[Freeipa-devel] [PATCH 0052] Create server-dns sub-package

Simo Sorce simo at redhat.com
Fri Jul 17 12:52:30 UTC 2015



----- Original Message -----
> From: "Jan Cholasta" <jcholast at redhat.com>
> To: "Simo Sorce" <simo at redhat.com>, "Petr Spacek" <pspacek at redhat.com>
> Cc: freeipa-devel at redhat.com, "Alexander Bokovoy" <abokovoy at redhat.com>
> Sent: Thursday, July 16, 2015 2:08:09 AM
> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> 
> On 15.7.2015 at 19:39, Simo Sorce wrote:
> > ----- Original Message -----
> >> From: "Petr Spacek" <pspacek at redhat.com>
> >> To: "Jan Cholasta" <jcholast at redhat.com>, freeipa-devel at redhat.com,
> >> "Alexander Bokovoy" <abokovoy at redhat.com>
> >> Cc: "Simo Sorce" <simo at redhat.com>
> >> Sent: Tuesday, July 14, 2015 10:33:41 AM
> >> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> >>
> >> On 14.7.2015 16:29, Jan Cholasta wrote:
> >>> On 14.7.2015 at 14:33, Petr Spacek wrote:
> >>>> On 2.7.2015 09:56, Petr Spacek wrote:
> >>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
> >>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
> >>>>>>>>>>> Can this be done without adding server-core?
> >>>>>>>>>> I'm not aware of such a method (except for adding all DNS
> >>>>>>>>>> dependencies as Requires straight into freeipa-server package).
> >>>>>>>>>>
> >>>>>>>>>>> Because it's not server core,
> >>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
> >>>>>>>>>>
> >>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for a sub-package for CA
> >>>>>>>>>> too, so my idea was to create a 'core' package which will be
> >>>>>>>>>> gradually reduced more and more.
> >>>>>>>>>
> >>>>>>>>> Well, I don't like the fact that in order to install IPA server
> >>>>>>>>> without DNS you have to install freeipa-server-core instead of just
> >>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
> >>>>>>>>> metapackage should be named freeipa-server-compat, so I guess
> >>>>>>>>> renaming
> >>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
> >>>>>>>>> freeipa-server is good enough.
> >>>>>>>> I think you are misunderstanding what the guidelines say. -compat
> >>>>>>>> subpackage is something that only contains Requires: and Obsoletes:,
> >>>>>>>> to
> >>>>>>>> help to pull the right packages. It is not supposed to be a
> >>>>>>>> full-featured package with content.
> >>>>>>>
> >>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage
> >>>>>>> with
> >>>>>>> requires and obsoletes only - hence my suggestion to rename it
> >>>>>>> according to
> >>>>>>> the guidelines.
> >>>>>> That's not good.
> >>>>>>
> >>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
> >>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the
> >>>>>>>> main
> >>>>>>>> package and pulls in Samba-related bits. We also don't have any
> >>>>>>>> -compat
> >>>>>>>> or metapackage for it.
> >>>>>>>
> >>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is*
> >>>>>>> required by
> >>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
> >>>>>>>
> >>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad,
> >>>>>>> because
> >>>>>>> there are no upgrade issues with it, which is what Petr is trying to
> >>>>>>> solve
> >>>>>>> with his patch.
> >>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination
> >>>>>> we
> >>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
> >>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
> >>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
> >>>>>
> >>>>> Unfortunately, no.
> >>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> >>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
> >>>>> provider)
> >>>>> => upgrade could break non-FreeIPA installations.
> >>>>>
> >>>>> I'm attempting to rework the patch now, stay tuned.
> >>>>
> >>>> Apparently this thread was abandoned during my PTO, so I'm sending a new
> >>>> patch here. It includes the -compat package and works with YUM and DNF.
> >>>
> >>> I don't like that freeipa-server got renamed to freeipa-server-core, but
> >>> I
> >>> won't push against it if Alexander and others (CCing Simo) are OK with
> >>> it.
> >>
> >> For the record, I was not able to make it work without the rename.
> >
> > My opinion is that if we run dnf install freeipa-server, then we need to
> > get freeipa server packages.
> > If this is what happens I am ok with patches, otherwise I am not.
> 
> Without the patch, "dnf install freeipa-server" installs freeipa server
> without DNS dependencies.
> 
> With the first version of the patch, "dnf install freeipa-server"
> installs freeipa server with all DNS dependencies. To install freeipa
> server without DNS dependencies, you need to run "dnf install
> freeipa-server-core". (Note that with this patch freeipa-server is a
> meta-package with no files.)
> 
> With the second version of the patch, "dnf install freeipa-server"
> fails, because there is no freeipa-server anymore. To install freeipa
> server without DNS dependencies, you need to run "dnf install
> freeipa-server-core".

I do not find any of these alternatives satisfactory, as they all break existing
automation that our users may have built.
However, should nothing else come up, the first version of the patch sounds better
than the second.

Simo.



