author | Martin Basti <mbasti@redhat.com> | 2016-06-12 18:05:48 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-06-17 15:22:24 +0200 |
commit | 45a93265740fdfc14e6ee8785f844f8d34508fc4 (patch) | |
tree | 2b17e7e5b9b0ac21ec599f4295860f28a2eca778 /ipaserver | |
parent | e23159596e1851f156461d00b9f9f99dc698e12b (diff) | |
DNS Locations: use dns_update_service_records in installers
use the dns_update_system_records command to set proper DNS records
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/bindinstance.py | 142 | ||||
-rw-r--r-- | ipaserver/install/ca.py | 2 | ||||
-rw-r--r-- | ipaserver/install/dns.py | 3 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 8 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 7 |
5 files changed, 44 insertions, 118 deletions
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 78e753592..9df4f7ad9 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -30,6 +30,10 @@ import time
 import ldap
 import six
+from ipaserver.dns_data_management import (
+ IPASystemRecords,
+ IPADomainIsNotManagedByIPAError,
+)
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
@@ -692,7 +696,6 @@ class BindInstance(service.Service):
 self.step("setting up records for other masters", self.__add_others)
 # all zones must be created before this step
 self.step("adding NS record to the zones", self.__add_self_ns)
- self.step("setting up CA record", self.__add_ipa_ca_record)
 self.step("setting up kerberos principal", self.__setup_principal)
 self.step("setting up named.conf", self.__setup_named_conf)
@@ -858,15 +861,7 @@ class BindInstance(service.Service):
 else:
 host_in_rr = normalize_zone(fqdn)
- srv_records = (
- ("_ldap._tcp", "0 100 389 %s" % host_in_rr),
- ("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
- ("_kerberos._udp", "0 100 88 %s" % host_in_rr),
- ("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
- ("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
- ("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
- ("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
- )
+ srv_records = ()
 if self.ntp:
 srv_records += (
 ("_ntp._udp", "0 100 123 %s" % host_in_rr),
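Review bot: After this hunk `srv_records` starts out empty and only the `_ntp._udp` entry is still assembled by hand, while the LDAP, Kerberos and kpasswd SRV records that used to live here are now produced by `IPASystemRecords.update_dns_records()` via `update_system_records`; nothing at this site says so, so the next maintainer may re-add them and create two owners for the same names. A one-line comment above `srv_records = ()` would prevent that, e.g. `# LDAP/Kerberos/kpasswd SRV records are owned by IPASystemRecords (see update_system_records); only the per-master NTP record is still added here`. The enclosing method (presumably `__add_master_records`, which the next hunk calls) begins before this hunk and continues after it, so how the now possibly empty tuple is consumed when `self.ntp` is false could not be checked from the visible lines.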
@@ -916,63 +911,6 @@ class BindInstance(service.Service):
 root_logger.debug("Adding DNS records for master %s" % fqdn)
 self.__add_master_records(fqdn, addrs)
- def __add_ipa_ca_records(self, fqdn, addrs, ca_configured):
- if ca_configured is False:
- root_logger.debug("CA is not configured")
- return
- elif ca_configured is None:
- # we do not know if CA is configured for this host and we can
- add the CA record. So we need to find out
- root_logger.debug("Check if CA is enabled for this host")
- base_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
- ('cn', 'etc'), self.api.env.basedn)
- ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))'
- try:
- self.api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn)
- except ipalib.errors.NotFound:
- root_logger.debug("CA is not configured")
- return
- else:
- root_logger.debug("CA is configured for this host")
- try:
- for addr in addrs:
- add_fwd_rr(self.domain, IPA_CA_RECORD, addr, api=self.api)
- except errors.ValidationError:
- # there is a CNAME record in ipa-ca, we can't add A/AAAA records
- pass
- def __add_ipa_ca_record(self):
- self.__add_ipa_ca_records(self.fqdn, self.ip_addresses,
- self.ca_configured)
- if self.first_instance:
- ldap = self.api.Backend.ldap2
- try:
- entries = ldap.get_entries(
- DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
- self.api.env.basedn),
- ldap.SCOPE_SUBTREE, '(&(objectClass=ipaConfigObject)(cn=CA))',
- ['dn'])
- except errors.NotFound:
- root_logger.debug('No server with CA found')
- entries = []
- for entry in entries:
- fqdn = entry.dn[1]['cn']
- if fqdn == self.fqdn:
- continue
- host, zone = fqdn.split('.', 1)
- if dns_zone_exists(zone, self.api):
- addrs = get_fwd_rr(zone, host, api=self.api)
- else:
- addrs = dnsutil.resolve_ip_addresses(fqdn)
- # hack, will go away with locations
- addrs = [str(addr) for addr in addrs]
- self.__add_ipa_ca_records(fqdn, addrs, True)
 def __setup_principal(self):
 dns_principal = "DNS/" + self.fqdn + "@" + self.realm
 installutils.kadmin_addprinc(dns_principal)
@@ -1088,28 +1026,14 @@ class BindInstance(service.Service):
 self.zonemgr = 'hostmaster.%s' % self.domain
 self.__add_self()
- self.__add_ipa_ca_record()
- def add_ipa_ca_dns_records(self, fqdn, domain_name, ca_configured=True):
- host, zone = fqdn.split(".", 1)
- if dns_zone_exists(zone, self.api):
- addrs = get_fwd_rr(zone, host, api=self.api)
- else:
- addrs = dnsutil.resolve_ip_addresses(fqdn)
- # hack, will go away with locations
- addrs = [str(addr) for addr in addrs]
- self.domain = domain_name
- self.__add_ipa_ca_records(fqdn, addrs, ca_configured)
- def convert_ipa_ca_cnames(self, domain_name):
+ def remove_ipa_ca_cnames(self, domain_name):
 # get ipa-ca CNAMEs
 cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
 if not cnames:
 return
- root_logger.info('Converting IPA CA CNAME records to A/AAAA records')
+ root_logger.info('Removing IPA CA CNAME records')
 # create CNAME to FQDN mapping
 cname_fqdn = {}
@@ -1136,34 +1060,21 @@ class BindInstance(service.Service):
 fqdn = cname_fqdn[cname]
 if fqdn not in masters:
 root_logger.warning(
- "Cannot convert IPA CA CNAME records to A/AAAA records, "
- "please convert them manually if necessary")
+ "Cannot remove IPA CA CNAME please remove them manually "
+ "if necessary")
 return
 # delete all CNAMEs
 for cname in cnames:
 del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api)
- # add A/AAAA records
- for cname in cnames:
- fqdn = cname_fqdn[cname]
- self.add_ipa_ca_dns_records(fqdn, domain_name, None)
-
 def remove_master_dns_records(self, fqdn, realm_name, domain_name):
 host, zone = fqdn.split(".", 1)
 self.host = host
 self.fqdn = fqdn
 self.domain = domain_name
- suffix = ipautil.realm_to_suffix(realm_name)
 resource_records = (
- ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
- ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
- ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
- ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
 ("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
 )
@@ -1179,18 +1090,7 @@ class BindInstance(service.Service):
 record = get_reverse_record_name(rzone, rdata)
 del_rr(rzone, record, "PTR", normalize_zone(fqdn), api=self.api)
-
- def remove_ipa_ca_dns_records(self, fqdn, domain_name):
- host, zone = fqdn.split(".", 1)
- if dns_zone_exists(zone, self.api):
- addrs = get_fwd_rr(zone, host, api=self.api)
- else:
- addrs = dnsutil.resolve_ip_addresses(fqdn)
- # hack, will go away with locations
- addrs = [str(addr) for addr in addrs]
- for addr in addrs:
- del_fwd_rr(domain_name, IPA_CA_RECORD, addr, api=self.api)
+ self.update_system_records()
 def remove_server_ns_records(self, fqdn):
 """
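Review bot: `remove_master_dns_records` now ends with `self.update_system_records()` (last added line of the second hunk), and since that method regenerates the system records from what the API currently considers masters, the removed master's SRV and CA records are only dropped if its entry is already gone from the masters container when this runs; if a caller invokes it earlier, stale records pointing at a decommissioned host are re-created instead of removed. The call order is an invariant of the caller and deserves a comment here, e.g. `# must run after the master has been removed from cn=masters, otherwise its records are regenerated` — the caller is outside this commit, so whether it honours that order could not be confirmed. In the first hunk, deleting `suffix = ipautil.realm_to_suffix(realm_name)` leaves `realm_name` apparently unused in the visible part of the method; if nothing below the hunk reads it, the parameter should be documented as retained for compatibility. The reworded warning `"Cannot remove IPA CA CNAME please remove them manually "` also reads oddly; `"Cannot remove IPA CA CNAME records, please remove them manually "` keeps the meaning and the line break.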
@@ -1224,6 +1124,28 @@ class BindInstance(service.Service):
 root_logger.debug("record %s in zone %s", record, zone)
 del_ns_rr(zone, record, ns_rdata, api=self.api)
+ def update_system_records(self):
+ self.print_msg("Updating DNS system records")
+ system_records = IPASystemRecords(self.api)
+ try:
+ (
+ (_ipa_rec, failed_ipa_rec),
+ (_loc_rec, failed_loc_rec)
+ ) = system_records.update_dns_records()
+ except IPADomainIsNotManagedByIPAError:
+ root_logger.error(
+ "IPA domain is not managed by IPA, please update records "
+ "manually")
+ else:
+ if failed_ipa_rec or failed_loc_rec:
+ root_logger.error("Update of following records failed:")
+ for attr in (failed_ipa_rec, failed_loc_rec):
+ for rname, node, error in attr:
+ for record, e in IPASystemRecords.records_list_from_node(
+ rname, node
+ ):
+ root_logger.error("%s (%s)", record, e)
+
 def check_global_configuration(self):
 """
 Check global DNS configuration in LDAP server and inform user when it
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index ac72c7688..bce804ac1 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -253,7 +253,7 @@ def install_step_1(standalone, replica_config, options):
 # Install CA DNS records
 if bindinstance.dns_container_exists(host_name, basedn, dm_password):
 bind = bindinstance.BindInstance(dm_password=dm_password)
- bind.add_ipa_ca_dns_records(host_name, domain_name)
+ bind.update_system_records()
 def uninstall():
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 0fb869a7b..2ea11739e 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -359,6 +359,9 @@ def install(standalone, replica, options, api=api):
 dnskeysyncd.start_dnskeysyncd()
 bind.start_named()
+ # this must be done when bind is started and operational
+ bind.update_system_records()
+
 if standalone:
 print("==============================================================================")
 print("Setup complete")
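Review bot: In `update_system_records` the `error` unpacked from each `(rname, node, error)` triple is never logged; the message uses `e` from unpacking the items of `IPASystemRecords.records_list_from_node(rname, node)`, and if that helper returns plain record strings, as its name suggests, the inner loop either splits each string into its first two characters or raises on longer ones. The intended lines are probably `for record in IPASystemRecords.records_list_from_node(rname, node):` followed by `root_logger.error("%s (%s)", record, error)`. Separately, both failure paths only log and the method returns None, so the callers introduced in ca.py, dns.py, replicainstall.py and upgrade.py proceed as if the records were written, and a missing SRV or CA record leaves clients unable to locate services without any installer-level failure. A docstring stating that failures are only reported through the log, or better a boolean return the callers can act on, would make this explicit.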
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f59788047..3801f7949 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -840,9 +840,11 @@ def install(installer):
 if config.setup_ca:
 services.knownservices['pki_tomcatd'].restart('pki-tomcat')
+ api.Backend.ldap2.connect(autobind=True)
 if options.setup_dns:
- api.Backend.ldap2.connect(autobind=True)
 dns.install(False, True, options)
+ else:
+ api.Command.dns_update_system_records()
 # Restart httpd to pick up the new IPA configuration
 service.print_msg("Restarting the web server")
@@ -1469,9 +1471,11 @@ def promote(installer):
 server_api.bootstrap(in_server=True, context='installer')
 server_api.finalize()
+ server_api.Backend.ldap2.connect(autobind=True)
 if options.setup_dns:
- server_api.Backend.ldap2.connect(autobind=True)
 dns.install(False, True, options, server_api)
+ else:
+ server_api.Command.dns_update_system_records()
 # Everything installed properly, activate ipa service.
 services.knownservices.ipa.enable()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 044e36494..eacd43939 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1105,12 +1105,9 @@ def add_ca_dns_records():
 bind = bindinstance.BindInstance()
- bind.convert_ipa_ca_cnames(api.env.domain)
+ bind.remove_ipa_ca_cnames(api.env.domain)
- # DNS is enabled, so let bindinstance find out if CA is enabled
- # and let it add the record in that case
- bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
- ca_configured=None)
+ bind.update_system_records()
 sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
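Review bot: In the new `else` branches of both replicainstall.py hunks (`install` and `promote`) the result of `api.Command.dns_update_system_records()` / `server_api.Command.dns_update_system_records()` is discarded, so if the command reports per-record failures the way `IPASystemRecords.update_dns_records()` does in bindinstance.py, a replica whose SRV or CA records were not registered in the remote IPA DNS finishes installation without any log entry, unlike the `dns.install` path which goes through `BindInstance.update_system_records`. Capture and inspect the result, e.g. `result = api.Command.dns_update_system_records()` followed by logging of its failed entries (the result's shape is not visible here and needs checking against the command). A comment such as `# no local DNS server: register this replica's system records in the IPA-managed DNS` would also explain why the command now runs unconditionally; the `ldap2.connect(autobind=True)` call moved ahead of the `if` is what both branches rely on.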
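Review bot: In the upgrade.py hunk, `sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)` is recorded right after `bind.update_system_records()`, but that method (added in bindinstance.py by this commit) only logs on `IPADomainIsNotManagedByIPAError` or on per-record failures and returns nothing, so the upgrade marks the CA DNS records as done even when none were written and will not retry on the next run, while `remove_ipa_ca_cnames` has already deleted the legacy CNAMEs. Either have `update_system_records` signal failure and guard the state update on it, or acknowledge the one-shot behaviour in a comment: `# update_system_records() only logs failures; the upgrade state is set regardless, so a failed run has to be repaired with the dns_update_system_records command`. The previous comment explaining why the records were added here was dropped without a replacement.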