Bug 1468477 - nsd-keygen unit does not generate keys if it's already started
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: nsd
Version: epel7
Hardware: Unspecified Linux
Priority: unspecified
Severity: medium
Assigned To: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-07 04:17 EDT by Eugene Peregudov
Modified: 2017-07-07 05:03 EDT
Type: Bug
Description Eugene Peregudov 2017-07-07 04:17:17 EDT
Description of problem:

nsd-keygen unit does not generate keys if it's already started

Version-Release number of selected component (if applicable):

nsd-4.1.16-1.el7.x86_64

Steps to Reproduce:
1. Clean install nsd from EPEL7
Installed:
  nsd.x86_64 0:4.1.16-1.el7

2. Check status of nsd and nsd-keygen systemd units
# systemctl status nsd
● nsd.service - NSD DNS Server
   Loaded: loaded (/usr/lib/systemd/system/nsd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl status nsd-keygen
● nsd-keygen.service - NSD Control Key And Certificate Generator
   Loaded: loaded (/usr/lib/systemd/system/nsd-keygen.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Fri 2017-07-07 10:58:07 MSK; 2min 44s ago

3. Start/stop nsd service, and check for generated keys

# systemctl start nsd
# systemctl stop nsd
# systemctl status nsd-keygen
● nsd-keygen.service - NSD Control Key And Certificate Generator
   Loaded: loaded (/usr/lib/systemd/system/nsd-keygen.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2017-07-07 11:00:57 MSK; 14s ago
  Process: 12737 ExecStart=/sbin/restorecon /etc/nsd/* (code=exited, status=0/SUCCESS)
  Process: 12725 ExecStart=/usr/sbin/nsd-control-setup -d /etc/nsd/ (code=exited, status=0/SUCCESS)
 Main PID: 12737 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nsd-keygen.service

nsd-control-setup[12725]: unable to write 'random state'
nsd-control-setup[12725]: e is 65537 (0x10001)
nsd-control-setup[12725]: create nsd_server.pem (self signed certificate)
nsd-control-setup[12725]: create nsd_control.pem (signed client certificate)
nsd-control-setup[12725]: Signature ok
nsd-control-setup[12725]: subject=/CN=nsd-control
nsd-control-setup[12725]: Getting CA Private Key
nsd-control-setup[12725]: unable to write 'random state'
nsd-control-setup[12725]: Setup success. Certificates created. Enable in nsd.conf file to use
systemd[1]: Started NSD Control Key And Certificate Generator.

4. Remove keys 
# rm -f /etc/nsd/nsd_*

5. Start nsd service again

# systemctl start nsd
# systemctl status nsd
● nsd.service - NSD DNS Server
   Loaded: loaded (/usr/lib/systemd/system/nsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-07-07 11:07:56 MSK; 2s ago
  Process: 13185 ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf $NSD_EXTRA_OPTS (code=exited, status=1/FAILURE)
 Main PID: 13185 (code=exited, status=1/FAILURE)

systemd[1]: Starting NSD DNS Server...
nsd[13185]: [2017-07-07 11:07:56.874] nsd[13185]: notice: nsd starting (NSD 4.1.16)
nsd[13185]: [2017-07-07 11:07:56.876] nsd[13185]: error: Error for server-cert-file: /etc/nsd/nsd_server.pem
nsd[13185]: [2017-07-07 11:07:56.876] nsd[13185]: error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:...r directory
nsd[13185]: [2017-07-07 11:07:56.876] nsd[13185]: error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
nsd[13185]: [2017-07-07 11:07:56.876] nsd[13185]: error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate...:system lib
nsd[13185]: [2017-07-07 11:07:56.876] nsd[13185]: error: could not perform remote control setup
systemd[1]: nsd.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Unit nsd.service entered failed state.
systemd[1]: nsd.service failed.

Actual results:

nsd service failed

Expected results:

nsd-keygen regenerates keys, and nsd started correctly

Additional info:

I think that the nsd-keygen.service unit should be part of the nsd.service unit, so that it is stopped and restarted along with nsd.service.

I tested that behavior with PartOf=nsd.service and it's working as expected:

# systemctl cat nsd-keygen

# /usr/lib/systemd/system/nsd-keygen.service
[Unit]
Description=NSD Control Key And Certificate Generator
After=syslog.target
Before=nsd.service
ConditionPathExists=!/etc/nsd/nsd_control.key

[Service]
Type=oneshot
Group=nsd
ExecStart=/usr/sbin/nsd-control-setup -d /etc/nsd/
ExecStart=/sbin/restorecon /etc/nsd/*
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/nsd-keygen.service.d/part.conf
[Unit]
PartOf=nsd.service

Comment 1 Tuomo Soini 2017-07-07 05:03:09 EDT
Yes, that is the correct fix; it changes nsd-keygen.service to follow nsd.service on stop and restart.
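
A lint for the unit pattern discussed in this report, as an added example that is not part of the bug report or the nsd package: it flags a `Type=oneshot` helper with `RemainAfterExit=yes` and a negated `ConditionPathExists=` that is ordered `Before=` a service but carries no matching `PartOf=`. The function names are illustrative assumptions; the unit text is copied from the report above.

```python
# Added example: function names are illustrative, not from nsd or systemd.
from collections import defaultdict

# Unit file and drop-in as quoted in the report ([Install] section omitted).
MAIN = """\
[Unit]
Description=NSD Control Key And Certificate Generator
After=syslog.target
Before=nsd.service
ConditionPathExists=!/etc/nsd/nsd_control.key

[Service]
Type=oneshot
Group=nsd
ExecStart=/usr/sbin/nsd-control-setup -d /etc/nsd/
ExecStart=/sbin/restorecon /etc/nsd/*
RemainAfterExit=yes
"""
DROPIN = "[Unit]\nPartOf=nsd.service\n"

def parse_unit(*fragments):
    """Merge fragments (main file first, then drop-ins) into
    {section: {key: [values]}}; an empty assignment resets the key."""
    unit = defaultdict(lambda: defaultdict(list))
    for text in fragments:
        section = None
        for line in map(str.strip, text.splitlines()):
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif "=" in line and section:
                key, value = (p.strip() for p in line.split("=", 1))
                if value:
                    unit[section][key].append(value)
                else:
                    unit[section][key].clear()
    return unit

def units_missing_partof(unit):
    """Units that a path-gated, stay-active oneshot is ordered Before= but
    does not follow on stop/restart, because PartOf= does not name them."""
    meta, svc = unit["Unit"], unit["Service"]
    names = lambda key: {n for v in meta[key] for n in v.split()}
    oneshot = svc["Type"][-1:] == ["oneshot"]
    stays = "".join(svc["RemainAfterExit"][-1:]).lower() in ("1", "yes", "true", "on")
    gated = any(v.startswith("!") for v in meta["ConditionPathExists"])
    return sorted(names("Before") - names("PartOf")) if oneshot and stays and gated else []
```

Run against the packaged unit alone it reports `nsd.service`; with the `part.conf` drop-in merged in it reports nothing.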
