[Freeipa-devel] [PATCH 0052] Create server-dns sub-package

Tue Jul 14 14:46:29 UTC 2015

On Tue, 14 Jul 2015, Petr Spacek wrote:
>On 14.7.2015 16:29, Jan Cholasta wrote:
>> Dne 14.7.2015 v 14:33 Petr Spacek napsal(a):
>>> On 2.7.2015 09:56, Petr Spacek wrote:
>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>>>>> Can this be done without adding server-core?
>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies as
>>>>>>>>> Requires straight into freeipa-server package).
>>>>>>>>>
>>>>>>>>>> Because it's not server core,
>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>>>>
>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
>>>>>>>>> so my
>>>>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>>>>> more and more.
>>>>>>>>
>>>>>>>> Well, I don't like the fact that in order to install IPA server
>>>>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>>>>> freeipa-server is good enough.
>>>>>>> I think you are misunderstanding what the guidelines say. -compat
>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>>>>> help to pull the right packages. It is not supposed to be a
>>>>>>> full-featured package with content.
>>>>>>
>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>>>>> requires and obsoletes only - hence my suggestion to rename it according to
>>>>>> the guidelines.
>>>>> That's not good.
>>>>>
>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the main
>>>>>>> package and pulls in Samba-related bits. We also don't have any -compat
>>>>>>> or metapackage for it.
>>>>>>
>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>>>>
>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>>>>> there are no upgrade issues with it, which is what Petr is trying to solve
>>>>>> with his patch.
>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
>>>>
>>>> Unfortunately, no.
>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
>>>> provider)
>>>> => upgrade could break non-FreeIPA installations.
>>>>
>>>> I'm attempting to rework the patch now, stay tuned.
>>>
>>> Apparently this thread was abandoned during my PTO so I'm sending new patch
>>> here. It includes the -compat package and works with YUM and DNF.
>>
>> I don't like that freeipa-server got renamed to freeipa-server-core, but I
>> won't push against it if Alexander and others (CCing Simo) are OK with it.
>
>For the record, I was not able to make it work without the rename.
This is on my review list for this week.
-- 
/ Alexander Bokovoy