[Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

Fraser Tweedale ftweedal at redhat.com
Fri May 13 04:48:41 UTC 2016


On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> The patch itself is fine.
> 
> I'm just struggling with where this script should exist.
> 
> pki-server ca-cert-db-upgrade seems like an awfully generic description
> for this operation - which basically provides a very specific db
> migration.  For that matter, why not ca-db-upgrade?
> 
My thinking was that, in the future, whatever DB upgrades are needed
for a subsystem could be added to the command.

So on that, I take your point re "ca-db-upgrade" and will cut a new
patch with that command name.

> What happens the next time someone needs to do a CA DB upgrade?
> I'm almost wondering if a separate pki-db tool is needed.
> 
I think having it as part of pki-server(1) is a satisfactory fit.

> For that matter though, it's possible that the database is quite large
> so attempting to do this automatically during upgrade is probably not
> advisable.
> 
We can leave it as a manual step for now (for Dogtag itself).

ipa-server-install may need to run it.  In the future, to avoid
unnecessary work, we can track which "steps" have been run (either
on disk or, preferably, in LDAP itself).  Updates themselves should
be idempotent.

> Opening up for others to chime in ..
> 
> Ade
> 
> On Tue, 2016-05-10 at 08:32 +1000, Fraser Tweedale wrote:
> > On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote:
> > > Isn't all this predicated on a schema change that adds the issuer
> > > as an optional field for the certRecord?
> > > 
> > The schema already exists but was unused.
> > 
> > > Ade
> > > 
> > > On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale wrote:
> > > > Hi all,
> > > > 
> > > > The following patch adds a pki-server subcommand for updating
> > > > certificate records to add the issuerName attribute.
> > > > 
> > > > It is for #1667 (Database upgrade script to add issuerName
> > > > attribute to all cert entries).
> > > > 
> > > > Follow-up question: should I (and if so, how should I) also add
> > > > an upgrade scriptlet to perform the upgrade for Dogtag CA
> > > > subsystem on the host?  Is there a precedent for invoking
> > > > pki-server (or subroutines thereof) from pki-server-upgrade
> > > > scriptlets?
> > > > 
> > > > Cheers,
> > > > Fraser
> > > > _______________________________________________
> > > > Pki-devel mailing list
> > > > Pki-devel at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/pki-devel
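
Added example (not part of the thread or of the Dogtag patch): a sketch of the idempotent, step-tracked upgrade discussed in the reply above, with the record of completed steps kept in the directory itself. An in-memory dict is a constructed stand-in for LDAP; the marker DN, step id, sample entries and helper names are hypothetical.

```python
# Constructed stand-in for an LDAP cert repository: DN -> attribute dict.
# The marker DN, step id and entry layout are hypothetical, not Dogtag's own.
STEP_ID = "add-issuerName"
MARKER_DN = "cn=upgradeSteps,ou=ca,o=example"


def issuer_of(entry):
    """Placeholder for decoding the issuer DN from the stored certificate."""
    return entry["userCertificate"]["issuer"]


def upgrade_issuer_name(directory, force=False):
    """Add issuerName to cert records that lack it; return the number modified.

    Safe to re-run: entries that already carry issuerName are left untouched,
    and the step is recorded in the directory only after a full pass.
    """
    done = directory.setdefault(MARKER_DN, {"completedStep": []})["completedStep"]
    if STEP_ID in done and not force:
        return 0  # step already recorded: skip the scan of a possibly large DB
    modified = 0
    for dn, entry in directory.items():
        if "certRecord" not in entry.get("objectClass", ()):
            continue  # not a certificate record (e.g. the marker entry)
        if "issuerName" in entry:
            continue  # idempotence: never rewrite an already-upgraded record
        entry["issuerName"] = issuer_of(entry)
        modified += 1
    if STEP_ID not in done:
        done.append(STEP_ID)
    return modified


def sample_directory():
    """Three constructed cert records; one was upgraded by an interrupted run."""
    ca = "CN=CA Signing Certificate,O=EXAMPLE"

    def rec(serial, **extra):
        return dict(objectClass=["top", "certRecord"],
                    userCertificate={"serial": serial, "issuer": ca}, **extra)
    return {
        "cn=1,ou=certificateRepository,ou=ca,o=example": rec(1, issuerName=ca),
        "cn=2,ou=certificateRepository,ou=ca,o=example": rec(2),
        "cn=3,ou=certificateRepository,ou=ca,o=example": rec(3),
    }


if __name__ == "__main__":
    d = sample_directory()
    print(upgrade_issuer_name(d), upgrade_issuer_name(d), upgrade_issuer_name(d, force=True))
```

Writing the marker last means an interrupted run leaves the step unrecorded, and the per-entry check makes the repeat pass touch only the records still missing the attribute.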
