Bug 1007700

Summary: oo-accept-broker and oo-register-dns will fail when using unauthenticated DNS updates
Product: OpenShift Container Platform
Reporter: Johnny Liu <jialiu>
Component: Node
Assignee: Miciah Dashiel Butler Masters <mmasters>
Status: CLOSED ERRATA
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: medium
Version: 1.2.1
CC: bleanhar, jdetiber, libra-onpremise-devel, yanpzhan
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openshift-origin-broker-util-1.9.17-1.el6op
Doc Type: Bug Fix
Clone Of:
: 1015255 (view as bug list) Environment:
Last Closed: 2014-06-04 00:39:25 UTC
Type: Bug
Bug Depends On: 1015255

Description Johnny Liu 2013-09-13 07:22:40 UTC
Description of problem:
According to BZ#990645, the dns-nsupdate plugin already supports unauthenticated DNS.
But oo-accept-broker and oo-register-dns are not updated, so they will fail when using unauthenticated DNS updates.

Version-Release number of selected component (if applicable):
openshift-origin-broker-util-1.9.12-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up an unauthenticated DNS server
2. Modify /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf like the following:
# cat /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf
BIND_SERVER=192.168.59.150
BIND_PORT=53
BIND_ZONE="rhn.com"
3. Create app successfully.
4. Run oo-accept-broker and oo-register-dns

Actual results:
# oo-accept-broker 
NOTICE: SELinux is Enforcing
NOTICE: SELinux is  Enforcing
FAIL: wrong number of values returned from ruby code
keys: 2; values: 0
#####

			puts Rails.application.config.dns[:krb_keytab]
			puts Rails.application.config.dns[:krb_principal]
#####

#####
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
FAIL: error adding txt record name testrecord.rhn.com to server 192.168.59.150: krb0
	-- is the nameserver running, reachable, and krb auth working?
FAIL: txt record testrecord.rhn.com does not resolve on server 192.168.59.150
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
FAIL: error deleteing txt record name testrecord.rhn.com to server 192.168.59.150: krb0
	-- is the nameserver running, reachable, and krb auth working?
4 ERRORS

# oo-register-dns -h node5 -n 10.5.5.5 -d rhn.com
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)


Expected results:
oo-accept-broker and oo-register-dns should support unauthenticated DNS updates

Additional info:

Comment 2 Miciah Dashiel Butler Masters 2013-10-03 18:15:01 UTC
Pull request:   https://github.com/openshift/enterprise-server/pull/147

Comment 3 Miciah Dashiel Butler Masters 2014-01-20 15:48:35 UTC
Related pull-request: https://github.com/openshift/enterprise-server/pull/203

Comment 5 Yanping Zhang 2014-05-21 08:51:45 UTC
Verified on puddle 1-2-RHSCL11-2014-05-20

Verified steps:
1. Set up an unauthenticated DNS server
Notice: in an unauthorized DNS env you need to delete the default key file: /var/named/<domain name>.key
2. Create app successfully.
3. Run oo-accept-broker and oo-register-dns
# oo-accept-broker 
# oo-register-dns -h node5 -n 10.5.5.5 -d ose12zscl11.example.com

Actual results:
Step 3: no error or fail output info.

Comment 7 errata-xmlrpc 2014-06-04 00:39:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0598.html
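
An added example, not part of the bug report or the OpenShift code: one way a check script could classify the DNS update mode from the plugin configuration, so that the three-key configuration in the description is treated as unauthenticated instead of falling through to Kerberos or TSIG. The key names BIND_KEYNAME, BIND_KEYVALUE, BIND_KRB_PRINCIPAL and BIND_KRB_KEYTAB and the helper names conf_get and dns_auth_mode are assumptions; only BIND_SERVER, BIND_PORT and BIND_ZONE appear in the report.

```shell
#!/bin/sh
# Added example: classify the DNS update auth mode from the nsupdate plugin conf.
# The BIND_KEY* and BIND_KRB_* key names are assumptions, not taken from the report.

# conf_get FILE KEY: print the value of KEY without sourcing the file as shell.
# Commented-out lines are ignored; the last assignment wins; quotes are stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# dns_auth_mode FILE: print krb, tsig or none.
# Returns 1 when only half of a credential pair is set, so a typo in the
# config is reported instead of silently downgrading to unauthenticated updates.
dns_auth_mode() {
    princ=$(conf_get "$1" BIND_KRB_PRINCIPAL)
    keytab=$(conf_get "$1" BIND_KRB_KEYTAB)
    kname=$(conf_get "$1" BIND_KEYNAME)
    kval=$(conf_get "$1" BIND_KEYVALUE)
    if [ -n "$princ" ] && [ -n "$keytab" ]; then
        echo krb
    elif [ -n "$princ$keytab" ]; then
        echo "incomplete Kerberos settings" >&2; return 1
    elif [ -n "$kname" ] && [ -n "$kval" ]; then
        echo tsig
    elif [ -n "$kname$kval" ]; then
        echo "incomplete TSIG settings" >&2; return 1
    else
        echo none
    fi
}

# Constructed sample: the three-line config from the description (no auth keys).
sample=$(mktemp)
printf 'BIND_SERVER=192.168.59.150\nBIND_PORT=53\nBIND_ZONE="rhn.com"\n' > "$sample"
echo "auth mode: $(dns_auth_mode "$sample")"
rm -f "$sample"
```

A check that gets "none" back can skip the keytab and key lookups and report that the zone accepts unauthenticated updates, which is worth surfacing in the check output.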