#6565 FreeIPA server install fails (and existing servers probably fail to start) due to changes in 'dyndb' feature on merge to upstream BIND
Closed: Fixed None Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1403352

Prior to the release of BIND 9.11, Fedora and RHEL carried a downstream patch
implementing a feature called 'dyndb' or 'dynamic-db'. For example, here's F25's
patch:

http://pkgs.fedoraproject.org/cgit/rpms/bind.git/tree/bind-9.10-dyndb.patch?h=f25

FreeIPA sets up this feature (I don't know what it's for, or what it does, but
I know we use it) when you do a default ipa-server-install deployment.

In BIND 9.11, the feature was merged into upstream, but with significant
changes. pspacek says "The API accepted upstream is totally incompatible with
the old API we used".

BIND 9.11 has landed in Fedora Rawhide and the downstream patch has been
dropped, so Fedora Rawhide is now using "The API accepted upstream" rather than
"the old API we used". However, freeipa doesn't appear to have been adapted to
this.

Our openQA test that just does a pretty default FreeIPA server deployment (via
rolekit) fails:

https://openqa.fedoraproject.org/tests/50976

if you check the logs (which can be downloaded at
https://openqa.fedoraproject.org/tests/50976/file/role_deploy_domain_controller-var_log.tar.gz ),
this is because (actually this log extract is from a couple of days ago, but
it's the same failure):

Dec 07 11:57:26 ipa001.domain.local systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
Dec 07 11:57:26 ipa001.domain.local bash[9698]: /etc/named.conf:46: unknown option 'dynamic-db'
Dec 07 11:57:26 ipa001.domain.local systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1

As part of the changes to the feature when merged upstream, the config file
directive name was changed from 'dynamic-db' to 'dyndb'. Apparently this isn't
the only change, though. It sounds like ipa-server-install will need changing
to make the named.conf modifications in the new format, and we will also need
to migrate existing named.conf to the new format when BIND is upgraded from a <
9.11 build with the Fedora/RHEL downstream patches to >= 9.11 with the upstream
implementation...

Proposing as a Fedora 26 Alpha blocker, per criterion "Release-blocking roles
and the supported role configuration interfaces must meet the core functional
Role Definition Requirements to the extent that supported roles can be
successfully deployed, started, stopped, brought to a working configuration,
and queried." -
https://fedoraproject.org/wiki/Fedora_25_Alpha_Release_Criteria#Role_functional_requirements
(I didn't copy the criteria for F26 yet) - this bug makes it impossible to
deploy the domain controller role, which is a release-blocking role.
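
The failure above is exactly what an operator will hit on any existing server whose named.conf still carries the downstream-patch 'dynamic-db' block, so a pre-upgrade check that locates those blocks (by line number, the same way named reports them) and renders the replacement is worth having. The script below is an added example written for this page; it is not FreeIPA's or bind-dyndb-ldap's own migration code. The legacy block is a constructed sample in the shape ipa-server-install used to write; the target `dyndb "<name>" "<library path>" { key "value"; ... };` shape is taken from the BIND 9.11 / bind-dyndb-ldap 11 documentation, not from this ticket, and the library directory passed to `migrate()` is an assumption the operator must confirm for their platform.

```python
import re

# Constructed sample of a pre-9.11 named.conf fragment (downstream 'dynamic-db'
# syntax); the values are illustrative, not from any real deployment.
LEGACY_NAMED_CONF = """\
options {
\tdirectory "/var/named";
};

dynamic-db "ipa" {
\tlibrary "ldap.so";
\targ "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
\targ "base cn=dns, dc=example,dc=com";
\targ "server_id ipa001.example.com";
\targ "auth_method sasl";
\targ "sasl_mech GSSAPI";
};
"""

BLOCK_START = re.compile(r'^[ \t]*dynamic-db[ \t]+"([^"]+)"[ \t]*\{', re.M)


def find_legacy_blocks(conf):
    """Locate every legacy 'dynamic-db' block in a named.conf string.

    Returns a list of dicts with the 1-based line number (what named prints in
    'unknown option' errors), the instance name, the 'library' value, the list
    of 'arg' strings, and the (start, end) character span of the whole block.
    Braces inside quoted strings are not handled; BIND configs rarely have them.
    """
    blocks = []
    for m in BLOCK_START.finditer(conf):
        line_no = conf.count("\n", 0, m.start()) + 1
        # Walk the braces from the opening '{' to its matching '}'.
        depth, i = 0, m.end() - 1
        while i < len(conf):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        else:
            raise ValueError(f"unterminated dynamic-db block at line {line_no}")
        end = i + 1
        if end < len(conf) and conf[end] == ";":
            end += 1
        body = conf[m.end():i]
        lib = re.search(r'library[ \t]+"([^"]+)"[ \t]*;', body)
        blocks.append({
            "line": line_no,
            "name": m.group(1),
            "library": lib.group(1) if lib else None,
            "args": re.findall(r'arg[ \t]+"([^"]+)"[ \t]*;', body),
            "span": (m.start(), end),
        })
    return blocks


def render_dyndb(name, library_path, args):
    """Render a BIND 9.11-style block: each legacy 'arg "key value"' becomes
    a top-level 'key "value";' option (shape assumed from bind-dyndb-ldap 11 docs)."""
    lines = [f'dyndb "{name}" "{library_path}" {{']
    for arg in args:
        key, _, value = arg.partition(" ")
        lines.append(f'\t{key} "{value}";')
    lines.append("};")
    return "\n".join(lines)


def migrate(conf, libdir="/usr/lib64/bind"):
    """Rewrite every legacy block in place; libdir is an assumed install path."""
    blocks = find_legacy_blocks(conf)
    # Replace from the end so earlier spans stay valid.
    for b in sorted(blocks, key=lambda b: b["span"][0], reverse=True):
        if b["library"] is None:
            raise ValueError(f"dynamic-db block at line {b['line']} has no 'library'")
        new = render_dyndb(b["name"], f"{libdir}/{b['library']}", b["args"])
        start, end = b["span"]
        conf = conf[:start] + new + conf[end:]
    return conf


if __name__ == "__main__":
    for b in find_legacy_blocks(LEGACY_NAMED_CONF):
        print(f"named.conf:{b['line']}: legacy dynamic-db \"{b['name']}\" "
              f"(library {b['library']}, {len(b['args'])} args) needs migration")
    print(migrate(LEGACY_NAMED_CONF))
```

Run it against a copy of /etc/named.conf before the BIND >= 9.11 upgrade; if `find_legacy_blocks` returns anything, named-pkcs11 will refuse to start until the block is rewritten. Diff the rendered output against the block bind-dyndb-ldap's own update produces rather than trusting the rename alone, since the ticket notes the directive name was not the only change.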

PR https://github.com/freeipa/freeipa/pull/351 fixes new IPA installations.

Existing IPA configurations should be fixed as a part of bind-dyndb-ldap update https://fedorahosted.org/bind-dyndb-ldap/ticket/169

master:

  • c26dd80 Remove obsolete serial_autoincrement from named.conf parsing
  • e8a2abd named.conf template: update API for bind 9.11
  • 5de7065 bump required version of BIND, bind-dyndb-ldap

master:

  • 52582ae PEP8: fix line length for regexs in bindinstance
  • 2f4442f bindinstance: fix named.conf parsing regexs

master:

  • 6cb7bca Bump required version of bind-dyndb-ldap to 11.0-2

Metadata Update from @pvoborni:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5

7 years ago