[Freeipa-devel] [PATCHES] Replica Promotion #2888

Simo Sorce simo at redhat.com
Mon Aug 3 22:43:43 UTC 2015


Hello freeipa-devel,

this patchset implements the main piece of the replica promotion
feature.

It first introduces the Custodia modules. Custodia is a service that
allows secrets to be securely transferred between FreeIPA instances,
using asymmetric crypto and LDAP-published keys to ensure confidentiality.

These patches intentionally duplicate some code in the installer in
order to avoid regressions in the "classic" installer code path, in the
hope that the promotion functionality will not unintentionally break the
classic prepare/install code paths.

To test this patchset you need the jwcrypto and custodia python
packages. jwcrypto is in Fedora rawhide already (built today for f22
too) and Custodia is under review. I prepared two copr repositories for
now so people can build.
Use dnf copr enable simo/jwcrypto and dnf copr enable simo/custodia on
your devel VMs to get the proper packages (dnf install custodia will
suffice to drag in all dependencies).

To test do NOT follow the usual path of creating a replica file on the
master server with the ipa-replica-prepare tool.
Instead prepare a machine and run:
ipa-client-install
ipa-replica-install --promote

That should be it.

You can optionally test the --setup-dns install option, but --setup-ca
and --setup-kra do not work yet.

If you kinit admin right after the client install, you'll be asked no
passwords.

Note that you need to raise the domain level to 1 before you can use the
replica promotion code as it is intended to be used with the topology
plugin activated.

This patchset depends on the previous one sent last week.

Cheers,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-533-1-IPA-Custodia-Daemon.patch
Type: text/x-patch
Size: 23476 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/54f27001/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-534-1-Add-Custodia-Client-code.patch
Type: text/x-patch
Size: 4462 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/54f27001/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-535-1-Install-ipa-custodia-with-the-rest-of-ipa.patch
Type: text/x-patch
Size: 17032 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/54f27001/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-536-1-Implement-replica-promotion-functionality.patch
Type: text/x-patch
Size: 51035 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/54f27001/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-537-1-Change-DNS-installer-code-to-use-passed-in-api.patch
Type: text/x-patch
Size: 18809 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/54f27001/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-538-1-Allow-ipa-replica-conncheck-to-use-default-creds.patch
Type: text/x-patch
Size: 9888 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/54f27001/attachment-0005.bin>
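The procedure in the message (client install, then ipa-replica-install --promote) only works once the domain level has been raised to 1. The following is an added example, not part of Simo's patchset or the FreeIPA code base: a small POSIX sh preflight wrapper that reads the level from `ipa domainlevel-get`, refuses to promote below level 1, and otherwise runs the two commands from the message in order. It assumes the CLI prints a line of the form "Current domain level: N" and that `ipa domainlevel-set 1` is how the level is raised; both are assumptions about the tooling, not something this message states.

```shell
#!/bin/sh
# Added example (not from the patchset): preflight wrapper for testing
# replica promotion. Assumed output format of `ipa domainlevel-get`:
#   -----------------------
#   Current domain level: 1
#   -----------------------

# parse_domain_level: read `ipa domainlevel-get` output on stdin and print
# the numeric level, or nothing if no such line is present.
parse_domain_level() {
    sed -n 's/^Current domain level: *\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# promotion_allowed LEVEL: succeed only if LEVEL is a number >= 1.
# Empty or non-numeric input (e.g. the ipa command failed) is rejected
# rather than treated as level 0, so a broken preflight cannot pass.
promotion_allowed() {
    level="$1"
    case "$level" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$level" -ge 1 ]
}

# promote_replica [ipa-client-install args...]: check the domain level on
# the master the client will enrol against, then run the two commands from
# the message. Extra arguments are passed through to ipa-client-install.
promote_replica() {
    level=$(ipa domainlevel-get 2>/dev/null | parse_domain_level)
    if ! promotion_allowed "$level"; then
        echo "domain level is '${level:-unknown}'; raise it first with: ipa domainlevel-set 1" >&2
        return 1
    fi
    ipa-client-install "$@" || return 1
    ipa-replica-install --promote
}
```

The check reads the level before touching the host, so a machine that is not yet enrolled can still be rejected early; `ipa domainlevel-get` itself needs a valid Kerberos ticket, which matches the message's note that `kinit admin` after the client install prompts for no password.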