diff --git a/freeipa-4.8-opendnssec-2.1-support.patch b/freeipa-4.8-opendnssec-2.1-support.patch
new file mode 100644
index 0000000..c4d3942
--- /dev/null
+++ b/freeipa-4.8-opendnssec-2.1-support.patch
@@ -0,0 +1,124 @@ +From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 2 Mar 2020 16:49:48 +0100 +Subject: [PATCH 1/3] Support opendnssec 2.1.6 + +The installation of IPA DNS server is using ods-ksmutil, but +openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool +is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup. + +The master branch currently supports fedora 30+, but fedora 30 and 31 are +still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6. +Because of this, the code needs to check at run-time if the ods-ksmutil +command is available. If the file is missing, the code falls back to +the new ods-enforcer and ods-enforcer-db-setup commands. + +This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP +for all platforms, but the commands are used only if ods-ksmutil is not found. + +Fixes: https://pagure.io/freeipa/issue/8214 +--- + ipaplatform/base/paths.py | 4 ++-- + ipaplatform/base/tasks.py | 6 ++++-- + ipaplatform/debian/paths.py | 2 -- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index f3a95500e3..0efe8b5a90 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -190,8 +190,8 @@ class BasePathNamespace: + NSUPDATE = "/usr/bin/nsupdate" + ODS_KSMUTIL = "/usr/bin/ods-ksmutil" + ODS_SIGNER = "/usr/sbin/ods-signer" +- ODS_ENFORCER = None +- ODS_ENFORCER_DB_SETUP = None ++ ODS_ENFORCER = "/usr/sbin/ods-enforcer" ++ ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup" + OPENSSL = "/usr/bin/openssl" + PK12UTIL = "/usr/bin/pk12util" + SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" +diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py +index 86617a07f5..d36039aa23 100644 +--- a/ipaplatform/base/tasks.py ++++ b/ipaplatform/base/tasks.py +@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None): + def 
run_ods_setup(self): + """Initialize a new kasp.db + """ +- if paths.ODS_KSMUTIL is not None: ++ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): ++ # OpenDNSSEC 1.4 + cmd = [paths.ODS_KSMUTIL, 'setup'] + else: ++ # OpenDNSSEC 2.x + cmd = [paths.ODS_ENFORCER_DB_SETUP] + return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER) + +@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs): + """ + assert params[0] != 'setup' + +- if paths.ODS_KSMUTIL is not None: ++ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): + # OpenDNSSEC 1.4 + cmd = [paths.ODS_KSMUTIL] + else: +diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py +index 764b5a2815..3a28c70ff4 100644 +--- a/ipaplatform/debian/paths.py ++++ b/ipaplatform/debian/paths.py +@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace): + SBIN_SERVICE = "/usr/sbin/service" + CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" + ODS_KSMUTIL = None +- ODS_ENFORCER = "/usr/sbin/ods-enforcer" +- ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup" + UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates" + BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/" + BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/" + +From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 3 Mar 2020 08:00:58 +0100 +Subject: [PATCH 3/3] Remove the from opendnssec conf + +In opendnssec 2.1.6, the element is not supported in the +configuration file. 
+ +Related: https://pagure.io/freeipa/issue/8214 +--- + install/share/opendnssec_conf.template | 2 +- + ipaserver/install/opendnssecinstance.py | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template +index 3d01fb4156..5658693ac3 100644 +--- a/install/share/opendnssec_conf.template ++++ b/install/share/opendnssec_conf.template +@@ -33,7 +33,7 @@ + + + $KASP_DB +- PT3600S ++ $INTERVAL + + + +diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py +index df39705a44..6354521b4e 100644 +--- a/ipaserver/install/opendnssecinstance.py ++++ b/ipaserver/install/opendnssecinstance.py +@@ -179,6 +179,12 @@ def __setup_conf_files(self): + # add pin to template + sub_conf_dict = self.conf_file_dict + sub_conf_dict['PIN'] = pin ++ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): ++ # OpenDNSSEC 1.4 ++ sub_conf_dict['INTERVAL'] = 'PT3600S' ++ else: ++ # OpenDNSSEC 2.x ++ sub_conf_dict['INTERVAL'] = '' + + ods_conf_txt = ipautil.template_file( + os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"), diff --git a/freeipa.spec b/freeipa.spec index 218c55a..2bb4ad4 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -143,7 +143,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 7%{?dist} +Release: 8%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -158,6 +158,7 @@ Patch1: krb5-kdb-fixes.patch Patch2: krb5-1.18-support.patch Patch3: krb5-1.18-support-constraint-delegation.patch Patch4: krb5-pg8200.patch +Patch5: freeipa-4.8-opendnssec-2.1-support.patch # For the timestamp trick in patch application BuildRequires: diffstat 
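Review bot: The OpenDNSSEC version probe `paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL)` is written out three times in the bundled patch: in `run_ods_setup` and `run_ods_manager` (ipaplatform/base/tasks.py) and in `__setup_conf_files` (ipaserver/install/opendnssecinstance.py). It decides both which binary is run as `ODS_USER` and which `INTERVAL` value goes into the generated config, so the copies can drift apart if one is changed later. A single shared helper whose body is `return paths.ODS_KSMUTIL is not None and os.path.isfile(paths.ODS_KSMUTIL)` would keep them consistent, and `isfile` would also stop a directory at that path from being taken for the 1.4 tool. The hunks do not show the import block of tasks.py, and all three functions start or end outside their hunks, so please confirm `os` is already imported there. The file carries `[PATCH 1/3]` and `[PATCH 3/3]` but no 2/3; if that omission is deliberate, a comment beside `Patch5` in the spec saying so would help anyone auditing the backport against upstream.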
@@ -450,7 +451,7 @@ Requires: bind >= 9.11.0-6.P2 Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2 Requires: bind-pkcs11-utils >= 9.11.0-6.P2 -Requires: opendnssec >= 1.4.6-4 +Requires: opendnssec >= 2.1.6-3 %{?systemd_requires} Provides: %{alt_name}-server-dns = %{version} @@ -1364,6 +1365,10 @@ fi %changelog +* Tue Mar 03 2020 Alexander Bokovoy - 4.8.4-8 +- Support opendnssec 2.1 +- Resolves: #1809492 + * Mon Feb 17 2020 François Cami - 4.8.4-7 - Fix audit_as_req() callback usage - Resolves: #1803786