Bug 1061941

Summary: The broker nsupdate plugin and oo-accept-broker need to allow additional dns key algorithms
Product: OpenShift Container Platform
Reporter: chris alfonso <calfonso>
Component: Node
Assignee: chris alfonso <calfonso>
Status: CLOSED ERRATA
QA Contact: libra bugs <libra-bugs>
Severity: medium
Docs Contact:
Priority: unspecified    
Version: 2.0.0
CC: adellape, bleanhar, cpelland, hbrock, jialiu, jolamb, libra-onpremise-devel, nwei, pruan, yanpzhan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openshift-origin-broker-util-1.17.6.3-1.el6op, rubygem-openshift-origin-dns-nsupdate-1.15.2-1.el6op
Doc Type: Bug Fix
Doc Text:
OpenShift Enterprise DNS commands assumed DNS keys were created using the HMAC-MD5 algorithm, causing calls to the nsupdate utility to fail when the DNS key did not use HMAC-MD5. This bug fix adds support to the nsupdate plugin and the oo-accept-broker tool to include the key algorithm when nsupdate is called. DNS key algorithms other than HMAC-MD5 are now supported by OpenShift Enterprise tools.
Last Closed: 2014-02-25 15:48:04 UTC
Type: Bug

Description chris alfonso 2014-02-05 22:23:33 UTC
Description of problem:
If the dns key is created with an algorithm other than HMAC-MD5 (assumed to be the default), the nsupdate commands for adding/removing domain names fail for oo-accept-broker and the nsupdate_plugin.


How reproducible:
Change the algorithm used in the dnssec-key command when creating the bind key to something other than HMAC-MD5, then try to use oo-accept-broker. It won't work because the interactive nsupdate command needs the key attribute to specify what the algorithm is.
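
The description above says the interactive nsupdate `key` command has to name the algorithm. As an added example (not the nsupdate plugin's or oo-accept-broker's own code), this Ruby code reads the algorithm from a BIND-style key clause and emits the `key hmac:keyname secret` form that nsupdate accepts; the key name, secret, host names and function names are constructed for illustration.

```ruby
# Added example, not OpenShift code. Key name, secret and host names are constructed.
TSIG_ALGORITHMS = %w[hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256
                     hmac-sha384 hmac-sha512].freeze

SAMPLE_KEY_CLAUSE = <<~CONF
  key "apps.example.com" {
    algorithm HMAC-SHA256;
    secret "Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA==";
  };
CONF

# Parse a BIND-style clause: key "name" { algorithm X; secret "Y"; };
def parse_key_clause(text)
  name      = text[/key\s+"?([^"\s{]+)"?\s*\{/, 1]
  algorithm = text[/algorithm\s+"?([A-Za-z0-9-]+)"?\s*;/, 1]
  secret    = text[/secret\s+"([^"]+)"\s*;/, 1]
  raise ArgumentError, 'incomplete key clause' unless name && algorithm && secret
  { name: name, algorithm: algorithm.downcase, secret: secret }
end

# Build the batch that is fed to nsupdate on stdin. A bare "key name secret"
# line makes nsupdate fall back to its default algorithm, so a key created
# with another algorithm fails to sign; the prefix names it explicitly.
def nsupdate_add_script(server:, key:, fqdn:, target:, ttl: 60)
  unless TSIG_ALGORITHMS.include?(key[:algorithm])
    raise ArgumentError, "unsupported TSIG algorithm: #{key[:algorithm]}"
  end
  # Reject whitespace and newlines so no value can add extra nsupdate commands.
  [server, key[:name], fqdn, target].each do |v|
    raise ArgumentError, "illegal value: #{v.inspect}" unless v =~ /\A[A-Za-z0-9._-]+\z/
  end
  unless key[:secret] =~ %r{\A[A-Za-z0-9+/]+=*\z}
    raise ArgumentError, 'secret is not base64'
  end
  <<~EOS
    server #{server}
    key #{key[:algorithm]}:#{key[:name]} #{key[:secret]}
    update add #{fqdn} #{Integer(ttl)} CNAME #{target}
    send
  EOS
end

if __FILE__ == $PROGRAM_NAME
  key = parse_key_clause(SAMPLE_KEY_CLAUSE)
  puts nsupdate_add_script(server: '127.0.0.1', key: key,
                           fqdn: 'app-demo.apps.example.com',
                           target: 'node1.example.com')
end
```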

Comment 1 chris alfonso 2014-02-05 23:25:26 UTC
The updated packages have landed in the latest internal puddle and are in enterprise-server/enterprise-2.0.

Comment 5 Nan Wei 2014-02-10 12:00:03 UTC
openshift enterprise:

step 1: make sure the old env has the dns key which was created with HMAC-MD5.
step 2: create a new dns key with another algorithm, HMAC-SHA256.
step 3: delete an existing app; it throws a failure message.
[root@broker named]# rhc app delete apps7
This is a non-reversible action! Your application code and data will be permanently deleted if you continue!

Are you sure you want to delete the application 'apps7'? (yes|no): yes

Deleting application 'apps7' ... error deleting app record apps7-nweidomain.ose-20140115.com.cn
step 4: upgrade broker-util
openshift-origin-broker-util-1.17.6.3-1.el6op, 
rubygem-openshift-origin-dns-nsupdate-1.15.2-1.el6op
step 5: the app is deleted successfully and running 'oo-accept-broker' passes
[root@br215 ~]# oo-accept-broker 
NOTICE: SELinux is Enforcing
NOTICE: SELinux is  Enforcing
pass

Comment 6 Nan Wei 2014-02-12 06:04:39 UTC
Sure, I have added a test case for the dns key.

Comment 8 errata-xmlrpc 2014-02-25 15:48:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0209.html