Remove support for IPA deployments with no persistent search

Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
Tomas Babej 2013-08-09 11:55:49 +02:00 committed by Martin Kosek
parent 49a621a257
commit 69394bab5a
16 changed files with 104 additions and 187 deletions


@ -673,7 +673,7 @@ option: Str('delattr*', cli_name='delattr', exclude='webui')
option: Bool('idnsallowsyncptr', attribute=True, autofill=False, cli_name='allow_sync_ptr', multivalue=False, required=False)
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Int('idnszonerefresh', attribute=True, autofill=False, cli_name='zone_refresh', minvalue=0, multivalue=False, required=False)
option: DeprecatedParam('idnszonerefresh', attribute=True, autofill=False, cli_name='zone_refresh', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')


@ -156,7 +156,7 @@ Obsoletes: freeipa-server-selinux < 3.3.0
# IPA but if it is configured we need a way to require versions
# that work for us.
%if 0%{?fedora} >= 18
Conflicts: bind-dyndb-ldap < 2.3-2
Conflicts: bind-dyndb-ldap < 3.5
%else
Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
%endif


@ -44,7 +44,5 @@ dynamic-db "ipa" {
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/$FQDN";
arg "zone_refresh $ZONE_REFRESH";
arg "psearch $PERSISTENT_SEARCH";
arg "serial_autoincrement $SERIAL_AUTOINCREMENT";
};


@ -52,16 +52,6 @@ def parse_options():
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
# this option name has been deprecated, persistent search has been enabled by default
parser.add_option("--zone-notif", dest="zone_notif",
action="store_true", default=False, help=SUPPRESS_HELP)
parser.add_option("--no-persistent-search", dest="persistent_search",
default=True, action="store_false",
help="Do not enable persistent search feature in the name server")
parser.add_option("--zone-refresh", dest="zone_refresh",
default=0, type="int",
help="When set to non-zero the name server will use DNS zone "
"detection based on polling instead of a persistent search")
parser.add_option("--no-serial-autoincrement", dest="serial_autoincrement",
default=True, action="store_false",
help="Do not enable SOA serial autoincrement")
@ -80,18 +70,6 @@ def parse_options():
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
if options.zone_refresh < 0:
parser.error("negative numbers not allowed for --zone-refresh")
elif options.zone_refresh > 0:
options.persistent_search = False # mutually exclusive features
if options.zone_notif:
print >>sys.stderr, "WARNING: --zone-notif option is deprecated and has no effect"
if options.serial_autoincrement and not options.persistent_search:
parser.error('persistent search feature is required for '
'DNS SOA serial autoincrement')
return safe_options, options
def main():
@ -232,8 +210,6 @@ def main():
bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh,
persistent_search=options.persistent_search,
serial_autoincrement=options.serial_autoincrement)
bind.create_instance()


@ -207,16 +207,6 @@ def parse_options():
dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
# this option name has been deprecated, persistent search has been enabled by default
dns_group.add_option("--zone-notif", dest="zone_notif",
action="store_true", default=False, help=SUPPRESS_HELP)
dns_group.add_option("--no-persistent-search", dest="persistent_search",
default=True, action="store_false",
help="Do not enable persistent search feature in the name server")
dns_group.add_option("--zone-refresh", dest="zone_refresh",
default=0, type="int",
help="When set to non-zero the name server will use DNS zone "
"detection based on polling instead of a persistent search")
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
@ -326,18 +316,6 @@ def parse_options():
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
if options.zone_refresh < 0:
parser.error("negative numbers not allowed for --zone-refresh")
elif options.zone_refresh > 0:
options.persistent_search = False # mutually exclusive features
if options.serial_autoincrement and not options.persistent_search:
parser.error('persistent search feature is required for '
'DNS SOA serial autoincrement')
if options.zone_notif:
print >>sys.stderr, "WARNING: --zone-notif option is deprecated and has no effect"
return safe_options, options
def signal_handler(signum, frame):
@ -1159,8 +1137,6 @@ def main():
bind = bindinstance.BindInstance(fstore, dm_password)
bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh,
persistent_search=options.persistent_search,
serial_autoincrement=options.serial_autoincrement,
ca_configured=setup_ca)
if options.setup_dns:


@ -325,58 +325,76 @@ def upgrade_ipa_profile(ca, domain, fqdn):
return False
def named_enable_psearch():
def named_remove_deprecated_options():
"""
From IPA 3.0, persistent search is a preferred mechanism for new DNS zone
detection and is also needed for other features (DNSSEC, SOA serial
updates). Enable psearch and make sure connections attribute is right.
This step is done just once for a case when user switched the persistent
search back to disabled.
From IPA 3.3, persistent search is a default mechanism for new DNS zone
detection.
When some change in named.conf is done, this functions returns True
Remove psearch, zone_refresh and cache_ttl options, as they have been
deprecated in bind-dyndb-ldap configuration file.
When some change in named.conf is done, this functions returns True.
"""
changed = False
root_logger.info('[Enabling persistent search in DNS]')
root_logger.info('[Removing deprecated DNS configuration options]')
if not bindinstance.named_conf_exists():
# DNS service may not be configured
root_logger.info('DNS is not configured')
return
return False
deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl']
removed_options = []
try:
psearch = bindinstance.named_conf_get_directive('psearch')
# Remove all the deprecated options
for option in deprecated_options:
value = bindinstance.named_conf_get_directive(option)
if value is not None:
bindinstance.named_conf_set_directive(option, None)
removed_options.append(option)
except IOError, e:
root_logger.debug('Cannot retrieve psearch option from %s: %s',
bindinstance.NAMED_CONF, e)
return
else:
psearch = None if psearch is None else psearch.lower()
if not sysupgrade.get_upgrade_state('named.conf', 'psearch_enabled'):
if psearch != "yes":
try:
bindinstance.named_conf_set_directive('zone_refresh', 0)
bindinstance.named_conf_set_directive('psearch', 'yes')
except IOError, e:
root_logger.error('Cannot enable psearch in %s: %s',
bindinstance.NAMED_CONF, e)
else:
changed = True
psearch = "yes"
sysupgrade.set_upgrade_state('named.conf', 'psearch_enabled', True)
root_logger.debug('Persistent search enabled')
root_logger.error('Cannot modify DNS configuration in %s: %s',
bindinstance.NAMED_CONF, e)
# Log only the changed options
if not removed_options:
root_logger.debug('No changes made')
return False
root_logger.debug('The following configuration options have been removed: '
'{options}'.format(options = ', '.join(removed_options)))
return True
def named_set_minimum_connections():
"""
Sets the minimal number of connections.
When some change in named.conf is done, this functions returns True.
"""
changed = False
root_logger.info('[Ensuring minimal number of connections]')
if not bindinstance.named_conf_exists():
# DNS service may not be configured
root_logger.info('DNS is not configured')
return changed
# make sure number of connections is right
minimum_connections = 2
if psearch == 'yes':
# serial_autoincrement increased the minimal number of connections to 4
minimum_connections = 4
minimum_connections = 4
try:
connections = bindinstance.named_conf_get_directive('connections')
except IOError, e:
root_logger.debug('Cannot retrieve connections option from %s: %s',
bindinstance.NAMED_CONF, e)
return
return changed
try:
if connections is not None:
connections = int(connections)
@ -388,7 +406,7 @@ def named_enable_psearch():
if connections is not None and connections < minimum_connections:
try:
bindinstance.named_conf_set_directive('connections',
minimum_connections)
minimum_connections)
root_logger.debug('Connections set to %d', minimum_connections)
except IOError, e:
root_logger.error('Cannot update connections in %s: %s',
@ -398,8 +416,10 @@ def named_enable_psearch():
if not changed:
root_logger.debug('No changes made')
return changed
def named_enable_serial_autoincrement():
"""
Serial autoincrement is a requirement for zone transfers or DNSSEC. It
@ -417,7 +437,6 @@ def named_enable_serial_autoincrement():
return changed
try:
psearch = bindinstance.named_conf_get_directive('psearch')
serial_autoincrement = bindinstance.named_conf_get_directive(
'serial_autoincrement')
except IOError, e:
@ -425,28 +444,23 @@ def named_enable_serial_autoincrement():
bindinstance.NAMED_CONF, e)
return changed
else:
psearch = None if psearch is None else psearch.lower()
serial_autoincrement = None if serial_autoincrement is None \
else serial_autoincrement.lower()
# enable SOA serial autoincrement
if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
if psearch != "yes": # psearch is required
root_logger.error('Persistent search is disabled, '
'serial autoincrement cannot be enabled')
else:
if serial_autoincrement != 'yes':
try:
bindinstance.named_conf_set_directive('serial_autoincrement', 'yes')
except IOError, e:
root_logger.error('Cannot enable serial_autoincrement in %s: %s',
bindinstance.NAMED_CONF, e)
return changed
else:
root_logger.debug('Serial autoincrement enabled')
changed = True
if serial_autoincrement != 'yes':
try:
bindinstance.named_conf_set_directive('serial_autoincrement', 'yes')
except IOError, e:
root_logger.error('Cannot enable serial_autoincrement in %s: %s',
bindinstance.NAMED_CONF, e)
return changed
else:
root_logger.debug('Serial autoincrement is alredy enabled')
root_logger.debug('Serial autoincrement enabled')
changed = True
else:
root_logger.debug('Serial autoincrement is alredy enabled')
sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
else:
root_logger.debug('Skip serial autoincrement check')
@ -1049,12 +1063,18 @@ def main():
cleanup_kdc(fstore)
setup_firefox_extension(fstore)
add_ca_dns_records()
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
changed_gssapi_conf = named_update_gssapi_configuration()
changed_pid_file_conf = named_update_pid_file()
if (changed_psearch or changed_autoincrement or changed_gssapi_conf
or changed_pid_file_conf):
# Any of the following functions returns True iff the named.conf file
# has been altered
named_conf_changes = (
named_remove_deprecated_options(),
named_set_minimum_connections(),
named_enable_serial_autoincrement(),
named_update_gssapi_configuration(),
named_update_pid_file(),
)
if any(named_conf_changes):
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bind = bindinstance.BindInstance(fstore)
@ -1062,6 +1082,7 @@ def main():
bind.restart()
except ipautil.CalledProcessError, e:
root_logger.error("Failed to restart %s: %s", bind.service_name, e)
ca_restart = any([
ca_restart,
enable_certificate_renewal(ca),
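Review bot: The comment above the `named_conf_changes` tuple in main() (second-to-last hunk) should say why it is a tuple rather than a generator fed straight to `any()`: `any()` short-circuits, so with a generator every upgrade step after the first one that reports a change would be silently skipped, which makes the eager tuple load-bearing, e.g. `# Evaluated eagerly on purpose: every step must run, any() would stop at the first True`. In `named_remove_deprecated_options` the final debug message uses `str.format` with a space-padded keyword while the rest of this file passes lazy %-style arguments to root_logger; `root_logger.debug('The following configuration options have been removed: %s', ', '.join(removed_options))` keeps it consistent. The IOError branch there logs and falls through, so a failure after some options were already removed still returns True and triggers the named restart, which looks intended but deserves a one-line comment saying so. Both new docstrings repeat the typo "this functions returns True", and the log text "alredy" survives on the new side of the serial autoincrement hunk; main() and named_set_minimum_connections continue outside their hunks.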


@ -49,12 +49,6 @@ Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-no\-persistent\-search\fR
Do not enable persistent search mechanism for updating the list of DNS zones in the name server. When persistent search is disabled and \fB\-\-zone\-refresh\fR option is not set to non-zero value, new zones won't be resolvable until the name server is reloaded.
.TP
\fB\-\-zone\-refresh=\fIZONE_REFRESH\fR
When set to non-zero value, persistent search zone update mechanism will be disabled and the name server will use a polling mechanism to load new DNS zones every \fIZONE_REFRESH\fR seconds.
.TP
\fB\-\-no\-serial\-autoincrement\fR
Do not enable SOA serial autoincrement feature. SOA serial will have to be updated automatically or other DNS features like zone transfer od DNSSEC will not function properly. This feature requires persistent search zone update mechanism.
.TP


@ -146,12 +146,6 @@ Do not create reverse DNS zone
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-no\-persistent\-search\fR
Do not enable persistent search mechanism for updating the list of DNS zones in the name server. When persistent search is disabled and \fB\-\-zone\-refresh\fR option is not set to non-zero value, new zones won't be resolvable until the name server is reloaded.
.TP
\fB\-\-zone\-refresh=\fIZONE_REFRESH\fR
When set to non-zero value, persistent search zone update mechanism will be disabled and the name server will use a polling mechanism to load new DNS zones every \fIZONE_REFRESH\fR seconds.
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP


@ -82,8 +82,7 @@ return {
label: '@i18n:objects.dnsconfig.forward_none'
}
]
},
'idnszonerefresh'
}
]
}
],


@ -9,8 +9,6 @@
"idnsallowsyncptr": "rscwo",
"idnsforwarders": "rscwo",
"idnsforwardpolicy": "rscwo",
"idnspersistentsearch": "rscwo",
"idnszonerefresh": "rscwo",
"nsaccountlock": "rscwo",
"objectclass": "rscwo"
},
@ -26,9 +24,6 @@
"idnsforwardpolicy": [
"first"
],
"idnszonerefresh": [
"20"
],
"objectclass": [
"idnsConfigObject",
"nsContainer",


@ -9,8 +9,6 @@
"idnsallowsyncptr": "rscwo",
"idnsforwarders": "rscwo",
"idnsforwardpolicy": "rscwo",
"idnspersistentsearch": "rscwo",
"idnszonerefresh": "rscwo",
"nsaccountlock": "rscwo",
"objectclass": "rscwo"
},
@ -27,9 +25,6 @@
"idnsforwardpolicy": [
"first"
],
"idnszonerefresh": [
"20"
],
"objectclass": [
"idnsConfigObject",
"nsContainer",


@ -2842,17 +2842,6 @@
"name": "idnsallowsyncptr",
"type": "bool"
},
{
"attribute": true,
"class": "Int",
"doc": "An interval between regular polls of the name server for new DNS zones",
"flags": [],
"label": "Zone refresh interval",
"maxvalue": 2147483647,
"minvalue": 0,
"name": "idnszonerefresh",
"type": "int"
},
{
"name": "setattr"
},


@ -812,7 +812,6 @@
"idnsforwarders",
"idnsforwardpolicy",
"idnsname",
"idnspersistentsearch",
"idnssoaexpire",
"idnssoaminimum",
"idnssoamname",
@ -822,7 +821,6 @@
"idnssoaserial",
"idnsupdatepolicy",
"idnszoneactive",
"idnszonerefresh",
"inetdomainbasedn",
"inetdomainstatus",
"inetsubscriberaccountid",
@ -1726,8 +1724,7 @@
"default_attributes": [
"idnsforwardpolicy",
"idnsforwarders",
"idnsallowsyncptr",
"idnszonerefresh"
"idnsallowsyncptr"
],
"hidden_attributes": [
"objectclass",
@ -1798,16 +1795,6 @@
"label": "Allow PTR sync",
"name": "idnsallowsyncptr",
"type": "bool"
},
{
"class": "Int",
"doc": "An interval between regular polls of the name server for new DNS zones",
"flags": [],
"label": "Zone refresh interval",
"maxvalue": 2147483647,
"minvalue": 0,
"name": "idnszonerefresh",
"type": "int"
}
],
"uuid_attribute": ""


@ -28,7 +28,8 @@ import dns.name
from ipalib.request import context
from ipalib import api, errors, output
from ipalib import Command
from ipalib.parameters import Flag, Bool, Int, Decimal, Str, StrEnum, Any
from ipalib.parameters import (Flag, Bool, Int, Decimal, Str, StrEnum, Any,
DeprecatedParam)
from ipalib.plugins.baseldap import *
from ipalib import _, ngettext
from ipalib.util import (validate_zonemgr, normalize_zonemgr, normalize_zone,
@ -2978,8 +2979,7 @@ class dnsconfig(LDAPObject):
"""
object_name = _('DNS configuration options')
default_attributes = [
'idnsforwardpolicy', 'idnsforwarders', 'idnsallowsyncptr',
'idnszonerefresh'
'idnsforwardpolicy', 'idnsforwarders', 'idnsallowsyncptr'
]
label = _('DNS Global Configuration')
@ -3006,11 +3006,9 @@ class dnsconfig(LDAPObject):
label=_('Allow PTR sync'),
doc=_('Allow synchronization of forward (A, AAAA) and reverse (PTR) records'),
),
Int('idnszonerefresh?',
DeprecatedParam('idnszonerefresh?',
cli_name='zone_refresh',
label=_('Zone refresh interval'),
doc=_('An interval between regular polls of the name server for new DNS zones'),
minvalue=0,
),
)
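Review bot: The new `DeprecatedParam('idnszonerefresh?', ...)` in the last hunk keeps the old `label` and `doc` text describing a polling interval that the server no longer honours, so anywhere that text is still surfaced (API.txt in this commit still lists the option with `cli_name='zone_refresh'`) a user would be told the option configures polling rather than that it is ignored. If DeprecatedParam exposes `doc` in help or API output — I cannot confirm that from the hunk — it should state the new status, e.g. `doc=_('Deprecated: zone refresh polling is no longer used, persistent search is always enabled')`. The dnsconfig class continues outside the hunk.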


@ -463,8 +463,7 @@ class BindInstance(service.Service):
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
reverse_zone, named_user="named", zonemgr=None,
zone_refresh=0, persistent_search=True, serial_autoincrement=True,
ca_configured=None):
serial_autoincrement=True, ca_configured=None):
self.named_user = named_user
self.fqdn = fqdn
self.ip_address = ip_address
@ -475,8 +474,6 @@ class BindInstance(service.Service):
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zone = reverse_zone
self.zone_refresh = zone_refresh
self.persistent_search = persistent_search
self.serial_autoincrement = serial_autoincrement
self.ca_configured = ca_configured
@ -593,24 +590,23 @@ class BindInstance(service.Service):
else:
ipa_ca = ""
boolean_var = {}
for var in ('persistent_search', 'serial_autoincrement'):
boolean_var[var] = "yes" if getattr(self, var, False) else "no"
def bool_to_yesno(var):
return "yes" if var else "no"
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip_address,
DOMAIN=self.domain,
HOST=self.host,
REALM=self.realm,
SERVER_ID=realm_to_serverid(self.realm),
FORWARDERS=fwds,
SUFFIX=self.suffix,
OPTIONAL_NTP=optional_ntp,
ZONEMGR=self.zonemgr,
ZONE_REFRESH=self.zone_refresh,
IPA_CA_RECORD=ipa_ca,
PERSISTENT_SEARCH=boolean_var['persistent_search'],
SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
self.sub_dict = dict(
FQDN=self.fqdn,
IP=self.ip_address,
DOMAIN=self.domain,
HOST=self.host,
REALM=self.realm,
SERVER_ID=realm_to_serverid(self.realm),
FORWARDERS=fwds,
SUFFIX=self.suffix,
OPTIONAL_NTP=optional_ntp,
ZONEMGR=self.zonemgr,
IPA_CA_RECORD=ipa_ca,
SERIAL_AUTOINCREMENT=bool_to_yesno(self.serial_autoincrement),
)
def __setup_dns_container(self):
self._ldap_mod("dns.ldif", self.sub_dict)
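Review bot: Dropping the `zone_refresh` and `persistent_search` keyword parameters from `BindInstance.setup()` (first hunk) turns any caller that still passes them into a TypeError at install time; the commit updates ipa-dns-install and ipa-server-install, but ipa-replica-install is not among the 16 changed files, so other `bind.setup(` call sites are worth a grep before merging. If a transition period is wanted, the keywords could be accepted and ignored for one release, e.g. `zone_refresh=None, persistent_search=None,` with `# deprecated and ignored: persistent search is always enabled`. The same compatibility question applies to the ipa-dns-install and ipa-server-install hunks, which drop `--zone-refresh` and `--no-persistent-search` outright, and also remove `--zone-notif` even though the old code had kept it as a SUPPRESS_HELP no-op with a warning. In the last hunk the single-use nested `bool_to_yesno` could be inlined as `SERIAL_AUTOINCREMENT="yes" if self.serial_autoincrement else "no",`; the enclosing method of that hunk starts outside the hunk.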


@ -83,7 +83,6 @@ class test_dns(Declarative):
('dnsconfig_mod', [], {'idnsforwarders' : None,
'idnsforwardpolicy' : None,
'idnsallowsyncptr' : None,
'idnszonerefresh' : None,
}),
('permission_del', [dnszone1_permission], {'force': True}),
]