Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-23 Thread Jan Cholasta

On 23.1.2015 at 10:13, Martin Basti wrote:

On 23/01/15 08:04, Jan Cholasta wrote:

Hi,

On 21.1.2015 at 13:39, Martin Basti wrote:

Patch 188 catches LDAP exceptions to prevent false positive abrt reports

Patch 187 fixes issues with removing root zone

Patches attached.


Patch 187:

Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled,
instead of any LDAPError?


These are expected during IPA restart/start etc.  Other ldap exceptions
should not happen, so we can get abrt reports from users, if something
is wrong.


Makes sense.


Patch 188:

IMO it would be slightly better to do it like this:

-name = name.relativize(dns.name.root)
+if name != dns.name.root:
+name = name.relativize(dns.name.root)

This will not work.  There is relativization for some zones before this
step. I will try to clean the mess I found now in a new patch.


Please do.

It's an ACK then. Is this supposed to go in ipa-4-1 too or is it master 
only?


--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-23 Thread Jan Cholasta

On 23.1.2015 at 10:25, Martin Basti wrote:

On 23/01/15 10:23, Jan Cholasta wrote:

On 23.1.2015 at 10:13, Martin Basti wrote:

On 23/01/15 08:04, Jan Cholasta wrote:

Hi,

On 21.1.2015 at 13:39, Martin Basti wrote:

Patch 188 catches LDAP exceptions to prevent false positive abrt reports

Patch 187 fixes issues with removing root zone

Patches attached.


Patch 187:

Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled,
instead of any LDAPError?


These are expected during IPA restart/start etc.  Other ldap exceptions
should not happen, so we can get abrt reports from users, if something
is wrong.


Makes sense.


Patch 188:

IMO it would be slightly better to do it like this:

-name = name.relativize(dns.name.root)
+if name != dns.name.root:
+name = name.relativize(dns.name.root)

This will not work.  There is relativization for some zones before this
step. I will try to clean the mess I found now in a new patch.


Please do.

It's an ACK then. Is this supposed to go in ipa-4-1 too or is it
master only?


Both please, thank you.



Pushed to:
master: 46c12159e6c27082e7bc46e96d3738eea68dba91
ipa-4-1: 64cf3071ca908b22e5ad402585d9690c1a7fc518

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-23 Thread Martin Basti

On 23/01/15 08:04, Jan Cholasta wrote:

Hi,

On 21.1.2015 at 13:39, Martin Basti wrote:

Patch 188 catches LDAP exceptions to prevent false positive abrt reports

Patch 187 fixes issues with removing root zone

Patches attached.


Patch 187:

Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, 
instead of any LDAPError?


These are expected during IPA restart/start etc.  Other ldap exceptions 
should not happen, so we can get abrt reports from users, if something 
is wrong.

Patch 188:

IMO it would be slightly better to do it like this:

-name = name.relativize(dns.name.root)
+if name != dns.name.root:
+name = name.relativize(dns.name.root)

This will not work.  There is relativization for some zones before this 
step. I will try to clean the mess I found now in a new patch.




Honza




--
Martin Basti



Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-23 Thread Martin Basti

On 23/01/15 10:23, Jan Cholasta wrote:

On 23.1.2015 at 10:13, Martin Basti wrote:

On 23/01/15 08:04, Jan Cholasta wrote:

Hi,

On 21.1.2015 at 13:39, Martin Basti wrote:

Patch 188 catches LDAP exceptions to prevent false positive abrt reports

Patch 187 fixes issues with removing root zone

Patches attached.


Patch 187:

Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled,
instead of any LDAPError?


These are expected during IPA restart/start etc.  Other ldap exceptions
should not happen, so we can get abrt reports from users, if something
is wrong.


Makes sense.


Patch 188:

IMO it would be slightly better to do it like this:

-name = name.relativize(dns.name.root)
+if name != dns.name.root:
+name = name.relativize(dns.name.root)

This will not work.  There is relativization for some zones before this
step. I will try to clean the mess I found now in a new patch.


Please do.

It's an ACK then. Is this supposed to go in ipa-4-1 too or is it 
master only?



Both please, thank you.

--
Martin Basti



Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-22 Thread Jan Cholasta

Hi,

On 21.1.2015 at 13:39, Martin Basti wrote:

Patch 188 catches LDAP exceptions to prevent false positive abrt reports

Patch 187 fixes issues with removing root zone

Patches attached.


Patch 187:

Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, 
instead of any LDAPError?


Patch 188:

IMO it would be slightly better to do it like this:

-name = name.relativize(dns.name.root)
+if name != dns.name.root:
+name = name.relativize(dns.name.root)

Honza

--
Jan Cholasta



[Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-21 Thread Martin Basti

Patch 188 catches LDAP exceptions to prevent false positive abrt reports

Patch 187 fixes issues with removing root zone

Patches attached.

--
Martin Basti

From baed3cbcc9d4cf1768a7f2eff96e9d0943bfc578 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 21 Jan 2015 13:32:44 +0100
Subject: [PATCH] DNSSEC catch ldap exceptions in ipa-dnskeysyncd

Server down exception causes a lot of false positive abrt reports.
---
 daemons/dnssec/ipa-dnskeysyncd | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd
index c7475bd65ba7ad38af99f2e8c3ae3bc8837f2c9b..e184d88b47ff7c7224c71057807e447e4b5e9e12 100755
--- a/daemons/dnssec/ipa-dnskeysyncd
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -102,5 +102,9 @@ while watcher_running:
 filterstr=ldap_url.filterstr
 )
 
-while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
-pass
+try:
+while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
+pass
+except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
+log.exception('syncrepl_poll: LDAP error (%s)', e)
+sys.exit(1)
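
Review bot: In the new except branch, log.exception writes a full traceback for ldap.SERVER_DOWN and ldap.CONNECT_ERROR, which the commit message treats as a source of false positives rather than a real fault; log.error with the same message would record the event without the traceback. The sys.exit(1) also ends the process from inside the `while watcher_running:` loop instead of letting the loop reconnect, so a short comment stating that restart is left to whatever supervises the daemon would help the next reader. The commit message names only the server-down case while the code also catches CONNECT_ERROR; it should mention both.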
-- 
2.1.0

From b47299085fd04bb8ccc99e47b2a0e33d52fd1e8a Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 21 Jan 2015 12:19:17 +0100
Subject: [PATCH] DNSSEC: fix root zone dns name conversion

Root zone was represented as '@', which was incorrect. ksmutil did not
accept it.
Now root zone is represented as '.'
---
 ipapython/dnssec/odsmgr.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py
index a91b6c553d9ab7364258bd1ca24d236a3994ec6d..ed17351cad4db28caed2623aa4bec145d5bc4414 100644
--- a/ipapython/dnssec/odsmgr.py
+++ b/ipapython/dnssec/odsmgr.py
@@ -145,6 +145,9 @@ class ODSMgr(object):
 def del_ods_zone(self, name):
 # ods-ksmutil blows up if zone name has period at the end
 name = name.relativize(dns.name.root)
+# detect if name is root zone
+if name == dns.name.empty:
+name = dns.name.root
 cmd = ['zone', 'delete', '--zone', str(name)]
 output = self.ksmutil(cmd)
 self.log.info(output)
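
Review bot: The existing comment above the relativize call in del_ods_zone says ods-ksmutil fails on a zone name with a period at the end, yet the added branch passes dns.name.root, whose string form is '.', for the root zone; extend the comment to say the root zone is the one exception, as the commit message does. The new check sits only in del_ods_zone, so any other method that relativizes a zone name before calling ksmutil needs the same handling; a small shared helper for the conversion would keep them consistent.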
-- 
2.1.0
