[Freeipa-devel] [PATCH 0052] Create server-dns sub-package

Simo Sorce simo at redhat.com
Fri Jul 17 12:57:47 UTC 2015



----- Original Message -----
> From: "Petr Spacek" <pspacek at redhat.com>
> To: "Alexander Bokovoy" <abokovoy at redhat.com>, "Jan Cholasta" <jcholast at redhat.com>
> Cc: "Simo Sorce" <simo at redhat.com>, freeipa-devel at redhat.com
> Sent: Thursday, July 16, 2015 7:47:57 AM
> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> 
> On 16.7.2015 08:33, Alexander Bokovoy wrote:
> > On Thu, 16 Jul 2015, Jan Cholasta wrote:
> >> On 15.7.2015 at 19:39, Simo Sorce wrote:
> >>> ----- Original Message -----
> >>>> From: "Petr Spacek" <pspacek at redhat.com>
> >>>> To: "Jan Cholasta" <jcholast at redhat.com>, freeipa-devel at redhat.com,
> >>>> "Alexander Bokovoy" <abokovoy at redhat.com>
> >>>> Cc: "Simo Sorce" <simo at redhat.com>
> >>>> Sent: Tuesday, July 14, 2015 10:33:41 AM
> >>>> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> >>>>
> >>>> On 14.7.2015 16:29, Jan Cholasta wrote:
> >>>>> On 14.7.2015 at 14:33, Petr Spacek wrote:
> >>>>>> On 2.7.2015 09:56, Petr Spacek wrote:
> >>>>>>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
> >>>>>>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
> >>>>>>>>>>>>> Can this be done without adding server-core?
> >>>>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies
> >>>>>>>>>>>> as Requires straight into freeipa-server package).
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Because it's not server core,
> >>>>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
> >>>>>>>>>>>> so my idea was to create 'core' package which will be gradually
> >>>>>>>>>>>> reduced more and more.
> >>>>>>>>>>>
> >>>>>>>>>>> Well, I don't like the fact that in order to install IPA server
> >>>>>>>>>>> without DNS you have to install freeipa-server-core instead of just
> >>>>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
> >>>>>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
> >>>>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
> >>>>>>>>>>> freeipa-server is good enough.
> >>>>>>>>>> I think you are misunderstanding what the guidelines say. -compat
> >>>>>>>>>> subpackage is something that only contains Requires: and Obsoletes:,
> >>>>>>>>>> to help to pull the right packages. It is not supposed to be a
> >>>>>>>>>> full-featured package with content.
> >>>>>>>>>
> >>>>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
> >>>>>>>>> requires and obsoletes only - hence my suggestion to rename it
> >>>>>>>>> according to the guidelines.
> >>>>>>>> That's not good.
> >>>>>>>>
> >>>>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
> >>>>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the
> >>>>>>>>>> main package and pulls in Samba-related bits. We also don't have any
> >>>>>>>>>> -compat or metapackage for it.
> >>>>>>>>>
> >>>>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is*
> >>>>>>>>> required by the main freeipa-server package, *unlike*
> >>>>>>>>> freeipa-server-trust-ad.
> >>>>>>>>>
> >>>>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
> >>>>>>>>> there are no upgrade issues with it, which is what Petr is trying to
> >>>>>>>>> solve with his patch.
> >>>>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
> >>>>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
> >>>>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
> >>>>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
> >>>>>>>
> >>>>>>> Unfortunately, no.
> >>>>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> >>>>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
> >>>>>>> provider)
> >>>>>>> => upgrade could break non-FreeIPA installations.
> >>>>>>>
> >>>>>>> I'm attempting to rework the patch now, stay tuned.
> >>>>>>
> >>>>>> Apparently this thread was abandoned during my PTO so I'm sending new
> >>>>>> patch here. It includes the -compat package and works with YUM and DNF.
> >>>>>
> >>>>> I don't like that freeipa-server got renamed to freeipa-server-core, but
> >>>>> I won't push against it if Alexander and others (CCing Simo) are OK with
> >>>>> it.
> >>>>
> >>>> For the record, I was not able to make it work without the rename.
> >>>
> >>> My opinion is that if we run dnf install freeipa-server, then we need to
> >>> get freeipa server packages.
> >>> If this is what happens I am ok with patches, otherwise I am not.
> >>
> >> Without the patch, "dnf install freeipa-server" installs freeipa server
> >> without DNS dependencies.
> >>
> >> With the first version of the patch, "dnf install freeipa-server" installs
> >> freeipa server with all DNS dependencies. To install freeipa server without
> >> DNS dependencies, you need to run "dnf install freeipa-server-core". (Note
> >> that with this patch freeipa-server is a meta-package with no files.)
> >>
> >> With the second version of the patch, "dnf install freeipa-server" fails,
> >> because there is no freeipa-server anymore. To install freeipa server
> >> without DNS dependencies, you need to run "dnf install
> >> freeipa-server-core".
> > Can we do
> > Provides: freeipa-server
> > in freeipa-server-compat?
> 
> If I understood Honza correctly, he was objecting to this alias because it
> would pull in DNS dependencies.
> 
> So I tried to add this Provides to freeipa-server-core package but I'm not
> able to make this alias to work with DNF at all. With old Yum it pulls in
> freeipa-server-dns instead of -core because the "Obsoletes" apparently has
> higher priority than Provides. (No, "Provides" with explicit version does not
> change anything.)
> 
> The only text I found about this is the advice 'do not do it' :-)
> 
> https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F
> 
> In other words, I'm not able to make the alias freeipa-server working
> with the second version of my patch.
> 
> Again, this problem is related only to the second/alternative version of the
> patch where freeipa-server package does not pull in DNS dependencies. "dnf
> install freeipa-server" works with first version of my patch which pulls in
> DNS dependencies.
> 
> 
> I'm more than happy to take advice how to fix that. For now I would say that
> first version of the patch is okay. It will solve the upgrade and we can
> remove the 'Requires' in the next release because it will not be necessary for
> upgrade anymore.

This would be wrong, if someone skips a version then all breaks.
Lots of people skip an interim Fedora version in order to update only once a
year, so this is common. We should not break these cases.

Simo.



