[Freeipa-devel] [PATCHSET] Replica promotion patches

Tomas Babej tbabej at redhat.com
Mon Aug 31 13:54:38 UTC 2015



On 08/31/2015 02:56 PM, Simo Sorce wrote:
> On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
>>
>> On 08/26/2015 11:27 PM, Simo Sorce wrote:
>>> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
>>> and introduces a number of required changes and dependencies to achieve
>>> this goal.
>>> This work requires the custodia project to securely transfer keys
>>> between ipa servers.
>>>
>>> This work is not 100% complete, it still misses the ability to install
>>> kra instances and the ability to install a CA (via ipa-ca-install) with
>>> externally signed certs.
>>>
>>> However it is massive enough that it warrants review and pushing, the rest
>>> of the changes can be applied later as this work should not disrupt the
>>> classic install methods.
>>>
>>> In order to build, my previous patches (530-533) are needed as well as a
>>> number of updated components.
>>>
>>> I used the following coprs for testing:
>>> simo/jwcrypto
>>> simo/custodia
>>> abbra/sssd-kkdcproxy (for sssd 1.13.1)
>>> lkrispen/389-ds-current (for 389 > 1.3.4.4)
>>> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
>>> mkosek/freeipa-4.2-fedora-22 (misc)
>>> fedora/updates-testing (python-gssapi 1.1.2)
>>>
>>> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
>>> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
>>> it will be released.
>>>
>>> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
>>> that may cause installation issues in some cases (re-install of a
>>> replica).
>>>
>>> The domain must be raised to level 1 in order to use replica promotion.
>>>
>>> In order to promote a replica the server must be first joined as a
>>> regular client to the domain.
>>>
>>> This is the flow I usually use for testing:
>>>
>>> # ipa-client-install
>>> # kinit admin
>>> # ipa-replica-install --promote --setup-ca
>>> <perform operations like add user, get keytabs, get certificates,
>>> etc...>
>>>
>>> These patches are also available in this git tree rebased on current
>>> master:
>>> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
>>>
>>> Simo.
>>>
>>>
>>>
>>
>> I'm running into an issue when upgrading RPMs:
> 
> What version are you upgrading from?
> 
> Also do you have logs telling which update is failing? I can guess it
> is the topology stuff but that would be surprising.
> 
> Simo.
> 

It was a master devel machine with some wear&tear on it, clean 4.2
install does not blow up on upgrade for me.

Will investigate further.



