[Freeipa-devel] [PATCH 0090] show optionally configured components in server-find/show command output

Petr Vobornik pvoborni at redhat.com
Fri Nov 6 10:06:04 UTC 2015 

On 11/06/2015 10:15 AM, Petr Spacek wrote:
> On 6.11.2015 09:25, Martin Kosek wrote:
>> On 11/05/2015 07:02 PM, Petr Vobornik wrote:
>>>> On 11/02/2015 12:37 PM, Martin Kosek wrote:
>>>>>> On 11/02/2015 06:10 AM, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On 22.10.2015 10:44, Martin Babinsky wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>>>>>
>>>>>>>> This should be handled by a separate object plugin:
>>>>>>>>
>>>>>>>> $ ipa servercomponent-find master.ipa.test
>>>>>>>> ---------------------------
>>>>>>>> 6 server components matched
>>>>>>>> ---------------------------
>>>>>>>>     Component name: CA
>>>>>>>>     Enabled: TRUE
>>>>>>>>     Start order: 50
>>>>>>>>
>>>>>>>>     Component name: KDC
>>>>>>>>     Enabled: TRUE
>>>>>>>>     Start order: 10
>>>>>>>>
>>>>>>>>     Component name: KPASSWD
>>>>>>>>     Enabled: TRUE
>>>>>>>>     Start order: 20
>>>>>>>>
>>>>>>>>     Component name: MEMCACHE
>>>>>>>>     Enabled: TRUE
>>>>>>>>     Start order: 39
>>>>>>>>
>>>>>>>>     Component name: OTPD
>>>>>>>>     Enabled: TRUE
>>>>>>>>     Start order: 80
>>>>>>>>
>>>>>>>>     Component name: HTTP
>>>>>>>>     Enabled: TRUE
>>>>>>>>     Start order: 40
>>>>>>>> ----------------------------
>>>>>>>> Number of entries returned 6
>>>>>>>> ----------------------------
>>>>>>>>
>>>>>>>> This will allow us to consolidate all the ad-hoc component-related code
>>>>>>>> scattered throughout IPA (search for enable component, enable/disable
>>>>>>>> component, ...) into IPA command calls.
>>>>>>>>
>>>>>>>> I'm not opposed to showing a summary in server-show (although we don't do
>>>>>>>> anything like this for any other hierarchical objects), but it should be done
>>>>>>>> just for the users' sake, not for internal use (the ticket suggests to use this
>>>>>>>> for topology visualisation).
>>>>>>>>
>>>>>>>> BTW as far as the scalability of the current solution goes, you should have a
>>>>>>>> list of all the *non*-optional components and display everything else.
>>>>>>
>>>>>> The API proposal should be in line with our future extensions of the API. We
>>>>>> for example want to move "ipa-csreplica-manage" set-renewal-master command to
>>>>>> API call. Or DNSSEC generation master. Or we may want to change some other
>>>>>> flag/role of a master via this interface.
>>>>>>
>>>>>> So we will need something like
>>>>>> $ ipa server-add-role ipa.example.com --role "ca-renewal-master"
>>>>>> or
>>>>>> $ ipa servercomponent-add-role ipa.example.com CA --role=renewal-master
>>>>
>>>> Depends on usage. If we want to internally unify manipulation with configs for
>>>> component we can create low-level commands which won't be exposed to CLI.
>>>>
>>>> E.g. ipa servercomponent-find ipa.example.com
>>>> Component name: ADTRUST
>>>> Config: enabledService, startOrder 60
>>>>
>>>> <other services>
>>>>
>>>> This is all what Web UI needs.
>>>>
>>>>
>>>>  From user perspective, for CLI, something different is better. Martin used term
>>>> 'role', lets go with that.
>>>>
>>>> Idea 1:
>>>> $ ipa server-show ipa.example.com --roles
>>>> Server name: vm-073.idm.lab.eng.brq.redhat.com
>>>>    Managed suffix: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com, o=ipaca
>>>>    Min domain level: 0
>>>>    Max domain level: 1
>>>>    Role: dns-server, cs-server, ca-renewal-master, trust-controller
>>>>
>>>> --all would imply --roles
>> I am thinking "Roles" could be printed out even in default listing. It looks as
>> an important piece of information you want to know about your master. I also
>> originally used that with servercomponent, you moved it to server itself. It
>> makes also sense.
>>
>> We will need a design for this servercomponent/roles anyway, to agree on the
>> API with all stakeholders.
>>
>>>> $ ipa server-add-role ipa.example.com --roles=ca-renewal-master
>
> Just keep in mind that 'role' design requires yet another layer of indirection
> because there is no 1:1 mapping between services and roles. E.g. 'DNSSEC key
> master' role consists of several services, as 'DNS server' role etc.
>
> Also, we can get into trouble because role 'DNS server' in IPA 4.2 can contain
> different set of services than 'DNS server' in IPA 5.0 etc.
>
> For these reasons I question necessity of 'role' abstraction. Is it worth?
>

IMO yes. Current patch is better than nothing but roles are more 
friendly, components are implementation detail.

Showing only CNs on components doesn't show all info. E.g.

ipa server-show `hostname`
   Server name: ipa.example.com
   Managed suffix: dc=example,dc=com, o=ipaca
   Min domain level: 0
   Max domain level: 1
   Optional components: CA, DNS, DNSKeySync, ADTRUST, EXTID, KRA

This doesn't show that the server is actually also a ca-renewal-master. 
  What is the command I can use to solve: "show me what server is the 
ca-renewal-master"?

Then what's the difference between ADTRUST and EXTID? One is smb, second 
winbind but from user perspective it is the same thing - AD Trusts 
controller.

Could there be DNS without DNSKeySync?
-- 
Petr Vobornik

More information about the Freeipa-devel mailing list