#6873 opendnssec setup fails with 2.0.x
Opened 2 years ago by tjaalton. Modified 10 months ago

Debian/Ubuntu has opendnssec 2.0.x now, but running 'ipa-dns-install --dnssec-master' fails with:

2017-04-19T08:00:54Z DEBUG   [5/8]: setting up OpenDNSSEC
2017-04-19T08:00:54Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-04-19T08:00:54Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-04-19T08:00:54Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-04-19T08:00:54Z DEBUG Backing up system configuration file '/var/lib/opendnssec/db/kasp.db'
2017-04-19T08:00:54Z DEBUG   -> Not backing up - '/var/lib/opendnssec/db/kasp.db' doesn't exist
2017-04-19T08:00:54Z DEBUG Starting external process
2017-04-19T08:00:54Z DEBUG args=/usr/bin/ods-ksmutil setup
2017-04-19T08:00:54Z DEBUG runas=opendnssec (UID 128, GID 135)
2017-04-19T08:00:54Z DEBUG Process finished, return code=201
2017-04-19T08:00:54Z DEBUG stdout=
2017-04-19T08:00:54Z DEBUG stderr=<13>Apr 19 11:00:54 ods-ksmutil: The ODS-KSMUTIL command is DEPRECATED and should be replaced by ods-enforcer in the caller with pid 27328: /usr/bin/python2 -E /usr/sbin/ipa-dns-install --dnssec-master
Unable to connect to engine. connect() failed: No such file or directory ("/run/opendnssec/enforcer.sock")

Checking the upstream changelog suggests that 'ods-enforcer-db-setup' should be used instead, but running that gives:

*WARNING* This will erase all data in the database; are you sure? [y/N] y
/etc/opendnssec/conf.xml:11: element AllowExtraction: Relax-NG validity error : Element Repository has extra content: AllowExtraction
/etc/opendnssec/conf.xml:7: element Repository: Relax-NG validity error : Element RepositoryList has extra content: Repository
Error: unable to load configuration!

Getting rid of the "<allowextraction/>" line makes it pass.


Metadata Update from @mbasti:
- Issue assigned to mbasti

2 years ago

While checking where ods-ksmutil is run, I found that ipapython/dnssec/odsmgr.py calls it directly, and not with paths.ODS_KSMUTIL.

Further issues with 2.0: the zonelist.xml looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <!--

********* Important changes to zonelist.xml in 2.0 ***************

In 2.0, the zonelist.xml file is no longer automatically updated when zones
are added or deleted  via the command line by using the 'ods-enforcer zone add'
command. However, in 2.0 it is possible to force an update of the zonelist.xml
file by using the new 'xml' flag. This is in contrast to the behaviour in 1.4
where zonelist.xml was always updated, unless the 'no-xml' flag was used.

As a result in 2.0 the contents of the enforcer database should be considered
the 'master' for the list of currently configured zones, not the zonelist.xml
file as the file can easily become out of sync with the database.

The contents of the database can be listed using:
  ods-enforcer zone list
and exported using the command
  ods-enforcer zonelist export
The contents of the database can still be updated in bulk from the zonelist.xml
file by using the command:
  ods-enforcer zonelist import    (or ods-enforcer update zonelist)

-->
</ZoneList>

and journalctl has:

huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]: ipa         : INFO     Commencing sync process
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
huhti 19 13:21:54 zesty.tyrell ods-enforcerd[30706]: INFO: The XML in /etc/opendnssec/zonelist.xml.new is valid
huhti 19 13:21:54 zesty.tyrell ods-enforcerd[30706]: [zonelist_export_cmd] zonelist exported to /etc/opendnssec/zonelist.xml successfully
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]: Traceback (most recent call last):
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/ipa/ipa-dnskeysyncd", line 110, in <module>
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/python2.7/dist-packages/ldap/syncrepl.py", line 409, in syncrepl_poll
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     self.syncrepl_refreshdone()
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/keysyncer.py", line 114, in syncrepl_refreshdone
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     self.ods_sync()
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/keysyncer.py", line 172, in ods_sync
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     self.odsmgr.sync()
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/odsmgr.py", line 177, in sync
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     zl_ods = self.get_ods_zonelist()
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/odsmgr.py", line 134, in get_ods_zonelist
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     reader = ODSZoneListReader(stdout)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "/usr/lib/python2.7/dist-packages/ipapython/dnssec/odsmgr.py", line 62, in __init__
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:     xml = etree.fromstring(zonelist_text)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/lxml.etree.pyx", line 3213, in lxml.etree.fromstring (src/lxml/lxml.etree.c:79010)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/parser.pxi", line 1848, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:118341)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/parser.pxi", line 1736, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:117021)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/parser.pxi", line 1102, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:111265)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/parser.pxi", line 595, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:105109)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/parser.pxi", line 706, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:106817)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "src/lxml/parser.pxi", line 635, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:105671)
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]:   File "<string>", line 1
huhti 19 13:21:54 zesty.tyrell ipa-dnskeysyncd[31694]: lxml.etree.XMLSyntaxError: Start tag expected, '<' not found, line 1, column 1
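The traceback above ends in a raw XMLSyntaxError because the text handed to the zone-list reader was not XML at all. As an added illustration (not code from FreeIPA or OpenDNSSEC), the following small reader parses a zonelist.xml document with the standard library and tells apart the two situations seen in this issue: a zone list that is genuinely empty (comment only, as 2.0 writes it) and input that is not a ZoneList document (for example a status line instead of XML). The element names it expects (Zone name=..., Policy, SignerConfiguration) are an assumption about OpenDNSSEC's zonelist.xml layout, and all three sample inputs are constructed here.

```python
"""Parse an OpenDNSSEC zonelist.xml and separate the two cases seen in this
issue: a zone list that is genuinely empty (comment only) and text that is
not XML at all (such as a status line on stdout). Added illustration, not
FreeIPA or OpenDNSSEC code."""
import os
import tempfile
import xml.etree.ElementTree as etree

# Constructed sample: an empty zonelist.xml as OpenDNSSEC 2.0 writes it
# (only an explanatory comment, no <Zone> elements).
EMPTY_ZONELIST = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <!-- In 2.0 the enforcer database is the master for the zone list. -->
</ZoneList>
"""

# Constructed sample with two zones. Element names (Zone name=..., Policy,
# SignerConfiguration) follow the zonelist.xml layout OpenDNSSEC uses; this
# is an assumption about the format, not text taken from the issue.
TWO_ZONES = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.test">
    <Policy>default</Policy>
    <SignerConfiguration>/var/lib/opendnssec/signconf/example.test.xml</SignerConfiguration>
  </Zone>
  <Zone name="sub.example.test">
    <Policy>lab</Policy>
    <SignerConfiguration>/var/lib/opendnssec/signconf/sub.example.test.xml</SignerConfiguration>
  </Zone>
</ZoneList>
"""

# Constructed stand-in for non-XML text arriving on stdout instead of the
# document itself (compare the enforcer log line in the journal above).
ENFORCER_STDOUT = "zonelist exported to /etc/opendnssec/zonelist.xml successfully\n"


class NotAZoneList(ValueError):
    """The text is not a ZoneList document (not XML, or wrong root element)."""


def parse_zonelist(text):
    """Return {zone name: policy} for a ZoneList document.

    Raises NotAZoneList with a readable message instead of letting the raw
    parser error escape, which is what produced the traceback in the journal.
    """
    if isinstance(text, str):
        text = text.encode("utf-8")  # parse bytes so the encoding declaration is honoured
    try:
        root = etree.fromstring(text)
    except etree.ParseError as e:
        raise NotAZoneList("input is not XML: %s" % e)
    if root.tag != "ZoneList":
        raise NotAZoneList("root element is %r, expected ZoneList" % root.tag)
    zones = {}
    for zone in root.findall("Zone"):
        name = zone.get("name")
        if not name:
            raise NotAZoneList("Zone element without a name attribute")
        zones[name] = zone.findtext("Policy", default="")
    return zones


def is_zonelist(text):
    """True if text parses as a ZoneList document, False otherwise."""
    try:
        parse_zonelist(text)
    except NotAZoneList:
        return False
    return True


def read_zonelist_file(path):
    """Read the zone list from disk, the 2.x way: the enforcer writes the
    file itself and stdout only carries a status line."""
    with open(path, "rb") as f:
        return parse_zonelist(f.read())


if __name__ == "__main__":
    print(parse_zonelist(EMPTY_ZONELIST))   # {}
    print(parse_zonelist(TWO_ZONES))        # two zones with their policies
    print(is_zonelist(ENFORCER_STDOUT))     # False: a status line, not XML
    # Same document read back from a file, as a caller would after an export.
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "wb") as f:
        f.write(TWO_ZONES.encode("utf-8"))
    try:
        print(read_zonelist_file(path) == parse_zonelist(TWO_ZONES))  # True
    finally:
        os.unlink(path)
```

The point of the wrapper is that a caller can distinguish "no zones configured" (an empty dict) from "I was given the wrong thing" (NotAZoneList) and log the actual text it received, rather than crashing the sync daemon with a parser error whose only hint is "column 1".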

If I understand it correctly, there is a risk that the fix will not be backwards compatible with older opendnssec. Given that opendnssec 2.0.x is not available for FreeIPA's reference distribution, Fedora, the fix for this is not rushed, so as not to break/block development.

That said, a patch is welcome because it will be needed sometime (maybe soon; therefore choosing the next major version, 4.7).

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @mbasti:
- Issue assigned to tkrizek (was: mbasti)

2 years ago

Here's a patch based on the Debian package patch and further updated. This will get ipa-dnskeysyncd to run again once OpenDNSSEC 2.0.x is installed.

There are also some other steps to upgrade existing installs.

/usr/share/opendnssec/convert_sqlite3 -i INPUT -o OUTPUT
ods-migrate
cp /etc/opendnssec/zonelist.xml /var/lib/opendnssec/enforcer/zones.xml

Patch:

---
 install/share/opendnssec_conf.template  | 1 -
 ipaplatform/base/paths.py               | 3 ++-
 ipaserver/dnssec/odsmgr.py              | 8 +++++---
 ipaserver/install/opendnssecinstance.py | 9 ++-------
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template
index 3d01fb415..1dc346863 100644
--- a/install/share/opendnssec_conf.template
+++ b/install/share/opendnssec_conf.template
@@ -8,7 +8,6 @@
            <Module>$SOFTHSM_LIB</Module>
            <TokenLabel>$TOKEN_LABEL</TokenLabel>
            <PIN>$PIN</PIN>
-            <AllowExtraction/>
        </Repository>

    </RepositoryList>
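Review bot: dropping <AllowExtraction/> from the template unconditionally is a concern at the `-            <AllowExtraction/>` line. Only 2.0.x rejects the element (the Relax-NG error quoted at the top of this issue); it is still accepted by the 1.4 installs this code base supports and, per a later comment in this thread, by 2.1.3 again. Consider emitting the line conditionally on the detected OpenDNSSEC version rather than deleting it, and confirm what its absence changes about the keys the enforcer generates before shipping this for every version.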
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index de3cdce44..78f762bab 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -168,7 +168,8 @@ class BasePathNamespace(object):
     NET = "/usr/bin/net"
     BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
     NSUPDATE = "/usr/bin/nsupdate"
-    ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+    ODS_ENFORCER = "/usr/bin/ods-enforcer"
+    ODS_ENFORCER_SETUP = "/usr/bin/ods-enforcer-db-setup"
     ODS_SIGNER = "/usr/sbin/ods-signer"
     OPENSSL = "/usr/bin/openssl"
     PK12UTIL = "/usr/bin/pk12util"
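Review bot: ODS_KSMUTIL is removed outright, so any remaining reference elsewhere in the tree turns into an AttributeError at runtime, and there is no path left for the 1.4 tool on systems that have not migrated yet; since the maintainers ask for upgrades from older opendnssec to be handled, keep ODS_KSMUTIL next to the two new constants and choose at runtime. Also double-check ODS_ENFORCER_SETUP: as run earlier in this issue, `ods-enforcer-db-setup` is a separate binary invoked with no subcommand, which callers of this constant need to respect.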
diff --git a/ipaserver/dnssec/odsmgr.py b/ipaserver/dnssec/odsmgr.py
index 0308408e0..6852ee4f9 100644
--- a/ipaserver/dnssec/odsmgr.py
+++ b/ipaserver/dnssec/odsmgr.py
@@ -10,6 +10,7 @@ except ImportError:
     from xml.etree import ElementTree as etree

 from ipapython import ipa_log_manager, ipautil
+from ipaplatform.paths import paths

 # hack: zone object UUID is stored as path to imaginary zone file
 ENTRYUUID_PREFIX = "/var/lib/ipa/dns/zone/entryUUID/"
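Review bot: the new `from ipaplatform.paths import paths` import is only justified if the command construction further down actually uses paths.ODS_ENFORCER; as this patch stands the binary name is still hard-coded as `'ods-enforcer'`, which repeats the problem the first comment in this issue raised about `'ods-ksmutil'`, so this import is dead until that is changed.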
@@ -129,17 +130,18 @@ class ODSMgr(object):
         self.zl_ldap = LDAPZoneListReader()

     def ksmutil(self, params):
-        """Call ods-ksmutil with given parameters and return stdout.
+        """Call ods-enforcer with given parameters and return stdout.

         Raises CalledProcessError if returncode != 0.
         """
-        cmd = ['ods-ksmutil'] + params
+        cmd = ['ods-enforcer'] + params
         result = ipautil.run(cmd, capture_output=True)
         return result.output

     def get_ods_zonelist(self):
         stdout = self.ksmutil(['zonelist', 'export'])
-        reader = ODSZoneListReader(stdout)
+        with open(paths.OPENDNSSEC_ZONELIST_FILE) as f
+            reader = ODSZoneListReader(f.read())
         return reader

     def add_ods_zone(self, uuid, name):
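Review bot: `with open(paths.OPENDNSSEC_ZONELIST_FILE) as f` is missing its trailing colon, so this is a SyntaxError and odsmgr.py will not import at all. Beyond that, `stdout` from the `zonelist export` call is now discarded, which is right for 2.x (the enforcer writes the file and stdout carries only a status line, exactly what the traceback above choked on), but the file is only fresh if the export succeeded, so rely on ipautil.run raising on a non-zero exit rather than swallowing it, and make sure ipa-dnskeysyncd can read OPENDNSSEC_ZONELIST_FILE with the ownership the enforcer leaves on it. `cmd = ['ods-enforcer'] + params` should use paths.ODS_ENFORCER, and renaming `ksmutil` to something like `enforcer` would stop the method name describing a tool it no longer runs.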
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index bc2974a2c..e090d1661 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -277,20 +277,15 @@ class OpenDNSSECInstance(service.Service):
             os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)

             # regenerate zonelist.xml
-            cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
+            cmd = [paths.ODS_ENFORCER, 'zonelist', 'export']
             result = ipautil.run(cmd,
                                  runas=constants.ODS_USER,
                                  capture_output=True)
-            with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
-                zonelistf.write(result.output)
-                os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
-                         self.ods_uid, self.ods_gid)
-                os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0o660)

         else:
             # initialize new kasp.db
             command = [
-                paths.ODS_KSMUTIL,
+                paths.ODS_ENFORCER_SETUP,
                 'setup'
             ]

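Review bot: `command = [paths.ODS_ENFORCER_SETUP, 'setup']` passes a `setup` argument that ods-enforcer-db-setup, as invoked earlier in this issue, does not take; verify it is ignored rather than rejected, and note that the tool asks `*WARNING* This will erase all data in the database; are you sure? [y/N]`, which an installer has to answer non-interactively (for example through the stdin argument of ipautil.run) or the step hangs or aborts. In the upper part of the hunk, dropping the write/chown/chmod block is fine since ods-enforcer now writes zonelist.xml itself as ODS_USER, but `result` is now unused and the `# regenerate zonelist.xml` comment should say that the enforcer writes the file.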
-- 
2.13.2

Thank you for the patch! It looks very good.

Could you please create a PR on GitHub? https://github.com/freeipa/freeipa

However, we must get opendnssec 2.0 into Fedora and RHEL/CentOS before we can merge this upstream; until then, Ubuntu must include this as a downstream patch.

Also, upgrades from older opendnssec must be included in IPA upgrades.

2 years ago

Isn't the first hunk wrong with opendnssec 2.1.3, which added back support for AllowExtraction?

And 'ods-enforcer' in odsmgr.py should be replaced with paths.ODS_ENFORCER.

Yes and I believe that's corrected in the github PR.

On Oct 9, 2017, at 12:32 AM, Timo Aaltonen pagure@pagure.io wrote:

and 'ods-enforcer' in odsmgr.py should be replaced with paths.ODS_ENFORCER


Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @tkrizek:
- Assignee reset

10 months ago
