[Freeipa-devel] Remaining issues before adding Debian platform support
Tomas Babej
tbabej at redhat.com
Tue Oct 6 11:17:48 UTC 2015
On 10/05/2015 07:00 PM, Martin Basti wrote:
>
>
> On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
>> Hi
>>
>> I'm not sure if the goal is to be able to build IPA on Debian from
>> git/tarballs, but here's a list of what would need to be fixed first to
>> get there:
>>
>> - places where usernames have been hardcoded need something like
>> ipaplatform/base/paths.py:
>> apache -> www-data in:
>> * ipaserver/install/httpinstance.py
>> * ipaserver/install/ipa_server_certinstall.py
>> * ipaserver/install/cainstance.py
>> * ipaserver/install/certs.py
> this can be extracted to ipaplatform/base/constants.py
>
Yes, constants.py can be leveraged for this purpose. We added it not
that long ago, so you may have missed it.
The task left here is to actually abstract those values.
>> named -> bind in:
>> * ipaserver/install/bindinstance.py
> this is quite tricky,
> for named_user the right location is ipaplatform/base/constants.py
>
> for service, you can look in ipaplatform/redhat/services.py there is
> already mapping named to named.pkcs11, we can do something similar in
> debian platform specification, debian_system_units['named'] =
> 'bind.service'
Correct. Debian should define its own services.py where the name of the
service can be overridden.
> However if you want to replace named with bind completely, it requires
> much more changes.
>
Martin, what is the effort necessary here?
>>
>> - config/service files that use hardcoded paths in them need to be moved
>> to a template, and use paths.py macros:
>> * install/conf/ipa.conf
>> * init/systemd/ipa_memcached.service
>>
>> - same but with hardcoded usernames
>> * init/ipa_memcached.conf
> A discussion with other developers is needed how to resolve these files
Converting to templates sounds reasonable to me. We already have
machinery to do this (ipautil.template_file), so this is a
straightforward change.
>>
>> - ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
>> because libapache2-mod-nss doesn't enable it on install (can't remember
>> why, but there was a good reason..)
> We did installer changes, Honza may know if this is possible.
This may be a step which calls out to a platform task - by default, this
would be an empty operation, on Debian, it would run whatever pre-setup
steps are needed.
I wonder if we should generalize this, but probably not before a need
arises.
>>
>> - various places using Fedora-specific libpaths (/usr/lib vs.
>> /usr/lib64), whereas on Debian these are /usr/lib/<tuple>, see
>> https://wiki.debian.org/Multiarch/Tuples
> I might be wrong, but I found different issues:
>> * ipaserver/install/ldapupdate.py
> this affects update files, and the same issue is for ldif files
> We can replace path '/var/lib(64)' with substitute variable in those
> files, and create a platform specific method to determine the correct
> path, or just substitute with value from ipaplatform/base/paths
>> * ipapython/certmonger.py
>> * ipaserver/install/certs.py
>> * ipaserver/install/ipa_backup.py
>> * ipaserver/install/ipa_restore.py
> Here for libpath we can use ipaplatform task.py or path.py if it is enough
> The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths
Constants or Paths namespace should handle this case.
>>
>> - ntp daemon defaults use a different variable name (OPTIONS vs
>> NTPD_OPTS), and quotes (" vs. ')
>> * ipaserver/install/ntpinstance.py
> IMO here also default pools should be excluded to constants as a list of
> ntp servers per platform.
> OPTIONS can be excluded to ipaplatform/constants.py
> Probably the " or ' issue can be handled in the same way
Constants can probably handle this, if not, a platform specific task can
be used.
>>
>> - "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
>> absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
>> 'conf.d' on Fedora and then conf-enabled on Debian
> ok
Probably a full path should be used here.
>>
>> - install/share/bind.named.conf.template needs to drop the default zone
>> on Debian, since that's already configured via includes (-> bind fails
>> to start), so a template file with an exception for Debian would fix it
> The solution here can be augeas, but I'm not sure if we will be able to
> move to augeas soon enough.
> This is the same issue as with ipa.conf
We don't need to wait for augeas, just have a platform task (doing
nothing on Fedora) that will alter the named.conf file during its
generation.
>>
>> - Makefile needs to use --install-layout=deb for setup.py
I guess we can have a platform env variable for the Makefile?
>>
>> - ipa-client/ipa-install/ipa-client-automount needs to check for
>> variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
>> for NTPD_OPTS)
> Leaving this for others.
It can be abstracted into a platform specific task.
>>
>>
>> There.. that should be all I think :) Oh, forgot that currently dnssec
>> needs to be disabled by some heavy patching, because 9.10.x isn't
>> packaged yet..
Thanks for enumerating the issues Timo, I filed a ticket summing this up:
https://fedorahosted.org/freeipa/ticket/5343
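
The pattern discussed in this thread (per-platform constants, a platform task that is a no-op by default, and templated config files), as an added sketch that is not FreeIPA code and not part of the original message. All class, attribute and function names are hypothetical, the templates are constructed, and Python's `string.Template` stands in for the project's own template machinery; only the values (apache/www-data, named/bind, OPTIONS/NTPD_OPTS, the quote styles, `a2enmod nss`) come from the thread.

```python
from string import Template


class BaseConstants:
    # Fedora-style defaults named in the thread; attribute names are hypothetical.
    HTTPD_USER = "apache"
    NAMED_USER = "named"
    NTPD_OPTS_VAR = "OPTIONS"
    NTPD_OPTS_QUOTE = '"'


class DebianConstants(BaseConstants):
    HTTPD_USER = "www-data"
    NAMED_USER = "bind"
    NTPD_OPTS_VAR = "NTPD_OPTS"
    NTPD_OPTS_QUOTE = "'"


class BaseTasks:
    def pre_httpd_setup(self):
        """Commands to run before Apache is configured; empty by default."""
        return []


class DebianTasks(BaseTasks):
    def pre_httpd_setup(self):
        # libapache2-mod-nss does not enable the module on install (per the thread).
        return [["a2enmod", "nss"]]


PLATFORMS = {"fedora": (BaseConstants, BaseTasks),
             "debian": (DebianConstants, DebianTasks)}

# Constructed templates, not the project's real config files.
MEMCACHED_TEMPLATE = "USER=${HTTPD_USER}\n"
NTP_TEMPLATE = "${NTPD_OPTS_VAR}=${NTPD_OPTS_QUOTE}${opts}${NTPD_OPTS_QUOTE}\n"


def render(template, constants, **extra):
    """Fill a template from platform constants; unknown placeholders raise KeyError."""
    values = {n: getattr(constants, n) for n in dir(constants) if n.isupper()}
    values.update(extra)
    return Template(template).substitute(values)


def plan(platform, ntp_opts="-g"):
    """Return the commands and rendered files an installer would use on a platform."""
    constants, tasks = PLATFORMS[platform]
    return {"commands": tasks().pre_httpd_setup(),
            "memcached": render(MEMCACHED_TEMPLATE, constants),
            "ntp": render(NTP_TEMPLATE, constants, opts=ntp_opts)}


if __name__ == "__main__":
    for name in PLATFORMS:
        print(name, plan(name))
```

Because `substitute` raises on a placeholder that no platform defines, a template that references a missing constant fails at install time instead of writing a file with the wrong service user.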