Support OpenDNSSEC 2.1

Resolves: #1809492
2020-03-03 17:01:29 +02:00 · 2020-03-03 17:01:29 +02:00 · 7bdea0a373
commit 7bdea0a373
parent 485092e39c
2 changed files with 131 additions and 2 deletions
--- a/freeipa-4.8-opendnssec-2.1-support.patch
+++ b/freeipa-4.8-opendnssec-2.1-support.patch
@ -0,0 +1,124 @@
+From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 2 Mar 2020 16:49:48 +0100
+Subject: [PATCH 1/3] Support opendnssec 2.1.6
+
+The installation of IPA DNS server is using ods-ksmutil, but
+openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
+is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup.
+
+The master branch currently supports fedora 30+, but fedora 30 and 31 are
+still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
+Because of this, the code needs to check at run-time if the ods-ksmutil
+command is available. If the file is missing, the code falls back to
+the new ods-enforcer and ods-enforcer-db-setup commands.
+
+This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
+for all platforms, but the commands are used only if ods-ksmutil is not found.
+
+Fixes: https://pagure.io/freeipa/issue/8214
+---
+ ipaplatform/base/paths.py   | 4 ++--
+ ipaplatform/base/tasks.py   | 6 ++++--
+ ipaplatform/debian/paths.py | 2 --
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index f3a95500e3..0efe8b5a90 100644
+--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
+@@ -190,8 +190,8 @@ class BasePathNamespace:
+     NSUPDATE = "/usr/bin/nsupdate"
+     ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+     ODS_SIGNER = "/usr/sbin/ods-signer"
+-    ODS_ENFORCER = None
+-    ODS_ENFORCER_DB_SETUP = None
+    ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+    ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
+     OPENSSL = "/usr/bin/openssl"
+     PK12UTIL = "/usr/bin/pk12util"
+     SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index 86617a07f5..d36039aa23 100644
+--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
+@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None):
+     def run_ods_setup(self):
+         """Initialize a new kasp.db
+         """
+-        if paths.ODS_KSMUTIL is not None:
+        if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+            # OpenDNSSEC 1.4
+             cmd = [paths.ODS_KSMUTIL, 'setup']
+         else:
+            # OpenDNSSEC 2.x
+             cmd = [paths.ODS_ENFORCER_DB_SETUP]
+         return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
+ 
+@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs):
+         """
+         assert params[0] != 'setup'
+ 
+-        if paths.ODS_KSMUTIL is not None:
+        if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+             # OpenDNSSEC 1.4
+             cmd = [paths.ODS_KSMUTIL]
+         else:
+diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
+index 764b5a2815..3a28c70ff4 100644
+--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
+@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace):
+     SBIN_SERVICE = "/usr/sbin/service"
+     CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
+     ODS_KSMUTIL = None
+-    ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+-    ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
+     UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
+     BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
+     BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
+
+From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Tue, 3 Mar 2020 08:00:58 +0100
+Subject: [PATCH 3/3] Remove the <Interval> from opendnssec conf
+
+In opendnssec 2.1.6, the <Interval> element is not supported in the
+configuration file.
+
+Related: https://pagure.io/freeipa/issue/8214
+---
+ install/share/opendnssec_conf.template  | 2 +-
+ ipaserver/install/opendnssecinstance.py | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
+index 3d01fb4156..5658693ac3 100644
+--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
+@@ -33,7 +33,7 @@
+ 		</Privileges>
+ 
+ 		<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
+-		<Interval>PT3600S</Interval>
+		$INTERVAL
+ 		<!-- <ManualKeyGeneration/> -->
+ 		<!-- <RolloverNotification>P14D</RolloverNotification> -->
+ 
+diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
+index df39705a44..6354521b4e 100644
+--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
+@@ -179,6 +179,12 @@ def __setup_conf_files(self):
+         # add pin to template
+         sub_conf_dict = self.conf_file_dict
+         sub_conf_dict['PIN'] = pin
+        if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+            # OpenDNSSEC 1.4
+            sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
+        else:
+            # OpenDNSSEC 2.x
+            sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'
+ 
+         ods_conf_txt = ipautil.template_file(
+             os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
--- a/freeipa.spec
+++ b/freeipa.spec
@ -143,7 +143,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -158,6 +158,7 @@ Patch1:         krb5-kdb-fixes.patch
 Patch2:         krb5-1.18-support.patch
 Patch3:         krb5-1.18-support-constraint-delegation.patch
 Patch4:         krb5-pg8200.patch
+Patch5:         freeipa-4.8-opendnssec-2.1-support.patch

 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -450,7 +451,7 @@ Requires: bind >= 9.11.0-6.P2
 Requires: bind-utils >= 9.11.0-6.P2
 Requires: bind-pkcs11 >= 9.11.0-6.P2
 Requires: bind-pkcs11-utils >= 9.11.0-6.P2
-Requires: opendnssec >= 1.4.6-4
+Requires: opendnssec >= 2.1.6-3
 %{?systemd_requires}

 Provides: %{alt_name}-server-dns = %{version}
@ -1364,6 +1365,10 @@ fi


 %changelog
+* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-8
+- Support opendnssec 2.1
+- Resolves: #1809492
+
 * Mon Feb 17 2020 François Cami <fcami@redhat.com> - 4.8.4-7
 - Fix audit_as_req() callback usage
 - Resolves: #1803786