[Freeipa-devel] [PATCH 0052] Create server-dns sub-package

Thu Jul 16 11:47:57 UTC 2015

On 16.7.2015 08:33, Alexander Bokovoy wrote:
> On Thu, 16 Jul 2015, Jan Cholasta wrote:
>> Dne 15.7.2015 v 19:39 Simo Sorce napsal(a):
>>> ----- Original Message -----
>>>> From: "Petr Spacek" <pspacek at redhat.com>
>>>> To: "Jan Cholasta" <jcholast at redhat.com>, freeipa-devel at redhat.com,
>>>> "Alexander Bokovoy" <abokovoy at redhat.com>
>>>> Cc: "Simo Sorce" <simo at redhat.com>
>>>> Sent: Tuesday, July 14, 2015 10:33:41 AM
>>>> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
>>>>
>>>> On 14.7.2015 16:29, Jan Cholasta wrote:
>>>>> Dne 14.7.2015 v 14:33 Petr Spacek napsal(a):
>>>>>> On 2.7.2015 09:56, Petr Spacek wrote:
>>>>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>>>>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>>>>>>>> Can this be done without adding server-core?
>>>>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies
>>>>>>>>>>>> as
>>>>>>>>>>>> Requires straight into freeipa-server package).
>>>>>>>>>>>>
>>>>>>>>>>>>> Because it's not server core,
>>>>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>>>>>>>
>>>>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
>>>>>>>>>>>> so my
>>>>>>>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>>>>>>>> more and more.
>>>>>>>>>>>
>>>>>>>>>>> Well, I don't like the fact that in order to install IPA server
>>>>>>>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>>>>>>>> metapackage should be named freeipa-server-compat, so I guess
>>>>>>>>>>> renaming
>>>>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>>>>>>>> freeipa-server is good enough.
>>>>>>>>>> I think you are misunderstanding what the guidelines say. -compat
>>>>>>>>>> subpackage is something that only contains Requires: and Obsoletes:,
>>>>>>>>>> to
>>>>>>>>>> help to pull the right packages. It is not supposed to be a
>>>>>>>>>> full-featured package with content.
>>>>>>>>>
>>>>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>>>>>>>> requires and obsoletes only - hence my suggestion to rename it
>>>>>>>>> according to
>>>>>>>>> the guidelines.
>>>>>>>> That's not good.
>>>>>>>>
>>>>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the
>>>>>>>>>> main
>>>>>>>>>> package and pulls in Samba-related bits. We also don't have any
>>>>>>>>>> -compat
>>>>>>>>>> or metapackage for it.
>>>>>>>>>
>>>>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is*
>>>>>>>>> required by
>>>>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>>>>>>>
>>>>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>>>>>>>> there are no upgrade issues with it, which is what Petr is trying to
>>>>>>>>> solve
>>>>>>>>> with his patch.
>>>>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>>>>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>>>>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
>>>>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
>>>>>>>
>>>>>>> Unfortunately, no.
>>>>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
>>>>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
>>>>>>> provider)
>>>>>>> => upgrade could break non-FreeIPA installations.
>>>>>>>
>>>>>>> I'm attempting to rework the patch now, stay tuned.
>>>>>>
>>>>>> Apparently this thread was abandoned during my PTO so I'm sending new
>>>>>> patch
>>>>>> here. It includes the -compat package and works with YUM and DNF.
>>>>>
>>>>> I don't like that freeipa-server got renamed to freeipa-server-core, but I
>>>>> won't push against it if Alexander and others (CCing Simo) are OK with it.
>>>>
>>>> For the record, I was not able to make it work without the rename.
>>>
>>> My opinion is that if we run dnf install freeipa-server, then we need to
>>> get freeipa server packages.
>>> If this is what happens I am ok with patches, otherwise I am not.
>>
>> Without the patch, "dnf install freeipa-server" installs freeipa server
>> without DNS dependencies.
>>
>> With the first version of the patch, "dnf install freeipa-server" installs
>> freeipa server with all DNS dependencies. To install freeipa server without
>> DNS dependencies, you need to run "dnf install freeipa-server-core". (Note
>> that with this patch freeipa-server is a meta-package with no files.)
>>
>> With the second version of the patch, "dnf install freeipa-server" fails,
>> because there is no freeipa-server anymore. To install freeipa server
>> without DNS dependencies, you need to run "dnf install freeipa-server-core".
> Can we do
> Provides: freeipa-server
> in freeipa-server-compat?

If I understood Honza correctly, he was objecting to this alias because it
would pull in DNS dependencies.

So I tried to add this Provides to freeipa-server-core package but I'm not
able to make this alias to work with DNF at all. With old Yum it pulls in
freeipa-server-dns instead of -core because the "Obsoletes" apparently has
higher priority than Provides. (No, "Provides" with explicit version does not
change anything.)

The only text I found about this is the advice 'do not do it' :-)

https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F

In other words, I'm not able to make to make the alias freeipa-server working
with the second version of my patch.

Again, this problem is related only to  the second/alternative version of the
patch where freeipa-server package does not pull in DNS dependencies. "dnf
install freeipa-server" works with first version of my patch which pulls in
DNS depencies.

I'm more than happy to take advice how to fix that. For now I would say that
first version of the patch is okay. It will solve the upgrade and we can
remove the 'Requires' in the next release because it will not be necessary for
upgrade anymore.

-- 
Petr^2 Spacek