On 08/15/2012 03:54 PM, Ade Lee wrote: > On Wed, 2012-08-15 at 13:24 +0200, Martin Kosek wrote: >> On 08/08/2012 10:05 PM, Ade Lee wrote: >>> Hi, >>> >>> Dogtag 10 is being released on f18, and has a number of changes that >>> will affect IPA. In particular, the following changes will affect >>> current IPA code. >>> >>> * The directory layout of the dogtag instance has changed. Instead of >>> using separate tomcat instances to host different subsystems, the >>> standard dogtag installation will allow one to install a CA. KRA, OCSP >>> and TKS within the same instance. There have been corresponding changes >>> in the directory layout, as well as the default instance name >>> (pki-tomcat instead of pki-ca), and startup daemon (pki-tomcatd, instead >>> of pki-cad, pki-krad etc.) >>> >>> * The default instance will use only four ports (HTTPS, HTTP, AJP and >>> tomcat shutdown port) rather than the 6 previously used. The default >>> ports will be changed to the standard tomcat ports. As these ports are >>> local to the ipa server machine, this should not cause too much >>> disruption. >>> >>> * There is a new single step installer written in python. >>> (pkispawn/destroy) vs. pkicreate/pkisilent/pkiremove. >>> >>> * Dogtag 10 runs on tomcat7 - with a new corresponding version of >>> tomcatjss. >>> >>> The attached patch integrates all the above changes in IPA installation >>> and maintenance code. Once the patch is applied, users will be able to: >>> >>> 1. run ipa-server-install to completion on f18 with dogtag 10. >>> 2. install a new replica on f18 on dogtag 10. >>> 3. upgrade an f17 machine with an existing IPA instance to f18/ dogtag >>> 10 - and have that old-style dogtag instance continue to run correctly. >>> This will require the installation of the latest version of tomcatjss as >>> well as the installation of tomcat6. The old-style instance will >>> continue to use tomcat6. >>> 4. in addition, the new cert renewal code has been patched and should >>> continue to work. >>> >>> What is not yet completed / supported: >>> >>> 1. Installation with an external CA is not yet completed in the new >>> installer. We plan to complete this soon. >>> >>> 2. There is some IPA upgrade code that has not yet been touched >>> (install/tools/ipa-upgradeconfig). >>> >>> 3. A script needs to be written to allow admins to convert their >>> old-style dogtag instances to new style instances, as well as code to >>> periodically prompt admins to do this. >>> >>> 4. Installation of old-style instances using pkicreate/pkisilent on >>> dogtag 10 will no longer be supported, and will be disabled soon. >>> >>> 5. The pki-selinux policy has been updated to reflect these changes, >>> but is still in flux. In fact, it is our intention to place the dogtag >>> selinux policy in the base selinux policy for f18. In the meantime, it >>> may be necessary to run installs in permissive mode. >>> >>> The dogtag 10 code will be released shortly into f18. Prior to that >>> though, we have placed the new dogtag 10 and tomcatjss code in a >>> developer repo that is located at >>> http://nkinder.fedorapeople.org/dogtag-devel/ >>> >>> Testing can be done on both f18 and f17 - although the target platform - >>> and the only platform for which official builds will be created is f18. >>> >>> Thanks, >>> Ade >>> >> >> Hi Ade, >> >> Thanks for the patch, I started with review and integration tests (currently >> running on Fedora 17 with Nathan's repo). >> >> Installation on single master was smooth, it worked just fine, even with >> enforced SELinux, without any error - kudos to you and the whole dogtag team. >> The resulting logs and the structure of your log directory seems improved. I >> believe that the brand new Python installers will make it easier to debug >> issues with dogtag installation when they come. When I tried our unit tests >> or >> some simple cert operation, it worked fine as well. >> >> Now the bad news, or rather few issues and suggestions I found: >> >> 1) As we already discussed on IRC, tomcat 7 was not pulled automatically on >> Fedora 17 when I updated pki-ca, you somewhere miss a Requires. >> > We have a dogtag patch that is currently in review that will address > this. Once this is in, tomcatjss >=7.0.0 will be required for f17+, > rather than f18+ > >> 2) I had installed IPA with dogtag10 on master. However, CA installation on a >> replica (ipa-ca-install) with dogtag9 failed - is this expectable? >> > Yes. The current IPA patch is designed to work with dogtag 10 only, > which will be officially available on f18+. So if you update to dogtag > 10, you must have this patch and visa versa. We probably need to add > the relevant requires to IPA to enforce this. > > If you have an existing dogtag 9 instance, and you upgrade to the new > dogtag 10 and patched IPA, then that instance will continue to work. > But any new instances would be created using dogtag 10. > >> 3) I had installed IPA with dogtag10 on master. Replica had dogtag10 as well >> and I got the following error: >> >> # ipa-ca-install /home/mkosek/replica-info-vm-114.idm.lab.bos.redhat.com.gpg >> ... >> Configuring certificate server: Estimated time 3 minutes 30 seconds >> [1/14]: creating certificate server user >> [2/14]: configuring certificate server instance >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> Unexpected error - see /var/log/ipareplica-ca-install.log for details: >> IOError: [Errno 2] No such file or directory: >> '/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12' >> >> Root cause: >> ... >> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line >> 625, in __spawn_instance >> "/root/cacert.p12") >> ... >> > I need to look into this. I had fixed ipa-replica-install, rather than > ipa-ca-install to create replicas. I didn't know ipa-ca-install > existed! Should not be too bad to fix though - most likely just need to > move files to the right place.
Ok, thanks! Btw. CA on replica can be either installed during ipa-replica-install time (when --setup-ca option is passed, you probably used that one) and the aforementioned ipa-ca-install run after ipa-replica-install. > >> 4) What ports does replica need to be open on the master when installing a >> CA? >> Currently, ipa-replica-conncheck does a port check and checks only for 7389, >> i.e. a port of backend LDAP instance for CA. >> > Well, right now - the ports required are 80,443 (to get to the CA) and > 7389 (for the backend LDAP of the CA). Later, when I submit the patch > to merge the CA and IPA databases, the ldap port required will be 389. Then it is OK, these all ports are already covered in ipa-replica-conncheck. > >> >> Now to the patch itself. >> >> 5) The patch needs a rebase >> > Yup - will rebase in my next submission. > >> 6) The patch itself looks and works fine (with the issues I wrote above), but >> there is currently a lot of hard-coded file paths, instance names or ports. I >> think it would be really great to move most of this to the platform code >> (ipapython/platform/). I think that ideal solution would allow us to choose >> if >> we want to build FreeIPA with dogtag9 or dogtag10 environment in a build >> time. >> >> I am not saying that it is something you would need to do, its just a >> proposal >> also for other developers. This step would enable us to: >> a) Consolidate CA ports, file paths, instance names etc. to one place >> b) Easily build IPA to non-Fedora platforms where we still need to use >> dogtag9 >> > > This is a great idea. The hard-coded paths etc. are all following the > conventions that were already present. I think you should open a ticket > for this - and we should address this in a separate patch. I will let other developers comment on this proposal, if we get some agreement, I will open a ticket. I have also found 2 more issues: 7) pki-deploy package does not require any other pki-* package, this does not look ok. This way I was able to have pki-ca-9.* and pki-deploy-10.* installed at one time. I doubt it would work that way. 8) Did you test upgrade from installed IPA+dogtag9 to patchedIPA+dogtag10? I did that on Fedora 17 and pki-ca did not start after upgrade. Attaching logs my VM after I tried to (re)start pki-ca. Martin
_______________________________________________ Freeipa-devel mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-devel