Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
On 23.1.2015 at 10:13, Martin Basti wrote:
> On 23/01/15 08:04, Jan Cholasta wrote:
>> Hi,
>>
>> On 21.1.2015 at 13:39, Martin Basti wrote:
>>> Patch 188 catch ldap exceptions to prevent false positive abrt reports
>>> Patch 187 fixes issues with removing root zone
>>>
>>> Patches attached.
>>
>> Patch 187:
>>
>> Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, instead of any LDAPError?
>
> These are expected during IPA restart/start etc. Other ldap exceptions should not happen, so we can get abrt reports from users, if something is wrong.

Makes sense.

>> Patch 188:
>>
>> IMO it would be slightly better to do it like this:
>>
>> -name = name.relativize(dns.name.root) +if name != dns.name.root: +name = name.relativize(dns.name.root)
>
> This will not work. There is relativization for some zones before this step. I will try to clean the mess I found now in a new patch.

Please do. It's an ACK then. Is this supposed to go in ipa-4-1 too or is it master only?

--
Jan Cholasta
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
On 23.1.2015 at 10:25, Martin Basti wrote:
> On 23/01/15 10:23, Jan Cholasta wrote:
>> On 23.1.2015 at 10:13, Martin Basti wrote:
>>> On 23/01/15 08:04, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 21.1.2015 at 13:39, Martin Basti wrote:
>>>>> Patch 188 catch ldap exceptions to prevent false positive abrt reports
>>>>> Patch 187 fixes issues with removing root zone
>>>>>
>>>>> Patches attached.
>>>>
>>>> Patch 187:
>>>>
>>>> Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, instead of any LDAPError?
>>>
>>> These are expected during IPA restart/start etc. Other ldap exceptions should not happen, so we can get abrt reports from users, if something is wrong.
>>
>> Makes sense.
>>
>>>> Patch 188:
>>>>
>>>> IMO it would be slightly better to do it like this:
>>>>
>>>> -name = name.relativize(dns.name.root) +if name != dns.name.root: +name = name.relativize(dns.name.root)
>>>
>>> This will not work. There is relativization for some zones before this step. I will try to clean the mess I found now in a new patch.
>>
>> Please do. It's an ACK then. Is this supposed to go in ipa-4-1 too or is it master only?
>
> Both please, thank you.

Pushed to:
master: 46c12159e6c27082e7bc46e96d3738eea68dba91
ipa-4-1: 64cf3071ca908b22e5ad402585d9690c1a7fc518

--
Jan Cholasta
Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
On 23/01/15 08:04, Jan Cholasta wrote:
> Hi,
>
> On 21.1.2015 at 13:39, Martin Basti wrote:
>> Patch 188 catch ldap exceptions to prevent false positive abrt reports
>> Patch 187 fixes issues with removing root zone
>>
>> Patches attached.
>
> Patch 187:
>
> Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, instead of any LDAPError?

These are expected during IPA restart/start etc. Other ldap exceptions should not happen, so we can get abrt reports from users, if something is wrong.

> Patch 188:
>
> IMO it would be slightly better to do it like this:
>
> -name = name.relativize(dns.name.root) +if name != dns.name.root: +name = name.relativize(dns.name.root)

This will not work. There is relativization for some zones before this step. I will try to clean the mess I found now in a new patch.

> Honza

--
Martin Basti
Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
On 23/01/15 10:23, Jan Cholasta wrote:
> On 23.1.2015 at 10:13, Martin Basti wrote:
>> On 23/01/15 08:04, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 21.1.2015 at 13:39, Martin Basti wrote:
>>>> Patch 188 catch ldap exceptions to prevent false positive abrt reports
>>>> Patch 187 fixes issues with removing root zone
>>>>
>>>> Patches attached.
>>>
>>> Patch 187:
>>>
>>> Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, instead of any LDAPError?
>>
>> These are expected during IPA restart/start etc. Other ldap exceptions should not happen, so we can get abrt reports from users, if something is wrong.
>
> Makes sense.
>
>>> Patch 188:
>>>
>>> IMO it would be slightly better to do it like this:
>>>
>>> -name = name.relativize(dns.name.root) +if name != dns.name.root: +name = name.relativize(dns.name.root)
>>
>> This will not work. There is relativization for some zones before this step. I will try to clean the mess I found now in a new patch.
>
> Please do. It's an ACK then. Is this supposed to go in ipa-4-1 too or is it master only?

Both please, thank you.

--
Martin Basti
Re: [Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
Hi,

On 21.1.2015 at 13:39, Martin Basti wrote:
> Patch 188 catch ldap exceptions to prevent false positive abrt reports
> Patch 187 fixes issues with removing root zone
>
> Patches attached.

Patch 187:

Is there a reason only SERVER_DOWN and CONNECT_ERROR are handled, instead of any LDAPError?

Patch 188:

IMO it would be slightly better to do it like this:

-name = name.relativize(dns.name.root) +if name != dns.name.root: +name = name.relativize(dns.name.root)

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
Patch 188 catch ldap exceptions to prevent false positive abrt reports Patch 187 fixes issues with removing root zone Patches attached. -- Martin Basti From baed3cbcc9d4cf1768a7f2eff96e9d0943bfc578 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 21 Jan 2015 13:32:44 +0100 Subject: [PATCH] DNSSEC catch ldap exceptions in ipa-dnskeysyncd Server down exception causes lot of false positive abrt reports. --- daemons/dnssec/ipa-dnskeysyncd | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd index c7475bd65ba7ad38af99f2e8c3ae3bc8837f2c9b..e184d88b47ff7c7224c71057807e447e4b5e9e12 100755 --- a/daemons/dnssec/ipa-dnskeysyncd +++ b/daemons/dnssec/ipa-dnskeysyncd @@ -102,5 +102,9 @@ while watcher_running: filterstr=ldap_url.filterstr ) -while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): -pass +try: +while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): +pass +except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e: +log.exception('syncrepl_poll: LDAP error (%s)', e) +sys.exit(1) -- 2.1.0 From b47299085fd04bb8ccc99e47b2a0e33d52fd1e8a Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 21 Jan 2015 12:19:17 +0100 Subject: [PATCH] DNSSEC: fix root zone dns name conversion Root zone was represented as '@', which was incorrect. ksmutil did not accept it. Now root zone is represented as '.' --- ipapython/dnssec/odsmgr.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py index a91b6c553d9ab7364258bd1ca24d236a3994ec6d..ed17351cad4db28caed2623aa4bec145d5bc4414 100644 --- a/ipapython/dnssec/odsmgr.py +++ b/ipapython/dnssec/odsmgr.py 
@@ -145,6 +145,9 @@ class ODSMgr(object): def del_ods_zone(self, name): # ods-ksmutil blows up if zone name has period at the end name = name.relativize(dns.name.root) +# detect if name is root zone +if name == dns.name.empty: +name = dns.name.root cmd = ['zone', 'delete', '--zone', str(name)] output = self.ksmutil(cmd) self.log.info(output) -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
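Review bot: in the daemons/dnssec/ipa-dnskeysyncd hunk, the new except branch calls log.exception for ldap.SERVER_DOWN and ldap.CONNECT_ERROR, which writes a full traceback for a condition the commit message treats as an expected false positive. Consider log.error with the same message so an ordinary server restart does not look like a crash in the logs, and add a short comment above the except line saying why only these two exceptions are caught, so a later change does not widen it to every LDAP error and hide real faults. The hunk does not show the imports, so confirm that sys is imported in this file before relying on sys.exit(1), and that whatever supervises the daemon restarts it after the non-zero exit, since this branch leaves the while watcher_running loop instead of retrying.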
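Review bot: in the ipapython/dnssec/odsmgr.py hunk, the existing comment "ods-ksmutil blows up if zone name has period at the end" now sits directly above code that deliberately passes '.' for the root zone, so the comment should say that the root zone is the one exception and that it is restored to dns.name.root after relativize returns dns.name.empty. The fix is local to del_ods_zone; if other methods of ODSMgr also relativize a name before handing str(name) to ksmutil, they need the same empty-name check, and moving the conversion into one helper would keep the root-zone rule in a single place.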