diff --git a/docs/source/advanced/domain_name_resolution/domain_name_resolution.rst b/docs/source/advanced/domain_name_resolution/domain_name_resolution.rst
index 063be13f2f..e8b1d7fa78 100644
--- a/docs/source/advanced/domain_name_resolution/domain_name_resolution.rst
+++ b/docs/source/advanced/domain_name_resolution/domain_name_resolution.rst
@@ -90,6 +90,16 @@ For example: ::
 Edit **/etc/resolv.conf** to contain the cluster domain value you set in the site table's **domain** attribute above, and to point to the same DNS server you will be using for your nodes (if you are using DNS).
+By default xCAT uses HMAC-MD5 as the DNS signing algorithm. It's possible that a different algorithm is required or desired for your installation. You can set the omapi-algorithm value in the site table to choose a different algorithm. ::
+
+ chdef -t site omapi-algorithm=HMAC-SHA256
+
+If you choose to update the algorithm, you will also need to supply a new secret for the omapi entry in the passwd table. This can be done using the dnssec-keygen command. For example something like ::
+
+ dnssec-keygen -a HMAC-SHA256 -b 128 -n host xcat_key
+
+This should generate files with the needed key. This key will need to be entered into the passwd table and the DNS and DHCP files will need to be recreated (makedns, makedhcp) to use the new method.
+
 Option #1: Running DNS on Your Management Node
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -163,6 +173,14 @@ The **domain** and **nameservers** values must be set correctly in **/etc/resolv
 Alternatively, you can set site.externaldns=1 and run ``makedns``
+It's possible that the external DNS provider will not allow you to choose the key name and they may provide both the key name and the secret to you. I this case you will need to update the passwd table with the proper key and username. You will also need to set the site table value for omapi-username to match the username used in the passwd table ::
+
+ chdef -t site omapi-username=mydnsuser
+ tabdump -w key==omapi passwd
+ #key,username,password,cryptmethod,authdomain,comments,disable
+ "omapi","mydnsuser","",,,,
+
+
 Option #3: Run DNS on Management Node and Service Nodes
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/xCAT-server/lib/xcat/plugins/ddns.pm b/xCAT-server/lib/xcat/plugins/ddns.pm
index ab0414d88c..eaa19ccc77 100644
--- a/xCAT-server/lib/xcat/plugins/ddns.pm
+++ b/xCAT-server/lib/xcat/plugins/ddns.pm
@@ -579,8 +579,13 @@ sub process_request {
 }
 }
 }
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
 my $passtab = xCAT::Table->new('passwd');
- my $pent = $passtab->getAttribs({ key => 'omapi', username => 'xcat_key' }, ['password']);
+ my $pent = $passtab->getAttribs({ key => 'omapi', username => $omapiuser }, ['password']);
 if ($pent and $pent->{password}) { $ctx->{privkey} = $pent->{password}; } #do not warn/error here yet, if we can't generate or extract, we'll know later
@@ -1119,6 +1124,11 @@ sub update_namedconf {
 my $gotkey = 0;
 my %didzones;
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
 if (-r $namedlocation) {
 my @currnamed = ();
 open($nameconf, "<", $namedlocation);
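Review bot: The omapi-username lookup added before `my $passtab` here, and again at @@ -1119, is pasted verbatim into @@ -1352, -1461 and -1549 of this file and into dhcp.pm (@@ -2366, -2693, -2953, -2994), and inside update_namedconf and add_or_delete_records the second copy appears to re-declare `my $omapiuser` in the same scope as the first, which `use warnings` reports as masking the earlier declaration. The value is later interpolated unquoted into named.conf and dhcpd.conf `key` statements and into match patterns, so a single helper that applies the defaults and rejects anything outside a key-name charset would both remove the duplication and keep a stray `;`, `{` or space in the site table from producing an unloadable config; the same goes for omapi-algorithm, which is otherwise only validated by named and dhcpd at load time. Something like the helper below, with each copy replaced by `my ($omapiuser, $omapialgorithm) = get_omapi_settings();` and `die` swapped for whichever error path the callers already use (the enclosing subs start and end outside these hunks); if dhcp.pm is to share it, it belongs in a common module such as xCAT::TableUtils rather than in this plugin.
```perl
# Read the OMAPI/TSIG key name and algorithm from the site table, falling back to
# the historical defaults.  Both values are interpolated unquoted into named.conf,
# dhcpd.conf and match patterns, so anything outside a plain key-name charset, or
# outside the HMAC algorithms add_or_delete_records maps to KEY RR types, is rejected.
sub get_omapi_settings {
    my ($user) = xCAT::TableUtils->get_site_attribute("omapi-username");
    my ($algo) = xCAT::TableUtils->get_site_attribute("omapi-algorithm");
    $user = "xcat_key" unless $user;
    $algo = "HMAC-MD5" unless $algo;
    die "site.omapi-username '$user' contains characters not allowed in a key name\n"
        unless $user =~ /\A[A-Za-z0-9_.-]+\z/;
    die "site.omapi-algorithm '$algo' is not a supported HMAC algorithm\n"
        unless $algo =~ /\Ahmac-(?:md5|sha1|sha224|sha256|sha384|sha512)\z/i;
    return ($user, $algo);
}
```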
@@ -1194,7 +1204,7 @@ sub update_namedconf {
 $i++;
 $line = $currnamed[$i];
 push @candidate, $line;
- if ($line =~ /key xcat_key/) {
+ if ($line =~ /key $omapiuser/) {
 $needreplace = 0;
 }
 } while ($line !~ /^\};/); #skip the old file zone
@@ -1203,7 +1213,7 @@ sub update_namedconf {
 next;
 }
 $ctx->{restartneeded} = 1;
- push @newnamed, "zone \"$currzone\" in {\n", "\ttype master;\n", "\tallow-update {\n", "\t\tkey xcat_key;\n";
+ push @newnamed, "zone \"$currzone\" in {\n", "\ttype master;\n", "\tallow-update {\n", "\t\tkey $omapiuser;\n";
 my @list;
 if (not $ctx->{adzones}->{$currzone}) {
 if ($ctx->{dnsupdaters}) {
@@ -1239,12 +1249,12 @@ sub update_namedconf {
 } while ($line !~ /^\};/);
 }
- } elsif ($line =~ /^key xcat_key/) {
+ } elsif ($line =~ /^key $omapiuser/) {
 $gotkey = 1;
 if ($ctx->{privkey}) { #for now, assume the field is correct
- #push @newnamed,"key xcat_key {\n","\talgorithm hmac-md5;\n","\tsecret \"".$ctx->{privkey}."\";\n","};\n\n";
+ #push @newnamed,"key $omapiuser {\n","\talgorithm hmac-md5;\n","\tsecret \"".$ctx->{privkey}."\";\n","};\n\n";
 push @newnamed, $line;
 do { $i++;
@@ -1256,7 +1266,7 @@ sub update_namedconf {
 while ($line !~ /^\};/) { #skip the old file zone
 if ($line =~ /secret \"([^"]*)\"/) {
 my $passtab = xCAT::Table->new("passwd", -create => 1);
- $passtab->setAttribs({ key => "omapi", username => "xcat_key" }, { password => $1 });
+ $passtab->setAttribs({ key => "omapi", username => "$omapiuser" }, { password => $1 });
 }
 $i++;
 $line = $currnamed[$i];
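Review bot: `$omapiuser` is interpolated into the patterns `/key $omapiuser/` and `/^key $omapiuser/` without quoting, so a key name containing regex metacharacters (a `.` is the likely one, since an externally supplied TSIG key name is often written as an FQDN) matches more than intended and an unbalanced `(` dies at match time; both patterns are also prefix matches, so `xcat_key` still matches an existing `key xcat_key_old;` line. Quote them and terminate them with the text this same function generates: `if ($line =~ /key \Q$omapiuser\E;/) {` for the allow-update line (written as `"\t\tkey $omapiuser;\n"` in the @@ -1213 hunk) and `} elsif ($line =~ /^key \Q$omapiuser\E\s*\{/) {` for the key block. In the @@ -1266 hunk `username => "$omapiuser"` can simply be `username => $omapiuser`; the quotes stringify a value that is already a string and differ from the unquoted form used in the other getAttribs/setAttribs calls of this commit. update_namedconf starts and ends outside these hunks.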
@@ -1282,13 +1292,6 @@ sub update_namedconf {
 push @newnamed, "\t\t$_;\n";
 }
 push @newnamed, "\t};\n";
- my $bind_version_cmd="/usr/sbin/named -v | cut -d' ' -f2 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+'";
- my @bind_version =xCAT::Utils->runcmd($bind_version_cmd, 0);
- # Turn off DNSSEC if running with bind vers 9.16.6 or higher
- if ((scalar @bind_version > 0) && (xCAT::Utils::CheckVersion($bind_version[0], "9.16.6") >= 0)) {
- push @newnamed, "\tdnssec-enable no;\n";
- push @newnamed, "\tdnssec-validation no;\n";
- }
 }
 if ($ctx->{forwardmode}){
@@ -1352,13 +1355,26 @@ sub update_namedconf {
 }
 }
+ # Get HMAC algorithum from site table, if set
+ my $omapialgorithm = "HMAC-MD5";
+ my @omapia=xCAT::TableUtils->get_site_attribute("omapi-algorithm");
+ if ($omapia[0]){
+ $omapialgorithm=$omapia[0];
+ }
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
+
+
 unless ($slave) {
 unless ($gotkey) {
 unless ($ctx->{privkey}) { #need to generate one
 $ctx->{privkey} = encode_base64(genpassword(32));
 chomp($ctx->{privkey});
 }
- push @newnamed, "key xcat_key {\n", "\talgorithm hmac-md5;\n", "\tsecret \"" . $ctx->{privkey} . "\";\n", "};\n\n";
+ push @newnamed, "key $omapiuser {\n", "\talgorithm $omapialgorithm;\n", "\tsecret \"" . $ctx->{privkey} . "\";\n", "};\n\n";
 $ctx->{restartneeded} = 1;
 }
 }
@@ -1374,7 +1390,7 @@ sub update_namedconf {
 push @newnamed, "\ttype slave;\n";
 push @newnamed, "\tmasters { $output[0]; };\n";
 } else {
- push @newnamed, "\ttype master;\n", "\tallow-update {\n", "\t\tkey xcat_key;\n", "\t};\n";
+ push @newnamed, "\ttype master;\n", "\tallow-update {\n", "\t\tkey $omapiuser;\n", "\t};\n";
 foreach (@{ $ctx->{dnsupdaters} }) {
 push @newnamed, "\t\t$_;\n";
 }
@@ -1401,7 +1417,7 @@ sub update_namedconf {
 push @newnamed, "\ttype slave;\n";
 push @newnamed, "\tmasters { $output[0]; };\n";
 } else {
- push @newnamed, "\ttype master;\n", "\tallow-update {\n", "\t\tkey xcat_key;\n";
+ push @newnamed, "\ttype master;\n", "\tallow-update {\n", "\t\tkey $omapiuser;\n";
 foreach (@{ $ctx->{adservers} }) {
 push @newnamed, "\t\t$_;\n";
 }
@@ -1461,10 +1477,15 @@ sub add_or_delete_records {
 my $ctx = shift;
 xCAT::SvrUtils::sendmsg("Updating DNS records, this may take several minutes for a large cluster.", $callback);
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
 unless ($ctx->{privkey}) {
 my $passtab = xCAT::Table->new('passwd');
- my $pent = $passtab->getAttribs({ key => 'omapi', username => 'xcat_key' }, ['password']);
+ my $pent = $passtab->getAttribs({ key => 'omapi', username => $omapiuser }, ['password']);
 if ($pent and $pent->{password}) { $ctx->{privkey} = $pent->{password}; } else {
@@ -1549,6 +1570,31 @@ sub add_or_delete_records {
 return 1;
 }
+ # Get HMAC algorithum from site table, if set
+ my $omapialgorithm = "HMAC-MD5";
+ my @omapia=xCAT::TableUtils->get_site_attribute("omapi-algorithm");
+ if ($omapia[0]){
+ $omapialgorithm=$omapia[0];
+ }
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
+ my $RR_key_type=157; # Default to MD5
+ if ($omapialgorithm =~ /HMAC-SHA1/i) {
+ $RR_key_type=161;
+ } elsif ($omapialgorithm =~ /HMAC-SHA224/i) {
+ $RR_key_type=162;
+ } elsif ($omapialgorithm =~ /HMAC-SHA256/i) {
+ $RR_key_type=163;
+ } elsif ($omapialgorithm =~ /HMAC-SHA384/i) {
+ $RR_key_type=164;
+ } elsif ($omapialgorithm =~ /HMAC-SHA512/i) {
+ $RR_key_type=165;
+ }
+ my $keyrr = new Net::DNS::RR("$omapiuser. IN KEY 512 3 ".$RR_key_type.' '.$ctx->{privkey});
+
 my $resolver = Net::DNS::Resolver->new(nameservers => [$ip]);
 my $entry;
 my $numreqs = 300; # limit to 300 updates in a payload, something broke at 644 on a certain sample, choosing 300 for now
@@ -1562,9 +1608,9 @@ sub add_or_delete_records {
 $numreqs -= 1;
 if ($numreqs == 0) {
- # sometimes even the xcat_key is correct, but named still replies NOTAUTH, so retry
+ # sometimes even the key is correct, but named still replies NOTAUTH, so retry
 for (1 .. 3) {
- $update->sign_tsig("xcat_key", $ctx->{privkey});
+ $update->sign_tsig($keyrr);
 $numreqs = 300;
 my $reply = $resolver->send($update);
 if ($reply) {
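Review bot: The if/elsif chain that sets `$RR_key_type` silently falls back to 157 (HMAC-MD5) for any omapi-algorithm value it does not recognise, while update_namedconf writes the same value verbatim into the named.conf `algorithm` statement, so a typo such as `HMAC-SHA265` produces a TSIG signed with a different algorithm than named expects and every update is rejected (the NOTAUTH retry loop below then runs three times per batch) instead of failing once at the source. A lookup table keyed on the lower-cased name, with an explicit failure for unknown names, removes both the fall-through and the ordering dependency of the unanchored `/HMAC-SHA1/i` tests, and `new Net::DNS::RR(...)` should be the direct `Net::DNS::RR->new(...)` call rather than indirect-object syntax. The `"$omapiuser. IN KEY ..."` concatenation also yields `name..` when the site value already ends in a dot, which a key name supplied by an external provider may well do; stripping one trailing dot first keeps the RR owner name valid. add_or_delete_records starts and ends outside this hunk, and the error reporting below follows the sendmsg/`return 1` form visible in the hunk's context rather than a new convention.
```perl
# … unchanged: omapi-algorithm / omapi-username lookup …
# KEY RR algorithm numbers for the HMAC TSIG algorithms; keyed lower-case so the
# site value may be written in either case.  Unknown names are an error here, not
# a silent MD5 fallback, because named.conf carries the same name verbatim.
my %rr_type_of = (
    'hmac-md5'    => 157,
    'hmac-sha1'   => 161,
    'hmac-sha224' => 162,
    'hmac-sha256' => 163,
    'hmac-sha384' => 164,
    'hmac-sha512' => 165,
);
my $RR_key_type = $rr_type_of{ lc $omapialgorithm };
unless (defined $RR_key_type) {
    xCAT::SvrUtils::sendmsg("Unsupported site.omapi-algorithm value '$omapialgorithm'; expected one of " . join(', ', sort keys %rr_type_of), $callback);
    return 1;
}
(my $keyname = $omapiuser) =~ s/\.\z//;    # tolerate a site value that already ends in a dot
my $keyrr = Net::DNS::RR->new("$keyname. IN KEY 512 3 $RR_key_type $ctx->{privkey}");
# … unchanged: resolver setup and update batching …
```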
@@ -1584,9 +1630,9 @@ sub add_or_delete_records {
 }
 }
 if ($numreqs != 300) { #either no entries at all to begin with or a perfect multiple of 300
- # sometimes even the xcat_key is correct, but named still replies NOTAUTH, so retry
+ # sometimes even the key is correct, but named still replies NOTAUTH, so retry
 for (1 .. 3) {
- $update->sign_tsig("xcat_key", $ctx->{privkey});
+ $update->sign_tsig($keyrr);
 my $reply = $resolver->send($update);
 if ($reply) {
 if ($reply->header->rcode eq 'NOTAUTH') {
diff --git a/xCAT-server/lib/xcat/plugins/dhcp.pm b/xCAT-server/lib/xcat/plugins/dhcp.pm
index b20080960b..cd9e8d0235 100644
--- a/xCAT-server/lib/xcat/plugins/dhcp.pm
+++ b/xCAT-server/lib/xcat/plugins/dhcp.pm
@@ -186,10 +186,24 @@ sub listnode
 }
 }
+ # Get path for omshell from site table, if set
+ my $omshellbin="/usr/bin/omshell";
+ my @oms=xCAT::TableUtils->get_site_attribute("omshell");
+ if ($oms[0]){
+ $omshellbin=$oms[0];
+ }
+ # Get HMAC algorithum from site table, if set
+ my $omapialgorithm = "HMAC-MD5";
+ my @omapia=xCAT::TableUtils->get_site_attribute("omapi-algorithm");
+ if ($omapia[0]){
+ $omapialgorithm=$omapia[0];
+ }
+
 # open ipv4 omshell file handles - $OMOUT will contain the response
- open2($OMOUT, $OMIN, "/usr/bin/omshell ");
+ open2($OMOUT, $OMIN, "$omshellbin ");
 # setup omapi for the connection and check for the node requested
+ print $OMIN "key-algorithm $omapialgorithm\n";
 print $OMIN "key " . $omapiuser . " \"" . $omapikey . "\"\n";
@@ -252,9 +266,10 @@ sub listnode
 # if using IPv6 addresses check using omshell IPv6 port
 if ($usingipv6) {
- open2($OMOUT6, $OMIN6, "/usr/bin/omshell ");
+ open2($OMOUT6, $OMIN6, "$omshellbin ");
 print $OMOUT6 "port 7912\n";
 print $OMOUT6 "connect\n";
+ print $OMOUT6 "key-algorithm $omapialgorithm\n";
 print $OMIN6 "key " . $omapiuser . " \"" . $omapikey . "\"\n";
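Review bot: In the IPv6 branch of listnode the new `print $OMOUT6 "key-algorithm $omapialgorithm\n";` writes to the read end of the open2 pair: `open2($OMOUT6, $OMIN6, ...)` makes `$OMOUT6` the child's stdout, so the line never reaches omshell (the existing `port` and `connect` prints on the two lines above have the same problem), while the `key` line immediately after it correctly goes to `$OMIN6` and the IPv4 branch earlier in this section sends `key-algorithm` to `$OMIN`. It should read `print $OMIN6 "key-algorithm $omapialgorithm\n";`; as written, a non-MD5 algorithm from the site table is only applied on the IPv4 connection and the IPv6 lookup will fail to authenticate. Separately, `open2($OMOUT, $OMIN, "$omshellbin ")` keeps the trailing space that makes open2 hand the string to a shell, so the site.omshell value is shell-parsed; the list form `open2($OMOUT, $OMIN, $omshellbin)` avoids that, and an `-x $omshellbin` check beforehand would turn a wrong path into a clear error instead of an empty reply (the pipe opens at @@ -2044 and @@ -2068 have the same exposure). listnode starts and ends outside these hunks.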
@@ -2029,9 +2044,22 @@ sub process_request
 return;
 } # TODO sane err
+ # Get path for omshell from site table, if set
+ my $omshellbin="/usr/bin/omshell";
+ my @oms=xCAT::TableUtils->get_site_attribute("omshell");
+ if ($oms[0]){
+ $omshellbin=$oms[0];
+ }
+ # Get HMAC algorithum from site table, if set
+ my $omapialgorithm = "HMAC-MD5";
+ my @omapia=xCAT::TableUtils->get_site_attribute("omapi-algorithm");
+ if ($omapia[0]){
+ $omapialgorithm=$omapia[0];
+ }
+
 #Have nodes to update
 #open2($omshellout,$omshell,"/usr/bin/omshell");
- open($omshell, "|/usr/bin/omshell > /dev/null");
+ open($omshell, "|$omshellbin > /dev/null");
+ print $omshell "key-algorithm $omapialgorithm\n";
 print $omshell "key " . $ent->{username} . " \"" . $ent->{password} . "\"\n";
@@ -2040,11 +2068,12 @@ sub process_request
 }
 print $omshell "connect\n";
 if ($usingipv6) {
- open($omshell6, "|/usr/bin/omshell > /dev/null");
+ open($omshell6, "|$omshellbin > /dev/null");
 if ($::XCATSITEVALS{externaldhcpservers}) {
 print $omshell "server $::XCATSITEVALS{externaldhcpservers}\n";
 }
 print $omshell6 "port 7912\n";
+ print $omshell6 "key-algorithm $omapialgorithm\n";
 print $omshell6 "key " . $ent->{username} . " \"" . $ent->{password} . "\"\n";
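Review bot: `open($omshell, "|$omshellbin > /dev/null")` remains an unchecked two-arg pipe open, and now that the program path comes from site.omshell a mistyped value leaves `$omshell` unopened, after which every `print $omshell` below only warns and drops its output while the nodes are silently not updated (the `$omshell6` open at @@ -2068 behaves the same). A guard before the open, e.g. `unless (-x $omshellbin) { ... report the bad site.omshell value and return ... }`, together with `or` handling on the open itself, surfaces the misconfiguration at the point it occurs; the `|` form also hands the site value to a shell, which the `-x` check at least constrains to an existing executable. The new `key-algorithm` lines are correctly placed ahead of the `key` lines they qualify. process_request starts and ends outside these hunks.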
@@ -2366,17 +2395,23 @@ sub addnet6
 $ddnsdomain = $netcfgs{$net}->{ddnsdomain};
 }
 if ($::XCATSITEVALS{dnshandler} =~ /ddns/) {
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
+
 if ($ddnsdomain) {
 push @netent, " ddns-domainname \"" . $ddnsdomain . "\";\n";
 push @netent, " zone $ddnsdomain. {\n";
 } else {
 push @netent, " zone $netdomain. {\n";
 }
- push @netent, " primary $ddnserver; key xcat_key; \n";
+ push @netent, " primary $ddnserver; key $omapiuser; \n";
 push @netent, " }\n";
 foreach (getzonesfornet($net)) {
 push @netent, " zone $_ {\n";
- push @netent, " primary $ddnserver; key xcat_key; \n";
+ push @netent, " primary $ddnserver; key $omapiuser; \n";
 push @netent, " }\n";
 }
 }
@@ -2693,6 +2728,11 @@ sub addnet
 $ddnsdomain = $netcfgs{$net}->{ddnsdomain};
 }
 if ($::XCATSITEVALS{dnshandler} =~ /ddns/) {
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
 if ($ddnsdomain) {
 push @netent, " ddns-domainname \"" . $ddnsdomain . "\";\n";
 push @netent, " zone $ddnsdomain. {\n";
@@ -2701,14 +2741,14 @@ sub addnet
 }
 if ($ddnserver) {
- push @netent, " primary $ddnserver; key xcat_key; \n";
+ push @netent, " primary $ddnserver; key $omapiuser; \n";
 }
 push @netent, " }\n";
 foreach (getzonesfornet($net, $mask)) {
 push @netent, " zone $_ {\n";
 if ($ddnserver) {
- push @netent, " primary $ddnserver; key xcat_key; \n";
+ push @netent, " primary $ddnserver; key $omapiuser; \n";
 }
 push @netent, " }\n";
 }
@@ -2953,6 +2993,19 @@ sub writeout
 sub newconfig6 {
 if ($::XCATSITEVALS{externaldhcpservers}) { return; }
+ # Get HMAC algorithum from site table, if set
+ my $omapialgorithm = "HMAC-MD5";
+ my @omapia=xCAT::TableUtils->get_site_attribute("omapi-algorithm");
+ if ($omapia[0]){
+ $omapialgorithm=$omapia[0];
+ }
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
+
+
 #phase 1, basic working
 #phase 2, ddns too, evaluate other stuff from dhcpv4 as applicable
 push @dhcp6conf, "#xCAT generated dhcp configuration\n";
@@ -2962,11 +3015,11 @@ sub newconfig6 {
 # push @dhcp6conf, "update-static-leases on;\n";
 push @dhcp6conf, "omapi-port 7912;\n"; #Enable omapi...
- push @dhcp6conf, "key xcat_key {\n";
- push @dhcp6conf, " algorithm hmac-md5;\n";
+ push @dhcp6conf, "key $omapiuser {\n";
+ push @dhcp6conf, " algorithm $omapialgorithm;\n";
 my $passtab = xCAT::Table->new('passwd', -create => 1);
 (my $passent) =
- $passtab->getAttribs({ key => 'omapi', username => 'xcat_key' }, 'password');
+ $passtab->getAttribs({ key => 'omapi', username => $omapiuser }, 'password');
 my $secret = encode_base64(genpassword(32)); #Random from set of 62^32
 chomp $secret;
 if ($passent->{password}) { $secret = $passent->{password}; }
@@ -2979,12 +3032,12 @@ sub newconfig6 {
 } );
 $passtab->setAttribs({ key => 'omapi' },
- { username => 'xcat_key', password => $secret });
+ { username => $omapiuser, password => $secret });
 }
 push @dhcp6conf, " secret \"" . $secret . "\";\n";
 push @dhcp6conf, "};\n";
- push @dhcp6conf, "omapi-key xcat_key;\n";
+ push @dhcp6conf, "omapi-key $omapiuser;\n";
 #that is all for pristine ipv6 config
 }
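Review bot: `$passtab->setAttribs({ key => 'omapi' }, { username => $omapiuser, password => $secret })` in the @@ -3032 hunk selects the row by `key` alone, so when site.omapi-username is changed without a passwd row for the new name having been seeded first, the `getAttribs` keyed on `username => $omapiuser` finds nothing, a fresh secret is generated, and whatever omapi row exists (typically the old `xcat_key` one) has both its username and its secret overwritten in one step, silently rotating a secret that named.conf or an external DNS server may still hold; ddns.pm's update_namedconf keys the same write on `key` and `username`. Using `$passtab->setAttribs({ key => 'omapi', username => $omapiuser }, { password => $secret });` keeps the two plugins consistent and leaves the previous row untouched, and the same change applies to @@ -3106 in newconfig. The site-table lookups added at the top of the sub duplicate those at @@ -2994 and could share one helper. newconfig6 starts outside this section; its closing brace is the last context line.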
@@ -2994,6 +3047,18 @@ sub newconfig
 if ($::XCATSITEVALS{externaldhcpservers}) { return; }
 return newconfig_aix() if ($^O eq 'aix');
+ # Get HMAC algorithum from site table, if set
+ my $omapialgorithm = "HMAC-MD5";
+ my @omapia=xCAT::TableUtils->get_site_attribute("omapi-algorithm");
+ if ($omapia[0]){
+ $omapialgorithm=$omapia[0];
+ }
+ my $omapiuser = "xcat_key";
+ my @omapiu = xCAT::TableUtils->get_site_attribute("omapi-username");
+ if ($omapiu[0]){
+ $omapiuser = $omapiu[0];
+ }
+
 # This function puts a standard header in and enough to make omapi work.
 my $passtab = xCAT::Table->new('passwd', -create => 1);
 push @dhcpconf, "#xCAT generated dhcp configuration\n";
@@ -3025,10 +3090,10 @@ sub newconfig
 push @dhcpconf, "option cumulus-provision-url code 239 = text;\n";
 push @dhcpconf, "\n";
 push @dhcpconf, "omapi-port 7911;\n"; #Enable omapi...
- push @dhcpconf, "key xcat_key {\n";
- push @dhcpconf, " algorithm hmac-md5;\n";
+ push @dhcpconf, "key $omapiuser {\n";
+ push @dhcpconf, " algorithm $omapialgorithm;\n";
 (my $passent) =
- $passtab->getAttribs({ key => 'omapi', username => 'xcat_key' }, 'password');
+ $passtab->getAttribs({ key => 'omapi', username => $omapiuser }, 'password');
 my $secret = encode_base64(genpassword(32)); #Random from set of 62^32
 chomp $secret;
 if ($passent->{password}) { $secret = $passent->{password}; }
@@ -3041,12 +3106,12 @@ sub newconfig
 } );
 $passtab->setAttribs({ key => 'omapi' },
- { username => 'xcat_key', password => $secret });
+ { username => $omapiuser, password => $secret });
 }
 push @dhcpconf, " secret \"" . $secret . "\";\n";
 push @dhcpconf, "};\n";
- push @dhcpconf, "omapi-key xcat_key;\n";
+ push @dhcpconf, "omapi-key $omapiuser;\n";
 push @dhcpconf, ('class "pxe" {' . "\n", " match if substring (option vendor-class-identifier, 0, 9) = \"PXEClient\";\n", " ddns-updates off;\n", " max-lease-time 600;\n", "}\n");
 }