DNS Locations: use dns_update_service_records in installers
use the dns_update_system_records command to set proper DNS records https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
parent
e23159596e
commit
45a9326574
@ -286,7 +286,7 @@ def del_master(realm, hostname, options):
|
||||
if bindinstance.dns_container_exists(options.host, api.env.basedn,
|
||||
dm_password=options.dirman_passwd):
|
||||
bind = bindinstance.BindInstance()
|
||||
bind.remove_ipa_ca_dns_records(hostname, realm.lower())
|
||||
bind.update_system_records()
|
||||
except Exception as e:
|
||||
print("Failed to cleanup %s DNS entries: %s" % (hostname, e))
|
||||
print("You may need to manually remove them from the tree")
|
||||
|
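Review bot: The `bind.update_system_records()` call that replaces `bind.remove_ipa_ca_dns_records(...)` now sits inside the same `try` whose handler prints "Failed to cleanup %s DNS entries" and "You may need to manually remove them from the tree"; an LDAP or API error raised while regenerating the system records would be reported as entries that need manual removal, which is the opposite of what happened. Consider giving the update its own `try`/`except` with a message such as `print("Failed to update DNS system records: %s" % e)`, or widening the existing message to cover both outcomes. `update_system_records()` itself only catches the unmanaged-domain case internally (see the bindinstance hunk), so other exceptions do reach this handler. `del_master` continues outside this hunk.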
@ -898,7 +898,6 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options):
|
||||
dm_password=options.dirman_passwd):
|
||||
bind = bindinstance.BindInstance()
|
||||
bind.remove_master_dns_records(hostname, realm, realm.lower())
|
||||
bind.remove_ipa_ca_dns_records(hostname, realm.lower())
|
||||
bind.remove_server_ns_records(hostname)
|
||||
|
||||
keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
|
||||
|
@ -30,6 +30,10 @@ import time
|
||||
import ldap
|
||||
import six
|
||||
|
||||
from ipaserver.dns_data_management import (
|
||||
IPASystemRecords,
|
||||
IPADomainIsNotManagedByIPAError,
|
||||
)
|
||||
from ipaserver.install import installutils
|
||||
from ipaserver.install import service
|
||||
from ipaserver.install import sysupgrade
|
||||
@ -692,7 +696,6 @@ class BindInstance(service.Service):
|
||||
self.step("setting up records for other masters", self.__add_others)
|
||||
# all zones must be created before this step
|
||||
self.step("adding NS record to the zones", self.__add_self_ns)
|
||||
self.step("setting up CA record", self.__add_ipa_ca_record)
|
||||
|
||||
self.step("setting up kerberos principal", self.__setup_principal)
|
||||
self.step("setting up named.conf", self.__setup_named_conf)
|
||||
@ -858,15 +861,7 @@ class BindInstance(service.Service):
|
||||
else:
|
||||
host_in_rr = normalize_zone(fqdn)
|
||||
|
||||
srv_records = (
|
||||
("_ldap._tcp", "0 100 389 %s" % host_in_rr),
|
||||
("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
|
||||
("_kerberos._udp", "0 100 88 %s" % host_in_rr),
|
||||
("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
|
||||
("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
|
||||
("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
|
||||
("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
|
||||
)
|
||||
srv_records = ()
|
||||
if self.ntp:
|
||||
srv_records += (
|
||||
("_ntp._udp", "0 100 123 %s" % host_in_rr),
|
||||
@ -916,63 +911,6 @@ class BindInstance(service.Service):
|
||||
root_logger.debug("Adding DNS records for master %s" % fqdn)
|
||||
self.__add_master_records(fqdn, addrs)
|
||||
|
||||
def __add_ipa_ca_records(self, fqdn, addrs, ca_configured):
|
||||
if ca_configured is False:
|
||||
root_logger.debug("CA is not configured")
|
||||
return
|
||||
elif ca_configured is None:
|
||||
# we do not know if CA is configured for this host and we can
|
||||
# add the CA record. So we need to find out
|
||||
root_logger.debug("Check if CA is enabled for this host")
|
||||
base_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
|
||||
('cn', 'etc'), self.api.env.basedn)
|
||||
ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
|
||||
try:
|
||||
self.api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn)
|
||||
except ipalib.errors.NotFound:
|
||||
root_logger.debug("CA is not configured")
|
||||
return
|
||||
else:
|
||||
root_logger.debug("CA is configured for this host")
|
||||
|
||||
try:
|
||||
for addr in addrs:
|
||||
add_fwd_rr(self.domain, IPA_CA_RECORD, addr, api=self.api)
|
||||
except errors.ValidationError:
|
||||
# there is a CNAME record in ipa-ca, we can't add A/AAAA records
|
||||
pass
|
||||
|
||||
def __add_ipa_ca_record(self):
|
||||
self.__add_ipa_ca_records(self.fqdn, self.ip_addresses,
|
||||
self.ca_configured)
|
||||
|
||||
if self.first_instance:
|
||||
ldap = self.api.Backend.ldap2
|
||||
try:
|
||||
entries = ldap.get_entries(
|
||||
DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
|
||||
self.api.env.basedn),
|
||||
ldap.SCOPE_SUBTREE, '(&(objectClass=ipaConfigObject)(cn=CA))',
|
||||
['dn'])
|
||||
except errors.NotFound:
|
||||
root_logger.debug('No server with CA found')
|
||||
entries = []
|
||||
|
||||
for entry in entries:
|
||||
fqdn = entry.dn[1]['cn']
|
||||
if fqdn == self.fqdn:
|
||||
continue
|
||||
|
||||
host, zone = fqdn.split('.', 1)
|
||||
if dns_zone_exists(zone, self.api):
|
||||
addrs = get_fwd_rr(zone, host, api=self.api)
|
||||
else:
|
||||
addrs = dnsutil.resolve_ip_addresses(fqdn)
|
||||
# hack, will go away with locations
|
||||
addrs = [str(addr) for addr in addrs]
|
||||
|
||||
self.__add_ipa_ca_records(fqdn, addrs, True)
|
||||
|
||||
def __setup_principal(self):
|
||||
dns_principal = "DNS/" + self.fqdn + "@" + self.realm
|
||||
installutils.kadmin_addprinc(dns_principal)
|
||||
@ -1088,28 +1026,14 @@ class BindInstance(service.Service):
|
||||
self.zonemgr = 'hostmaster.%s' % self.domain
|
||||
|
||||
self.__add_self()
|
||||
self.__add_ipa_ca_record()
|
||||
|
||||
def add_ipa_ca_dns_records(self, fqdn, domain_name, ca_configured=True):
|
||||
host, zone = fqdn.split(".", 1)
|
||||
if dns_zone_exists(zone, self.api):
|
||||
addrs = get_fwd_rr(zone, host, api=self.api)
|
||||
else:
|
||||
addrs = dnsutil.resolve_ip_addresses(fqdn)
|
||||
# hack, will go away with locations
|
||||
addrs = [str(addr) for addr in addrs]
|
||||
|
||||
self.domain = domain_name
|
||||
|
||||
self.__add_ipa_ca_records(fqdn, addrs, ca_configured)
|
||||
|
||||
def convert_ipa_ca_cnames(self, domain_name):
|
||||
def remove_ipa_ca_cnames(self, domain_name):
|
||||
# get ipa-ca CNAMEs
|
||||
cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
|
||||
if not cnames:
|
||||
return
|
||||
|
||||
root_logger.info('Converting IPA CA CNAME records to A/AAAA records')
|
||||
root_logger.info('Removing IPA CA CNAME records')
|
||||
|
||||
# create CNAME to FQDN mapping
|
||||
cname_fqdn = {}
|
||||
@ -1136,34 +1060,21 @@ class BindInstance(service.Service):
|
||||
fqdn = cname_fqdn[cname]
|
||||
if fqdn not in masters:
|
||||
root_logger.warning(
|
||||
"Cannot convert IPA CA CNAME records to A/AAAA records, "
|
||||
"please convert them manually if necessary")
|
||||
"Cannot remove IPA CA CNAME please remove them manually "
|
||||
"if necessary")
|
||||
return
|
||||
|
||||
# delete all CNAMEs
|
||||
for cname in cnames:
|
||||
del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api)
|
||||
|
||||
# add A/AAAA records
|
||||
for cname in cnames:
|
||||
fqdn = cname_fqdn[cname]
|
||||
self.add_ipa_ca_dns_records(fqdn, domain_name, None)
|
||||
|
||||
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
|
||||
host, zone = fqdn.split(".", 1)
|
||||
self.host = host
|
||||
self.fqdn = fqdn
|
||||
self.domain = domain_name
|
||||
suffix = ipautil.realm_to_suffix(realm_name)
|
||||
|
||||
resource_records = (
|
||||
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
|
||||
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
|
||||
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
|
||||
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
|
||||
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
|
||||
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
|
||||
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
|
||||
("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
|
||||
)
|
||||
|
||||
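Review bot: The new warning text `"Cannot remove IPA CA CNAME please remove them manually "` is missing the noun and a separator; suggest `"Cannot remove IPA CA CNAME records, please remove them manually "` followed by `"if necessary")`. Separately, with the `# add A/AAAA records` loop dropped, `remove_ipa_ca_cnames` now leaves the ipa-ca name with no records at all until something else re-creates them — presumably `update_system_records()`, which the upgrade caller runs right after — so a one-line comment at the end of the method stating that dependency (`# ipa-ca A/AAAA records are re-created by update_system_records()`) would keep future callers from invoking it alone. The early `return` on a non-master CNAME target also means a stale CNAME can survive; see the upgrade hunk for the consequence. Both `remove_ipa_ca_cnames` and `remove_master_dns_records` extend beyond this hunk.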
@ -1179,18 +1090,7 @@ class BindInstance(service.Service):
|
||||
record = get_reverse_record_name(rzone, rdata)
|
||||
del_rr(rzone, record, "PTR", normalize_zone(fqdn),
|
||||
api=self.api)
|
||||
|
||||
def remove_ipa_ca_dns_records(self, fqdn, domain_name):
|
||||
host, zone = fqdn.split(".", 1)
|
||||
if dns_zone_exists(zone, self.api):
|
||||
addrs = get_fwd_rr(zone, host, api=self.api)
|
||||
else:
|
||||
addrs = dnsutil.resolve_ip_addresses(fqdn)
|
||||
# hack, will go away with locations
|
||||
addrs = [str(addr) for addr in addrs]
|
||||
|
||||
for addr in addrs:
|
||||
del_fwd_rr(domain_name, IPA_CA_RECORD, addr, api=self.api)
|
||||
self.update_system_records()
|
||||
|
||||
def remove_server_ns_records(self, fqdn):
|
||||
"""
|
||||
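Review bot: From the line counts, `self.update_system_records()` is appended to the end of `remove_master_dns_records` while the whole `remove_ipa_ca_dns_records` method is deleted. The result of that update depends on ordering that is not visible here: if the server being removed is still present under cn=masters when this runs, the regeneration will re-create the very SRV and ipa-ca records the method just deleted, and if any of the preceding `del_rr` calls raises, the update never runs. A comment above the call stating the precondition would help, e.g. `# assumes the master's entry is already gone from cn=masters; otherwise its records are re-created here`. Callers that previously called `remove_ipa_ca_dns_records` directly will now fail with AttributeError — the two in-tree callers are updated in this commit, but the method was public. The enclosing method starts outside this hunk.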
@ -1224,6 +1124,28 @@ class BindInstance(service.Service):
|
||||
root_logger.debug("record %s in zone %s", record, zone)
|
||||
del_ns_rr(zone, record, ns_rdata, api=self.api)
|
||||
|
||||
def update_system_records(self):
|
||||
self.print_msg("Updating DNS system records")
|
||||
system_records = IPASystemRecords(self.api)
|
||||
try:
|
||||
(
|
||||
(_ipa_rec, failed_ipa_rec),
|
||||
(_loc_rec, failed_loc_rec)
|
||||
) = system_records.update_dns_records()
|
||||
except IPADomainIsNotManagedByIPAError:
|
||||
root_logger.error(
|
||||
"IPA domain is not managed by IPA, please update records "
|
||||
"manually")
|
||||
else:
|
||||
if failed_ipa_rec or failed_loc_rec:
|
||||
root_logger.error("Update of following records failed:")
|
||||
for attr in (failed_ipa_rec, failed_loc_rec):
|
||||
for rname, node, error in attr:
|
||||
for record, e in IPASystemRecords.records_list_from_node(
|
||||
rname, node
|
||||
):
|
||||
root_logger.error("%s (%s)", record, e)
|
||||
|
||||
def check_global_configuration(self):
|
||||
"""
|
||||
Check global DNS configuration in LDAP server and inform user when it
|
||||
|
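Review bot: In the failure-reporting loop of `update_system_records`, `error` unpacked from each failed entry is never logged; the innermost loop instead unpacks `record, e` from `IPASystemRecords.records_list_from_node(rname, node)` and logs `e`. If that helper yields plain record strings, as its name suggests, the two-way unpack raises ValueError exactly when there is a failure to report; if it yields pairs, the outer `error` is dead — either way the intent is clearer as `for record in IPASystemRecords.records_list_from_node(rname, node):` / `root_logger.error("%s (%s)", record, error)`. The method also lacks a docstring; one stating that it regenerates the IPA service and location records through IPASystemRecords, logs rather than raises when the domain is not managed by IPA or individual records fail, and lets any other exception propagate would help the installers that wrap it in a broad `except Exception`.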
@ -253,7 +253,7 @@ def install_step_1(standalone, replica_config, options):
|
||||
# Install CA DNS records
|
||||
if bindinstance.dns_container_exists(host_name, basedn, dm_password):
|
||||
bind = bindinstance.BindInstance(dm_password=dm_password)
|
||||
bind.add_ipa_ca_dns_records(host_name, domain_name)
|
||||
bind.update_system_records()
|
||||
|
||||
|
||||
def uninstall():
|
||||
|
@ -359,6 +359,9 @@ def install(standalone, replica, options, api=api):
|
||||
dnskeysyncd.start_dnskeysyncd()
|
||||
bind.start_named()
|
||||
|
||||
# this must be done when bind is started and operational
|
||||
bind.update_system_records()
|
||||
|
||||
if standalone:
|
||||
print("==============================================================================")
|
||||
print("Setup complete")
|
||||
|
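Review bot: `bind.update_system_records()` reports an unmanaged domain or failed records only via `root_logger.error`, and the installer then unconditionally prints `Setup complete`; a server missing its SRV records is hard to diagnose afterwards, so consider surfacing the outcome here (a `print_msg` after the call when records failed) or having the method return whether any record failed so the caller can decide. The new comment `# this must be done when bind is started and operational` states the ordering but not the reason; if the records are written through the LDAP-backed zone, say which part of the update actually needs named running, since a reader will otherwise assume the API call itself talks to named. `install` continues outside this hunk.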
@ -840,9 +840,11 @@ def install(installer):
|
||||
if config.setup_ca:
|
||||
services.knownservices['pki_tomcatd'].restart('pki-tomcat')
|
||||
|
||||
api.Backend.ldap2.connect(autobind=True)
|
||||
if options.setup_dns:
|
||||
api.Backend.ldap2.connect(autobind=True)
|
||||
dns.install(False, True, options)
|
||||
else:
|
||||
api.Command.dns_update_system_records()
|
||||
|
||||
# Restart httpd to pick up the new IPA configuration
|
||||
service.print_msg("Restarting the web server")
|
||||
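Review bot: `api.Command.dns_update_system_records()` is called for its side effect and its result is discarded, whereas the `setup_dns` branch goes through `BindInstance.update_system_records()`, which logs every record that failed to update; if the command reports failures in its result or messages, they are lost on this path. Consider capturing the return value and logging any reported failures, or reusing the BindInstance helper so both branches report the same way. The same pattern appears in `promote` in the next hunk. Moving `api.Backend.ldap2.connect(autobind=True)` ahead of the branch is required by the new `else` path and looks correct; `install` continues outside this hunk.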
@ -1469,9 +1471,11 @@ def promote(installer):
|
||||
server_api.bootstrap(in_server=True, context='installer')
|
||||
server_api.finalize()
|
||||
|
||||
server_api.Backend.ldap2.connect(autobind=True)
|
||||
if options.setup_dns:
|
||||
server_api.Backend.ldap2.connect(autobind=True)
|
||||
dns.install(False, True, options, server_api)
|
||||
else:
|
||||
server_api.Command.dns_update_system_records()
|
||||
|
||||
# Everything installed properly, activate ipa service.
|
||||
services.knownservices.ipa.enable()
|
||||
|
@ -1105,12 +1105,9 @@ def add_ca_dns_records():
|
||||
|
||||
bind = bindinstance.BindInstance()
|
||||
|
||||
bind.convert_ipa_ca_cnames(api.env.domain)
|
||||
bind.remove_ipa_ca_cnames(api.env.domain)
|
||||
|
||||
# DNS is enabled, so let bindinstance find out if CA is enabled
|
||||
# and let it add the record in that case
|
||||
bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
|
||||
ca_configured=None)
|
||||
bind.update_system_records()
|
||||
|
||||
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
|
||||
|
||||
|
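Review bot: When `remove_ipa_ca_cnames` returns early because a CNAME target is not a master, the following `bind.update_system_records()` will attempt to add ipa-ca A/AAAA records next to the surviving CNAME; the removed `__add_ipa_ca_records` handled that case explicitly with `except errors.ValidationError`, whereas now it presumably appears only as a logged failed record, and `sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)` is still set, so the step is never retried on a later upgrade. Consider setting the upgrade state only when the CNAME removal completed, or at least adding a comment before the `update_system_records()` call noting that a leftover CNAME is expected to surface as a failed record that must be fixed manually. `add_ca_dns_records` starts outside this hunk.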