[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file

2017-06-15 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/872
Author: stlaz
 Title: #872: Add IPA-specific bind unit file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/872/head:pr872
git checkout pr872
From c8f0060ce4ac27db4db1771a65b9319fb6557cdc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file

During upgrade of Fedora 25 to 26, when FreeIPA is installed with
DNS, bind attempts to start before KDC which leads to a failed
start because it requires a ticket to connect to LDAP.

Add our own unit file with a dependency which makes bind start
after the KDC service.

https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in  |  1 +
 init/systemd/Makefile.am |  2 +
 init/systemd/ipa-named-pkcs11.service.in | 27 
 ipaplatform/redhat/services.py   |  3 +-
 ipaserver/install/bindinstance.py| 66 
 ipaserver/install/server/upgrade.py  | 45 +--
 ipatests/pytest_plugins/integration/tasks.py |  4 +-
 ipatests/test_xmlrpc/test_location_plugin.py |  4 +-
 8 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@
 AUTOMAKE_OPTIONS = 1.7
 
 dist_noinst_DATA = 			\
+	ipa-named-pkcs11.service.in \
 	ipa-custodia.service.in		\
 	ipa.service.in
 
 systemdsystemunit_DATA = 	\
+	ipa-named-pkcs11.service \
 	ipa-custodia.service	\
 	ipa.service
 
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
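Review bot: The `After=krb5kdc.service` line under the KDC comment is the only IPA-specific setting in this unit; the rest (ExecStartPre zone check, ExecStart, rndc reload/stop, PrivateTmp, keytab path) appears to be a verbatim copy of the distribution's named-pkcs11 unit, so any future distro fix to those lines will silently not reach IPA installations. A systemd drop-in (`named-pkcs11.service.d/ipa.conf` holding only `[Unit]` and `After=krb5kdc.service`) would carry the same ordering without forking the unit; if the full copy is intentional, a header comment naming the distro unit it mirrors and why it was copied would help keep the two in sync. Note also that `After=` is ordering only and does not pull krb5kdc into the transaction, which is presumably fine because ipa.service manages the KDC, but the commit message calls it a "dependency". The file is a `.in` template yet uses no `@...@` substitutions, so the `/usr/sbin` and `/etc` paths are hard-coded; worth checking against how the sibling `ipa.service.in` handles them. The same hunk recurs in the two older copies of this patch further down the page.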
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..ee5060e28f 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,8 @@
 redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
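Review bot: The new `named-pkcs11-regular` / `named-pkcs11` pair introduces a naming convention — a `-regular` suffix means the distribution's own unit, the unsuffixed key means the IPA-managed unit — that is stated nowhere in the hunk, so a reader of `redhat_system_units['named']` on the following line has to infer why it now resolves to `ipa-named-pkcs11.service`. A one-line comment above the `named-regular` entry would make this explicit, e.g. `# '*-regular' keys name the distribution units; 'named-pkcs11' (and its alias 'named') resolve to the IPA unit that orders bind after krb5kdc`. The identical hunk appears in the second copy of this patch on the page; the third, oldest copy remaps `named-pkcs11` without keeping a key for the distro unit, which the later revisions correct.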
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56aa0..dbc014303e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api):
 self.forwarders = None
 self.sub_dict = None
 self.reverse_zones = []
-self.named_regular = services.service('named-regular', api)
+# these DNS services should be disabled prior to setting up our own
+self.regular_dns_services = {
+'named': services.service('named-regular', api),
+'named-pkcs11': services.service('named-pkcs11-regular', api)
+}
 
 suffix = ipautil.dn_attribute_property('_suffix')
 
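Review bot: Replacing the `named_regular` attribute with the `regular_dns_services` dict removes a public attribute of the instance, so any other module that still reads `instance.named_regular` needs the matching change; the diffstat shows upgrade.py is touched in this patch, but its hunks and the second bindinstance hunk are cut off on this page, so I could not confirm every consumer was updated. The dict keys `'named'` and `'named-pkcs11'` intentionally differ from the service lookup names `'named-regular'` / `'named-pkcs11-regular'`, which is fine for iteration but worth a word in the comment if anything indexes the dict by key, e.g. `# keyed by the distro unit's short name; values are the distro units to stop/disable`. The enclosing `__init__` starts before this hunk. The identical hunk appears in the second copy of this patch further down the page.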
@@ -735,8 +73

[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file

2017-06-15 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/872
Author: stlaz
 Title: #872: Add IPA-specific bind unit file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/872/head:pr872
git checkout pr872
From 37f46e4f72622a3458e43d1b960ea03cdf47a99a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file

During upgrade of Fedora 25 to 26, when FreeIPA is installed with
DNS, bind attempts to start before KDC which leads to a failed
start because it requires a ticket to connect to LDAP.

Add our own unit file with a dependency which makes bind start
after the KDC service.

https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in  |  1 +
 init/systemd/Makefile.am |  2 +
 init/systemd/ipa-named-pkcs11.service.in | 27 
 ipaplatform/redhat/services.py   |  3 +-
 ipaserver/install/bindinstance.py| 66 
 ipaserver/install/server/upgrade.py  | 45 +--
 ipatests/pytest_plugins/integration/tasks.py |  4 +-
 ipatests/test_xmlrpc/test_location_plugin.py |  4 +-
 8 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@
 AUTOMAKE_OPTIONS = 1.7
 
 dist_noinst_DATA = 			\
+	ipa-named-pkcs11.service.in \
 	ipa-custodia.service.in		\
 	ipa.service.in
 
 systemdsystemunit_DATA = 	\
+	ipa-named-pkcs11.service \
 	ipa-custodia.service	\
 	ipa.service
 
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..ee5060e28f 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,8 @@
 redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11-regular'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 03dce56aa0..27f67fa83a 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -619,7 +619,11 @@ def __init__(self, fstore=None, api=api):
 self.forwarders = None
 self.sub_dict = None
 self.reverse_zones = []
-self.named_regular = services.service('named-regular', api)
+# these DNS services should be disabled prior to setting up our own
+self.regular_dns_services = {
+'named': services.service('named-regular', api),
+'named-pkcs11': services.service('named-pkcs11-regular', api)
+}
 
 suffix = ipautil.dn_attribute_property('_suffix')
 
@@ -735,8 +73

[Freeipa-devel] [freeipa PR#872][synchronized] Add IPA-specific bind unit file

2017-06-14 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/872
Author: stlaz
 Title: #872: Add IPA-specific bind unit file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/872/head:pr872
git checkout pr872
From 5cdf5d0cff1a743c8257528324acb153214cc044 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 14 Jun 2017 07:46:16 +0200
Subject: [PATCH] Add IPA-specific bind unit file

During upgrade of Fedora 25 to 26, when FreeIPA is installed with
DNS, bind attempts to start before KDC which leads to a failed
start because it requires a ticket to connect to LDAP.

Add our own unit file with a dependency which makes bind start
after the KDC service.

https://pagure.io/freeipa/issue/7018
---
 freeipa.spec.in  |  1 +
 init/systemd/Makefile.am |  2 ++
 init/systemd/ipa-named-pkcs11.service.in | 27 ++
 ipaplatform/redhat/services.py   |  2 +-
 ipaserver/install/server/upgrade.py  | 34 
 ipatests/pytest_plugins/integration/tasks.py |  4 ++--
 ipatests/test_xmlrpc/test_location_plugin.py |  4 ++--
 7 files changed, 65 insertions(+), 9 deletions(-)
 create mode 100644 init/systemd/ipa-named-pkcs11.service.in

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..00b2bb8ae1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1220,6 +1220,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-named-pkcs11.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac22a..c417caac87 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -3,10 +3,12 @@
 AUTOMAKE_OPTIONS = 1.7
 
 dist_noinst_DATA = 			\
+	ipa-named-pkcs11.service.in \
 	ipa-custodia.service.in		\
 	ipa.service.in
 
 systemdsystemunit_DATA = 	\
+	ipa-named-pkcs11.service \
 	ipa-custodia.service	\
 	ipa.service
 
diff --git a/init/systemd/ipa-named-pkcs11.service.in b/init/systemd/ipa-named-pkcs11.service.in
new file mode 100644
index 00..d89d9976e5
--- /dev/null
+++ b/init/systemd/ipa-named-pkcs11.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+# we need to wait for KDC so that named may connect to LDAP via GSSAPI
+After=krb5kdc.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8fae1f3cc5..279a117e03 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -62,7 +62,7 @@
 redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
 redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
 redhat_system_units['named-regular'] = 'named.service'
-redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named-pkcs11'] = 'ipa-named-pkcs11.service'
 redhat_system_units['named'] = redhat_system_units['named-pkcs11']
 redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e2abefc21..49a380e656 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -31,6 +31,7 @@
 from ipaclient.install.client import sssd_enable_service
 from ipaplatform import services
 from ipaplatform.tasks import tasks
+from ipaplatform.base.services import SystemdService
 from ipapython import ipautil, version, certdb
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dnsutil
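Review bot: `from ipaplatform.base.services import SystemdService` ties this module to the systemd backend, whereas the neighbouring imports go through the `ipaplatform.services` and `ipaplatform.tasks` indirection that lets other platforms substitute their own implementation. If the new `swap_bind_unit_files()` only needs to stop and disable a unit by name, `services.service(...)` or a new task in `ipaplatform.tasks` would keep upgrade.py platform-neutral. The helper's body is cut off on this page, so this is based on the import alone.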
@@ -1592,6 +1593,28 @@ def disable_httpd_system_trust(http):
 db.add_cert(cert, nickname, trust_flags)
 
 
+def swap_bind_unit_files(fstore):
+"""
+IPA changed its unit file, stop named-pkcs11 service using the old and
+use the new instead
+"""
+root_logger.info('[Making bind use FreeIPA-specific unit file]')
+
+if