diff --git a/freeipa-refactor-dnssec-paths.patch b/freeipa-refactor-dnssec-paths.patch
new file mode 100644
index 0000000..f13d4f1
--- /dev/null
+++ b/freeipa-refactor-dnssec-paths.patch
@@ -0,0 +1,75 @@
+From 44669a5a35970020d492cba644d0584bcc68774f Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 14 Dec 2020 17:44:38 +0100
+Subject: [PATCH] Change mkdir logic in DNSSEC
+
+- Create /var/named/dyndb-ldap/ipa/master/ early
+- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
+
+Signed-off-by: Christian Heimes
+---
+ ipaserver/dnssec/bindmgr.py | 7 +++----
+ ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++------
+ ipaserver/install/server/upgrade.py | 1 +
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
+index 4f7cad89344..a15c0e601a2 100644
+--- a/ipaserver/dnssec/bindmgr.py
++++ b/ipaserver/dnssec/bindmgr.py
+@@ -182,10 +182,9 @@ def sync_zone(self, zone):
+ zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
+ self.get_zone_dir_name(zone))
+ try:
+- os.makedirs(zone_path)
+- except OSError as e:
+- if e.errno != errno.EEXIST:
+- raise e
++ os.mkdir(zone_path, 0o770)
++ except FileExistsError:
++ pass
+
+ # fix HSM permissions
+ # TODO: move out
+diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
+index 26c1d9c7516..16870b73b5c 100644
+--- a/ipaserver/install/dnskeysyncinstance.py
++++ b/ipaserver/install/dnskeysyncinstance.py
+@@ -66,12 +66,19 @@ def set_dyndb_ldap_workdir_permissions(self):
+ """
+ Setting up correct permissions to allow write/read access for daemons
+ """
+- if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+- os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
+- # dnssec daemons require to have access into the directory
+- os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
+- os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+- self.named_gid)
++ directories = [
++ paths.BIND_LDAP_DNS_IPA_WORKDIR,
++ paths.BIND_LDAP_DNS_ZONE_WORKDIR,
++ ]
++ for directory in directories:
++ try:
++ os.mkdir(directory, 0o770)
++ except FileExistsError:
++ pass
++ else:
++ os.chmod(directory, 0o770)
++ # dnssec daemons require to have access into the directory
++ os.chown(directory, self.named_uid, self.named_gid)
+
+ def remove_replica_public_keys(self, replica_fqdn):
+ ldap = api.Backend.ldap2
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 18891d53c7d..c453e16b08a 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1749,6 +1749,7 @@ def upgrade_configuration():
+ else:
+ if dnssec_set_openssl_engine(dnskeysyncd):
+ dnskeysyncd.start_dnskeysyncd()
++ dnskeysyncd.set_dyndb_ldap_workdir_permissions()
+
+ cleanup_kdc(fstore)
+ cleanup_adtrust(fstore)
diff --git a/freeipa.spec b/freeipa.spec
index 0f09a30..120a174 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -176,7 +176,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 0.5%{?rc_version:.%rc_version}%{?dist} +Release: 0.6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+
@@ -193,6 +193,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management +Patch0001: freeipa-refactor-dnssec-paths.patch + # RHEL spec file only: START %if 0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD} Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -201,7 +203,6 @@ Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch %endif # RHEL spec file only: END - # For the timestamp trick in patch application BuildRequires: diffstat
@@ -1675,6 +1676,9 @@ fi %endif %changelog +* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy - 4.9.0-0.6.rc3 +- Refactor DNSSEC paths creation code (upstream PR#5340) + * Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.5.rc3 - FreeIPA 4.9.0 release candidate 3 - Enforce C.UTF-8 locale in systemd service units
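Review bot: In the embedded `ipaserver/install/dnskeysyncinstance.py` hunk, `os.chmod(directory, 0o770)` now sits under `else:`, so it runs only when `os.mkdir` has just created the directory, whereas the removed code applied the mode unconditionally. The same patch calls `set_dyndb_ldap_workdir_permissions()` from `upgrade_configuration()`, where both directories presumably exist already, so an existing directory with a looser mode keeps it while still being chowned to named. Dropping the `else:` so that `os.chmod(directory, 0o770)` always runs would restore the old guarantee. Separately, `FileExistsError` is also raised when the path is a regular file or a symlink, and going by the commit message the second directory lives inside the first, which is handed to the named uid/gid. Confirming with `os.lstat()` that the path is a real directory before the `os.chmod`/`os.chown` calls (and failing otherwise) would keep a root-run install or upgrade from changing ownership of something else; the `except FileExistsError: pass` in the `bindmgr.py` hunk accepts a non-directory at `zone_path` in the same way.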