Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server

2015-06-25 Thread Petr Spacek
On 17.6.2015 13:37, Martin Basti wrote:
 On 17/06/15 13:26, Petr Spacek wrote:
 On 16.6.2015 15:40, Martin Basti wrote:
 On 05/06/15 12:54, Petr Spacek wrote:
 On 20.5.2015 18:00, Martin Basti wrote:
 This patch allows disabling the DNSSEC key master on an IPA server, or replacing
 the current DNSSEC key master with another IPA server.

 Only for master branch.

 https://fedorahosted.org/freeipa/ticket/4657

 Patches attached.
 NACK. This happens on DNSSEC key master:
 $ ipa-dns-install --disable-dnssec-master

 Do you want to disable current DNSSEC key master? [no]: yes
 Unexpected error - see /var/log/ipaserver-install.log for details:
 TypeError: sequence item 0: expected string, DNSName found
  2015-06-05T10:52:35Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
 733, in run_script
   return_value = main_function()

 File /sbin/ipa-dns-install, line 128, in main
   dns_installer.disable_dnssec_master(options.unattended)

 File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line
 112,
 in disable_dnssec_master
   , .join(dnssec_zones))

 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
 TypeError: sequence item 0: expected string, DNSName found

 Updated patches attached.

 Due to the new installers, more changes were required.
 Sorry, NACK, I'm not able to apply this patch set to current master
 (69607250b9762a6c9b657dd31653b03d54a7b411).

 Rebased patches attached.

NACK.


0) ipa-dns-install --replace-dnssec-master always puts the file into
/root/ipa-kasp.db.

It would be better to put it into the local working directory or /var/lib/ipa (as
with replica files).


1) I installed the DNSSEC key master role on vm-134, but the DNSSEC services were
not stopped by ipactl stop:

[root@vm-134 review]# ipactl stop
Stopping ipa-otpd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful

[root@vm-134 review]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-otpd Service
Starting ipa-ods-exporter Service
Starting ods-enforcerd Service
Starting ipa-dnskeysyncd Service

Subsequent ipactl stop worked fine, only the first one is affected.


2a) vm-134 was the original master. I ran this:

[root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

... and then attempted to install the master on vm-059:
[root@vm-059 review]# ipa-dns-install --dnssec-master

This command was accepted despite the missing --kasp-db option and the wrong
replica name.

It should error out and tell the user to run the command with the --kasp-db option.

Even better, we could get rid of the explicit replica name specification in the
--replace-dnssec-master option and allow running the installation with --kasp-db on
any replica, as long as the kasp.db file is provided.



2b) An attempt to move the DNSSEC key master from vm-134 to vm-090 *without*
specifying the --kasp-db option was accepted.

[root@vm-090 review]# ipa-dns-install --dnssec-master

As in case (2a), it should print what the user is supposed to do.

I propose the following text:

Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is being
moved to a different server.

You need to copy the kasp.db file from vm-134.abc.idm.lab.eng.brq.redhat.com and
run the following command to complete the transition:

# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db



3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
does not remove the ISMASTER option from the file /etc/sysconfig/ipa-dnskeysyncd.


4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

it is possible to run

[root@vm-134 review]# ipa-dns-install --dnssec-master

again without --kasp-db, and it is accepted.

Moreover, in this case the ipaConfigString NEW_DNSSEC_MASTER is not properly
removed from
cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.



5) The sequence of commands
[root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

[root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com

allows me to run
[root@vm-090 review]# ipa-dns-install --dnssec-master

without the --kasp-db option; it does not throw an error, and the information that
some other master existed somewhere is lost.

It would probably be better to replace this and use some global attribute
in cn=dns so that similar problems do not happen.



6) The migration itself seems to work and the KASP DB seems to work properly; however,
it is necessary to run the 'ods-ksmutil zonelist' command *before* all the daemons
on the new master are (re)started. This needs to be done to re-generate the file
/etc/opendnssec/zonelist.xml from the new
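Findings 2a, 2b, 4 and 5 in the review above all come down to one missing rule: `--dnssec-master` must not be accepted without `--kasp-db` while another server holds, or held until a moment ago, the key material, and the record of who holds it must not live on a server entry that `ipa-replica-manage del` can remove. The following is an added example, not FreeIPA's installer code: a stand-alone Python model of that rule. `DnssecState`, `Options`, `apply_options` and the two global state fields are assumptions made for this example; the global record stands in for the "global attribute in cn=dns" the review suggests, and the first two checks are the ones the posted patch hunk already contains.

```python
"""Added example, not FreeIPA code: option checks for moving a DNSSEC key
master, modelled against one deployment-wide record instead of per-server
entries.  All names here are assumptions made for this example."""

import os
from dataclasses import dataclass
from typing import Callable, Optional


class OptionError(ValueError):
    """Stands in for parser.error() in the real installer."""


@dataclass
class DnssecState:
    """Deployment-wide DNSSEC record (constructed; would live in cn=dns)."""
    key_master: Optional[str] = None   # host whose kasp.db holds the keys
    move_in_progress: bool = False     # --replace-dnssec-master was run there


@dataclass
class Options:
    dnssec_master: bool = False
    disable_dnssec_master: bool = False
    replace_dnssec_master: Optional[str] = None
    kasp_db_file: Optional[str] = None


def transition_hint(old_master: str) -> str:
    """The message proposed in the review for an incomplete move."""
    return (
        f"Current DNSSEC key master {old_master} is being moved to a "
        "different server.\nYou need to copy the kasp.db file from "
        f"{old_master} and run the following command to complete the "
        "transition:\n# ipa-dns-install --dnssec-master "
        "--kasp-db=/path/to/the/copied/kasp.db"
    )


def apply_options(opts: Options, state: DnssecState, this_host: str,
                  file_exists: Callable[[str], bool] = os.path.exists) -> str:
    """Validate the option combination against the global state, update the
    state on success and return the action taken; raise OptionError otherwise.
    The first two checks mirror the posted patch; the rest are the ones the
    review asks for."""
    if opts.disable_dnssec_master and opts.replace_dnssec_master:
        raise OptionError("You cannot specify a --disable-dnssec-master option "
                          "together with --replace-dnssec-master")
    if opts.kasp_db_file and not file_exists(opts.kasp_db_file):
        raise OptionError(f"File {opts.kasp_db_file} does not exist")
    # --kasp-db only makes sense when this host is becoming the master.
    if opts.kasp_db_file and not opts.dnssec_master:
        raise OptionError("--kasp-db can only be used with --dnssec-master")

    if opts.disable_dnssec_master or opts.replace_dnssec_master:
        if state.key_master != this_host:
            raise OptionError(f"{this_host} is not the DNSSEC key master")
        if opts.disable_dnssec_master:
            state.key_master = None
            state.move_in_progress = False
            return "disabled"
        if opts.replace_dnssec_master == this_host:
            raise OptionError("cannot replace the DNSSEC key master with itself")
        # The keys still live here until the new master imports them.  Keeping
        # that in the global record means deleting this replica later
        # (finding 5) cannot erase the fact that a kasp.db exists somewhere.
        state.move_in_progress = True
        return f"replace pending: {opts.replace_dnssec_master}"

    if opts.dnssec_master:
        if state.key_master is None:
            state.key_master = this_host          # fresh deployment: new keys
            return "new master: fresh kasp.db"
        if state.key_master == this_host and not state.move_in_progress:
            raise OptionError(f"{this_host} already is the DNSSEC key master")
        # Findings 2a, 2b and 4: keys exist elsewhere, or a move is pending on
        # this very host, so a copied kasp.db is mandatory.
        if not opts.kasp_db_file:
            raise OptionError(transition_hint(state.key_master))
        old = state.key_master
        state.key_master = this_host
        state.move_in_progress = False
        return f"took over from {old}"

    return "no DNSSEC change"
```

Because the record is global, the check on the new host does not depend on the old host's server entry still existing, which is what makes the `ipa-replica-manage del` sequence in finding 5 fail safely instead of silently producing a second, unrelated key set.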

Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server

2015-06-17 Thread Martin Basti

On 17/06/15 13:26, Petr Spacek wrote:

On 16.6.2015 15:40, Martin Basti wrote:

On 05/06/15 12:54, Petr Spacek wrote:

On 20.5.2015 18:00, Martin Basti wrote:

This patch allows disabling the DNSSEC key master on an IPA server, or replacing
the current DNSSEC key master with another IPA server.

Only for master branch.

https://fedorahosted.org/freeipa/ticket/4657

Patches attached.

NACK. This happens on DNSSEC key master:
$ ipa-dns-install --disable-dnssec-master

Do you want to disable current DNSSEC key master? [no]: yes
Unexpected error - see /var/log/ipaserver-install.log for details:
TypeError: sequence item 0: expected string, DNSName found
 
2015-06-05T10:52:35Z DEBUG   File

/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
733, in run_script
  return_value = main_function()

File /sbin/ipa-dns-install, line 128, in main
  dns_installer.disable_dnssec_master(options.unattended)

File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112,
in disable_dnssec_master
  , .join(dnssec_zones))

2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
TypeError: sequence item 0: expected string, DNSName found


Updated patches attached.

Due to the new installers, more changes were required.

Sorry, NACK, I'm not able to apply this patch set to current master
(69607250b9762a6c9b657dd31653b03d54a7b411).


Rebased patches attached.

--
Martin Basti

From 5f19362a7aa18e0a19f6871249e4a40d6052 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 13 May 2015 14:45:32 +0200
Subject: [PATCH 1/2] DNSSEC: allow to disable/replace DNSSEC key master

This commit allows replacing or disabling the DNSSEC key master

Replacing the DNSSEC master requires the user to copy the kasp.db file manually

ipa-dns-install:
--disable-dnssec-master  The DNSSEC master will be disabled
--replace-dnssec-master=IPA_SERVER  The DNSSEC master will be replaced by
IPA_SERVER (requires rerunning ipa-dns-install with appropriate options).
--dnssec-master --kasp-db=FILE  This configures a new DNSSEC master server; the kasp.db from the old server is required

https://fedorahosted.org/freeipa/ticket/4657
---
 install/tools/ipa-dns-install  |  18 +++
 ipaplatform/base/paths.py  |   1 +
 ipaserver/install/dns.py   | 240 -
 ipaserver/install/odsexporterinstance.py   |  12 +-
 ipaserver/install/opendnssecinstance.py|  69 +++--
 ipaserver/install/server/install.py|  23 +++
 ipaserver/install/server/replicainstall.py |  31 +++-
 7 files changed, 373 insertions(+), 21 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index fd9311657e813988310db2be604ca68d26936af5..0f640c3e85b1a5eb717be5082c2fdf030ec4eec5 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -61,6 +61,17 @@ def parse_options():
   help=DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN)
 parser.add_option(-U, --unattended, dest=unattended, action=store_true,
   default=False, help=unattended installation never prompts the user)
+parser.add_option(--disable-dnssec-master, dest=disable_dnssec_master,
+  action=store_true, default=False, help=Disable the 
+  DNSSEC master on this server)
+parser.add_option(--replace-dnssec-master, dest=replace_dnssec_master,
+  type=string, metavar=IPA_DNS_SERVER_HOSTNAME,
+  action=store, help=Replace the current DNSSEC master 
+  with the specified IPA server)
+parser.add_option(--kasp-db, dest=kasp_db_file, type=string,
+  metavar=FILE, action=store, help=Copy OpenDNSSEC 
+  metadata from the specified file (will not create a new 
+  kasp.db file))
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
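Review bot: the `parser.add_option(--replace-dnssec-master, ...)` call in this hunk stores a free-form `string` and nothing in `parse_options()` normalizes or validates the hostname, so a typo or a name that is not an IPA server is recorded as the new master and only surfaces when the takeover fails later; the review in this thread reports exactly that a wrong replica name was accepted. Either normalize the value (lowercase, no trailing dot) and reject names that are not IPA servers before storing it, or, as the review suggests, drop the explicit replica name and key the takeover on `--kasp-db` alone.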
@@ -70,10 +81,17 @@ def parse_options():
 elif options.reverse_zones and options.no_reverse:
 parser.error(You cannot specify a --reverse-zone option together with --no-reverse)
 
+if options.disable_dnssec_master and options.replace_dnssec_master:
+parser.error(You cannot specify a --disable-dnssec-master option 
+ together with --replace-dnssec-master)
+
 if options.unattended:
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
+if options.kasp_db_file and not ipautil.file_exists(options.kasp_db_file):
+parser.error(File %s does not exist % options.kasp_db_file)
+
 if options.dm_password:
 print (WARNING: Option -p/--ds-password is deprecated 
and should not be used anymore.)
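Review bot: the new combination checks in this hunk are incomplete: `--kasp-db` is accepted without `--dnssec-master`, where it has no effect, and neither `--disable-dnssec-master` nor `--replace-dnssec-master` is rejected when combined with `--dnssec-master`. Both belong in the block that starts `if options.disable_dnssec_master and options.replace_dnssec_master:`. The `ipautil.file_exists(options.kasp_db_file)` check only tests presence; since the installer has to read the file, also checking readability (for example `os.access(path, os.R_OK)`) gives an earlier and clearer error than a failure deep in the install. The hunk does not show an import of `ipautil`; confirm the script already imports it.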
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 

Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server

2015-06-17 Thread Petr Spacek
On 16.6.2015 15:40, Martin Basti wrote:
 On 05/06/15 12:54, Petr Spacek wrote:
 On 20.5.2015 18:00, Martin Basti wrote:
 This patch allows disabling the DNSSEC key master on an IPA server, or replacing
 the current DNSSEC key master with another IPA server.

 Only for master branch.

 https://fedorahosted.org/freeipa/ticket/4657

 Patches attached.
 NACK. This happens on DNSSEC key master:
 $ ipa-dns-install --disable-dnssec-master

 Do you want to disable current DNSSEC key master? [no]: yes
 Unexpected error - see /var/log/ipaserver-install.log for details:
 TypeError: sequence item 0: expected string, DNSName found
 
 2015-06-05T10:52:35Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
 733, in run_script
  return_value = main_function()

File /sbin/ipa-dns-install, line 128, in main
  dns_installer.disable_dnssec_master(options.unattended)

File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 
 112,
 in disable_dnssec_master
  , .join(dnssec_zones))

 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
 TypeError: sequence item 0: expected string, DNSName found

 Updated patches attached.
 
 Due to the new installers, more changes were required.

Sorry, NACK, I'm not able to apply this patch set to current master
(69607250b9762a6c9b657dd31653b03d54a7b411).

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
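The TypeError quoted in this message comes from `", ".join(dnssec_zones)` being handed DNS name objects rather than strings: `str.join()` requires every item to already be a `str` and never calls `__str__` for you. The following is an added example, not FreeIPA's code; `ZoneName` is a constructed stand-in for a DNS name object (not ipapython's `DNSName`), and `join_zones_broken`, `join_zones` and `describe_failure` are names chosen for this example.

```python
"""Added example, not FreeIPA code: reproduce the str.join() TypeError from
the traceback above and show the fix.  ZoneName is a constructed stand-in
for a DNS name object."""


class ZoneName:
    """Constructed DNS name object: it has __str__ but is not a str subclass,
    which is exactly what str.join() refuses to accept."""

    def __init__(self, name: str):
        self.labels = tuple(name.rstrip(".").split("."))

    def __str__(self) -> str:
        return ".".join(self.labels) + "."


def join_zones_broken(zones):
    """Shape of the failing call: items must already be str, so a list of
    name objects raises TypeError."""
    return ", ".join(zones)


def join_zones(zones):
    """Fixed call: convert every item explicitly before joining."""
    return ", ".join(str(zone) for zone in zones)


def describe_failure(zones):
    """Return the error message the broken version produces, or None if it
    happens to work (e.g. when every item already is a str)."""
    try:
        join_zones_broken(zones)
    except TypeError as exc:
        return str(exc)
    return None
```

The explicit `str(zone)` is the safe fix because it also works when the list already contains plain strings, so the same code path serves both the absolute-name objects the installer gets from LDAP and any string input a caller passes.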


Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server

2015-06-16 Thread Martin Basti

On 05/06/15 12:54, Petr Spacek wrote:

On 20.5.2015 18:00, Martin Basti wrote:

This patch allows disabling the DNSSEC key master on an IPA server, or replacing
the current DNSSEC key master with another IPA server.

Only for master branch.

https://fedorahosted.org/freeipa/ticket/4657

Patches attached.

NACK. This happens on DNSSEC key master:
$ ipa-dns-install --disable-dnssec-master

Do you want to disable current DNSSEC key master? [no]: yes
Unexpected error - see /var/log/ipaserver-install.log for details:
TypeError: sequence item 0: expected string, DNSName found

2015-06-05T10:52:35Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
733, in run_script
 return_value = main_function()

   File /sbin/ipa-dns-install, line 128, in main
 dns_installer.disable_dnssec_master(options.unattended)

   File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112,
in disable_dnssec_master
 , .join(dnssec_zones))

2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception:
TypeError: sequence item 0: expected string, DNSName found


Updated patches attached.

Due to the new installers, more changes were required.

--
Martin Basti

From 6a9488489786215500af1d0a706380f296999ea0 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 13 May 2015 14:45:32 +0200
Subject: [PATCH 1/2] DNSSEC: allow to disable/replace DNSSEC key master

This commit allows replacing or disabling the DNSSEC key master

Replacing the DNSSEC master requires the user to copy the kasp.db file manually

ipa-dns-install:
--disable-dnssec-master  The DNSSEC master will be disabled
--replace-dnssec-master=IPA_SERVER  The DNSSEC master will be replaced by
IPA_SERVER (requires rerunning ipa-dns-install with appropriate options).
--dnssec-master --kasp-db=FILE  This configures a new DNSSEC master server; the kasp.db from the old server is required

https://fedorahosted.org/freeipa/ticket/4657
---
 install/tools/ipa-dns-install  |  18 +++
 ipaplatform/base/paths.py  |   1 +
 ipaserver/install/dns.py   | 240 -
 ipaserver/install/odsexporterinstance.py   |  12 +-
 ipaserver/install/opendnssecinstance.py|  69 +++--
 ipaserver/install/server/install.py|  23 +++
 ipaserver/install/server/replicainstall.py |  31 +++-
 7 files changed, 373 insertions(+), 21 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index fd9311657e813988310db2be604ca68d26936af5..0f640c3e85b1a5eb717be5082c2fdf030ec4eec5 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -61,6 +61,17 @@ def parse_options():
   help=DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN)
 parser.add_option(-U, --unattended, dest=unattended, action=store_true,
   default=False, help=unattended installation never prompts the user)
+parser.add_option(--disable-dnssec-master, dest=disable_dnssec_master,
+  action=store_true, default=False, help=Disable the 
+  DNSSEC master on this server)
+parser.add_option(--replace-dnssec-master, dest=replace_dnssec_master,
+  type=string, metavar=IPA_DNS_SERVER_HOSTNAME,
+  action=store, help=Replace the current DNSSEC master 
+  with the specified IPA server)
+parser.add_option(--kasp-db, dest=kasp_db_file, type=string,
+  metavar=FILE, action=store, help=Copy OpenDNSSEC 
+  metadata from the specified file (will not create a new 
+  kasp.db file))
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
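Review bot: the help text for `--replace-dnssec-master` in this hunk does not tell the administrator what has to happen next, although the commit message says a rerun of ipa-dns-install is required: the help string should say that the kasp.db must be copied to the named server and `ipa-dns-install --dnssec-master --kasp-db=FILE` run there. Likewise the `--kasp-db` help string (`Copy OpenDNSSEC metadata from the specified file ...`) should state that the option is only used together with `--dnssec-master`, since nothing in `parse_options()` rejects it on its own.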
@@ -70,10 +81,17 @@ def parse_options():
 elif options.reverse_zones and options.no_reverse:
 parser.error(You cannot specify a --reverse-zone option together with --no-reverse)
 
+if options.disable_dnssec_master and options.replace_dnssec_master:
+parser.error(You cannot specify a --disable-dnssec-master option 
+ together with --replace-dnssec-master)
+
 if options.unattended:
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
+if options.kasp_db_file and not ipautil.file_exists(options.kasp_db_file):
+parser.error(File %s does not exist % options.kasp_db_file)
+
 if options.dm_password:
 print (WARNING: Option -p/--ds-password is deprecated 
and should not be used anymore.)
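Review bot: `parser.error(File %s does not exist % options.kasp_db_file)` covers only the case where `--kasp-db` was given; the converse is missing: nothing requires `--kasp-db` when `--dnssec-master` is requested on a server that is taking over from a replaced master, so the takeover proceeds without the old server's key material (the `--kasp-db` help text itself says a new kasp.db is created otherwise). Whether another master exists is not known at option-parsing time, so that check belongs in the installer step that handles `--dnssec-master`, with an error message telling the user to copy kasp.db and rerun with `--kasp-db`; flagging it here so it is not lost.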
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e6b19181929b54f6d83701a0fdbc3c4a54364082..b8c27f09d6812982a38d26ef596c0539cb1b8a8b 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -143,6 +143,7 @@ class BasePathNamespace(object):
 KRA_AGENT_PEM = /etc/httpd/alias/kra-agent.pem