Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
On 17.6.2015 13:37, Martin Basti wrote: On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). Rebased patches attached. NACK. 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db. It would be better to put it into local working directory or /var/lib/ipa (as with replica files). 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop: [root@vm-134 review]# ipactl stop Stopping ipa-otpd Service Stopping httpd Service Stopping ipa_memcached Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service ipa: INFO: The ipactl command was successful [root@vm-134 review]# ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting ipa-otpd Service Starting ipa-ods-exporter Service Starting ods-enforcerd Service Starting ipa-dnskeysyncd Service Subsequent ipactl stop worked fine, only the first one is affected. 2a) vm-134 was the original master. I ran this: [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com ... and then attempted to install master to vm-059: [root@vm-059 review]# ipa-dns-install --dnssec-master This command was accepted despite of missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with --kasp-db option. Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided. 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted. [root@vm-090 review]# ipa-dns-install --dnssec-master As in case (2a), it should print what user is supposed to do. I propose following text: Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is being moved to different server. You need to copy kasp.db file from vm-134.abc.idm.lab.eng.brq.redhat.com and run following command to complete the transition: # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com it is possible to run [root@vm-134 review]# ipa-dns-install --dnssec-master again without --kasp-db and it is accepted. Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. 5) Sequence of commands [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com allows me to run [root@vm-090 review]# ipa-dns-install --dnssec-master without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost. It would be probably better to replace this and to use some global attribute in cn=dns so similar problems do not happen. 6) The migration itself seems to work, KASP DB seems to work properly, however it is necessary to run 'ods-ksmutil zonelist' command *before* all the daemons on the new master are (re)started. This needs do be done to re-generate file /etc/opendnssec/zonelist.xml from the new
Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). Rebased patches attached. -- Martin Basti From 5f19362a7aa18e0a19f6871249e4a40d6052 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 13 May 2015 14:45:32 +0200 Subject: [PATCH 1/2] DNSSEC: allow to disable/replace DNSSEC key master This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --replace-dnssec-master=IPA_SERVER DNSSEC master will be replaced, by IPA_SERVER (required to rerun ipa-dns-install wit appropriate options). --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required https://fedorahosted.org/freeipa/ticket/4657 --- install/tools/ipa-dns-install | 18 +++ ipaplatform/base/paths.py | 1 + ipaserver/install/dns.py | 240 - ipaserver/install/odsexporterinstance.py | 12 +- ipaserver/install/opendnssecinstance.py| 69 +++-- ipaserver/install/server/install.py| 23 +++ ipaserver/install/server/replicainstall.py | 31 +++- 7 files changed, 373 insertions(+), 21 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index fd9311657e813988310db2be604ca68d26936af5..0f640c3e85b1a5eb717be5082c2fdf030ec4eec5 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -61,6 +61,17 @@ def parse_options(): help=DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN) parser.add_option(-U, --unattended, dest=unattended, action=store_true, default=False, help=unattended installation never prompts the user) +parser.add_option(--disable-dnssec-master, dest=disable_dnssec_master, + action=store_true, default=False, help=Disable the + DNSSEC master on this server) +parser.add_option(--replace-dnssec-master, dest=replace_dnssec_master, + type=string, metavar=IPA_DNS_SERVER_HOSTNAME, + action=store, help=Replace the current DNSSEC master + with the specified IPA server) +parser.add_option(--kasp-db, dest=kasp_db_file, type=string, + metavar=FILE, action=store, help=Copy OpenDNSSEC + metadata from the specified file (will not create a new + kasp.db file)) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -70,10 +81,17 @@ def parse_options(): elif options.reverse_zones and options.no_reverse: parser.error(You cannot specify a --reverse-zone option together with --no-reverse) +if options.disable_dnssec_master and options.replace_dnssec_master: +parser.error(You cannot specify a --disable-dnssec-master option + together with --replace-dnssec-master) + if options.unattended: if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) +if options.kasp_db_file and not ipautil.file_exists(options.kasp_db_file): +parser.error(File %s does not exist % options.kasp_db_file) + if options.dm_password: print (WARNING: Option -p/--ds-password is deprecated and should not be used anymore.) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index
Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. -- Martin Basti From 6a9488489786215500af1d0a706380f296999ea0 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 13 May 2015 14:45:32 +0200 Subject: [PATCH 1/2] DNSSEC: allow to disable/replace DNSSEC key master This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --replace-dnssec-master=IPA_SERVER DNSSEC master will be replaced, by IPA_SERVER (required to rerun ipa-dns-install wit appropriate options). --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required https://fedorahosted.org/freeipa/ticket/4657 --- install/tools/ipa-dns-install | 18 +++ ipaplatform/base/paths.py | 1 + ipaserver/install/dns.py | 240 - ipaserver/install/odsexporterinstance.py | 12 +- ipaserver/install/opendnssecinstance.py| 69 +++-- ipaserver/install/server/install.py| 23 +++ ipaserver/install/server/replicainstall.py | 31 +++- 7 files changed, 373 insertions(+), 21 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index fd9311657e813988310db2be604ca68d26936af5..0f640c3e85b1a5eb717be5082c2fdf030ec4eec5 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -61,6 +61,17 @@ def parse_options(): help=DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN) parser.add_option(-U, --unattended, dest=unattended, action=store_true, default=False, help=unattended installation never prompts the user) +parser.add_option(--disable-dnssec-master, dest=disable_dnssec_master, + action=store_true, default=False, help=Disable the + DNSSEC master on this server) +parser.add_option(--replace-dnssec-master, dest=replace_dnssec_master, + type=string, metavar=IPA_DNS_SERVER_HOSTNAME, + action=store, help=Replace the current DNSSEC master + with the specified IPA server) +parser.add_option(--kasp-db, dest=kasp_db_file, type=string, + metavar=FILE, action=store, help=Copy OpenDNSSEC + metadata from the specified file (will not create a new + kasp.db file)) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -70,10 +81,17 @@ def parse_options(): elif options.reverse_zones and options.no_reverse: parser.error(You cannot specify a --reverse-zone option together with --no-reverse) +if options.disable_dnssec_master and options.replace_dnssec_master: +parser.error(You cannot specify a --disable-dnssec-master option + together with --replace-dnssec-master) + if options.unattended: if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) +if options.kasp_db_file and not ipautil.file_exists(options.kasp_db_file): +parser.error(File %s does not exist % options.kasp_db_file) + if options.dm_password: print (WARNING: Option -p/--ds-password is deprecated and should not be used anymore.) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index e6b19181929b54f6d83701a0fdbc3c4a54364082..b8c27f09d6812982a38d26ef596c0539cb1b8a8b 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -143,6 +143,7 @@ class BasePathNamespace(object): KRA_AGENT_PEM = /etc/httpd/alias/kra-agent.pem