[Fedora-directory-devel] Read only config

Pete Rowley prowley at redhat.com
Sat Feb 10 01:01:31 UTC 2007


Pete Rowley wrote:
> Richard Megginson wrote:
>> Andrew Bartlett wrote:
>>> On Fri, 2007-02-09 at 12:40 -0600, Dennis Gilmore wrote:
>>>  
>>>> On Friday 09 February 2007 11:37, Richard Megginson wrote:
>>>>   
>>>>> Howard Chu wrote:
>>>>>     
>>>>>>> Date: Fri, 09 Feb 2007 08:15:11 -0700
>>>>>>>
>>>>>>> From: Richard Megginson <rmeggins at redhat.com>
>>>>>>>
>>>>>>> Andrew Bartlett wrote:
>>>>>>>         
>>>>>>>>> On Thu, 2007-02-08 at 20:23 -0800, Pete Rowley wrote:
>>>>>>>>>
>>>>>>>>> The Debian folks (who take FHS seriously) won't buy that.  The real test
>>>>>>>>> is the ability to have a read only /etc.  This sounds like a /var/lib
>>>>>>>>> thing.
>> I think there are two things which are required by Fedora DS to 
>> satisfy the requirements.
>> 1) Need to be able to specify, during configure, the default path for 
>> instance specific writable config files.  This would allow you to do 
>> something like:
>> ./configure --with-instconfigdir=/var/lib/fedora-ds ....
>> If not specified, the default would be 
>> $(sysconfigdir)/$(PACKAGE_NAME).  When you specify this, you can use 
>> ds_newinst.pl to create a new instance without having to specify 
>> config_dir=/var/lib/fedora-ds/slapd-instance in your .inf file.  I 
>> think this would solve the immediate problem.
>>
>> However, the real problem here is that you may want to run your 
>> server with a read-only config for security reasons.  So
>> 2) Need to be able to run the server with read-only config.  The 
>> first time the server starts up, it would need to have a writable 
>> config dir, but after that, it should be able to run with a read-only 
>> config.  This would involve several changes to the server, and would 
>> necessitate adding another server directory to store state 
>> information (or just use the dbdir for this).  I think the uuid gen 
>> and csn gen (and now the dna plugin) need to store state information 
>> which is now stored in dse.ldif.  We would have to move this 
>> information to some other location.
> We might consider having a particular subtree for dynamic 
> configuration, i.e. that which is updated automatically with persistent 
> run time state changes rather than as a consequence of direct admin 
> initiated config changes; we could then make that a separate 
> back-ldif backend with its own location.
Or, for performance reasons - dbm.

-- 
Pete
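
The split suggested in the thread above, as an added example that is not part of the original messages or the Fedora DS code: entries under a dedicated state subtree are separated from admin-managed config, so the config file can stay read-only while state lives elsewhere. The subtree name cn=state,cn=config, the exampleState attribute and the sample LDIF are assumptions constructed for illustration.

```python
# Hypothetical state subtree; the thread proposes one but does not name it.
STATE_SUFFIX = "cn=state,cn=config"

# Constructed sample; entry and attribute names are illustrative, not real schema.
SAMPLE_LDIF = """\
dn: cn=config
cn: config

dn: cn=uuid generator,cn=state,cn=config
cn: uuid generator
exampleState: AAAA
 BBBB

dn: cn=csn generator, CN=State, cn=config
cn: csn generator
exampleState: 0001
"""

def parse_entries(text):
    """Return entries as lists of unfolded 'attr: value' lines."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith(" ") and current:   # folded continuation line
            current[-1] += line[1:]
        elif not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):         # skip comment lines
            current.append(line)
    if current:
        entries.append(current)
    return entries

def normalize_dn(dn):
    """Lower-case and trim each RDN; enough for DNs without escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def split_config(text, state_suffix=STATE_SUFFIX):
    """Partition entries into (static, state) by DN suffix."""
    suffix = normalize_dn(state_suffix)
    static, state = [], []
    for entry in parse_entries(text):
        dn = normalize_dn(entry[0].split(":", 1)[1])  # assumes plain 'dn:' first
        in_state = dn == suffix or dn.endswith("," + suffix)
        (state if in_state else static).append(entry)
    return static, state
```

The static list is what would be written to the read-only config location and the state list to a writable directory; base64-encoded DNs (dn::) are not handled here.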
