freeipa/daemons/dnssec/ipa-dnskeysyncd.in
Rob Crittenden cef6a90288 dnssec daemons: read the dns context config file for debug state
This had been hardcoded to debug=True but it spams the logs
with a lot of unnecessary information.

Allow it to be enabled for troubleshooting purposes but keep it
disabled by default.

Enabling debug would involve created /etc/ipa/dns.conf:

[global]
debug = True

I didn't add a more generic mechanism because for now we only need
the value of debug and it introduces a lot of type conversion
headaches. ipalib handles this automatically but to duplicate this
would be corner-case city.

Fixes: https://pagure.io/freeipa/issue/9128

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-02 11:17:57 +02:00

135 lines
3.9 KiB
Python

#!/usr/bin/python3
#
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
import logging
import sys
import ldap
import ldapurl
import os
import signal
import time
from ipalib import api
from ipalib.install.kinit import kinit_keytab
from ipapython.dn import DN
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython import ipaldap
from ipapython.ipautil import get_config_debug
from ipaplatform.paths import paths
from ipaserver.dnssec.keysyncer import KeySyncer
logger = logging.getLogger(os.path.basename(__file__))
def fixup_dnssec_utils(self):
try:
os.stat(self.DNSSEC_KEYFROMLABEL)
except FileNotFoundError:
try:
os.stat(self.DNSSEC_KEYFROMLABEL_9_17)
except FileNotFoundError:
pass
else:
self.DNSSEC_KEYFROMLABEL = self.DNSSEC_KEYFROMLABEL_9_17
fixup_dnssec_utils(paths)
# IPA framework initialization
debug = get_config_debug('dns')
standard_logging_setup(debug=debug, verbose=True)
if not debug:
logger.info("To increase debugging set debug=True in dns.conf "
"See default.conf(5) for details")
api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
api.finalize()
# Global state
watcher_running = True
ldap_connection = False
DAEMONNAME = 'ipa-dnskeysyncd'
PRINCIPAL = None # not initialized yet
WORKDIR = '/tmp' # private temp
KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB
# Shutdown handler
def commenceShutdown(signum, stack):
# Declare the needed global variables
global watcher_running
global ldap_connection # pylint: disable=global-variable-not-assigned
logger.info('Signal %s received: Shutting down!', signum)
# We are no longer running
watcher_running = False
# Tear down the server connection
if ldap_connection:
ldap_connection.close_db()
del ldap_connection
# Shutdown
sys.exit(0)
os.umask(0o07)
# Signal handlers
signal.signal(signal.SIGTERM, commenceShutdown)
signal.signal(signal.SIGINT, commenceShutdown)
# Kerberos initialization
PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
logger.debug('Kerberos principal: %s', PRINCIPAL)
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
try:
kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
except Exception as ex:
logger.critical("Kerberos authentication failed: %s", ex)
# signal failure and let init system to restart the daemon
sys.exit(1)
os.environ['KRB5CCNAME'] = ccache_filename
# LDAP initialization
basedn = DN(api.env.container_dns, api.env.basedn)
ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri)
ldap_url.dn = str(basedn)
ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE
ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
logger.debug('LDAP URL: %s', ldap_url.unparse())
# Real work
while watcher_running:
# Prepare the LDAP server connection (triggers the connection as well)
ldap_connection = KeySyncer(ldap_url.initializeUrl(), ipa_api=api)
# Now we login to the LDAP server
try:
logger.info('LDAP bind...')
ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
except ldap.INVALID_CREDENTIALS as e:
logger.exception('Login to LDAP server failed: %s', e)
sys.exit(1)
except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
logger.exception('LDAP server is down, going to retry: %s', e)
time.sleep(5)
continue
# Commence the syncing
logger.info('Commencing sync process')
ldap_search = ldap_connection.syncrepl_search(
ldap_url.dn,
ldap_url.scope,
mode='refreshAndPersist',
attrlist=ldap_url.attrs,
filterstr=ldap_url.filterstr
)
try:
while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
pass
except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
logger.error('syncrepl_poll: LDAP error (%s)', e)
sys.exit(1)