author | Martin Basti <mbasti@redhat.com> | 2015-05-13 14:45:32 +0200 |
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-07 08:37:15 +0200 |
commit | e151492560db25fa13c2a3edf5e2139dc6629047 (patch) | |
tree | 1cfb5a1a48dd522e265d425695122858a9366288 /ipaserver/install/opendnssecinstance.py | |
parent | b258bcee8337063259aa38b4387b9bb5721fb380 (diff) | |
DNSSEC: allow to disable/replace DNSSEC key master
This commit allows to replace or disable DNSSEC key master
Replacing DNSSEC master requires to copy kasp.db file manually by user
ipa-dns-install:
--disable-dnssec-master DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE This configures a new DNSSEC master server; the kasp.db from the old server is required for a successful replacement
--force Skip checks
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipaserver/install/opendnssecinstance.py')
-rw-r--r-- | ipaserver/install/opendnssecinstance.py | 98 |
1 files changed, 88 insertions, 10 deletions
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 538475985..d68691fa3 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -9,6 +9,9 @@ import os
 import pwd
 import grp
 import stat
+import shutil
+
+from subprocess import CalledProcessError
 
 import _ipap11helper
 
@@ -31,7 +34,7 @@ def get_dnssec_key_masters(conn):
     """
     assert conn is not None
 
-    dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+    dn = DN(api.env.container_masters, api.env.basedn)
 
     filter_attrs = {
         u'cn': u'DNSSEC',
@@ -62,7 +65,7 @@ def check_inst():
 
 class OpenDNSSECInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None, ldapi=False,
-                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
+                 start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
         service.Service.__init__(
             self, "ods-enforcerd",
             service_desc="OpenDNSSEC enforcer daemon",
@@ -94,12 +97,14 @@ class OpenDNSSECInstance(service.Service):
         self.ldap_connect()
         return get_dnssec_key_masters(self.admin_conn)
 
-    def create_instance(self, fqdn, realm_name, generate_master_key=True):
+    def create_instance(self, fqdn, realm_name, generate_master_key=True,
+                        kasp_db_file=None):
         self.backup_state("enabled", self.is_enabled())
         self.backup_state("running", self.is_running())
         self.fqdn = fqdn
         self.realm = realm_name
         self.suffix = ipautil.realm_to_suffix(self.realm)
+        self.kasp_db_file = kasp_db_file
 
         try:
             self.stop()
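Review bot: `self.kasp_db_file` is introduced as an instance attribute only inside create_instance, so `__setup_dnssec`, which reads it in a later hunk, would raise AttributeError on an instance that was constructed but never passed through create_instance. The `__init__` hunk on this same line touches the constructor already; initialising `self.kasp_db_file = None` there, presumably next to the other per-instance attributes (the body is outside the hunk), would make the attribute unconditional. That `__init__` hunk also flips the autobind default from `AUTOBIND_DISABLED` to `AUTOBIND_ENABLED`, which the commit message does not mention and which every caller relying on the old default inherits; a one-line comment such as `# LDAPI autobind is required for the uninstall/key-master paths added below` (or whatever the actual reason is) would save the next reader from guessing.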
@@ -152,6 +157,21 @@ class OpenDNSSECInstance(service.Service):
         except errors.DuplicateEntry:
             root_logger.error("DNSSEC service already exists")
 
+        # add the KEYMASTER identifier into ipaConfigString
+        # this is needed for the re-enabled DNSSEC master
+        dn = DN(('cn', 'DNSSEC'), ('cn', self.fqdn), api.env.container_masters,
+                api.env.basedn)
+        try:
+            entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
+        except errors.NotFound as e:
+            root_logger.error(
+                "DNSSEC service entry not found in the LDAP (%s)", e)
+        else:
+            config = entry.setdefault('ipaConfigString', [])
+            if KEYMASTER not in config:
+                config.append(KEYMASTER)
+                self.admin_conn.update_entry(entry)
+
     def __setup_conf_files(self):
         if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE):
             self.fstore.backup_file(paths.OPENDNSSEC_CONF_FILE)
@@ -250,7 +270,7 @@ class OpenDNSSECInstance(service.Service):
 
     def __setup_dnssec(self):
         # run once only
-        if self.get_state("KASP_DB_configured"):
+        if self.get_state("KASP_DB_configured") and not self.kasp_db_file:
             root_logger.debug("Already configured, skipping step")
             return
 
@@ -259,13 +279,33 @@ class OpenDNSSECInstance(service.Service):
         if not self.fstore.has_file(paths.OPENDNSSEC_KASP_DB):
             self.fstore.backup_file(paths.OPENDNSSEC_KASP_DB)
 
-        command = [
-            paths.ODS_KSMUTIL,
-            'setup'
-        ]
+        if self.kasp_db_file:
+            # copy user specified kasp.db to proper location and set proper
+            # privileges
+            shutil.copy(self.kasp_db_file, paths.OPENDNSSEC_KASP_DB)
+            os.chown(paths.OPENDNSSEC_KASP_DB, self.ods_uid, self.ods_gid)
+            os.chmod(paths.OPENDNSSEC_KASP_DB, 0660)
+
+            # regenerate zonelist.xml
+            ods_enforcerd = services.knownservices.ods_enforcerd
+            cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
+            stdout, stderr, retcode = ipautil.run(cmd,
+                                                  runas=ods_enforcerd.get_user_name())
+            with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
+                zonelistf.write(stdout)
+            os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
+                     self.ods_uid, self.ods_gid)
+            os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0660)
 
-        ods_enforcerd = services.knownservices.ods_enforcerd
-        ipautil.run(command, stdin="y", runas=ods_enforcerd.get_user_name())
+        else:
+            # initialize new kasp.db
+            command = [
+                paths.ODS_KSMUTIL,
+                'setup'
+            ]
+
+            ods_enforcerd = services.knownservices.ods_enforcerd
+            ipautil.run(command, stdin="y", runas=ods_enforcerd.get_user_name())
 
     def __setup_dnskeysyncd(self):
         # set up dnskeysyncd this is DNSSEC master
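Review bot: The imported kasp.db carries the mode bits of the admin-supplied source file between `shutil.copy` and the `os.chmod(..., 0660)` two lines later, and the regenerated zonelist is created with the process umask before its own chmod, so both files can be briefly more permissive than intended in a directory the ods user serves from. `shutil.copyfile(self.kasp_db_file, paths.OPENDNSSEC_KASP_DB)` copies content without the source's mode, and the zonelist can be created restricted from the start with `fd = os.open(paths.OPENDNSSEC_ZONELIST_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0660)` followed by `with os.fdopen(fd, 'w') as zonelistf:`, keeping the existing chown/chmod calls afterwards since the open mode is still umask-filtered. On the `zonelist export` call, `stderr` and `retcode` are unpacked but never used; if ipautil.run raises on a non-zero exit, as the `except CalledProcessError` in a later hunk suggests, `stdout, _, _ = ...` makes that intent explicit. The enclosing `__setup_dnssec` begins before this hunk.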
@@ -286,6 +326,44 @@ class OpenDNSSECInstance(service.Service):
         running = self.restore_state("running")
         enabled = self.restore_state("enabled")
 
+        # stop DNSSEC services before backing up kasp.db
+        try:
+            self.stop()
+        except Exception:
+            pass
+
+        ods_exporter = services.service('ipa-ods-exporter')
+        try:
+            ods_exporter.stop()
+        except Exception:
+            pass
+
+        # remove directive from ipa-dnskeysyncd, this server is not DNSSEC
+        # master anymore
+        installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
+                                   'ISMASTER', None,
+                                   quotes=False, separator='=')
+
+        if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):
+
+            # force to export data
+            ods_enforcerd = services.knownservices.ods_enforcerd
+            cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
+            try:
+                ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
+            except CalledProcessError:
+                root_logger.debug("OpenDNSSEC database has not been updated")
+
+            try:
+                shutil.copy(paths.OPENDNSSEC_KASP_DB,
+                            paths.IPA_KASP_DB_BACKUP)
+            except IOError as e:
+                root_logger.error(
+                    "Unable to backup OpenDNSSEC database: %s", e)
+            else:
+                root_logger.info("OpenDNSSEC database backed up in %s",
+                                 paths.IPA_KASP_DB_BACKUP)
+
         for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
                   paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS]:
             try:
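Review bot: `except IOError as e` around the `shutil.copy` backup does not cover the `OSError` that `shutil.copy` can raise from its `copymode` step (`os.chmod` on the destination); the file uses Python 2 octal literals (`0660`), where `OSError` is not a subclass of `IOError`, so a permission problem on the backup location would abort the uninstall with a traceback instead of the logged error. `except (IOError, OSError) as e:` keeps the intended best-effort behaviour. Separately, a failed `ipa-full-update` is only logged at debug level, yet the commit message says the backed-up kasp.db is what the admin must carry to the replacement master, so a stale export goes unnoticed; `root_logger.warning("OpenDNSSEC database has not been updated")` would surface it without changing the flow. The enclosing `uninstall` begins before and continues after this hunk.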