[Pkg-freeipa-devel] freeipa: Changes to 'master-next'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Tue Mar 8 18:42:27 UTC 2016
debian/changelog | 12
debian/control | 3
debian/freeipa-server.dirs | 1
debian/freeipa-server.install | 5
debian/patches/add-debian-platform.diff | 59
debian/patches/create-sysconfig-ods.diff | 12
debian/patches/disable-dnssec-support.patch | 524 -------
debian/patches/fix-dnssec-services.diff | 34
debian/patches/fix-opendnssec-conf-template.diff | 24
debian/patches/ipaplatform-Move-remaining-user-group-constants-to-i.patch | 672 ++++++++++
debian/patches/series | 4
debian/rules | 8
12 files changed, 804 insertions(+), 554 deletions(-)
New commits:
commit 33d4d1bc6293b0d176a52dcf6a49c84c931e0221
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 20:42:03 2016 +0200
control: Bump dep on bind9-dyndb-ldap.
diff --git a/debian/changelog b/debian/changelog
index 758ac5b..09dcdc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -74,6 +74,7 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
DNSSEC.
* create-sysconfig-ods.diff: Create an empty file for opendnssec
daemons, until opendnssec itself is fixed.
+ * control: Bump dep on bind9-dyndb-ldap.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/control b/debian/control
index 28cbfdc..4fd2fcb 100644
--- a/debian/control
+++ b/debian/control
@@ -124,7 +124,7 @@ Replaces: freeipa-server (<< 4.3.0-1)
Depends:
freeipa-server (>= ${source:Version}),
bind9,
- bind9-dyndb-ldap (>= 6.0-4~),
+ bind9-dyndb-ldap (>= 8.0-2),
${misc:Depends},
${python:Depends},
${shlibs:Depends}
commit 6aa54b0920148af8403e66390eed1de8775c246f
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 20:37:33 2016 +0200
create-sysconfig-ods.diff: Create an empty file for opendnssec daemons, until opendnssec itself is fixed.
diff --git a/debian/changelog b/debian/changelog
index d0e896d..758ac5b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -72,6 +72,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
* control: Add python-systemd to server depends.
* rules, platform, server.dirs, server.install: Add support for
DNSSEC.
+ * create-sysconfig-ods.diff: Create an empty file for opendnssec
+ daemons, until opendnssec itself is fixed.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/patches/create-sysconfig-ods.diff b/debian/patches/create-sysconfig-ods.diff
new file mode 100644
index 0000000..23129ed
--- /dev/null
+++ b/debian/patches/create-sysconfig-ods.diff
@@ -0,0 +1,12 @@
+--- a/ipaserver/install/opendnssecinstance.py
++++ b/ipaserver/install/opendnssecinstance.py
+@@ -212,6 +212,9 @@ class OpenDNSSECInstance(service.Service
+ if not self.fstore.has_file(paths.SYSCONFIG_ODS):
+ self.fstore.backup_file(paths.SYSCONFIG_ODS)
+
++ # create the configfile, opendnssec-enforcer doesn't ship it
++ open(paths.SYSCONFIG_ODS, 'a').close()
++
+ installutils.set_directive(paths.SYSCONFIG_ODS,
+ 'SOFTHSM2_CONF',
+ paths.DNSSEC_SOFTHSM2_CONF,
diff --git a/debian/patches/series b/debian/patches/series
index e19bec1..d0a09d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ fix-replicainstall.diff
ipaplatform-Move-remaining-user-group-constants-to-i.patch
fix-dnssec-services.diff
fix-opendnssec-conf-template.diff
+create-sysconfig-ods.diff
commit b1491835b7fbbcdfca48eb42ab5665e605cfe985
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 19:13:25 2016 +0200
rules, platform, server.dirs, server.install: Add support for DNSSEC.
diff --git a/debian/changelog b/debian/changelog
index de1e005..d0e896d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -70,6 +70,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
* fix-opendnssec-conf-template.diff: Use ODS_USER/ODS_GROUP constants
in the template.
* control: Add python-systemd to server depends.
+ * rules, platform, server.dirs, server.install: Add support for
+ DNSSEC.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/freeipa-server.dirs b/debian/freeipa-server.dirs
index 9195b3c..3f6b8f6 100644
--- a/debian/freeipa-server.dirs
+++ b/debian/freeipa-server.dirs
@@ -1,2 +1,3 @@
etc/ipa/custodia
+etc/ipa/dnssec
var/lib/ipa/backup
diff --git a/debian/freeipa-server.install b/debian/freeipa-server.install
index 9f87878..fe86838 100644
--- a/debian/freeipa-server.install
+++ b/debian/freeipa-server.install
@@ -1,4 +1,6 @@
etc/default/ipa_memcached
+etc/default/ipa-dnskeysyncd
+etc/default/ipa-ods-exporter
etc/ipa/html/*
etc/ipa/kdcproxy
etc/dbus-1/system.d/org.freeipa.server.conf
@@ -25,7 +27,10 @@ usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit
usr/lib/certmonger/ipa-server-guard
usr/lib/ipa/certmonger/*
usr/lib/ipa/generate-rndc-key.sh
+usr/lib/ipa/ipa-dnskeysync-replica
+usr/lib/ipa/ipa-dnskeysyncd
usr/lib/ipa/ipa-httpd-kdcproxy
+usr/lib/ipa/ipa-ods-exporter
usr/lib/ipa/ipa-otpd
usr/lib/ipa/oddjob/org.freeipa.server.conncheck
usr/sbin/ipa-advise
diff --git a/debian/patches/add-debian-platform.diff b/debian/patches/add-debian-platform.diff
index 0936775..51054d0 100644
--- a/debian/patches/add-debian-platform.diff
+++ b/debian/patches/add-debian-platform.diff
@@ -31,7 +31,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+"""
--- /dev/null
+++ b/ipaplatform/debian/paths.py
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,355 @@
+# Authors:
+# Timo Aaltonen <tjaalton at ubuntu.com>
+#
@@ -58,7 +58,9 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
++import sysconfig
+
++MULTIARCH = sysconfig.get_config_var('MULTIARCH')
+
+class DebianPathNamespace(BasePathNamespace):
+# BASH = "/bin/bash"
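Review bot: `MULTIARCH = sysconfig.get_config_var('MULTIARCH')` can evaluate to `None` on an interpreter whose build does not record that variable, and nothing checks it; the later hunk then builds `LIBSOFTHSM2_SO = "/usr/lib/%s/softhsm/libsofthsm2.so" % MULTIARCH`, which silently yields `/usr/lib/None/softhsm/libsofthsm2.so`. That path is handed to OpenDNSSEC as its PKCS#11 module (`'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO` in the conf-template patch further down), so a wrong value only surfaces when key operations are attempted. Failing at import is safer: `if MULTIARCH is None:` / `    raise RuntimeError("sysconfig reports no MULTIARCH; cannot locate libsofthsm2.so")` right after the assignment. Moving `import sysconfig` above the `ipaplatform` import would also keep the stdlib import grouped with the others.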
@@ -114,7 +116,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ NAMED_VAR_DIR = "/var/cache/bind"
+ NAMED_KEYTAB = "/etc/bind/named.keytab"
+ NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
-+ NAMED_ROOT_KEY = "/etc/bind/named.root.key"
++ NAMED_ROOT_KEY = "/etc/bind/bind.keys"
+ NAMED_BINDKEYS_FILE = "/etc/bind/named.iscdlv.key"
+ NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
+# NSLCD_CONF = "/etc/nslcd.conf"
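Review bot: `NAMED_ROOT_KEY` now points at `/etc/bind/bind.keys`, but `NAMED_BINDKEYS_FILE` is left at `/etc/bind/named.iscdlv.key` on the unchanged line just below, and I am not aware of Debian's bind9 shipping a file by that name; the named.conf template emits both (`bindkeys-file "$BINDKEYS_FILE"` and `include "$ROOT_KEY"`, as the removed disable-dnssec patch further down shows), so one of the two directives may reference a missing file. Both values are DNSSEC trust-anchor inputs, and how named reacts to a missing `bindkeys-file` is version-dependent, so please verify both against the installed bind9 package and add a comment on each line naming the shipped file it corresponds to, e.g. `# shipped by bind9; carries the managed root keys`.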
@@ -153,15 +155,15 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
+ SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
+ SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
-+ SYSOCNFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
++ SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
+# SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
+ SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
-+# SYSCONFIG_NAMED = "/etc/sysconfig/named"
++ SYSCONFIG_NAMED = "/etc/default/bind9"
+# SYSCONFIG_NETWORK = "/etc/sysconfig/network"
+# SYSCONFIG_NETWORK_IPABKP = "/etc/sysconfig/network.ipabkp"
+ SYSCONFIG_NFS = "/etc/default/nfs-common"
+ SYSCONFIG_NTPD = "/etc/default/ntp"
-+#FIXME SYSCONFIG_ODS = "/etc/sysconfig/ods"
++ SYSCONFIG_ODS = "/etc/default/opendnssec"
+ SYSCONFIG_PKI = "/etc/dogtag/"
+ SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
+ SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
@@ -170,7 +172,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
+# SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
+# SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service"
-+#FIXME DNSSEC_TRUSTED_KEY = "/etc/trusted-key.key"
++ DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
+# HOME_DIR = "/home"
+# ROOT_IPA_CACHE = "/root/.ipa_cache"
+# ROOT_PKI = "/root/.pki"
@@ -221,11 +223,11 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# BIN_CURL = "/usr/bin/curl"
+# ZIP = "/usr/bin/zip"
+ BIND_LDAP_SO = "/usr/share/doc/bind9-dyndb-ldap/copyright"
-+# BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
-+# BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
++ BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
++ BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
+# USR_LIB_DIRSRV = "/usr/lib/dirsrv"
+# LIB_FIREFOX = "/usr/lib/firefox"
-+#FIXME LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
++ LIBSOFTHSM2_SO = "/usr/lib/%s/softhsm/libsofthsm2.so" % MULTIARCH
+ LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
+# BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
+# USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
@@ -358,7 +360,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# LOG_SECURE = "/var/log/secure"
+ NAMED_RUN = "/var/cache/bind/data/named.run"
+ VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
-+ OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/kasp.db"
++ OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
+ IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
+# VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
+ KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"
@@ -387,7 +389,7 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+paths = DebianPathNamespace()
--- /dev/null
+++ b/ipaplatform/debian/services.py
-@@ -0,0 +1,204 @@
+@@ -0,0 +1,194 @@
+# Authors:
+# Timo Aaltonen <tjaalton at ubuntu.com>
+#
@@ -425,8 +427,15 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+# to their actual systemd service names
+debian_system_units = redhat_services.redhat_system_units
+
++debian_system_units['named-regular'] = 'bind9.service'
++debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
++debian_system_units['named'] = debian_system_units['named-pkcs11']
+debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
+debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
++debian_system_units['ods-enforcerd'] = 'opendnssec-enforcer.service'
++debian_system_units['ods_enforcerd'] = debian_system_units['ods-enforcerd']
++debian_system_units['ods-signerd'] = 'opendnssec-signer.service'
++debian_system_units['ods_signerd'] = debian_system_units['ods-signerd']
+
+# Service classes that implement Debian-specific behaviour
+
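Review bot: The new `named`/`ods` entries are written into the mapping that `debian_system_units = redhat_services.redhat_system_units` (context line at the top of the hunk) merely aliases, so they mutate `redhat_services.redhat_system_units` in place and in particular replace its `named` entry with `bind9-pkcs11.service` for anything that imports the Red Hat module in the same process. A copy keeps the module's state local: `debian_system_units = dict(redhat_services.redhat_system_units)`. Whether both platform modules are ever loaded together is not visible here, but the copy is cheap and removes the cross-module side effect.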
@@ -528,25 +537,10 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ def disable(self):
+ return True
+
-+
+class DebianSSHService(DebianSysvService):
+ def get_config_dir(self, instance_name=""):
+ return '/etc/ssh'
+
-+class DebianNamedService(DebianSysvService):
-+ def get_user_name(self):
-+ return u'bind'
-+
-+ def get_group_name(self):
-+ return u'bind'
-+
-+ def get_binary_path(self):
-+ return paths.NAMED
-+
-+ def get_package_name(self):
-+ return u'bind9'
-+
-+
+# Function that constructs proper Debian-specific server classes for services
+# of specified name
+
@@ -565,8 +559,6 @@ Date: Fri Mar 1 12:21:00 2013 +0200
+ return DebianSysvService("krb5-kdc")
+ if name == 'messagebus':
+ return DebianSysvService("dbus")
-+ if name == 'named':
-+ return DebianNamedService("bind9")
+ if name == 'ntpd':
+ return DebianSysvService("ntp")
+ if name == 'smb':
diff --git a/debian/rules b/debian/rules
index 7b9679b..2a65dd6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -78,7 +78,15 @@ ifneq ($(ONLY_CLIENT), 1)
touch $(DESTDIR)/usr/share/ipa/html/krbrealm.con
install -m 0644 init/ipa_memcached.conf $(DESTDIR)/etc/default/ipa_memcached
+ install -m 0644 init/ipa-dnskeysyncd.conf $(DESTDIR)/etc/default/ipa-dnskeysyncd
+ install -m 0644 init/ipa-ods-exporter.conf $(DESTDIR)/etc/default/ipa-ods-exporter
install -m 0644 install/share/kdcproxy.conf $(DESTDIR)/etc/ipa/kdcproxy/kdcproxy.conf
+ install -m 0755 daemons/dnssec/ipa-dnskeysync-replica $(DESTDIR)/usr/lib/ipa/
+ install -m 0755 daemons/dnssec/ipa-dnskeysyncd $(DESTDIR)/usr/lib/ipa/
+ install -m 0644 daemons/dnssec/ipa-dnskeysyncd.service $(DESTDIR)/lib/systemd/system
+ install -m 0755 daemons/dnssec/ipa-ods-exporter $(DESTDIR)/usr/lib/ipa/
+ install -m 0644 daemons/dnssec/ipa-ods-exporter.service $(DESTDIR)/lib/systemd/system
+ install -m 0644 daemons/dnssec/ipa-ods-exporter.socket $(DESTDIR)/lib/systemd/system
install -m 0644 init/systemd/ipa_memcached.service $(DESTDIR)/lib/systemd/system
install -m 0644 init/systemd/ipa.service $(DESTDIR)/lib/systemd/system
install -m 0644 init/systemd/ipa-custodia.service $(DESTDIR)/lib/systemd/system
commit 7511e94bacc9265d2cf8ec7ab2dfaa5f4c804650
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 19:05:58 2016 +0200
control: Add python-systemd to server depends.
diff --git a/debian/changelog b/debian/changelog
index 06c8ed7..de1e005 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -69,6 +69,7 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
exporter units.
* fix-opendnssec-conf-template.diff: Use ODS_USER/ODS_GROUP constants
in the template.
+ * control: Add python-systemd to server depends.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/control b/debian/control
index 4946daa..28cbfdc 100644
--- a/debian/control
+++ b/debian/control
@@ -102,6 +102,7 @@ Depends:
python-ipaserver (= ${source:Version}),
python-gssapi,
python-ldap (>= 2.4.22),
+ python-systemd,
slapi-nis (>= 0.54.2),
softhsm2,
systemd-sysv,
commit d656cacbf2b470f95f37d598121410f69a8f0b10
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 19:05:12 2016 +0200
fix-opendnssec-conf-template.diff: Use ODS_USER/ODS_GROUP constants in the template.
diff --git a/debian/changelog b/debian/changelog
index 1856060..06c8ed7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -67,6 +67,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
various bits to use ipaplatform.constants.
* fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
exporter units.
+ * fix-opendnssec-conf-template.diff: Use ODS_USER/ODS_GROUP constants
+ in the template.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/patches/fix-opendnssec-conf-template.diff b/debian/patches/fix-opendnssec-conf-template.diff
new file mode 100644
index 0000000..8727b8b
--- /dev/null
+++ b/debian/patches/fix-opendnssec-conf-template.diff
@@ -0,0 +1,24 @@
+--- a/install/share/opendnssec_conf.template
++++ b/install/share/opendnssec_conf.template
+@@ -28,8 +28,8 @@
+
+ <Enforcer>
+ <Privileges>
+- <User>ods</User>
+- <Group>ods</Group>
++ <User>$ODS_USER</User>
++ <Group>$ODS_GROUP</Group>
+ </Privileges>
+
+ <Datastore><SQLite>$KASP_DB</SQLite></Datastore>
+--- a/ipaserver/install/opendnssecinstance.py
++++ b/ipaserver/install/opendnssecinstance.py
+@@ -80,6 +80,8 @@ class OpenDNSSECInstance(service.Service
+ 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
+ 'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
+ 'KASP_DB': paths.OPENDNSSEC_KASP_DB,
++ 'ODS_USER': ODS_USER,
++ 'ODS_GROUP': ODS_GROUP,
+ }
+ self.kasp_file_dict = {}
+ self.extra_config = [KEYMASTER]
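Review bot: The added `'ODS_USER': ODS_USER,` / `'ODS_GROUP': ODS_GROUP,` entries reference two bare names and this patch adds no import or definition for them; presumably the earlier `ipaplatform-Move-remaining-user-group-constants-to-i.patch` in the series defines them in opendnssecinstance.py, but if it does not, the enclosing method (likely `__init__`, which starts and ends outside this hunk) raises `NameError` at instantiation — please confirm, or import them explicitly (e.g. `from ipaplatform.constants import constants` and use `constants.ODS_USER`). The same user is hard-coded as `opendnssec` in the systemd units in `fix-dnssec-services.diff` below, so a one-line patch-header comment noting that the template values and the unit files must stay in sync would help future rebases. None of the three new patches in this series (`create-sysconfig-ods.diff`, this one, `fix-dnssec-services.diff`) carries a DEP-3 `Description:`/`Forwarded:` header.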
diff --git a/debian/patches/series b/debian/patches/series
index 6eeb4dc..e19bec1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ fix-custodia-conf.diff
fix-replicainstall.diff
ipaplatform-Move-remaining-user-group-constants-to-i.patch
fix-dnssec-services.diff
+fix-opendnssec-conf-template.diff
commit 632f38cc7d4294780f05ae875c8c125982d751b7
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 18:59:32 2016 +0200
fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-exporter units.
diff --git a/debian/changelog b/debian/changelog
index bee373c..1856060 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -65,6 +65,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
* fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
* ipaplatform-Move-remaining-user-group-constants-to-i.patch: Port
various bits to use ipaplatform.constants.
+ * fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
+ exporter units.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/patches/fix-dnssec-services.diff b/debian/patches/fix-dnssec-services.diff
new file mode 100644
index 0000000..4bf5c91
--- /dev/null
+++ b/debian/patches/fix-dnssec-services.diff
@@ -0,0 +1,34 @@
+--- a/daemons/dnssec/ipa-dnskeysyncd.service
++++ b/daemons/dnssec/ipa-dnskeysyncd.service
+@@ -2,11 +2,11 @@
+ Description=IPA key daemon
+
+ [Service]
+-EnvironmentFile=/etc/sysconfig/ipa-dnskeysyncd
+-ExecStart=/usr/libexec/ipa/ipa-dnskeysyncd
+-User=ods
+-Group=named
+-SupplementaryGroups=ods
++EnvironmentFile=/etc/default/ipa-dnskeysyncd
++ExecStart=/usr/lib/ipa/ipa-dnskeysyncd
++User=opendnssec
++Group=bind
++SupplementaryGroups=opendnssec
+ PrivateTmp=yes
+ Restart=on-failure
+ RestartSec=60s
+--- a/daemons/dnssec/ipa-ods-exporter.service
++++ b/daemons/dnssec/ipa-ods-exporter.service
+@@ -4,9 +4,9 @@ Wants=ipa-ods-exporter.socket
+ After=ipa-ods-exporter.socket
+
+ [Service]
+-EnvironmentFile=/etc/sysconfig/ipa-ods-exporter
+-ExecStart=/usr/libexec/ipa/ipa-ods-exporter
+-User=ods
++EnvironmentFile=/etc/default/ipa-ods-exporter
++ExecStart=/usr/lib/ipa/ipa-ods-exporter
++User=opendnssec
+ PrivateTmp=yes
+ Restart=on-failure
+ RestartSec=60s
diff --git a/debian/patches/series b/debian/patches/series
index e4b6c3b..6eeb4dc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ use-httpd-user.diff
fix-custodia-conf.diff
fix-replicainstall.diff
ipaplatform-Move-remaining-user-group-constants-to-i.patch
+fix-dnssec-services.diff
commit 95b02105139d104e5e495dd138641b43f40292bf
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Mar 8 18:53:29 2016 +0200
ipaplatform-Move-remaining-user-group-constants-to-i.patch: Port various bits to use ipaplatform.constants.
diff --git a/debian/changelog b/debian/changelog
index 5de6f5a..bee373c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -63,6 +63,8 @@ freeipa (4.3.0-1) UNRELEASED; urgency=medium
on postrm.
* control: Add zip to python-ipaserver depends.
* fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
+ * ipaplatform-Move-remaining-user-group-constants-to-i.patch: Port
+ various bits to use ipaplatform.constants.
-- Timo Aaltonen <tjaalton at debian.org> Sat, 03 Oct 2015 08:56:31 +0300
diff --git a/debian/patches/disable-dnssec-support.patch b/debian/patches/disable-dnssec-support.patch
deleted file mode 100644
index 24781ce..0000000
--- a/debian/patches/disable-dnssec-support.patch
+++ /dev/null
@@ -1,524 +0,0 @@
-From 80cae5f5ea38528caab01efae9100659e2ebb86e Mon Sep 17 00:00:00 2001
-From: Jan Cholasta <jcholast at redhat.com>
-Date: Tue, 21 Oct 2014 14:25:50 +0200
-Subject: [PATCH] Disable DNSSEC support
-
----
- install/share/bind.named.conf.template | 2 +-
- install/tools/ipa-dns-install | 52 ++++------------------------------
- install/tools/ipa-replica-install | 16 ++++-------
- install/tools/ipa-replica-manage | 12 --------
- install/tools/ipa-server-install | 40 +++-----------------------
- install/tools/ipa-upgradeconfig | 10 -------
- ipalib/plugins/dns.py | 4 ++-
- ipaplatform/redhat/services.py | 6 ++--
- ipapython/Makefile | 2 +-
- ipapython/setup.py.in | 2 +-
- ipaserver/install/bindinstance.py | 25 ----------------
- 11 files changed, 24 insertions(+), 147 deletions(-)
-
---- a/install/share/bind.named.conf.template
-+++ b/install/share/bind.named.conf.template
-@@ -18,12 +18,8 @@ options {
- pid-file "$NAMED_PID";
-
- dnssec-enable yes;
-- dnssec-validation yes;
-+ dnssec-validation no;
-
-- /* Path to ISC DLV key */
-- bindkeys-file "$BINDKEYS_FILE";
--
-- managed-keys-directory "$MANAGED_KEYS_DIR";
- };
-
- /* If you want to enable debugging, eg. using the 'rndc trace' command,
-@@ -40,7 +36,6 @@ logging {
-
-
- include "$RFC1912_ZONES";
--include "$ROOT_KEY";
-
- dynamic-db "ipa" {
- library "ldap.so";
---- a/install/tools/ipa-dns-install
-+++ b/install/tools/ipa-dns-install
-@@ -23,8 +23,7 @@ from optparse import OptionGroup, SUPPRE
-
- import krbV
-
--from ipaserver.install import (service, bindinstance, ntpinstance,
-- httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
-+from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
- from ipaserver.install.installutils import *
- from ipaserver.install import installutils
- from ipapython import version
-@@ -54,10 +53,6 @@ def parse_options():
- help="The reverse DNS zone to use. This option can be used multiple times")
- parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
- default=False, help="Do not create new reverse DNS zone")
-- parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
-- default=False, help="Disable DNSSEC validation")
-- parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
-- default=False, help="Setup server to be DNSSEC key master")
- parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
- type="string",
- help="DNS zone manager e-mail address. Defaults to hostmaster at DOMAIN")
-@@ -67,6 +62,10 @@ def parse_options():
- options, args = parser.parse_args()
- safe_options = parser.get_safe_opts(options)
-
-+ # Disable DNSSEC support
-+ options.no_dnssec_validation = False
-+ options.dnssec_master = False
-+
- if options.forwarders and options.no_forwarders:
- parser.error("You cannot specify a --forwarder option together with --no-forwarders")
- elif options.reverse_zones and options.no_reverse:
-@@ -101,21 +100,6 @@ def main():
- print ""
- print "This includes:"
- print " * Configure DNS (bind)"
-- print " * Configure SoftHSM (required by DNSSEC)"
-- print " * Configure ipa-dnskeysyncd (required by DNSSEC)"
-- if options.dnssec_master:
-- print " * Configure ipa-ods-exporter (required by DNSSEC key master)"
-- print " * Configure OpenDNSSEC (required by DNSSEC key master)"
-- print " * Generate DNSSEC master key (required by DNSSEC key master)"
-- print ""
-- print "NOTE: DNSSEC zone signing is not enabled by default"
-- print ""
-- if options.dnssec_master:
-- print "DNSSEC support is experimental!"
-- print ""
-- print "Plan carefully, current version doesn't allow you to move DNSSEC"
-- print "key master to different server and master cannot be uninstalled"
-- print ""
- print ""
- print "To accept the default shown in brackets, press the Enter key."
- print ""
-@@ -126,15 +110,9 @@ def main():
- sys.exit("Aborted")
-
- # Check bind packages are installed
-- if not (bindinstance.check_inst(options.unattended) and
-- dnskeysyncinstance.check_inst()):
-+ if not bindinstance.check_inst(options.unattended):
- sys.exit("Aborting installation.")
-
-- if options.dnssec_master:
-- # check opendnssec packages are installed
-- if not opendnssecinstance.check_inst():
-- sys.exit("Aborting installation")
--
- # Initialize the ipalib api
- cfg = dict(
- in_server=True,
-@@ -160,15 +138,6 @@ def main():
- except errors.ACIError:
- sys.exit("Password is not valid!")
-
-- ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
-- start_tls=True)
-- if options.dnssec_master:
-- dnssec_masters = ods.get_masters()
-- # we can reinstall current server if it is dnssec master
-- if not api.env.host in dnssec_masters and dnssec_masters:
-- print "DNSSEC key master(s):", u','.join(dnssec_masters)
-- sys.exit("Only one DNSSEC key master is supported in current version.")
--
- ip_addresses = get_server_ip_address(api.env.host, fstore,
- options.unattended, True, options.ip_addresses)
-
-@@ -179,13 +148,6 @@ def main():
- else:
- dns_forwarders = read_dns_forwarders()
-
-- # test DNSSEC forwarders
-- if dns_forwarders:
-- if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
-- and not options.no_dnssec_validation):
-- options.no_dnssec_validation = True
-- print "WARNING: DNSSEC validation will be disabled"
--
- root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
-
- if bind.dm_password:
-@@ -214,19 +176,6 @@ def main():
- no_dnssec_validation=options.no_dnssec_validation)
- bind.create_instance()
-
-- # on dnssec master this must be installed last
-- dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
-- start_tls=True)
-- dnskeysyncd.create_instance(api.env.host, api.env.realm)
-- if options.dnssec_master:
-- ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
-- dm_password,
-- start_tls=True)
--
-- ods_exporter.create_instance(api.env.host, api.env.realm)
-- ods.create_instance(api.env.host, api.env.realm)
--
-- dnskeysyncd.start_dnskeysyncd()
- bind.start_named()
-
- # Restart http instance to make sure that python-dns has the right resolver
---- a/install/tools/ipa-replica-install
-+++ b/install/tools/ipa-replica-install
-@@ -33,7 +33,7 @@ from ipapython import ipautil
-
- from ipaserver.install import dsinstance, installutils, krbinstance, service
- from ipaserver.install import bindinstance, httpinstance, ntpinstance
--from ipaserver.install import memcacheinstance, dnskeysyncinstance
-+from ipaserver.install import memcacheinstance
- from ipaserver.install import otpdinstance
- from ipaserver.install.replication import replica_conn_check, ReplicationManager
- from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
-@@ -115,8 +115,6 @@ def parse_options():
- metavar="REVERSE_ZONE")
- dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
- default=False, help="Do not create new reverse DNS zone")
-- dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
-- default=False, help="Disable DNSSEC validation")
- dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
- default=False,
- help="Do not use DNS for hostname lookup during installation")
-@@ -127,6 +125,9 @@ def parse_options():
- options, args = parser.parse_args()
- safe_options = parser.get_safe_opts(options)
-
-+ # Disable DNSSEC support
-+ options.no_dnssec_validation = False
-+
- if len(args) != 1:
- parser.error("you must provide a file generated by ipa-replica-prepare")
-
-@@ -139,8 +140,6 @@ def parse_options():
- parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
- if options.no_reverse:
- parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
-- if options.no_dnssec_validation:
-- parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
- elif options.forwarders and options.no_forwarders:
- parser.error("You cannot specify a --forwarder option together with --no-forwarders")
- elif not options.forwarders and not options.no_forwarders:
-@@ -274,10 +273,6 @@ def install_bind(config, options):
- no_dnssec_validation=options.no_dnssec_validation)
- bind.create_instance()
- print ""
-- dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(
-- dm_password=config.dirman_password)
-- dnskeysyncd.create_instance(api.env.host, api.env.realm)
-- dnskeysyncd.start_dnskeysyncd()
- bind.start_named()
- print ""
- bind.check_global_configuration()
-@@ -354,8 +349,7 @@ def check_dirsrv():
- sys.exit(1)
-
- def check_bind():
-- if not (bindinstance.check_inst(unattended=True) and
-- dnskeysyncinstance.check_inst()):
-+ if not bindinstance.check_inst(unattended=True):
- print "Aborting installation"
- sys.exit(1)
-
---- a/install/tools/ipa-replica-manage
-+++ b/install/tools/ipa-replica-manage
-@@ -29,7 +29,6 @@ import socket
- from ipapython import ipautil
- from ipaserver.install import replication, dsinstance, installutils
- from ipaserver.install import bindinstance, cainstance, certs
--from ipaserver.install import opendnssecinstance, dnskeysyncinstance
- from ipaserver.plugins import ldap2
- from ipapython import version, ipaldap
- from ipalib import api, errors, util
-@@ -695,14 +694,6 @@ def del_master(realm, hostname, options)
- if not options.force and not ipautil.user_input("Continue to delete?", False):
- sys.exit("Deletion aborted")
-
-- # test if replica is not DNSSEC master
-- # allow to delete it if is last DNS server
-- if 'DNS' in this_services and other_dns and not options.force:
-- dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn)
-- if hostname in dnssec_masters:
-- print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
-- sys.exit("Deletion aborted")
--
- # Pick CA renewal master
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master(hostname):
-@@ -757,9 +748,6 @@ def del_master(realm, hostname, options)
- bind.remove_master_dns_records(hostname, realm, realm.lower())
- bind.remove_ipa_ca_dns_records(hostname, realm.lower())
- bind.remove_server_ns_records(hostname)
--
-- keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
-- keysyncd.remove_replica_public_keys(hostname)
- except Exception, e:
- print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
- print "You may need to manually remove them from the tree"
---- a/install/tools/ipa-server-install
-+++ b/install/tools/ipa-server-install
-@@ -49,9 +49,6 @@ except ImportError:
- from ipaserver.install import dsinstance
- from ipaserver.install import krbinstance
- from ipaserver.install import bindinstance
--from ipaserver.install import dnskeysyncinstance
--from ipaserver.install import opendnssecinstance
--from ipaserver.install import odsexporterinstance
- from ipaserver.install import httpinstance
- from ipaserver.install import ntpinstance
- from ipaserver.install import certs
-@@ -290,8 +287,6 @@ def parse_options():
- action="append", default=[], metavar="REVERSE_ZONE")
- dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
- default=False, help="Do not create reverse DNS zone")
-- dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
-- default=False, help="Disable DNSSEC validation")
- dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
- type="string",
- help="DNS zone manager e-mail address. Defaults to hostmaster at DOMAIN")
-@@ -311,6 +306,9 @@ def parse_options():
- options, args = parser.parse_args()
- safe_options = parser.get_safe_opts(options)
-
-+ # Disable DNSSEC support
-+ options.no_dnssec_validation = False
-+
- if options.dm_password is not None:
- try:
- validate_dm_password(options.dm_password)
-@@ -337,8 +335,6 @@ def parse_options():
- parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
- if options.no_reverse:
- parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
-- if options.no_dnssec_validation:
-- parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
- elif options.forwarders and options.no_forwarders:
- parser.error("You cannot specify a --forwarder option together with --no-forwarders")
- elif options.reverse_zones and options.no_reverse:
-@@ -578,17 +574,7 @@ def uninstall():
- api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
- if ca_instance.is_configured():
- ca_instance.uninstall()
--
-- ods = opendnssecinstance.OpenDNSSECInstance(fstore)
-- if ods.is_configured():
-- ods.uninstall()
--
-- ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
-- if ods_exporter.is_configured():
-- ods_exporter.uninstall()
--
- bindinstance.BindInstance(fstore).uninstall()
-- dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()
- httpinstance.HTTPInstance(fstore).uninstall()
- krbinstance.KrbInstance(fstore).uninstall()
- dsinstance.DsInstance(fstore=fstore).uninstall()
-@@ -746,20 +732,6 @@ def main():
- "agreements.\n\n")
- print textwrap.fill(msg, width=80, replace_whitespace=False)
- else:
--
-- # test if server is DNSSEC key master
-- masters = opendnssecinstance.get_dnssec_key_masters(conn)
-- if api.env.host in masters:
-- print "This server is active DNSSEC key master. Uninstall could break your DNS system."
-- if not (options.unattended or user_input("Are you sure you "
-- "want to continue "
-- "with the uninstall "
-- "procedure?",
-- False)):
-- print ""
-- print "Aborting uninstall operation."
-- sys.exit(1)
--
- rm = replication.ReplicationManager(
- realm=api.env.realm,
- hostname=api.env.host,
-@@ -908,8 +880,7 @@ def main():
-
- # check bind packages are installed
- if options.setup_dns:
-- if not (bindinstance.check_inst(options.unattended) and
-- dnskeysyncinstance.check_inst()):
-+ if not bindinstance.check_inst(options.unattended):
- sys.exit("Aborting installation")
-
- # Don't require an external DNS to say who we are if we are
-@@ -1298,9 +1269,6 @@ def main():
- api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
-
- bind.create_instance()
-- dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
-- dnskeysyncd.create_instance(api.env.host, api.env.realm)
-- dnskeysyncd.start_dnskeysyncd()
- bind.start_named()
- print ""
- bind.check_global_configuration()
---- a/install/tools/ipa-upgradeconfig
-+++ b/install/tools/ipa-upgradeconfig
-@@ -54,7 +54,6 @@ from ipaserver.install import cainstance
- from ipaserver.install import certs
- from ipaserver.install import otpdinstance
- from ipaserver.install import sysupgrade
--from ipaserver.install import dnskeysyncinstance
-
-
- def parse_options():
-@@ -1436,14 +1435,6 @@ def main():
- except ipalib.errors.DuplicateEntry:
- pass
-
-- # install DNSKeySync service only if DNS is configured on server
-- if bindinstance.named_conf_exists():
-- dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
-- if not dnskeysyncd.is_configured():
-- ds.start()
-- dnskeysyncd.create_instance(fqdn, api.env.realm)
-- dnskeysyncd.start_dnskeysyncd()
--
- cleanup_kdc(fstore)
- cleanup_adtrust(fstore)
- setup_firefox_extension(fstore)
-@@ -1457,13 +1448,6 @@ def main():
- named_enable_serial_autoincrement(),
- named_update_gssapi_configuration(),
- named_update_pid_file(),
-- named_enable_dnssec(),
-- named_validate_dnssec(),
-- named_bindkey_file_option(),
-- named_managed_keys_dir_option(),
-- named_root_key_include(),
-- mask_named_regular(),
-- fix_dyndb_ldap_workdir_permissions(),
- )
-
- if any(named_conf_changes):
---- a/ipalib/plugins/dns.py
-+++ b/ipalib/plugins/dns.py
-@@ -2617,7 +2617,9 @@ class dnszone(DNSZoneBase):
- if options['idnssecinlinesigning'] is True:
- messages.add_message(options['version'], result,
- messages.DNSSECWarning(
-- additional_info=_("Visit 'http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support'.")
-+ additional_info=_("Manual configuration needed, please "
-+ "visit 'http://www.freeipa.org/page/Releases/4.0.0#"
-+ "Experimental_DNSSEC_Support'")
- ))
- else:
- messages.add_message(options['version'], result,
---- a/ipaplatform/redhat/services.py
-+++ b/ipaplatform/redhat/services.py
-@@ -69,7 +69,7 @@ redhat_system_units['ipa-otpd'] = 'ipa-o
- redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
- redhat_system_units['named-regular'] = 'named.service'
- redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
--redhat_system_units['named'] = redhat_system_units['named-pkcs11']
-+redhat_system_units['named'] = redhat_system_units['named-regular']
- redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
- redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
- redhat_system_units['ods-signerd'] = 'ods-signerd.service'
-@@ -243,10 +243,10 @@ class RedHatNamedService(RedHatService):
- return u'named'
-
- def get_binary_path(self):
-- return paths.NAMED_PKCS11
-+ return paths.NAMED
-
- def get_package_name(self):
-- return u"bind-pkcs11"
-+ return u"bind"
-
-
- class RedHatODSEnforcerdService(RedHatService):
---- a/ipapython/Makefile
-+++ b/ipapython/Makefile
-@@ -3,7 +3,7 @@ PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
- CONFIGDIR ?= $(DESTDIR)/etc/ipa
- TESTS = $(wildcard test/*.py)
-
--SUBDIRS = py_default_encoding ipap11helper
-+SUBDIRS = py_default_encoding
-
- all:
- @for subdir in $(SUBDIRS); do \
---- a/ipapython/setup.py.in
-+++ b/ipapython/setup.py.in
-@@ -65,7 +65,7 @@ def setup_package():
- classifiers=filter(None, CLASSIFIERS.split('\n')),
- platforms = ["Linux", "Solaris", "Unix"],
- package_dir = {'ipapython': ''},
-- packages = [ "ipapython", "ipapython.dnssec" ],
-+ packages = [ "ipapython" ],
- )
- finally:
- del sys.path[0]
---- a/ipaserver/install/bindinstance.py
-+++ b/ipaserver/install/bindinstance.py
-@@ -552,7 +552,6 @@ class BindInstance(service.Service):
- self.sub_dict = None
- self.reverse_zones = []
- self.dm_password = dm_password
-- self.named_regular = services.service('named-regular')
-
- if fstore:
- self.fstore = fstore
-@@ -661,8 +660,6 @@ class BindInstance(service.Service):
- if self.get_state("running") is None:
- # first time store status
- self.backup_state("running", self.is_running())
-- self.backup_state("named-regular-running",
-- self.named_regular.is_running())
- self.restart()
- except Exception as e:
- root_logger.error("Named service failed to start (%s)", e)
-@@ -671,8 +668,6 @@ class BindInstance(service.Service):
- def __enable(self):
- if self.get_state("enabled") is None:
- self.backup_state("enabled", self.is_running())
-- self.backup_state("named-regular-enabled",
-- self.named_regular.is_running())
- # We do not let the system start IPA components on its own,
- # Instead we reply on the IPA init script to start only enabled
- # components as found in our LDAP configuration tree
-@@ -683,17 +678,6 @@ class BindInstance(service.Service):
- # don't crash, just report error
- root_logger.error("DNS service already exists")
-
-- # disable named, we need to run named-pkcs11 only
-- try:
-- self.named_regular.stop()
-- except Exception as e:
-- root_logger.debug("Unable to stop named (%s)", e)
--
-- try:
-- self.named_regular.mask()
-- except Exception as e:
-- root_logger.debug("Unable to mask named (%s)", e)
--
- def __setup_sub_dict(self):
- if self.forwarders:
- fwds = "\n"
-@@ -1176,8 +1160,6 @@ class BindInstance(service.Service):
-
- running = self.restore_state("running")
- enabled = self.restore_state("enabled")