Re: [Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
On 20.05.2016 12:19, Petr Spacek wrote:
On 11.5.2016 12:08, Martin Basti wrote:
On 03.05.2016 14:59, Petr Spacek wrote:
Hello,
DNS upgrade: change forwarding policy to "only" if private IPs are used.
https://fedorahosted.org/freeipa/ticket/5710
This is the upgrade part. I will add one more patch to print a warning in
dnsforwardzone* commands to avoid surprises. Please do not close the ticket
yet.
1)
Upgrade failed with 'BindInstance' object has no attribute
'named_conf_get_directive'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no
attribute 'named_conf_get_directive'
2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line
213, in __upgrade
self.modified = (ld.update(self.files) or self.modified)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 917, in update
self._run_updates(all_updates)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 889, in _run_updates
self._run_update_plugin(update['plugin'])
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 862, in _run_update_plugin
restart_ds, updates = self.api.Updater[plugin_name]()
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in
__call__
return self.execute(**options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 547, in execute
self.update_global_named_conf_forwarder(bind)
File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 508, in update_global_named_conf_forwarder
if bind.named_conf_get_directive(
AttributeError: 'BindInstance' object has no attribute
'named_conf_get_directive'
2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
447, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
437, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line
221, in __upgrade
raise RuntimeError(e)
RuntimeError: 'BindInstance' object has no attribute 'named_conf_get_directive'
PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new attribute *
2)
+Int('ipadnsversion?',
+label=_('IPA DNS version'),
+),
Shouldn't be this part of System: Read DNS Configuration permission?
3)
-def postprocess_result(self, result):
+def postprocess_result(self, result, show_version):
if not any(param in result['result'] for param in self.params):
result['summary'] = unicode(_('Global DNS configuration is
empty'))
show_version param was added but I don't see it used in this patch.
4)
+Int('ipadnsversion?',
+label=_('IPA DNS version'),
+),
Could we add comment here that this option is accessible only from installers
and upgrade?
5)
+for config_option in container_entry.get("ipaConfigString", []):
+matched = re.match("^DNSVersion\s+(?P\d+)$",
+ config_option, flags=re.I)
+if matched:
+version = int(matched.group("version"))
Shouldn't we print error if version cannot be parsed?
PATCH * DNS upgrade: separate backup logic to make it reusable *
LGTM
PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() *
7)
I'm curious why do you need to check superdomains?
PATCH * DNS upgrade: change forwarding policy to = only for conflicting
forward zones*
8)
+self.log.debug('Zone %s was sucessfully modified to use '
+ 'forward policy "only"', zone['idnsname'][0])
<---missing empty line>
+def execute(self, **options):
PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if
private IPs are used *
9)
- dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0])
+dnsutil.related_to_auto_empty_zone(
+dnsutil.DNSName(zone.get('idnsname')[0]))
Should be in previous commit
10)
-return
+return False, []
This should be fixed in the previous commit
PATCH * DNS upgrade: change global forwarding policy in named.conf to "only"
if private IPs are used *
11)
IMO this is an upgrade of configuration and this should be in
ipaserver/install/server/upgrade.py, upgrade plugins are used only for
updating of LDAP values
Unless you really want to use this as precedence, but then it requires broader
discussion.
12)
bind.named_conf_get_directive
should be
bindinstance.named_conf_get_directive
see 1)
This new patchse
Re: [Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
On 11.5.2016 12:08, Martin Basti wrote:
>
>
> On 03.05.2016 14:59, Petr Spacek wrote:
>> Hello,
>>
>> DNS upgrade: change forwarding policy to "only" if private IPs are used.
>>
>> https://fedorahosted.org/freeipa/ticket/5710
>>
>> This is the upgrade part. I will add one more patch to print a warning in
>> dnsforwardzone* commands to avoid surprises. Please do not close the ticket
>> yet.
>>
>>
>>
>
> 1)
> Upgrade failed with 'BindInstance' object has no attribute
> 'named_conf_get_directive'
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> ('IPA upgrade failed.', 1)
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
> 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no
> attribute 'named_conf_get_directive'
> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line
> 213, in __upgrade
> self.modified = (ld.update(self.files) or self.modified)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 917, in update
> self._run_updates(all_updates)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 889, in _run_updates
> self._run_update_plugin(update['plugin'])
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 862, in _run_update_plugin
> restart_ds, updates = self.api.Updater[plugin_name]()
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in
> __call__
> return self.execute(**options)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
> line 547, in execute
> self.update_global_named_conf_forwarder(bind)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
> line 508, in update_global_named_conf_forwarder
> if bind.named_conf_get_directive(
> AttributeError: 'BindInstance' object has no attribute
> 'named_conf_get_directive'
>
> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 447, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 437, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line
> 221, in __upgrade
> raise RuntimeError(e)
> RuntimeError: 'BindInstance' object has no attribute
> 'named_conf_get_directive'
>
> PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new attribute
> *
> 2)
> +Int('ipadnsversion?',
> +label=_('IPA DNS version'),
> +),
>
> Shouldn't be this part of System: Read DNS Configuration permission?
>
> 3)
> -def postprocess_result(self, result):
> +def postprocess_result(self, result, show_version):
> if not any(param in result['result'] for param in self.params):
> result['summary'] = unicode(_('Global DNS configuration is
> empty'))
>
> show_version param was added but I don't see it used in this patch.
>
> 4)
> +Int('ipadnsversion?',
> +label=_('IPA DNS version'),
> +),
>
> Could we add comment here that this option is accessible only from installers
> and upgrade?
>
> 5)
> +for config_option in container_entry.get("ipaConfigString", []):
> +matched = re.match("^DNSVersion\s+(?P\d+)$",
> + config_option, flags=re.I)
> +if matched:
> +version = int(matched.group("version"))
>
> Shouldn't we print error if version cannot be parsed?
>
> PATCH * DNS upgrade: separate backup logic to make it reusable *
>
> LGTM
>
> PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() *
>
> 7)
> I'm curious why do you need to check superdomains?
>
> PATCH * DNS upgrade: change forwarding policy to = only for conflicting
> forward zones*
>
> 8)
> +self.log.debug('Zone %s was sucessfully modified to use '
> + 'forward policy "only"', zone['idnsname'][0])
> <---missing empty line>
> +def execute(self, **options):
>
> PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if
> private IPs are used *
> 9)
> - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0])
> +dnsutil.related_to_auto_empty_zone(
> +dnsutil.DNSName(zone.get('idnsname')[0]))
>
> Should be in previous commit
>
> 10)
> -return
> +return False, []
> This should be fixed in the previous commit
>
> PATCH * DNS upgrade: change global forwarding policy in named.conf to "only"
> if private IPs are used *
> 11)
> IMO this is an upgrade of configuration and this should be in
> ipaserver/install/server/upgrade.py, upgrade plugins are used only for
> upda
Re: [Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
On 03.05.2016 14:59, Petr Spacek wrote:
Hello,
DNS upgrade: change forwarding policy to "only" if private IPs are used.
https://fedorahosted.org/freeipa/ticket/5710
This is the upgrade part. I will add one more patch to print a warning in
dnsforwardzone* commands to avoid surprises. Please do not close the ticket yet.
1)
Upgrade failed with 'BindInstance' object has no attribute
'named_conf_get_directive'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has
no attribute 'named_conf_get_directive'
2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 213, in __upgrade
self.modified = (ld.update(self.files) or self.modified)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
917, in update
self._run_updates(all_updates)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
889, in _run_updates
self._run_update_plugin(update['plugin'])
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
862, in _run_update_plugin
restart_ds, updates = self.api.Updater[plugin_name]()
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
1418, in __call__
return self.execute(**options)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 547, in execute
self.update_global_named_conf_forwarder(bind)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 508, in update_global_named_conf_forwarder
if bind.named_conf_get_directive(
AttributeError: 'BindInstance' object has no attribute
'named_conf_get_directive'
2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 447, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 437, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 221, in __upgrade
raise RuntimeError(e)
RuntimeError: 'BindInstance' object has no attribute
'named_conf_get_directive'
PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new
attribute *
2)
+Int('ipadnsversion?',
+label=_('IPA DNS version'),
+),
Shouldn't be this part of System: Read DNS Configuration permission?
3)
-def postprocess_result(self, result):
+def postprocess_result(self, result, show_version):
if not any(param in result['result'] for param in self.params):
result['summary'] = unicode(_('Global DNS configuration is
empty'))
show_version param was added but I don't see it used in this patch.
4)
+Int('ipadnsversion?',
+label=_('IPA DNS version'),
+),
Could we add comment here that this option is accessible only from
installers and upgrade?
5)
+for config_option in container_entry.get("ipaConfigString", []):
+matched = re.match("^DNSVersion\s+(?P\d+)$",
+ config_option, flags=re.I)
+if matched:
+version = int(matched.group("version"))
Shouldn't we print error if version cannot be parsed?
PATCH * DNS upgrade: separate backup logic to make it reusable *
LGTM
PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() *
7)
I'm curious why do you need to check superdomains?
PATCH * DNS upgrade: change forwarding policy to = only for conflicting
forward zones*
8)
+self.log.debug('Zone %s was sucessfully modified to use '
+ 'forward policy "only"', zone['idnsname'][0])
<---missing empty line>
+def execute(self, **options):
PATCH * DNS upgrade: change global forwarding policy in LDAP to "only"
if private IPs are used *
9)
- dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0])
+dnsutil.related_to_auto_empty_zone(
+dnsutil.DNSName(zone.get('idnsname')[0]))
Should be in previous commit
10)
-return
+return False, []
This should be fixed in the previous commit
PATCH * DNS upgrade: change global forwarding policy in named.conf to
"only" if private IPs are used *
11)
IMO this is an upgrade of configuration and this should be in
ipaserver/install/server/upgrade.py, upgrade plugins are used only for
updating of LDAP values
Unless you really want to use this as precedence, but then it requires
broader discussion.
12)
bind.named_conf_get_directive
should be
bindinstance.named_conf_get_directive
see 1)
Martin^2
--
Manage your subscription for the Freeipa-devel maili
[Freeipa-devel] [PATCH 0104-0109] DNS upgrade: change forwarding policy to "only" if private IPs are used
Hello, DNS upgrade: change forwarding policy to "only" if private IPs are used. https://fedorahosted.org/freeipa/ticket/5710 This is the upgrade part. I will add one more patch to print a warning in dnsforwardzone* commands to avoid surprises. Please do not close the ticket yet. -- Petr^2 Spacek From b1d75807e0f8a117fe4b28f1c83054bb3ff1db6c Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Mon, 25 Apr 2016 14:07:16 +0200 Subject: [PATCH] Add ipaDNSVersion option to dnsconfig* commands and use new attribute Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and ipaConfigString was bad idea from the very beginning as it was hard to manipulate the number in it. To avoid problems in future we are introducing new ipaDNSVersion attribute which is used on cn=dns instead of ipaConfigString. Original value of ipaConfigString is kept in the tree for now so older upgraders see it and do not execute the upgrade procedure again. The attribute can be changed only by installer/upgrade so it is not exposed in dnsconfig_mod API. Command dnsconfig_show displays it only if --all option was used. https://fedorahosted.org/freeipa/ticket/5710 --- install/share/60ipadns.ldif| 2 + install/share/dns.ldif | 4 +- install/updates/40-dns.update | 1 - install/updates/90-post_upgrade_plugins.update | 1 + ipalib/plugins/dns.py | 20 +-- ipaserver/install/plugins/dns.py | 73 -- 6 files changed, 77 insertions(+), 24 deletions(-) diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif index e0ed0ab869cea0478d9640bb509c6267abed1a01..71b99d4d03c34591dc83a5706d300727f3f77f30 100644 --- a/install/share/60ipadns.ldif +++ b/install/share/60ipadns.ldif @@ -70,9 +70,11 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' DESC 'IPA DNS data version' EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord $ HIPRecord $ SPFRecord ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' ) objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) +objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' DESC 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 42b41a8d706a8a3fd826320aff6c9333264128fc..d71e2ad7d7ca530247198d9db71aebd497d0c121 100644 --- a/install/s
