[Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

Martin Kosek mkosek at redhat.com
Mon Oct 24 13:19:55 UTC 2011


On Tue, 2011-10-18 at 15:29 +0200, Martin Kosek wrote:
> On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
> > On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > > > ipa.init was removed from the git, but it was never moved to
> > > > init/SystemV/.
> > > It should have been moved (rm+new file). I'll check what's happening 
> > > there, maybe Simo's patch omitted that one?
> > > 
> > > http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
> > > scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
> > > git tree + systemd patch.
> > I did another rebase and current version of systemd support for 
> > ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
> > http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
> > 
> 
> Yep, ipa.init is now correctly moved and I was able to compile ipa on
> both F-15 and F-16. I still have a few questions/issues:
> 
> 1) When ipa is not configured, it is ok that ipa.service status returns
> error. However, I still got ipa.service status error after the ipa was
> configured:
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
>   [1/2]: stopping directory server
>   [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==============================================================================
> Setup complete
> 
> Next steps:
> 	1. You must make sure these network ports are open:
> 		TCP Ports:
> 		  * 80, 443: HTTP/HTTPS
> 		  * 389, 636: LDAP/LDAPS
> 		  * 88, 464: kerberos
> 		UDP Ports:
> 		  * 88, 464: kerberos
> 		  * 123: ntp
> 
> 	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> 	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> 	   and the web user interface.
> 
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> 	Main PID: 18499 (code=exited, status=6)
> 	  CGroup: name=systemd:/system/ipa.service
> 
> 
> 
> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):
> 
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: STOPPED
> HTTP Service: RUNNING
> CA Service: STOPPED
> 
> When I restarted the ipa service, everything was OK including the status
> I mentioned in my previous mail:
> 
> # systemctl restart ipa.service
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> 
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> 	  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> 	  Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min 41s ago
> 	 Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
> 	  CGroup: name=systemd:/system/ipa.service
> 
> 
> Martin
> 

Ok, final ACK :-) On Friday and today I did a final set of sanity tests
for both branches on F-15 and F-16. Minor issues found during the review
were fixed by Alexander and integrated into the patches.

There is just one pending issue I found - name server cannot talk to
dirsrv on F-16 due to changes in SELinux policy. It is being tracked
here:

https://bugzilla.redhat.com/show_bug.cgi?id=748366

SELinux guys accepted the issue and it is being worked on.

Pushed to master, ipa-2-1. Good job!

Martin



