Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-16 Thread Jan Cholasta

On 15.4.2013 21:16, Martin Kosek wrote:

Jan, can you please rebase the patch also for ipa-3-1? We will need to
fix this issue also for 3.1.


Yep.

--
Jan Cholasta
From eb97cc1e5fa6b1d2953b78c72e601e17a87be208 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 15 Apr 2013 12:19:11 +0200
Subject: [PATCH 1/2] Use A/AAAA records instead of CNAME records in ipa-ca.

https://fedorahosted.org/freeipa/ticket/3547
---
 install/share/bind.zone.db.template |   2 +-
 install/tools/ipa-ca-install|   2 +-
 install/tools/ipa-replica-manage|   1 +
 install/tools/ipa-upgradeconfig |  54 ---
 ipaserver/install/bindinstance.py   | 130 +---
 ipaserver/install/cainstance.py |   6 +-
 6 files changed, 142 insertions(+), 53 deletions(-)

diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 5ee71d6..6795bb0 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -26,4 +26,4 @@ _kpasswd._udp		IN SRV 0 100 464	$HOST
 $OPTIONAL_NTP
 
 ; CNAME for IPA CA replicas (used for CRL, OCSP)
-$IPA_CA_CNAME		IN CNAME		$HOST
+$IPA_CA_RECORD
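Review bot: the unchanged context comment `; CNAME for IPA CA replicas (used for CRL, OCSP)` two lines above the replaced record is now stale, because `$IPA_CA_RECORD` expands to A/AAAA records rather than a CNAME; reword it in the same hunk (for example `; A/AAAA records for IPA CA replicas (used for CRL, OCSP)`) so the template does not document a record type it no longer emits.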
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f8f7e1d..2ebce60 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -85,7 +85,7 @@ def install_dns_records(config, options):
 try:
 api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
   bind_pw=config.dirman_password)
-bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
 finally:
 if api.Backend.ldap2.isconnected():
  api.Backend.ldap2.disconnect()
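Review bot: the rename to `bind.add_ipa_ca_dns_records` leaves the call unguarded, so whether ipa-ca-install still aborts when `ipa-ca` already carries a CNAME (the `ValidationError: ... CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)` Petr reproduced on the earlier revision) depends on bindinstance code outside this excerpt; consider catching that error here and printing a warning that names the existing CNAME, so an admin-managed record fails only the DNS step and not the whole CA install.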
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e78f9d2..a339a50 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -697,6 +697,7 @@ def del_master(realm, hostname, options):
 api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
+bind.remove_ipa_ca_dns_records(hostname, realm.lower())
 except Exception, e:
 print Failed to cleanup %s DNS entries: %s % (hostname, convert_error(e))
 print You may need to manually remove them from the tree
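Review bot: `bind.remove_ipa_ca_dns_records(hostname, realm.lower())` passes the realm-derived domain, matching the `remove_master_dns_records` line above it; since the master being removed may live in a different DNS domain than the managed one (Martin's example.com / testrelm.com case in this thread), the function must remove the host's addresses from `ipa-ca` in the managed zone regardless of the hostname's own domain, and should look the host's A/AAAA up by its full FQDN rather than splitting `hostname` against the realm domain. Since the new call shares the generic `Failed to cleanup %s DNS entries` handler, that message should also mention `ipa-ca`, because a leftover address there is what the admin has to remove by hand.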
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index f71d834..8bd7ff2 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -628,31 +628,35 @@ def migrate_crl_publish_dir(ca):
  'request pki-ca restart')
 return True
 
-def add_server_cname_records():
-root_logger.info('[Add missing server CNAME records]')
+def add_ca_dns_records():
+root_logger.info('[Add missing CA DNS records]')
 
-if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
-try:
-api.Backend.ldap2.connect(autobind=True)
-except ipalib.errors.PublicError, e:
-root_logger.error(Cannot connect to LDAP to add DNS records: %s, e)
-else:
-ret = api.Command['dns_is_enabled']()
-if not ret['result']:
-root_logger.info('DNS is not configured')
-sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
-return
-
-bind = bindinstance.BindInstance()
-# DNS is enabled, so let bindinstance find out if CA is enabled
-# and let it add the CNAME in that case
-bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
-sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
-finally:
-if api.Backend.ldap2.isconnected():
- api.Backend.ldap2.disconnect()
-else:
-root_logger.info('IPA CA CNAME already processed')
+if sysupgrade.get_upgrade_state('dns', 'ipa_ca_records'):
+root_logger.info('IPA CA DNS records already processed')
+return
+
+try:
+api.Backend.ldap2.connect(autobind=True)
+except ipalib.errors.PublicError, e:
+root_logger.error(Cannot connect to LDAP to add DNS records: %s, e)
+return
+
+ret = api.Command['dns_is_enabled']()
+if not ret['result']:
+root_logger.info('DNS is not configured')
+sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
+return
+
+bind = bindinstance.BindInstance()
+
+bind.convert_ipa_ca_cnames(api.env.domain)
+
+# DNS is enabled, so let bindinstance find out if CA is enabled
+# and let it add the record in that case
+bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
+ca_configured=None)
+
+sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
 
 def main():
 
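Review bot: the rewritten `add_ca_dns_records` connects with `api.Backend.ldap2.connect(autobind=True)` but drops the `finally:` block that disconnected `ldap2` in the removed version, so the connection stays open on every path, including the early `return` after `'DNS is not configured'`; wrap the body in `try/finally` and keep the `isconnected()`/`disconnect()` pair. Two smaller points: the upgrade-state key changes from `ipa_ca_cname` to `ipa_ca_records`, so every already-upgraded master runs the step once more (intended, but worth a line in the commit message), and, as Petr notes in the thread, that state is machine-local, so `convert_ipa_ca_cnames` executes on each master's upgrade and must be safe to repeat.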
@@ -746,7 

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-16 Thread Martin Kosek
On 04/16/2013 09:40 AM, Jan Cholasta wrote:
 On 15.4.2013 21:16, Martin Kosek wrote:
 Jan, can you please rebase the patch also for ipa-3-1? We will need to
 fix this issue also for 3.1.
 
 Yep.
 

Thanks. Pushed both to ipa-3-1.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-15 Thread Petr Viktorin

On 04/15/2013 12:31 PM, Jan Cholasta wrote:

On 12.4.2013 16:55, Simo Sorce wrote:



- Original Message -

On 04/12/2013 03:50 PM, Petr Viktorin wrote:

A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
that
is
the usual way to do load-balancing, which is the recommended setup
for big
installations.



Given that CNAME can only point to one host, I do not know how can it
be used
to load balance.

The idea with ipa-ca was to contain a number of A records, which
would create
a
load balancer to some extent as client software checking the OCSP/CRL
would
run
the request against one random A record and thus distribute the load
among
all
FreeIPA CAs.

As A cannot coexist with CNAME, we need to delete it. But it is true
that it
may be good idea to produce upgrade warning about it.


We should not delete it.
If the admin consciously changed the A name to a CNAME we should
respect that decision.
The problem is on upgrade I guess.
I think on upgrade from 3.1 we just need to document admins should
manually fix the record.
After the upgrade he'll remove the CNAME and instead add an A name
pointing to all the CA replicas manually ?

Simo.




I have changed the patch so that the CNAMEs are replaced with A/AAAA if
and only if they all point to IPA masters, otherwise a warning is
printed. Is that OK?


OK with me, patch works well.
ACK unless Simo really wants to always skip the update.

--
Petr³



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-15 Thread Simo Sorce
 On 04/15/2013 12:31 PM, Jan Cholasta wrote:
  I have changed the patch so that the CNAMEs are replaced with A/AAAA if
  and only if they all point to IPA masters, otherwise a warning is
  printed. Is that OK?
 
 OK with me, patch works well.
 ACK unless Simo really wants to always skip the update.

Looks great to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-15 Thread Petr Viktorin

On 04/15/2013 04:47 PM, Simo Sorce wrote:

On 04/15/2013 12:31 PM, Jan Cholasta wrote:

I have changed the patch so that the CNAMEs are replaced with A/AAAA if
and only if they all point to IPA masters, otherwise a warning is
printed. Is that OK?


OK with me, patch works well.
ACK unless Simo really wants to always skip the update.


Looks great to me.

Simo.



OK, full ACK

--
Petr³


Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-15 Thread Martin Kosek

On 04/15/2013 06:51 PM, Petr Viktorin wrote:

On 04/15/2013 04:47 PM, Simo Sorce wrote:

On 04/15/2013 12:31 PM, Jan Cholasta wrote:

I have changed the patch so that the CNAMEs are replaced with A/AAAA if
and only if they all point to IPA masters, otherwise a warning is
printed. Is that OK?


OK with me, patch works well.
ACK unless Simo really wants to always skip the update.


Looks great to me.

Simo.



OK, full ACK



Pushed to master.

Jan, can you please rebase the patch also for ipa-3-1? We will need to fix this 
issue also for 3.1.


Martin



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Petr Viktorin

On 04/12/2013 01:24 PM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.

Honza


We used short names in the CNAMEs:

$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  CNAME record: vm-109

Number of entries returned 1



But it seems the patch assumes a FQDN with a dot at the end. When 
upgrading a 3.1 server I get:


2013-04-12T12:16:43Z INFO   File 
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, 
line 613, in run_script

return_value = main_function()

  File /usr/sbin/ipa-upgradeconfig, line 853, in main
add_ca_dns_records()

  File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records
bind.convert_ipa_ca_cnames(api.env.domain)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, 
line 785, in convert_ipa_ca_cnames

self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

  File 
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, 
line 772, in add_ipa_ca_dns_records

host, zone = fqdn.split(., 1)

Unexpected error
ValueError: need more than 1 value to unpack

--
Petr³



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Jan Cholasta

On 12.4.2013 14:19, Petr Viktorin wrote:

On 04/12/2013 01:24 PM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.

Honza


We used short names in the CNAMEs:

$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
   Record name: ipa-ca
   CNAME record: vm-109

Number of entries returned 1



But it seems the patch assumes a FQDN with a dot at the end. When
upgrading a 3.1 server I get:

2013-04-12T12:16:43Z INFO   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 613, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-upgradeconfig, line 853, in main
 add_ca_dns_records()

   File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records
 bind.convert_ipa_ca_cnames(api.env.domain)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
line 785, in convert_ipa_ca_cnames
 self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
line 772, in add_ipa_ca_dns_records
 host, zone = fqdn.split(., 1)

Unexpected error
ValueError: need more than 1 value to unpack



Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

Updated patch attached.

--
Jan Cholasta
From 3cf70a8be0387d4fb525adbf3ed44334457652fe Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 12 Apr 2013 13:16:17 +0200
Subject: [PATCH 1/2] Use A/AAAA records instead of CNAME records in ipa-ca.

https://fedorahosted.org/freeipa/ticket/3547
---
 install/share/bind.zone.db.template |  2 +-
 install/tools/ipa-ca-install|  2 +-
 install/tools/ipa-replica-manage|  1 +
 install/tools/ipa-upgradeconfig | 55 --
 ipaserver/install/bindinstance.py   | 91 +++--
 ipaserver/install/cainstance.py |  6 +--
 6 files changed, 104 insertions(+), 53 deletions(-)

diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 5ee71d6..6795bb0 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -26,4 +26,4 @@ _kpasswd._udp		IN SRV 0 100 464	$HOST
 $OPTIONAL_NTP
 
 ; CNAME for IPA CA replicas (used for CRL, OCSP)
-$IPA_CA_CNAME		IN CNAME		$HOST
+$IPA_CA_RECORD
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f8f7e1d..2ebce60 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -85,7 +85,7 @@ def install_dns_records(config, options):
 try:
 api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
   bind_pw=config.dirman_password)
-bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
 finally:
 if api.Backend.ldap2.isconnected():
  api.Backend.ldap2.disconnect()
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 636529c..5d5b5eb 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -718,6 +718,7 @@ def del_master(realm, hostname, options):
 api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
+bind.remove_ipa_ca_dns_records(hostname, realm.lower())
 except Exception, e:
 print Failed to cleanup %s DNS entries: %s % (hostname, e)
 print You may need to manually remove them from the tree
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c690544..95231af 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -727,31 +727,36 @@ def migrate_crl_publish_dir(ca):
  'request pki-ca restart')
 return True
 
-def add_server_cname_records():
-root_logger.info('[Add missing server CNAME records]')
+def add_ca_dns_records():
+root_logger.info('[Add missing CA DNS records]')
 
-if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
-try:
-api.Backend.ldap2.connect(autobind=True)
-except ipalib.errors.PublicError, e:
-root_logger.error(Cannot connect to LDAP to add DNS records: %s, e)
-else:
-ret = api.Command['dns_is_enabled']()
-if not ret['result']:
-root_logger.info('DNS is not configured')
-sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
-return
-
-bind = bindinstance.BindInstance()
-# DNS is enabled, so let bindinstance find out if CA is enabled
-# and let it add the CNAME in that case
-bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
-sysupgrade.set_upgrade_state('dns', 

Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Martin Kosek
On 04/12/2013 02:30 PM, Jan Cholasta wrote:
 On 12.4.2013 14:19, Petr Viktorin wrote:
 On 04/12/2013 01:24 PM, Jan Cholasta wrote:
 Hi,

 the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.

 Honza

 We used short names in the CNAMEs:

 $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
Record name: ipa-ca
CNAME record: vm-109
 
 Number of entries returned 1
 


 But it seems the patch assumes a FQDN with a dot at the end. When
 upgrading a 3.1 server I get:

 2013-04-12T12:16:43Z INFO   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 613, in run_script
  return_value = main_function()

File /usr/sbin/ipa-upgradeconfig, line 853, in main
  add_ca_dns_records()

File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records
  bind.convert_ipa_ca_cnames(api.env.domain)

File
 /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
 line 785, in convert_ipa_ca_cnames
  self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

File
 /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
 line 772, in add_ipa_ca_dns_records
  host, zone = fqdn.split(., 1)

 Unexpected error
 ValueError: need more than 1 value to unpack

 
 Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

IIRC, ipa-ca will contain FQDNs if the server is from different domain in DNS.
I.e. for example if managed domain is example.com, but one replica runs in
domain testrelm.com.

This is something that needs to be supported & tested too.

Martin



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Petr Viktorin

On 04/12/2013 02:30 PM, Jan Cholasta wrote:

On 12.4.2013 14:19, Petr Viktorin wrote:

On 04/12/2013 01:24 PM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.

Honza


We used short names in the CNAMEs:

$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
   Record name: ipa-ca
   CNAME record: vm-109

Number of entries returned 1



But it seems the patch assumes a FQDN with a dot at the end. When
upgrading a 3.1 server I get:

2013-04-12T12:16:43Z INFO   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 613, in run_script
 return_value = main_function()

   File /usr/sbin/ipa-upgradeconfig, line 853, in main
 add_ca_dns_records()

   File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records
 bind.convert_ipa_ca_cnames(api.env.domain)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
line 785, in convert_ipa_ca_cnames
 self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

   File
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
line 772, in add_ipa_ca_dns_records
 host, zone = fqdn.split(., 1)

Unexpected error
ValueError: need more than 1 value to unpack



Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

Updated patch attached.


A question: do we support users that *want* a CNAME in ipa-ca? AFAIK 
that is the usual way to do load-balancing, which is the recommended 
setup for big installations.



With this patch, if there is one, ca-install will fail as it tries to 
add the A record:


$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  CNAME record: ca.load-balancer.example.com.
$ ipa-ca-install
[...]
ValidationError: invalid 'cnamerecord': Gettext('CNAME record is not 
allowed to coexist with any other record (RFC 1034, section 3.6.2)', 
domain='ipa', localedir=None)


Even if we don't support CNAMEs here, I think we should print a 
big warning in this case rather than fail.




Upgrade state is machine-local, so every time an old master is upgraded, 
any CNAME would get replaced:


$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  CNAME record: ca.load-balancer.example.com.

Number of entries returned 1

$ sudo ipa-upgradeconfig
...
$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
  Record name: ipa-ca
  A record: 10.34.47.109

Number of entries returned 1


We should at least highlight this in the release notes, as it deletes 
users' data.



--
Petr³

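The conversion policy Jan settles on in this thread (replace the ipa-ca CNAMEs only if they all point to IPA masters, otherwise warn), the short-name versus trailing-dot FQDN target handling behind Petr's ValueError, and the RFC 1034 coexistence rule behind the ValidationError above, as an added Python model. This is illustration written for this page, not FreeIPA's bindinstance code; the zone dict, the `MASTERS` table and the IPv6 address are constructed stand-ins for the IPA DNS backend.

```python
"""Model of the ipa-ca CNAME -> A/AAAA conversion debated in this thread.

Added illustration, not FreeIPA code: the zone is an in-memory dict keyed by
record name, then record type, mirroring the `ipa dnsrecord-find` output
quoted in the thread, and MASTERS stands in for the IPA master list.
"""
import ipaddress

ZONE_NAME = "idm.lab.eng.brq.redhat.com"
# Constructed master table; the IPv4 address is the one from the thread,
# the IPv6 address is a made-up documentation-prefix value.
MASTERS = {
    "vm-109.idm.lab.eng.brq.redhat.com": ["10.34.47.109", "2001:db8::109"],
}


def normalize_target(name, zone_name):
    """Return (host, zone) for a CNAME target as stored in IPA DNS.

    Targets are either relative short names ("vm-109", meaning a host in
    the zone) or absolute names with a trailing dot. The first revision of
    the patch only handled the latter, hence Petr's
    'ValueError: need more than 1 value to unpack' on a short name.
    """
    fqdn = name[:-1] if name.endswith(".") else "%s.%s" % (name, zone_name)
    if "." not in fqdn:
        raise ValueError("cannot split %r into host and zone" % name)
    return tuple(fqdn.split(".", 1))


def add_ipa_ca_dns_records(zone, addresses):
    """Add a master's addresses to ipa-ca as A/AAAA records.

    Enforces the RFC 1034 section 3.6.2 rule that a CNAME may not coexist
    with other data, which is what the ValidationError in the thread reports.
    """
    records = zone.setdefault("ipa-ca", {})
    if records.get("CNAME"):
        raise ValueError("CNAME record is not allowed to coexist with any "
                         "other record (RFC 1034, section 3.6.2)")
    for addr in addresses:
        rtype = "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"
        rrset = records.setdefault(rtype, [])
        if addr not in rrset:          # re-running an upgrade must be a no-op
            rrset.append(addr)


def convert_ipa_ca_cnames(zone, zone_name, masters):
    """Replace ipa-ca CNAMEs with the addresses of the masters they name.

    Policy from the thread: convert only if *every* CNAME points to an IPA
    master; otherwise leave the records untouched and return warnings, so an
    admin-managed CNAME (e.g. to a load balancer) is never silently deleted.
    Returns the list of warnings (empty when the conversion ran or there was
    nothing to do), which keeps repeated upgrade runs harmless.
    """
    records = zone.get("ipa-ca", {})
    cnames = records.get("CNAME", [])
    if not cnames:
        return []
    warnings, targets = [], []
    for cname in cnames:
        host, target_zone = normalize_target(cname, zone_name)
        fqdn = "%s.%s" % (host, target_zone)
        if fqdn in masters:
            targets.append(fqdn)
        else:
            warnings.append("ipa-ca CNAME %s does not point to an IPA master, "
                            "not converting; remove it manually if the A/AAAA "
                            "records are wanted" % cname)
    if warnings:
        return warnings
    del records["CNAME"]               # must go before any A/AAAA is added
    for fqdn in targets:
        add_ipa_ca_dns_records(zone, masters[fqdn])
    return []


if __name__ == "__main__":
    zone = {"ipa-ca": {"CNAME": ["vm-109"]}}  # short name, as in Petr's report
    print(convert_ipa_ca_cnames(zone, ZONE_NAME, MASTERS), zone["ipa-ca"])
    zone = {"ipa-ca": {"CNAME": ["ca.load-balancer.example.com."]}}
    print(convert_ipa_ca_cnames(zone, ZONE_NAME, MASTERS), zone["ipa-ca"])
```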


Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Martin Kosek
On 04/12/2013 03:50 PM, Petr Viktorin wrote:
 On 04/12/2013 02:30 PM, Jan Cholasta wrote:
 On 12.4.2013 14:19, Petr Viktorin wrote:
 On 04/12/2013 01:24 PM, Jan Cholasta wrote:
 Hi,

 the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.

 Honza

 We used short names in the CNAMEs:

 $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
Record name: ipa-ca
CNAME record: vm-109
 
 Number of entries returned 1
 


 But it seems the patch assumes a FQDN with a dot at the end. When
 upgrading a 3.1 server I get:

 2013-04-12T12:16:43Z INFO   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 613, in run_script
  return_value = main_function()

File /usr/sbin/ipa-upgradeconfig, line 853, in main
  add_ca_dns_records()

File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records
  bind.convert_ipa_ca_cnames(api.env.domain)

File
 /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
 line 785, in convert_ipa_ca_cnames
  self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

File
 /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
 line 772, in add_ipa_ca_dns_records
  host, zone = fqdn.split(., 1)

 Unexpected error
 ValueError: need more than 1 value to unpack


 Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

 Updated patch attached.
 
 A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is
 the usual way to do load-balancing, which is the recommended setup for big
 installations.
 

Given that CNAME can only point to one host, I do not know how can it be used
to load balance.

The idea with ipa-ca was to contain a number of A records, which would create a
load balancer to some extent as client software checking the OCSP/CRL would run
the request against one random A record and thus distribute the load among all
FreeIPA CAs.

As A cannot coexist with CNAME, we need to delete it. But it is true that it
may be good idea to produce upgrade warning about it.

Martin



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Petr Viktorin

On 04/12/2013 03:58 PM, Martin Kosek wrote:

On 04/12/2013 03:50 PM, Petr Viktorin wrote:

On 04/12/2013 02:30 PM, Jan Cholasta wrote:

On 12.4.2013 14:19, Petr Viktorin wrote:

On 04/12/2013 01:24 PM, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/3547.

Honza


We used short names in the CNAMEs:

$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
Record name: ipa-ca
CNAME record: vm-109

Number of entries returned 1



But it seems the patch assumes a FQDN with a dot at the end. When
upgrading a 3.1 server I get:

2013-04-12T12:16:43Z INFO   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 613, in run_script
  return_value = main_function()

File /usr/sbin/ipa-upgradeconfig, line 853, in main
  add_ca_dns_records()

File /usr/sbin/ipa-upgradeconfig, line 752, in add_ca_dns_records
  bind.convert_ipa_ca_cnames(api.env.domain)

File
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
line 785, in convert_ipa_ca_cnames
  self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

File
/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
line 772, in add_ipa_ca_dns_records
  host, zone = fqdn.split(., 1)

Unexpected error
ValueError: need more than 1 value to unpack



Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

Updated patch attached.


A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is
the usual way to do load-balancing, which is the recommended setup for big
installations.



Given that CNAME can only point to one host, I do not know how can it be used
to load balance.


The host behind the CNAME can still have multiple A records, and/or the 
record(s) can point to real load balancers that distribute traffic to 
several servers, taking into account how busy each one is and excluding 
ones that are down.


From the discussions I'm under the impression that this is the proper 
big enterprise solution, which we don't do only because we don't want 
to integrate a load balancer into IPA. That's why I'm asking if/how we 
want to support it.



The idea with ipa-ca was to contain a number of A records, which would create a
load balancer to some extent as client software checking the OCSP/CRL would run
the request against one random A record and thus distribute the load among all
FreeIPA CAs.

As A cannot coexist with CNAME, we need to delete it. But it is true that it
may be good idea to produce upgrade warning about it.

Martin




--
Petr³



Re: [Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

2013-04-12 Thread Dmitri Pal
On 04/12/2013 10:09 AM, Petr Viktorin wrote:
 On 04/12/2013 03:58 PM, Martin Kosek wrote:
 On 04/12/2013 03:50 PM, Petr Viktorin wrote:
 On 04/12/2013 02:30 PM, Jan Cholasta wrote:
 On 12.4.2013 14:19, Petr Viktorin wrote:
 On 04/12/2013 01:24 PM, Jan Cholasta wrote:
 Hi,

 the attached patches fix
 https://fedorahosted.org/freeipa/ticket/3547.

 Honza

 We used short names in the CNAMEs:

 $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
 Record name: ipa-ca
 CNAME record: vm-109
 
 Number of entries returned 1
 


 But it seems the patch assumes a FQDN with a dot at the end. When
 upgrading a 3.1 server I get:

 2013-04-12T12:16:43Z INFO   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 613, in run_script
   return_value = main_function()

 File /usr/sbin/ipa-upgradeconfig, line 853, in main
   add_ca_dns_records()

 File /usr/sbin/ipa-upgradeconfig, line 752, in
 add_ca_dns_records
   bind.convert_ipa_ca_cnames(api.env.domain)

 File
 /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
 line 785, in convert_ipa_ca_cnames
   self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)

 File
 /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py,
 line 772, in add_ipa_ca_dns_records
   host, zone = fqdn.split(., 1)

 Unexpected error
 ValueError: need more than 1 value to unpack


 Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.

 Updated patch attached.

 A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
 that is
 the usual way to do load-balancing, which is the recommended setup
 for big
 installations.


 Given that CNAME can only point to one host, I do not know how can it
 be used
 to load balance.

 The host behind the CNAME can still have multiple A records, and/or
 the record(s) can point to real load balancers that distribute
 traffic to several servers, taking into account how busy each one is
 and excluding ones that are down.

 From the discussions I'm under the impression that this is the proper
 big enterprise solution, which we don't do only because we don't
 want to integrate a load balancer into IPA. That's why I'm asking
 if/how we want to support it.


It should work without load balancer with just DNS but if big customer
wants to put a load balancer he should be able to.


 The idea with ipa-ca was to contain a number of A records, which
 would create a
 load balancer to some extent as client software checking the OCSP/CRL
 would run
 the request against one random A record and thus distribute the load
 among all
 FreeIPA CAs.

 As A cannot coexist with CNAME, we need to delete it. But it is true
 that it
 may be good idea to produce upgrade warning about it.

 Martin





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


