author | Martin Basti <mbasti@redhat.com> | 2014-10-16 16:34:00 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
commit | e798bad646f648748872a841f282462d28af795f (patch) | |
tree | b457418a13b4e1536d60fbd47c17aa2283a101b9 | |
parent | 8f2f5dfbdf6864b7f522aaf2fcf4e337488c87c8 (diff) | |
DNSSEC: installation
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
-rwxr-xr-x | install/tools/ipa-dns-install | 56 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 12 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 10 |
3 files changed, 69 insertions, 9 deletions
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index be9930746..73afadf56 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -23,7 +23,8 @@ from optparse import OptionGroup, SUPPRESS_HELP import krbV -from ipaserver.install import service, bindinstance, ntpinstance, httpinstance +from ipaserver.install import (service, bindinstance, ntpinstance, + httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance) from ipaserver.install.installutils import * from ipaserver.install import installutils from ipapython import version @@ -56,6 +57,8 @@ def parse_options(): default=False, help="Do not create new reverse DNS zone") parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true", default=False, help="Disable DNSSEC validation") + parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true", + default=False, help="Setup server to be DNSSEC key master") parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback, type="string", help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN") 
@@ -99,14 +102,40 @@ def main(): print "" print "This includes:" print " * Configure DNS (bind)" + print " * Configure SoftHSM (required by DNSSEC)" + print " * Configure ipa-dnskeysyncd (required by DNSSEC)" + if options.dnssec_master: + print " * Configure ipa-ods-exporter (required by DNSSEC key master)" + print " * Configure OpenDNSSEC (required by DNSSEC key master)" + print " * Generate DNSSEC master key (required by DNSSEC key master)" + print "" + print "NOTE: DNSSEC zone signing is not enabled by default" + print "" + if options.dnssec_master: + print "DNSSEC support is experimental!" + print "" + print "Plan carefully, current version doesn't allow you to move DNSSEC" + print "key master to different server and master cannot be uninstalled" + print "" print "" print "To accept the default shown in brackets, press the Enter key." print "" + if options.dnssec_master and not options.unattended and not ipautil.user_input( + "Do you want to setup this IPA server as DNSSEC key master?", + False): + sys.exit("Aborted") + # Check bind packages are installed - if not bindinstance.check_inst(options.unattended): + if not (bindinstance.check_inst(options.unattended) and + dnskeysyncinstance.check_inst()): sys.exit("Aborting installation.") + if options.dnssec_master: + # check opendnssec packages are installed + if not opendnssecinstance.check_inst(): + sys.exit("Aborting installation") + # Initialize the ipalib api cfg = dict( in_server=True, @@ -115,9 +144,6 @@ def main(): api.bootstrap(**cfg) api.finalize() - if bindinstance.named_conf_exists(): - sys.exit("\nDNS is already configured in this IPA server.") - # Create a BIND instance if options.unattended and not options.dm_password: sys.exit("\nIn unattended mode you need to provide at least the -p option") 
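Review bot: The `if bindinstance.named_conf_exists(): sys.exit("\nDNS is already configured in this IPA server.")` guard is dropped for every invocation, not only for the `--dnssec-master` re-run the commit wants to permit, so re-running ipa-dns-install on a host that already serves DNS now falls through to `bind.create_instance()` and rewrites the live configuration without any prompt. Keep the abort on the non-master path, e.g. `if bindinstance.named_conf_exists() and not options.dnssec_master: sys.exit("\nDNS is already configured in this IPA server.")`, and require a confirmation (or `--force`-style flag) before overwriting an existing named setup on the master path. The motivation is only stated by the `# we can reinstall current server if it is dnssec master` comment in a later hunk; it belongs next to the relaxed check. `ipautil.user_input` is also used here while `ipautil` is not among the imports touched by this diff — presumably it is imported earlier in the file, worth confirming. main() starts before this hunk and continues past it.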
@@ -135,6 +161,14 @@ def main(): except errors.ACIError: sys.exit("Password is not valid!") + ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password) + if options.dnssec_master: + dnssec_masters = ods.get_masters() + # we can reinstall current server if it is dnssec master + if not api.env.host in dnssec_masters and dnssec_masters: + print "DNSSEC key master(s):", u','.join(dnssec_masters) + sys.exit("Only one DNSSEC key master is supported in current version.") + ip_addresses = get_server_ip_address(api.env.host, fstore, options.unattended, True, options.ip_addresses) @@ -180,6 +214,18 @@ def main(): no_dnssec_validation=options.no_dnssec_validation) bind.create_instance() + # on dnssec master this must be installed last + dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password) + dnskeysyncd.create_instance(api.env.host, api.env.realm) + if options.dnssec_master: + ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password) + + ods_exporter.create_instance(api.env.host, api.env.realm) + ods.create_instance(api.env.host, api.env.realm) + + dnskeysyncd.start_dnskeysyncd() + bind.start_named() + # Restart http instance to make sure that python-dns has the right resolver # https://bugzilla.redhat.com/show_bug.cgi?id=800368 http = httpinstance.HTTPInstance(fstore) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 51809b140..8f0ce8666 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -33,7 +33,7 @@ from ipapython import ipautil from ipaserver.install import dsinstance, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance -from ipaserver.install import memcacheinstance +from ipaserver.install import memcacheinstance, dnskeysyncinstance from ipaserver.install import otpdinstance from ipaserver.install.replication import replica_conn_check, ReplicationManager from ipaserver.install.installutils import ( 
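Review bot: The single-master test `if not api.env.host in dnssec_masters and dnssec_masters:` is easier to read and less error-prone as `if dnssec_masters and api.env.host not in dnssec_masters:` — `not x in y` is the non-idiomatic spelling and checking for an existing master first states the intent directly. `ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)` is also constructed unconditionally although it is only used under `options.dnssec_master` here and in the later hunk; building it inside the `if` avoids handing the Directory Manager password to an object that non-master installs never use. The check is advisory only: two installers run concurrently could both read an empty master list before either registers itself, so a comment such as `# NOTE: not race-free; the master is presumably recorded in LDAP only during ods.create_instance()` would warn the next maintainer. main() starts before this hunk and continues past it.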
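Review bot: The comment `# on dnssec master this must be installed last` sits above `dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)`, yet on the master path `ods_exporter` and `ods` are created after it and both daemons are only started afterwards, so it is unclear which component "must be installed last" or why. Rewrite it to name the dependency explicitly, e.g. `# ipa-dnskeysyncd, ods-exporter and OpenDNSSEC are configured after named.conf exists; services are started only once all of them are in place` — or whatever the actual ordering constraint is, since it is not visible in this hunk. The two startup calls `dnskeysyncd.start_dnskeysyncd()` / `bind.start_named()` also imply that `bind.create_instance()` no longer starts named; that change is not part of this diff and should be referenced in the commit message. main() continues past this hunk.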
@@ -275,7 +275,12 @@ def install_bind(config, options): config.reverse_zones, ca_configured=options.setup_ca, no_dnssec_validation=options.no_dnssec_validation) bind.create_instance() - + print "" + dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance( + dm_password=config.dirman_password) + dnskeysyncd.create_instance(api.env.host, api.env.realm) + dnskeysyncd.start_dnskeysyncd() + bind.start_named() print "" bind.check_global_configuration() print "" @@ -351,7 +356,8 @@ def check_dirsrv(): sys.exit(1) def check_bind(): - if not bindinstance.check_inst(unattended=True): + if not (bindinstance.check_inst(unattended=True) and + dnskeysyncinstance.check_inst()): print "Aborting installation" sys.exit(1) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 39662db0c..005aec617 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -49,6 +49,9 @@ except ImportError: from ipaserver.install import dsinstance from ipaserver.install import krbinstance from ipaserver.install import bindinstance +from ipaserver.install import dnskeysyncinstance +from ipaserver.install import opendnssecinstance +from ipaserver.install import odsexporterinstance from ipaserver.install import httpinstance from ipaserver.install import ntpinstance from ipaserver.install import certs @@ -894,7 +897,8 @@ def main(): # check bind packages are installed if options.setup_dns: - if not bindinstance.check_inst(options.unattended): + if not (bindinstance.check_inst(options.unattended) and + dnskeysyncinstance.check_inst()): sys.exit("Aborting installation") # Don't require an external DNS to say who we are if we are 
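Review bot: `dnskeysyncinstance.DNSKeySyncInstance(dm_password=config.dirman_password)` omits the file-store argument that the ipa-dns-install and ipa-server-install hunks pass as `DNSKeySyncInstance(fstore, dm_password)`; if the instance backs up the files it modifies through that store, a replica uninstall would not restore them. Unless the omission is deliberate, pass the replica's store as well, e.g. `dnskeysyncinstance.DNSKeySyncInstance(fstore, config.dirman_password)`, or document why replicas differ. The `BindInstance` construction that would show whether an `fstore` is in scope in install_bind() lies before the hunk, so this needs checking against the surrounding code.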
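Review bot: The new `from ipaserver.install import opendnssecinstance` and `from ipaserver.install import odsexporterinstance` lines in ipa-server-install are unused: the diffstat shows 10 changed lines for that file and the three visible hunks account for all of them (three imports, the `check_inst()` change, the four `dnskeysyncd` lines), none of which reference either module. Drop the two imports, or add the `--dnssec-master` handling to ipa-server-install in the same commit if that was the intent; as it stands, installing a server with `--setup-dns` silently gets no key-master option while ipa-dns-install does.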
@@ -1284,6 +1288,10 @@ def main(): api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) bind.create_instance() + dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password) + dnskeysyncd.create_instance(api.env.host, api.env.realm) + dnskeysyncd.start_dnskeysyncd() + bind.start_named() print "" bind.check_global_configuration() print "" |