From 52590d6fa581e3b53e2c9350dc307a1f360c40a3 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Mon, 13 Jun 2016 20:41:24 +0200
Subject: [PATCH] DNS Locations: dnsserver: put server_id option into named.conf

The option server_id is required for DNS location feature, otherwise it will not work.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek
Reviewed-By: Jan Cholasta
---
 freeipa.spec.in | 2 +-
 install/share/bind.named.conf.template | 1 +
 install/updates/40-dns.update | 6 ---
 .../updates/90-post_upgrade_plugins.update | 1 +
 ipaserver/install/plugins/dns.py | 52 +++++++++++++++++++
 ipaserver/install/server/upgrade.py | 23 ++++++++
 6 files changed, 78 insertions(+), 7 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5f391f1b9..0d5c745d5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -251,7 +251,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 6.0-4
+Requires: bind-dyndb-ldap >= 10.0
 %if 0%{?fedora} >= 21
 Requires: bind >= 9.9.6-3
 Requires: bind-utils >= 9.9.6-3
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index eb6d4ae27..571df0270 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -51,6 +51,7 @@ dynamic-db "ipa" {
 arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
 arg "base cn=dns, $SUFFIX";
 arg "fake_mname $FQDN.";
+ arg "server_id $FQDN";
 arg "auth_method sasl";
 arg "sasl_mech GSSAPI";
 arg "sasl_user DNS/$FQDN";
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 50f8b79ec..4c0824b83 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
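Review bot: The new `arg "server_id $FQDN";` line hands BIND a name that has to agree with the entry `update_dnsserver_configuration_into_ldap` registers for this host through `dnsserver_add(self.api.env.host)`, and with the `api.env.host` value that `named_add_server_id` writes into existing named.conf files; the template gives no hint of that three-way coupling. A comment on the line, e.g. `// server_id must match this server's entry under cn=servers,cn=dns`, would keep a later edit of one side from silently breaking the others. The bind-dyndb-ldap >= 10.0 bump in the spec hunk is presumably what makes the option available; if so, one sentence in the commit message naming that dependency would document why the two changes travel together.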
@@ -33,9 +33,3 @@ default: nsslapd-plugintype: preoperation
 default: nsslapd-pluginvendor: Red Hat, Inc.
 default: nsslapd-pluginversion: 1.0
 default: nsslapd-plugin-depends-on-type: database
-
-# add dns servers container
-dn: cn=servers,cn=dns,$SUFFIX
-default: objectClass: nsContainer
-default: objectClass: top
-default: cn: servers
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index ccb72efa4..1208268df 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -26,3 +26,4 @@ plugin: update_managed_permissions
 plugin: update_read_replication_agreements_permission
 plugin: update_idrange_baserid
 plugin: update_passync_privilege_update
+plugin: update_dnsserver_configuration_into_ldap
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 2399264c2..4fa30661e 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -28,6 +28,7 @@ from ipalib import Updater
 from ipapython.dn import DN
 from ipapython import dnsutil
 from ipapython.ipa_log_manager import root_logger
+from ipaserver.install import sysupgrade
 from ipaserver.plugins.dns import dns_container_exists
 register = Registry()
@@ -491,3 +492,54 @@ class update_dnsforward_emptyzones(DNSUpdater):
 self.update_global_ldap_forwarder()
 return False, []
+
+
+@register()
+class update_dnsserver_configuration_into_ldap(DNSUpdater):
+ """
+ DNS Locations feature requires to have DNS configuration stored in LDAP DB.
+ Create DNS server configuration in LDAP for each old server
+ """
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+ if sysupgrade.get_upgrade_state('dns', 'server_config_to_ldap'):
+ self.log.debug('upgrade is not needed')
+ return False, []
+
+ dns_container_dn = DN(self.api.env.container_dns, self.api.env.basedn)
+ try:
+ ldap.get_entry(dns_container_dn)
+ except errors.NotFound:
+ self.log.debug('DNS container not found, nothing to upgrade')
+ sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
+ return False, []
+
+ result = self.api.Command.server_show(self.api.env.host)['result']
+ if not 'DNS server' in result.get('enabled_role_servrole', []):
+ self.log.debug('This server is not DNS server, nothing to upgrade')
+ sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
+ return False, []
+
+ # create container first, if doesn't exist
+ entry = ldap.make_entry(
+ DN(self.api.env.container_dnsservers, self.api.env.basedn),
+ {
+ u'objectclass': [u'top', u'nsContainer'],
+ u'cn': [u'servers']
+ }
+ )
+ try:
+ ldap.add_entry(entry)
+ except errors.DuplicateEntry:
+ self.log.debug('cn=dnsservers container already exists')
+
+ try:
+ self.api.Command.dnsserver_add(self.api.env.host)
+ except errors.DuplicateEntry:
+ self.log.debug("DNS server configuration already exists "
+ "in LDAP database")
+ else:
+ self.log.debug("DNS server configuration has been sucessfully "
+ "created in LDAP database")
+ sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
+ return False, []
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index eacd43939..b4b6243ac 100644
--- a/ipaserver/install/server/upgrade.py
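Review bot: The DNS-container probe at the top of execute (`DN(self.api.env.container_dns, ...)` plus `ldap.get_entry` wrapped in `except errors.NotFound`) re-implements the `dns_container_exists` helper this module already imports, as the import hunk above shows; `if not dns_container_exists(ldap):` would keep that check in one place, though the helper's exact signature should be confirmed before switching. Two smaller points in the same method: `if not 'DNS server' in result.get(...)` is the non-idiomatic form of `if 'DNS server' not in result.get(...)`, and the message `'cn=dnsservers container already exists'` names a container that the entry just built calls `cn: servers`, so `'cn=servers container already exists'` would match the DN actually added. The success message also misspells "successfully". Since the commit drops the `cn=servers,cn=dns` container from 40-dns.update, this plugin looks like the only remaining place that creates it; it is worth confirming that a fresh install, where this post-upgrade plugin may not run, still obtains the container from another path.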
+++ b/ipaserver/install/server/upgrade.py
@@ -842,6 +842,28 @@ def named_update_global_forwarder_policy():
 return True
+def named_add_server_id():
+ """
+ DNS Locations feature requires to have configured server_id in IPA section
+ of named.conf
+ :return: if named.conf has been changed
+ """
+ bind = bindinstance.BindInstance()
+ if not bindinstance.named_conf_exists() or not bind.is_configured():
+ # DNS service may not be configured
+ root_logger.info('DNS is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('named.conf', 'add_server_id'):
+ # upgrade was done already
+ return False
+
+ root_logger.info('[Adding server_id to named.conf]')
+ bindinstance.named_conf_set_directive('server_id', api.env.host)
+ sysupgrade.set_upgrade_state('named.conf', 'add_server_id', True)
+ return True
+
+
 def certificate_renewal_update(ca, ds, http):
 """
 Update certmonger certificate renewal configuration.
@@ -1680,6 +1702,7 @@ def upgrade_configuration():
 named_update_global_forwarder_policy(),
 mask_named_regular(),
 fix_dyndb_ldap_workdir_permissions(),
+ named_add_server_id(),
 )
 if any(named_conf_changes):
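Review bot: The value written by `bindinstance.named_conf_set_directive('server_id', api.env.host)` has to agree with the name under which `update_dnsserver_configuration_into_ldap` registers this server (`dnsserver_add(self.api.env.host)`) and with the `$FQDN` the installer template now substitutes, yet nothing in named_add_server_id records that coupling; a comment above the call such as `# must match the dnsserver entry name created by update_dnsserver_configuration_into_ldap` would warn the next maintainer. The docstring line `:return: if named.conf has been changed` reads more precisely as `:return: True if named.conf has been changed, False otherwise`, which is what the three return statements implement. Unlike the plugin, this function decides "is a DNS server" from `named_conf_exists()` and `bind.is_configured()` rather than the server's enabled roles; the two checks probably coincide on a healthy host, but a one-line comment noting why the local files are the authority here would make the asymmetry deliberate. `upgrade_configuration`, where the second hunk appends the call to the `named_conf_changes` tuple, starts and ends outside the hunk.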