rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Support OpenDNSSEC 2.1

Browse Source 
Resolves: #1809492
This commit is contained in:
Alexander Bokovoy 2020-03-03 17:01:29 +02:00
parent 485092e39c
commit 7bdea0a373
2 changed files with 131 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
freeipa-4.8-opendnssec-2.1-support.patch Normal file
View File

@ -0,0 +1,124 @@
From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 2 Mar 2020 16:49:48 +0100
Subject: [PATCH 1/3] Support opendnssec 2.1.6
The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup.
The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.
This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.
Fixes: https://pagure.io/freeipa/issue/8214
---
ipaplatform/base/paths.py | 4 ++--
ipaplatform/base/tasks.py | 6 ++++--
ipaplatform/debian/paths.py | 2 --
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index f3a95500e3..0efe8b5a90 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -190,8 +190,8 @@ class BasePathNamespace:
NSUPDATE = "/usr/bin/nsupdate"
ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
ODS_SIGNER = "/usr/sbin/ods-signer"
- ODS_ENFORCER = None
- ODS_ENFORCER_DB_SETUP = None
+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+ ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 86617a07f5..d36039aa23 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None):
def run_ods_setup(self):
"""Initialize a new kasp.db
"""
- if paths.ODS_KSMUTIL is not None:
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+ # OpenDNSSEC 1.4
cmd = [paths.ODS_KSMUTIL, 'setup']
else:
+ # OpenDNSSEC 2.x
cmd = [paths.ODS_ENFORCER_DB_SETUP]
return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs):
"""
assert params[0] != 'setup'
- if paths.ODS_KSMUTIL is not None:
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
# OpenDNSSEC 1.4
cmd = [paths.ODS_KSMUTIL]
else:
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 764b5a2815..3a28c70ff4 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace):
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
ODS_KSMUTIL = None
- ODS_ENFORCER = "/usr/sbin/ods-enforcer"
- ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 3 Mar 2020 08:00:58 +0100
Subject: [PATCH 3/3] Remove the <Interval> from opendnssec conf
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
---
install/share/opendnssec_conf.template | 2 +-
ipaserver/install/opendnssecinstance.py | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
index 3d01fb4156..5658693ac3 100644
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -33,7 +33,7 @@
</Privileges>
<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
- <Interval>PT3600S</Interval>
+ $INTERVAL
<!-- <ManualKeyGeneration/> -->
<!-- <RolloverNotification>P14D</RolloverNotification> -->
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index df39705a44..6354521b4e 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -179,6 +179,12 @@ def __setup_conf_files(self):
# add pin to template
sub_conf_dict = self.conf_file_dict
sub_conf_dict['PIN'] = pin
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
+ # OpenDNSSEC 1.4
+ sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
+ else:
+ # OpenDNSSEC 2.x
+ sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'
ods_conf_txt = ipautil.template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),

9
freeipa.spec
View File

@ -143,7 +143,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 7%{?dist} Release: 8%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -158,6 +158,7 @@ Patch1: krb5-kdb-fixes.patch
Patch2: krb5-1.18-support.patch Patch2: krb5-1.18-support.patch
Patch3: krb5-1.18-support-constraint-delegation.patch Patch3: krb5-1.18-support-constraint-delegation.patch
Patch4: krb5-pg8200.patch Patch4: krb5-pg8200.patch
Patch5: freeipa-4.8-opendnssec-2.1-support.patch
# For the timestamp trick in patch application # For the timestamp trick in patch application
BuildRequires: diffstat BuildRequires: diffstat
@ -450,7 +451,7 @@ Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2 Requires: bind-utils >= 9.11.0-6.P2
Requires: bind-pkcs11 >= 9.11.0-6.P2 Requires: bind-pkcs11 >= 9.11.0-6.P2
Requires: bind-pkcs11-utils >= 9.11.0-6.P2 Requires: bind-pkcs11-utils >= 9.11.0-6.P2
Requires: opendnssec >= 1.4.6-4 Requires: opendnssec >= 2.1.6-3
%{?systemd_requires} %{?systemd_requires}
Provides: %{alt_name}-server-dns = %{version} Provides: %{alt_name}-server-dns = %{version}
@ -1364,6 +1365,10 @@ fi
%changelog %changelog
* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-8
- Support opendnssec 2.1
- Resolves: #1809492
* Mon Feb 17 2020 François Cami <fcami@redhat.com> - 4.8.4-7 * Mon Feb 17 2020 François Cami <fcami@redhat.com> - 4.8.4-7
- Fix audit_as_req() callback usage - Fix audit_as_req() callback usage
- Resolves: #1803786 - Resolves: #1803786