path: root/ipaserver/install/odsexporterinstance.py
authorMartin Basti <mbasti@redhat.com>2014-10-16 16:03:46 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-21 12:23:03 +0200
commit9101cfa60f715d03bcb4b0c88a69899b102a16bc (patch)
treec5a19a2598769ada5e24d8630e8012249d691886 /ipaserver/install/odsexporterinstance.py
parenteb548147413d63ca368bb92aaca126fd59fc0bee (diff)
downloadfreeipa-9101cfa60f715d03bcb4b0c88a69899b102a16bc.tar.gz
freeipa-9101cfa60f715d03bcb4b0c88a69899b102a16bc.tar.xz
freeipa-9101cfa60f715d03bcb4b0c88a69899b102a16bc.zip
DNSSEC: opendnssec services
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/install/odsexporterinstance.py')
-rw-r--r--ipaserver/install/odsexporterinstance.py179
1 files changed, 179 insertions, 0 deletions
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
new file mode 100644
index 000000000..57b1451c0
--- /dev/null
+++ b/ipaserver/install/odsexporterinstance.py
@@ -0,0 +1,179 @@
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+import service
+import installutils
+import os
+import pwd
+import grp
+
+import ldap
+
+from ipapython.ipa_log_manager import *
+from ipapython.dn import DN
+from ipapython import sysrestore, ipautil, ipaldap
+from ipaplatform.paths import paths
+from ipaplatform import services
+from ipalib import errors
+
+
+class ODSExporterInstance(service.Service):
+ def __init__(self, fstore=None, dm_password=None):
+ service.Service.__init__(
+ self, "ipa-ods-exporter",
+ service_desc="IPA OpenDNSSEC exporter daemon",
+ dm_password=dm_password,
+ ldapi=False,
+ autobind=ipaldap.AUTOBIND_DISABLED
+ )
+ self.dm_password = dm_password
+ self.ods_uid = None
+ self.ods_gid = None
+ self.enable_if_exists = False
+
+ if fstore:
+ self.fstore = fstore
+ else:
+ self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
+
+ suffix = ipautil.dn_attribute_property('_suffix')
+
+ def create_instance(self, fqdn, realm_name):
+ self.backup_state("enabled", self.is_enabled())
+ self.backup_state("running", self.is_running())
+ self.fqdn = fqdn
+ self.realm = realm_name
+ self.suffix = ipautil.realm_to_suffix(self.realm)
+
+ try:
+ self.stop()
+ except:
+ pass
+
+ # get a connection to the DS
+ self.ldap_connect()
+ # checking status step must be first
+ self.step("checking status", self.__check_dnssec_status)
+ self.step("setting up DNS Key Exporter", self.__setup_key_exporter)
+ self.step("setting up kerberos principal", self.__setup_principal)
+ self.step("disabling default signer daemon", self.__disable_signerd)
+ self.step("starting DNS Key Exporter", self.__start)
+ self.step("configuring DNS Key Exporter to start on boot", self.__enable)
+ self.start_creation()
+
+ def __check_dnssec_status(self):
+ ods_enforcerd = services.knownservices.ods_enforcerd
+
+ try:
+ self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
+ except KeyError:
+ raise RuntimeError("OpenDNSSEC UID not found")
+
+ try:
+ self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
+ except KeyError:
+ raise RuntimeError("OpenDNSSEC GID not found")
+
+ def __enable(self):
+
+ try:
+ self.ldap_enable('DNSKeyExporter', self.fqdn, self.dm_password,
+ self.suffix)
+ except errors.DuplicateEntry:
+ root_logger.error("DNSKeyExporter service already exists")
+ self.enable()
+
+ def __setup_key_exporter(self):
+ installutils.set_directive(paths.SYSOCNFIG_IPA_ODS_EXPORTER,
+ 'SOFTHSM2_CONF',
+ paths.DNSSEC_SOFTHSM2_CONF,
+ quotes=False, separator='=')
+
+ def __setup_principal(self):
+ assert self.ods_uid is not None
+ dns_exporter_principal = "ipa-ods-exporter/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(dns_exporter_principal)
+
+ # Store the keytab on disk
+ installutils.create_keytab(paths.IPA_ODS_EXPORTER_KEYTAB, dns_exporter_principal)
+ p = self.move_service(dns_exporter_principal)
+ if p is None:
+ # the service has already been moved, perhaps we're doing a DNS reinstall
+ dns_exporter_principal_dn = DN(
+ ('krbprincipalname', dns_exporter_principal),
+ ('cn', 'services'), ('cn', 'accounts'), self.suffix)
+ else:
+ dns_exporter_principal_dn = p
+
+ # Make sure access is strictly reserved to the ods user
+ os.chmod(paths.IPA_ODS_EXPORTER_KEYTAB, 0440)
+ os.chown(paths.IPA_ODS_EXPORTER_KEYTAB, 0, self.ods_gid)
+
+ dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
+ ('cn', 'pbac'), self.suffix)
+ mod = [(ldap.MOD_ADD, 'member', dns_exporter_principal_dn)]
+
+ try:
+ self.admin_conn.modify_s(dns_group, mod)
+ except ldap.TYPE_OR_VALUE_EXISTS:
+ pass
+ except Exception, e:
+ root_logger.critical("Could not modify principal's %s entry: %s"
+ % (dns_exporter_principal_dn, str(e)))
+ raise
+
+ # limit-free connection
+
+ mod = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
+ (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
+ (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
+ (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
+ try:
+ self.admin_conn.modify_s(dns_exporter_principal_dn, mod)
+ except Exception, e:
+ root_logger.critical("Could not set principal's %s LDAP limits: %s"
+ % (dns_exporter_principal_dn, str(e)))
+ raise
+
+ def __disable_signerd(self):
+ signerd_service = services.knownservices.ods_signerd
+
+ self.backup_state("singerd_running", signerd_service.is_running())
+ self.backup_state("singerd_enabled", signerd_service.is_enabled())
+
+ # disable default opendnssec signer daemon
+ signerd_service.stop()
+ signerd_service.mask()
+
+ def __start(self):
+ self.start()
+
+ def uninstall(self):
+ if not self.is_configured():
+ return
+
+ self.print_msg("Unconfiguring %s" % self.service_name)
+
+ running = self.restore_state("running")
+ enabled = self.restore_state("enabled")
+
+ if enabled is not None and not enabled:
+ self.disable()
+
+ if running is not None and running:
+ self.start()
+
+ # restore state of dnssec default signer daemon
+ signerd_enabled = self.restore_state("singerd_enabled")
+ signerd_running = self.restore_state("singerd_runnning")
+ signerd_service = services.knownservices.ods_signerd
+
+ signerd_service.unmask()
+
+ # service was stopped and disabled by setup
+ if signerd_enabled:
+ signerd_service.enable()
+
+ if signerd_running:
+ signerd_service.start()
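Review bot: The uninstall path never restarts the OpenDNSSEC signer it stopped, because `__disable_signerd` saves the running flag under the key "singerd_running" while `uninstall` reads back "singerd_runnning" (three n's), so `restore_state` returns None, the `if signerd_running:` branch is dead, and the stale key is left behind in the sysrestore state file; the one-line fix is `signerd_running = self.restore_state("singerd_running")`, ideally with both keys hoisted into a single module constant so they cannot drift again. Separately, the `try: self.stop() except: pass` in `create_instance` is a bare except that also swallows KeyboardInterrupt/SystemExit; `except Exception as e: root_logger.debug("stop failed: %s", e)` keeps the best-effort intent without hiding everything. The comment above the chmod/chown of the keytab says access is reserved to the ods user, but 0440 root:ods_gid actually grants read to the whole ods group — either the comment or the mode should be adjusted to say what is intended. The `paths.SYSOCNFIG_IPA_ODS_EXPORTER` name looks like a typo for SYSCONFIG; it presumably matches the attribute defined in ipaplatform.paths, but it is worth confirming rather than relying on the misspelling being consistent.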