[Freeipa-devel] [PATCHSET] Replica promotion patches

Simo Sorce simo at redhat.com
Wed Aug 26 21:27:12 UTC 2015


This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However, it is massive enough that it warrants review and pushing; the rest
of the changes can be applied later, as this work should not disrupt the
classic install methods.

In order to build, my previous patches (530-533) are needed, as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas;
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it is released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca
<perform operations like add user, get keytabs, get certificates,
etc...>

These patches are also available in this git tree, rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
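The promotion flow quoted in the message (enroll as a client, obtain admin credentials, promote) has three preconditions that fail late and noisily if skipped: the host must already be an enrolled client, a valid Kerberos ticket must exist, and the domain level must be 1. The following wrapper is an added example, not code from the post or from the FreeIPA project; it runs the same preflight checks up front and only then calls the installer. It assumes an enrolled client has /etc/ipa/default.conf, that `klist -s` returns 0 when a valid ticket is present, and that `ipa domainlevel-get` prints a line of the form "Current domain level: N" (that command is from later FreeIPA releases; this patchset only adds a low-level helper, so the exact CLI at the time may differ). The helper names parse_domain_level, level_allows_promotion and promote_replica are this example's own.

```shell
#!/bin/sh
# Added example: preflight checks around the replica-promotion flow
# described in the message. Not part of the original post or of FreeIPA.
set -eu

# Extract the numeric domain level from the captured output of
# `ipa domainlevel-get` (assumed format: "Current domain level: N").
# Prints nothing if the line is absent, so callers can detect that case.
parse_domain_level() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Current domain level:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# Return 0 when the captured output shows a level that permits promotion
# (the message states the domain must be raised to level 1).
level_allows_promotion() {
    lvl=$(parse_domain_level "$1")
    [ -n "$lvl" ] && [ "$lvl" -ge 1 ]
}

# Run the checks in the order the message lists the steps, then promote.
# Exits nonzero with a hint naming the step that was skipped.
promote_replica() {
    # Step 1: the server must first be joined as a regular client
    # (assumption: enrollment leaves /etc/ipa/default.conf behind).
    if [ ! -f /etc/ipa/default.conf ]; then
        echo "not enrolled: run ipa-client-install first" >&2
        return 1
    fi
    # Step 2: admin credentials are needed (the message uses `kinit admin`).
    if ! klist -s; then
        echo "no valid Kerberos ticket: run kinit admin" >&2
        return 1
    fi
    # Step 3: promotion requires domain level 1.
    if ! level_allows_promotion "$(ipa domainlevel-get)"; then
        echo "domain level must be raised to 1 before promotion" >&2
        return 1
    fi
    ipa-replica-install --promote --setup-ca
}

# Only run the real flow when invoked as "promote.sh run", so the helper
# functions can also be sourced and exercised without touching the host.
if [ "${1:-}" = "run" ]; then
    promote_replica
fi
```

Usage on a freshly enrolled client with an admin ticket: `sh promote.sh run`. The parsing helper is kept separate from the command invocation so the level check can be tested against captured output without a live server.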
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-534-2-Remove-unused-arguments.patch
Type: text/x-patch
Size: 6816 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-535-2-Simplify-the-install_replica_ca-function.patch
Type: text/x-patch
Size: 2025 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-536-2-IPA-Custodia-Daemon.patch
Type: text/x-patch
Size: 23478 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-537-2-Add-Custodia-Client-code.patch
Type: text/x-patch
Size: 4464 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-538-2-Install-ipa-custodia-with-the-rest-of-ipa.patch
Type: text/x-patch
Size: 17407 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-539-2-Require-a-DS-version-that-has-working-DNA-plugin.patch
Type: text/x-patch
Size: 1666 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-540-2-Implement-replica-promotion-functionality.patch
Type: text/x-patch
Size: 56061 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-541-2-Change-DNS-installer-code-to-use-passed-in-api.patch
Type: text/x-patch
Size: 18821 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-542-2-Allow-ipa-replica-conncheck-to-use-default-creds.patch
Type: text/x-patch
Size: 9892 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-543-2-Add-function-to-extract-CA-certs-for-install.patch
Type: text/x-patch
Size: 4415 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-544-2-topology-manage-ca-replication-agreements.patch
Type: text/x-patch
Size: 7303 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-545-2-enable-topology-plugin-on-upgrade.patch
Type: text/x-patch
Size: 4554 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-546-2-topology-plugin-configuration-workaround.patch
Type: text/x-patch
Size: 1927 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-547-2-handle-multiple-managed-suffixes.patch
Type: text/x-patch
Size: 28232 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-548-2-Allow-to-setup-the-CA-when-promoting-a-replica.patch
Type: text/x-patch
Size: 29801 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0014.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-549-2-Make-checks-for-existing-credentials-reusable.patch
Type: text/x-patch
Size: 8359 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0015.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-550-2-Add-low-level-helper-to-get-domain-level.patch
Type: text/x-patch
Size: 1309 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0016.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-551-2-Allow-ipa-ca-install-to-use-the-new-promotion-code.patch
Type: text/x-patch
Size: 7811 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150826/925161c9/attachment-0017.bin>