authorMartin Basti <mbasti@redhat.com>2016-06-12 18:05:48 +0200
committerMartin Basti <mbasti@redhat.com>2016-06-17 15:22:24 +0200
commit45a93265740fdfc14e6ee8785f844f8d34508fc4 (patch)
tree2b17e7e5b9b0ac21ec599f4295860f28a2eca778
parente23159596e1851f156461d00b9f9f99dc698e12b (diff)
downloadfreeipa-45a93265740fdfc14e6ee8785f844f8d34508fc4.tar.gz
freeipa-45a93265740fdfc14e6ee8785f844f8d34508fc4.tar.xz
freeipa-45a93265740fdfc14e6ee8785f844f8d34508fc4.zip
DNS Locations: use dns_update_service_records in installers
Use the dns_update_system_records command to set the proper DNS records. https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rwxr-xr-xinstall/tools/ipa-csreplica-manage2
-rwxr-xr-xinstall/tools/ipa-replica-manage1
-rw-r--r--ipaserver/install/bindinstance.py142
-rw-r--r--ipaserver/install/ca.py2
-rw-r--r--ipaserver/install/dns.py3
-rw-r--r--ipaserver/install/server/replicainstall.py8
-rw-r--r--ipaserver/install/server/upgrade.py7
7 files changed, 45 insertions, 120 deletions
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index f271863b8..a0a61b540 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -286,7 +286,7 @@ def del_master(realm, hostname, options):
if bindinstance.dns_container_exists(options.host, api.env.basedn,
dm_password=options.dirman_passwd):
bind = bindinstance.BindInstance()
- bind.remove_ipa_ca_dns_records(hostname, realm.lower())
+ bind.update_system_records()
except Exception as e:
print("Failed to cleanup %s DNS entries: %s" % (hostname, e))
print("You may need to manually remove them from the tree")
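Review bot: Failures from the new `bind.update_system_records()` call no longer reach the `except Exception` branch below it, because that method (added later in this commit) reports failed records only through `root_logger.error` and returns None rather than raising, so the "Failed to cleanup" message and the manual-removal hint will never be shown for a partially failed update. If del_master is expected to surface that, the method should return the failed record lists or a success flag that this caller checks. del_master begins before the hunk.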
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 095cca688..5a546e33c 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -898,7 +898,6 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options):
dm_password=options.dirman_passwd):
bind = bindinstance.BindInstance()
bind.remove_master_dns_records(hostname, realm, realm.lower())
- bind.remove_ipa_ca_dns_records(hostname, realm.lower())
bind.remove_server_ns_records(hostname)
keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 78e753592..9df4f7ad9 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -30,6 +30,10 @@ import time
import ldap
import six
+from ipaserver.dns_data_management import (
+ IPASystemRecords,
+ IPADomainIsNotManagedByIPAError,
+)
from ipaserver.install import installutils
from ipaserver.install import service
from ipaserver.install import sysupgrade
@@ -692,7 +696,6 @@ class BindInstance(service.Service):
self.step("setting up records for other masters", self.__add_others)
# all zones must be created before this step
self.step("adding NS record to the zones", self.__add_self_ns)
- self.step("setting up CA record", self.__add_ipa_ca_record)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up named.conf", self.__setup_named_conf)
@@ -858,15 +861,7 @@ class BindInstance(service.Service):
else:
host_in_rr = normalize_zone(fqdn)
- srv_records = (
- ("_ldap._tcp", "0 100 389 %s" % host_in_rr),
- ("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
- ("_kerberos._udp", "0 100 88 %s" % host_in_rr),
- ("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
- ("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
- ("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
- ("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
- )
+ srv_records = ()
if self.ntp:
srv_records += (
("_ntp._udp", "0 100 123 %s" % host_in_rr),
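Review bot: `srv_records = ()` followed by a conditional `+=` leaves the NTP record as the only SRV record this method still emits, which a reader of the unchanged loop further down will not expect; a conditional expression states that directly, e.g. `srv_records = (("_ntp._udp", "0 100 123 %s" % host_in_rr),) if self.ntp else ()`, together with a comment such as `# _ldap/_kerberos/_kpasswd SRV records are now written by update_system_records()`. The enclosing method starts before and continues after the hunk.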
@@ -916,63 +911,6 @@ class BindInstance(service.Service):
root_logger.debug("Adding DNS records for master %s" % fqdn)
self.__add_master_records(fqdn, addrs)
- def __add_ipa_ca_records(self, fqdn, addrs, ca_configured):
- if ca_configured is False:
- root_logger.debug("CA is not configured")
- return
- elif ca_configured is None:
- # we do not know if CA is configured for this host and we can
- # add the CA record. So we need to find out
- root_logger.debug("Check if CA is enabled for this host")
- base_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
- ('cn', 'etc'), self.api.env.basedn)
- ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
- try:
- self.api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn)
- except ipalib.errors.NotFound:
- root_logger.debug("CA is not configured")
- return
- else:
- root_logger.debug("CA is configured for this host")
-
- try:
- for addr in addrs:
- add_fwd_rr(self.domain, IPA_CA_RECORD, addr, api=self.api)
- except errors.ValidationError:
- # there is a CNAME record in ipa-ca, we can't add A/AAAA records
- pass
-
- def __add_ipa_ca_record(self):
- self.__add_ipa_ca_records(self.fqdn, self.ip_addresses,
- self.ca_configured)
-
- if self.first_instance:
- ldap = self.api.Backend.ldap2
- try:
- entries = ldap.get_entries(
- DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
- self.api.env.basedn),
- ldap.SCOPE_SUBTREE, '(&(objectClass=ipaConfigObject)(cn=CA))',
- ['dn'])
- except errors.NotFound:
- root_logger.debug('No server with CA found')
- entries = []
-
- for entry in entries:
- fqdn = entry.dn[1]['cn']
- if fqdn == self.fqdn:
- continue
-
- host, zone = fqdn.split('.', 1)
- if dns_zone_exists(zone, self.api):
- addrs = get_fwd_rr(zone, host, api=self.api)
- else:
- addrs = dnsutil.resolve_ip_addresses(fqdn)
- # hack, will go away with locations
- addrs = [str(addr) for addr in addrs]
-
- self.__add_ipa_ca_records(fqdn, addrs, True)
-
def __setup_principal(self):
dns_principal = "DNS/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dns_principal)
@@ -1088,28 +1026,14 @@ class BindInstance(service.Service):
self.zonemgr = 'hostmaster.%s' % self.domain
self.__add_self()
- self.__add_ipa_ca_record()
- def add_ipa_ca_dns_records(self, fqdn, domain_name, ca_configured=True):
- host, zone = fqdn.split(".", 1)
- if dns_zone_exists(zone, self.api):
- addrs = get_fwd_rr(zone, host, api=self.api)
- else:
- addrs = dnsutil.resolve_ip_addresses(fqdn)
- # hack, will go away with locations
- addrs = [str(addr) for addr in addrs]
-
- self.domain = domain_name
-
- self.__add_ipa_ca_records(fqdn, addrs, ca_configured)
-
- def convert_ipa_ca_cnames(self, domain_name):
+ def remove_ipa_ca_cnames(self, domain_name):
# get ipa-ca CNAMEs
cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
if not cnames:
return
- root_logger.info('Converting IPA CA CNAME records to A/AAAA records')
+ root_logger.info('Removing IPA CA CNAME records')
# create CNAME to FQDN mapping
cname_fqdn = {}
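Review bot: `remove_ipa_ca_cnames` is a renamed public method with no docstring, and the refusal to delete anything when a CNAME points at a host that is not a known master (visible in the next hunk) is not obvious from the name. Add a docstring along the lines of `"""Delete the ipa-ca CNAME records in *domain_name*. Returns without changes if no CNAMEs exist; if any CNAME target is not an IPA master, logs a warning and removes nothing."""`. The method body continues past the hunk.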
@@ -1136,34 +1060,21 @@ class BindInstance(service.Service):
fqdn = cname_fqdn[cname]
if fqdn not in masters:
root_logger.warning(
- "Cannot convert IPA CA CNAME records to A/AAAA records, "
- "please convert them manually if necessary")
+ "Cannot remove IPA CA CNAME please remove them manually "
+ "if necessary")
return
# delete all CNAMEs
for cname in cnames:
del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api)
- # add A/AAAA records
- for cname in cnames:
- fqdn = cname_fqdn[cname]
- self.add_ipa_ca_dns_records(fqdn, domain_name, None)
-
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host, zone = fqdn.split(".", 1)
self.host = host
self.fqdn = fqdn
self.domain = domain_name
- suffix = ipautil.realm_to_suffix(realm_name)
resource_records = (
- ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
- ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
- ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
)
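Review bot: With `suffix = ipautil.realm_to_suffix(realm_name)` removed, `realm_name` appears to be unused in `remove_master_dns_records` (the rest of the body lies outside the hunk and should be checked); keeping the parameter for caller compatibility is fine but deserves a comment, e.g. `# realm_name is unused; kept for API compatibility with existing callers`. The new warning text earlier in this hunk also reads awkwardly; `"Cannot remove IPA CA CNAME records, please remove them manually if necessary"` is clearer.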
@@ -1179,18 +1090,7 @@ class BindInstance(service.Service):
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", normalize_zone(fqdn),
api=self.api)
-
- def remove_ipa_ca_dns_records(self, fqdn, domain_name):
- host, zone = fqdn.split(".", 1)
- if dns_zone_exists(zone, self.api):
- addrs = get_fwd_rr(zone, host, api=self.api)
- else:
- addrs = dnsutil.resolve_ip_addresses(fqdn)
- # hack, will go away with locations
- addrs = [str(addr) for addr in addrs]
-
- for addr in addrs:
- del_fwd_rr(domain_name, IPA_CA_RECORD, addr, api=self.api)
+ self.update_system_records()
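Review bot: The `self.update_system_records()` call appended at the end of `remove_master_dns_records` presumably regenerates records from the masters currently recorded in LDAP, so if this method runs while the departing server's entry under cn=masters still exists, the records deleted just above would be recreated for it; I cannot see the callers' ordering from here, so confirm the master entry is removed first. A comment on the call such as `# requires fqdn to already be gone from cn=masters, otherwise its records are regenerated` would document the precondition. The method starts before the hunk.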
def remove_server_ns_records(self, fqdn):
"""
@@ -1224,6 +1124,28 @@ class BindInstance(service.Service):
root_logger.debug("record %s in zone %s", record, zone)
del_ns_rr(zone, record, ns_rdata, api=self.api)
+ def update_system_records(self):
+ self.print_msg("Updating DNS system records")
+ system_records = IPASystemRecords(self.api)
+ try:
+ (
+ (_ipa_rec, failed_ipa_rec),
+ (_loc_rec, failed_loc_rec)
+ ) = system_records.update_dns_records()
+ except IPADomainIsNotManagedByIPAError:
+ root_logger.error(
+ "IPA domain is not managed by IPA, please update records "
+ "manually")
+ else:
+ if failed_ipa_rec or failed_loc_rec:
+ root_logger.error("Update of following records failed:")
+ for attr in (failed_ipa_rec, failed_loc_rec):
+ for rname, node, error in attr:
+ for record, e in IPASystemRecords.records_list_from_node(
+ rname, node
+ ):
+ root_logger.error("%s (%s)", record, e)
+
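Review bot: `update_system_records` reports failures only through `root_logger.error` and returns None, so none of the callers this commit adds (ca.py, upgrade.py, ipa-csreplica-manage) can tell that records were not written; returning a success flag keeps the interface compatible, e.g. `return False` in the except branch and `return not (failed_ipa_rec or failed_loc_rec)` after the reporting loop. The `error` unpacked in `for rname, node, error in attr:` is never used while the logged `e` comes from `records_list_from_node`; if that helper does not yield a per-record error, the outer `error` is presumably what should be logged. A docstring is also missing; it should state that the method requires `self.api.Backend.ldap2` to be connected, which the replicainstall hunks arrange immediately before calling into it but which is not otherwise visible here.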
def check_global_configuration(self):
"""
Check global DNS configuration in LDAP server and inform user when it
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index ac72c7688..bce804ac1 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -253,7 +253,7 @@ def install_step_1(standalone, replica_config, options):
# Install CA DNS records
if bindinstance.dns_container_exists(host_name, basedn, dm_password):
bind = bindinstance.BindInstance(dm_password=dm_password)
- bind.add_ipa_ca_dns_records(host_name, domain_name)
+ bind.update_system_records()
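Review bot: The `dm_password=dm_password` passed to `BindInstance` on the line above no longer seems needed by the call path shown, since `update_system_records` goes through `self.api` rather than a direct bind with the DM password; if nothing else in install_step_1 uses that instance, drop the argument, otherwise add a short comment saying why the DM password is still required. install_step_1 continues outside the hunk.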
def uninstall():
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 0fb869a7b..2ea11739e 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -359,6 +359,9 @@ def install(standalone, replica, options, api=api):
dnskeysyncd.start_dnskeysyncd()
bind.start_named()
+ # this must be done when bind is started and operational
+ bind.update_system_records()
+
if standalone:
print("==============================================================================")
print("Setup complete")
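Review bot: The new comment `# this must be done when bind is started and operational` states a constraint without tying it to the code that satisfies it; `# must run after bind.start_named() above: updating the system records needs a running, operational named` makes the dependency on the preceding line explicit. Note also that any failure in `bind.update_system_records()` is only logged by that method, so "Setup complete" below is printed regardless. install() continues outside the hunk.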
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f59788047..3801f7949 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -840,9 +840,11 @@ def install(installer):
if config.setup_ca:
services.knownservices['pki_tomcatd'].restart('pki-tomcat')
+ api.Backend.ldap2.connect(autobind=True)
if options.setup_dns:
- api.Backend.ldap2.connect(autobind=True)
dns.install(False, True, options)
+ else:
+ api.Command.dns_update_system_records()
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
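Review bot: The result of `api.Command.dns_update_system_records()` is discarded, so a replica installed without DNS gets no indication that its system records failed to update, whereas the bindinstance path in this commit at least logs failed records; presumably the command returns the same failed-record lists, which should be checked or logged here and in the identical `promote()` hunk further down. `api.Backend.ldap2.connect(autobind=True)` is now unconditional, which is reasonable, but I cannot see from here whether the connection is closed later when setup_dns is false. install() continues outside the hunk.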
@@ -1469,9 +1471,11 @@ def promote(installer):
server_api.bootstrap(in_server=True, context='installer')
server_api.finalize()
+ server_api.Backend.ldap2.connect(autobind=True)
if options.setup_dns:
- server_api.Backend.ldap2.connect(autobind=True)
dns.install(False, True, options, server_api)
+ else:
+ server_api.Command.dns_update_system_records()
# Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 044e36494..eacd43939 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1105,12 +1105,9 @@ def add_ca_dns_records():
bind = bindinstance.BindInstance()
- bind.convert_ipa_ca_cnames(api.env.domain)
+ bind.remove_ipa_ca_cnames(api.env.domain)
- # DNS is enabled, so let bindinstance find out if CA is enabled
- # and let it add the record in that case
- bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
- ca_configured=None)
+ bind.update_system_records()
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
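Review bot: `sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)` is set unconditionally after `bind.update_system_records()`, but that method only logs failed records and raises nothing, so a failed update is recorded as completed and will not be retried on the next upgrade run. Gate the state on success, for example by having update_system_records return a bool and writing `if bind.update_system_records(): sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)`. add_ca_dns_records starts before the hunk.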