After doing a backup/restore of the DNSSEC master, the zones are not signed any more.
```
# hostnamectl set-hostname server.ipa.test
# IPADDR=`hostname -I | cut -d' ' -f1`
# echo "$IPADDR server.ipa.test" >> /etc/hosts
# dnf update -y
# dnf install -y freeipa-server-dns
# ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --forwarder 10.11.5.160 -a Secret123 -p Secret123 -U
# echo Secret123 | kinit admin
# ipa-dns-install --dnssec-master --forwarder 10.11.5.160 -U
# ipa dnszone-add dnssec.test. --skip-overlap-check --dnssec true --ttl 1 --default-ttl 1
# ipa-backup      (note the backup dir)
# ipa-server-install --uninstall -U
# ipa-restore /path/to/backup
```
After the restore, the zones are not signed any more.
After restore, the zones should be signed.
IPA from master branch (2024-06-26).
Seen in nightly test PR3783 with the attached logs and report.
The issue seems related to the missing socket file /var/run/opendnssec/engine.sock. The journal shows the following error:
```
Jun 26 09:59:33 master.ipa.test ipa-ods-exporter[26762]: ipa-ods-exporter: INFO master2ldap_zone_keys: keys in local HSM & LDAP: {'0xadf34c1e5d167f82927bcef58f0bdfe8', '0x42b910a94e6a3ab91db33c1985601da3', '0x1f427c7e8cf3e8f447a59bb9318a6c88', '0x544fc43d5c9cdc4800c50e3e52594e4f', '0x28f4c5af1a33653e9f2f07e486a234e4', '0x010e1fcb9e8e486b8453eeb48bbfe075', '0x089646b504395d8b2a7755fc460a4467', '0x0eefc50f71fdb39957c07bdac0b72ec5'}
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]: Traceback (most recent call last):
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module>
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib64/python3.12/site-packages/ldap/syncrepl.py", line 464, in syncrepl_poll
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     self.syncrepl_refreshdone()
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib/python3.12/site-packages/ipaserver/dnssec/keysyncer.py", line 127, in syncrepl_refreshdone
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     self.hsm_master_sync()
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib/python3.12/site-packages/ipaserver/dnssec/keysyncer.py", line 202, in hsm_master_sync
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     ipautil.run([paths.ODS_SIGNER, 'ipa-hsm-update'])
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib/python3.12/site-packages/ipapython/ipautil.py", line 594, in run
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     raise CalledProcessError(
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ods-signer', 'ipa-hsm-update'] returned non-zero exit status 201: 'Unable to connect to engine. connect() failed: No such file or directory ("/var/run/opendnssec/engine.sock")\n')
```
The uninstaller removes this file since commit https://github.com/freeipa/freeipa/commit/8293b74eca851981c7b61b6dd6505f4799e3c8ce and the restore does not re-create it.
The above commit only puts in light a defect in ipa-restore: ipa-restore should be able to restore a backup to a different machine where the socket does not exist.
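As an added diagnostic example (not part of this ticket and not FreeIPA's own code), the following script turns the analysis above into a check an operator can run after a restore: it parses journal output for the ods-signer `CalledProcessError`, pulls out the exit status and the socket path named in the engine error, and then reports whether that path actually exists and is a unix socket. The journal lines embedded below are constructed from the excerpt in this ticket (trimmed to the relevant frames), the socket path is the one the ticket's log reports, and the function names (`parse_ods_failure`, `check_engine_socket`, `diagnose`) are my own. What recreates the socket is the ipa-restore fix tracked in this ticket; the script only tells you that you are in that state.

```python
import ast
import os
import re
import stat

# Constructed sample of the ipa-dnskeysyncd traceback quoted in the ticket
# (not a real capture; trimmed to the frames the parser needs).
SAMPLE_JOURNAL = [
    "Jun 26 09:59:33 master.ipa.test ipa-ods-exporter[26762]: ipa-ods-exporter: INFO "
    "master2ldap_zone_keys: keys in local HSM & LDAP: {'0xadf34c1e5d167f82927bcef58f0bdfe8'}",
    "Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]: Traceback (most recent call last):",
    "Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File \"/usr/lib/python3.12/"
    "site-packages/ipaserver/dnssec/keysyncer.py\", line 202, in hsm_master_sync",
    "Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     "
    "ipautil.run([paths.ODS_SIGNER, 'ipa-hsm-update'])",
    "Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]: ipapython.ipautil.CalledProcessError: "
    "CalledProcessError(Command ['/usr/sbin/ods-signer', 'ipa-hsm-update'] returned non-zero exit "
    "status 201: 'Unable to connect to engine. connect() failed: No such file or directory "
    "(\"/var/run/opendnssec/engine.sock\")\\n')",
]

# Socket path as reported in the ticket's journal output.
ENGINE_SOCKET = "/var/run/opendnssec/engine.sock"

# Shape of ipautil's CalledProcessError repr: Command [...] returned non-zero exit status N: '...'
ODS_ERROR_RE = re.compile(
    r"CalledProcessError\(Command \[(?P<cmd>[^\]]*)\] returned non-zero exit status "
    r"(?P<status>\d+): '(?P<msg>.*?)'\)"
)
# The engine error quotes the socket path in parentheses: ("/path/to/engine.sock")
SOCKET_PATH_RE = re.compile(r'\("(?P<path>[^"]+)"\)')


def parse_ods_failure(lines):
    """Return details of the first ods-signer CalledProcessError in journal lines, or None.

    Lines are joined first because a wrapped traceback (as in the ticket text)
    can split the error across physical lines.
    """
    text = " ".join(line.strip() for line in lines)
    m = ODS_ERROR_RE.search(text)
    if m is None:
        return None
    # The command is printed as a Python list literal; literal_eval is safe for that.
    command = list(ast.literal_eval("[" + m.group("cmd") + "]"))
    message = m.group("msg")
    path_match = SOCKET_PATH_RE.search(message)
    return {
        "command": command,
        "exit_status": int(m.group("status")),
        "message": message,
        "missing_path": path_match.group("path") if path_match else None,
    }


def check_engine_socket(path=ENGINE_SOCKET):
    """Classify the engine socket path: 'missing', 'not-a-socket' or 'present'."""
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return "missing"
    return "present" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"


def diagnose(lines, socket_check=check_engine_socket):
    """Combine the log finding with the filesystem state into one verdict."""
    finding = parse_ods_failure(lines)
    if finding is None:
        return {"finding": None, "socket_state": None,
                "verdict": "no ods-signer failure found in the log"}
    path = finding["missing_path"] or ENGINE_SOCKET
    state = socket_check(path)
    if state == "missing":
        verdict = ("ods-signer exited %d because the OpenDNSSEC engine socket %s does not exist; "
                   "this is the post-restore condition described in the ticket, and zones stay "
                   "unsigned until it is back" % (finding["exit_status"], path))
    elif state == "not-a-socket":
        verdict = "%s exists but is not a unix socket" % path
    else:
        verdict = "engine socket %s is present now; the logged failure may be stale" % path
    return {"finding": finding, "socket_state": state, "verdict": verdict}


if __name__ == "__main__":
    # Runs against the constructed sample and the live filesystem of this host.
    print(diagnose(SAMPLE_JOURNAL)["verdict"])
```

On a real host, feed `journalctl -u ipa-dnskeysyncd --no-pager` output into `diagnose` instead of the sample; an `ods-ksmutil`/`ods-signer` exit status of 201 together with `socket_state == "missing"` is the signature of this ticket rather than of a key or HSM problem.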
Metadata Update from @frenaud:
- Issue tagged with: test-failure

Metadata Update from @frenaud:
- Issue assigned to frenaud

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7411
master:
ipa-4-12:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-11: