Re: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server
On 07/01/2015 12:47 PM, Petr Spacek wrote: On 1.7.2015 12:35, Martin Basti wrote: On 30/06/15 22:09, Petr Spacek wrote: On 30.6.2015 16:04, Martin Basti wrote: On 30/06/15 10:25, Martin Basti wrote: On 29/06/15 15:16, Martin Basti wrote: On 25/06/15 13:46, Petr Spacek wrote: On 17.6.2015 13:37, Martin Basti wrote: On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). Rebased patches attached. NACK. 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db. It would be better to put it into local working directory or /var/lib/ipa (as with replica files). 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop: [root@vm-134 review]# ipactl stop Stopping ipa-otpd Service Stopping httpd Service Stopping ipa_memcached Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service ipa: INFO: The ipactl command was successful [root@vm-134 review]# ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting ipa-otpd Service Starting ipa-ods-exporter Service Starting ods-enforcerd Service Starting ipa-dnskeysyncd Service Subsequent ipactl stop worked fine, only the first one is affected. 2a) vm-134 was the original master. I ran this: [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com ... and then attempted to install master to vm-059: [root@vm-059 review]# ipa-dns-install --dnssec-master This command was accepted despite of missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with --kasp-db option. Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided. 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted. [root@vm-090 review]# ipa-dns-install --dnssec-master As in case (2a), it should print what user is supposed to do. I propose following text: Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is being moved to different server. You need to copy kasp.db file from vm-134.abc.idm.lab.eng.brq.redhat.com and run following command to complete the transition: # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com it is possible to run [root@vm-134 review]# ipa-dns-install --dnssec-master again without --kasp-db and it is accepted. Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. 5) Sequence of commands [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com allows me to run [root@vm-090 review]# ipa-dns-install --dnssec-master without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost. It would be probably better
Re: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server
On 30/06/15 22:09, Petr Spacek wrote: On 30.6.2015 16:04, Martin Basti wrote: On 30/06/15 10:25, Martin Basti wrote: On 29/06/15 15:16, Martin Basti wrote: On 25/06/15 13:46, Petr Spacek wrote: On 17.6.2015 13:37, Martin Basti wrote: On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). Rebased patches attached. NACK. 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db. It would be better to put it into local working directory or /var/lib/ipa (as with replica files). 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop: [root@vm-134 review]# ipactl stop Stopping ipa-otpd Service Stopping httpd Service Stopping ipa_memcached Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service ipa: INFO: The ipactl command was successful [root@vm-134 review]# ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting ipa-otpd Service Starting ipa-ods-exporter Service Starting ods-enforcerd Service Starting ipa-dnskeysyncd Service Subsequent ipactl stop worked fine, only the first one is affected. 2a) vm-134 was the original master. I ran this: [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com ... and then attempted to install master to vm-059: [root@vm-059 review]# ipa-dns-install --dnssec-master This command was accepted despite of missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with --kasp-db option. Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided. 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted. [root@vm-090 review]# ipa-dns-install --dnssec-master As in case (2a), it should print what user is supposed to do. I propose following text: Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is being moved to different server. You need to copy kasp.db file from vm-134.abc.idm.lab.eng.brq.redhat.com and run following command to complete the transition: # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com it is possible to run [root@vm-134 review]# ipa-dns-install --dnssec-master again without --kasp-db and it is accepted. Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. 5) Sequence of commands [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com allows me to run [root@vm-090 review]# ipa-dns-install --dnssec-master without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost. It would be probably better to replace this and to use some global attribute in cn=dns so similar problems do not happen. 6) The migration itself seems to work, KASP DB seems to work properly, however it is necessary to run
Re: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server
On 1.7.2015 12:35, Martin Basti wrote: On 30/06/15 22:09, Petr Spacek wrote: On 30.6.2015 16:04, Martin Basti wrote: On 30/06/15 10:25, Martin Basti wrote: On 29/06/15 15:16, Martin Basti wrote: On 25/06/15 13:46, Petr Spacek wrote: On 17.6.2015 13:37, Martin Basti wrote: On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). Rebased patches attached. NACK. 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db. It would be better to put it into local working directory or /var/lib/ipa (as with replica files). 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop: [root@vm-134 review]# ipactl stop Stopping ipa-otpd Service Stopping httpd Service Stopping ipa_memcached Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service ipa: INFO: The ipactl command was successful [root@vm-134 review]# ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting ipa-otpd Service Starting ipa-ods-exporter Service Starting ods-enforcerd Service Starting ipa-dnskeysyncd Service Subsequent ipactl stop worked fine, only the first one is affected. 2a) vm-134 was the original master. I ran this: [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com ... and then attempted to install master to vm-059: [root@vm-059 review]# ipa-dns-install --dnssec-master This command was accepted despite of missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with --kasp-db option. Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided. 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted. [root@vm-090 review]# ipa-dns-install --dnssec-master As in case (2a), it should print what user is supposed to do. I propose following text: Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is being moved to different server. You need to copy kasp.db file from vm-134.abc.idm.lab.eng.brq.redhat.com and run following command to complete the transition: # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com it is possible to run [root@vm-134 review]# ipa-dns-install --dnssec-master again without --kasp-db and it is accepted. Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. 5) Sequence of commands [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com allows me to run [root@vm-090 review]# ipa-dns-install --dnssec-master without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost. It would be probably better to replace this and to use some global