ipa/freeipa-refactor-dnssec-paths.patch

76 lines
3.0 KiB
Diff
Raw Normal View History

2020-12-16 06:11:09 +00:00
From 44669a5a35970020d492cba644d0584bcc68774f Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 14 Dec 2020 17:44:38 +0100
Subject: [PATCH] Change mkdir logic in DNSSEC
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaserver/dnssec/bindmgr.py | 7 +++----
ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++------
ipaserver/install/server/upgrade.py | 1 +
3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 4f7cad89344..a15c0e601a2 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -182,10 +182,9 @@ def sync_zone(self, zone):
zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
self.get_zone_dir_name(zone))
try:
- os.makedirs(zone_path)
- except OSError as e:
- if e.errno != errno.EEXIST:
- raise e
+ os.mkdir(zone_path, 0o770)
+ except FileExistsError:
+ pass
# fix HSM permissions
# TODO: move out
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 26c1d9c7516..16870b73b5c 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -66,12 +66,19 @@ def set_dyndb_ldap_workdir_permissions(self):
"""
Setting up correct permissions to allow write/read access for daemons
"""
- if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
- os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
- # dnssec daemons require to have access into the directory
- os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
- os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
- self.named_gid)
+ directories = [
+ paths.BIND_LDAP_DNS_IPA_WORKDIR,
+ paths.BIND_LDAP_DNS_ZONE_WORKDIR,
+ ]
+ for directory in directories:
+ try:
+ os.mkdir(directory, 0o770)
+ except FileExistsError:
+ pass
+ else:
+ os.chmod(directory, 0o770)
+ # dnssec daemons require to have access into the directory
+ os.chown(directory, self.named_uid, self.named_gid)
def remove_replica_public_keys(self, replica_fqdn):
ldap = api.Backend.ldap2
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 18891d53c7d..c453e16b08a 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1749,6 +1749,7 @@ def upgrade_configuration():
else:
if dnssec_set_openssl_engine(dnskeysyncd):
dnskeysyncd.start_dnskeysyncd()
+ dnskeysyncd.set_dyndb_ldap_workdir_permissions()
cleanup_kdc(fstore)
cleanup_adtrust(fstore)