Import Upstream version 4.12.4

geos_one
2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions


@@ -23,7 +23,6 @@ from __future__ import print_function
import logging
import tempfile
import os
import pwd
import netaddr
import re
import shutil
@@ -356,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
if zonemgr is None:
if not zonemgr:
zonemgr = 'hostmaster.%s' % name
if ns_hostname:
@@ -663,7 +662,7 @@ class BindInstance(service.Service):
self.no_dnssec_validation = False
self.sub_dict = None
self.reverse_zones = ()
self.named_regular = services.service('named-regular', api)
self.named_conflict = services.service('named-conflict', api)
suffix = ipautil.dn_attribute_property('_suffix')
@@ -683,7 +682,7 @@ class BindInstance(service.Service):
self.forward_policy = forward_policy
self.reverse_zones = reverse_zones
if zonemgr is not None:
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
@@ -761,8 +760,11 @@ class BindInstance(service.Service):
self.step("setting up records for other masters", self.__add_others)
# all zones must be created before this step
self.step("adding NS record to the zones", self.__add_self_ns)
# The service entry is used for LDAPI autobind. The keytab is no
# longer used to authenticate the server. The server still needs
# the keytab to handle incoming nsupdate requests with TSIG.
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up LDAPI autobind", self.setup_autobind)
self.step("setting up named.conf", self.setup_named_conf)
self.step("setting up server configuration",
self.__setup_server_configuration)
@@ -770,7 +772,7 @@ class BindInstance(service.Service):
# named has to be started after softhsm initialization
# self.step("restarting named", self.__start)
self.step("configuring named to start on boot", self.__enable)
self.step("configuring named to start on boot", self.switch_service)
self.step(
"changing resolv.conf to point to ourselves",
self.setup_resolv_conf
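Review bot: The step label kept on the new line, `"configuring named to start on boot"`, no longer describes what the callback does: `switch_service` (added later in this commit) stops and masks the conflicting named unit before enabling this one, so the installer output will not show that a masking step ran. Rename the label to match the behaviour, e.g. `self.step("masking conflicting named service and enabling named", self.switch_service)`. The enclosing method starts and ends outside the hunk.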
@@ -783,19 +785,16 @@ class BindInstance(service.Service):
def __start(self):
try:
if self.get_state("running") is None:
# first time store status
self.backup_state("running", self.is_running())
self.restart()
except Exception as e:
logger.error("Named service failed to start (%s)", e)
print("named service failed to start")
def switch_service(self):
self.mask_conflict()
self.__enable()
def __enable(self):
if self.get_state("enabled") is None:
self.backup_state("enabled", self.is_running())
self.backup_state("named-regular-enabled",
self.named_regular.is_running())
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
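Review bot: `switch_service` is a new public method without a docstring, and its name does not convey that it acts on a second systemd unit as well as this one. Add one such as `"""Stop and mask the conflicting named unit, then enable this service."""` so callers know it has that side effect. Separately, `__enable` still stores the `enabled` backup with `self.is_running()`; the key/value mismatch is pre-existing, but since the commit touches these lines a short comment explaining why the running flag is saved under `enabled` (or a switch to an enabled-state accessor, if the service base class provides one) would avoid confusing the next reader. `__enable` continues past the end of the hunk.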
@@ -806,20 +805,19 @@ class BindInstance(service.Service):
# don't crash, just report error
logger.error("DNS service already exists")
# disable named, we need to run named-pkcs11 only
if self.get_state("named-regular-running") is None:
# first time store status
self.backup_state("named-regular-running",
self.named_regular.is_running())
def mask_conflict(self):
# disable named-conflict (either named or named-pkcs11)
try:
self.named_regular.stop()
self.named_conflict.stop()
except Exception as e:
logger.debug("Unable to stop named (%s)", e)
logger.debug("Unable to stop %s (%s)",
self.named_conflict.systemd_name, e)
try:
self.named_regular.mask()
self.named_conflict.mask()
except Exception as e:
logger.debug("Unable to mask named (%s)", e)
logger.debug("Unable to mask %s (%s)",
self.named_conflict.systemd_name, e)
def _get_dnssec_validation(self):
"""get dnssec-validation value
@@ -889,6 +887,7 @@ class BindInstance(service.Service):
NAMED_CONF=paths.NAMED_CONF,
NAMED_CUSTOM_CONF=paths.NAMED_CUSTOM_CONF,
NAMED_CUSTOM_OPTIONS_CONF=paths.NAMED_CUSTOM_OPTIONS_CONF,
NAMED_LOGGING_OPTIONS_CONF=paths.NAMED_LOGGING_OPTIONS_CONF,
NAMED_DATA_DIR=constants.NAMED_DATA_DIR,
NAMED_ZONE_COMMENT=constants.NAMED_ZONE_COMMENT,
NAMED_DNSSEC_VALIDATION=self._get_dnssec_validation(),
@@ -1001,8 +1000,7 @@ class BindInstance(service.Service):
dns_principal = p
# Make sure access is strictly reserved to the named user
pent = pwd.getpwnam(self.service_user)
os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
self.service_user.chown(self.keytab)
os.chmod(self.keytab, 0o400)
# modify the principal so that it is marked as an ipa service so that
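Review bot: The new `self.service_user.chown(self.keytab)` runs before `os.chmod(self.keytab, 0o400)`, so if the keytab was written with a group- or world-readable mode there is a short window in which the file is already owned by the named user but not yet restricted to it; swapping the two lines (chmod first, then chown) closes that window at no cost and makes the comment `# Make sure access is strictly reserved to the named user` describe the sequence accurately. Whether the file is ever created with a permissive mode depends on the code that fetches the keytab, which is outside this hunk, so this is a hardening suggestion rather than a confirmed exposure. The enclosing method starts and ends outside the hunk.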
@@ -1034,6 +1032,11 @@ class BindInstance(service.Service):
dns_principal, str(e))
raise
def setup_autobind(self):
self.add_autobind_entry(
constants.NAMED_USER, constants.NAMED_GROUP, self.principal
)
def setup_named_conf(self, backup=False):
"""Create, update, or migrate named configuration files
@@ -1048,7 +1051,7 @@ class BindInstance(service.Service):
"""
# files are owned by root:named and are readable by user and group
uid = 0
gid = pwd.getpwnam(constants.NAMED_USER).pw_gid
gid = constants.NAMED_GROUP.gid
mode = 0o640
changed = False
@@ -1088,7 +1091,11 @@ class BindInstance(service.Service):
(
paths.NAMED_CUSTOM_OPTIONS_CONF_SRC,
paths.NAMED_CUSTOM_OPTIONS_CONF
)
),
(
paths.NAMED_LOGGING_OPTIONS_CONF_SRC,
paths.NAMED_LOGGING_OPTIONS_CONF,
),
)
for src, dest in user_configs:
if not os.path.exists(dest):
@@ -1127,18 +1134,18 @@ class BindInstance(service.Service):
def setup_resolv_conf(self):
searchdomains = [self.domain]
nameservers = []
nameservers = set()
resolve1_enabled = dnsforwarders.detect_resolve1_resolv_conf()
for ip_address in self.ip_addresses:
if ip_address.version == 4:
nameservers.append("127.0.0.1")
nameservers.add("127.0.0.1")
elif ip_address.version == 6:
nameservers.append("::1")
nameservers.add("::1")
try:
tasks.configure_dns_resolver(
nameservers, searchdomains,
sorted(nameservers), searchdomains,
resolve1_enabled=resolve1_enabled, fstore=self.fstore
)
except IOError as e:
@@ -1318,11 +1325,6 @@ class BindInstance(service.Service):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
running = self.restore_state("running")
enabled = self.restore_state("enabled")
named_regular_running = self.restore_state("named-regular-running")
named_regular_enabled = self.restore_state("named-regular-enabled")
self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())
try:
@@ -1337,26 +1339,24 @@ class BindInstance(service.Service):
ipautil.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)
# disabled by default, by ldap_configure()
if enabled:
self.enable()
else:
self.disable()
self.disable()
self.stop()
if running:
self.restart()
else:
self.stop()
self.named_regular.unmask()
if named_regular_enabled:
self.named_regular.enable()
if named_regular_running:
self.named_regular.start()
self.named_conflict.unmask()
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
ipautil.remove_file(paths.NAMED_CUSTOM_OPTIONS_CONF)
ipautil.remove_file(paths.NAMED_LOGGING_OPTIONS_CONF)
ipautil.remove_file(paths.RNDC_KEY)
ipautil.remove_file(
os.path.join(paths.NAMED_VAR_DIR, "_default.tsigkeys")
)
try:
while self.fstore.restore_file(self.keytab):
pass
except ValueError:
pass
ipautil.remove_keytab(self.keytab)
ipautil.remove_ccache(run_as=self.service_user)
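Review bot: `self.named_conflict.unmask()` in the uninstall path is called without the `try`/`except` that `mask_conflict` uses for the corresponding mask call, so an error from the unit (for instance when the conflicting unit is not installed on this host) would abort the uninstall before `paths.RNDC_KEY`, the TSIG key file and the keytab are removed. Wrapping it the same way, `try: self.named_conflict.unmask()` / `except Exception as e: logger.debug("Unable to unmask %s (%s)", self.named_conflict.systemd_name, e)`, keeps the cleanup best-effort like the install side. Whether `unmask()` raises on a missing unit depends on the service implementation, which is outside the hunk. Note also that the commit stops restoring the `named-regular-enabled` and `named-regular-running` keys that earlier installs recorded, so on a server upgraded from an older version those entries stay in the sysrestore state and the previously active regular named unit is not re-enabled on uninstall; a one-time compatibility read of those keys may be warranted. The enclosing uninstall method starts outside the hunk.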