Re: [Freeipa-devel] [PATCH] 025 Detection of v1 server during ipa-client-install
On Fri, 2011-02-04 at 09:05 +0100, Jan Zelený wrote:

Martin Kosek mko...@redhat.com wrote: When a v2 IPA client is trying to join an IPA v1 server a strange exception is printed out to the user. This patch detects this by catching an XML-RPC error reported by the ipa-join binary called in the process, which fails on the nonexistent IPA server 'join' method. The wget call had to be changed so that the IPA client may get to the ipa-join step. --no-check-certificate had to be added as a V1 server automatically redirects the request to a self-signed secure connection. https://fedorahosted.org/freeipa/ticket/553

The patch is ok and applies correctly. My only thought was to download the certificate directly from https:///ca.crt instead of plain http, but there is probably no real benefit. ack Jan

Jan, thanks for the review. And yes, I could not see a benefit either. Since the IPA server certificate is not confidential information the secure connection is not needed. And since we do not trust the server's certificate in this step of installation and --no-check-certificate is used, a secure connection could not be used for server identity validation either. Therefore, I would ask for the patch to be pushed. Martin

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek jhro...@redhat.com wrote:

On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:

Jakub Hrozek jhro...@redhat.com wrote: Hi, attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support. Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons. Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow. Thank you, Jakub

The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine. ACK Jan

Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects.

Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed. Jan
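The resolve-then-iterate approach Jakub describes, as an added example that is not part of the patch or of FreeIPA: it uses the standard-library socket.getaddrinfo() in place of python-nss's AddrInfo/NetworkAddress objects, adds the prefer/exclusive address-family policy Jakub asks for as a config option, and the `connector` hook and SAMPLE_ADDRINFO are constructed here so the IPv4-to-IPv6 fallback can be exercised offline.

```python
import socket

# Address families exposed by name so callers need not import socket themselves.
AF_INET = socket.AF_INET
AF_INET6 = socket.AF_INET6
FAMILY_BY_NAME = {"inet": AF_INET, "inet6": AF_INET6}

# Constructed sample in the shape socket.getaddrinfo() returns for a dual-stack
# server: (family, socktype, proto, canonname, sockaddr). Documentation
# addresses only; nothing here is a real host.
SAMPLE_ADDRINFO = [
    (AF_INET6, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("2001:db8::1", 443, 0, 0)),
    (AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("192.0.2.10", 443)),
    (AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("192.0.2.11", 443)),
]


def resolve(host, port):
    """Resolve once, up front, and return every usable TCP address."""
    return socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)


def order_candidates(addrinfo, prefer="inet", exclusive=False):
    """Order resolved addresses according to the address-family policy.

    prefer="inet" reproduces the patch's default (IPv4 first, IPv6 only as a
    fallback); exclusive=True implements the "use it exclusively" option by
    discarding the other family entirely.
    """
    if prefer not in FAMILY_BY_NAME:
        raise ValueError("prefer must be one of %s" % sorted(FAMILY_BY_NAME))
    fam = FAMILY_BY_NAME[prefer]
    preferred = [ai for ai in addrinfo if ai[0] == fam]
    fallback = [] if exclusive else [ai for ai in addrinfo if ai[0] != fam]
    return preferred + fallback


def socket_connector(family, socktype, proto, sockaddr, timeout):
    """Default connector: open a plain TCP socket to one address."""
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def fake_connector(reachable_family):
    """Hypothetical test aid: a connector that only 'reaches' one family."""
    def connect(family, socktype, proto, sockaddr, timeout):
        if family != reachable_family:
            raise OSError("connection refused")
        return "fake-connection"
    return connect


def connect_any(candidates, timeout=5.0, connector=socket_connector):
    """Try candidates in order and return (family, sockaddr, connection).

    Every failure is remembered so that, if all addresses fail, the caller
    sees the last real error rather than a vague "could not connect".
    """
    last_error = None
    for family, socktype, proto, _canon, sockaddr in candidates:
        try:
            conn = connector(family, socktype, proto, sockaddr, timeout)
        except OSError as err:
            last_error = err
            continue
        return family, sockaddr, conn
    if last_error is None:
        raise OSError("no addresses to try for the configured family policy")
    raise last_error


if __name__ == "__main__":
    # Walk the constructed sample with a connector that only reaches IPv6,
    # which shows the IPv4 -> IPv6 fallback the patch implements.
    ordered = order_candidates(SAMPLE_ADDRINFO)
    fam, addr, _ = connect_any(ordered, connector=fake_connector(AF_INET6))
    print("connected via", "IPv6" if fam == AF_INET6 else "IPv4", addr[0])
```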
Re: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596 I believe API.txt should be updated (you change hbacrule_enable and hbacrule_disable return values), so NACK for now. Jan Patch has been rebased, API.txt updated along with some minor changes to achieve consistency between HBAC plugins. All tests pass. Martin From 3094da14dff0efb628259ce04aadcb0890349517 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 4 Feb 2011 14:03:30 +0100 Subject: [PATCH] HBAC plugin inconsistent output This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596 --- API.txt | 12 +--- ipalib/plugins/hbacrule.py| 37 ++--- ipalib/plugins/hbacsvc.py | 14 +++--- ipalib/plugins/hbacsvcgroup.py| 10 +++--- tests/test_xmlrpc/test_hbacsvcgroup_plugin.py | 12 5 files changed, 56 insertions(+), 29 deletions(-) diff --git a/API.txt b/API.txt index 22578e9927f36fc24d34150c62b79afb7bbbde3f..826944bc81cc97dd3b74e5471b1e54aa70ec34a9 100644 --- a/API.txt +++ b/API.txt 
@@ -988,13 +988,17 @@ output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly output: Output('result', type 'dict', 'list of deletions that failed') output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: hbacrule_disable -args: 1,0,1 +args: 1,0,3 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) -output: Output('result', None, None) +output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed') +output: Output('result', type 'bool', 'True means the operation was successful') +output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: hbacrule_enable -args: 1,0,1 +args: 1,0,3 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) -output: Output('result', None, None) +output: Output('summary', (type 'unicode', type 'NoneType'), 'User-friendly description of action performed') +output: Output('result', type 'bool', 'True means the operation was successful') +output: Output('value', type 'unicode', The primary_key value of the entry, e.g. 'jdoe' for a user) command: hbacrule_find args: 1,12,4 arg: Str('criteria?') diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index b834a141061a6a5b64dba97b24a32f77824ef0a4..cb4dbb4f3756272ce8b79f584af74c5e6b2b839d 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -211,6 +211,9 @@ class hbacrule_add(LDAPCreate): Create a new HBAC rule. + +msg_summary = _('Added HBAC rule %(value)s') + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # HBAC rules are enabled by default entry_attrs['ipaenabledflag'] = 'TRUE' 
@@ -224,6 +227,8 @@ class hbacrule_del(LDAPDelete): Delete an HBAC rule. +msg_summary = _('Deleted HBAC rule %(value)s') + api.register(hbacrule_del) @@ -232,6 +237,8 @@ class hbacrule_mod(LDAPUpdate): Modify an HBAC rule. +msg_summary = _('Modified HBAC rule %(value)s') + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): try: (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) @@ -256,6 +263,10 @@ class hbacrule_find(LDAPSearch): Search for HBAC rules. +msg_summary = ngettext( +'%(count)d HBAC rule matched', '%(count)d HBAC rules matched', 0 +) + api.register(hbacrule_find) @@ -271,6 +282,10 @@ class hbacrule_enable(LDAPQuery): Enable an HBAC rule. + +msg_summary = _('Enabled HBAC rule %(value)s') +has_output = output.standard_value + def execute(self, cn): ldap = self.obj.backend @@ -284,11 +299,10 @@ class hbacrule_enable(LDAPQuery): except errors.NotFound: self.obj.handle_not_found(cn) -return dict(result=True) - -def output_for_cli(self, textui, result, cn): -textui.print_name(self.name) -textui.print_dashed('Enabled HBAC rule %s.' % cn) +return dict( +result=True, +value=cn, +) api.register(hbacrule_enable) @@ -297,6 +311,10 @@ class hbacrule_disable(LDAPQuery): Disable an HBAC rule. + +msg_summary =
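Review bot: in the hbacrule_enable hunk the removed output_for_cli printed 'Enabled HBAC rule %s.' with a trailing period, while the new msg_summary _('Enabled HBAC rule %(value)s') drops it; pick whichever form the other plugins' summaries use, since consistent CLI output is the stated goal of the patch. The execute() change returning dict(result=True, value=cn) does match has_output = output.standard_value and the three outputs (summary, result, value) now declared for hbacrule_enable and hbacrule_disable in API.txt.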
Re: [Freeipa-devel] [PATCH] 026 HBAC plugin inconsistent output
Martin Kosek mko...@redhat.com wrote:

On Mon, 2011-02-07 at 10:38 +0100, Jan Zelený wrote:

Martin Kosek mko...@redhat.com wrote: This patch adds a proper summary text to HBAC command which is then printed out in CLI. Now, HBAC plugin output is consistent with other plugins. https://fedorahosted.org/freeipa/ticket/596

I believe API.txt should be updated (you change hbacrule_enable and hbacrule_disable return values), so NACK for now. Jan

Patch has been rebased, API.txt updated along with some minor changes to achieve consistency between HBAC plugins. All tests pass. Martin

Looks good now, ack Jan
Re: [Freeipa-devel] [PATCH] 74 Fix crash in DNS installer.
Pavel Zuna pz...@redhat.com wrote: Fix #927 Pavel

Ack Jan
Re: [Freeipa-devel] [PATCH] 705 make main selfservice aci visible
Rob Crittenden rcrit...@redhat.com wrote: The main aci that grants users the ability to manage themselves wasn't visible to the selfservice plugin. Move the location of the aci and fix the description. ticket 934 rob

ack Jan
Re: [Freeipa-devel] [PATCH] 050 Fix migration page
On 02/09/2011 02:09 PM, Jakub Hrozek wrote: During some UI rewrite, the password migration form completely lost the action= field and defaulted to GET instead of POST.

ACK. Pavel
Re: [Freeipa-devel] [PATCH] Fix of a small typo
Jakub Hrozek wrote:

On Fri, Feb 04, 2011 at 06:41:41PM +0100, Jan Zeleny wrote: Trivial fix, can be pushed directly Jan

Ack pushed to master
[Freeipa-devel] [PATCH] 0009-Cross-brower-adjustments-for-the-action-panel
Adjusted for action panel for Safari and Chrome.

From 00a2537e96dadd7dc538fb85dffd23b10f13a9ad Mon Sep 17 00:00:00 2001 From: System Administrator r...@dhcp-100-3-211.bos.redhat.com Date: Wed, 9 Feb 2011 09:45:31 -0500 Subject: [PATCH] Cross brower adjustments for the action-panel. --- ...i-s-target-feilds-adjusted-action-panel-s.patch | 367 install/ui/ipa.css | 35 ++- 2 files changed, 392 insertions(+), 10 deletions(-) create mode 100644 0001-Adjusted-aci-s-target-feilds-adjusted-action-panel-s.patch diff --git a/0001-Adjusted-aci-s-target-feilds-adjusted-action-panel-s.patch b/0001-Adjusted-aci-s-target-feilds-adjusted-action-panel-s.patch new file mode 100644 index 000..0e27624 --- /dev/null +++ b/0001-Adjusted-aci-s-target-feilds-adjusted-action-panel-s.patch 
@@ -0,0 +1,367 @@ +From ec84d1de06ab1af5fdedc952695750efab4cd212 Mon Sep 17 00:00:00 2001 +From: System Administrator r...@dhcp-100-3-211.bos.redhat.com +Date: Thu, 27 Jan 2011 15:05:16 -0500 +Subject: [PATCH] Adjusted aci's target feilds, adjusted action panel styles, adjusted Delegation and Configuration. + +--- + install/ui/caution.png | Bin 438 - 496 bytes + install/ui/check.png | Bin 3209 - 556 bytes + install/ui/ipa.css | 115 +-- + 3 files changed, 100 insertions(+), 15 deletions(-) + mode change 100755 = 100644 install/ui/caution.png + mode change 100755 = 100644 install/ui/check.png + +diff --git a/install/ui/caution.png b/install/ui/caution.png +old mode 100755 +new mode 100644 +index ce7a68ad960852235b2cb4815cf502cc74939e85..162c96d679bd83dfd9d63aa500ec3539a989e626 +GIT binary patch +delta 446 +zcmV;v0YUz@1MmZo83+ad001U0oQjblCw~EwNklZc-ovzfZzI6uxV(Efp3LHzyJk +zV;GFa)d7DDhTXxqB8V(43jg94iX0=?oP)4K;rB`G){t17)XdHP}%@(yWXL3KkTi +zzU1qBc|X4Q?n{B|x?mJql~iI}ond4Fck*GaFkjPOqRD|7^R(4OPh3UJg6@W`Fcg +z1h$@?qnk0o$Yn4}vt_e!iGEGcd|J=a8}kwI9RL|VuwHV3Sh|0_e@++o|mDB0l^Xn +zi;-GRc3zJn!~FvU1iwjE037Ent*L13*EYKJDs!EP+`)*%y`SwCjj;NFDoA+^5R +zD(@}%XCN1Xno+-BDKV$6x2dA3x7tLZG;aGj}V1%janTAr$ReIwc@GM6mqrd_P3V +zj^(b`7U`JCW)b`3@6Q9o!K-ehLtW{!C7Ht1QElWC}+$_5P|C-8xlE`tcxGlCj +zZ9oXjTjSPSri-1OY_`g3y(V`3Y5x1F(D0*ML5ORb`5R=LPS?p2V@hiN|b}~A +oNsoYcq2?Y_8995kCbO0Gd03qez|+`v3p{07*qoM6N$f(RbQr~m)} + +delta 387 +zcmV-}0et@O1GWQ@83+Ra000s3Y`BpjCw~CIP)t-s($Bj3@)517is;lT_xJbY(JJ!Z +zEB^ch_2nV-0b0UF{`ME`}Ga^@D%@;I`Y{rl?u`QrWg2=d=r|Ns5)+CBXD+4bdo +z+1c6j7DlIilCi;ySJA9{PFPGG5GEm`trT=;AHUHH}Tz3r=*6driSqF@aN~}p?{x% +z)6)V@2l(BEA!$e^WZ7y=;-e5?*IP!@!Lu8+ClW=aQEw_2-54#OwScek^Y{{8jp +z*DLkrAouGU($doN;V1w9|CiLGF#rGnj7da6RCwA{$k!HvFc3x22|^Ge9Ti)^-g}P +z|NmD+6I9N_%v~EYk?Y9;@}I9|XmC($m!NNApC;_-u`}gZm!K05Tia9Y)PM!NvF +z9$UP4;7MqvriltfK96p5l!9@1~`@B;VuK`Vlu`mn#S+aYo!nn?lH_GaD14bYTMO +hGp@yqm7yiFaSa8C`ZubbGHBh002ovPDHLkV1o9x=D`2} + +diff --git a/install/ui/check.png b/install/ui/check.png +old mode 100755 +new 
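Review bot: the first hunk creates 0001-Adjusted-aci-s-target-feilds-adjusted-action-panel-s.patch at the repository root (create mode 100644, 367 lines, including GIT binary patch deltas for install/ui/caution.png and install/ui/check.png); that is an earlier patch file committed into the tree by accident and should be dropped from the commit, leaving only the install/ui/ipa.css change the subject line describes.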
Re: [Freeipa-devel] [PATCH] 72 Set minimum for Kerberos policy max life and max renew
Jakub Hrozek wrote:

On Mon, Feb 07, 2011 at 02:10:40PM +0100, Pavel Zuna wrote:

On 02/07/2011 01:10 PM, Jakub Hrozek wrote:

On Mon, Feb 07, 2011 at 11:13:56AM +0100, Pavel Zuna wrote: Fix #847 Pavel

Nack, please update API.txt

Forgot about that, sorry. Version with updated API.txt attached. Pavel

Ack pushed to master
Re: [Freeipa-devel] [PATCH] 74 Fix crash in DNS installer.
Jan Zelený wrote:

Pavel Zuna pz...@redhat.com wrote: Fix #927 Pavel

Ack

pushed to master
Re: [Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.
David O'Brien wrote:

Rob Crittenden wrote:

David O'Brien wrote:

Dmitri Pal wrote:

On 02/07/2011 06:46 PM, David O'Brien wrote:

Jenny Galipeau wrote:

Pavel Zuna wrote: It seems that restarting krb5kdc is only needed when changes to the global policy are made. Per-user policies take effect immediately for newly requested tickets. Can someone please confirm?

Yes, in testing this is the behavior. If the help could specify that an ipactl restart is required after a global policy change, that would be great. Thanks Jenny

Please raise a suitable bugzilla to get this included in the user doc. So far I only have doc about restarting IPA services after ipa krbtpolicy-reset.

Isn't it the same thing?

I took changes to mean using krbtpolicy-mod and any others, not just -reset, which is the info I received last time.

The bottom line is that any change to the global Kerberos ticket policy requires a restart of the KDC to see the changes (/sbin/service krb5kdc restart). IMHO restarting the entire IPA world for this is overkill. rob

ok, so we're still talking about any changes to the global ticket policy, not just using ipa krbtpolicy-reset, which is what I had before. I'll update this bit and just recommend krb5kdc restart like you say. cheers

ACK, pushed to master
Re: [Freeipa-devel] Hosts, A recs, and AAAA recs
On 02/08/2011 11:30 PM, Simo Sorce wrote:

On Tue, 08 Feb 2011 22:10:16 -0500 Adam Young ayo...@redhat.com wrote:

The current process to add a host today is: create an A record, run add host. We have --force which will allow us to add the host even if the A record doesn't exist, but do we have a way to say, add this host, A record, and AAAA record all at the same time? From a cloud perspective, it seems like we are going to get a lot of short lived VMs that will need all three at once. I can see a work flow like this: User requests a number of VMs. VMs get cloned from templates and spun up. VMs get IP address from DHCP server. DHCP server notifies IPA server of new hosts.

What do you mean by this? Do you want to give the DHCP server the power to perform DNS updates? Can be done although I am not sure DHCP Servers know how to do GSS-TSIG protected updates, we may have to open up DNS access control to accept everything from the DHCP Server.

IPA server adds host entries, A and AAAA records.

Host entries must be added by the cloud engine as it needs to set the enrollment password it passes down to the VM.

VM runs ipa-client install as part of firstboot.

ipa-client-install could also add DNS records, but there is a credential problem if it is an automated process.

The IPA server might even get notified earlier. I could see the cloud provider pushing the info to ipa prior to cloning the VM.

This might be a better choice as long as the cloud provider can also change the DHCP configuration to assign the right IP address to the VMs using the MAC address.

How would we go about doing that today?

I think we are missing the part that creates the VMs yet, so ... Simo.

In the cloud the cloud provider gives a VM a name and IP that it knows about. It is completely different from what you want the machine to think about itself. I did some emulation of the bootstrapping sequence as a proof of concept to make sure we can enroll the host with a different hostname. To emulate the provisioning of a new VM in the cloud I created a new host in IPA with corresponding DNS entries. I gave it a generated static IP of 1.1.1.1. It created an OTP for me. Then I turned around and on the client added ipa to the resolv.conf of the client and ran ipa-client-install passing in the OTP, ipa host name and machine name. That completed the provisioning. The cloud engine will be driving the creation of the DNS and host entries. IPA already has all capabilities that are needed. What you suggest seems to be an optimization that would save the cloud engine a line in a script. Simo is right about firstboot - it is not implemented yet.

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Hosts, A recs, and AAAA recs
On 02/09/2011 10:56 AM, Dmitri Pal wrote:

On 02/08/2011 11:30 PM, Simo Sorce wrote:

On Tue, 08 Feb 2011 22:10:16 -0500 Adam Young ayo...@redhat.com wrote:

The current process to add a host today is: create an A record, run add host. We have --force which will allow us to add the host even if the A record doesn't exist, but do we have a way to say, add this host, A record, and AAAA record all at the same time? From a cloud perspective, it seems like we are going to get a lot of short lived VMs that will need all three at once. I can see a work flow like this: User requests a number of VMs. VMs get cloned from templates and spun up. VMs get IP address from DHCP server. DHCP server notifies IPA server of new hosts.

What do you mean by this? Do you want to give the DHCP server the power to perform DNS updates? Can be done although I am not sure DHCP Servers know how to do GSS-TSIG protected updates, we may have to open up DNS access control to accept everything from the DHCP Server.

IPA server adds host entries, A and AAAA records.

Host entries must be added by the cloud engine as it needs to set the enrollment password it passes down to the VM.

VM runs ipa-client install as part of firstboot.

ipa-client-install could also add DNS records, but there is a credential problem if it is an automated process.

The IPA server might even get notified earlier. I could see the cloud provider pushing the info to ipa prior to cloning the VM.

This might be a better choice as long as the cloud provider can also change the DHCP configuration to assign the right IP address to the VMs using the MAC address.

How would we go about doing that today?

I think we are missing the part that creates the VMs yet, so ... Simo.

In the cloud the cloud provider gives a VM a name and IP that it knows about. It is completely different from what you want the machine to think about itself. I did some emulation of the bootstrapping sequence as a proof of concept to make sure we can enroll the host with a different hostname. To emulate the provisioning of a new VM in the cloud I created a new host in IPA with corresponding DNS entries. I gave it a generated static IP of 1.1.1.1. It created an OTP for me. Then I turned around and on the client added ipa to the resolv.conf of the client and ran ipa-client-install passing in the OTP, ipa host name and machine name. That completed the provisioning. The cloud engine will be driving the creation of the DNS and host entries. IPA already has all capabilities that are needed. What you suggest seems to be an optimization that would save the cloud engine a line in a script. Simo is right about firstboot - it is not implemented yet.

To create a new vm is just a matter of using libvirt's clone call. But I'm not sure if libvirt has the means to notify the IPA server that a new machine is about to come up, I'm going to give it the IP Address 10.1.1.1. What do you mean about firstboot?
Re: [Freeipa-devel] [PATCH] 0009-Cross-brower-adjustments-for-the-action-panel
On 02/09/2011 09:57 AM, Kyle Baker wrote: Adjusted for action panel for Safari and Chrome.

Removed the patch file embedded in the other patch file. ACK and pushed to master
[Freeipa-devel] [PATCH] Append realm name to service principal name.
The realm name is necessary to create the correct service. -- Endi S. Dewata From bac9a338355533d1bda3cf708c0c2d5baf63bf33 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 9 Feb 2011 10:56:25 -0600 Subject: [PATCH] Append realm name to service principal name. The realm name is necessary to create the correct service. --- install/ui/dialog.js |1 + install/ui/service.js | 54 +--- install/ui/widget.js |1 + 3 files changed, 30 insertions(+), 26 deletions(-) diff --git a/install/ui/dialog.js b/install/ui/dialog.js index b1f84a98bbd11a827415664d1357cdf90cb90fb3..9783c7b4cf8d2abb6c14f8635c99e83e3a5897fc 100644 --- a/install/ui/dialog.js +++ b/install/ui/dialog.js @@ -117,6 +117,7 @@ IPA.dialog = function(spec) { for (var i=0; ithat.fields.length; i++) { var field = that.fields[i]; +if (field.hidden) continue; var tr = $('tr/').appendTo(table); diff --git a/install/ui/service.js b/install/ui/service.js index 409aa5dfaede03ef85b9c6cec57fd258967cec01..4a6c13ff707a0102e9627881e9095dffd110da0f 100644 --- a/install/ui/service.js +++ b/install/ui/service.js 
@@ -23,35 +23,36 @@ /* REQUIRES: ipa.js, details.js, search.js, add.js, entity.js */ -IPA.entity_factories.service = function () { +IPA.entity_factories.service = function() { return IPA.entity({ -'name': 'service' +name: 'service' }). association({ -'name': 'host', -'add_method': 'add_host', -'remove_method': 'remove_host' +name: 'host', +add_method: 'add_host', +remove_method: 'remove_host' }). facet( IPA.search_facet(). column({name: 'krbprincipalname'}). dialog( IPA.service_add_dialog({ -'name': 'add', -'title': 'Add New Service' +name: 'add', +title: 'Add New Service', +width: '450px' }))). -facet( IPA.service_details_facet()). -facet( IPA.service_managedby_host_facet({ -'name': 'managedby_host', -'label': IPA.messages.association.managedby + +facet(IPA.service_details_facet()). +facet(IPA.service_managedby_host_facet({ +name: 'managedby_host', +label: IPA.messages.association.managedby + ' '+IPA.metadata['host'].label, -'other_entity': 'host' +other_entity: 'host' })); }; -IPA.service_select_widget = function (spec){ +IPA.service_select_widget = function(spec) { var that = IPA.text_widget(spec); var known_services = [, cifs, DNS, ftp, HTTP,imap, ldap, @@ -81,25 +82,26 @@ IPA.service_select_widget = function (spec){ /*TODO: the following labels etc. all need to be replaced with I18N strings */ -IPA.service_add_dialog = function (spec) { +IPA.service_add_dialog = function(spec) { spec = spec || {}; var that = IPA.add_dialog(spec). field(IPA.widget({ -name: 'krbprincipalname' +name: 'krbprincipalname', +hidden: true })). field(IPA.service_select_widget({ -'name': 'service', -'label': 'Service', -'size': 20, -'undo': false +name: 'service', +label: 'Service', +size: 20, +undo: false })). field(IPA.text_widget({ -'name': 'host', -'label': 'Host Name', -'size': 40, -'undo': false +name: 'host', +label: 'Host Name', +size: 40, +undo: false })). field(IPA.checkbox_widget({ name: 'force', 
@@ -117,7 +119,7 @@ IPA.service_add_dialog = function (spec) { field = that.get_field('host'); var host = field.save()[0]; -record['krbprincipalname'] = service+'/'+host; +record['krbprincipalname'] = service+'/'+host+'@'+IPA.env.realm; field = that.get_field('force'); record['force'] = field.save()[0]; @@ -127,7 +129,7 @@ IPA.service_add_dialog = function (spec) { }; -IPA.service_details_facet = function (spec) { +IPA.service_details_facet = function(spec) { spec = spec || {}; @@ -360,7 +362,7 @@ function service_certificate_status_widget(spec) { return that; } -IPA.service_managedby_host_facet = function (spec) { +IPA.service_managedby_host_facet = function(spec) { spec = spec || {}; diff --git a/install/ui/widget.js b/install/ui/widget.js index eb2f70cfc0407d36fa6dd04ef7a4e9acb2f82853..2c1bdb039b582b348dc97cc99762c6aa66d50d2f 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -35,6 +35,7 @@ IPA.widget = function(spec) { that.tooltip =
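Review bot: in the service.js hunks at @@ -23,35 and @@ -81,25 most of the changed lines only unquote object keys ('name' to name) and tighten the function() spacing, and the functional additions (the hidden: true on krbprincipalname and the new width: '450px') are buried among them; keeping the cosmetic rewrite in a separate commit would make the realm change easy to review and bisect.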
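Review bot: in the @@ -117,7 hunk, record['krbprincipalname'] = service+'/'+host+'@'+IPA.env.realm silently yields a principal ending in '@undefined' if IPA.env.realm has not been populated by the time the add dialog is saved; consider refusing to submit (or falling back to the server-side default) when the realm is missing rather than sending a malformed principal to service_add.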
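Review bot: the widget.js hunk at @@ -35,6 is cut off after `that.tooltip =`, so the one inserted line the diffstat reports is not visible here; the dialog.js hunk `+if (field.hidden) continue;` and the `hidden: true` on the krbprincipalname field only take effect if IPA.widget copies spec.hidden onto the widget (something like `that.hidden = spec.hidden;`), so please confirm that is what the missing line does.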
[Freeipa-devel] [PATCH] 706 remove certificate from service-find
Remove certificate as service a search option. There is no point on searching on binary objects. ticket 912 rob From 18f096dcad6faf6b6f447b188d870ed28007f25b Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 9 Feb 2011 13:24:47 -0500 Subject: [PATCH] Remove certificate as service a search option. ticket 912 --- ipalib/plugins/service.py |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index bac58d3..cab1f7b 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -295,6 +295,7 @@ class service(LDAPObject): cli_name='certificate', label=_('Certificate'), doc=_('Base-64 encoded server certificate'), +flags=['no_search',], ) ) -- 1.7.3.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
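Review bot: the hunk's `flags=['no_search',]` carries a stray trailing comma inside a single-element list; `flags=['no_search']` matches the surrounding parameter definitions better. The subject line 'Remove certificate as service a search option' also has its words out of order and should read 'Remove certificate as a service search option'.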
[Freeipa-devel] [PATCH] 707 fix wrapping prompt
At least in my xterm the prompt for Do you want to proceed and configure the system with fixed values with no DNS discovery? wraps around over itself. This patch shortens the message. ticket 940 rob

freeipa-rcrit-707-client.patch
[Freeipa-devel] [PATCH] 708 move nscd disablement code
Disable nscd before starting sssd. We used to disable it after configuring sssd which would cause a warning message to appear in /var/log/messages from sssd. This was in effect bogus because we killed nscd as the very next step after starting sssd but let's not confuse our users. ticket 743 rob

freeipa-rcrit-708-nscd.patch
[Freeipa-devel] [PATCH] 709 set minimum version of sssd to 1.5.1.
Title says it all. ticket 926 rob

freeipa-rcrit-709-sssd.patch
[Freeipa-devel] Fedora 15 test day is moved to Feb 15th.
Hello, Please join us in testing FreeIPA v2 on Tuesday Feb 15th as a part of the Fedora 15 Test Day. Originally we planned to have a test day on Thursday February 10th (tomorrow) but for different reasons we had to delay this effort. The details of what to test and how to test will be published later this week. Please follow the changes on the Fedora test page [1] and on the FreeIPA wiki [2].

[1] https://fedoraproject.org/wiki/Test_Day:2011-02-15_FreeIPAv2 (incomplete as of Feb 9th)
[2] www.freeipa.org

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-devel] Hosts, A recs, and AAAA recs
On 02/09/2011 11:06 AM, Adam Young wrote:

On 02/09/2011 10:56 AM, Dmitri Pal wrote:

On 02/08/2011 11:30 PM, Simo Sorce wrote:

On Tue, 08 Feb 2011 22:10:16 -0500 Adam Young ayo...@redhat.com wrote:

The current process to add a host today is: create an A record, run add host. We have --force which will allow us to add the host even if the A record doesn't exist, but do we have a way to say, add this host, A record, and AAAA record all at the same time? From a cloud perspective, it seems like we are going to get a lot of short lived VMs that will need all three at once. I can see a work flow like this: User requests a number of VMs. VMs get cloned from templates and spun up. VMs get IP address from DHCP server. DHCP server notifies IPA server of new hosts.

What do you mean by this? Do you want to give the DHCP server the power to perform DNS updates? Can be done although I am not sure DHCP servers know how to do GSS-TSIG protected updates, we may have to open up DNS access control to accept everything from the DHCP server.

IPA server adds host entries, A and AAAA records.

Host entries must be added by the cloud engine as it needs to set the enrollment password it passes down to the VM.

VM runs ipa-client-install as part of firstboot.

ipa-client-install could also add DNS records, but there is a credential problem if it is an automated process.

The IPA server might even get notified earlier. I could see the cloud provider pushing the info to IPA prior to cloning the VM.

This might be a better choice as long as the cloud provider can also change the DHCP configuration to assign the right IP address to the VMs using the MAC address.

How would we go about doing that today?

I think we are missing the part that creates the VMs yet, so ... Simo.

In the cloud the cloud provider gives a VM a name and IP that it knows about. It is completely different from what you want the machine to think about itself. I did some emulation of the bootstrapping sequence as a proof of concept to make sure we can enroll the host with a different hostname. To emulate the provisioning of a new VM in the cloud I created a new host in IPA with corresponding DNS entries. I gave it a generated static IP of 1.1.1.1. It created an OTP for me. Then I turned around and on the client added ipa to the resolv.conf of the client and ran ipa-client-install passing in the OTP, IPA host name and machine name. That completed the provisioning. The cloud engine will be driving the creation of the DNS and host entries. IPA already has all capabilities that are needed. What you suggest seems to be an optimization that would save the cloud engine a line in a script. Simo is right about firstboot - it is not implemented yet.

To create a new VM is just a matter of using libvirt's clone call. But I'm not sure if libvirt has the means to notify the IPA server a new machine is about to come up. I'm going to give it the IP address 10.1.1.1. What do you mean about firstboot?

I'm talking about a generic case. When you are bringing up a machine in a cloud you can't assume libvirt. It can be Amazon cloud or Rackspace or GoGrid or something else. In such cases the Cloud Engine will tell the cloud provider: here is the image, boot it and pass those parameters to it (parameters are passed in different ways for different cloud providers). On the first boot (and this is where the first boot comes from) the image comes up and executes the first boot sequence. As a part of the sequence it connects to the configuration server to pull in its configuration. But before this it needs to register to IPA using the passed in OTP. The cloud engine would pre-create the right entries on the IPA server side (host and DNS) and pass the OTP, its name and host name of the machine to the VM as parameters. The first boot script will do ipa-client-install with those parameters and then using the obtained ticket connect to the configuration server. Since the VM is now authenticated the Configuration server would be able to tell the VM what to do next and how to configure itself. Bottom line is that there is a third party called Cloud Engine that will orchestrate the process.

-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
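The hand-off described in this thread (the cloud engine pre-creates the host and DNS entries and hands the VM an OTP, the VM's firstboot runs ipa-client-install with it), as an added example that is not part of the thread or of FreeIPA's own scripts. It uses the ipa host-add options --ip-address and --password and the ipa-client-install options --hostname, --server, --domain, --realm, --password and --unattended; the IPA_* variable names, the overridable command variables and the sample host vm01.cloud.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): the two halves of the hand-off the
# thread describes. precreate_host is the cloud-engine side (needs an admin
# ticket); enroll_firstboot is the VM's firstboot side. The parameter names
# IPA_HOSTNAME, IPA_SERVER, IPA_OTP and IPA_DOMAIN are assumptions; how a
# provider passes them to the VM differs, so they are read from the environment.
set -eu

# Both commands are overridable so the script can be dry-run without IPA.
IPA_CMD="${IPA_CMD:-ipa}"
IPA_CLIENT_INSTALL="${IPA_CLIENT_INSTALL:-ipa-client-install}"

# Accept only a fully qualified hostname made of DNS label characters.
valid_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Cloud-engine side: create the host entry, its A record and the OTP in one
# call, before the VM is cloned. The OTP is only ever passed on to the VM.
precreate_host() {
    fqdn="$1"; ip="$2"; otp="$3"
    valid_fqdn "$fqdn" || { echo "bad hostname: $fqdn" >&2; return 2; }
    "$IPA_CMD" host-add "$fqdn" --ip-address="$ip" --password="$otp"
}

# VM side: derive domain and realm from the FQDN unless given, then enrol.
enroll_firstboot() {
    valid_fqdn "$IPA_HOSTNAME" || { echo "bad hostname: $IPA_HOSTNAME" >&2; return 2; }
    valid_fqdn "$IPA_SERVER" || { echo "bad server: $IPA_SERVER" >&2; return 2; }
    domain="${IPA_DOMAIN:-${IPA_HOSTNAME#*.}}"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    # The OTP is single-use and bound to this host entry; it is visible in
    # the process list only for the duration of the install.
    "$IPA_CLIENT_INSTALL" --unattended --hostname="$IPA_HOSTNAME" \
        --server="$IPA_SERVER" --domain="$domain" --realm="$realm" \
        --password="$IPA_OTP"
    unset IPA_OTP   # consumed; keep it out of anything run afterwards
}

# Run the VM side only when the provider handed us an OTP.
if [ -n "${IPA_OTP:-}" ]; then
    enroll_firstboot
fi
```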
[Freeipa-devel] [PATCH] 710 fix test failures
The performance patch depended on self.env.mode != 'production'. env and mode aren't guaranteed to exist in the object so check for those and only skip the work if the mode is explicitly production.

rob

freeipa-rcrit-710-tests.patch
Re: [Freeipa-devel] [PATCH] Moved add dialog into search facet.
On 02/08/2011 05:59 PM, Endi Sukma Dewata wrote:

Previously the add dialog was added into the entity. The dialog is only used by the search facet, so it's now moved into the search facet.

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] admiyo-0191-target-section-without-radio-buttons
On 2/9/2011 7:06 PM, Adam Young wrote:

A few comments:

1. The functionality seems to be working, but the layout is a bit different. Previously the label (e.g. Filter) and the widget (e.g. text field) occupied the same line. Right now they occupy different lines and are not aligned with the labels and widgets above it (e.g. Permission name). I'd like the UXD team to review this change.

2. The jQuery selectors on lines 427, 462, 472 in aci.js are not qualified, so they will be doing a global search. I'd rather store the object reference somewhere and use it directly without searching for it again. For example, line 411 can be changed as follows:
target_type.container = $('<dl/>', {
Then line 427 can be changed as follows:
target_type.container.css('display', 'block');

3. The indentation of the target_types array in aci.js is inconsistent.

4. The IPA.hidden_widget doesn't seem to be used. Should this be removed?

5. For the changes in dialog.js, it's not necessary to check section.reset()'s presence before calling it. All sections will have a reset() function because it's inherited from the base class.

6. For the changes in widget.js, let's do this in a separate patch. We'll combine the create/setup in a more consistent way.

7. There are some jslint warnings.

-- Endi S. Dewata