#9613 After backup/restore of dnssec master, zones are not signed
Closed: fixed 6 months ago by frenaud. Opened 7 months ago by frenaud.

Issue

After doing a backup/restore of the DNSSEC master, the zones are not signed any more.

Steps to Reproduce

# hostnamectl set-hostname server.ipa.test
# IPADDR=`hostname -I | cut -d' ' -f1`
# echo "$IPADDR server.ipa.test" >> /etc/hosts

# dnf update -y
# dnf install -y freeipa-server-dns

# ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --forwarder 10.11.5.160 -a Secret123 -p Secret123 -U
# echo Secret123 | kinit admin
# ipa-dns-install --dnssec-master  --forwarder 10.11.5.160 -U
# ipa dnszone-add dnssec.test. --skip-overlap-check --dnssec true --ttl 1 --default-ttl 1

# ipa-backup
(note the backup dir)
# ipa-server-install --uninstall -U

# ipa-restore /path/to/backup

Actual behavior

After the restore, the zones are not signed any more.

Expected behavior

After restore, the zones should be signed.

Version/Release/Distribution

IPA from master branch (2024-06-26).

Additional info:

Seen in nightly test PR3783 with the attached logs and report.

The issue seems related to the missing socket file /var/run/opendnssec/engine.sock. The journal shows the following error:

Jun 26 09:59:33 master.ipa.test ipa-ods-exporter[26762]: ipa-ods-exporter: INFO     master2ldap_zone_keys: keys in local HSM & LDAP: {'0xadf34c1e5d167f82927bcef58f0bdfe8', '0x42b910a94e6a3ab91db33c1985601da3', '0x1f427c7e8cf3e8f447a59bb9318a6c88', '0x544fc43d5c9cdc4800c50e3e52594e4f', '0x28f4c5af1a33653e9f2f07e486a234e4', '0x010e1fcb9e8e486b8453eeb48bbfe075', '0x089646b504395d8b2a7755fc460a4467', '0x0eefc50f71fdb39957c07bdac0b72ec5'}
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]: Traceback (most recent call last):
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module>
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib64/python3.12/site-packages/ldap/syncrepl.py", line 464, in syncrepl_poll
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     self.syncrepl_refreshdone()
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib/python3.12/site-packages/ipaserver/dnssec/keysyncer.py", line 127, in syncrepl_refreshdone
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     self.hsm_master_sync()
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib/python3.12/site-packages/ipaserver/dnssec/keysyncer.py", line 202, in hsm_master_sync
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     ipautil.run([paths.ODS_SIGNER, 'ipa-hsm-update'])
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:   File "/usr/lib/python3.12/site-packages/ipapython/ipautil.py", line 594, in run
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]:     raise CalledProcessError(
Jun 26 09:59:33 master.ipa.test ipa-dnskeysyncd[26778]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ods-signer', 'ipa-hsm-update'] returned non-zero exit status 201: 'Unable to connect to engine. connect() failed: No such file or directory ("/var/run/opendnssec/engine.sock")\n')

The uninstaller removes this file since commit https://github.com/freeipa/freeipa/commit/8293b74eca851981c7b61b6dd6505f4799e3c8ce and the restore does not re-create it.

The above commit only brings to light a defect in ipa-restore: ipa-restore should be able to restore a backup to a different machine where the socket does not exist.
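A post-restore health check for a DNSSEC master, added here as an example; it is not FreeIPA project code and not part of the original report. It tests the two things this ticket turns on: that the OpenDNSSEC engine socket which ods-signer connects to exists, and that the zone actually answers with RRSIGs. The socket path and zone name come from the report above; the function names, the 127.0.0.1 target and the sample dig answers are this example's own assumptions and constructed data.

```shell
# Added example (not FreeIPA project code): check a restored DNSSEC master for
# the failure mode in this ticket. Socket path is the one ods-signer reports
# as missing in the journal; function names are this example's own.

ODS_SOCK=/var/run/opendnssec/engine.sock

# Return 0 if the OpenDNSSEC engine socket exists (ods-signer connects to it
# for every command, including the ipa-hsm-update run by ipa-dnskeysyncd).
ods_socket_present() {
    [ -S "${1:-$ODS_SOCK}" ]
}

# Read `dig +dnssec <zone> SOA` output on stdin; return 0 only if the answer
# carries an RRSIG covering the apex SOA, i.e. the zone is really signed.
# An unsigned zone still answers the SOA itself, so checking for the SOA
# alone would not detect the bug.
zone_is_signed() {
    zone=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -qE "^${zone}[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+RRSIG[[:space:]]+SOA[[:space:]]"
}

# Full check against a live server; assumes the restored master answers on
# 127.0.0.1 (assumption, adjust for the real deployment).
check_dnssec_master() {
    zone=$1
    if ! ods_socket_present; then
        echo "FAIL: $ODS_SOCK missing; ods-signer cannot reach the engine" >&2
        return 1
    fi
    if ! dig +dnssec +norecurse @127.0.0.1 "$zone" SOA | zone_is_signed "$zone"; then
        echo "FAIL: no RRSIG for $zone SOA; zone is unsigned" >&2
        return 1
    fi
    echo "OK: $zone is signed and the ODS engine socket is present"
}

# Constructed dig output (not captured from a real server) so the parser can
# be exercised stand-alone; the RRSIG fields are placeholders.
SIGNED_ANSWER='dnssec.test.	1	IN	SOA	server.ipa.test. hostmaster.dnssec.test. 1 3600 900 1209600 3600
dnssec.test.	1	IN	RRSIG	SOA 8 2 1 20240710000000 20240626000000 12345 dnssec.test. c29tZXNpZw=='
UNSIGNED_ANSWER='dnssec.test.	1	IN	SOA	server.ipa.test. hostmaster.dnssec.test. 1 3600 900 1209600 3600'

# Stand-alone demonstration on the constructed answers.
printf '%s\n' "$SIGNED_ANSWER"   | zone_is_signed dnssec.test. && echo "signed answer: RRSIG found"
printf '%s\n' "$UNSIGNED_ANSWER" | zone_is_signed dnssec.test. || echo "unsigned answer: no RRSIG"
```

Run `check_dnssec_master dnssec.test.` on the restored master after `ipa-restore`; with the socket missing it fails before touching DNS, which matches the exit status 201 path in the traceback above.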


Metadata Update from @frenaud:
- Issue tagged with: test-failure

7 months ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

7 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7411

7 months ago

master:

  • 9110050 ipa-ods-enforcer: stop must also stop the socket
  • 88a392c Uninstall: stop sssd-kcm before removing KCM ccaches database
  • 0be8d04 test_replica_install_after_restore: kinit after restore

ipa-4-12:

  • 2f902ef ipa-ods-enforcer: stop must also stop the socket
  • 6fe268a Uninstall: stop sssd-kcm before removing KCM ccaches database
  • d635d70 test_replica_install_after_restore: kinit after restore

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago

ipa-4-11:

  • 5c09ac9 ipa-ods-enforcer: stop must also stop the socket
  • c4ba077 Uninstall: stop sssd-kcm before removing KCM ccaches database
  • 3b927bb test_replica_install_after_restore: kinit after restore
