Bug 847716
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] The TTL value for FreeIPA dynamic DNS updates should be configurable | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | James Hogarth <james.hogarth> |
| Component | sssd | Assignee | Jakub Hrozek <jhrozek> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | unspecified | Docs Contact | |
| Priority | medium | | |
| Version | 7.0 | CC | dpal, grajaiya, jgalipea, jhrozek, ksiddiqu |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | sssd-1.10.0-1.el7.alpha1 | Doc Type | Enhancement |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-13 11:32:29 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |

Doc Text:
Feature: The SSSD has a new option ipa_dyndns_ttl
Reason: Previously, the TTL (Time-To-Live) attribute of a DNS record during a DNS dynamic update was hardcoded to 86400 seconds. However, some environments need to set a different value.
Result (if any): The DNS records are now added with the TTL value the ipa_dyndns_ttl option sets. The option defaults to 1200 seconds.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1476

Devel and Quality Engineering have reviewed this request and determined that it will be best solved by a more complete solution in a later release. We would rather see the value be configurable, rather than adjusting it to a different hard-coded value.

Please provide implementation details and use cases for this new configuration option.

(In reply to comment #9)
> Please provide implementation details and use cases for this new
> configuration option.

Set the ipa_dyndns_ttl option to a value in seconds. Update the client's address using the dyndns functionality. Then view the DNS record on the server, in particular its TTL value. It should match the one provided with the config option.

Not sure what implementation details you are looking for, but there is nothing user visible apart from the single option. Internally, what the option does is that its value is used as the TTL instead of the previously hardcoded value of 86400 seconds.

As the guy that originally reported this and wrote the patch ;-)

Use case: Hostname that changes IP more frequently than once per day... This could be a test VM being rebuilt (which is where I encountered this) or a laptop user moving between subnets.

How to use: Set the option as mentioned above and as detailed in --help and the man page.

There was a corresponding patch to ipa-client-install on the freeipa-client side to configure this option on install but I don't think it was ever committed... It might be worth checking to avoid the edge case of the initial DNS update by ipa-client-install setting the TTL high (if memory serves though it was only something like 1200 seconds). However that has no impact on the functionality of this in sssd 1.10.

Thanks for the details, James, that's going to help our QE test the feature!

No problem... Apologies in not having more detail but I'm in a restaurant right now..

As one note though, it's best to test the feature either looking straight at the IPA server with a utility like dig or to watch the 'fail' event; the old host record still needs to be in a DNS cache somewhere on or between the system being used for the DNS query and the IPA server... If there's any additional information useful I'll be able to respond tomorrow or Thursday.

Thank you James!

Temporarily moving bugs to MODIFIED to work around errata tool bug

Verified.

IPA version:
============

```text
------------[RPMs & OS: [RedHat - x86_64]---------
| ipa-client-3.3.3-15.el7.x86_64
| sssd-1.11.2-19.el7.x86_64
--------------------------------------------------
```

Snippet from automation log:
===========================

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipaclientinstall_bug_847716 The TTL value for FreeIPA dynamic DNS updates should be configurable bz847716
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: uninstall_fornexttest starts
:: [ LOG ] :: sssd.conf for testing BZ 819982 does not exists
:: [ LOG ] :: checking for '^nameserver 10.16.46.51' in /etc/resolv.conf
:: [ PASS ] :: Running 'ssh root.46.51 "echo Secret123|kinit admin;ipa host-del amd-pike-05.testrelm.com"' (Expected 0,1,2, got 0)
:: [ PASS ] :: Running 'sleep 60' (Expected 0, got 0)
:: [ LOG ] :: uninstall_fornexttest ends
:: [ LOG ] :: EXECUTING: ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 --unattended --server=hp-dl380pgen8-02-vm-2.testrelm.com --enable-dns-updates --mkhomedir
:: [ PASS ] :: Installing ipa client and configuring - with all params (Expected 0, got 0)
:: [ LOG ] :: execute expect file: /tmp/kinit.10792.exp
:: [ LOG ] :: Success: kinit as [admin] with password [Secret123] was successful.
:: [ PASS ] :: Kinit as admin user (Expected 0, got 0)
:: [ PASS ] :: Capturing TTL value (Expected 0, got 0)
:: [ PASS ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz847716.txt' should contain 'Time to live: 1200'
:: [ PASS ] :: Assigning em1:0 with ip 192.168.0.1 (Expected 0, got 0)
:: [ PASS ] :: Capturning ifconfig output (Expected 0, got 0)
:: [ PASS ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz847716.txt' should contain 'em1:0'
:: [ PASS ] :: File '/tmp/bz847716.txt' should contain '192.168.0.1'
:: [ PASS ] :: Running 'sed '/cache_credentials/ a debug_level = 0x200' /etc/sssd/sssd.conf > /tmp/sssd.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'cp /tmp/sssd.conf /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'sed '/ipa_dyndns_update/ a ipa_dyndns_iface = em1:0' /etc/sssd/sssd.conf > /tmp/sssd.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'cp /tmp/sssd.conf /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'cat /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [ PASS ] :: Capturing TTL value after ip change (Expected 0, got 0)
:: [ PASS ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz847716.txt' should contain 'Time to live: 1200'
:: [ PASS ] :: File '/tmp/bz847716.txt' should contain '192.168.0.1'
:: [ PASS ] :: Running 'rm -rf /tmp/bz847716.txt' (Expected 0, got 0)
:: [ LOG ] :: Duration: 1m 17s
:: [ LOG ] :: Assertions: 22 good, 0 bad
:: [ PASS ] :: RESULT: ipaclientinstall_bug_847716 The TTL value for FreeIPA dynamic DNS updates should be configurable bz847716
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Created attachment 603961
This is a proposed patch for RHEL6 to bring the TTL of SSSD inline with the TTL set by ipa-client-install.

Description of problem:
The TTL on the record added by SSSD is much longer than that put in place by ipa-client-install (86400 seconds instead of 1200).

Version-Release number of selected component (if applicable):
sssd-1.8.0-32.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1) Add a client to IPA including the --enable-dns-updates argument.
2) Verify that the TTL is 1200 seconds on the record after it has been added as per the value in the ipa-client-install python script.
3) Arrange for the IP address to change in some way on the client.
4) Restart the client

Actual results:
TTL of record will be 86400 seconds

Expected results:
TTL of record should be 1200 seconds

Additional info:
Although for most use cases 1 day would be fine, for a rapid VM churn environment (eg fresh build host created each time in continuous integration or something similar) this could cause incorrect resolution... and is a confusion for the user given the change from the initial TTL put in place... in addition a systems administrator could not override this since the record is deleted and added by SSSD and as a consequence ipa dnsrecord-mod would only have an effect until update and not maintain the TTL afterwards...
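Added example (not code from this bug report, from SSSD or from FreeIPA): a small Python check for the verification procedure the thread describes, i.e. read ipa_dyndns_ttl from the client's sssd.conf (falling back to the 1200-second default named in the Doc Text) and compare it with the TTL in the answer section of a dig query sent straight to the IPA server, since, as James notes, a cache on or between the querying host and the server may still hold the old record. The sssd.conf text, the names client1.testrelm.com and ipa.testrelm.com, and the dig output embedded below are constructed sample data; query_server is a hypothetical helper that just shells out to dig.

```python
"""Check that the TTL served for a client's A record matches ipa_dyndns_ttl.

Added example, not part of the bug report or of SSSD. All sample data below
is constructed.
"""
import configparser
import re
import subprocess

# Default stated in the bug's Doc Text: records get 1200 s when the option is unset.
DEFAULT_DYNDNS_TTL = 1200

# Constructed sssd.conf with the option set below the default.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = testrelm.com

[domain/testrelm.com]
id_provider = ipa
ipa_server = ipa.testrelm.com
ipa_dyndns_update = True
ipa_dyndns_ttl = 600
"""

# Constructed dig output, as returned when asking the IPA server directly.
SAMPLE_DIG = """
; <<>> DiG <<>> @ipa.testrelm.com client1.testrelm.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;client1.testrelm.com.    IN    A

;; ANSWER SECTION:
client1.testrelm.com.    600    IN    A    192.168.0.1

;; Query time: 1 msec
"""


def configured_ttl(sssd_conf_text):
    """Return ipa_dyndns_ttl from the first [domain/...] section, else the default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            return cp.getint(section, "ipa_dyndns_ttl", fallback=DEFAULT_DYNDNS_TTL)
    raise ValueError("no [domain/...] section in sssd.conf")


# One answer line in dig output:  name.  TTL  IN  A  address
_ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$")


def served_records(dig_output):
    """Parse the ANSWER SECTION of dig output into (name, ttl, address) tuples."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # end of the answer section
            m = _ANSWER_RE.match(line)
            if m:
                records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def check_ttl(sssd_conf_text, dig_output, expected_addr):
    """Return (ok, message); ok is True when the record for expected_addr
    carries exactly the configured TTL."""
    want = configured_ttl(sssd_conf_text)
    for name, ttl, addr in served_records(dig_output):
        if addr == expected_addr:
            if ttl == want:
                return True, f"{name} -> {addr} TTL {ttl} matches ipa_dyndns_ttl"
            return False, f"{name} -> {addr} has TTL {ttl}, expected {want}"
    return False, f"no A record for {expected_addr} in the answer section"


def query_server(hostname, ipa_server):
    """Hypothetical helper: ask the IPA server itself so that a stale copy of the
    old record in an intermediate cache cannot mask the result."""
    return subprocess.run(["dig", "@" + ipa_server, hostname, "A"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    ok, msg = check_ttl(SAMPLE_SSSD_CONF, SAMPLE_DIG, "192.168.0.1")
    print("PASS" if ok else "FAIL", msg)
```

On a real client, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf and SAMPLE_DIG with query_server(hostname, ipa_server); running the check once before and once after the address change covers both the initial ipa-client-install update and the SSSD re-registration the report is about.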