[Fedora-directory-devel] Read only config

Pete Rowley prowley at redhat.com
Sat Feb 10 00:56:46 UTC 2007


Richard Megginson wrote:
> Andrew Bartlett wrote:
>> On Fri, 2007-02-09 at 12:40 -0600, Dennis Gilmore wrote:
>>  
>>> On Friday 09 February 2007 11:37, Richard Megginson wrote:
>>>    
>>>> Howard Chu wrote:
>>>>      
>>>>>> Date: Fri, 09 Feb 2007 08:15:11 -0700
>>>>>>
>>>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>>>>
>>>>>> Andrew Bartlett wrote:
>>>>>>          
>>>>>>>> On Thu, 2007-02-08 at 20:23 -0800, Pete Rowley wrote:
>>>>>>>>
>>>>>>>> The Debian folks (who take FHS seriously) won't buy that.  The real test
>>>>>>>> is the ability to have a read only /etc.  This sounds like a /var/lib
>>>>>>>> thing.
>>>>>>>>               
> I think there are two things which are required by Fedora DS to 
> satisfy the requirements.
> 1) Need to be able to specify, during configure, the default path for 
> instance specific writable config files.  This would allow you to do 
> something like:
> ./configure --with-instconfigdir=/var/lib/fedora-ds ....
> If not specified, the default would be 
> $(sysconfigdir)/$(PACKAGE_NAME).  When you specify this, you can use 
> ds_newinst.pl to create a new instance without having to specify 
> config_dir=/var/lib/fedora-ds/slapd-instance in your .inf file.  I 
> think this would solve the immediate problem.
>
> However, the real problem here is that you may want to run your server 
> with a read-only config for security reasons, so
> 2) Need to be able to run the server with read-only config.  The first 
> time the server starts up, it would need to have a writable config 
> dir, but after that, it should be able to run with a read-only 
> config.  This would involve several changes to the server, and would 
> necessitate adding another server directory to store state information 
> (or just use the dbdir for this).  I think the uuid gen and csn gen 
> (and now the dna plugin) need to store state information which is now 
> stored in dse.ldif.  We would have to move this information to some 
> other location.
We might consider having a particular subtree for dynamic configuration, 
i.e. that which is updated automatically with persistent run time state 
changes rather than as a consequence of direct admin initiated config 
changes; we could then make that a separate back-ldif backend with its 
own location.

-- 
Pete
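
The split proposed in the reply above, as an added illustration (not code from Fedora DS or from anyone in the thread): entries under one dynamic-configuration subtree are separated from admin-edited config, so the latter can live on a read-only /etc while the former goes to a writable state location. The subtree DN `cn=state,cn=config`, the attribute `exampleState` and the sample entries are hypothetical and constructed for the example.

```python
# Hypothetical DN for the dynamic-configuration subtree; the thread names none.
STATE_SUFFIX = "cn=state,cn=config"

# Constructed sample in dse.ldif style; exampleState is a made-up attribute.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
nsslapd-port: 389

dn: cn=uuid generator,cn=state,cn=config
objectClass: top
exampleState: AAAA
 BBBB

dn: cn=CSN Generator, cn=State, cn=Config
objectClass: top
exampleState: CCCC
"""

def parse_ldif(text):
    """Return [(dn, lines)], unfolding continuation lines (plain 'dn: ' only)."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]            # folded line continues the previous one
        elif not raw.strip():
            if current:
                if not current[0].lower().startswith("dn: "):
                    raise ValueError("entry does not start with a plain dn: line")
                entries.append((current[0][4:].strip(), current))
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return entries

def is_under(dn, suffix):
    """Case-insensitive suffix match on RDN boundaries (no escaped commas)."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    return norm(dn) == norm(suffix) or norm(dn).endswith("," + norm(suffix))

def split_config(text, suffix=STATE_SUFFIX):
    """Return (static_ldif, state_ldif): admin config vs. run-time state entries."""
    out = ([], [])
    for dn, lines in parse_ldif(text):
        out[1 if is_under(dn, suffix) else 0].append("\n".join(lines) + "\n")
    return "\n".join(out[0]), "\n".join(out[1])
```
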
