Fix named.conf update bug NAMED_DNSSEC_VALIDATION

Commit a5cbdb57e5 introduced a bug when updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template variable was not declared. Fixes: https://pagure.io/freeipa/issue/8363 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-06-09 15:08:20 +02:00 · 2020-06-09 15:08:20 +02:00 · 379b560c75
commit 379b560c75
parent e6fda6f0fb
3 changed files with 44 additions and 1 deletions
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -594,6 +594,15 @@ def named_add_ipa_ext_conf_file():
        logger.info('DNS is not configured.')
        return False

+    # migrate value from named.conf
+    dnssec_validation = bindinstance.named_conf_get_directive(
+        "dnssec-validation",
+        bindinstance.NAMED_SECTION_OPTIONS,
+        str_val=False
+    )
+    if dnssec_validation is None:
+        dnssec_validation = "yes"
+
    tasks = [
        bindinstance.named_add_ext_conf_file(
            paths.NAMED_CUSTOM_CFG_SRC,
@ -601,7 +610,10 @@ def named_add_ipa_ext_conf_file():
        ),
        bindinstance.named_add_ext_conf_file(
            paths.NAMED_CUSTOM_OPTIONS_CFG_SRC,
-            paths.NAMED_CUSTOM_OPTIONS_CONFIG
+            paths.NAMED_CUSTOM_OPTIONS_CONFIG,
+            dict(
+                NAMED_DNSSEC_VALIDATION=dnssec_validation
+            )
        )
    ]

--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@ -286,3 +286,15 @@ jobs:
        template: *ci-master-latest
        timeout: 3600
        topology: *master_1repl_1client
+
+  fedora-latest/test_upgrade:
+    requires: [fedora-latest/build]
+    priority: 100
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-latest/build_url}'
+        test_suite: test_integration/test_upgrade.py
+        template: *ci-master-latest
+        timeout: 3600
+        topology: *master_1repl
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@ -8,6 +8,8 @@ Module provides tests to verify that the upgrade script works.

 import base64
 from cryptography.hazmat.primitives import serialization
+
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@ -65,3 +67,20 @@ class TestUpgrade(IntegrationTest):
        except ValueError:
            raise AssertionError('%s contains a double-encoded cert'
                                 % entry.dn)
+
+    def test_update_named_conf(self):
+        tasks.install_dns(self.master)
+        # remove files to force a migration
+        self.master.run_command(
+            [
+                "rm",
+                "-f",
+                paths.NAMED_CUSTOM_CONFIG,
+                paths.NAMED_CUSTOM_OPTIONS_CONFIG,
+            ]
+        )
+        self.master.run_command(['ipa-server-upgrade'])
+        txt = self.master.get_file_contents(
+            paths.NAMED_CUSTOM_OPTIONS_CONFIG, encoding="utf-8"
+        )
+        assert "dnssec-validation yes;" in txt