Bug #1413388 “[SRU] upgrade of MAAS removes local config for bin...” : Bugs : MAAS

Bug Description

On an Ubuntu 14.04 host, I recently upgraded MAAS from
1.5.2+bzr2282-0ubuntu0.2 to 1.5.4+bzr2294-0ubuntu1.2. This is a
production environment which uses MAAS to control both DNS and DHCP.

During the upgrade MAAS silently (without prompting) rewrote
/etc/bind/named.conf.options. However, in the process, it dropped
some of our local config and broke DNS resolution for all clients in
this environment. Specifically, it removed and did not re-add a
forwarders entry.

I've attached 3 files: the original named.conf.options, the version
left after the MAAS upgrade and an artifical diff between the two to
show what's actually changed (i.e. ignoring MAAS rearranging things,
messing up whitespace and removing comments).

[Impact]
In 1.7+, MAAS started managing DNS forwarders as part of its DNS management feature. However, if a user in 1.5 would manually modify their configuration file to add forwaders, after an upgrade to 1.7+, DNS would en up broken. This adds the ability for MAAS to upgrade the DNS configuration correctly and migrate the manually configuration to the MAAS managed configuration.

[Test Case]

Without the fix:
1. Install maas 1.5
2. Configure MAAS to manage DNS/DHCP
3. Manually edit /etc/bind/named.conf.options and add forwaders, allow-cache, allow-recursion and allow-cache-query options.
4. Upgrade to MAAS 1.7 with proposed fix.
5. MAAS will migrate the DNS forwarders config into MAAS' DB.
6. MAAS won't write allow-cache, allow-recursion, allow-cache-query.

[Regression Potential]
Minimal. This has been tested extensively in various environments, both on fresh installs and upgrades.

See original description

Tags: Edit Tag help

Related branches

lp:~rbanffy/maas/bug-1413388-edit_named_options

lp:~mpontillo/maas/remove-iscpy-1.7

Merged into lp:maas/1.7 at revision 3373

Andres Rodriguez (community): Needs Information on 2015-07-01

Raphaël Badin (community): Approve on 2015-07-01

lp:~rvb/maas/packaging.utopic-1413388

Merged into lp:~maas-maintainers/maas/packaging.utopic at revision 364

Ricardo Bánffy (community): Approve on 2015-07-02

lp:~rvb/maas/packaging-1.8-1413388

Merged into lp:~maas-maintainers/maas/packaging-1.8 at revision 409

Mike Pontillo (community): Approve on 2015-07-04

Ricardo Bánffy (community): Approve on 2015-07-02

lp:~rvb/maas/packaging-1413388

Merged into lp:~maas-maintainers/maas/packaging at revision 413

Ricardo Bánffy (community): Approve on 2015-07-02

lp:~mpontillo/maas/remove-iscpy-trunk

Merged into lp:maas/trunk at revision 4068

Gavin Panella (community): Approve on 2015-07-03

lp:~mpontillo/maas/remove-iscpy-1.8

Merged into lp:maas/1.8 at revision 4014

Mike Pontillo (community): Approve on 2015-07-04

lp:~mpontillo/maas/migrate-dns-settings-trunk

Merged into lp:maas/trunk at revision 4077

Raphaël Badin (community): Approve on 2015-07-07

lp:~andreserl/maas/fix_lp1413388_1.7

Merged into lp:~maas-maintainers/maas/packaging.utopic at revision 365

Mike Pontillo (community): Approve on 2015-07-07

lp:~andreserl/maas/fix_lp1413388_1.8

Merged into lp:~maas-maintainers/maas/packaging-1.8 at revision 410

Mike Pontillo (community): Approve on 2015-07-07

lp:~andreserl/maas/fix_lp1413388

Merged into lp:~maas-maintainers/maas/packaging at revision 414

Mike Pontillo (community): Approve on 2015-07-07

lp:~mpontillo/maas/migrate-dns-settings-1.8

Merged into lp:maas/1.8 at revision 4018

Mike Pontillo (community): Approve on 2015-07-08

Andres Rodriguez (community): Approve on 2015-07-08

Superseded for merging into lp:maas/trunk

MAAS Maintainers: Pending requested 2015-07-08

lp:~mpontillo/maas/migrate-dns-settings-1.7

Merged into lp:maas/1.7 at revision 3375

Andres Rodriguez (community): Approve on 2015-07-08

Superseded for merging into lp:maas/trunk

MAAS Maintainers: Pending requested 2015-07-08

Diff: 13596 lines (+10612/-113) (has conflicts)

106 files modified

Makefile (+7/-0)
contrib/maas-http.conf (+19/-0)
docs/changelog.rst (+163/-0)
docs/conf.py (+1/-1)
etc/maas/pserv.yaml.OTHER (+25/-0)
etc/maas/templates/commissioning-user-data/user_data_poweroff.template (+31/-0)
required-packages/base (+5/-0)
src/maas/development.py (+12/-1)
src/maas/settings.py (+6/-0)
src/maascli/api.py (+5/-0)
src/maascli/tests/test_api.py (+48/-0)
src/maasserver/api/doc.py (+11/-0)
src/maasserver/api/doc_handler.py (+5/-0)
src/maasserver/api/ip_addresses.py (+138/-0)
src/maasserver/api/nodegroups.py (+17/-0)
src/maasserver/api/nodes.py (+77/-1)
src/maasserver/api/pxeconfig.py (+19/-0)
src/maasserver/api/support.py (+16/-6)
src/maasserver/api/tests/test_doc.py (+79/-0)
src/maasserver/api/tests/test_ipaddresses.py (+274/-71)
src/maasserver/api/tests/test_node.py (+70/-0)
src/maasserver/api/tests/test_nodegroup.py (+75/-0)
src/maasserver/api/tests/test_pxeconfig.py (+17/-0)
src/maasserver/api/tests/test_support.py (+10/-0)
src/maasserver/api/tests/test_version.py (+8/-0)
src/maasserver/api/version.py (+13/-0)
src/maasserver/clusterrpc/tests/test_boot_images.py (+24/-0)
src/maasserver/dns/config.py (+28/-0)
src/maasserver/dns/tests/test_config.py (+11/-0)
src/maasserver/exceptions.py (+9/-0)
src/maasserver/fields.py (+26/-0)
src/maasserver/forms.py (+32/-1)
src/maasserver/forms_settings.py (+17/-0)
src/maasserver/management/commands/edit_named_options.py (+24/-0)
src/maasserver/models/config.py (+5/-0)
src/maasserver/models/macaddress.py (+74/-0)
src/maasserver/models/node.py (+102/-0)
src/maasserver/models/nodegroup.py (+27/-0)
src/maasserver/models/signals/power.py (+10/-0)
src/maasserver/models/tests/test_bootsource.py (+6/-0)
src/maasserver/models/tests/test_macaddress.py (+90/-0)
src/maasserver/models/tests/test_node.py (+159/-18)
src/maasserver/models/tests/test_nodegroup.py (+11/-0)
src/maasserver/rpc/nodes.py (+14/-0)
src/maasserver/rpc/tests/test_nodes.py (+32/-0)
src/maasserver/start_up.py (+93/-0)
src/maasserver/static/js/node_check.js.OTHER (+186/-0)
src/maasserver/static/js/node_views.js.OTHER (+680/-0)
src/maasserver/static/js/tests/test_node_check.html.OTHER (+36/-0)
src/maasserver/static/js/tests/test_node_check.js.OTHER (+128/-0)
src/maasserver/static/js/tests/test_node_views.html.OTHER (+55/-0)
src/maasserver/static/js/tests/test_node_views.js.OTHER (+1035/-0)
src/maasserver/static/js/utils.js.OTHER (+350/-0)
src/maasserver/templates/maasserver/base.html (+85/-0)
src/maasserver/templates/maasserver/node_actions.html (+29/-0)
src/maasserver/templates/maasserver/node_event_list_snippet.html.OTHER (+32/-0)
src/maasserver/templates/maasserver/node_view.html.OTHER (+292/-0)
src/maasserver/templates/maasserver/node_view_mac_display.html (+10/-0)
src/maasserver/templates/maasserver/nodes_listing.html.OTHER (+111/-0)
src/maasserver/templates/maasserver/snippets.html.OTHER (+67/-0)
src/maasserver/testing/factory.py (+30/-0)
src/maasserver/tests/test_dhcp.py (+11/-0)
src/maasserver/tests/test_fields.py (+38/-0)
src/maasserver/tests/test_forms_network.py (+76/-0)
src/maasserver/tests/test_forms_node.py (+9/-0)
src/maasserver/tests/test_js.py (+11/-0)
src/maasserver/tests/test_start_up.py (+64/-0)
src/maasserver/utils/isc.py (+286/-0)
src/maasserver/utils/mac.py (+34/-0)
src/maasserver/utils/tests/test_isc.py (+182/-0)
src/maasserver/utils/tests/test_mac.py (+35/-0)
src/maasserver/utils/tests/test_version.py (+217/-0)
src/maasserver/utils/version.py (+131/-0)
src/maasserver/views/nodes.py (+377/-6)
src/maasserver/views/tags.py.OTHER (+52/-0)
src/maasserver/views/tests/test_nodes.py.OTHER (+2766/-0)
src/maasserver/views/tests/test_rpc.py (+16/-2)
src/maasserver/views/tests/test_snippets.py (+47/-0)
src/maastesting/fixtures.py (+37/-0)
src/metadataserver/api.py (+10/-2)
src/metadataserver/models/commissioningscript.py (+41/-4)
src/metadataserver/models/tests/test_noderesults.py (+99/-0)
src/metadataserver/tests/test_api.py (+5/-0)
src/metadataserver/user_data/poweroff.py (+37/-0)
src/provisioningserver/boot/tests/test_boot.py (+7/-0)
src/provisioningserver/boot/tests/test_windows.py (+11/-0)
src/provisioningserver/boot/windows.py (+6/-0)
src/provisioningserver/config.py (+24/-0)
src/provisioningserver/dns/tests/test_config.py (+14/-0)
src/provisioningserver/drivers/hardware/tests/test_ucsm.py (+6/-0)
src/provisioningserver/drivers/hardware/ucsm.py (+21/-0)
src/provisioningserver/drivers/hardware/virsh.py (+12/-0)
src/provisioningserver/drivers/osystem/custom.py (+19/-0)
src/provisioningserver/drivers/osystem/tests/test_custom.py (+20/-0)
src/provisioningserver/plugin.py (+148/-0)
src/provisioningserver/rpc/boot_images.py (+22/-0)
src/provisioningserver/rpc/cluster.py (+4/-0)
src/provisioningserver/rpc/clusterservice.py (+34/-0)
src/provisioningserver/rpc/power.py (+38/-0)
src/provisioningserver/rpc/tests/test_boot_images.py (+53/-0)
src/provisioningserver/rpc/tests/test_clusterservice.py (+205/-0)
src/provisioningserver/rpc/tests/test_power.py (+57/-0)
src/provisioningserver/tests/test_config.py (+152/-0)
src/provisioningserver/tests/test_plugin.py (+5/-0)
src/provisioningserver/tests/test_plugin_services.py.OTHER (+87/-0)
utilities/update-new-and-modified-copyright (+15/-0)

lp:~mpontillo/maas/dns-template-changes-trunk

Merged into lp:maas/trunk at revision 4082

Raphaël Badin (community): Approve on 2015-07-09

Andres Rodriguez (community): Approve on 2015-07-09

lp:~mpontillo/maas/dns-template-changes-1.7

Merged into lp:maas/1.7 at revision 3376

Mike Pontillo (community): Approve on 2015-07-09

lp:~mpontillo/maas/dns-template-changes-1.8

Merged into lp:maas/1.8 at revision 4019

Mike Pontillo (community): Approve on 2015-07-09

lp:ubuntu/wily-proposed/maas

lp:ubuntu/trusty-proposed/maas

lp:ubuntu/vivid-proposed/maas

lp:ubuntu/utopic-proposed/maas

lp:~andreserl/maas/packaging_lp1413388_1.7

Merged into lp:~maas-maintainers/maas/packaging.utopic at revision 366

Andres Rodriguez (community): Approve on 2015-07-13

lp:~andreserl/maas/packaging_lp1413388_1.8

Merged into lp:~maas-maintainers/maas/packaging-1.8 at revision 411

Andres Rodriguez (community): Approve on 2015-07-13

James Troup (elmo) wrote on 2015-01-21:

Artifical diff of before and after MAAS upgrade Edit (729 bytes, text/x-diff)

James Troup (elmo) wrote on 2015-01-21:

Original named.conf.options prior to MAAS upgrade Edit (863 bytes, text/plain)

James Troup (elmo) wrote on 2015-01-21:

named.conf.options after the MAAS upgrade Edit (467 bytes, text/plain)

Andres Rodriguez (andreserl) on 2015-01-21

Changed in maas:
importance:	Undecided → Critical
status:	New → Confirmed
tags:	added: dns

Raphaël Badin (rvb) wrote on 2015-01-22:

The culprit is the fix for https://bugs.launchpad.net/maas/+bug/1275649.

It creates a `edit_named_options` Django command that is run in postinst: that command is there to edit the named.conf.options file so that it includes the maas forwarders config. This command is supposed to parse the existing named.conf.options file and only add the required stanza but I suppose that this didn't work in your case.

Raphaël Badin (rvb) wrote on 2015-01-22:

> This command is supposed to parse the existing named.conf.options file and only add the required stanza but I suppose that this
> didn't work in your case.

Well, more precisely, it seems the `edit_named_options` assumes it can clobber the 'forwarders' option.

Andres Rodriguez (andreserl) on 2015-02-10

Changed in maas:
milestone:	none → next

Andres Rodriguez (andreserl) on 2015-03-31

Changed in maas:
milestone:	next → 1.8.0

Ricardo Bánffy (rbanffy) on 2015-04-02

Changed in maas:
assignee:	nobody → Ricardo Bánffy (rbanffy)
status:	Confirmed → In Progress

Ricardo Bánffy (rbanffy) on 2015-04-02

Changed in maas:
assignee:	Ricardo Bánffy (rbanffy) → nobody
status:	In Progress → Triaged
status:	Triaged → Confirmed

Mike Pontillo (mpontillo) on 2015-04-03

Changed in maas:
assignee:	nobody → Mike Pontillo (mpontillo)

Mike Pontillo (mpontillo) on 2015-04-07

Changed in maas:
assignee:	Mike Pontillo (mpontillo) → nobody

Mike Pontillo (mpontillo) on 2015-04-13

Changed in maas:
assignee:	nobody → Mike Pontillo (mpontillo)

Raphaël Badin (rvb) on 2015-06-12

Changed in maas:
assignee:	Mike Pontillo (mpontillo) → nobody
milestone:	1.8.0 → 1.8.1

Tom Haddon (mthaddon) wrote on 2015-06-12:

Confirmed this is still an issue going from 1.5.4+bzr2294-0ubuntu1.3 to 1.7.5+bzr3369-0ubuntu1~14.04.1 (in trusty-proposed).

Christian Reis (kiko) wrote on 2015-06-12:

Confirming, though if this looks too risky for 1.7 we may just have to release note it.

Barry Price (barryprice) wrote on 2015-06-13:

These is a second issue here - the upgrades also adds the include mentioned in James's attachment:

include "/etc/bind/maas/named.conf.options.inside.maas";

This file, in my case, contained three lines:

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };

Since our original config already set values for both allow-query and allow-query-cache, bind9 refused to start post-upgrade until I either commented out the duplicate line in the include file, or in our own config.

James Troup (elmo) wrote on 2015-06-30:

This just broke ProdStack 4½ and all production services in it (including jujucharms, git.launchpad.net, SSO etc.).

Andres Rodriguez (andreserl) on 2015-06-30

Changed in maas:
milestone:	1.8.1 → 1.9.0
assignee:	nobody → Mike Pontillo (mpontillo)

Mike Pontillo (mpontillo) wrote on 2015-06-30:

#10

What I'd like to do is address the issue with the forwarders and DNSSEC issues first, since the MAAS configuration already contains options to set these. (at least it does in 1.8; in 1.7, only forwarders are allowed to be set) My plan is to ensure that these values are properly migrated from the BIND config to MAAS settings, rather than being silently deleted.

Barry, may I ask what values you had in the original config for allow-query, allow-recursion, and allow-query-cache? (were they set to something other than what MAAS set them to? If so, we may need a separate bug to address this. If not, it might be safe to simply delete these values from the original config - like we do with forwarders and DNSSEC - so that BIND doesn't crash on startup.) We'll need to study these options to see what the pitfalls are here.

Mike Pontillo (mpontillo) wrote on 2015-06-30:

#11

By the way, we're also planning on adding comments regarding the pitfalls of changing the now-MAAS-managed named.conf.options to the header, before we write out the generated configuration.

Mike Pontillo (mpontillo) on 2015-07-01

Changed in maas:
status:	Confirmed → Triaged

Mike Pontillo (mpontillo) wrote on 2015-07-09:

#12

We just landed a series of changes (which should make it to 1.7.6 and 1.8.1) to:

* Ignore the "allow-query", "allow-recursion", and "allow-query-cache" options when writing the MAAS DNS options file, if they are already present within named.conf.options.

* Migrate the "forwarders" and "dnssec-validation" options from the user's configuration to the MAAS database, if they are present within named.conf.options during an upgrade or install of maas-region-controller. (note that if maas-region-controller-min is being used, the command to migrate these options may need to run by manually, since packaging does not assume that a database is on the same machine as the regiond in that case; that is, "maas-region-admin edit_named_options --migrate-conflicting-options".)

Sadly, we don't preserve the original comments inside named.conf.options, but that is a significant amount of additional effort.

Hopefully this will resolve the issue for everyone.

Changed in maas:
status:	Triaged → Fix Committed

Andres Rodriguez (andreserl) on 2015-07-10

summary:

- upgrade of MAAS removes local config for bind and breaks DNS
+ [SRU] upgrade of MAAS removes local config for bind and breaks DNS

Andres Rodriguez (andreserl) on 2015-07-10

description:

updated

Launchpad Janitor (janitor) wrote on 2015-07-10:

#13

This bug was fixed in the package maas - 1.7.6+bzr3376-0ubuntu1

---------------
maas (1.7.6+bzr3376-0ubuntu1) wily; urgency=medium

  * New upstream release 1.7.6 bzr3376:
    - Accept list of forwarders for upstream_dns rather than just
      one. (LP: #1470585)
    - Fix upgrade issue where it would remove custom DNS config,
      potentially breaking DNS. (LP: #1413388)

  [ Raphaël Badin ]
  * Drop dependency on python-iscpy: the code has been integrated into
    MAAS. (LP: #1413388).

  [ Andres Rodriguez ]
  * Refactor maas-dns upgrade code so it doesn't break local DNS config
    and it gets migrated (LP: #1413388)

-- Andres Rodriguez <email address hidden> Fri, 03 Jul 2015 00:11:50 -0400

Changed in maas (Ubuntu Wily):
status:	New → Fix Released

Adam Conrad (adconrad) wrote on 2015-07-13: Please test proposed package

#14

Hello James, or anyone else affected,

Accepted maas into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/maas/1.7.6+bzr3376-0ubuntu2~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in maas (Ubuntu Trusty):
status:	New → Fix Committed
tags:	added: verification-needed
Changed in maas (Ubuntu Utopic):
status:	New → Fix Committed

Adam Conrad (adconrad) wrote on 2015-07-13:

#15

Hello James, or anyone else affected,

Accepted maas into utopic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/maas/1.7.6+bzr3376-0ubuntu2~14.10.1 in a few hours, and then in the -proposed repository.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in maas (Ubuntu Vivid):
status:	New → Fix Committed

Adam Conrad (adconrad) wrote on 2015-07-13:

#16

Hello James, or anyone else affected,

Accepted maas into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/maas/1.7.6+bzr3376-0ubuntu2~15.04.1 in a few hours, and then in the -proposed repository.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Mike Pontillo (mpontillo) wrote on 2015-07-14:

#17

I tested by installing bind9 on Trusty, then installing maas 1.7.6+bzr3376-0ubuntu2~14.04.1.

I verified that the forwarders were properly migrated to the MAAS configuration, as long as at least one cluster interface was set to be managing DNS.

The forwarders are migrated into the MAAS database, and values such as allow-query, allow-recursion, and allow-query-cache (which MAAS had previously always written into /etc/bind/maas/named.conf.options.inside.maas) are now only written if the values are not already present in /etc/bind/named.conf.options.

Hopefully this solves the issue for everyone.

Andres Rodriguez (andreserl) wrote on 2015-07-14:

#18

I've tested this in trusty, utopic and vivid. Confirm it works as expected as per Mike above.

tags:

added: verification-done
removed: verification-needed

Launchpad Janitor (janitor) wrote on 2015-07-28:

#20

This bug was fixed in the package maas - 1.7.6+bzr3376-0ubuntu2~14.04.1

---------------
maas (1.7.6+bzr3376-0ubuntu2~14.04.1) trusty; urgency=medium

  * debian/control: Make maas-dns a Dependy of maas-region-controller.
  * debian/maas-region-controller.postinst: Ensure DNS config migration is
    always run. (LP: #1413388)

-- Andres Rodriguez <email address hidden> Fri, 10 Jul 2015 13:47:40 -0400

Changed in maas (Ubuntu Trusty):
status:	Fix Committed → Fix Released

Adam Conrad (adconrad) wrote on 2015-07-28: Update Released

#19

The verification of the Stable Release Update for maas has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote on 2015-07-28:

#21

This bug was fixed in the package maas - 1.7.6+bzr3376-0ubuntu2~15.04.1

---------------
maas (1.7.6+bzr3376-0ubuntu2~15.04.1) vivid; urgency=medium

  * debian/control: Make maas-dns a Dependy of maas-region-controller.
  * debian/maas-region-controller.postinst: Ensure DNS config migration is
    always run. (LP: #1413388)

-- Andres Rodriguez <email address hidden> Fri, 10 Jul 2015 13:47:40 -0400

Changed in maas (Ubuntu Vivid):
status:	Fix Committed → Fix Released

Andres Rodriguez (andreserl) on 2015-07-31

no longer affects:

maas (Ubuntu Utopic)

David Lawson (deej) wrote on 2015-08-17:

#22

When upgrading from 1.5 to 1.7.6+bzr3376-0ubuntu2~14.04.1 using maas-region-controller-min it's not clear when we should be running "maas-region-admin edit_named_options --migrate-conflicting-options", should this be prior to the upgrade? As it was, I had to edit named.conf.options and remove the forwarders option manually, then reload rndc, running the migrate-conflicting-options command post-upgrade resulted in rndc failing to reload because forwarders was defined in multiple places.

Junien Fridrick (axino) wrote on 2015-08-24:

#23

Also : would running "maas-region-admin edit_named_options --migrate-conflicting-options" without "forwarders" in named.conf.options remove the forwarder setting from the MAAS database ?

Thanks

Andres Rodriguez (andreserl) on 2015-10-22

Changed in maas:
status:	Fix Committed → Fix Released
status:	Fix Released → Fix Committed

Andres Rodriguez (andreserl) on 2016-01-05

Changed in maas:
status:	Fix Committed → Fix Released

MAAS

[SRU] upgrade of MAAS removes local config for bind and breaks DNS

Bug Description

Related branches

Other bug subscribers

Bug attachments