Support OpenDNSSEC 2.1: new ods-signer protocol

The communication between ods-signer and the socket-activated process has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also the new protocol. The internal database was also modified. Add a wrapper calling the right code (table names hab=ve changed, as well as table columns). With OpenDNSSEC the policy also needs to be explicitely loaded after ods-enforcer-db-setup has been run, with ods-enforcer policy import The command ods-ksmutil notify must be replace with ods-enforce flush. Related: https://pagure.io/freeipa/issue/8214 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-03-05 15:54:40 +01:00
parent 6cb3b11a61
commit fc4ccfa5c3
8 changed files with 266 additions and 34 deletions
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -298,6 +298,36 @@ class BaseTaskNamespace:
            cmd = [paths.ODS_ENFORCER_DB_SETUP]
        return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)

+    def run_ods_notify(self, **kwargs):
+        """Notify ods-enforcerd to reload its conf."""
+        if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+            # OpenDNSSEC 1.4
+            cmd = [paths.ODS_KSMUTIL, 'notify']
+        else:
+            # OpenDNSSEC 2.x
+            cmd = [paths.ODS_ENFORCER, 'flush']
+
+        # run commands as ODS user
+        if os.geteuid() == 0:
+            kwargs['runas'] = constants.ODS_USER
+
+        return ipautil.run(cmd, **kwargs)
+
+    def run_ods_policy_import(self, **kwargs):
+        """Run OpenDNSSEC manager command to import policy."""
+        # This step is needed with OpenDNSSEC 2.1 only
+        if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+            # OpenDNSSEC 1.4
+            return
+
+        # OpenDNSSEC 2.x
+        cmd = [paths.ODS_ENFORCER, 'policy', 'import']
+
+        # run commands as ODS user
+        if os.geteuid() == 0:
+            kwargs['runas'] = constants.ODS_USER
+        ipautil.run(cmd, **kwargs)
+
    def run_ods_manager(self, params, **kwargs):
        """Run OpenDNSSEC manager command (ksmutil, enforcer)