Bug 978952 - oo-register-dns still uses key to update dns record when BIND_KRB_* is used in openshift-origin-dns-nsupdate.conf
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Assigned To: John W. Lamb
libra bugs
Luke Meyer
Reported: 2013-06-27 07:16 EDT by Johnny Liu
Modified: 2017-03-08 12 EST
Fixed In Version: openshift-origin-broker-util-1.9.11-1
Doc Type: Bug Fix
Doc Text:
Although the nsupdate DNS plug-in can use Kerberos credentials to update a DNS server, the oo-register-dns script was not updated with this capability. This caused the oo-register-dns script to fail when updating the DNS server. This has been fixed and users now have the option to use Kerberos credentials to update a DNS server.
Last Closed: 2013-09-25 11:29:35 EDT
Type: Bug
jolamb: needinfo+


Description Johnny Liu 2013-06-27 07:16:50 EDT
Description of problem:
# cat /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf
BIND_SERVER="192.168.59.168"
BIND_PORT=53
BIND_ZONE="osetestv2.com"
BIND_KRB_PRINCIPAL="DNS/ns1.osetestv2.com"
BIND_KRB_KEYTAB="/var/named/dns.keytab"

# cat /usr/sbin/oo-register-dns
<--snip-->
command =<<-EOF
server #{server}
update delete #{node_hostname}.#{node_domain} A
update add #{node_hostname}.#{node_domain} 180 A #{ip}
send
EOF

system "nsupdate -k #{key} <<EOF\n#{command}\nEOF"

In the above code, when BIND_KRB_* is used in openshift-origin-dns-nsupdate.conf, oo-register-dns still uses the key to update the DNS record.


Version-Release number of selected component (if applicable):
openshift-origin-broker-util-1.9.7-1.2.el6op.noarch

How reproducible:
Always

Comment 2 Luke Meyer 2013-06-27 12:22:41 EDT
We should make oo-register-dns aware of krb config.
Comment 3 John W. Lamb 2013-09-05 14:59:44 EDT
This may already be fixed upstream. Could you try running the origin-server version of oo-register-dns with the "-g | --gss-tsig" option? You can grab it here: https://raw.github.com/openshift/origin-server/master/broker-util/oo-register-dns
Comment 4 Johnny Liu 2013-09-10 08:54:51 EDT
Yes, upstream has already fixed this issue.

#  kinit -kt /var/named/move0905.com.dns.keytab DNS/ns1.move0905.com

# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DNS/ns1.move0905.com@EXAMPLE.COM

Valid starting     Expires            Service principal
09/10/13 05:50:58  09/11/13 05:50:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/10/13 05:50:58
# getenforce 
Enforcing

# ruby oo-register-dns -g -h node3 -n 10.66.9.223 -d move0905.com
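The credential selection this bug asks for, sketched as an added example (not the oo-register-dns source and not code from the upstream commit): when the BIND_KRB_* settings are present the update goes through `kinit -kt` and `nsupdate -g`, otherwise through `nsupdate -k`. The function names and the `key_file` parameter are hypothetical, and the sample values are constructed from the settings quoted in the description.

```ruby
require "ipaddr"
require "open3"

# Parse KEY="value" lines as found in openshift-origin-dns-nsupdate.conf.
def parse_conf(text)
  text.each_line.with_object({}) do |line, conf|
    next unless line =~ /\A\s*([A-Z_]+)\s*=\s*"?([^"\n]*?)"?\s*\z/
    conf[$1] = $2
  end
end

# Build argv lists and the nsupdate script; nothing is executed here.
# key_file is a hypothetical parameter for the pre-existing key-based path.
def plan_update(conf, host:, domain:, ip:, key_file: nil)
  fqdn = "#{host}.#{domain}"
  raise ArgumentError, "bad name" unless fqdn =~ /\A([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\z/i
  addr = IPAddr.new(ip) # raises on malformed input
  raise ArgumentError, "plain IPv4 address expected" unless addr.ipv4? && addr.to_s == ip
  principal, keytab = conf.values_at("BIND_KRB_PRINCIPAL", "BIND_KRB_KEYTAB")
                          .map { |v| v unless v.to_s.empty? }
  commands =
    if principal || keytab
      # A half-configured Kerberos setup must fail, not fall back to the key.
      raise ArgumentError, "set both BIND_KRB_* values" unless principal && keytab
      [["kinit", "-kt", keytab, principal], ["nsupdate", "-g"]]
    elsif key_file
      [["nsupdate", "-k", key_file]]
    else
      raise ArgumentError, "no Kerberos settings and no key file"
    end
  script = ["server #{conf.fetch('BIND_SERVER')} #{conf['BIND_PORT']}".strip,
            "update delete #{fqdn} A",
            "update add #{fqdn} 180 A #{addr}",
            "send", ""].join("\n")
  { mode: keytab ? :gss_tsig : :tsig_key, commands: commands, script: script }
end

# Execute a plan. argv arrays bypass the shell; nsupdate gets the script on stdin.
def run_plan(plan)
  plan[:commands].all? do |argv|
    stdin = argv.first == "nsupdate" ? plan[:script] : ""
    _out, status = Open3.capture2e(*argv, stdin_data: stdin)
    status.success?
  end
end

# Constructed sample mirroring the settings quoted in the bug description.
SAMPLE = parse_conf(%(BIND_SERVER="192.168.59.168"\nBIND_KRB_PRINCIPAL="DNS/ns1.osetestv2.com"\nBIND_KRB_KEYTAB="/var/named/dns.keytab"\n))
puts plan_update(SAMPLE, host: "node3", domain: "osetestv2.com", ip: "10.66.9.223")[:commands].inspect
```

`run_plan` is defined but not called, so running the block only prints the planned commands.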
Comment 6 John W. Lamb 2013-09-10 15:09:30 EDT
commit b0873b13092efa3702ba5aac7dbeb933f9568b52
Author: Jan Pazdziora <jpazdziora@redhat.com>
Date:   Fri May 31 17:24:36 2013 +0200

    Add option to use GSS-TSIG Kerberos credentials to bind.
Comment 8 Johnny Liu 2013-09-11 01:34:23 EDT
Verified this bug with openshift-origin-broker-util-1.9.11-1.el6op.noarch, and PASS.

For detailed steps, refer to comment 4.
Comment 11 errata-xmlrpc 2013-09-25 11:29:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1275.html
