[Freeipa-devel] [PATCHES] Replica Promotion #2888

Simo Sorce simo at redhat.com
Tue Aug 25 18:40:15 UTC 2015


On Mon, 2015-08-03 at 18:43 -0400, Simo Sorce wrote:
> Hello freeipa-devel,
> 
> this patchset implements the main piece of the replica promotion
> feature.
> 
> It first introduces the custodia modules. Custodia is a service that
> allows secrets to be securely transferred between FreeIPA instances, using
> asymmetric crypto and LDAP-published keys to ensure confidentiality.
> 
> These patches intentionally duplicate some code in the installer in
> order to avoid regression in the "classic" installer code path, in the
> hope that the promotion functionality will not unintentionally break the
> classic prepare/install code paths.
> 
> To test this patchset you need the jwcrypto and custodia python
> packages. Jwcrypto is in Fedora rawhide already (built today for f22
> too) and Custodia is under review. I prepared two copr repositories for
> now so people can build.
> Use dnf copr enable simo/jwcrypto and dnf copr enable simo/custodia on
> your devel VMs to get the proper packages (dnf install custodia will
> suffice to drag in all dependencies).
> 
> To test do NOT follow the usual path of creating a replica file on the
> master server with the ipa-replica-prepare tool.
> Instead prepare a machine and run:
> ipa-client-install
> ipa-replica-install --promote
> 
> That should be it.
> 
> You can optionally test the --setup-dns install option, but --setup-ca
> and --setup-kra do not work yet.
> 
> If you kinit admin right after the client install, you won't be asked
> for any passwords.
> 
> Note that you need to raise the domain level to 1 before you can use the
> replica promotion code as it is intended to be used with the topology
> plugin activated.
> 
> This patchset depends on the previous one sent last week.
> 
> Cheers,
> Simo.
> 

FYI I am withdrawing this patchset. I have worked with Ludwig and Petr
and greatly improved and fixed this original patchset, changing it
considerably in the process; we'll soon propose a new patchset instead.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York