Re: [Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
On 20.05.2016 12:19, Petr Spacek wrote: On 11.5.2016 12:08, Martin Basti wrote: On 03.05.2016 14:59, Petr Spacek wrote: Hello, DNS upgrade: change forwarding policy to "only" if private IPs are used. https://fedorahosted.org/freeipa/ticket/5710 This is the upgrade part. I will add one more patch to print a warning in dnsforwardzone* commands to avoid surprises. Please do not close the ticket yet. 1) Upgrade failed with 'BindInstance' object has no attribute 'named_conf_get_directive' IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. ('IPA upgrade failed.', 1) The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no attribute 'named_conf_get_directive' 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 213, in __upgrade self.modified = (ld.update(self.files) or self.modified) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 917, in update self._run_updates(all_updates) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 889, in _run_updates self._run_update_plugin(update['plugin']) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 862, in _run_update_plugin restart_ds, updates = self.api.Updater[plugin_name]() File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in __call__ return self.execute(**options) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 547, in execute self.update_global_named_conf_forwarder(bind) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 508, in update_global_named_conf_forwarder if bind.named_conf_get_directive( AttributeError: 'BindInstance' object has no attribute 'named_conf_get_directive' 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 221, in __upgrade raise RuntimeError(e) RuntimeError: 'BindInstance' object has no attribute 'named_conf_get_directive' PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new attribute * 2) +Int('ipadnsversion?', +label=_('IPA DNS version'), +), Shouldn't be this part of System: Read DNS Configuration permission? 3) -def postprocess_result(self, result): +def postprocess_result(self, result, show_version): if not any(param in result['result'] for param in self.params): result['summary'] = unicode(_('Global DNS configuration is empty')) show_version param was added but I don't see it used in this patch. 4) +Int('ipadnsversion?', +label=_('IPA DNS version'), +), Could we add comment here that this option is accessible only from installers and upgrade? 5) +for config_option in container_entry.get("ipaConfigString", []): +matched = re.match("^DNSVersion\s+(?P\d+)$", + config_option, flags=re.I) +if matched: +version = int(matched.group("version")) Shouldn't we print error if version cannot be parsed? PATCH * DNS upgrade: separate backup logic to make it reusable * LGTM PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() * 7) I'm curious why do you need to check superdomains? PATCH * DNS upgrade: change forwarding policy to = only for conflicting forward zones* 8) +self.log.debug('Zone %s was sucessfully modified to use ' + 'forward policy "only"', zone['idnsname'][0]) <---missing empty line> +def execute(self, **options): PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used * 9) - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0]) +dnsutil.related_to_auto_empty_zone( +dnsutil.DNSName(zone.get('idnsname')[0])) Should be in previous commit 10) -return +return False, [] This should be fixed in the previous commit PATCH * DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used * 11) IMO this is an upgrade of configuration and this should be in ipaserver/install/server/upgrade.py, upgrade plugins are used only for updating of LDAP values Unless you really want to use this as precedence, but then it requires broader discussion. 12) bind.named_conf_get_directive should be bindinstance.named_conf_get_directive see 1) This new patchse
Re: [Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
On 11.5.2016 12:08, Martin Basti wrote: > > > On 03.05.2016 14:59, Petr Spacek wrote: >> Hello, >> >> DNS upgrade: change forwarding policy to "only" if private IPs are used. >> >> https://fedorahosted.org/freeipa/ticket/5710 >> >> This is the upgrade part. I will add one more patch to print a warning in >> dnsforwardzone* commands to avoid surprises. Please do not close the ticket >> yet. >> >> >> > > 1) > Upgrade failed with 'BindInstance' object has no attribute > 'named_conf_get_directive' > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command > ipa-server-upgrade manually. > ('IPA upgrade failed.', 1) > The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > information > > 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no > attribute 'named_conf_get_directive' > 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): > File > "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line > 213, in __upgrade > self.modified = (ld.update(self.files) or self.modified) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 917, in update > self._run_updates(all_updates) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 889, in _run_updates > self._run_update_plugin(update['plugin']) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 862, in _run_update_plugin > restart_ds, updates = self.api.Updater[plugin_name]() > File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in > __call__ > return self.execute(**options) > File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", > line 547, in execute > self.update_global_named_conf_forwarder(bind) > File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", > line 508, in update_global_named_conf_forwarder > if bind.named_conf_get_directive( > AttributeError: 'BindInstance' object has no attribute > 'named_conf_get_directive' > > 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 447, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 437, in run_step > method() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line > 221, in __upgrade > raise RuntimeError(e) > RuntimeError: 'BindInstance' object has no attribute > 'named_conf_get_directive' > > PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new attribute > * > 2) > +Int('ipadnsversion?', > +label=_('IPA DNS version'), > +), > > Shouldn't be this part of System: Read DNS Configuration permission? > > 3) > -def postprocess_result(self, result): > +def postprocess_result(self, result, show_version): > if not any(param in result['result'] for param in self.params): > result['summary'] = unicode(_('Global DNS configuration is > empty')) > > show_version param was added but I don't see it used in this patch. > > 4) > +Int('ipadnsversion?', > +label=_('IPA DNS version'), > +), > > Could we add comment here that this option is accessible only from installers > and upgrade? > > 5) > +for config_option in container_entry.get("ipaConfigString", []): > +matched = re.match("^DNSVersion\s+(?P\d+)$", > + config_option, flags=re.I) > +if matched: > +version = int(matched.group("version")) > > Shouldn't we print error if version cannot be parsed? > > PATCH * DNS upgrade: separate backup logic to make it reusable * > > LGTM > > PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() * > > 7) > I'm curious why do you need to check superdomains? > > PATCH * DNS upgrade: change forwarding policy to = only for conflicting > forward zones* > > 8) > +self.log.debug('Zone %s was sucessfully modified to use ' > + 'forward policy "only"', zone['idnsname'][0]) > <---missing empty line> > +def execute(self, **options): > > PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if > private IPs are used * > 9) > - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0]) > +dnsutil.related_to_auto_empty_zone( > +dnsutil.DNSName(zone.get('idnsname')[0])) > > Should be in previous commit > > 10) > -return > +return False, [] > This should be fixed in the previous commit > > PATCH * DNS upgrade: change global forwarding policy in named.conf to "only" > if private IPs are used * > 11) > IMO this is an upgrade of configuration and this should be in > ipaserver/install/server/upgrade.py, upgrade plugins are used only for > upda
Re: [Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
On 03.05.2016 14:59, Petr Spacek wrote: Hello, DNS upgrade: change forwarding policy to "only" if private IPs are used. https://fedorahosted.org/freeipa/ticket/5710 This is the upgrade part. I will add one more patch to print a warning in dnsforwardzone* commands to avoid surprises. Please do not close the ticket yet. 1) Upgrade failed with 'BindInstance' object has no attribute 'named_conf_get_directive' IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. ('IPA upgrade failed.', 1) The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no attribute 'named_conf_get_directive' 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 213, in __upgrade self.modified = (ld.update(self.files) or self.modified) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 917, in update self._run_updates(all_updates) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 889, in _run_updates self._run_update_plugin(update['plugin']) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 862, in _run_update_plugin restart_ds, updates = self.api.Updater[plugin_name]() File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in __call__ return self.execute(**options) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 547, in execute self.update_global_named_conf_forwarder(bind) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 508, in update_global_named_conf_forwarder if bind.named_conf_get_directive( AttributeError: 'BindInstance' object has no attribute 'named_conf_get_directive' 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 221, in __upgrade raise RuntimeError(e) RuntimeError: 'BindInstance' object has no attribute 'named_conf_get_directive' PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new attribute * 2) +Int('ipadnsversion?', +label=_('IPA DNS version'), +), Shouldn't be this part of System: Read DNS Configuration permission? 3) -def postprocess_result(self, result): +def postprocess_result(self, result, show_version): if not any(param in result['result'] for param in self.params): result['summary'] = unicode(_('Global DNS configuration is empty')) show_version param was added but I don't see it used in this patch. 4) +Int('ipadnsversion?', +label=_('IPA DNS version'), +), Could we add comment here that this option is accessible only from installers and upgrade? 5) +for config_option in container_entry.get("ipaConfigString", []): +matched = re.match("^DNSVersion\s+(?P\d+)$", + config_option, flags=re.I) +if matched: +version = int(matched.group("version")) Shouldn't we print error if version cannot be parsed? PATCH * DNS upgrade: separate backup logic to make it reusable * LGTM PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() * 7) I'm curious why do you need to check superdomains? PATCH * DNS upgrade: change forwarding policy to = only for conflicting forward zones* 8) +self.log.debug('Zone %s was sucessfully modified to use ' + 'forward policy "only"', zone['idnsname'][0]) <---missing empty line> +def execute(self, **options): PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used * 9) - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0]) +dnsutil.related_to_auto_empty_zone( +dnsutil.DNSName(zone.get('idnsname')[0])) Should be in previous commit 10) -return +return False, [] This should be fixed in the previous commit PATCH * DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used * 11) IMO this is an upgrade of configuration and this should be in ipaserver/install/server/upgrade.py, upgrade plugins are used only for updating of LDAP values Unless you really want to use this as precedence, but then it requires broader discussion. 12) bind.named_conf_get_directive should be bindinstance.named_conf_get_directive see 1) Martin^2 -- Manage your subscription for the Freeipa-devel maili
[Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
Hello, DNS upgrade: change forwarding policy to "only" if private IPs are used. https://fedorahosted.org/freeipa/ticket/5710 This is the upgrade part. I will add one more patch to print a warning in dnsforwardzone* commands to avoid surprises. Please do not close the ticket yet. -- Petr^2 Spacek From b1d75807e0f8a117fe4b28f1c83054bb3ff1db6c Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Mon, 25 Apr 2016 14:07:16 +0200 Subject: [PATCH] Add ipaDNSVersion option to dnsconfig* commands and use new attribute Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and ipaConfigString was bad idea from the very beginning as it was hard to manipulate the number in it. To avoid problems in future we are introducing new ipaDNSVersion attribute which is used on cn=dns instead of ipaConfigString. Original value of ipaConfigString is kept in the tree for now so older upgraders see it and do not execute the upgrade procedure again. The attribute can be changed only by installer/upgrade so it is not exposed in dnsconfig_mod API. Command dnsconfig_show displays it only if --all option was used. https://fedorahosted.org/freeipa/ticket/5710 --- install/share/60ipadns.ldif| 2 + install/share/dns.ldif | 4 +- install/updates/40-dns.update | 1 - install/updates/90-post_upgrade_plugins.update | 1 + ipalib/plugins/dns.py | 20 +-- ipaserver/install/plugins/dns.py | 73 -- 6 files changed, 77 insertions(+), 24 deletions(-) diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif index e0ed0ab869cea0478d9640bb509c6267abed1a01..71b99d4d03c34591dc83a5706d300727f3f77f30 100644 --- a/install/share/60ipadns.ldif +++ b/install/share/60ipadns.ldif @@ -70,9 +70,11 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' DESC 'IPA DNS data version' EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord $ HIPRecord $ SPFRecord ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' ) objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) +objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' DESC 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 42b41a8d706a8a3fd826320aff6c9333264128fc..d71e2ad7d7ca530247198d9db71aebd497d0c121 100644 --- a/install/s