Test a fix for rhbz#1902811

2020-12-16 08:11:09 +02:00 · 2020-12-16 08:11:09 +02:00 · d10972a2bf
commit d10972a2bf
parent d1d2d3bc50
2 changed files with 81 additions and 2 deletions
--- a/freeipa-refactor-dnssec-paths.patch
+++ b/freeipa-refactor-dnssec-paths.patch
@ -0,0 +1,75 @@
+From 44669a5a35970020d492cba644d0584bcc68774f Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 14 Dec 2020 17:44:38 +0100
+Subject: [PATCH] Change mkdir logic in DNSSEC
+
+- Create /var/named/dyndb-ldap/ipa/master/ early
+- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
+
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ ipaserver/dnssec/bindmgr.py             |  7 +++----
+ ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++------
+ ipaserver/install/server/upgrade.py     |  1 +
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
+index 4f7cad89344..a15c0e601a2 100644
+--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
+@@ -182,10 +182,9 @@ def sync_zone(self, zone):
+         zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
+                 self.get_zone_dir_name(zone))
+         try:
+-            os.makedirs(zone_path)
+-        except OSError as e:
+-            if e.errno != errno.EEXIST:
+-                raise e
+            os.mkdir(zone_path, 0o770)
+        except FileExistsError:
+            pass
+ 
+         # fix HSM permissions
+         # TODO: move out
+diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
+index 26c1d9c7516..16870b73b5c 100644
+--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
+@@ -66,12 +66,19 @@ def set_dyndb_ldap_workdir_permissions(self):
+         """
+         Setting up correct permissions to allow write/read access for daemons
+         """
+-        if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+-            os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
+-        # dnssec daemons require to have access into the directory
+-        os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
+-        os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+-                 self.named_gid)
+        directories = [
+            paths.BIND_LDAP_DNS_IPA_WORKDIR,
+            paths.BIND_LDAP_DNS_ZONE_WORKDIR,
+        ]
+        for directory in directories:
+            try:
+                os.mkdir(directory, 0o770)
+            except FileExistsError:
+                pass
+            else:
+                os.chmod(directory, 0o770)
+            # dnssec daemons require to have access into the directory
+            os.chown(directory, self.named_uid, self.named_gid)
+ 
+     def remove_replica_public_keys(self, replica_fqdn):
+         ldap = api.Backend.ldap2
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 18891d53c7d..c453e16b08a 100644
+--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
+@@ -1749,6 +1749,7 @@ def upgrade_configuration():
+             else:
+                 if dnssec_set_openssl_engine(dnskeysyncd):
+                     dnskeysyncd.start_dnskeysyncd()
+            dnskeysyncd.set_dyndb_ldap_workdir_permissions()
+ 
+     cleanup_kdc(fstore)
+     cleanup_adtrust(fstore)
--- a/freeipa.spec
+++ b/freeipa.spec
@ -176,7 +176,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        0.5%{?rc_version:.%rc_version}%{?dist}
+Release:        0.6%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -193,6 +193,8 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management

+Patch0001: freeipa-refactor-dnssec-paths.patch
+
 # RHEL spec file only: START
 %if 0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD}
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
@ -201,7 +203,6 @@ Patch1003:      1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
 %endif
 # RHEL spec file only: END

-
 # For the timestamp trick in patch application
 BuildRequires:  diffstat

@ -1675,6 +1676,9 @@ fi
 %endif

 %changelog
+* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.6.rc3
+- Refactor DNSSEC paths creation code (upstream PR#5340)
+
 * Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.5.rc3
 - FreeIPA 4.9.0 release candidate 3
 - Enforce C.UTF-8 locale in systemd service units