e)
RuntimeError: 'BindInstance' object has no attribute 'named_conf_get_directive'

PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new attribute *
2)
+        Int('ipadnsversion?',
+            label=_('IPA DNS version'),
+        ),

Shouldn't this be part of System: Read DNS Configuration permission?

3)
-    def postprocess_result(self, result):
+    def postprocess_result(self, result, show_version):
          if not any(param in result['result'] for param in self.params):
              result['summary'] = unicode(_('Global DNS configuration is 
empty'))
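Review bot: on the changed "def postprocess_result(self, result, show_version)" line, show_version is added as a required positional parameter, but the context lines that follow never read it. Either use it in the body or drop it; if it stays, give it a default value so that any caller still passing only result does not fail with a TypeError.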

show_version param was added but I don't see it used in this patch.

4)
+        Int('ipadnsversion?',
+            label=_('IPA DNS version'),
+        ),

Could we add a comment here that this option is accessible only from installers
and upgrade?

5)
+        for config_option in container_entry.get("ipaConfigString", []):
+            matched = re.match("^DNSVersion\s+(?P<version>\d+)$",
+                               config_option, flags=re.I)
+            if matched:
+                version = int(matched.group("version"))
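Review bot: the pattern passed to re.match is an ordinary string literal containing \s and \d; write it as a raw string, r"^DNSVersion\s+(?P<version>\d+)$", so the backslashes are not left to Python's string-escape handling. The leading ^ is redundant with re.match. In the lines shown there is also no break after a match, so if two ipaConfigString values match, the last one silently wins; stop at the first match or reject duplicates.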

Shouldn't we print an error if the version cannot be parsed?

PATCH  * DNS upgrade: separate backup logic to make it reusable *

LGTM

PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() *

7)
I'm curious why you need to check superdomains.

PATCH * DNS upgrade: change forwarding policy to = only for conflicting
forward zones*

8)
+            self.log.debug('Zone %s was sucessfully modified to use '
+                           'forward policy "only"', zone['idnsname'][0])
<---missing empty line---->
+    def execute(self, **options):
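Review bot: "sucessfully" in the added self.log.debug message is misspelled and should read "successfully"; anyone searching the upgrade log for that word will miss this line otherwise.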

PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if
private IPs are used *
9)
- dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0])
+                dnsutil.related_to_auto_empty_zone(
+                    dnsutil.DNSName(zone.get('idnsname')[0]))
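Review bot: zone.get('idnsname')[0] in the added lines raises a TypeError when the attribute is absent, because get() returns None before the index is applied. Index directly with zone['idnsname'][0], as the debug call in the earlier hunk does, or handle the missing attribute explicitly before building the DNSName.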

Should be in previous commit

10)
-            return
+            return False, []
This should be fixed in the previous commit

PATCH * DNS upgrade: change global forwarding policy in named.conf to "only"
if private IPs are used *
11)
IMO this is an upgrade of configuration and this should be in
ipaserver/install/server/upgrade.py, upgrade plugins are used only for
updating of LDAP values

Unless you really want to use this as a precedent, but then it requires broader
discussion.

12)

bind.named_conf_get_directive
should be
bindinstance.named_conf_get_directive

see 1)

This new patchset completely obsoletes the old one. I had to reshuffle a few
things to make the split between server config & LDAP upgrade possible.

Hopefully I addressed all your comments.


commits
* Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil * and * Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil *

cause a regression in case the dns.python resolver returns a NoNameservers exception; it is handled as 'Internal server error'

In the original code every exception was caught and transformed to DNSNotARecordError.

So we have the following options:
* keep the old behavior in 'resolve_rrsets' and catch all exceptions there
* or catch all DNS errors in 'verify_host_resolvable' and raise it as new PublicError (DNSGenericError (doesn't exist) for example)


E               InternalError: an internal error has occurred

../ipalib/rpc.py:1100: InternalError
test_forwardzone_delegation_warnings.test_command[0017: dnsrecord_mod: Delete (using dnsrecord-mod) NS record which delegates zone u'fw.sub2.sub.dnszone.test.' from zone u'dnszone.test' (expected warning for u'fw.sub2.sub.dnszone.test.')]

[Wed May 25 12:17:00.172143 2016] [wsgi:error] [pid 62789] Traceback (most recent call last):
[Wed May 25 12:17:00.172152 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
[Wed May 25 12:17:00.172158 2016] [wsgi:error] [pid 62789] result = self.Command[name](*args, **options)
[Wed May 25 12:17:00.172164 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 434, in __call__
[Wed May 25 12:17:00.172168 2016] [wsgi:error] [pid 62789] return self.__do_call(*args, **options)
[Wed May 25 12:17:00.172173 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 460, in __do_call
[Wed May 25 12:17:00.172178 2016] [wsgi:error] [pid 62789] ret = self.run(*args, **options)
[Wed May 25 12:17:00.172183 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 777, in run
[Wed May 25 12:17:00.172189 2016] [wsgi:error] [pid 62789] return self.execute(*args, **options)
[Wed May 25 12:17:00.172194 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3774, in execute
[Wed May 25 12:17:00.172199 2016] [wsgi:error] [pid 62789] result = super(dnsrecord_add, self).execute(*keys, **options)
[Wed May 25 12:17:00.172204 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1230, in execute
[Wed May 25 12:17:00.172209 2016] [wsgi:error] [pid 62789] *keys, **options)
[Wed May 25 12:17:00.172213 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3719, in pre_callback
[Wed May 25 12:17:00.172229 2016] [wsgi:error] [pid 62789] self.obj.run_precallback_validators(dn, entry_attrs, *keys, **options)
[Wed May 25 12:17:00.172237 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3135, in run_precallback_validators
[Wed May 25 12:17:00.172242 2016] [wsgi:error] [pid 62789] rtype_cb(ldap, dn, entry_attrs, *keys, **options)
[Wed May 25 12:17:00.172247 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3057, in _nsrecord_pre_callback
[Wed May 25 12:17:00.172252 2016] [wsgi:error] [pid 62789] check_ns_rec_resolvable(keys[0], DNSName(nsrecord), self.log)
[Wed May 25 12:17:00.172256 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 1577, in check_ns_rec_resolvable
[Wed May 25 12:17:00.172261 2016] [wsgi:error] [pid 62789] verify_host_resolvable(name)
[Wed May 25 12:17:00.172265 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 70, in verify_host_resolvable
[Wed May 25 12:17:00.172270 2016] [wsgi:error] [pid 62789] if not resolve_ip_addresses(fqdn):
[Wed May 25 12:17:00.172274 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 328, in resolve_ip_addresses
[Wed May 25 12:17:00.172278 2016] [wsgi:error] [pid 62789] rrsets = resolve_rrsets(fqdn, ['A', 'AAAA'])
[Wed May 25 12:17:00.172282 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 305, in resolve_rrsets
[Wed May 25 12:17:00.172287 2016] [wsgi:error] [pid 62789] answer = dns.resolver.query(fqdn, rdtype)
[Wed May 25 12:17:00.172292 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/dns/resolver.py", line 1029, in query
[Wed May 25 12:17:00.172296 2016] [wsgi:error] [pid 62789] raise_on_no_answer, source_port)
[Wed May 25 12:17:00.172301 2016] [wsgi:error] [pid 62789] File "/usr/lib/python2.7/site-packages/dns/resolver.py", line 856, in query
[Wed May 25 12:17:00.172328 2016] [wsgi:error] [pid 62789] raise NoNameservers(request=request, errors=errors)
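
A sketch of the second option listed above, as an added example that is not part of the original message and is not FreeIPA code: resolver failures are caught at the verify_host_resolvable level and re-raised as one reportable error, while unrelated bugs still propagate. DNSResolutionError, the injected query callable and the two sample query functions are hypothetical and constructed for illustration; the other function names are borrowed from the traceback only for orientation.

```python
try:  # dnspython's real exception classes, when the library is installed
    from dns.exception import DNSException
    from dns.resolver import NoNameservers
except ImportError:  # constructed stand-ins with the same names and hierarchy
    class DNSException(Exception):
        pass

    class NoNameservers(DNSException):
        pass


class DNSResolutionError(Exception):
    """Hypothetical public error (the thread's 'DNSGenericError' idea)."""
    def __init__(self, fqdn, reason):
        super().__init__('%s: %s' % (fqdn, reason))


def resolve_ip_addresses(fqdn, query):
    """Simplified: gather A and AAAA answers through the injected `query`."""
    addresses = []
    for rdtype in ('A', 'AAAA'):
        addresses.extend(query(fqdn, rdtype))
    return addresses


def verify_host_resolvable(fqdn, query):
    try:
        addresses = resolve_ip_addresses(fqdn, query)
    except DNSException as e:
        # Only resolver failures become a reportable error; a TypeError or
        # similar programming bug still propagates instead of being masked.
        raise DNSResolutionError(fqdn, type(e).__name__)
    if not addresses:
        raise DNSResolutionError(fqdn, 'no A/AAAA records')
    return addresses


def outcome(fqdn, query):
    """What an API caller sees: the addresses or a reportable error string."""
    try:
        return verify_host_resolvable(fqdn, query)
    except DNSResolutionError as e:
        return 'error: %s' % e


# Constructed resolver behaviours (no network access).
def query_ok(fqdn, rdtype):
    return ['192.0.2.10'] if rdtype == 'A' else []


def query_no_nameservers(fqdn, rdtype):
    raise NoNameservers()
```

Catching the DNSException base class rather than every exception is what separates this from the first option: the NoNameservers case is reported cleanly, but a defect in the calling code is not silently converted into a DNS error.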
