Re: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split
On 20.02.2017 20:24, Alexander Bokovoy wrote:
> On Sat, 18 Feb 2017, Timo Aaltonen wrote:
>>
>> Hi,
>>
>> So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver,
>> but dcerpc.py imports python-samba which -ipaserver does not depend on.
>> So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad
>> on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that
>> ipa-server-install wants to import adtrustinstance and fails to run if
>> it's not installed.
>>
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-server-install", line 25, in
>>     from ipaserver.install.server import Server
>>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 8, in
>>     from .upgrade import upgrade_check, upgrade
>>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 49, in
>>     from ipaserver.install import adtrustinstance
>> ImportError: cannot import name adtrustinstance
>>
>> So what to do here? I can't remember exactly what problems I hit when
>> everything was in python-ipaserver while testing 4.3.0, but I think they
>> were about the samba stuff.. and don't want to test again without asking
>> first. Should the upgrader stuff be split?
> I think we simply can move ipa_smb_conf_exists() to ipapython or ipalib.
> It only needs to read a config file and check a signature. Signature could be
> moved to constants. Then ipa_smb_conf_exists() can be imported in both
> upgrade tool and in adtrustinstance.
>
> Want to make a PR?

Well, maybe I'll first try moving adtrustinstance/dcerpc stuff back to python-ipaserver and see if something breaks with the current version and then perhaps fix that instead.

t

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split
Hi,

So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, but dcerpc.py imports python-samba which -ipaserver does not depend on. So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that ipa-server-install wants to import adtrustinstance and fails to run if it's not installed.

Traceback (most recent call last):
  File "/usr/sbin/ipa-server-install", line 25, in
    from ipaserver.install.server import Server
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 8, in
    from .upgrade import upgrade_check, upgrade
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 49, in
    from ipaserver.install import adtrustinstance
ImportError: cannot import name adtrustinstance

So what to do here? I can't remember exactly what problems I hit when everything was in python-ipaserver while testing 4.3.0, but I think they were about the samba stuff.. and don't want to test again without asking first. Should the upgrader stuff be split?

--
t
Re: [Freeipa-devel] Design document: Integration Improvements
On 21.11.2016 11:32, Christian Heimes wrote:
> On 2016-11-21 10:26, Jan Cholasta wrote:
>> On 11.11.2016 18:28, Christian Heimes wrote:
>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> I have released the first version of a new design document. It describes
>>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>>>>
>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>
>>>>> Regards,
>>>>> Christian
>>>>
>>>> Hello, I have a few questions:
>>>>
>>>> 1) dynamic platform files
>>>> Currently all RHEL/fedora-derived platforms work with the same rhel/fedora
>>>> packages. How do you want to achieve this with dynamic platform files, do
>>>> you want to keep mappings between platforms and platform file? What about
>>>> distributions that have in /etc/release just mess?
>>>
>>> I don't use /etc/releases but /etc/os-release. There is no mapping
>>> involved. If a distribution has no /etc/os-release or a messed up
>>> /etc/os-release, then it needs to be fixed by the distribution. It's a
>>> common standard and all relevant distributions support this standard.
>>>
>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>>
>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>>
>>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>>> -> ipaplatform.rhel
>>>
>>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>>> ID_LIKE=debian -> error, soon ipaplatform.debian
>>
>> There is more to ipaplatform than /etc/os-release offers. How do you
>> differentiate between e.g. "Debian with SysV init" and "Debian with
>> systemd"?
>
> Timo,
>
> do you support FreeIPA on Debian variants with SysV init?

No, it shouldn't be possible to run it with SysV either because at least 389 depends on systemd and doesn't ship sysvinit scripts.

--
t
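The ID / ID_LIKE lookup that Christian Heimes describes in the thread quoted above, as an added example that is not part of the original messages and is not FreeIPA's code. The function names, the `KNOWN_PLATFORMS` tuple and the sample os-release contents are assumptions built from the values quoted in the thread.

```python
import shlex

# Platform modules this example treats as shipped. "rhel" and "fedora" are the
# ones named in the thread; the tuple itself is an assumption of the example.
KNOWN_PLATFORMS = ("rhel", "fedora")

# Constructed sample files, using only the ID / ID_LIKE values from the thread.
SAMPLES = {
    "rhel": 'NAME="Red Hat Enterprise Linux"\nID=rhel\n',
    "fedora": "NAME=Fedora\nID=fedora\n",
    "centos": 'NAME="CentOS Linux"\nID=centos\nID_LIKE="rhel fedora"\n',
    "raspbian": "# constructed sample\nID=raspbian\nID_LIKE=debian\n",
    "broken": 'ID="centos\nID_LIKE=rhel\n',  # unterminated quote
}


class OsReleaseError(ValueError):
    """Raised for an os-release line that cannot be parsed."""


def parse_os_release(text):
    """Return the KEY=value pairs of os-release content as a dict."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise OsReleaseError("line %d: missing '='" % lineno)
        try:
            # Values use shell-style quoting, e.g. ID_LIKE="rhel fedora".
            parts = shlex.split(value)
        except ValueError as exc:
            raise OsReleaseError("line %d: %s" % (lineno, exc)) from exc
        if len(parts) > 1:
            raise OsReleaseError("line %d: unquoted whitespace" % lineno)
        values[key.strip()] = parts[0] if parts else ""
    return values


def select_platform(os_release, known=KNOWN_PLATFORMS):
    """Pick the platform module: ID first, then each ID_LIKE entry in order.

    Names are only compared against the fixed `known` allowlist, so the
    content of the file never chooses an arbitrary module to import.
    """
    candidates = []
    if os_release.get("ID"):
        candidates.append(os_release["ID"])
    candidates.extend(os_release.get("ID_LIKE", "").split())
    for name in candidates:
        if name in known:
            return "ipaplatform." + name
    raise LookupError("no platform module for %r" % (candidates,))


if __name__ == "__main__":
    for label, text in sorted(SAMPLES.items()):
        try:
            print(label, "->", select_platform(parse_os_release(text)))
        except (OsReleaseError, LookupError) as exc:
            print(label, "-> error:", exc)
```

A messed-up file is rejected rather than guessed at, which matches the position in the thread that such a file has to be fixed by the distribution.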
Re: [Freeipa-devel] Configuring ipa-otpd error when selinux isenable
On 08.11.2016 05:51, 郑磊 wrote:
> The problem is solved. The reason is that the path of ExecStart program
> is incorrect in the /lib/systemd/system/ipa-otpd@.service file. Need to
> make the following changes:
> [Unit]
> Description=ipa-otpd service
>
> [Service]
> EnvironmentFile=/etc/ipa/default.conf
> ExecStart=/usr/lib/ipa-otpd $ldap_uri
> StandardInput=socket
> StandardOutput=socket
> StandardError=syslog
>
> change to
>
> [Unit]
> Description=ipa-otpd service
>
> [Service]
> EnvironmentFile=/etc/ipa/default.conf
> ExecStart=/usr/lib/ipa/ipa-otpd $ldap_uri
> StandardInput=socket
> StandardOutput=socket
> StandardError=syslog
>
> Note: my system is Ubuntu.

this is LP:#1628884 and fixed in 4.3.2-2

--
t
Re: [Freeipa-devel] Heimdal Kerberos support for client
On 13.10.2016 18:56, Petr Spacek wrote:
> On 12.10.2016 20:22, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> Hello list,
>>>
>>> I just noticed that client/configure.ac contains some checks to detect and
>>> support Heimdal Kerberos libraries.
>>>
>>> Was it tested? Does it work? Can I drop it? :-)
>>>
>>
>> Wow, that's some old code.
>>
>> Only Simo would know if it was ever tested or ever worked.
>>
>> I suppose since theoretically the client can be built separately theoretically
>> it might do the right thing in some cases.
>>
>> Seems like enough of a corner case to me that I'd remove it, given it is
>> likely untested these last 9 years or so.
>
> Simo told me on IRC that we could remove it. According to Alexander, Ubuntu is
> building IPA packages against MIT Kerberos so it should be okay.

Yes, everything I've touched uses MIT on Debian/Ubuntu.

--
t
Re: [Freeipa-devel] Build system refactoring - design document
On 07.10.2016 12:56, Petr Spacek wrote:
> Dear FreeIPA developers and packagers,
>
> you can find first version of the Build system refactoring design document on:
> http://www.freeipa.org/page/V4/Build_system_refactoring
>
> If you do not care about implementation details, please be so kind and quickly
> scan through chapter
> http://www.freeipa.org/page/V4/Build_system_refactoring#Feature_Management
>
> I'm not a FreeIPA packager so I might miss some important thing which needs
> to be configurable.
>
>
> Also, I would appreciate ideas how to handle build versioning:
> http://www.freeipa.org/page/V4/Build_system_refactoring#Versioning
>
> My main questions are:
> * What is triggering IPA upgrade?
> * Would it be sufficient to bump release in RPM? (I mean - theoretically.
> Could the code be modified to detect this?)
>
> Here I'm trying to avoid unnecessary rebuilds caused by changes to
> IPA_VENDOR_VERSION during each build.
>
>
> Timo, what can I do to help you with packaging for Ubuntu/Debian?

If you mean build system -wise, there isn't anything that I need, at least if you migrate to autotools which sounds great. This is the debian/rules of the current package, so if you'll have a proper 'make clean' (as suggested already) and a one-pass build then that's pretty much what I'd "need".

https://anonscm.debian.org/cgit/pkg-freeipa/freeipa.git/tree/debian/rules

--
t
Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer
21.04.2016, 20:50, Martin Basti wrote:
>
>
> On 21.04.2016 19:28, Stanislav Laznicka wrote:
>> On 04/21/2016 11:19 AM, Martin Basti wrote:
>>>
>>>
>>> On 20.04.2016 17:27, Martin Basti wrote:
>>>>
>>>>
>>>> On 24.03.2016 14:27, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 24.03.2016 13:55, Jan Cholasta wrote:
>>>>>> On 18.3.2016 23:27, Timo Aaltonen wrote:
>>>>>>> On 17.03.2016 18:36, Martin Basti wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5681
>>>>>>>
>>>>>>> would be nicer if ipa-httpd.conf was a template with the current
>>>>>>> hardcoded values replaced with platform paths..
>>>>>>
>>>>>> +1, I would also prefer if the file was renamed to
>>>>>> init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.
>>>>> ipa-httpd.conf.template should be in /user/share/ipa, directory
>>>>> init/systemd copied only to rpm and then copied to
>>>>> /etc/systemd/system AFAIK
>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> not relevant to this patch, but there are others candidates for
>>>>>>> templates like:
>>>>>>>
>>>>>>> daemons/dnssec/ipa-dnskeysyncd.service
>>>>>>> daemons/dnssec/ipa-ods-exporter.service
>>>>>>> install/conf/ipa.conf
>>>>>>
>>>>>
>>>>
>>>> Updated patch attached, sorry for delay.
>>>>
>>>>
>>> Updated patch attached (fixed unused import).
>>>
>>>
>>
>> Seems to work as expected. However, wouldn't it be better to use
>> installutils.remove_file instead of remove_httpd_service_ipa_conf (or
>> at least log the possible error during os.unlink) to get the same
>> behavior as with the other config files?
>
> It could be, but because I created platform specific method for adding
> httpd service config, it seems natural to me to create inverse operation
> platform specific too.
> I have no strong opinion about this, Timo what might be better, you use
> platform specific code more than we? :)

Well, with this patch in I'd just reuse the methods from RedHatTaskNamespace() just like some others are being used right now. Systemd is all I support anyway.

--
t
Re: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
22.03.2016, 21:10, Timo Aaltonen wrote:
> 18.03.2016, 12:30, Timo Aaltonen wrote:
>>
>> Fix some hardcoded uid/gid strings to help with porting.
>
> rebased and simplified against current master.

bah, the second patch needs to use constants.{ODS_USER,ODS_GROUP} now.

--
t
[Freeipa-devel] [PATCH 0015] use ipaplatform.paths in kdc.conf.template
https://fedorahosted.org/freeipa/ticket/5343 -- t From 5798e8c04e716bc6fad01c8ea87473a1859eea28 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Wed, 23 Mar 2016 00:32:52 +0200 Subject: [PATCH] Fix kdc.conf.template to use ipaplatform.paths. https://fedorahosted.org/freeipa/ticket/5343 --- install/share/kdc.conf.template | 10 +- ipaplatform/base/paths.py| 3 +++ ipaserver/install/krbinstance.py | 7 ++- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 0a51162..296b75b 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -8,10 +8,10 @@ master_key_type = aes256-cts max_life = 7d max_renewable_life = 14d - acl_file = /var/kerberos/krb5kdc/kadm5.acl - dict_file = /usr/share/dict/words + acl_file = $KRB5KDC_KADM5_ACL + dict_file = $DICT_WORDS default_principal_flags = +preauth -; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab - pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem - pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem +; admin_keytab = $KRB5KDC_KADM5_KEYTAB + pkinit_identity = FILE:$KDC_PEM + pkinit_anchors = FILE:$CACERT_PEM } diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 6f5806d..1b79015 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -237,10 +237,13 @@ class BasePathNamespace(object): SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" +DICT_WORDS = "/usr/share/dict/words" CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions" VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/" VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5." CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem" +KRB5KDC_KADM5_ACL = "/var/kerberos/krb5kdc/kadm5.acl" +KRB5KDC_KADM5_KEYTAB = "/var/kerberos/krb5kdc/kadm5.keytab" KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf" KDC_PEM = "/var/kerberos/krb5kdc/kdc.pem" VAR_LIB = "/var/lib" diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 03e3ed8..f560a6e 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -221,7 +221,12 @@ class KrbInstance(service.Service): DOMAIN=self.domain, HOST=self.host, SERVER_ID=installutils.realm_to_serverid(self.realm), - REALM=self.realm) + REALM=self.realm, + KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL, + DICT_WORDS=paths.DICT_WORDS, + KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, + KDC_PEM=paths.KDC_PEM, + CACERT_PEM=paths.CACERT_PEM) # IPA server/KDC is not a subdomain of default domain # Proper domain-realm mapping needs to be specified -- 2.7.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
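Review bot: In the ipaplatform/base/paths.py hunk, the new KRB5KDC_KADM5_ACL and KRB5KDC_KADM5_KEYTAB values repeat the "/var/kerberos/krb5kdc/" prefix that VAR_KERBEROS_KRB5KDC_DIR already defines a few lines above, so a platform that keeps its KDC files elsewhere has to override each of these paths (along with CACERT_PEM, KDC_PEM and KRB5KDC_KDC_CONF) one by one. Please say so in the commit message, or add the platform overrides in the same series, so a port does not end up with a kdc.conf whose acl_file and pkinit entries point at the base-class location. In krbinstance.py the five new sub_dict keys match the five $NAMES used in kdc.conf.template; a test that renders the template and fails on any leftover "$" would keep the two in step.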
Re: [Freeipa-devel] [PATCH 0099] Look up HTTPD_USER's UID and GID during installation.
22.03.2016, 14:36, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/5712

sweet, thanks!

--
t
Re: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
22.03.2016, 19:30, Martin Basti wrote:
>
>
> On 22.03.2016 10:43, Martin Basti wrote:
>>
>>
>> On 18.03.2016 11:53, Christian Heimes wrote:
>>> On 2016-03-18 10:22, Martin Basti wrote:
>>>>
>>>> On 29.02.2016 16:02, David Kupka wrote:
>>>>> Hello Christian,
>>>>> sorry for letting this patch rot for so long. I've forgotten about it
>>>>> the minute Fraser replied.
>>>>> To compensate a little I've fixed pep8 error, rebased it and
>>>>> attaching two versions for master and for 4.3 branch.
>>>>> I haven't found any missing cases and it works for me. If you're OK
>>>>> with the modified patches it can be pushed.
>>>>>
>>>>> David
>>>>>
>>>>> - Original Message -
>>>>> From: "Christian Heimes"
>>>>> To: "Fraser Tweedale"
>>>>> Cc: "freeipa-devel"
>>>>> Sent: Wednesday, January 20, 2016 11:57:42 AM
>>>>> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants
>>>>> for PKI and DS into ipaplatform
>>>>>
>>>>> On 2016-01-20 02:54, Fraser Tweedale wrote:
>>>>>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>>>>>>> ipaplatform.constants has platform specific names for a couple of system
>>>>>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>>>>>>> and DS_GROUP are defined in other modules. Similar to #5587 the patch my
>>>>>>> patch moves the constants into the platform module.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5619
>>>>>> I see a few remaining cases:
>>>>>>
>>>>>> ipaserver/install/dsinstance.py
>>>>>> 712:pent = pwd.getpwnam("dirsrv")
>>>>>>
>>>>>> ipatests/test_integration/test_backup_and_restore.py
>>>>>> 167:self.master.run_command(['userdel', 'dirsrv'])
>>>>>> 168:self.master.run_command(['userdel', 'pkiuser'])
>>>>>>
>>>>>> ipaplatform/redhat/tasks.py
>>>>>> 441:if name == 'pkiuser':
>>>>>>
>>>>>> When these are included, ACK.
>>>>> Good catch!
>>>>>
>>>>> My new patch takes care of remaining cases.
>>>>>
>>>>>
>>>> Christian do you agree with proposed changes, can we push it?
>>>> Martin^2
>>> Oh, the patch is still open? ACK!
>>>
>>>
>> Pushed to ipa-4-3: e3bf65f2df9c50873f0967b96a6a2a5975a87f79
>> Pushed to master: 49be6c8d3cc20902dbe8e92a74e31aed2fd21d9f
>>
> too-late-NACK
>
> This patch broke ipa-restore.
> > please not that 2 modules are imported as same name in ipa_restore.py > from ipalib import api, errors, constants > from ipaplatform.constants import constants > > 2016-03-22T16:56:27Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", > line 218, in run > self.backup_dir, constants.FQDN) this should fix it -- t From d161e7ad51c90be6643a2851d5d21e1ae8a375dd Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Tue, 22 Mar 2016 21:05:39 +0200 Subject: [PATCH] ipa_restore: Import only FQDN from ipalib.constants --- ipaserver/install/ipa_restore.py | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 214409e..2656536 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -27,7 +27,8 @@ import itertools from six.moves.configparser import SafeConfigParser -from ipalib import api, errors, constants +from ipalib import api, errors +from ipalib.constants import FQDN from ipapython import version, ipautil, certdb from ipapython.ipautil import run, user_input from ipapython import admintool @@ -215,7 +216,7 @@ class Restore(admintool.AdminTool): self.backup_dir = os.path.join(paths.IPA_BACKUP_DIR, self.backup_dir) self.log.info("Preparing restore from %s on %s", - self.backup_dir, constants.FQDN) + self.backup_dir, FQDN) self.header = os.path.join(self.backup_dir, 'header') 
@@ -278,10 +279,10 @@ class Restore(admintool.AdminTool): self.log.info("Performing %s restore from %s backup" % (restore_type, self.backup_type)) -if self.backup_host != constants.FQDN: +if self.backup_host != FQDN: raise admintool.ScriptError( "Host name %s does not match backup name %s" % -(constants.FQDN, self.backup_host)) +(FQDN, self.backup_host)) if self.backup_ipa_version != str(version.VERSION): self.log.warning( -- 2.7.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
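Review bot: The commit message for the ipa_restore.py import change (first hunk, `from ipalib.constants import FQDN`) gives no reason for narrowing the import. Please state that the name `constants` was bound twice in this module, once by `from ipalib import api, errors, constants` and once by `from ipaplatform.constants import constants`, and reference the commits that introduced the second import (49be6c8d3cc2 on master, e3bf65f2df9c on ipa-4-3), so the fix is picked up on both branches. The three FQDN call sites in the other two hunks are converted consistently.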
Re: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
18.03.2016, 12:30, Timo Aaltonen kirjoitti: > > Fix some hardcoded uid/gid strings to help with porting. rebased and simplified against current master. -- t From 424d3cf28f92a624b9970701a341dfa26370f616 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Fri, 18 Mar 2016 12:22:33 +0200 Subject: [PATCH] ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. --- install/oddjob/com.redhat.idm.trust-fetch-domains | 3 ++- ipaplatform/base/constants.py | 5 + ipaplatform/base/services.py | 12 --- ipaplatform/redhat/services.py| 26 --- ipaserver/install/bindinstance.py | 2 +- ipaserver/install/dns.py | 4 ++-- ipaserver/install/dnskeysyncinstance.py | 9 ipaserver/install/dogtaginstance.py | 1 - ipaserver/install/httpinstance.py | 2 +- ipaserver/install/odsexporterinstance.py | 5 +++-- ipaserver/install/opendnssecinstance.py | 15 +++-- 11 files changed, 27 insertions(+), 57 deletions(-) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index 6e8bfc6..7c70c41 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -8,6 +8,7 @@ from ipapython.dn import DN from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG from ipapython.ipautil import kinit_keytab +from ipaplatform.constants import constants import sys import os import pwd @@ -31,7 +32,7 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): raiseonerr=False) # Make sure SSSD is able to read the keytab try: -sssd = pwd.getpwnam('sssd') +sssd = pwd.getpwnam(constants.SSSD_USER) os.chown(oneway_keytab_name, sssd[2], sssd[3]) except KeyError as e: # If user 'sssd' does not exist, we don't need to chown from root to sssd 
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 52af124..3e1c4c6 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -12,12 +12,17 @@ class BaseConstantsNamespace(object): DS_GROUP = 'dirsrv' HTTPD_USER = "apache" IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" +KDCPROXY_USER = "kdcproxy" NAMED_USER = "named" +NAMED_GROUP = "named" PKI_USER = 'pkiuser' PKI_GROUP = 'pkiuser' # ntpd init variable used for daemon options NTPD_OPTS_VAR = "OPTIONS" # quote used for daemon options NTPD_OPTS_QUOTE = "\"" +ODS_USER = "ods" +ODS_GROUP = "ods" # nfsd init variable used to enable kerberized NFS SECURE_NFS_VAR = "SECURE_NFS" +SSSD_USER = "sssd" diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py index 11d0c2a..641a654 100644 --- a/ipaplatform/base/services.py +++ b/ipaplatform/base/services.py @@ -181,18 +181,6 @@ class PlatformService(object): def get_config_dir(self, instance_name=""): return -def get_user_name(self, instance_name=""): -return - -def get_group_name(self, instance_name=""): -return - -def get_binary_path(self): -return - -def get_package_name(self): -return - class SystemdService(PlatformService): SYSTEMD_SRV_TARGET = "%s.target.wants" diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 3c18dbc..92dae45 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -223,28 +223,6 @@ class RedHatCAService(RedHatService): self.wait_until_running() -class RedHatNamedService(RedHatService): -def get_user_name(self): -return u'named' - -def get_group_name(self): -return u'named' - -def get_binary_path(self): -return paths.NAMED_PKCS11 - -def get_package_name(self): -return u"bind-pkcs11" - - -class RedHatODSEnforcerdService(RedHatService): -def get_user_name(self): -return u'ods' - -def get_group_name(self): -return u'ods' - - # Function that constructs proper Red Hat OS family-specific server classes for # services of specified name 
@@ -257,10 +235,6 @@ def redhat_service_class_factory(name): return RedHatSSHService(name) if name in ('pki-tomcatd', 'pki_tomcatd'): return RedHatCAService(name) -if name ==
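Review bot: In the ipaplatform/redhat/services.py hunk, deleting RedHatNamedService also deletes get_binary_path() (paths.NAMED_PKCS11) and get_package_name() ("bind-pkcs11"), and the ipaplatform/base/constants.py hunk adds no replacement for either; only user and group names get constants. Please confirm that every caller of these two methods is converted in this patch (bindinstance.py and dns.py are in the diffstat), because the base-class stubs in ipaplatform/base/services.py are removed as well and a leftover call would now raise AttributeError. Smaller point: in com.redhat.idm.trust-fetch-domains the comment under `except KeyError` still names user 'sssd' literally while the lookup now goes through constants.SSSD_USER.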
Re: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
18.03.2016, 09:45, Jan Cholasta wrote:
> On 18.3.2016 05:16, Timo Aaltonen wrote:
>> 07.01.2016, 10:50, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>
>>> Combined with my patch 536 [1], this makes ipapython architecture
>>> independent.
>>
>> don't know why it works for you, but ipa-ods-exporter and
>> ipa-dnskeysync-replica both still try to import _ipap11helper, which
>> fails:
>>
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: Traceback (most recent call last):
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: File "/usr/lib/ipa/ipa-ods-exporter", line 4
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: import _ipap11helper
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: ImportError: No module named _ipap11helper
>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited
>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
>> maalis 18 05:46:47 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Service hold-off time over, sche
>> maalis 18 05:46:47 trusty.tyrell systemd[1]: Stopped IPA OpenDNSSEC Signer replacement.
>>
>> dropping the import makes it work again here.. this is with fairly
>> current ipa-4-3 branch.
>
> Patch attached.
>
> Pylint does not detect this obvious error for some reason.

can't beat git grep :)

I've tested with essentially the same patch, so it works.

--
t
Re: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
07.01.2016, 10:50, Jan Cholasta wrote:
> Hi,
>
> the attached patch ports the _ipap11helper module to python-cffi.
>
> Combined with my patch 536 [1], this makes ipapython architecture
> independent.

don't know why it works for you, but ipa-ods-exporter and ipa-dnskeysync-replica both still try to import _ipap11helper, which fails:

maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: Traceback (most recent call last):
maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: File "/usr/lib/ipa/ipa-ods-exporter", line 4
maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: import _ipap11helper
maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: ImportError: No module named _ipap11helper
maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited
maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
maalis 18 05:46:47 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Service hold-off time over, sche
maalis 18 05:46:47 trusty.tyrell systemd[1]: Stopped IPA OpenDNSSEC Signer replacement.

dropping the import makes it work again here.. this is with fairly current ipa-4-3 branch.

--
t
[Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
Fix some hardcoded uid/gid strings to help with porting. -- t From aa2d433b3dbadd94a2ed84909335f54fea91ce2c Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Fri, 18 Mar 2016 12:22:33 +0200 Subject: [PATCH 1/2] ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. --- install/oddjob/com.redhat.idm.trust-fetch-domains | 5 - install/share/copy-schema-to-ca.py| 6 -- ipaplatform/base/constants.py | 8 +++ ipaplatform/base/services.py | 12 --- ipaplatform/redhat/services.py| 26 --- ipaserver/install/bindinstance.py | 5 +++-- ipaserver/install/cainstance.py | 6 -- ipaserver/install/certs.py| 3 ++- ipaserver/install/dns.py | 6 -- ipaserver/install/dnskeysyncinstance.py | 13 ipaserver/install/dogtaginstance.py | 1 - ipaserver/install/dsinstance.py | 18 ipaserver/install/httpinstance.py | 2 +- ipaserver/install/ipa_backup.py | 7 +++--- ipaserver/install/ipa_restore.py | 9 +--- ipaserver/install/ipa_server_certinstall.py | 3 ++- ipaserver/install/krainstance.py | 5 - ipaserver/install/krbinstance.py | 7 -- ipaserver/install/odsexporterinstance.py | 9 +--- ipaserver/install/opendnssecinstance.py | 19 +++-- ipaserver/install/server/upgrade.py | 6 -- 21 files changed, 91 insertions(+), 85 deletions(-) diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index ea82e08..3b84b78 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -8,6 +8,7 @@ from ipapython.dn import DN from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG from ipapython.ipautil import kinit_keytab +from ipaplatform.constants import constants import sys import os, pwd 
@@ -17,6 +18,8 @@ import gssapi if six.PY3: unicode = str +SSSD_USER = constants.SSSD_USER + def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): getkeytab_args = ["/usr/sbin/ipa-getkeytab", "-s", api.env.host, @@ -30,7 +33,7 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal): raiseonerr=False) # Make sure SSSD is able to read the keytab try: -sssd = pwd.getpwnam('sssd') +sssd = pwd.getpwnam(SSSD_USER) os.chown(oneway_keytab_name, sssd[2], sssd[3]) except KeyError as e: # If user 'sssd' does not exist, we don't need to chown from root to sssd diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py index 10fd3d7..e5df93d 100755 --- a/install/share/copy-schema-to-ca.py +++ b/install/share/copy-schema-to-ca.py @@ -19,9 +19,9 @@ from hashlib import sha1 from ipapython import ipautil from ipapython.ipa_log_manager import root_logger, standard_logging_setup -from ipaserver.install.dsinstance import DS_USER, schema_dirname -from ipaserver.install.cainstance import PKI_USER +from ipaserver.install.dsinstance import schema_dirname from ipalib import api +from ipaplatform.constants import constants try: from ipaplatform import services @@ -43,6 +43,8 @@ SCHEMA_FILENAMES = ( "05rfc2247.ldif", ) +DS_USER = constants.DS_USER +PKI_USER = constants.PKI_USER def _sha1_file(filename): with open(filename, 'rb') as f: diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 50f8a3e..7154b28 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py 
@@ -8,12 +8,20 @@ This base platform module exports platform dependant constants. class BaseConstantsNamespace(object): +DS_USER = "dirsrv" +DS_GROUP = "dirsrv" HTTPD_USER = "apache" IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" +KDCPROXY_USER = "kdcproxy" NAMED_USER = "named" +NAMED_GROUP = "named" # ntpd init variable used for daemon options NTPD_OPTS_VAR = "OPTIONS" # quote used for daemon options NTPD_OPTS_QUOTE = "\"" +ODS_USER = "ods" +ODS_GROUP = "ods" +PKI_USER = "pkiuser" # nfsd init variable used to enable kerberized NFS SECURE_NFS_VAR = "SECURE_NFS" +SSSD_USER = "sssd" diff --git a/ipaplatform/base/ser
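Review bot: In the ipaplatform/base/constants.py hunk, PKI_USER is added without a PKI_GROUP, while DS, NAMED and ODS each get a USER/GROUP pair; add the group constant as well so callers that chown to the PKI group do not keep a hardcoded string. Separately, the module-level aliases `SSSD_USER = constants.SSSD_USER` in com.redhat.idm.trust-fetch-domains and `DS_USER = constants.DS_USER` / `PKI_USER = constants.PKI_USER` in copy-schema-to-ca.py give the same value a second name; referring to constants.SSSD_USER and friends at the point of use keeps a single source for these account names.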
Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer
On 17.03.2016 18:36, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5681

would be nicer if ipa-httpd.conf was a template with the current hardcoded values replaced with platform paths..

not relevant to this patch, but there are other candidates for templates like:

daemons/dnssec/ipa-dnskeysyncd.service
daemons/dnssec/ipa-ods-exporter.service
install/conf/ipa.conf
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
18.02.2016, 18:51, Timo Aaltonen wrote:
> 18.02.2016, 18:41, Timo Aaltonen wrote:
>> 18.02.2016, 13:33, Martin Kosek wrote:
>>> On 02/18/2016 10:10 AM, David Kupka wrote:
>>>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>>>> From: Timo Aaltonen
>>>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>>>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>>>
>>>> The scripts in this directory are simple python scripts, nothing
>>>> arch-specific
>>>> in them. Having them under libexec would simplify the code a bit too, since
>>>> there would be no need to worry about lib vs lib64 (which also cause
>>>> trouble
>>>> on Debian).
>>>
>>> Isn't this the patch which moves our scripts in different location and thus
>>> breaks existing certmonger tracking requests *after upgrade*?
>>
>> Yes, there are two solutions that I can think of
>>
>> - add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
>> - modify existing tracking requests to use the new path
>>
>> the first might suffice with a transition period?
>
> also, I assumed certmonger would move its own scripts.. if not, just
> symlink the ipa ones not the whole dir.

Riiight, especially as the certmonger helpers are native binaries, so those won't move :)

I hope to continue on porting 4.3 soon and revisit this again..

--
t
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
18.02.2016, 18:41, Timo Aaltonen wrote:
> 18.02.2016, 13:33, Martin Kosek wrote:
>> On 02/18/2016 10:10 AM, David Kupka wrote:
>>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>>> From: Timo Aaltonen
>>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>>
>>> The scripts in this directory are simple python scripts, nothing
>>> arch-specific
>>> in them. Having them under libexec would simplify the code a bit too, since
>>> there would be no need to worry about lib vs lib64 (which also cause trouble
>>> on Debian).
>>
>> Isn't this the patch which moves our scripts in different location and thus
>> breaks existing certmonger tracking requests *after upgrade*?
>
> Yes, there are two solutions that I can think of
>
> - add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
> - modify existing tracking requests to use the new path
>
> the first might suffice with a transition period?

also, I assumed certmonger would move its own scripts.. if not, just symlink the ipa ones not the whole dir.

--
t
Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.
18.02.2016, 13:33, Martin Kosek wrote:
> On 02/18/2016 10:10 AM, David Kupka wrote:
>> From 9952937f207f9a0afae8211276f1b7d7e762fd4e Mon Sep 17 00:00:00 2001
>> From: Timo Aaltonen
>> Date: Tue, 19 Jan 2016 12:37:56 +0100
>> Subject: [PATCH] Move freeipa certmonger helpers to libexecdir.
>>
>> The scripts in this directory are simple python scripts, nothing
>> arch-specific
>> in them. Having them under libexec would simplify the code a bit too, since
>> there would be no need to worry about lib vs lib64 (which also cause trouble
>> on Debian).
>
> Isn't this the patch which moves our scripts in different location and thus
> breaks existing certmonger tracking requests *after upgrade*?

Yes, there are two solutions that I can think of

- add symlinks /usr/lib{,64}/certmonger -> /usr/libexec/certmonger
- modify existing tracking requests to use the new path

the first might suffice with a transition period?

--
t
Re: [Freeipa-devel] [PATCH 0006-0010] Low hanging fruit for #5343 -- platform abstractions
On 07.10.2015 17:26, Martin Basti wrote: > thanks comments inline Hey, I hope these versions address the issues in the first batch.. -- t commit 8fd0109b13eb87db2cfd22fe412e3adc4c0db9c3 Author: Timo Aaltonen Date: Tue Oct 6 16:02:37 2015 +0300 ipaplatform: Add HTTPD_USER to constants, and use it. diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index cef829e..3f78822 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -8,4 +8,5 @@ This base platform module exports platform dependant constants. class BaseConstantsNamespace(object): +HTTPD_USER = "apache" IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c478881..6deaef5 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -48,6 +48,7 @@ from ipalib import pkcs10, x509 from ipalib import errors from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaplatform.tasks import tasks @@ -1103,7 +1104,7 @@ class CAInstance(DogtagInstance): os.chmod(self.ra_agent_db + "/key3.db", 0o640) os.chmod(self.ra_agent_db + "/secmod.db", 0o640) -pent = pwd.getpwnam("apache") +pent = pwd.getpwnam(constants.HTTPD_USER) os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid ) os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid ) os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid ) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 3e07ee3..f321561 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -42,6 +42,7 @@ from ipalib import pkcs10, x509, api from ipalib.errors import CertificateOperationError from ipalib.text import _ from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths # Apache needs access to this database so we need to create it 
@@ -518,8 +519,7 @@ class CertDB(object): f.write(pwdfile.read()) f.close() pwdfile.close() -# TODO: replace explicit uid by a platform-specific one -self.set_perms(self.pwd_conf, uid="apache") +self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER) def find_root_cert(self, nickname): """ diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index ee4853a..a7fdfb1 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -41,6 +41,7 @@ import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api from ipalib import errors +from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths from ipaplatform import services @@ -52,7 +53,7 @@ SELINUX_BOOLEAN_SETTINGS = dict( ) KDCPROXY_USER = 'kdcproxy' - +HTTPD_USER = constants.HTTPD_USER def httpd_443_configured(): """ @@ -188,14 +189,14 @@ class HTTPInstance(service.Service): self.move_service(self.principal) self.add_cert_to_service() -pent = pwd.getpwnam("apache") +pent = pwd.getpwnam(HTTPD_USER) os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid) def remove_httpd_ccache(self): # Clean up existing ccache # Make sure that empty env is passed to avoid passing KRB5CCNAME from # current env -ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={}) +ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) def __configure_http(self): target_fname = paths.HTTPD_IPA_CONF @@ -324,7 +325,7 @@ class HTTPInstance(service.Service): os.chmod(certs.NSS_DIR + "/secmod.db", 0o660) os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660) -pent = pwd.getpwnam("apache") +pent = pwd.getpwnam(HTTPD_USER) os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid ) os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid ) os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid ) 
@@ -493,7 +494,7 @@ class HTTPInstance(service.Service): pass # Remove the ccache file for the HTTPD service -ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas='apache', +ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas=HTTPD_USER, raiseonerr=False) # Remove the configuration files we create diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index e90b2ab..
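Review bot: In the remove_httpd_ccache hunk of ipaserver/install/httpinstance.py the changed line still runs a bare 'kdestroy', while the later hunk in the same file already uses `paths.KDESTROY`. Since the line is being touched anyway, make it `[paths.KDESTROY, '-A']` so the command executed as HTTPD_USER is always the platform's absolute path.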
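Review bot: In the httpinstance.py hunk at line 52 the blank line after `KDCPROXY_USER = 'kdcproxy'` is replaced by `HTTPD_USER = constants.HTTPD_USER`, which leaves a single blank line before `def httpd_443_configured()`; keep two. cainstance.py and certs.py in this same patch use `constants.HTTPD_USER` directly, so either drop the module-level alias here or use the same form in all files.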
[Freeipa-devel] [PATCH 0006-0010] Low hanging fruit for #5343 -- platform abstractions
Hi So here's the first batch of quick patches for ticket #5343. They're only compile-tested so far (so no stupid mistakes I hope), as I don't have 4.2+ working yet. Wonder how the quotes in the last patch work, but at least make-lint didn't laugh too hard.. -- t From 15b30829c53a7e02ddc997c17559d755b751c9d6 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Tue, 6 Oct 2015 16:02:37 +0300 Subject: [PATCH 1/2] ipaplatform: Add HTTPD_USER to constants https://fedorahosted.org/freeipa/ticket/5343 --- ipaplatform/base/constants.py | 1 + ipaserver/install/cainstance.py | 3 ++- ipaserver/install/certs.py | 3 ++- ipaserver/install/httpinstance.py | 11 ++- ipaserver/install/ipa_server_certinstall.py | 3 ++- 5 files changed, 13 insertions(+), 8 deletions(-) diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index cef829e2d3886db00ae6d0299ddcf325d1add80e..3f78822f99d9fbe815901301f4e6855105e73eea 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -8,4 +8,5 @@ This base platform module exports platform dependant constants. class BaseConstantsNamespace(object): +HTTPD_USER = "apache" IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c4788816ab702e9409c9bc44a91fcbd95dce018d..6deaef57c025cb55da9fcaf7620a54565f6701c7 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -48,6 +48,7 @@ from ipalib import pkcs10, x509 from ipalib import errors from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaplatform.tasks import tasks 
@@ -1103,7 +1104,7 @@ class CAInstance(DogtagInstance): os.chmod(self.ra_agent_db + "/key3.db", 0o640) os.chmod(self.ra_agent_db + "/secmod.db", 0o640) -pent = pwd.getpwnam("apache") +pent = pwd.getpwnam(constants.HTTPD_USER) os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid ) os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid ) os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid ) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 3e07ee398fa47beb02f54940a0246d58ae2267ae..d85344ede993840845af63c377525699425a9382 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -42,6 +42,7 @@ from ipalib import pkcs10, x509, api from ipalib.errors import CertificateOperationError from ipalib.text import _ from ipaplatform import services +from ipaplatform.constants import constants from ipaplatform.paths import paths # Apache needs access to this database so we need to create it @@ -519,7 +520,7 @@ class CertDB(object): f.close() pwdfile.close() # TODO: replace explicit uid by a platform-specific one -self.set_perms(self.pwd_conf, uid="apache") +self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER) def find_root_cert(self, nickname): """ diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index ee4853a3f9a8a42bd050fd8b208fc2419c323512..a7fdfb1a21a8c62f57503cfaca68b30e4f26244f 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -41,6 +41,7 @@ import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api from ipalib import errors +from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths from ipaplatform import services @@ -52,7 +53,7 @@ SELINUX_BOOLEAN_SETTINGS = dict( ) KDCPROXY_USER = 'kdcproxy' - +HTTPD_USER = constants.HTTPD_USER def httpd_443_configured(): """ 
@@ -188,14 +189,14 @@ class HTTPInstance(service.Service): self.move_service(self.principal) self.add_cert_to_service() -pent = pwd.getpwnam("apache") +pent = pwd.getpwnam(HTTPD_USER) os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid) def remove_httpd_ccache(self): # Clean up existing ccache # Make sure that empty env is passed to avoid passing KRB5CCNAME from # current env -ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={}) +ipautil.run(['kdestroy', '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) def __configure_http(self): target_fname = paths.HTTPD_IPA_CONF @@ -324,7 +325,7 @@ class HTTPInstance(service.Service): os.chmod(certs.NSS_DIR + "/secmod.db", 0o660) os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660) -pent = pwd.getpwnam("apache") +pent = pw
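Review bot: In the CertDB hunk of ipaserver/install/certs.py the context line "# TODO: replace explicit uid by a platform-specific one" is left in place directly above `self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)`, which is exactly what the TODO asks for. Remove the comment in the same change so the file does not keep advertising work that is already done.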
[Freeipa-devel] Remaining issues before adding Debian platform support
Hi

I'm not sure if the goal is to be able to build IPA on Debian from git/tarballs, but here's a list of what would need to be fixed first to get there:

- places where usernames have been hardcoded need something like ipaplatform/base/paths.py:
  apache -> www-data in:
  * ipaserver/install/httpinstance.py
  * ipaserver/install/ipa_server_certinstall.py
  * ipaserver/install/cainstance.py
  * ipaserver/install/certs.py
  named -> bind in:
  * ipaserver/install/bindinstance.py

- config/service files that use hardcoded paths in them need to be moved to a template, and use paths.py macros:
  * install/conf/ipa.conf
  * init/systemd/ipa_memcached.service

- same but with hardcoded usernames
  * init/ipa_memcached.conf

- ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss" because libapache2-mod-nss doesn't enable it on install (can't remember why, but there was a good reason..)

- various places using Fedora-specific libpaths (/usr/lib vs. /usr/lib64), whereas on Debian these are /usr/lib/, see https://wiki.debian.org/Multiarch/Tuples
  * ipaserver/install/ldapupdate.py
  * ipapython/certmonger.py
  * ipaserver/install/certs.py
  * ipaserver/install/ipa_backup.py
  * ipaserver/install/ipa_restore.py

- ntp daemon defaults use a different variable name (OPTIONS vs NTPD_OPTS), and quotes (" vs. ')
  * ipaserver/install/ntpinstance.py

- "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have 'conf.d' on Fedora and then conf-enabled on Debian

- install/share/bind.named.conf.template needs to drop the default zone on Debian, since that's already configured via includes (-> bind fails to start), so a template file with an exception for Debian would fix it

- Makefile needs to use --install-layout=deb for setup.py

- ipa-client/ipa-install/ipa-client-automount needs to check for variable named 'NEED_GSSD' on Debian, so ipaplatform/base/vars.py? (same for NTPD_OPTS)

There.. that should be all I think :)

Oh, forgot that currently dnssec needs to be disabled by some heavy patching, because 9.10.x isn't packaged yet..

--
t
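The hardcoded-username items in the message above can be located mechanically. The following is an added example, not part of the original message or of FreeIPA: an `ast`-based checker for the three call shapes the HTTPD_USER patches in this thread replace (`pwd.getpwnam("...")`, `runas="..."`, `uid="..."`). The function names, the report format and the SAMPLE source are assumptions made for illustration; the constant names and values are the ones shown in the ipaplatform/base/constants.py hunks on this page.

```python
import ast


class BaseConstantsNamespace(object):
    """Account names copied from the constants.py hunks in this thread."""
    DS_USER = "dirsrv"
    HTTPD_USER = "apache"
    KDCPROXY_USER = "kdcproxy"
    NAMED_USER = "named"
    ODS_USER = "ods"
    PKI_USER = "pkiuser"
    SSSD_USER = "sssd"


# Keyword arguments that carry an account name in the patched calls:
# ipautil.run(..., runas=...) and set_perms(..., uid=...).
USER_KEYWORDS = {"runas", "uid"}

# Constructed sample input, modelled on the lines the patches touch.
SAMPLE = '''\
import os
import pwd
from ipaplatform.constants import constants

def fix_keytab(path):
    pent = pwd.getpwnam("apache")
    os.chown(path, pent.pw_uid, pent.pw_gid)

def destroy_ccache(run):
    run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})

def ported(run, set_perms, conf):
    pent = pwd.getpwnam(constants.HTTPD_USER)
    set_perms(conf, uid=constants.HTTPD_USER)
    set_perms(conf, uid="named")
    run(['true'], runas="memcached")
    os.chown(conf, 0, pent.pw_gid)
'''


def _literal_str(node):
    """Return the value of a plain string literal, or None for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _is_getpwnam(func):
    """True for pwd.getpwnam(...) and for a bare getpwnam(...) import."""
    if isinstance(func, ast.Attribute):
        return func.attr == "getpwnam"
    return isinstance(func, ast.Name) and func.id == "getpwnam"


def find_hardcoded_accounts(source, filename="<source>"):
    """Return sorted (line, where, account) tuples for literal account names.

    Names passed as variables or as constants.X are not literals and are
    therefore not reported; numeric uids such as os.chown(path, 0, gid)
    are ignored as well.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        if _is_getpwnam(node.func) and node.args:
            name = _literal_str(node.args[0])
            if name is not None:
                findings.append((node.args[0].lineno, "pwd.getpwnam()", name))
        for kw in node.keywords:
            if kw.arg in USER_KEYWORDS:
                name = _literal_str(kw.value)
                if name is not None:
                    findings.append((kw.value.lineno, kw.arg + "=", name))
    return sorted(findings)


def suggest_constants(findings, namespace=BaseConstantsNamespace):
    """Pair each finding with the constant that already holds that name."""
    by_value = {value: name for name, value in vars(namespace).items()
                if name.isupper() and isinstance(value, str)}
    report = []
    for lineno, where, account in findings:
        const = by_value.get(account)
        fix = "constants." + const if const else "no constant defined yet"
        report.append("line %d: %r in %s -> %s" % (lineno, account, where, fix))
    return report


if __name__ == "__main__":
    for line in suggest_constants(find_hardcoded_accounts(SAMPLE)):
        print(line)
```

Findings that map to no constant (the constructed `memcached` case here) mark the places where the platform namespace itself still needs a new entry before the call site can be ported.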
Re: [Freeipa-devel] [PATCHES] from Debian
On 05.10.2015 16:08, Timo Aaltonen wrote: > > Hi > > Here are a few prep patches to get off the list before getting to > discuss how to add Debian platform support.. Here's one more. -- t From 65df37b7b31c0689e452112130236c3fe43971a2 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Mon, 5 Oct 2015 17:37:49 +0300 Subject: [PATCH] httpinstance: Replace a hardcoded path to password.conf with HTTPD_PASSWORD_CONF --- ipaserver/install/httpinstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 4269d3697c1fb17ddb4b3c69a1b41c51c9daf713..ee4853a3f9a8a42bd050fd8b208fc2419c323512 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -244,7 +244,7 @@ class HTTPInstance(service.Service): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) def __set_mod_nss_passwordfile(self): -installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') +installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF) def __add_include(self): """This should run after __set_mod_nss_port so is already backed up""" -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
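Review bot: The diffstat lists only ipaserver/install/httpinstance.py, so `paths.HTTPD_PASSWORD_CONF` used in the __set_mod_nss_passwordfile hunk must already be defined in ipaplatform; say so in the commit message, since a missing attribute would only surface as an AttributeError when the installer reaches this step. The new `installutils.set_directive(...)` line is also far longer than the removed one was allowed to stay, and could be wrapped after the 'NSSPassPhraseDialog' argument.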
Re: [Freeipa-devel] [PATCHES] from Debian
On 05.10.2015 16:37, Martin Basti wrote: > > > On 10/05/2015 03:31 PM, Simo Sorce wrote: >> On 05/10/15 09:08, Timo Aaltonen wrote: >>> >>> Hi >>> >>>Here are a few prep patches to get off the list before getting to >>> discuss how to add Debian platform support.. >>> >> >> LGTM. >> >> Simo. >> >> > > IMO this should be written in this way (I didn't test) > > ipautil.run([paths.GENERATE_RNDC_KEY]) Yes you're right, here's an updated version. -- t From 49f2158b4be10b3e82392eda55909f94ee581c1a Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Sat, 3 Oct 2015 11:40:15 +0300 Subject: [PATCH] paths: Add GENERATE_RNDC_KEY. --- ipaplatform/base/paths.py | 1 + ipaserver/install/bindinstance.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index a272143d0053451c017c0df613951cc0e6d52c54..0d2c4c17769ef643ba2d6c9991d910cf6e00858d 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -210,6 +210,7 @@ class BasePathNamespace(object): DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard" +GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh" IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica" IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd" IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter" diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 771f13b00e37a6bf510ff46fe880240c84356761..9a9ef1af8a7b1cf438994489c895aec37102547b 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
@@ -1002,7 +1002,7 @@ class BindInstance(service.Service): def __generate_rndc_key(self): installutils.check_entropy() -ipautil.run(['/usr/libexec/generate-rndc-key.sh']) +ipautil.run([paths.GENERATE_RNDC_KEY]) def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name, reverse_zones, ntp=False, ca_configured=None): -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCHES] from Debian
Hi Here are a few prep patches to get off the list before getting to discuss how to add Debian platform support.. From 49f2158b4be10b3e82392eda55909f94ee581c1a Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Sat, 3 Oct 2015 11:40:15 +0300 Subject: [PATCH] paths: Add GENERATE_RNDC_KEY. --- ipaplatform/base/paths.py | 1 + ipaserver/install/bindinstance.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index a272143d0053451c017c0df613951cc0e6d52c54..0d2c4c17769ef643ba2d6c9991d910cf6e00858d 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -210,6 +210,7 @@ class BasePathNamespace(object): DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard" +GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh" IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica" IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd" IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter" diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 771f13b00e37a6bf510ff46fe880240c84356761..9a9ef1af8a7b1cf438994489c895aec37102547b 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -1002,7 +1002,7 @@ class BindInstance(service.Service): def __generate_rndc_key(self): installutils.check_entropy() -ipautil.run(['/usr/libexec/generate-rndc-key.sh']) +ipautil.run(paths.GENERATE_RNDC_KEY) def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name, reverse_zones, ntp=False, ca_configured=None): -- 2.5.0 From 9fc6a372c37d5fa0c514de49d262d26130b6bb5c Mon Sep 17 00:00:00 2001 
From: Benjamin Drung Date: Mon, 5 Oct 2015 15:41:30 +0300 Subject: [PATCH] Fix hyphen-used-as-minus-sign warning (found by lintian) See https://lintian.debian.org/tags/hyphen-used-as-minus-sign.html for an explanation. --- install/tools/man/ipa-adtrust-install.1 | 2 +- install/tools/man/ipa-replica-conncheck.1 | 6 +++--- install/tools/man/ipa-server-install.1| 2 +- ipatests/man/ipa-test-config.1| 4 ++-- ipatests/man/ipa-test-task.1 | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 2658f1957d1161963bf6af75e5a086a01b95c52f..06378b5983e55bb6c34971b0f5129246f9f14fd3 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -117,7 +117,7 @@ The name of the user with administrative privileges for this IPA server. Default \fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified. .TP -The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command. +The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command. .TP \fB\-\-enable\-compat\fR Enables support for trusted domains users for old clients through Schema Compatibility plugin. diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1 index 566322cf035bbb51d1ba8b14166a1b61375015da..e948d7919c772305ef2f0b5b7b50de2b908ff9e0 100644 
--- a/install/tools/man/ipa-replica-conncheck.1 +++ b/install/tools/man/ipa-replica-conncheck.1 @@ -70,13 +70,13 @@ Output only errors .SH "EXAMPLES" .TP -\fBipa-replica-conncheck -m master.example.com\fR +\fBipa\-replica\-conncheck \-m master.example.com\fR Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica. .TP -\fBipa-replica-conncheck -R replica.example.com\fR +\fBipa\-replica\-conncheck \-R replica.example.com\fR Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-co
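Review bot: In the bindinstance.py hunk of the first patch (paths: Add GENERATE_RNDC_KEY), `ipautil.run(paths.GENERATE_RNDC_KEY)` passes a bare string where the removed line passed a one-element list. Keep the list form, `ipautil.run([paths.GENERATE_RNDC_KEY])`, so the argument type handed to ipautil.run does not change along with the path.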
Re: [Freeipa-devel] issues with Debian port
On 24.10.2014 11:19, Petr Vobornik wrote:
> On 23.10.2014 23:38, Timo Aaltonen wrote:
>>
>>
>> Oh and the web UI is blank when I try it. Does the client install fail
>> have
>> something to do with it?
>>
>
> Client install fail should not affect displaying of Web UI.
>
> What do you mean by blank?
> Are Web UI files downloaded?
> Is there a JavaScript error?
>
> Can be checked in browser developer tools, in console and network tab.
>
> Web UI debugging help:
> https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging

The debugging hint was key, I've now gone back to using embedded dojo/jquery instead of linking to system versions which didn't work because the apache config didn't allow accessing them.

and the UI is looking rather nice ;)

--
t

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] issues with Debian port
On 24.10.2014 00:47, Alexander Bokovoy wrote:
> On Fri, 24 Oct 2014, Timo Aaltonen wrote:
> Since dirsrv@.service is instance-based, when instance is missing we
> rewrite dirsrv@.service to be dirsrv.target. This means 'start whatever
> is requiring this synchronization point'. Enabling instances of dirsrv
> means they are symlinked as dependencies on dirsrv.target:
>
> # ls -l /etc/systemd/system/dirsrv.target.wants/
> total 0
> lrwxrwxrwx. 1 root root 39 Oct 20 17:56 dirsrv@IPACLOUD-TEST.service ->
> /usr/lib/systemd/system/dirsrv@.service

right, I hadn't changed LIB_SYSTEMD_SYSTEMD_DIR in paths.py.. doing that fixed this issue, thanks!

>> Oh and the web UI is blank when I try it. Does the client install fail
>> have
>> something to do with it?
> check /var/log/ipaclient-install.log

Well it fails because it can't connect to the server:

2014-10-23T22:10:57Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2014-10-23T22:10:57Z DEBUG cert valid True for "CN=sid.tyrell,O=SID"
2014-10-23T22:10:57Z DEBUG handshake complete, peer = 192.168.1.31:443
2014-10-23T22:10:57Z ERROR Cannot connect to the server due to generic error: Authentication method not supported: sasl mechanism not supported

I thought it was because of the dirsrv restart failing before this step, but after fixing it the failure is still the same..

--
t
Re: [Freeipa-devel] issues with Debian port
Some updates: - rebased to 4.0.4, thanks for the release :) - mod_nss issues got fixed, silly me.. On 21.10.2014 18:36, Timo Aaltonen wrote: > client install will fail with: > > 2014-10-21T08:29:30Z INFO trying https://sid.tyrell/ipa/json > 2014-10-21T08:29:30Z DEBUG Created connection context.rpcclient > 2014-10-21T08:29:30Z DEBUG Try RPC connection > 2014-10-21T08:29:30Z INFO Forwarding 'ping' to json server > 'https://sid.tyrell/ipa/json' > 2014-10-21T08:29:30Z ERROR Cannot connect to the server due to generic > error: error marshalling data for XML-RPC transport: argument 2 must be > string or None, not int This is because I hadn't ported a patch from the ubuntu branch which got applied some six months ago.. d'oh. The issue is that our pykerberos is newer, and needs this: diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 81e7aa3..ce5f2a0 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: -(rc, vc) = kerberos.authGSSClientInit(service, self.flags) +(rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags) except kerberos.GSSError, e: self._handle_exception(e) now client install on the server almost works, but only almost because.. > Also, I'm reusing the RedHatService() stuff for services that have > native systemd jobs, but in the later phases of install (and during > uninstall) ipactl is trying to (re)start 'dirsv@.service' and not > 'dirsrv@REALM.service' like in the dirsrv phase.. any hints here would > be welcome as well. Otherwise I'll just use DebianSysvService() for > dirsrv too.. ..this is still something I haven't figured out. Dirsrv restart after LDAP updates fail, so client install on the server will fail because it can't get SASL up. Something for tomorrow then.. still got until Sunday to get this fixed and uploaded and then accepted to unstable by ftpmasters, or it won't migrate to Jessie in time for the freeze. But that's an eternity! :) Oh and the web UI is blank when I try it. Does the client install fail have something to do with it? -- t ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
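Review bot: In the KerbTransport hunk of ipalib/rpc.py, add a short comment above `kerberos.authGSSClientInit(service, gssflags=self.flags)` stating why the keyword is required: with the newer pykerberos mentioned in this message, flags passed positionally end up in an argument that must be a string or None, which is the "argument 2 must be string or None, not int" error quoted above. Without that comment the keyword reads as a style choice and is easy to revert.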
[Freeipa-devel] issues with Debian port
On 20.10.2014 09:47, Martin Kosek wrote:
> As usual, let us know if you hit problems with porting FreeIPA there or
> extending our platform-independent code.

Right, so I've hit a blocker issue I'm not so sure about.. client install will fail with:

2014-10-21T08:29:30Z INFO trying https://sid.tyrell/ipa/json
2014-10-21T08:29:30Z DEBUG Created connection context.rpcclient
2014-10-21T08:29:30Z DEBUG Try RPC connection
2014-10-21T08:29:30Z INFO Forwarding 'ping' to json server 'https://sid.tyrell/ipa/json'
2014-10-21T08:29:30Z ERROR Cannot connect to the server due to generic error: error marshalling data for XML-RPC transport: argument 2 must be string or None, not int

I see that 3.3.x still used the old xml method and that worked just fine. Guess I could patch things to use xmlclient again..

Also, I'm reusing the RedHatService() stuff for services that have native systemd jobs, but in the later phases of install (and during uninstall) ipactl is trying to (re)start 'dirsv@.service' and not 'dirsrv@REALM.service' like in the dirsrv phase.. any hints here would be welcome as well. Otherwise I'll just use DebianSysvService() for dirsrv too..

--
t
Re: [Freeipa-devel] Dogtag 10.2.0 is now in Debian
On 18.10.2014 18:39, Timo Aaltonen wrote:
>
> Hi!
>
> I'm happy to announce that Dogtag (version 10.2.0) has finally entered
> Debian unstable repository this week. Assuming there won't be any nasty
> surprises, the next stable release ("Jessie") will include it. Many
> thanks to Ade Lee who did the first pass of packaging the long chain of
> dependencies, up to and including RESTEasy.

forgot the link

https://packages.qa.debian.org/d/dogtag-pki.html

there's a small update coming early next week

--
t
[Freeipa-devel] Dogtag 10.2.0 is now in Debian
Hi!

I'm happy to announce that Dogtag (version 10.2.0) has finally entered Debian unstable repository this week. Assuming there won't be any nasty surprises, the next stable release ("Jessie") will include it. Many thanks to Ade Lee who did the first pass of packaging the long chain of dependencies, up to and including RESTEasy.

and next week there should be another announcement..

--
t
Re: [Freeipa-devel] [PATCH] 693 webui-build: use /usr/share/java/js.jar instead of rhino.jar
On 01.07.2014 19:20, Petr Vobornik wrote:
> /usr/share/java/rhino.jar is a Fedora's symlink to /usr/share/java/js.jar
>
> Debian doesn't have it. Direct usage of upstream /usr/share/java/js.jar
> should work on both systems.

yup, tested on Debian and checked fedora rhino rpm that it has both.

thanks!

--
t
Re: [Freeipa-devel] freeipa and Debian multiarch triplet
23.06.2014 11:32, Martin Kosek wrote:
> On 06/19/2014 10:18 AM, Timo Aaltonen wrote:
>>
>> Hi
>>
>> While porting the client code for current master I noticed that there
>> are some hardcodings to use /usr/lib{,64} paths for various things. This
>> is problematic for Debian and its derivatives, since we use "proper
>> multiarch(tm)" which means paths like
>> /usr/lib/{i386-linux-gnu,x86_64-linux-gnu} and other GNU triplets. I'd
>> need to force freeipa to build only on these two archs by setting FOO =
>> /usr/lib/i386-linux-gnu and FOO_64 = /usr/lib/x86_64-linux-gnu.
>>
>> Ideas for solving it cleanly so that at least freeipa-client would be
>> possible to build on other archs too? For the server at least 389 needs
>> updates too, since it hardcodes paths the same way.
>
> Apparently there were not many ideas on this topic. In case you have some idea
> how we could fix the ipaplatform package so that it serves you (or other
> platform consumers) better we are still open to changes - 4.0 is not released
> yet.

Well, maybe I was worrying too much, since for instance the firefox path is always /usr/lib/firefox on Debian, so LIB64_FIREFOX can be whatever since LIB_FIREFOX will always match the correct path.. but I need to check the rest too.

Applying the remaining ipaplatform patches to master would allow me to finish Debian client support, first draft anyway :)

--
t
[Freeipa-devel] freeipa and Debian multiarch triplet
Hi

While porting the client code for current master I noticed that there are some hardcodings to use /usr/lib{,64} paths for various things. This is problematic for Debian and its derivatives, since we use "proper multiarch(tm)" which means paths like /usr/lib/{i386-linux-gnu,x86_64-linux-gnu} and other GNU triplets. I'd need to force freeipa to build only on these two archs by setting FOO = /usr/lib/i386-linux-gnu and FOO_64 = /usr/lib/x86_64-linux-gnu.

Ideas for solving it cleanly so that at least freeipa-client would be possible to build on other archs too? For the server at least 389 needs updates too, since it hardcodes paths the same way.
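One way to approach the question raised in this thread, as an added example that is not FreeIPA or ipaplatform code: resolve a library-relative path by probing the multiarch directory first, then /usr/lib64, then /usr/lib, so a single definition serves both layouts. The function names, the constructed file trees and the `libexample.so` name are assumptions made for the illustration.

```python
import os
import sysconfig
import tempfile


def libdir_candidates(triplet=None, root="/"):
    """Library directories to probe, most specific first.

    triplet: GNU multiarch triplet such as 'x86_64-linux-gnu'. None means
    "ask the running interpreter" (its MULTIARCH build variable, which is
    empty or absent where multiarch directories are not used); pass "" to
    force the non-multiarch layout.
    """
    if triplet is None:
        triplet = sysconfig.get_config_var("MULTIARCH") or ""
    dirs = []
    if triplet:
        dirs.append(os.path.join(root, "usr", "lib", triplet))
    dirs.append(os.path.join(root, "usr", "lib64"))
    dirs.append(os.path.join(root, "usr", "lib"))
    return dirs


def resolve_lib_path(relative, triplet=None, root="/"):
    """Return the first existing <libdir>/<relative>, or None if none exists."""
    for libdir in libdir_candidates(triplet, root):
        candidate = os.path.join(libdir, relative)
        if os.path.exists(candidate):
            return candidate
    return None


def _touch(root, relative):
    """Create an empty file (and its parent directories) below root."""
    full = os.path.join(root, relative)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    open(full, "w").close()


def demo():
    """Resolve the same names in a constructed Debian-like and Fedora-like tree."""
    out = {}
    with tempfile.TemporaryDirectory() as deb, \
            tempfile.TemporaryDirectory() as fed:
        # Constructed layouts; libexample.so is a made-up library name.
        _touch(deb, "usr/lib/x86_64-linux-gnu/libexample.so")
        _touch(deb, "usr/lib/firefox/firefox")  # not under the triplet dir
        _touch(fed, "usr/lib64/libexample.so")
        _touch(fed, "usr/lib64/firefox/firefox")
        layouts = (("debian", deb, "x86_64-linux-gnu"), ("fedora", fed, ""))
        for name, root, triplet in layouts:
            for rel in ("libexample.so", "firefox/firefox", "missing.so"):
                hit = resolve_lib_path(rel, triplet, root)
                out[(name, rel)] = hit and os.path.relpath(hit, root)
    return out


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
```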
Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring
On 17.06.2014 15:15, Tomas Babej wrote:
>
> On 06/17/2014 12:03 PM, Timo Aaltonen wrote:
>> On 17.06.2014 11:16, Martin Kosek wrote:
>>> On 06/16/2014 07:50 PM, Petr Viktorin wrote:
>>>> On 06/16/2014 02:53 PM, Tomas Babej wrote:
>>>>> On 06/10/2014 05:07 PM, Petr Viktorin wrote:
>>>>>> On 06/10/2014 10:13 AM, Tomas Babej wrote:
>>>>>>> On 06/06/2014 01:04 PM, Petr Viktorin wrote:
>>>>>>>> On 06/05/2014 03:14 PM, Petr Viktorin wrote:
>>>>>>>>> On 06/04/2014 11:42 AM, Tomas Babej wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> the following set of patches implements the ticket:
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4052
>>>>>>>>>>
>>>>>> [...]
>>>> 0202: OK
>>>> 0203: OK
>>>> 0204: OK
>>>> 0205: OK
>>>> 0206: OK
>>>> 0207: OK
>>>> (sorry for the conflict!)
>>>>
>>>> 0208: OK
>>>> 0209: OK
>>>> 0210: OK
>>>> 0211: OK
>>>> 0212: OK
>>>> 0213: OK
>>>> 0214: OK
>>>> 0215: OK
>>>> 0216: OK
>>>> 0217: OK
>>>> 0218: OK
>>>> 0219: OK
>>>> 0220: OK
>>>> 0221: OK
>>>> 0222: OK
>>>>
>>>> modify_nsswitch_pam_stack and modify_pam_to_use_krb5 are missing the `self`
>>>> argument.
>>>>
>>>> Rebasing this all the time must be painful, so to avoid another review
>>>> round-trip I've had Tomáš ACK the attached four-liner on IRC.
>>> Thanks guys!
>>>
>>> I looked at the changes and have couple questions:
>>>
>>> 1) What is the motivation for keeping AuthConfig infrastructure around? I
>>> thought it is replaced by the tasks concept that are easier to customize in
>>> other platforms. IMO, it just obfuscates the process.
>>>
>>> How is
>>> def modify_pam_to_use_krb5(self, statestore):
>>>     auth_config = FedoraAuthConfig()
>>>     statestore.backup_state('authconfig', 'krb5', True)
>>>     auth_config.enable("krb5")
>>>     auth_config.add_option("nostart")
>>>     auth_config.execute()
>>> more readable than
>>> def modify_pam_to_use_krb5(self, statestore):
>>>     statestore.backup_state('authconfig', 'krb5', True)
>>>     ipautil.run("authconfig --enablekrb5 --nostart")
>>> ? And this was just the easy example. Also, documentation in AuthConfig base
>>> class refers to nonexistent paths.
>>>
>>> 2) There are still many non-converted paths in ipa-client installers:
>>>
>>> $ git grep "bin/" ipa-client/
>>> ...
>>> ipa-client/ipa-install/ipa-client-install:SSH_AUTHORIZEDKEYSCOMMAND =
>>> '/usr/bin/sss_ssh_authorizedkeys'
>>> ipa-client/ipa-install/ipa-client-install:SSH_PROXYCOMMAND =
>>> '/usr/bin/sss_ssh_knownhostsproxy'
>>> ipa-client/ipa-install/ipa-client-install:(sout, serr, returncode) =
>>> run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname],
>>> raiseonerr=False)
>>> ipa-client/ipa-install/ipa-client-install:
>>> run(["/usr/bin/certutil",
>>> "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
>>> ipa-client/ipa-install/ipa-client-install:
>>> run(["/usr/bin/certutil",
>>> "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname])
>>> ...
>>>
>>> We should convert at least those as ipa-client will be the most platformized
>>> module (more than the server, IMO).
>> and many others all over the place, just 'git grep /etc/'
>>
>> working on the debian client patches now..
>>
>>
>
> Attached is a new version of patch 226, and a new patch 228, which moves
> the paths from installers to the paths module.
>
> I grepped the repository, and I do not see many paths lurking around any
> more, there are only some in the error messages (as these can't be
> reliably replaced automatically, and will need some manual love).
>
> If you see any forgotten paths, which should be added to the module, let
> me know.

Sure thing! Looks more complete now, and at least the paths I was patching before (in ipa-client-automount) are fixed.

--
t
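The audit Martin runs with `git grep` and the caveat Tomas raises about paths inside error messages, combined in an added example (not part of the thread or of FreeIPA): walk the Python AST, report hard-coded absolute paths, and separate the commands and arguments of `run([...])` calls and plain constants from paths embedded in message text, which need manual review. The sample source is constructed from lines quoted above; `paths.CERTUTIL` and `paths.NSS_DB_DIR` are assumed constant names, and the scanner parses Python 3 syntax.

```python
import ast

PATH_PREFIXES = ("/usr/", "/etc/", "/bin/", "/sbin/", "/var/", "/lib/", "/lib64/")

# Constructed sample, modelled on the git grep output quoted in the thread.
# paths.CERTUTIL and paths.NSS_DB_DIR are assumed names for converted constants.
SAMPLE = '''\
from ipaplatform.paths import paths
SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'

def untrack(nickname):
    run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname],
        raiseonerr=False)
    run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", "IPA CA"])
    print("Could not read /etc/krb5.conf, check permissions")
'''


def _is_path(value):
    """A string literal that is nothing but an absolute path."""
    return (isinstance(value, str) and value.startswith(PATH_PREFIXES)
            and not any(c.isspace() for c in value))


def _mentions_path(value):
    """A longer string (message, help text) with a path somewhere inside."""
    return (isinstance(value, str)
            and any(tok.startswith(PATH_PREFIXES) for tok in value.split()))


def find_hardcoded_paths(source):
    """Return sorted (line, kind, literal) tuples for one module's source.

    kind is 'command' (first element of a list passed to a call), 'argument'
    (later element of such a list), 'constant' (assigned to a name),
    'other' (bare path elsewhere) or 'message' (path inside prose).
    """
    tree = ast.parse(source)
    findings, classified = [], set()

    def record(node, kind):
        findings.append((node.lineno, kind, node.value))
        classified.add(id(node))

    # Pass 1: literals whose role is clear from the enclosing statement.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and node.args
                and isinstance(node.args[0], ast.List)):
            for index, elt in enumerate(node.args[0].elts):
                if isinstance(elt, ast.Constant) and _is_path(elt.value):
                    record(elt, "command" if index == 0 else "argument")
        elif (isinstance(node, ast.Assign)
              and isinstance(node.value, ast.Constant)
              and _is_path(node.value.value)):
            record(node.value, "constant")

    # Pass 2: every remaining string literal.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Constant) or id(node) in classified:
            continue
        if _is_path(node.value):
            record(node, "other")
        elif _mentions_path(node.value):
            record(node, "message")
    return sorted(findings)


def convertible(findings):
    """Findings that can move to a paths module without rewording any text."""
    return [f for f in findings if f[1] != "message"]


if __name__ == "__main__":
    for line, kind, literal in find_hardcoded_paths(SAMPLE):
        print("%d: %-8s %r" % (line, kind, literal))
```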
Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring
On 17.06.2014 11:16, Martin Kosek wrote:
> On 06/16/2014 07:50 PM, Petr Viktorin wrote:
>> On 06/16/2014 02:53 PM, Tomas Babej wrote:
>>> On 06/10/2014 05:07 PM, Petr Viktorin wrote:
>>>> On 06/10/2014 10:13 AM, Tomas Babej wrote:
>>>>> On 06/06/2014 01:04 PM, Petr Viktorin wrote:
>>>>>> On 06/05/2014 03:14 PM, Petr Viktorin wrote:
>>>>>>> On 06/04/2014 11:42 AM, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the following set of patches implements the ticket:
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4052
>>>>>>>>
>>>> [...]
>>>
>>
>> 0202: OK
>> 0203: OK
>> 0204: OK
>> 0205: OK
>> 0206: OK
>> 0207: OK
>> (sorry for the conflict!)
>>
>> 0208: OK
>> 0209: OK
>> 0210: OK
>> 0211: OK
>> 0212: OK
>> 0213: OK
>> 0214: OK
>> 0215: OK
>> 0216: OK
>> 0217: OK
>> 0218: OK
>> 0219: OK
>> 0220: OK
>> 0221: OK
>> 0222: OK
>>
>> modify_nsswitch_pam_stack and modify_pam_to_use_krb5 are missing the `self`
>> argument.
>>
>> Rebasing this all the time must be painful, so to avoid another review
>> round-trip I've had Tomáš ACK the attached four-liner on IRC.
>
> Thanks guys!
>
> I looked at the changes and have couple questions:
>
> 1) What is the motivation for keeping AuthConfig infrastructure around? I
> thought it is replaced by the tasks concept that are easier to customize in
> other platforms. IMO, it just obfuscates the process.
>
> How is
> def modify_pam_to_use_krb5(self, statestore):
>     auth_config = FedoraAuthConfig()
>     statestore.backup_state('authconfig', 'krb5', True)
>     auth_config.enable("krb5")
>     auth_config.add_option("nostart")
>     auth_config.execute()
> more readable than
> def modify_pam_to_use_krb5(self, statestore):
>     statestore.backup_state('authconfig', 'krb5', True)
>     ipautil.run("authconfig --enablekrb5 --nostart")
> ? And this was just the easy example. Also, documentation in AuthConfig base
> class refers to nonexistent paths.
>
> 2) There are still many non-converted paths in ipa-client installers:
>
> $ git grep "bin/" ipa-client/
> ...
> ipa-client/ipa-install/ipa-client-install:SSH_AUTHORIZEDKEYSCOMMAND =
> '/usr/bin/sss_ssh_authorizedkeys'
> ipa-client/ipa-install/ipa-client-install:SSH_PROXYCOMMAND =
> '/usr/bin/sss_ssh_knownhostsproxy'
> ipa-client/ipa-install/ipa-client-install:(sout, serr, returncode) =
> run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname],
> raiseonerr=False)
> ipa-client/ipa-install/ipa-client-install:
> run(["/usr/bin/certutil",
> "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
> ipa-client/ipa-install/ipa-client-install:
> run(["/usr/bin/certutil",
> "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname])
> ...
>
> We should convert at least those as ipa-client will be the most platformized
> module (more than the server, IMO).

and many others all over the place, just 'git grep /etc/'

working on the debian client patches now..

--
t
Re: [Freeipa-devel] [PATCH] Debian client support
On 28.11.2013 22:26, Lukas Slebodnik wrote:
> On (05/09/13 23:25), Lukas Slebodnik wrote:
>> On (03/09/13 00:43), Timo Aaltonen wrote:
>>>
>>> This fixes https://fedorahosted.org/freeipa/ticket/1887
>>> and
>>> https://fedorahosted.org/freeipa/ticket/2455
>>>
>>> the first three patches fix some bugs in how python is used
>>> fourth patch checks if dbus is already running before trying to start it
>>> fifth fixes some compilation warnings
>>> sixth finally adds the Debian platform module
>>>
>>>
>>>
>>> there are also distro patches that aren't upstreamable as-is, that do
>>> stuff like
>>> - give --install-layout=deb to setup.py
>>> - disable make-testcert since it needs a server running
>>> - fix hardcoded NFS related paths and a variable in ipa-client-automount
>>> - fix ldap.conf path in ipa-client-install
>>> - fix ntpdate options in ntpconf.py (Debian doesn't patch ntpdate like
>>> Fedora)
>>> - change nss includes in ipa_pwd.c ( not )
>> Solution is simple. Use pkg-config generated NSS_CFLAGS
>>
>> bash$ pkg-config --cflags nss
>> -I/usr/include/nss -I/usr/include/nspr
>> bash$ uname -a
>> Linux positron 3.10-2-686-pae #1 SMP Debian 3.10.5-1 (2013-08-07) i686
>> GNU/Linux
>>
>> bash$pkg-config --cflags nss
>> -I/usr/include/nss3 -I/usr/include/nspr4
>> bash$uname -a
>> Linux unused-4-233.brq.redhat.com 3.10.10-200.fc19.x86_64 #1 SMP Thu Aug 29
>> 19:05:45 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>
>> It works in sssd. I can send a patch.
>>
>> LS
>>
> Attached patch should fix problem with compilation on different distros.
>
> debian:
> http://anonscm.debian.org/gitweb/?p=pkg-freeipa/freeipa.git;a=blob;f=debian/patches/fix-nss-include.diff;h=1dac0709ed7344c7546c55225365c9434e6a930a;hb=HEAD
> arch:
> https://github.com/chenxiaolong/ArchLinux-Packages/blob/master/freeipa/0006_Fix_nss_includes.patch
>
> Timo can you test patch on debian/ubuntu?

finally did last week, so

Tested-by: Timo Aaltonen
Re: [Freeipa-devel] Building FreeIPA on Debian Unstable
On 06.12.2013 18:39, Adam Young wrote:
>
>>> And...that was pretty much as far as I got.
>> with the updated repo + updates from the ppa the build succeeds but
>> tests fail, and those are harder for me to parse. Full build log at
>>
>> http://pastebin.com/G40VMENn
> Your first error is:
>
> Failure: ImportError (No module named samba) ... ERROR
>
> followed by missing ipaclient and pyasn1 modules.
>
> There seem to be a slew of Kerberos errors, which indicate that the
> Kerberos server was not getting set up to run correctly...which may in
> fact be due to the Directory server not running correctly. I'd start
> with ensuring 389, then Kerberos, don't have any path dependencies that
> are different between Debian and Fedora. The radius issue might be
> enough to mess up Kerberos, but I doubt it.

Indeed, and actually the failure in this case is running make-test at all, since it won't ever succeed during package build.. It was already disabled for client build, but now it's disabled for server too.

--
t
Re: [Freeipa-devel] Building FreeIPA on Debian Unstable
On 31.10.2013 21:19, Adam Young wrote:
> I'm about to take off for a week, and want to make sure that I don't
> lose the momentum I've put in so far. I spent a good portion of
> yesterday and today trying to get a Debian build going, and I think that
> this is worth sharing with the larger team. Since FreeIPA has been RPM
> focused thus far, I suspect that there is a need to prime-the-pump on
> Debian development.

Thanks! The debian packaging of 2.2.x managed to compile the server bits too, but I hadn't tested any newer versions, just built the client for those.. so it bitrot over the time.

> 1. Installed Debian testing in a VM via an ISO. I've had this VM for a
> while, so really just had to clone it and boot it.
> 2. Set the repos to be the sid (unstable) repos instead of Jessie
> (testing) by editing the file /etc/apt/sources.list and replacing
> jessie with sid
> 3. created a file /etc/apt/apt.conf with just the following line:
> APT::Default-Release "unstable";
> 4. apt-get dist-upgrade
> 5. Reboot.
> 6. Logged in and cloned the debian repo:
> git clone git://anonscm.debian.org/git/pkg-freeipa/freeipa.git
>
> Technically, that is a lie...I had another FreeIPA repo already cloned,
> so instead I edited the .git/config file to add support for the above
> repo, and then did a fetch and checkout of the debian-unstable branch.
>
>
> OK...now I am in trial and error state. I've tried doing two different
> tasks, both related, but I am not sure how.
>
>
> I used this as a guide
> http://www.debian.org/doc/manuals/maint-guide/build.en.html
>
>
> To build the package I ran:
>
> dpkg-buildpackage

You can limit building just the binaries by giving it '-b' argument, then it won't complain about the missing tarball either.

also, 'debuild' is a wrapper for dpkg-buildpackage which is what I'm using..
and then there's git-buildpackage but I've still not 'migrated' to that, but it does have some features to overcome the usual errors when working with a git repo (not having a clean tree, uncommitted changes etc). Just running debuild/dpkg-buildpackage is enough for quick'n'dirty testing though.

> Which told me about all of the missing packages. I had to modify the
> control file as some of the packages are no longer supporting the same
> files. One change I made, which is suspect is shown here:
>
> diff --git a/debian/control b/debian/control > index 66aedb4..e69cf6c 100644 > --- a/debian/control > +++ b/debian/control
> @@ -33,9 +33,7 @@ Build-Depends: quilt, debhelper (>= 9), dh-autoreconf, > python-support, > # server > 389-ds-base-dev (>= 1.1.3), > - libndr-dev, > - libndr-standard-dev, > - libsamba-util-dev, > + samba-dev, > libsvrcore-dev, > libtevent-dev, > uuid-dev,

I've updated the git repo with various changes, including the above. Too bad the machine hosting the repos will be down for maintenance for some days since it had some disk issues corrupting the RAID.. I'll probably push it to github or sth so we can work on stuff until alioth.d.o is fixed.

> Eventually this failed because I need a tarball to build a package. In
> FreeIPA, this is done via
>
> make tarballs
>
> but that failed early on. Rob's suggestion was to run
>
> make version-update tarballs
>
> which seemed to fix the issue somewhat.

You can also use 'uscan --download-current' to fetch the tarball.

> The dpkg-buildpackage seems to be applying patches in place in the git
> repo. I suspect that I should be running it with different command line
> switches telling it where to put the interim files etc.
>
> I was able to fake out the process above by doing
>
> cd ..
> tar -zcf freeipa_3.2.1.orig.tar.gz freeipa
>
> and re-running dpkg-buildpackage. That was how I identified that the
> krad.h files were not in libkrb-dev. I comment them out with the
> below patch:

I've pushed an updated krb5 package to the freeipa team PPA (for 'trusty') that should work just fine on sid too:

https://launchpad.net/~freeipa/+archive/ppa

ok I lied, the upload got rejected for some reason but I'll sort it out..

Also, something I had completely forgotten since two years ago.. xmlrpc-c in Debian is obsolete (1.16.xx), and the package is pretty much abandoned by the maintainer (who also went AWOL since) so I updated it to 1.33.06 and pushed to the PPA. Hopefully it'll get sponsored to sid soon..

> And...that was pretty much as far as I got.
with the updated repo + updates from the ppa the build succeeds but tests fail, and those are harder for me to parse. Full build log at

http://pastebin.com/G40VMENn

> Once we get a working process we can clean up the documentation.
>
> Looks like we need 1.12 of Kerberos to get Radius support, worth pinging
> the Debian krb supporters to see if they have a package in the works.

I filed a bug about it, we'll see how it goes. Maybe 1.12 is ready soon enough.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729291

Also, since I submitted the patches for client support I did
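Review bot: In the Build-Depends hunk of the quoted debian/control diff, `samba-dev` replaces the three removed -dev packages without a version bound, while the neighbouring `389-ds-base-dev (>= 1.1.3)` carries one. If the headers those packages shipped are only in samba-dev from some release on, an older samba-dev satisfies the dependency and the build then fails at compile time instead of at dependency resolution. Suggest adding the minimum samba-dev version known to ship them, and confirming with a full build that nothing else from libndr-dev, libndr-standard-dev or libsamba-util-dev is still needed, since the author of the change marks it as suspect.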
Re: [Freeipa-devel] Less.js for RCUE adoption
On 09.10.2013 17:04, Petr Viktorin wrote:
> On 10/09/2013 01:36 PM, Petr Vobornik wrote:
>> Hi list,
>>
>> I've started to work on RCUE adoption [1][2][3][4][5].
>>
>> RCUE uses Less CSS [6] so that means that technology for #3875 ([Web UI]
>> Use CSS preprocessor (LESS/SASS/Stylus))[6] is pretty much chosen.
>>
>> Topic of this mail is to choose Less CSS implementation we will use
>> during build.
>>
>> First some info. The main implementation of Less CSS is written in
>> JavaScript as a Node.js module. There are also official builds for
>> Rhino. Rhino versions are working up to version 1.3.3, they are broken
>> since version 1.4. There is some upstream effort to make it work again.
>> Implementations in different languages exist as well, but they may not
>> implement every feature.
>>
>> Fedora has a Node.js package (nodejs-less[8]) and Python implementation
>> (python-lesscpy[9]). Debian should contain these two as well. Problems
>> might come with other targeted distributions.
>>
>> I tried to run less-rhino-1.3.3.js[10] in Rhino and python-lesscpy, both
>> on RCUE reference implementation. Both tools seem to produce
>> functionally equivalent CSS (checked by visual inspection of diff).
>>
>> For Fedora:
>> - if we want to use the latest and greatest we should use Node.js
>> package. Since Node.js reputation is not good I expect that this won't
>> be the chosen solution.
>> - if we want to avoid Node.js we can bundle less-rhino-1.3.3.js[10] or
>> we can use python-lesscpy. python-lesscpy works better with Fedora
>> packaging philosophy.
>
> +1 for python-lesscpy, for this reason.
>
>> For others:
>> - bundle less-rhino if official package is not present
>
> This is really up to the other distros, but I don't see why another
> Python dependency should be a problem.
>
> I'm CCing Timo Aaltonen; we'll need some non-Fedora people to answer
> these questions.

as mentioned, python-lesscpy is in Debian/Ubuntu now, so as long as any bundled solution can be disabled that's enough for me.

--
t
Re: [Freeipa-devel] [SSSD] FreeIPA on Debian
On 03.09.2013 23:30, Nathan Kinder wrote:
> On 09/01/2013 01:35 PM, Timo Aaltonen wrote:
>> On 01.09.2013 21:43, Dmitri Pal wrote:
>>> On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
>>>> On 31.08.2013 00:04, Dmitri Pal wrote:
>>>>> Hello,
>>>>>
>>>>> Sorry for cross posting to 4 different lists but it seems that this is
>>>>> the best way to include most of people who might be interested in this
>>>>> discussion.
>>>>>
>>>>> The question of "When FreeIPA will be available on Debian?" has been
>>>>> coming up periodically on the list(s) without any resolution.
>>>>> However it
>>>>> is clear that it would be beneficial for the community and the
>>>>> project.
>>>> Hi,
>>>>
>>>> As you know, I've been packaging stuff for the past two years with the
>>>> goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
>>>> been accomplished, but quite a bit is still missing too..
>>>>
>>>>> Maybe it is time to try again?
>>>>> Let us see why it yet has not happened?
>>>>>
>>>>> 1) Some components need to be ported to Debian especially Dogtag and a
>>>>> slew of its new RESTEasy dependencies. This requires time and quite an
>>>>> effort from someone familiar with the domain.
>>>> Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
>>>> working, but I'm not going to push that to the distro. It can be used
>>>> for testing the IPA server though, before we have Dogtag 10. Once the
>>>> prereqs are in place the Dogtag git should be easy to rebase with 10.x.
>>>>
>>>> I did start packaging some of the dependencies, but hit a wall when
>>>> some
>>>> maven component needed a different release than another one.. AIUI this
>>>> is a known issue with maven based projects..
> I would like to organize the effort to get Dogtag 10 ported to Debian.
> I know that there are a lot of dependencies needed for this to happen.
> I can create and maintain a wiki page to track all of the work that is
> needed to get this porting done. Do you have a list of Dogtag 10
> dependencies that are not currently packaged for Debian that I can use
> as a starting point? Once we have a clear outline of what is needed, we
> can start trying to divide up and schedule the work.

Alright, nice! This is the list I sent to debian-java a year ago, roughly in dependency order:

codehaus-parent
keytool-maven-plugin
maven-help-plugin
maven-idea-plugin
maven-jarsigner-plugin
maven-jxr
maven-source-plugin
geronimo-parent-poms
geronimo-annotation
plexus-mail-sender
maven-release
plexus-resources
maven-checkstyle-plugin
maven-pmd-plugin
maven-anno-plugin
maven-reporting-api
maven-changes-plugin
maven-deploy-plugin
apache-james-project
javamail
base64coder
gdata-java
sonatype-oss-parent
forge-parent
mojo-parent
maven-plugin-build-helper
relaxngcc
xsom
glassfish-fastinfoset
jvnet-parent
glassfish-jaxb-api
glassfish-dtd-parser
stax-ex
istack-commons
rngom
glassfish-jaxb
maven-jaxb2-plugin
jboss-parent
jandex
jboss-specs-parent
jboss-annotations
jetty-parent
jetty-toolchain
jetty-version-maven-plugin
scannotation
snakeyml
resteasy

There might be errors, now that I know that the fedora package of resteasy doesn't build everything to make the deps a bit easier?

And at least codehaus-parent, mojo-parent and jetty-parent are packaged and pushed to git.debian.org but since I'm not a DD (yet) I can't upload them. The debian java policy means that the actual package names are like 'libmojo-parent-java' etc., in case you try to find a package.

> Do you have more details on the maven issue you were running up against?

if my notes are to be trusted, it was that keytool-maven-plugin wants v16 of mojo-parent, and not v30 that is in git now..

--
t
Re: [Freeipa-devel] [PATCH] Debian client support
On 03.09.2013 12:00, Petr Viktorin wrote:
> On 09/02/2013 11:43 PM, Timo Aaltonen wrote:
>>
>> This fixes https://fedorahosted.org/freeipa/ticket/1887
>> and
>> https://fedorahosted.org/freeipa/ticket/2455
>
> Thank you!
>
>> the first three patches fix some bugs in how python is used
>
> These look okay, I'll check when other build errors are fixed.
>
>> fourth patch checks if dbus is already running before trying to start it
>
> Please handle this in platform/debian/service.py.
>
> Is this only for D-Bus or do all start() methods for Debian need this?
> If it's all of them, add it in DebianService.start.
> If it's just D-Bus you'll want to make a special service there, like
> DebianSSHService.
>
>> fifth fixes some compilation warnings
>
> Looks good to my eyes, perhaps a C expert can look at this one too.
> I wonder why these warnings aren't enabled in our builds, though.
>
>> sixth finally adds the Debian platform module
>
> Please add copyright headers to the new files.
>
> in debian/auth.py:DebianAuthConfig.execute, you should use a dictionary
> for env:
> env = {'DEBCONF_FRONTEND': 'noninteractive'}
>
> You need to import ipautil to use ipautil.run in auth.py. This trips
> pylint and prevents building the code for me. Do you include pylint in
> your build procedure?
>
> platform/debian/auth.py: Git complains about a new blank line at EOF

Ok I have the platform module patch updated, but testing is blocked because client join fails with '401' error (authorization). This worked fine in June, still investigating what's wrong this time..

thanks for the review!

--
t
[Freeipa-devel] [PATCH] Debian client support
This fixes https://fedorahosted.org/freeipa/ticket/1887
and
https://fedorahosted.org/freeipa/ticket/2455

the first three patches fix some bugs in how python is used
fourth patch checks if dbus is already running before trying to start it
fifth fixes some compilation warnings
sixth finally adds the Debian platform module

there are also distro patches that aren't upstreamable as-is, that do stuff like
- give --install-layout=deb to setup.py
- disable make-testcert since it needs a server running
- fix hardcoded NFS related paths and a variable in ipa-client-automount
- fix ldap.conf path in ipa-client-install
- fix ntpdate options in ntpconf.py (Debian doesn't patch ntpdate like Fedora)
- change nss includes in ipa_pwd.c ( not )

dunno what to do about those, the packaging can keep on carrying those but if you have ideas how to make them configurable so that upstream git/tarball could be used for development/testing on Debian then that would be nice.

t

From b08da1b7712f9621283719b190134586e59fb333 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Tue, 3 Sep 2013 00:01:12 +0300 Subject: [PATCH 1/6] Use /usr/bin/python as fallback python path --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a21cf7e33275fd1a783e89baf237c8dcd8db6508..428f19b1a83da8c424893ea35c901f52dafaf546 100644 --- a/Makefile +++ b/Makefile @@ -50,7 +50,7 @@ ifneq ($(DEVELOPER_MODE),0) LINT_OPTIONS=--no-fail endif -PYTHON ?= $(shell rpm -E %__python) +PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python) all: bootstrap-autogen server tests @for subdir in $(SUBDIRS); do \ -- 1.8.3.2 From 7360486d7ed343202062716c0eb4f731923bb509 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Tue, 3 Sep 2013 00:03:12 +0300 Subject: [PATCH 2/6] Don't search platform path Don't use Python.h from the platform specific path --- ipapython/py_default_encoding/setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipapython/py_default_encoding/setup.py b/ipapython/py_default_encoding/setup.py index de2478c1962aba7a78919efdb266bf0600965905..6a1af628272c6cd3eaa755c5728a7a5d020050ec 100644 --- a/ipapython/py_default_encoding/setup.py +++ b/ipapython/py_default_encoding/setup.py @@ -22,7 +22,7 @@ from distutils.sysconfig import get_python_inc import sys import os -python_header = os.path.join(get_python_inc(plat_specific=1), 'Python.h') +python_header = os.path.join(get_python_inc(plat_specific=0), 'Python.h') if not os.path.exists(python_header): sys.exit("Cannot find Python development packages that provide Python.h") -- 1.8.3.2 From be86f0a9bbc3196aa8808243aba6d7e68c6d083b Mon Sep 17 00:00:00 2001 From: Nick Hatch Date: Tue, 3 Sep 2013 00:08:13 +0300 Subject: [PATCH 3/6] Don't exclude symlinks when loading plugins --- ipalib/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/util.py b/ipalib/util.py index 3c52e4fd9a3e08d160dd4ae7076590be8b869d2c..e14077487e979f077ddc1f9e925678884a64b5b5 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -81,7 +81,7 @@ def find_modules_in_dir(src_dir): if not name.endswith(suffix): continue pyfile = os.path.join(src_dir, name) -if os.path.islink(pyfile) or not os.path.isfile(pyfile): +if not os.path.isfile(pyfile): continue module = name[:-len(suffix)] if module == '__init__': -- 1.8.3.2 From 34d002d5483b9853a8329215ab12c946b8df7525 Mon Sep 17 00:00:00 2001 From: Nick Hatch Date: Tue, 3 Sep 2013 00:10:30 +0300 Subject: [PATCH 4/6] Check dbus before starting it Check to see if the messagebus (dbus) is running before attempting to start it --- ipa-client/ipa-install/ipa-client-install | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 280edd793326150c416fe1b82f9866435e9c6509..7241a3421e348666c47f03a9b4fdac472b2ccabb 100755 --- a/ipa-client/ipa-install/ipa-client-install 
+++ b/ipa-client/ipa-install/ipa-client-install @@ -372,10 +372,11 @@ def uninstall(options, env): # Always start certmonger. We can't untrack something if it isn't # running messagebus = ipaservices.knownservices.messagebus -try: -messagebus.start() -except Exception, e: -log_service_error(messagebus.service_name, 'start', e) +if not messagebus.is_running(): +try: +messagebus.start() +except Exception, e: +log_service_error(messagebus.service_name, 'start', e) cmonger = ipaservices.knownservices.certmonger try: @@ -970,10 +971,11 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options, principal = 'host/%s@%s' % (hostname, cli_realm) messagebus = ipaservices.knownservi
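Review bot: In the Makefile hunk of PATCH 1/6, the `|| echo /usr/bin/python` fallback only fires when `rpm` exits non-zero. On a host without rpm the shell still prints a command-not-found error to stderr, and on a host where rpm is installed but the `%__python` macro is undefined, rpm prints the macro name unexpanded with exit status 0, so PYTHON ends up as the literal `%__python`. Suggest `rpm -E %__python 2>/dev/null || echo /usr/bin/python` and discarding a result that still starts with `%`.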
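Review bot: The commit message of PATCH 2/6 (setup.py hunk, `get_python_inc(plat_specific=0)`) says what changes but not which layout breaks with `plat_specific=1`. Because the line right after the changed one aborts the build when Python.h is not found, a reviewer cannot tell from the patch whether the new value still finds the header on the distributions that worked before. Suggest stating in the message the directory each call returns on Debian and on Fedora, or probing both values and using whichever one contains Python.h.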
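Review bot: Dropping `os.path.islink(pyfile)` in the find_modules_in_dir hunk of PATCH 3/6 means every symlink in the plugin directory that resolves to a regular file is now returned as a module, wherever its target lives, because `os.path.isfile()` follows links. The commit has a subject line only and does not say which symlinks need to load. Suggest naming their origin in the message and, if only packaging-created links are meant, checking that `os.path.realpath(pyfile)` stays under an expected directory before accepting the file.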
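Review bot: In the uninstall() hunk of PATCH 4/6 the new `messagebus.is_running()` call sits outside the `try`, so an exception raised by the status check is no longer caught and reported through `log_service_error` the way a failed `start()` is. The second hunk header shows configure_certmonger() being touched as well, so the guard looks duplicated at each call site. Suggest moving the check inside the `try` block, or doing it once inside the service's own start() so callers stay unchanged.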
Re: [Freeipa-devel] [SSSD] FreeIPA on Debian
On 01.09.2013 21:43, Dmitri Pal wrote:
> On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
>> On 31.08.2013 00:04, Dmitri Pal wrote:
>>> Hello,
>>>
>>> Sorry for cross posting to 4 different lists but it seems that this is
>>> the best way to include most of people who might be interested in this
>>> discussion.
>>>
>>> The question of "When FreeIPA will be available on Debian?" has been
>>> coming up periodically on the list(s) without any resolution. However it
>>> is clear that it would be beneficial for the community and the project.
>> Hi,
>>
>> As you know, I've been packaging stuff for the past two years with the
>> goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
>> been accomplished, but quite a bit is still missing too..
>>
>>> Maybe it is time to try again?
>>> Let us see why it yet has not happened?
>>>
>>> 1) Some components need to be ported to Debian especially Dogtag and a
>>> slew of its new RESTEasy dependencies. This requires time and quite an
>>> effort from someone familiar with the domain.
>> Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
>> working, but I'm not going to push that to the distro. It can be used
>> for testing the IPA server though, before we have Dogtag 10. Once the
>> prereqs are in place the Dogtag git should be easy to rebase with 10.x.
>>
>> I did start packaging some of the dependencies, but hit a wall when some
>> maven component needed a different release than another one.. AIUI this
>> is a known issue with maven based projects..
>>
>> Other blockers off the top of my head include:
>>
>> - support for shared certificate database in NSS
>>   * patches sent to the Debian bug (#537866), maintainer isn't too
>>     responsive
>
> How can we help?

I don't think you can, guess it just needs some perseverance on my side..

>> - dyndb support in bind
>>   * haven't asked the maintainer to add it to bind9, it might happen
>
> Are you talking about dyndb maintainer or bind9 Debian maintainer?
> Maybe we should connect the two?

the debian bind maintainer, I heard from the dyndb maintainer that bind10 might support it natively, but getting that in Debian might still be further in the future, so if we'd need dyndb by early next year it's probably needed to have it via bind9 first.

>>> 3) Someone needs to own packages in Debian and maintain them, someone
>>> with good knowledge of the distro and time to take ownership of about 50
>>> packages.
>> I'm doing this on my spare time, which has meant obvious delays in
>> shipping something. Would be great to have more skillful people (pun
>> intended) on the pkg-freeipa team..
>
> Are you the only person there so far?

pretty much, there have been some debian developers sponsoring packages to the distro (I'm not a DD yet), but they've all fled before too long :)

--
t
Re: [Freeipa-devel] [SSSD] FreeIPA on Debian
On 31.08.2013 00:04, Dmitri Pal wrote:
> Hello,
>
> Sorry for cross posting to 4 different lists but it seems that this is
> the best way to include most of people who might be interested in this
> discussion.
>
> The question of "When FreeIPA will be available on Debian?" has been
> coming up periodically on the list(s) without any resolution. However it
> is clear that it would be beneficial for the community and the project.

Hi,

As you know, I've been packaging stuff for the past two years with the goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has been accomplished, but quite a bit is still missing too..

> Maybe it is time to try again?
> Let us see why it yet has not happened?
>
> 1) Some components need to be ported to Debian especially Dogtag and a
> slew of its new RESTEasy dependencies. This requires time and quite an
> effort from someone familiar with the domain.

Yes, this is the biggest blocker. Dogtag 9 is packaged in git and working, but I'm not going to push that to the distro. It can be used for testing the IPA server though, before we have Dogtag 10. Once the prereqs are in place the Dogtag git should be easy to rebase with 10.x.

I did start packaging some of the dependencies, but hit a wall when some maven component needed a different release than another one.. AIUI this is a known issue with maven based projects..

Other blockers off the top of my head include:

- support for shared certificate database in NSS
  * patches sent to the Debian bug (#537866), maintainer isn't too responsive
- dyndb support in bind
  * haven't asked the maintainer to add it to bind9, it might happen
- porting the IPA server installer for Debian
  * this has been discussed on the list at some point, and I guess upstream knows best how the code needs to be organized to make it happen..

> 2) The code needs to be changed in installer and potentially in other
> places as it might have had some Fedorizms blended in

yep, and I need to send the platform module for the client soon, the latest version seems to be working fine.

> 3) Someone needs to own packages in Debian and maintain them, someone
> with good knowledge of the distro and time to take ownership of about 50
> packages.

I'm doing this on my spare time, which has meant obvious delays in shipping something. Would be great to have more skillful people (pun intended) on the pkg-freeipa team..

> Can we pull it off together this time?
> Say we plan for some Dogtag and IPA domain experts to work on the port
> during Nov 13 - Feb 14 and address 1) and 2). Would there be any
> interest to join forces with them? Would there be anyone to take on item
> 3) from the list above?

I could send an email to debian-devel@ asking if someone is interested in helping us out. And maybe blog about it too (on planet.ubuntu.com)..

--
t
Re: [Freeipa-devel] installation freeipa on centos and ubuntu 13
On 16.05.2013 10:34, Martin Kosek wrote:
> On 05/16/2013 07:50 AM, daiEric wrote:
>> hi, all
>> where I can find the document about the installation freeipa on centos 6.3
>> and
>> Ubuntu 13.04
>>
>> thanks and best regards
>> Eric dai
>>
>
> Hello Eric,
>
> I do not know about CentOS, but you can find RHEL guide for FreeIPA here:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>
> As for Ubuntu, I do not think that FreeIPA is packaged there yet. There were
> some actions in the past to make that happen but it has not finished yet. If
> you just want to try FreeIPA, I would recommend using Fedora 18.

freeipa-client is available, 13.04 has 3.1.2. It should work without too much fuss, and if not then file a bug on launchpad, or poke me on #ubuntu-freeipa (@freenode).

--
t
Re: [Freeipa-devel] [PATCH] convert the base platform modules into packages
On 05.12.2012 15:01, Timo Aaltonen wrote:
On 17.10.2012 16:43, Petr Viktorin wrote:
On 09/21/2012 04:57 PM, Timo Aaltonen wrote:

Ok, so this is the first step before we can start to rewrite bits from ipaserver/install to make them support other distros. There are no real functional changes yet.

had some dependency issues installing the resulting rpm's, so didn't test the install scripts but they should work :)

Hello,

I recommend giving the -M flag to git format-patch, so it's easier to see changes in the patch.

Your split of the fedora16 code into two modules is unfortunate: each tries to import the other one, and one is the other's parent. This would need special care to get working correctly. The best option here would probably be to put restore_context & check_selinux_status into a separate submodule, so you don't need to import fedora16 from services.

Furthermore, in fedora16/__init__.py, you have:

    from ipapython.platform.fedora16.service import *

This imports everything from that module, including e.g. "redhat" or "os". Please avoid star imports. List all the imported names explicitly, or import the module and then use qualified names.

Other than that, after a trivial rebase the patch seems to work fine on Fedora.

Thanks! And finally, here is version 2. fixed all the above, I think.. make-lint passes, make rpms too.

Here's v3, thanks to your rebase to an even more current master :)

>From 0f2be82c20411c5db2627702715dda73d9ed3cb3 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen Date: Wed, 5 Dec 2012 14:58:06 +0200 Subject: [PATCH] convert the base platform modules into packages --- freeipa.spec.in|8 + ipapython/platform/{base.py => base/__init__.py} |0 ipapython/platform/{ => base}/systemd.py |5 +- ipapython/platform/fedora16/__init__.py| 49 ipapython/platform/fedora16/selinux.py | 26 ++ .../platform/{fedora16.py => fedora16/service.py} | 42 +--- .../platform/{fedora18.py => fedora18/__init__.py} |0 ipapython/platform/redhat.py | 258 ipapython/platform/redhat/__init__.py | 129 ++ ipapython/platform/redhat/auth.py | 49 ipapython/platform/redhat/service.py | 123 ++ ipapython/setup.py.in |7 +- 12 files changed, 399 insertions(+), 297 deletions(-) rename ipapython/platform/{base.py => base/__init__.py} (100%) rename ipapython/platform/{ => base}/systemd.py (99%) create mode 100644 ipapython/platform/fedora16/__init__.py create mode 100644 ipapython/platform/fedora16/selinux.py rename ipapython/platform/{fedora16.py => fedora16/service.py} (81%) rename ipapython/platform/{fedora18.py => fedora18/__init__.py} (100%) delete mode 100644 ipapython/platform/redhat.py create mode 100644 ipapython/platform/redhat/__init__.py create mode 100644 ipapython/platform/redhat/auth.py create mode 100644 ipapython/platform/redhat/service.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 8a095db..33fb678 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -724,8 +724,16 @@ fi %doc COPYING README Contributors.txt %dir %{python_sitelib}/ipapython %dir %{python_sitelib}/ipapython/platform +%dir %{python_sitelib}/ipapython/platform/base +%dir %{python_sitelib}/ipapython/platform/fedora16 +%dir %{python_sitelib}/ipapython/platform/fedora18 +%dir %{python_sitelib}/ipapython/platform/redhat %{python_sitelib}/ipapython/*.py* %{python_sitelib}/ipapython/platform/*.py* +%{python_sitelib}/ipapython/platform/base/*.py* +%{python_sitelib}/ipapython/platform/fedora16/*.py* +%{python_sitelib}/ipapython/platform/fedora18/*.py* +%{python_sitelib}/ipapython/platform/redhat/*.py* %dir %{python_sitelib}/ipalib %{python_sitelib}/ipalib/* %{python_sitearch}/default_encoding_utf8.so diff --git a/ipapython/platform/base.py b/ipapython/platform/base/__init__.py similarity index 100% rename from ipapython/platform/base.py rename to ipapython/platform/base/__init__.py diff --git a/ipapython/platform/systemd.py b/ipapython/platform/base/systemd.py similarity index 99% rename from ipapython/platform/systemd.py rename to ipapython/platform/base/systemd.py index bb6c009..9846560 100644 --- a/ipapython/platform/systemd.py +++ b/ipapython/platform/base/systemd.py @@ -17,9 +17,12 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # +import os +import shutil +import sys + from ipapython import ipautil from ipapython.platform import base -import sys, os, shutil from ipalib import api class SystemdService(base.PlatformService): diff --git a/ipapython/platform/fedora16/__init__.py b/ipapython/platform/fedora16/__init__.py new file mode 100644 index 000..c730348 --- /dev/null +++ b/ipapython/platform/fedora16/__init__.py @@ -0,
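Review bot: In the ipapython/platform/base/systemd.py hunk, the unchanged context line "from ipapython.platform import base" now makes the module import its own parent package, which relies on base/__init__.py never importing systemd. That is the same parent/child dependency that was flagged for fedora16 earlier in this thread, so it is worth a one-line comment next to the import stating the constraint, or moving PlatformService into a submodule that both can import. The split of "import sys, os, shutil" into separate sorted imports is fine as it stands.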
Re: [Freeipa-devel] [PATCH] convert the base platform modules into packages
On 17.10.2012 16:43, Petr Viktorin wrote:
On 09/21/2012 04:57 PM, Timo Aaltonen wrote:

Ok, so this is the first step before we can start to rewrite bits from ipaserver/install to make them support other distros. There are no real functional changes yet.

had some dependency issues installing the resulting rpm's, so didn't test the install scripts but they should work :)

Hello,

I recommend giving the -M flag to git format-patch, so it's easier to see changes in the patch.

Your split of the fedora16 code into two modules is unfortunate: each tries to import the other one, and one is the other's parent. This would need special care to get working correctly. The best option here would probably be to put restore_context & check_selinux_status into a separate submodule, so you don't need to import fedora16 from services.

Furthermore, in fedora16/__init__.py, you have:

    from ipapython.platform.fedora16.service import *

This imports everything from that module, including e.g. "redhat" or "os". Please avoid star imports. List all the imported names explicitly, or import the module and then use qualified names.

Other than that, after a trivial rebase the patch seems to work fine on Fedora.

Thanks! And finally, here is version 2. fixed all the above, I think.. make-lint passes, make rpms too.

--
t

>From 0fee25e0d7facd8fc1ee374590412c4d7ab26058 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen Date: Wed, 5 Dec 2012 14:58:06 +0200 Subject: [PATCH] convert the base platform modules into packages --- freeipa.spec.in|6 + ipapython/platform/{base.py => base/__init__.py} |0 ipapython/platform/fedora16/__init__.py| 46 ipapython/platform/fedora16/selinux.py | 26 ++ .../platform/{fedora16.py => fedora16/service.py} | 34 +-- ipapython/platform/redhat.py | 249 ipapython/platform/redhat/__init__.py | 120 ++ ipapython/platform/redhat/auth.py | 49 ipapython/platform/redhat/service.py | 126 ++ ipapython/setup.py.in |6 +- 10 files changed, 381 insertions(+), 281 deletions(-) rename ipapython/platform/{base.py => base/__init__.py} (100%) create mode 100644 ipapython/platform/fedora16/__init__.py create mode 100644 ipapython/platform/fedora16/selinux.py rename ipapython/platform/{fedora16.py => fedora16/service.py} (84%) delete mode 100644 ipapython/platform/redhat.py create mode 100644 ipapython/platform/redhat/__init__.py create mode 100644 ipapython/platform/redhat/auth.py create mode 100644 ipapython/platform/redhat/service.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 870aaa6..a14a9f9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -713,8 +713,14 @@ fi %doc COPYING README Contributors.txt %dir %{python_sitelib}/ipapython %dir %{python_sitelib}/ipapython/platform +%dir %{python_sitelib}/ipapython/platform/base +%dir %{python_sitelib}/ipapython/platform/fedora16 +%dir %{python_sitelib}/ipapython/platform/redhat %{python_sitelib}/ipapython/*.py* %{python_sitelib}/ipapython/platform/*.py* +%{python_sitelib}/ipapython/platform/base/*.py* +%{python_sitelib}/ipapython/platform/fedora16/*.py* +%{python_sitelib}/ipapython/platform/redhat/*.py* %dir %{python_sitelib}/ipalib %{python_sitelib}/ipalib/* %{python_sitearch}/default_encoding_utf8.so diff --git a/ipapython/platform/base.py b/ipapython/platform/base/__init__.py similarity index 100% rename from ipapython/platform/base.py rename to ipapython/platform/base/__init__.py 
diff --git a/ipapython/platform/fedora16/__init__.py b/ipapython/platform/fedora16/__init__.py new file mode 100644 index 000..7c45b5d --- /dev/null +++ b/ipapython/platform/fedora16/__init__.py @@ -0,0 +1,46 @@ +# Author: Alexander Bokovoy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from ipapython.platform import base, redhat +from ipapython.platform.fedora16.service import f16_service, Fedora16Services +from ipapython.platform.fedora16.selinux import f16_restore_context, f16_check_selinux_status + +# All what we allow exporting directly from this
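Review bot: In the new ipapython/platform/fedora16/__init__.py, the package pulls names from both fedora16.service and fedora16.selinux while it is still being initialised, so neither submodule may import ipapython.platform.fedora16 back; a short comment above the two import lines saying so would keep the cycle from the earlier review from returning. The selinux import line ("from ipapython.platform.fedora16.selinux import f16_restore_context, f16_check_selinux_status") also runs well past 79 columns and could be wrapped in parentheses with one name per line.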
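The two import problems raised in the review quoted in this message (a star import re-exporting names such as "os" and "redhat", and a submodule importing a helper from its own parent package), reproduced on a throwaway package. This is an added example for Python 3, not code from the thread or from FreeIPA; the package name "plat" and all file contents are constructed stand-ins.

```python
import importlib
import os
import sys
import tempfile

# Constructed stand-ins; "plat" is a hypothetical package name, not FreeIPA code.
SERVICE = ("import os\n"
           "from plat import redhat\n"
           "class Fedora16Service(object):\n"
           "    pass\n")
HELPER = "def restore_context(path):\n    return path\n"
EXPLICIT = "from plat.fedora16.service import Fedora16Service\n"


def load_fedora16(init_src, service_src, selinux_src=None):
    """Build package 'plat' in a temp directory, import plat.fedora16 and
    return the set of public names the package ends up exposing."""
    files = {"__init__.py": "", "redhat.py": "NAME = 'redhat'\n",
             "fedora16/__init__.py": init_src,
             "fedora16/service.py": service_src}
    if selinux_src is not None:
        files["fedora16/selinux.py"] = selinux_src
    with tempfile.TemporaryDirectory() as root:
        for relpath, source in files.items():
            path = os.path.join(root, "plat", relpath)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(source)
        # Forget modules cached by an earlier scenario so every import is fresh.
        for name in [m for m in sys.modules if m == "plat" or m.startswith("plat.")]:
            del sys.modules[name]
        importlib.invalidate_caches()
        sys.path.insert(0, root)
        try:
            package = importlib.import_module("plat.fedora16")
            return {n for n in vars(package) if not n.startswith("_")}
        finally:
            sys.path.remove(root)


def star_import():
    # Without __all__, "import *" copies every public name, imports included.
    return load_fedora16("from plat.fedora16.service import *\n", SERVICE)


def explicit_import():
    return load_fedora16(EXPLICIT, SERVICE)


def parent_child_cycle_fails():
    # service.py asks its parent for a helper the parent has not defined yet.
    try:
        load_fedora16(EXPLICIT + HELPER,
                      "from plat.fedora16 import restore_context\n" + SERVICE)
    except ImportError:
        return True
    return False


def helper_in_submodule():
    # The helper lives in its own submodule, so nothing imports the parent.
    use = "from plat.fedora16.selinux import restore_context\n"
    return load_fedora16(EXPLICIT + use, use + SERVICE, selinux_src=HELPER)


if __name__ == "__main__":
    for check in (star_import, explicit_import,
                  parent_child_cycle_fails, helper_in_submodule):
        result = check()
        print(check.__name__, sorted(result) if isinstance(result, set) else result)
```
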
Re: [Freeipa-devel] Dojo and Web UI in 3.2
29.10.2012 21:19, Dmitri Pal wrote:
> What is the packaging situation? Is Dojo packaged for Fedora and other
> distros?

Dojo (1.7.2) is packaged on Debian and Ubuntu, and looks like it's on Fedora as well:

http://pkgs.fedoraproject.org/cgit/dojo.git

t
[Freeipa-devel] [PATCH] convert the base platform modules into packages
Ok, so this is the first step before we can start to rewrite bits from ipaserver/install to make them support other distros. There are no real functional changes yet. had some dependency issues installing the resulting rpm's, so didn't test the install scripts but they should work :) >From c28ad06c64c2f3a7040021cb4935696bad3996f2 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Wed, 29 Aug 2012 13:52:59 +0300 Subject: [PATCH] convert the base platform modules into packages Signed-off-by: Timo Aaltonen --- freeipa.spec.in |6 + ipapython/platform/base.py | 175 --- ipapython/platform/base/__init__.py | 175 +++ ipapython/platform/fedora16.py | 159 - ipapython/platform/fedora16/__init__.py | 49 +++ ipapython/platform/fedora16/service.py | 132 ++ ipapython/platform/redhat.py| 230 --- ipapython/platform/redhat/__init__.py | 120 ipapython/platform/redhat/auth.py | 49 +++ ipapython/platform/redhat/service.py| 106 ++ ipapython/setup.py.in |6 +- 11 files changed, 642 insertions(+), 565 deletions(-) delete mode 100644 ipapython/platform/base.py create mode 100644 ipapython/platform/base/__init__.py delete mode 100644 ipapython/platform/fedora16.py create mode 100644 ipapython/platform/fedora16/__init__.py create mode 100644 ipapython/platform/fedora16/service.py delete mode 100644 ipapython/platform/redhat.py create mode 100644 ipapython/platform/redhat/__init__.py create mode 100644 ipapython/platform/redhat/auth.py create mode 100644 ipapython/platform/redhat/service.py diff --git a/freeipa.spec.in b/freeipa.spec.in index ef9678e..4ce88e5 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -734,8 +734,14 @@ fi %doc COPYING README Contributors.txt %dir %{python_sitelib}/ipapython %dir %{python_sitelib}/ipapython/platform +%dir %{python_sitelib}/ipapython/platform/base +%dir %{python_sitelib}/ipapython/platform/fedora16 +%dir %{python_sitelib}/ipapython/platform/redhat %{python_sitelib}/ipapython/*.py* %{python_sitelib}/ipapython/platform/*.py* +%{python_sitelib}/ipapython/platform/base/*.py* +%{python_sitelib}/ipapython/platform/fedora16/*.py* +%{python_sitelib}/ipapython/platform/redhat/*.py* %dir %{python_sitelib}/ipalib %{python_sitelib}/ipalib/* %{python_sitearch}/default_encoding_utf8.so diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py deleted file mode 100644 index a1e6b4e..000 --- a/ipapython/platform/base.py +++ /dev/null 
@@ -1,175 +0,0 @@ -# Authors: Alexander Bokovoy -# -# Copyright (C) 2011 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -from ipalib.plugable import MagicDict - -# Canonical names of services as IPA wants to see them. As we need to have -# *some* naming, set them as in Red Hat distributions. Actual implementation -# should make them available through knownservices. and take care of -# re-mapping internally, if needed -wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', - 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', - 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', - 'rpcidmapd', 'pki_tomcatd', 'pki-cad'] - - -# The common ports for these services. This is used to wait for the -# service to become available. -wellknownports = { -'dirsrv@PKI-IPA.service': [7389], -'PKI-IPA': [7389], -'dirsrv': [389], # this is only used if the incoming instance name is blank -'pki-cad': [9180], -'pki-tomcatd@pki-tomcat.service': [8080], -'pki-tomcat': [8080], -'pki-tomcatd': [8080], # used if the incoming instance name is blank -} - -class AuthConfig(object): -""" -AuthConfig class implements system-independent interface to configure -system authentication resources. In Red Hat systems this is done with -authconfig(8) util
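Review bot: The ipapython/platform/base.py hunk removes all 175 lines while the diffstat lists a 175-line base/__init__.py as newly created, so the patch itself cannot show whether anything changed during the move; regenerating it with rename detection (git format-patch -M) would reduce the moves to rename entries plus the real edits, which matters for a change described as having no functional changes at 642 insertions and 565 deletions. In the freeipa.spec.in hunk, the hand-listed %dir and *.py* entries for base, fedora16 and redhat have to stay in step with the package list in ipapython/setup.py.in, which this patch also touches, so it is worth checking the two against each other.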
Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18
On 28.08.2012 16:40, Petr Viktorin wrote: > On 08/17/2012 06:04 PM, Ade Lee wrote: >> On Fri, 2012-08-17 at 09:34 -0400, Ade Lee wrote: >>> On Thu, 2012-08-16 at 18:45 +0200, Martin Kosek wrote: On 08/16/2012 01:28 PM, Ade Lee wrote: > Patch attached this time. I should know better than to do this in the > middle of the night .. > > On Thu, 2012-08-16 at 09:12 +0200, Martin Kosek wrote: >> On 08/16/2012 07:53 AM, Ade Lee wrote: >>> On Wed, 2012-08-15 at 23:41 -0400, Ade Lee wrote: On Wed, 2012-08-15 at 16:34 +0200, Martin Kosek wrote: > On 08/15/2012 03:54 PM, Ade Lee wrote: >> On Wed, 2012-08-15 at 13:24 +0200, Martin Kosek wrote: >>> On 08/08/2012 10:05 PM, Ade Lee wrote: Hi, Dogtag 10 is being released on f18, and has a number of changes that will affect IPA. In particular, the following changes will affect current IPA code. * The directory layout of the dogtag instance has changed. Instead of using separate tomcat instances to host different subsystems, the standard dogtag installation will allow one to install a CA. KRA, OCSP and TKS within the same instance. There have been corresponding changes in the directory layout, as well as the default instance name (pki-tomcat instead of pki-ca), and startup daemon (pki-tomcatd, instead of pki-cad, pki-krad etc.) * The default instance will use only four ports (HTTPS, HTTP, AJP and tomcat shutdown port) rather than the 6 previously used. The default ports will be changed to the standard tomcat ports. As these ports are local to the ipa server machine, this should not cause too much disruption. * There is a new single step installer written in python. (pkispawn/destroy) vs. pkicreate/pkisilent/pkiremove. * Dogtag 10 runs on tomcat7 - with a new corresponding version of tomcatjss. The attached patch integrates all the above changes in IPA installation and maintenance code. Once the patch is applied, users will be able to: 1. run ipa-server-install to completion on f18 with dogtag 10. 2. 
install a new replica on f18 on dogtag 10. 3. upgrade an f17 machine with an existing IPA instance to f18/ dogtag 10 - and have that old-style dogtag instance continue to run correctly. This will require the installation of the latest version of tomcatjss as well as the installation of tomcat6. The old-style instance will continue to use tomcat6. 4. in addition, the new cert renewal code has been patched and should continue to work. What is not yet completed / supported: 1. Installation with an external CA is not yet completed in the new installer. We plan to complete this soon. 2. There is some IPA upgrade code that has not yet been touched (install/tools/ipa-upgradeconfig). 3. A script needs to be written to allow admins to convert their old-style dogtag instances to new style instances, as well as code to periodically prompt admins to do this. 4. Installation of old-style instances using pkicreate/pkisilent on dogtag 10 will no longer be supported, and will be disabled soon. 5. The pki-selinux policy has been updated to reflect these changes, but is still in flux. In fact, it is our intention to place the dogtag selinux policy in the base selinux policy for f18. In the meantime, it may be necessary to run installs in permissive mode. The dogtag 10 code will be released shortly into f18. Prior to that though, we have placed the new dogtag 10 and tomcatjss code in a developer repo that is located at http://nkinder.fedorapeople.org/dogtag-devel/ Testing can be done on both f18 and f17 - although the target platform - and the only platform for which official builds will be created is f18. Thanks, Ade >>> >>> Hi Ade,