Re: [Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrade

2016-08-11 Thread Martin Basti



On 11.08.2016 15:10, Petr Spacek wrote:

> Hello,
>
> server upgrade: do not start BIND if it was not running before the upgrade
>
> https://fedorahosted.org/freeipa/ticket/6206

ACK
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrade

2016-08-11 Thread Petr Spacek
On 11.8.2016 15:17, Petr Spacek wrote:
> On 11.8.2016 15:10, Petr Spacek wrote:
>> Hello,
>>
>> server upgrade: do not start BIND if it was not running before the upgrade
>>
>> https://fedorahosted.org/freeipa/ticket/6206
> 
> Here is a variant for the master branch.

Grr, this is the wrong thread. Please ignore this.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrade

2016-08-11 Thread Petr Spacek
On 11.8.2016 15:10, Petr Spacek wrote:
> Hello,
> 
> server upgrade: do not start BIND if it was not running before the upgrade
> 
> https://fedorahosted.org/freeipa/ticket/6206

Here is a variant for the master branch.

-- 
Petr^2 Spacek
From 4816abee9150db26b330fa4ce99b4fb8f51597a1 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 11 Aug 2016 13:44:29 +0200
Subject: [PATCH] DNS server upgrade: do not fail when DNS server did not
 respond

Previously, update_dnsforward_emptyzones failed with an exception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.

I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophic consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.

In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternatives
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.

https://fedorahosted.org/freeipa/ticket/6205
---
 ipaserver/install/plugins/dns.py | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 32247eedbac7fc7e00c7277ef0bc593a74cd22e4..7b06a5c0d3a59e5825af75fae87c9739a53d9913 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -17,6 +17,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+from __future__ import absolute_import
+
+import dns.exception
 import re
 import traceback
 import time
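Review bot: the `from __future__ import absolute_import` line added together with `import dns.exception` needs a one-line comment saying why it is there: this file is itself ipaserver/install/plugins/dns.py, so under Python 2's implicit relative imports a bare `import dns.exception` would resolve against this module instead of the dnspython package. Without that comment a later cleanup can drop the `__future__` line as unused and reintroduce the breakage. Minor style point in the same hunk: `dns.exception` is a third-party import and is placed directly above the stdlib `re`, `traceback`, `time` group; separate it with a blank line.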
@@ -489,8 +492,15 @@ class update_dnsforward_emptyzones(DNSUpdater):
 self.api.Command['dnsconfig_mod'](ipadnsversion=2)
 
 self.update_zones()
-if dnsutil.has_empty_zone_addresses(self.api.env.host):
-self.update_global_ldap_forwarder()
+try:
+if dnsutil.has_empty_zone_addresses(self.api.env.host):
+self.update_global_ldap_forwarder()
+except dns.exception.DNSException as ex:
+self.log.error('Skipping update of global DNS forwarder in LDAP: '
+   'Unable to determine if local server is using an '
+   'IP address belonging to an automatic empty zone. '
+   'Consider changing forwarding policy to "only". '
+   'DNS exception: %s', ex)
 
 return False, []
 
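Review bot: the try block in update_dnsforward_emptyzones wraps both `dnsutil.has_empty_zone_addresses(self.api.env.host)` and `self.update_global_ldap_forwarder()`, so a DNSException raised while applying the forwarder change is swallowed with a message that claims the empty-zone probe failed, pointing the admin at the wrong cause. Narrow the guarded region to the probe: assign its result inside the try, log and return on DNSException, and call `self.update_global_ldap_forwarder()` after the try only when the probe succeeded. The log text "Consider changing forwarding policy to \"only\"" would also be more actionable if it named the knob, i.e. `dnsconfig_mod` (already invoked at the top of this hunk) with `--forward-policy=only`.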
-- 
2.7.4

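The heuristic that the dns.py patch above guards, written out as an added example so the two halves of the decision are visible: which addresses fall inside BIND's automatic empty reverse zones, and what the upgrade does when the resolver cannot answer. This is not FreeIPA's code and does not use `dnsutil`; the prefix list is my rendering of the RFC 6303 zones plus 100.64.0.0/10 from RFC 7793 (check it against the built-in list of your BIND release), `ResolverError` stands in for dnspython's `dns.exception.DNSException` so the block runs without that package, and `fake_resolver` with its answers is constructed for the demonstration.

```python
"""Added example, not FreeIPA code: empty-zone probe that degrades to
'unknown' on resolver failure instead of aborting the caller."""
import ipaddress
import logging

log = logging.getLogger("upgrade.dns")

# Address ranges whose reverse zones BIND serves automatically
# (RFC 6303, plus 100.64.0.0/10 from RFC 7793).  Assumption: verify this
# list against the built-in empty zones of the BIND version in use.
AUTOMATIC_EMPTY_ZONE_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24", "255.255.255.255/32",
    "::/128", "::1/128", "2001:db8::/32", "fd00::/8", "fe80::/10",
)]


class ResolverError(Exception):
    """Stand-in for dns.exception.DNSException (dnspython)."""


def in_automatic_empty_zone(address):
    """True when a reverse lookup of `address` would be answered locally
    by an automatic empty zone rather than forwarded."""
    addr = ipaddress.ip_address(address)
    # Membership across IP versions is simply False, no exception.
    return any(addr in net for net in AUTOMATIC_EMPTY_ZONE_RANGES)


def has_empty_zone_addresses(hostname, resolve):
    """`resolve(hostname)` is a hypothetical callback returning the host's
    addresses or raising ResolverError; it is not dnsutil's API."""
    return any(in_automatic_empty_zone(a) for a in resolve(hostname))


def recommended_forward_policy(hostname, resolve):
    """'only' when the host uses an empty-zone address, 'first' when it
    does not, None when the probe could not be completed.  None is the
    'log and continue' outcome from the patch: keep the current policy
    and tell the admin to review it."""
    try:
        uses_empty_zone = has_empty_zone_addresses(hostname, resolve)
    except ResolverError as ex:
        log.error("Skipping forwarder update: unable to determine if %s "
                  "uses an automatic empty zone address; consider "
                  "forwarding policy 'only'. DNS error: %s", hostname, ex)
        return None
    return "only" if uses_empty_zone else "first"


def fake_resolver(answers):
    """Constructed resolver: unknown names behave like a dead DNS server."""
    def resolve(hostname):
        if hostname not in answers:
            raise ResolverError("query for %s timed out" % hostname)
        return answers[hostname]
    return resolve


if __name__ == "__main__":
    resolve = fake_resolver({
        "ipa.lab.example": ["192.168.10.5", "fe80::1"],  # RFC 1918 + link-local
        "ipa.pub.example": ["198.18.0.5"],  # benchmarking range, not an empty zone
    })
    for host in ("ipa.lab.example", "ipa.pub.example", "down.example"):
        print(host, recommended_forward_policy(host, resolve))
```

`recommended_forward_policy` returning None rather than raising mirrors the patch's choice: the probe is a last-resort heuristic, so a resolver outage costs at most a manual policy change, whereas an unhandled exception would abort the whole server upgrade.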

[Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrade

2016-08-11 Thread Petr Spacek
Hello,

server upgrade: do not start BIND if it was not running before the upgrade

https://fedorahosted.org/freeipa/ticket/6206

-- 
Petr^2 Spacek
From a01799ca093cc5572c11d9f73c90b8ee71a48d70 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 11 Aug 2016 15:10:04 +0200
Subject: [PATCH] server upgrade: do not start BIND if it was not running
 before the upgrade

https://fedorahosted.org/freeipa/ticket/6206
---
 ipaserver/install/server/upgrade.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index cc0af2b243d0c5693024e105fd0eab925b3f9b6c..d3ecde34f36d5adda730421d516110efd8ff29dd 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1678,7 +1678,8 @@ def upgrade_configuration():
 root_logger.info('Changes to named.conf have been made, restart named')
 bind = bindinstance.BindInstance(fstore)
 try:
-bind.restart()
+if bind.is_running():
+bind.restart()
 except ipautil.CalledProcessError as e:
 root_logger.error("Failed to restart %s: %s", bind.service_name, e)
 
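Review bot: the info message on the context line above the change, 'Changes to named.conf have been made, restart named', is still logged unconditionally, so when named is stopped the upgrade log announces a restart that `if bind.is_running():` then skips, and the rewritten named.conf silently stays unapplied until someone starts the service. Add an else branch that logs that named was not running and the restart was skipped, so the admin knows the configuration change takes effect at the next start. Also, `bind.is_running()` now sits inside a try that only catches `ipautil.CalledProcessError`; that is fine if the service wrapper reports state rather than raising, which is worth confirming for the platform service classes.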
-- 
2.7.4
