On 23.6.2016 16:38, Martin Basti wrote:
> Patches attached.
>
>
> https://fedorahosted.org/freeipa/ticket/2008
>
>
> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch
>
>
> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001
> From: Martin Basti <mba...@redhat.com>
> Date: Tue, 21 Jun 2016 18:04:13 +0200
> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records
> for unused locations"
>
> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230.
>
> After deeper investigation, we found out that empty locations are needed
> for clients, because clients may have cached records for longer time for
> that particular location. Only way how to remove location is to remove
> it using location-del
>
> https://fedorahosted.org/freeipa/ticket/2008
> ---
> ipaserver/dns_data_management.py | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/ipaserver/dns_data_management.py
> b/ipaserver/dns_data_management.py
> index
> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117
> 100644
> --- a/ipaserver/dns_data_management.py
> +++ b/ipaserver/dns_data_management.py
> @@ -68,7 +68,6 @@ class IPASystemRecords(object):
> self.api_instance = api_instance
> self.domain_abs =
> DNSName(self.api_instance.env.domain).make_absolute()
> self.servers_data = {}
> - self.used_locations = set()
> self.__init_data()
>
> def reload_data(self):
> @@ -92,7 +91,6 @@ class IPASystemRecords(object):
>
> def __init_data(self):
> self.servers_data = {}
> - self.used_locations = set()
>
> servers_result = self.api_instance.Command.server_find(
> pkey_only=True)['result']
> @@ -104,8 +102,6 @@ class IPASystemRecords(object):
> 'location': location,
> 'roles': roles,
> }
> - if location:
> - self.used_locations.add(location)
>
> def __add_srv_records(
> self, zone_obj, hostname, rname_port_map,
> @@ -353,12 +349,13 @@ class IPASystemRecords(object):
> pkey_only=True)['result']
> servers = [s['cn'][0] for s in servers_result]
>
> - # generate only records for used location, records for unassigned
> - # locations are useless
> + locations_result =
> self.api_instance.Command.location_find()['result']
> + locations = [l['idnsname'][0] for l in locations_result]
> +
> for server in servers:
> self._get_location_dns_records_for_server(
> zone_obj, server,
> - self.used_locations, roles=roles,
> + locations, roles=roles,
> include_master_role=include_master_role)
> return zone_obj
>
> -- 2.5.5
>
>
> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch
>
>
> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001
> From: Martin Basti <mba...@redhat.com>
> Date: Tue, 21 Jun 2016 18:17:55 +0200
> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install
>
> Since DNS location mechanism is active, this option has no effect,
> because records are generate dynamically.
>
> https://fedorahosted.org/freeipa/ticket/2008
> ---
> install/tools/ipa-adtrust-install | 10 +++++++---
> ipaserver/install/adtrustinstance.py | 21 ++++++++-------------
> 2 files changed, 15 insertions(+), 16 deletions(-)
>
> diff --git a/install/tools/ipa-adtrust-install
> b/install/tools/ipa-adtrust-install
> index
> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c
> 100755
> --- a/install/tools/ipa-adtrust-install
> +++ b/install/tools/ipa-adtrust-install
> @@ -29,6 +29,8 @@ import ldap
>
> import six
>
> +from optparse import SUPPRESS_HELP
> +
> from ipaserver.install import adtrustinstance
> from ipaserver.install.installutils import (
> read_password,
> @@ -54,9 +56,11 @@ def parse_options():
> default=False, help="print debugging information")
> parser.add_option("--netbios-name", dest="netbios_name",
> help="NetBIOS name of the IPA domain")
> +
> + # no-msdcs has not effect, option is here just for backward compatibility
> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
> - default=False, help="Do not create DNS service records
> " \
> - "for Windows in managed DNS
> server")
> + default=False, help=SUPPRESS_HELP)
> +
> parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
> help="Start value for mapping UIDs and GIDs to RIDs")
> parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
> @@ -390,7 +394,7 @@ def main():
> smb.setup(api.env.host, api.env.realm,
> netbios_name, reset_netbios_name,
> options.rid_base, options.secondary_rid_base,
> - options.no_msdcs, options.add_sids,
> + options.add_sids,
> enable_compat = options.enable_compat)
> smb.find_local_id_range()
> smb.create_instance()
> diff --git a/ipaserver/install/adtrustinstance.py
> b/ipaserver/install/adtrustinstance.py
> index
> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85
> 100644
> --- a/ipaserver/install/adtrustinstance.py
> +++ b/ipaserver/install/adtrustinstance.py
> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service):
> def __init__(self, fstore=None):
> self.netbios_name = None
> self.reset_netbios_name = None
> - self.no_msdcs = None
> self.add_sids = None
> self.smbd_user = None
> self.smb_dn_pwd = None
> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service):
>
> err_msg = None
>
> - if self.no_msdcs:
> - err_msg = '--no-msdcs was given, special DNS service records ' \
> - 'are not added to local DNS server'
> + ret = api.Command['dns_is_enabled']()
> + if not ret['result']:
> + err_msg = "DNS management was not enabled at install time."
> else:
> - ret = api.Command['dns_is_enabled']()
> - if not ret['result']:
> - err_msg = "DNS management was not enabled at install time."
> - else:
> - if not dns_zone_exists(zone):
> - err_msg = "DNS zone %s cannot be managed " \
> - "as it is not defined in IPA" % zone
> + if not dns_zone_exists(zone):
> + err_msg = (
> + "DNS zone %s cannot be managed as it is not defined in "
> + "IPA" % zone)
>
> if err_msg:
> self.print_msg(err_msg)
> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service):
>
> def setup(self, fqdn, realm_name, netbios_name,
> reset_netbios_name, rid_base, secondary_rid_base,
> - no_msdcs=False, add_sids=False, smbd_user="samba",
> + add_sids=False, smbd_user="samba",
> enable_compat=False):
> self.fqdn = fqdn
> self.realm = realm_name
> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service):
> self.reset_netbios_name = reset_netbios_name
> self.rid_base = rid_base
> self.secondary_rid_base = secondary_rid_base
> - self.no_msdcs = no_msdcs
> self.add_sids = add_sids
> self.enable_compat = enable_compat
> self.smbd_user = smbd_user
> -- 2.5.5
>
>
> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch
>
>
> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001
> From: Martin Basti <mba...@redhat.com>
> Date: Wed, 22 Jun 2016 13:12:52 +0200
> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get
> information
>
> Because separated calls for of server-show, getting server data is quite
> slow. This commit replaces several server-show with one server-find
> command. There are future plans to improve speed of server-find that
> will be beneficial for DNS locations.
>
> https://fedorahosted.org/freeipa/ticket/2008
> ---
> ipaserver/dns_data_management.py | 10 ++++------
> 1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/ipaserver/dns_data_management.py
> b/ipaserver/dns_data_management.py
> index
> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4
> 100644
> --- a/ipaserver/dns_data_management.py
> +++ b/ipaserver/dns_data_management.py
> @@ -78,8 +78,7 @@ class IPASystemRecords(object):
> """
> self.__init_data()
>
> - def __get_server_attrs(self, hostname):
> - server_result =
> self.api_instance.Command.server_show(hostname)['result']
> + def __get_server_attrs(self, server_result):
> weight = int(server_result.get('ipaserviceweight', [u'100'])[0])
> location = server_result.get('ipalocation_location', [None])[0]
> roles = set(server_result.get('enabled_role_servrole', ()))
> @@ -93,11 +92,10 @@ class IPASystemRecords(object):
> self.servers_data = {}
>
> servers_result = self.api_instance.Command.server_find(
> - pkey_only=True)['result']
> - servers = [s['cn'][0] for s in servers_result]
> - for s in servers:
> + no_members=False)['result']
> + for s in servers_result:
> weight, location, roles = self.__get_server_attrs(s)
> - self.servers_data[s] = {
> + self.servers_data[s['cn'][0]] = {
> 'weight': weight,
> 'location': location,
> 'roles': roles,
> -- 2.5.5
>
>
> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch
>
>
> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001
> From: Martin Basti <mba...@redhat.com>
> Date: Thu, 23 Jun 2016 14:50:11 +0200
> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance
>
> We don't need anymore:
> * sample of zone file - list of all records required by IPa will be
> provided
>
> * NTP related params - DNS records will be updated automatically,
> based on LDAP values
>
> * CA related params - DNS records will be updated automatically based
> * on LDAP values
>
> https://fedorahosted.org/freeipa/ticket/2008
> ---
> install/share/bind.zone.db.template | 29 ---------------
> ipaserver/dns_data_management.py | 9 +++++
> ipaserver/install/bindinstance.py | 58
> ++++++++----------------------
> ipaserver/install/dns.py | 5 ++-
> ipaserver/install/server/install.py | 8 ++---
> ipaserver/install/server/replicainstall.py | 4 +--
> 6 files changed, 30 insertions(+), 83 deletions(-)
> delete mode 100644 install/share/bind.zone.db.template
>
> diff --git a/install/share/bind.zone.db.template
> b/install/share/bind.zone.db.template
> deleted file mode 100644
> index
> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000
> --- a/install/share/bind.zone.db.template
> +++ /dev/null
> @@ -1,29 +0,0 @@
> -$$ORIGIN $DOMAIN.
> -$$TTL 86400
> -@ IN SOA $DOMAIN. $ZONEMGR (
> - 01 ; serial
> - 3H ; refresh
> - 15M ; retry
> - 1W ; expiry
> - 1D ) ; minimum
> -
> - IN NS $HOST
> -$HOST IN A $IP
> -;
> -; ldap servers
> -_ldap._tcp IN SRV 0 100 389 $HOST
> -
> -;kerberos realm
> -_kerberos IN TXT $REALM
> -
> -; kerberos servers
> -_kerberos._tcp IN SRV 0 100 88 $HOST
> -_kerberos._udp IN SRV 0 100 88 $HOST
> -_kerberos-master._tcp IN SRV 0 100 88 $HOST
> -_kerberos-master._udp IN SRV 0 100 88 $HOST
> -_kpasswd._tcp IN SRV 0 100 464 $HOST
> -_kpasswd._udp IN SRV 0 100 464 $HOST
> -$OPTIONAL_NTP
> -
> -; CNAME for IPA CA replicas (used for CRL, OCSP)
> -$IPA_CA_RECORD
> diff --git a/ipaserver/dns_data_management.py
> b/ipaserver/dns_data_management.py
> index
> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b
> 100644
> --- a/ipaserver/dns_data_management.py
> +++ b/ipaserver/dns_data_management.py
> @@ -477,3 +477,12 @@ class IPASystemRecords(object):
> )
> )
> return records
> +
> + @classmethod
> + def records_list_from_zone(cls, zone_obj, sort=True):
> + records = []
> + for name, node in zone_obj.items():
> + records.extend(IPASystemRecords.records_list_from_node(name,
> node))
> + if sort:
> + records.sort()
> + return records
> diff --git a/ipaserver/install/bindinstance.py
> b/ipaserver/install/bindinstance.py
> index
> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf
> 100644
> --- a/ipaserver/install/bindinstance.py
> +++ b/ipaserver/install/bindinstance.py
> @@ -623,9 +623,9 @@ class BindInstance(service.Service):
> suffix = ipautil.dn_attribute_property('_suffix')
>
> def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
> - forward_policy, ntp, reverse_zones,
> + forward_policy, reverse_zones,
> named_user=constants.NAMED_USER, zonemgr=None,
> - ca_configured=None, no_dnssec_validation=False):
> + no_dnssec_validation=False):
> self.named_user = named_user
> self.fqdn = fqdn
> self.ip_addresses = ip_addresses
> @@ -635,9 +635,7 @@ class BindInstance(service.Service):
> self.forward_policy = forward_policy
> self.host = fqdn.split(".")[0]
> self.suffix = ipautil.realm_to_suffix(self.realm)
> - self.ntp = ntp
> self.reverse_zones = reverse_zones
> - self.ca_configured = ca_configured
> self.no_dnssec_validation=no_dnssec_validation
>
> if not zonemgr:
> @@ -666,12 +664,17 @@ class BindInstance(service.Service):
> def host_in_default_domain(self):
> return normalize_zone(self.host_domain) ==
> normalize_zone(self.domain)
>
> - def create_sample_bind_zone(self):
> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR +
> "bind.zone.db.template", self.sub_dict)
> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
> - os.write(bind_fd, bind_txt)
> - os.close(bind_fd)
> - print("Sample zone file for bind has been created in "+bind_name)
> + def create_file_with_system_records(self):
> + system_records = IPASystemRecords(self.api)
> + text = u'\n'.join(
> + IPASystemRecords.records_list_from_zone(
> + system_records.get_base_records()
> + )
> + )
> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.")
> + os.write(fd, text)
> + os.close(fd)
> + print("Please add records in this file to your DNS system:", name)
>
> def create_instance(self):
>
> @@ -761,41 +764,10 @@ class BindInstance(service.Service):
> root_logger.debug("Unable to mask named (%s)", e)
>
> def __setup_sub_dict(self):
> - if self.forwarders:
> - fwds = "\n"
> - for forwarder in self.forwarders:
> - fwds += "\t\t%s;\n" % forwarder
> - fwds += "\t"
> - else:
> - fwds = " "
> -
> - if self.ntp:
> - optional_ntp = "\n;ntp server\n"
> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" %
> self.host_in_rr
> - else:
> - optional_ntp = ""
> -
> - ipa_ca = ""
> - for addr in self.ip_addresses:
> - if addr.version in (4, 6):
> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % (
> - IPA_CA_RECORD,
> - "A" if addr.version == 4 else "AAAA",
> - str(addr))
> -
> self.sub_dict = dict(
> FQDN=self.fqdn,
> - IP=[str(ip) for ip in self.ip_addresses],
> - DOMAIN=self.domain,
> - HOST=self.host,
> - REALM=self.realm,
> SERVER_ID=installutils.realm_to_serverid(self.realm),
> - FORWARDERS=fwds,
> - FORWARD_POLICY=self.forward_policy,
> SUFFIX=self.suffix,
> - OPTIONAL_NTP=optional_ntp,
> - ZONEMGR=self.zonemgr,
> - IPA_CA_RECORD=ipa_ca,
> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
> ROOT_KEY=paths.NAMED_ROOT_KEY,
> @@ -1026,16 +998,14 @@ class BindInstance(service.Service):
> ipautil.run([paths.GENERATE_RNDC_KEY])
>
> def add_master_dns_records(self, fqdn, ip_addresses, realm_name,
> domain_name,
> - reverse_zones, ntp=False, ca_configured=None):
> + reverse_zones):
> self.fqdn = fqdn
> self.ip_addresses = ip_addresses
> self.realm = realm_name
> self.domain = domain_name
> self.host = fqdn.split(".")[0]
> self.suffix = ipautil.realm_to_suffix(self.realm)
> - self.ntp = ntp
> self.reverse_zones = reverse_zones
> - self.ca_configured = ca_configured
> self.first_instance = False
> self.zonemgr = 'hostmaster.%s' % self.domain
>
> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
> index
> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0
> 100644
> --- a/ipaserver/install/dns.py
> +++ b/ipaserver/install/dns.py
> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api):
> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api,
> autobind=AUTOBIND_ENABLED)
> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
> - options.forwarders, options.forward_policy, conf_ntp,
> + options.forwarders, options.forward_policy,
> reverse_zones, zonemgr=options.zonemgr,
> - no_dnssec_validation=options.no_dnssec_validation,
> - ca_configured=options.setup_ca)
> + no_dnssec_validation=options.no_dnssec_validation)
>
> if standalone and not options.unattended:
> print("")
> diff --git a/ipaserver/install/server/install.py
> b/ipaserver/install/server/install.py
> index
> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1
> 100644
> --- a/ipaserver/install/server/install.py
> +++ b/ipaserver/install/server/install.py
> @@ -848,17 +848,17 @@ def install(installer):
> if setup_ca:
> services.knownservices['pki_tomcatd'].restart('pki-tomcat')
>
> + api.Backend.ldap2.connect(autobind=True)
> if options.setup_dns:
> - api.Backend.ldap2.connect(autobind=True)
> dns.install(False, False, options)
> else:
> # Create a BIND instance
> bind = bindinstance.BindInstance(fstore, dm_password)
> bind.setup(host_name, ip_addresses, realm_name,
> - domain_name, (), 'first', not options.no_ntp, (),
> - zonemgr=options.zonemgr, ca_configured=setup_ca,
> + domain_name, (), 'first', (),
> + zonemgr=options.zonemgr,
> no_dnssec_validation=options.no_dnssec_validation)
> - bind.create_sample_bind_zone()
> + bind.create_file_with_system_records()
>
> # Restart httpd to pick up the new IPA configuration
> service.print_msg("Restarting the web server")
> diff --git a/ipaserver/install/server/replicainstall.py
> b/ipaserver/install/server/replicainstall.py
> index
> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10
> 100644
> --- a/ipaserver/install/server/replicainstall.py
> +++ b/ipaserver/install/server/replicainstall.py
> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api):
> str(ip),
> config.realm_name,
> config.domain_name,
> - reverse_zone,
> - not options.no_ntp,
> - options.setup_ca)
> + reverse_zone)
> except errors.NotFound as e:
> root_logger.debug('Replica DNS records could not be added '
> 'on master: %s', str(e))
> -- 2.5.5
While testing this patch I've found out that ipa-dns-install does not work
idempotently anymore and explodes when re-run.
I'm not sure what is the root cause yet.
# ipa-dns-install --forwarder 10.34.78.1
WARNING: yacc table file version is out of date
The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.
This includes:
* Configure DNS (bind)
* Configure SoftHSM (required by DNSSEC)
* Configure ipa-dnskeysyncd (required by DNSSEC)
NOTE: DNSSEC zone signing is not enabled by default
To accept the default shown in brackets, press the Enter key.
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
ipa : ERROR DNS query for
vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed
out after 30.0012078285 seconds
[error] DNSResolverError: The DNS operation timed out after 30.0012078285
seconds
Unexpected error - see /var/log/ipaserver-install.log for details:
DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record
2016-06-23T15:41:54Z DEBUG raw:
dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199')
2016-06-23T15:41:54Z DEBUG dnszone_show(<DNS name
abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False,
version=u'2.199')
2016-06-23T15:42:24Z ERROR DNS query for
vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed
out after 30.0012078285 seconds
2016-06-23T15:42:24Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
448, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
438, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
line 860, in __add_self
self.__add_master_records(self.fqdn, self.ip_addresses)
File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
line 843, in __add_master_records
verify_host_resolvable(fqdn)
File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in
verify_host_resolvable
raise errors.DNSResolverError(exception=ex)
DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
I was not able to test replica installation because of some weird ACI problem
somewhere, replica install is failing with ACIError while adding ldap/replica
principal. This is probably a regression from some other patchset.
https://fedorahosted.org/freeipa/ticket/5996
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
