Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 15.4.2013 21:16, Martin Kosek wrote: Jan, can you please rebase the patch also for ipa-3-1? We will need to fix this issue also for 3.1. Yep. -- Jan Cholasta From eb97cc1e5fa6b1d2953b78c72e601e17a87be208 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 15 Apr 2013 12:19:11 +0200 Subject: [PATCH 1/2] Use A/ records instead of CNAME records in ipa-ca. https://fedorahosted.org/freeipa/ticket/3547 --- install/share/bind.zone.db.template | 2 +- install/tools/ipa-ca-install| 2 +- install/tools/ipa-replica-manage| 1 + install/tools/ipa-upgradeconfig | 54 --- ipaserver/install/bindinstance.py | 130 +--- ipaserver/install/cainstance.py | 6 +- 6 files changed, 142 insertions(+), 53 deletions(-) diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template index 5ee71d6..6795bb0 100644 --- a/install/share/bind.zone.db.template +++ b/install/share/bind.zone.db.template @@ -26,4 +26,4 @@ _kpasswd._udp IN SRV 0 100 464 $HOST $OPTIONAL_NTP ; CNAME for IPA CA replicas (used for CRL, OCSP) -$IPA_CA_CNAME IN CNAME $HOST +$IPA_CA_RECORD diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index f8f7e1d..2ebce60 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -85,7 +85,7 @@ def install_dns_records(config, options): try: api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=config.dirman_password) -bind.add_ipa_ca_cname(config.host_name, config.domain_name) +bind.add_ipa_ca_dns_records(config.host_name, config.domain_name) finally: if api.Backend.ldap2.isconnected(): api.Backend.ldap2.disconnect() diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e78f9d2..a339a50 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage 
@@ -697,6 +697,7 @@ def del_master(realm, hostname, options): api.Backend.ldap2.connect(ccache=ccache) bind = bindinstance.BindInstance() bind.remove_master_dns_records(hostname, realm, realm.lower()) +bind.remove_ipa_ca_dns_records(hostname, realm.lower()) except Exception, e: print Failed to cleanup %s DNS entries: %s % (hostname, convert_error(e)) print You may need to manually remove them from the tree diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index f71d834..8bd7ff2 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -628,31 +628,35 @@ def migrate_crl_publish_dir(ca): 'request pki-ca restart') return True -def add_server_cname_records(): -root_logger.info('[Add missing server CNAME records]') +def add_ca_dns_records(): +root_logger.info('[Add missing CA DNS records]') -if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'): -try: -api.Backend.ldap2.connect(autobind=True) -except ipalib.errors.PublicError, e: -root_logger.error(Cannot connect to LDAP to add DNS records: %s, e) -else: -ret = api.Command['dns_is_enabled']() -if not ret['result']: -root_logger.info('DNS is not configured') -sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True) -return - -bind = bindinstance.BindInstance() -# DNS is enabled, so let bindinstance find out if CA is enabled -# and let it add the CNAME in that case -bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None) -sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True) -finally: -if api.Backend.ldap2.isconnected(): - api.Backend.ldap2.disconnect() -else: -root_logger.info('IPA CA CNAME already processed') +if sysupgrade.get_upgrade_state('dns', 'ipa_ca_records'): +root_logger.info('IPA CA DNS records already processed') +return + +try: +api.Backend.ldap2.connect(autobind=True) +except ipalib.errors.PublicError, e: +root_logger.error(Cannot connect to LDAP to add DNS records: %s, e) +return + +ret = api.Command['dns_is_enabled']() +if not ret['result']: +root_logger.info('DNS is not configured') +sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) +return + +bind = bindinstance.BindInstance() + +bind.convert_ipa_ca_cnames(api.env.domain) + +# DNS is enabled, so let bindinstance find out if CA is enabled +# and let it add the record in that case +bind.add_ipa_ca_dns_records(api.env.host, api.env.domain, +ca_configured=None) + +sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) def main(): @@ -746,7
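Review bot: in the bind.zone.db.template hunk the context line `; CNAME for IPA CA replicas (used for CRL, OCSP)` is kept while the line under it changes from `$IPA_CA_CNAME IN CNAME $HOST` to `$IPA_CA_RECORD`, so the comment now describes a CNAME the template no longer emits; suggest changing it to `; A/AAAA records for IPA CA replicas (used for CRL, OCSP)` in the same hunk. Since the whole record line is now substituted from `$IPA_CA_RECORD`, a template comment stating what the variable expands to when no CA is configured would also help, as nothing in the diff shows it.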
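Review bot: in the ipa-upgradeconfig hunk the rewritten add_ca_dns_records no longer disconnects the LDAP backend: the removed lines `-finally:` and `- if api.Backend.ldap2.isconnected(): api.Backend.ldap2.disconnect()` have no `+` counterpart, so both the early `return` after 'DNS is not configured' and the normal path leave the connection opened by `api.Backend.ldap2.connect(autobind=True)` open. If later upgrade steps deliberately reuse that connection, a comment saying so would settle the question; otherwise wrap the body after the successful connect in try/finally as the old code did. Also, the upgrade-state key changes from 'ipa_ca_cname' to 'ipa_ca_records', which makes masters that already completed the old step run the new one (including convert_ipa_ca_cnames) once more; that looks intended, and the commit message should say so.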
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/16/2013 09:40 AM, Jan Cholasta wrote:
> On 15.4.2013 21:16, Martin Kosek wrote:
>> Jan, can you please rebase the patch also for ipa-3-1? We will need to
>> fix this issue also for 3.1.
>
> Yep.

Thanks. Pushed both to ipa-3-1.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/15/2013 12:31 PM, Jan Cholasta wrote:
> On 12.4.2013 16:55, Simo Sorce wrote:
>> ----- Original Message -----
>>> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>>>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
>>>> that is the usual way to do load-balancing, which is the recommended
>>>> setup for big installations.
>>>
>>> Given that CNAME can only point to one host, I do not know how it can
>>> be used to load balance. The idea with ipa-ca was to contain a number
>>> of A records, which would create a load balancer to some extent as
>>> client software checking the OCSP/CRL would run the request against
>>> one random A record and thus distribute the load among all FreeIPA
>>> CAs. As A cannot coexist with CNAME, we need to delete it. But it is
>>> true that it may be a good idea to produce an upgrade warning about it.
>>
>> We should not delete it. If the admin consciously changed the A name
>> to a CNAME we should respect that decision. The problem is on upgrade
>> I guess. I think on upgrade from 3.1 we just need to document that
>> admins should manually fix the record. After the upgrade he'll remove
>> the CNAME and instead add an A name pointing to all the CA replicas
>> manually?
>>
>> Simo.
>
> I have changed the patch so that the CNAMEs are replaced with A/AAAA if
> and only if they all point to IPA masters, otherwise a warning is
> printed. Is that OK?

OK with me, patch works well. ACK unless Simo really wants to always skip
the update.

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
> On 04/15/2013 12:31 PM, Jan Cholasta wrote:
>> I have changed the patch so that the CNAMEs are replaced with A/AAAA if
>> and only if they all point to IPA masters, otherwise a warning is
>> printed. Is that OK?
>
> OK with me, patch works well. ACK unless Simo really wants to always skip
> the update.

Looks great to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/15/2013 04:47 PM, Simo Sorce wrote:
>> On 04/15/2013 12:31 PM, Jan Cholasta wrote:
>>> I have changed the patch so that the CNAMEs are replaced with A/AAAA
>>> if and only if they all point to IPA masters, otherwise a warning is
>>> printed. Is that OK?
>>
>> OK with me, patch works well. ACK unless Simo really wants to always
>> skip the update.
>
> Looks great to me.
>
> Simo.

OK, full ACK

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/15/2013 06:51 PM, Petr Viktorin wrote:
> On 04/15/2013 04:47 PM, Simo Sorce wrote:
>>> On 04/15/2013 12:31 PM, Jan Cholasta wrote:
>>>> I have changed the patch so that the CNAMEs are replaced with A/AAAA
>>>> if and only if they all point to IPA masters, otherwise a warning is
>>>> printed. Is that OK?
>>>
>>> OK with me, patch works well. ACK unless Simo really wants to always
>>> skip the update.
>>
>> Looks great to me.
>>
>> Simo.
>
> OK, full ACK

Pushed to master.

Jan, can you please rebase the patch also for ipa-3-1? We will need to fix
this issue also for 3.1.

Martin
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/12/2013 01:24 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.
>
> Honza

We used short names in the CNAMEs:

$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  CNAME record: vm-109
Number of entries returned 1

But it seems the patch assumes a FQDN with a dot at the end. When
upgrading a 3.1 server I get:

2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-upgradeconfig", line 853, in main
    add_ca_dns_records()
  File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
    bind.convert_ipa_ca_cnames(api.env.domain)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
    self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
    host, zone = fqdn.split(".", 1)
Unexpected error ValueError: need more than 1 value to unpack

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 12.4.2013 14:19, Petr Viktorin wrote: On 04/12/2013 01:24 PM, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/3547. Honza We used short names in the CNAMEs: $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca Record name: ipa-ca CNAME record: vm-109 Number of entries returned 1 But it seems the patch assumes a FQDN with a dot at the end. When upgrading a 3.1 server I get: 2013-04-12T12:16:43Z INFO File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 613, in run_script return_value = main_function() File /usr/sbin/ipa-upgradeconfig, line 853, in main add_ca_dns_records() File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records bind.convert_ipa_ca_cnames(api.env.domain) File /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, line 785, in convert_ipa_ca_cnames self.add_ipa_ca_dns_records(cname[:-1], domain_name, None) File /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, line 772, in add_ipa_ca_dns_records host, zone = fqdn.split(., 1) Unexpected error ValueError: need more than 1 value to unpack Hmm, in my test setup the CNAMEs contained FQDNs. Fixed. Updated patch attached. -- Jan Cholasta From 3cf70a8be0387d4fb525adbf3ed44334457652fe Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 12 Apr 2013 13:16:17 +0200 Subject: [PATCH 1/2] Use A/ records instead of CNAME records in ipa-ca. https://fedorahosted.org/freeipa/ticket/3547 --- install/share/bind.zone.db.template | 2 +- install/tools/ipa-ca-install| 2 +- install/tools/ipa-replica-manage| 1 + install/tools/ipa-upgradeconfig | 55 -- ipaserver/install/bindinstance.py | 91 +++-- ipaserver/install/cainstance.py | 6 +-- 6 files changed, 104 insertions(+), 53 deletions(-) diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template index 5ee71d6..6795bb0 100644 --- a/install/share/bind.zone.db.template +++ b/install/share/bind.zone.db.template 
@@ -26,4 +26,4 @@ _kpasswd._udp IN SRV 0 100 464 $HOST $OPTIONAL_NTP ; CNAME for IPA CA replicas (used for CRL, OCSP) -$IPA_CA_CNAME IN CNAME $HOST +$IPA_CA_RECORD diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index f8f7e1d..2ebce60 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -85,7 +85,7 @@ def install_dns_records(config, options): try: api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=config.dirman_password) -bind.add_ipa_ca_cname(config.host_name, config.domain_name) +bind.add_ipa_ca_dns_records(config.host_name, config.domain_name) finally: if api.Backend.ldap2.isconnected(): api.Backend.ldap2.disconnect() diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 636529c..5d5b5eb 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -718,6 +718,7 @@ def del_master(realm, hostname, options): api.Backend.ldap2.connect(ccache=ccache) bind = bindinstance.BindInstance() bind.remove_master_dns_records(hostname, realm, realm.lower()) +bind.remove_ipa_ca_dns_records(hostname, realm.lower()) except Exception, e: print Failed to cleanup %s DNS entries: %s % (hostname, e) print You may need to manually remove them from the tree diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index c690544..95231af 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -727,31 +727,36 @@ def migrate_crl_publish_dir(ca): 'request pki-ca restart') return True -def add_server_cname_records(): -root_logger.info('[Add missing server CNAME records]') +def add_ca_dns_records(): +root_logger.info('[Add missing CA DNS records]') -if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'): -try: -api.Backend.ldap2.connect(autobind=True) -except ipalib.errors.PublicError, e: -root_logger.error(Cannot connect to LDAP to add DNS records: %s, e) -else: -ret = api.Command['dns_is_enabled']() -if not ret['result']: -root_logger.info('DNS is not configured') -sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True) -return - -bind = bindinstance.BindInstance() -# DNS is enabled, so let bindinstance find out if CA is enabled -# and let it add the CNAME in that case -bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None) -sysupgrade.set_upgrade_state('dns',
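Review bot: in the ipa-replica-manage hunk, `+bind.remove_ipa_ca_dns_records(hostname, realm.lower())` derives the DNS domain from the realm, while the ipa-ca-install hunk in the same patch passes `config.domain_name` to add_ipa_ca_dns_records and the upgrade path passes api.env.domain. Using realm.lower() follows the existing remove_master_dns_records call just above it, but wherever the DNS domain is not simply the lowercased realm, the A/AAAA entries added under ipa-ca at install time will not be found at del_master time; consider taking the domain from the same source on both the add and the remove side. Because the call sits inside the existing `except Exception` that prints 'Failed to cleanup %s DNS entries', such a miss is only reported, so the removed master's address would silently stay in ipa-ca.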
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/12/2013 02:30 PM, Jan Cholasta wrote:
> On 12.4.2013 14:19, Petr Viktorin wrote:
>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.
>>>
>>> Honza
>>
>> We used short names in the CNAMEs:
>>
>> $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
>>   Record name: ipa-ca
>>   CNAME record: vm-109
>> Number of entries returned 1
>>
>> But it seems the patch assumes a FQDN with a dot at the end. When
>> upgrading a 3.1 server I get:
>>
>> 2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
>>     return_value = main_function()
>>   File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>     add_ca_dns_records()
>>   File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>     bind.convert_ipa_ca_cnames(api.env.domain)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
>>     self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
>>     host, zone = fqdn.split(".", 1)
>> Unexpected error ValueError: need more than 1 value to unpack
>
> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

IIRC, ipa-ca will contain FQDNs if the server is from a different domain
in DNS. I.e. for example if the managed domain is example.com, but one
replica runs in domain testrelm.com. This is something that needs to be
supported/tested too.

Martin
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/12/2013 02:30 PM, Jan Cholasta wrote:
> On 12.4.2013 14:19, Petr Viktorin wrote:
>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.
>>>
>>> Honza
>>
>> We used short names in the CNAMEs:
>>
>> $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
>>   Record name: ipa-ca
>>   CNAME record: vm-109
>> Number of entries returned 1
>>
>> But it seems the patch assumes a FQDN with a dot at the end. When
>> upgrading a 3.1 server I get:
>>
>> 2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
>>     return_value = main_function()
>>   File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>     add_ca_dns_records()
>>   File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>     bind.convert_ipa_ca_cnames(api.env.domain)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
>>     self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
>>     host, zone = fqdn.split(".", 1)
>> Unexpected error ValueError: need more than 1 value to unpack
>
> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>
> Updated patch attached.

A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that
is the usual way to do load-balancing, which is the recommended setup for
big installations.

With this patch, if there is one, ca-install will fail as it tries to add
the A record:

$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  CNAME record: ca.load-balancer.example.com.

$ ipa-ca-install
[...]
ValidationError: invalid 'cnamerecord': Gettext('CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)', domain='ipa', localedir=None)

Even if we don't support CNAMEs here, I think we should print a big
warning in this case rather than fail.

Upgrade state is machine-local, so every time an old master is upgraded,
any CNAME would get replaced:

$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  CNAME record: ca.load-balancer.example.com.
Number of entries returned 1

$ sudo ipa-upgradeconfig
...

$ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  A record: 10.34.47.109
Number of entries returned 1

We should at least highlight this in the release notes, as it deletes
users' data.

-- 
Petr³
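The rule the thread settles on (replace the ipa-ca CNAMEs with A/AAAA records only when every CNAME target is an IPA master, otherwise leave the record alone and warn, since RFC 1034 section 3.6.2 forbids a CNAME coexisting with other records), together with the name forms the review found in the wild (a short name relative to the IPA domain, an FQDN with a trailing dot, an FQDN in a different DNS domain), as an added example in Python. This is not FreeIPA code and does not use the ipaserver API; the masters, the resolver table and the addresses in it are constructed for the example, and `resolve` stands in for a real DNS lookup.

```python
# Added example, not FreeIPA code: decide whether the ipa-ca CNAME(s) can be
# converted to A/AAAA records and what the replacement records would be.
# The master list, the address table and the IPs below are constructed.
import ipaddress


def normalize_fqdn(name, domain):
    """Return an absolute host name without a trailing dot.

    Covers the three record values mentioned in the thread:
      'vm-109'                -> 'vm-109.<domain>'  (short name, relative to the zone)
      'vm-109.example.test.'  -> 'vm-109.example.test'
      'ca2.other.test.'       -> 'ca2.other.test'   (replica in another DNS domain)
    """
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    if "." not in name:
        return "{}.{}".format(name, domain)
    return name


def split_host_zone(fqdn):
    """'vm-109.example.test' -> ('vm-109', 'example.test').

    The ValueError in the thread came from splitting a short name on '.';
    normalizing first guarantees there is a dot to split on.
    """
    host, zone = fqdn.split(".", 1)
    return host, zone


def plan_ipa_ca_conversion(cname_targets, masters, domain, resolve):
    """Decide what to do with the ipa-ca CNAME record(s).

    cname_targets: CNAME values as stored in the zone (any of the forms above)
    masters:       host names of the IPA masters
    domain:        IPA DNS domain, i.e. the zone that holds 'ipa-ca'
    resolve:       callable fqdn -> list of address strings

    Returns ('convert', {'arecord': [...], 'aaaarecord': [...]}) when every
    target is an IPA master, else ('warn', reason). 'convert' means: delete
    the CNAMEs first (a CNAME cannot coexist with A/AAAA), then add the
    addresses of every target, which is what gives clients a set of CA
    addresses to pick from.
    """
    master_set = {normalize_fqdn(m, domain) for m in masters}
    targets = [normalize_fqdn(t, domain) for t in cname_targets]
    foreign = [t for t in targets if t not in master_set]
    if foreign:
        return ("warn",
                "ipa-ca CNAME points to non-IPA host(s) {}; record left "
                "untouched, fix it manually".format(", ".join(foreign)))
    a, aaaa = set(), set()
    for target in targets:
        for addr in resolve(target):
            ip = ipaddress.ip_address(addr)  # validates and normalizes the text form
            (a if ip.version == 4 else aaaa).add(str(ip))
    if not a and not aaaa:
        return ("warn", "no A/AAAA records found for {}".format(", ".join(targets)))
    return ("convert", {"arecord": sorted(a), "aaaarecord": sorted(aaaa)})


# Constructed fixture: two masters, one of them in a different DNS domain
# (the case raised in the thread), plus a non-IPA load balancer.
DOMAIN = "example.test"
MASTERS = ["vm-109.example.test", "ca2.other.test"]
ADDRESSES = {
    "vm-109.example.test": ["10.34.47.109", "2001:db8::109"],
    "ca2.other.test": ["10.34.47.110"],
    "ca.load-balancer.example.test": ["192.0.2.1"],
}


def lookup(fqdn):
    """Stand-in for a DNS query against the constructed table."""
    return ADDRESSES.get(fqdn, [])


if __name__ == "__main__":
    # short name, as found on the 3.1 server in the thread
    print(plan_ipa_ca_conversion(["vm-109"], MASTERS, DOMAIN, lookup))
    # FQDNs with trailing dots, one in another DNS domain
    print(plan_ipa_ca_conversion(["vm-109.example.test.", "ca2.other.test."],
                                 MASTERS, DOMAIN, lookup))
    # admin-managed CNAME to a load balancer: warn, do not touch
    print(plan_ipa_ca_conversion(["ca.load-balancer.example.test."],
                                 MASTERS, DOMAIN, lookup))
```

The warn path is the behaviour Simo asked for: an admin who pointed ipa-ca at a load balancer keeps that record, and the upgrade only reports it. Keeping the decision in a pure function with an injected resolver also makes the rule testable without a DNS server or an LDAP connection.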
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/12/2013 03:50 PM, Petr Viktorin wrote:
> On 04/12/2013 02:30 PM, Jan Cholasta wrote:
>> On 12.4.2013 14:19, Petr Viktorin wrote:
>>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.
>>>>
>>>> Honza
>>>
>>> We used short names in the CNAMEs:
>>>
>>> $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
>>>   Record name: ipa-ca
>>>   CNAME record: vm-109
>>> Number of entries returned 1
>>>
>>> But it seems the patch assumes a FQDN with a dot at the end. When
>>> upgrading a 3.1 server I get:
>>>
>>> 2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
>>>     return_value = main_function()
>>>   File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>>     add_ca_dns_records()
>>>   File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>>     bind.convert_ipa_ca_cnames(api.env.domain)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
>>>     self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
>>>     host, zone = fqdn.split(".", 1)
>>> Unexpected error ValueError: need more than 1 value to unpack
>>
>> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>>
>> Updated patch attached.
>
> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
> that is the usual way to do load-balancing, which is the recommended
> setup for big installations.

Given that CNAME can only point to one host, I do not know how it can be
used to load balance. The idea with ipa-ca was to contain a number of A
records, which would create a load balancer to some extent as client
software checking the OCSP/CRL would run the request against one random A
record and thus distribute the load among all FreeIPA CAs. As A cannot
coexist with CNAME, we need to delete it. But it is true that it may be a
good idea to produce an upgrade warning about it.

Martin
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/12/2013 03:58 PM, Martin Kosek wrote:
> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>> On 04/12/2013 02:30 PM, Jan Cholasta wrote:
>>> On 12.4.2013 14:19, Petr Viktorin wrote:
>>>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.
>>>>>
>>>>> Honza
>>>>
>>>> We used short names in the CNAMEs:
>>>>
>>>> $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
>>>>   Record name: ipa-ca
>>>>   CNAME record: vm-109
>>>> Number of entries returned 1
>>>>
>>>> But it seems the patch assumes a FQDN with a dot at the end. When
>>>> upgrading a 3.1 server I get:
>>>>
>>>> 2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
>>>>     return_value = main_function()
>>>>   File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>>>     add_ca_dns_records()
>>>>   File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>>>     bind.convert_ipa_ca_cnames(api.env.domain)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
>>>>     self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
>>>>     host, zone = fqdn.split(".", 1)
>>>> Unexpected error ValueError: need more than 1 value to unpack
>>>
>>> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>>>
>>> Updated patch attached.
>>
>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
>> that is the usual way to do load-balancing, which is the recommended
>> setup for big installations.
>
> Given that CNAME can only point to one host, I do not know how it can be
> used to load balance.

The host behind the CNAME can still have multiple A records, and/or the
record(s) can point to real load balancers that distribute traffic to
several servers, taking into account how busy each one is and excluding
ones that are down.

From the discussions I'm under the impression that this is the proper big
enterprise solution, which we don't do only because we don't want to
integrate a load balancer into IPA. That's why I'm asking if/how we want
to support it.

> The idea with ipa-ca was to contain a number of A records, which would
> create a load balancer to some extent as client software checking the
> OCSP/CRL would run the request against one random A record and thus
> distribute the load among all FreeIPA CAs. As A cannot coexist with
> CNAME, we need to delete it. But it is true that it may be a good idea
> to produce an upgrade warning about it.
>
> Martin

-- 
Petr³
Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca
On 04/12/2013 10:09 AM, Petr Viktorin wrote:
> On 04/12/2013 03:58 PM, Martin Kosek wrote:
>> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>>> On 04/12/2013 02:30 PM, Jan Cholasta wrote:
>>>> On 12.4.2013 14:19, Petr Viktorin wrote:
>>>>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.
>>>>>>
>>>>>> Honza
>>>>>
>>>>> We used short names in the CNAMEs:
>>>>>
>>>>> $ ipa dnsrecord-find idm.lab.eng.brq.redhat.com ipa-ca
>>>>>   Record name: ipa-ca
>>>>>   CNAME record: vm-109
>>>>> Number of entries returned 1
>>>>>
>>>>> But it seems the patch assumes a FQDN with a dot at the end. When
>>>>> upgrading a 3.1 server I get:
>>>>>
>>>>> 2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
>>>>>     return_value = main_function()
>>>>>   File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>>>>     add_ca_dns_records()
>>>>>   File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>>>>     bind.convert_ipa_ca_cnames(api.env.domain)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
>>>>>     self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
>>>>>     host, zone = fqdn.split(".", 1)
>>>>> Unexpected error ValueError: need more than 1 value to unpack
>>>>
>>>> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>>>>
>>>> Updated patch attached.
>>>
>>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
>>> that is the usual way to do load-balancing, which is the recommended
>>> setup for big installations.
>>
>> Given that CNAME can only point to one host, I do not know how it can
>> be used to load balance.
>
> The host behind the CNAME can still have multiple A records, and/or the
> record(s) can point to real load balancers that distribute traffic to
> several servers, taking into account how busy each one is and excluding
> ones that are down.
>
> From the discussions I'm under the impression that this is the proper
> big enterprise solution, which we don't do only because we don't want
> to integrate a load balancer into IPA. That's why I'm asking if/how we
> want to support it.

It should work without a load balancer with just DNS, but if a big
customer wants to put a load balancer in, he should be able to.

>> The idea with ipa-ca was to contain a number of A records, which would
>> create a load balancer to some extent as client software checking the
>> OCSP/CRL would run the request against one random A record and thus
>> distribute the load among all FreeIPA CAs. As A cannot coexist with
>> CNAME, we need to delete it. But it is true that it may be a good idea
>> to produce an upgrade warning about it.
>>
>> Martin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/