author | Martin Basti <mbasti@redhat.com> | 2015-06-17 13:35:18 +0200 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-07 08:37:15 +0200 |
commit | 2e4e8d759d339ca1a6aec63230fba54c9c4e96bf (patch) | |
tree | b9e1c32e3b08e17aae9af3a75dcc33c5e4667ffe | |
parent | e151492560db25fa13c2a3edf5e2139dc6629047 (diff) | |
DNSSEC: update message
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rwxr-xr-x | install/tools/ipa-replica-manage | 1 | ||||
-rw-r--r-- | ipaserver/install/dns.py | 28 |
2 files changed, 22 insertions, 7 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 366ecca2d..e525a02f4 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -663,6 +663,7 @@ def ensure_last_services(conn, hostname, masters, options):
 dnssec_masters = opendnssecinstance.get_dnssec_key_masters(conn)
 if hostname in dnssec_masters:
 print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
+ print "Please disable or replace DNSSEC key master first."
 sys.exit("Deletion aborted")
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 1382382b5..bd176c1ef 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -154,8 +154,15 @@ def install_check(standalone, replica, options, hostname):
 if dnssec_zones and not options.force:
 raise RuntimeError(
 "Cannot disable DNSSEC key master, DNSSEC signing is still "
- "enabled for following zone(s): %s\n"
- "Use --force option to skip this check." %
+ "enabled for following zone(s):\n"
+ "%s\n"
+ "It is possible to move DNSSEC key master role to a different "
+ "server by using --force option to skip this check.\n\n"
+ "WARNING: You have to immediatelly copy kasp.db file to a new "
+ "server and run command 'ipa-dns-install --dnssec-master "
+ "--kasp-db'.\n"
+ "Your DNS zones will become unavailable if you "
+ "do not reinstall the DNSSEC key master role immediatelly." %
 ", ".join([str(zone) for zone in dnssec_zones]))
 elif options.dnssec_master:
 # check opendnssec packages are installed
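Review bot: The warning added to the "Cannot disable DNSSEC key master" message in install_check misspells "immediately" as `immediatelly` in two of the new string fragments, and the command it quotes, `'ipa-dns-install --dnssec-master --kasp-db'`, stops at an option that the later message in this file describes as specifying the location of the kasp.db file. An operator who copies the command as printed may hit an argument error while the zones are already at risk, so the text should use `immediately` and read `--kasp-db <path to copied kasp.db>` (placeholder). The message also offers `--force` before the WARNING sentence is reached; putting the warning first would make the consequence harder to miss. install_check starts and ends outside the hunk.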
@@ -186,8 +193,10 @@ def install_check(standalone, replica, options, hostname):
 suplementary_groups=[named.get_group_name()])
 except CalledProcessError as e:
 root_logger.debug("%s", e)
- raise RuntimeError("IPA server cannot be the new DNSSEC master "
- "(some keys are missing)")
+ raise RuntimeError("This IPA server cannot be promoted to "
+ "DNSSEC master role because some keys were "
+ "not replicated from the original "
+ "DNSSEC master server")
 finally:
 if dnskeysyncd_running:
 dnskeysyncd.start()
@@ -195,9 +204,14 @@ def install_check(standalone, replica, options, hostname):
 # some zones have --dnssec=true, make sure a user really want to
 # install new database
 raise RuntimeError(
- "DNSSEC is enabled for following zone(s): %s\n"
- "Please use option --kasp-db to keep current OpenDNSSEC "
- "database or use --force option to skip this check." %
+ "DNSSEC signing is already enabled for following zone(s): %s\n"
+ "Installation cannot continue without the OpenDNSSEC database "
+ "file from the original DNSSEC master server.\n"
+ "Please use option --kasp-db to specify location "
+ "of the kasp.db file copied from the original "
+ "DNSSEC master server.\n"
+ "WARNING: Zones will become unavailable if you do not provide "
+ "the original kasp.db file." %
 ", ".join([str(zone) for zone in dnssec_zones])) |
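Review bot: The reworded RuntimeError in the `except CalledProcessError` branch names one specific cause, keys not replicated from the original DNSSEC master, for every failure of the command in the `try` block, whose start is outside the hunk. The underlying error is still only recorded with `root_logger.debug("%s", e)`, so unless debug output is enabled an operator cannot tell a replication gap from some other failure of that command. Logging it at a higher level, for example `root_logger.error("DNSSEC key check failed: %s", e)`, or softening the message to "most likely because some keys were not replicated" would keep the diagnosis accurate.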
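Review bot: The comment kept above the last `raise RuntimeError(` still says the check exists to "make sure a user really want to install new database", while the new message says installation cannot continue without the original kasp.db and no longer mentions `--force`. The guarding condition is outside the hunk, so it is not visible whether `--force` still bypasses this check; if it does, the bypass is now undocumented at the point of failure, and if it does not, the comment is stale. Either way the comment should state what is enforced, for example `# zones are already signed: require the original kasp.db (--kasp-db) rather than creating a new database`. This message also keeps the zone list inline after `zone(s):`, unlike the earlier message in the same function, which moved it to its own line.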