[Freeipa-devel] Remaining issues before adding Debian platform support

Martin Basti mbasti at redhat.com
Mon Oct 5 17:00:32 UTC 2015



On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
> Hi
>
>    I'm not sure if the goal is to be able to build IPA on Debian from
> git/tarballs, but here's a list of what would need to be fixed first to
> get there:
>
> - places where usernames have been hardcoded need something like
> ipaplatform/base/paths.py:
>    apache -> www-data in:
>    * ipaserver/install/httpinstance.py
>    * ipaserver/install/ipa_server_certinstall.py
>    * ipaserver/install/cainstance.py
>    * ipaserver/install/certs.py
This can be extracted to ipaplatform/base/constants.py.

>    named -> bind in:
>    * ipaserver/install/bindinstance.py
This is quite tricky.
For named_user the right location is ipaplatform/base/constants.py.

For the service, you can look in ipaplatform/redhat/services.py: there is
already a mapping of named to named.pkcs11. We can do something similar in
the Debian platform specification: debian_system_units['named'] = 'bind.service'.
However, if you want to replace named with bind completely, it requires
many more changes.

>
> - config/service files that use hardcoded paths in them need to be moved
> to a template, and use paths.py macros:
>    * install/conf/ipa.conf
>    * init/systemd/ipa_memcached.service
>
> - same but with hardcoded usernames
>    * init/ipa_memcached.conf
A discussion with the other developers is needed on how to resolve these files.
>
> - ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
> because libapache2-mod-nss doesn't enable it on install (can't remember
> why, but there was a good reason..)
We made installer changes; Honza may know if this is possible.

>
> - various places using Fedora-specific libpaths (/usr/lib vs.
> /usr/lib64), whereas on Debian these are /usr/lib/<tuple>, see
> https://wiki.debian.org/Multiarch/Tuples
I might be wrong, but I found different issues:
>    * ipaserver/install/ldapupdate.py
This affects update files, and the same issue exists for LDIF files.
We can replace the path '/var/lib(64)' with a substitute variable in those
files, and create a platform-specific method to determine the correct
path, or just substitute it with the value from ipaplatform/base/paths.
>    * ipapython/certmonger.py
>    * ipaserver/install/certs.py
>    * ipaserver/install/ipa_backup.py
>    * ipaserver/install/ipa_restore.py
Here, for the libpath, we can use ipaplatform task.py or path.py if that is enough.
The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths.
>
> - ntp daemon defaults use a different variable name (OPTIONS vs
> NTPD_OPTS), and quotes (" vs. ')
>    * ipaserver/install/ntpinstance.py
IMO the default pools should also be excluded to constants here, as a list of
NTP servers per platform.
OPTIONS can be excluded to ipaplatform/constants.py.
Probably the " or ' issue can be handled in the same way.
>
> - "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
> absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
> 'conf.d' on Fedora and then conf-enabled on Debian
OK.
>
> - install/share/bind.named.conf.template needs to drop the default zone
> on Debian, since that's already configured via includes (-> bind fails
> to start), so a template file with an exception for Debian would fix it
The solution here could be Augeas, but I'm not sure if we will be able to
move to Augeas soon enough.
This is the same issue as with ipa.conf.
>
> - Makefile needs to use --install-layout=deb for setup.py
>
> - ipa-client/ipa-install/ipa-client-automount needs to check for
> variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
> for NTPD_OPTS)
Leaving this for others.
>
>
> There.. that should be all I think :) Oh, forgot that currently dnssec
> needs to be disabled by some heavy patching, because 9.10.x isn't
> packaged yet..
I'm willing to send a patch to disable DNSSEC installation if you want.
Is there a chance to get 9.10.x with PKCS#11 support?
Can you please open a ticket?

Thank you for this investigation
Martin^2
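As an added example (not FreeIPA's own code and not part of the thread above), here is a minimal platform layer in the spirit of ipaplatform/base/constants.py, services.py and paths.py, showing how the hardcoded users, service units and library paths discussed in the thread can be lifted into per-platform values and substituted into config templates instead of being edited in installer code. The Platform class, detect_platform and render_template are assumed names; the users, unit names and paths are illustrative values taken from the thread or constructed.

```python
from dataclasses import dataclass, field
from string import Template


@dataclass(frozen=True)
class Platform:
    """Per-platform values that installer code and templates must not hardcode."""
    name: str
    httpd_user: str       # apache on Fedora, www-data on Debian
    named_user: str       # named on Fedora, bind on Debian
    libdir: str           # /usr/lib64 on Fedora vs /usr/lib/<multiarch tuple> on Debian
    ntp_options_var: str  # OPTIONS vs NTPD_OPTS in the ntp defaults file
    system_units: dict = field(default_factory=dict)

    def service_unit(self, service):
        """Map a generic service name to this platform's systemd unit (like *_system_units)."""
        return self.system_units.get(service, service + ".service")

    def as_macros(self):
        """The mapping a config/LDIF template is rendered against."""
        return {"HTTPD_USER": self.httpd_user, "NAMED_USER": self.named_user,
                "LIBDIR": self.libdir, "NTP_OPTIONS_VAR": self.ntp_options_var}


# Illustrative platform definitions (assumed values, not FreeIPA's real tables).
REDHAT = Platform("redhat", "apache", "named", "/usr/lib64", "OPTIONS",
                  {"named": "named.pkcs11.service"})
DEBIAN = Platform("debian", "www-data", "bind", "/usr/lib/x86_64-linux-gnu",
                  "NTPD_OPTS", {"named": "bind.service"})


def detect_platform(os_release_text):
    """Pick a platform from the contents of /etc/os-release (ID first, then ID_LIKE)."""
    fields = {}
    for line in os_release_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    for candidate in [fields.get("ID", "")] + fields.get("ID_LIKE", "").split():
        if candidate in ("fedora", "rhel", "centos"):
            return REDHAT
        if candidate in ("debian", "ubuntu"):
            return DEBIAN
    raise ValueError("unsupported platform: %r" % fields.get("ID"))


def render_template(text, platform):
    """Fill $MACRO placeholders; an unknown macro raises KeyError rather than
    silently shipping a config with a bare placeholder or the wrong user."""
    return Template(text).substitute(platform.as_macros())


# Constructed stand-in for a file like install/conf/ipa.conf after its
# hardcoded user and module path are replaced by paths.py-style macros.
IPA_CONF_TEMPLATE = ("User $HTTPD_USER\n"
                     "LoadModule nss_module $LIBDIR/httpd/modules/libmodnss.so\n")
```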