diff --git a/freeipa-bz1948034.patch b/freeipa-bz1948034.patch
new file mode 100644
index 0000000..f36016e
--- /dev/null
+++ b/freeipa-bz1948034.patch
@@ -0,0 +1,114 @@
+From 03f7731d39689ee6da7118fa4d5de01b4012c427 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Sat, 10 Apr 2021 15:40:22 +0300
+Subject: [PATCH] ipaserver/install/dns: handle SERVFAIL when checking reverse
+ zone
+
+systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
+does not yet exist when we attempt to look it up before installation.
+Assume that this is OK -- we are going to create the zone ourselves
+during installation.
+
+Fixes: https://pagure.io/freeipa/issue/8794
+
+Signed-off-by: Alexander Bokovoy
+---
+ ipapython/dnsutil.py | 6 ++++++
+ ipaserver/install/bindinstance.py | 12 ++++++++++++
+ ipaserver/install/dns.py | 12 +++++++++++-
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
+index 63eb64dc1..67a5a5334 100644
+--- a/ipapython/dnsutil.py
++++ b/ipapython/dnsutil.py
+@@ -125,6 +125,10 @@ class DNSZoneAlreadyExists(dns.exception.DNSException):
+ "and is handled by server(s): {ns}")
+
+
++class DNSNoNameservers(dns.resolver.NoNameservers):
++ pass
++
++
+ @six.python_2_unicode_compatible
+ class DNSName(dns.name.Name):
+ labels = None # make pylint happy
+@@ -447,6 +451,8 @@ def check_zone_overlap(zone, raise_on_error=True):
+ except dns.exception.DNSException as e:
+ msg = ("DNS check for domain %s failed: %s."
% (zone, e))
+ if raise_on_error:
++ if isinstance(e, dns.resolver.NoNameservers):
++ raise DNSNoNameservers(**e.kwargs) from None
+ raise ValueError(msg)
+ else:
+ logger.warning('%s', msg)
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 19941cd00..f1c9e0aa2 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -312,6 +312,7 @@ def read_reverse_zone(default, ip_address, allow_zone_overlap=False):
+ logger.error("Reverse zone %s will not be used: %s",
+ zone, e)
+ continue
++
+ break
+
+ return normalize_zone(zone)
+@@ -338,6 +339,12 @@ def get_auto_reverse_zones(ip_addresses, allow_zone_overlap=False):
+ default_reverse, ip)
+ logger.debug('%s', e)
+ continue
++ except dnsutil.DNSNoNameservers as e:
++ # Show warning and continue in case we've got SERVFAIL
++ # because we are supposedly going to create this reverse zone
++ logger.warning('%s', str(e))
++ continue
++
+ auto_zones.append((ip, default_reverse))
+ return auto_zones
+
+@@ -505,6 +512,11 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended,
+ else:
+ logger.warning('%s', msg)
+ continue
++ except dnsutil.DNSNoNameservers as e:
++ # Show warning and continue in case we've got SERVFAIL
++ # because we are supposedly going to create this reverse zone
++ logger.warning('%s', str(e))
++ continue
+ checked_reverse_zones.append(normalize_zone(rz))
+
+ # check that there is reverse zone for every IP
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index b51b92bfd..cbdaf99fd 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -151,6 +151,10 @@ def install_check(standalone, api, replica, options, hostname):
+ logger.warning('%s', str(e))
+ else:
+ raise e
++ except dnsutil.DNSNoNameservers as e:
++ # Show warning and continue in case we've got SERVFAIL
++ # because we are supposedly going to create this reverse zone
++ logger.warning('%s', str(e))
+
+ if standalone:
+ 
print("==============================================================================") +@@ -457,7 +461,13 @@ class DNSInstallInterface(hostname.HostNameInstallInterface): + def reverse_zones(self, values): + if not self.allow_zone_overlap: + for zone in values: +- check_zone_overlap(zone) ++ try: ++ check_zone_overlap(zone) ++ except dnsutil.DNSNoNameservers as e: ++ # Show warning and continue in case we've got SERVFAIL ++ # we are supposedly going to create this reverse zone ++ logger.warning('%s', str(e)) ++ continue + + no_reverse = knob( + None, +-- +2.31.1 + diff --git a/freeipa.spec b/freeipa.spec index 10e0e94..5b2fbfb 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -181,7 +181,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist} +Release: 2%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -192,6 +192,8 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc %endif +Patch0001: freeipa-bz1948034.patch + # RHEL spec file only: START: Change branding to IPA and Identity Management # Moved branding logos and background to redhat-logos-ipa-80.4: # header-logo.png, login-screen-background.jpg, login-screen-logo.png, @@ -1677,6 +1679,10 @@ fi %endif %changelog +* Mon Apr 12 2021 Alexander Bokovoy - 4.9.3-2 +- Handle failures to resolve non-existing reverse zones during deployment with systemd-resolved +- Resolves: rhbz#1948034 + * Wed Mar 31 2021 Alexander Bokovoy - 4.9.3-1 - Upstream release FreeIPA 4.9.3
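Review bot: In the embedded freeipa-bz1948034.patch, the new `isinstance(e, dns.resolver.NoNameservers)` branch in `check_zone_overlap` treats every NoNameservers as the "zone does not exist yet" case, but dnspython raises that exception whenever all configured resolvers fail to give a usable answer, not only on the SERVFAIL that systemd-resolved returns here. Each of the four callers then only logs a warning, so any resolver failure during installation quietly skips the overlap safeguard that `allow_zone_overlap=False` is meant to enforce. Consider converting to `DNSNoNameservers` only when the entries in `e.kwargs['errors']` show a SERVFAIL response, and letting every other failure fall through to `raise ValueError(msg)`. Separately, the added `continue` in `get_auto_reverse_zones` and `check_reverse_zones` appears to skip the `append` that follows, which would drop the very zone the comment says is going to be created; indentation is flattened on this page and both loops start outside their hunks, so confirm this against the source files.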