7bdea0a373
Resolves: #1809492
From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001
|
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
Date: Mon, 2 Mar 2020 16:49:48 +0100
|
|
Subject: [PATCH 1/3] Support opendnssec 2.1.6
|
|
|
|
The installation of IPA DNS server is using ods-ksmutil, but
|
|
opendnssec 2.1.6 does not ship /usr/bin/ods-ksmutil any more. The tool
|
|
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup.
|
|
|
|
The master branch currently supports fedora 30+, but fedora 30 and 31 are
|
|
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
|
|
Because of this, the code needs to check at run-time if the ods-ksmutil
|
|
command is available. If the file is missing, the code falls back to
|
|
the new ods-enforcer and ods-enforcer-db-setup commands.
|
|
|
|
This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
|
|
for all platforms, but the commands are used only if ods-ksmutil is not found.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/8214
|
|
---
|
|
ipaplatform/base/paths.py | 4 ++--
|
|
ipaplatform/base/tasks.py | 6 ++++--
|
|
ipaplatform/debian/paths.py | 2 --
|
|
3 files changed, 6 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
|
index f3a95500e3..0efe8b5a90 100644
|
|
--- a/ipaplatform/base/paths.py
|
|
+++ b/ipaplatform/base/paths.py
|
|
@@ -190,8 +190,8 @@ class BasePathNamespace:
|
|
NSUPDATE = "/usr/bin/nsupdate"
|
|
ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
|
|
ODS_SIGNER = "/usr/sbin/ods-signer"
|
|
- ODS_ENFORCER = None
|
|
- ODS_ENFORCER_DB_SETUP = None
|
|
+ ODS_ENFORCER = "/usr/sbin/ods-enforcer"
|
|
+ ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
|
|
OPENSSL = "/usr/bin/openssl"
|
|
PK12UTIL = "/usr/bin/pk12util"
|
|
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
|
|
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
|
|
index 86617a07f5..d36039aa23 100644
|
|
--- a/ipaplatform/base/tasks.py
|
|
+++ b/ipaplatform/base/tasks.py
|
|
@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None):
|
|
def run_ods_setup(self):
|
|
"""Initialize a new kasp.db
|
|
"""
|
|
- if paths.ODS_KSMUTIL is not None:
|
|
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
|
|
+ # OpenDNSSEC 1.4
|
|
cmd = [paths.ODS_KSMUTIL, 'setup']
|
|
else:
|
|
+ # OpenDNSSEC 2.x
|
|
cmd = [paths.ODS_ENFORCER_DB_SETUP]
|
|
return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
|
|
|
|
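Review bot: `os.path.exists(paths.ODS_KSMUTIL)` is now the OpenDNSSEC version probe in run_ods_setup, and the same expression is repeated in run_ods_manager in the next hunk (its body starts and ends outside that hunk) and in __setup_conf_files in patch 3/3, so the command that is run and the `<Interval>` setting written to the config are decided by three separate filesystem checks. A single helper, for example a method returning `paths.ODS_KSMUTIL is not None and os.path.isfile(paths.ODS_KSMUTIL)`, would keep the three call sites consistent and give one place to document the 1.4 / 2.x distinction. The new lines use `os`, but the hunk shows no import and the diffstat for tasks.py lists only these four additions, so confirm `os` is already imported in ipaplatform/base/tasks.py. If neither tool is installed, the else branch passes a non-existent binary to `ipautil.run` as ODS_USER; an explicit error naming the missing opendnssec commands would make that failure easier to diagnose.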
@@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs):
|
|
"""
|
|
assert params[0] != 'setup'
|
|
|
|
- if paths.ODS_KSMUTIL is not None:
|
|
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
|
|
# OpenDNSSEC 1.4
|
|
cmd = [paths.ODS_KSMUTIL]
|
|
else:
|
|
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
|
|
index 764b5a2815..3a28c70ff4 100644
|
|
--- a/ipaplatform/debian/paths.py
|
|
+++ b/ipaplatform/debian/paths.py
|
|
@@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace):
|
|
SBIN_SERVICE = "/usr/sbin/service"
|
|
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
|
|
ODS_KSMUTIL = None
|
|
- ODS_ENFORCER = "/usr/sbin/ods-enforcer"
|
|
- ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
|
|
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
|
|
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
|
|
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
|
|
|
|
From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001
|
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
Date: Tue, 3 Mar 2020 08:00:58 +0100
|
|
Subject: [PATCH 3/3] Remove the <Interval> from opendnssec conf
|
|
|
|
In opendnssec 2.1.6, the <Interval> element is not supported in the
|
|
configuration file.
|
|
|
|
Related: https://pagure.io/freeipa/issue/8214
|
|
---
|
|
install/share/opendnssec_conf.template | 2 +-
|
|
ipaserver/install/opendnssecinstance.py | 6 ++++++
|
|
2 files changed, 7 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
|
|
index 3d01fb4156..5658693ac3 100644
|
|
--- a/install/share/opendnssec_conf.template
|
|
+++ b/install/share/opendnssec_conf.template
|
|
@@ -33,7 +33,7 @@
|
|
</Privileges>
|
|
|
|
<Datastore><SQLite>$KASP_DB</SQLite></Datastore>
|
|
- <Interval>PT3600S</Interval>
|
|
+ $INTERVAL
|
|
<!-- <ManualKeyGeneration/> -->
|
|
<!-- <RolloverNotification>P14D</RolloverNotification> -->
|
|
|
|
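Review bot: With `$INTERVAL` in place of the literal element, every code path that renders opendnssec_conf.template has to supply an INTERVAL key. __setup_conf_files does so in this patch, but any other renderer (an upgrade or restore path, if one exists) would either fail on the missing key or write the literal `$INTERVAL` into the generated config, depending on how ipautil.template_file treats unknown placeholders. It is worth searching for other users of the template before merging. The substituted value is raw XML, so it should remain a constant chosen by the installer, as it is here, and never be derived from user-supplied options.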
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
|
|
index df39705a44..6354521b4e 100644
|
|
--- a/ipaserver/install/opendnssecinstance.py
|
|
+++ b/ipaserver/install/opendnssecinstance.py
|
|
@@ -179,6 +179,12 @@ def __setup_conf_files(self):
|
|
# add pin to template
|
|
sub_conf_dict = self.conf_file_dict
|
|
sub_conf_dict['PIN'] = pin
|
|
+ if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
|
|
+ # OpenDNSSEC 1.4
|
|
+ sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
|
|
+ else:
|
|
+ # OpenDNSSEC 2.x
|
|
+ sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'
|
|
|
|
ods_conf_txt = ipautil.template_file(
|
|
os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
|