On 2.7.2015 09:56, Petr Spacek wrote:
> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
>>>>>>> Can this be done without adding server-core?
>>>>>> I'm not aware of such a method (except for adding all DNS dependencies as
>>>>>> Requires straight into freeipa-server package).
>>>>>>
>>>>>>> Because it's not server core,
>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>
>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
>>>>>> so my idea was to create 'core' package which will be gradually
>>>>>> reduced more and more.
>>>>>
>>>>> Well, I don't like the fact that in order to install IPA server
>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>> freeipa-server is good enough.
>>>> I think you are misunderstanding what the guidelines say. -compat
>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>> help to pull the right packages. It is not supposed to be a
>>>> full-featured package with content.
>>>
>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>> requires and obsoletes only - hence my suggestion to rename it according to
>>> the guidelines.
>> That's not good.
>>
>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>> situation with freeipa-server-trust-ad -- it is not required by the main
>>>> package and pulls in Samba-related bits. We also don't have any -compat
>>>> or metapackage for it.
>>>
>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>
>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>> there are no upgrade issues with it, which is what Petr is trying to solve
>>> with his patch.
>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>> modifying main freeipa package we could modify bind-dyndb-ldap package
>> to require bind-pkcs11 and corresponding bits of freeipa packages?
> 
> Unfortunately, no.
> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 
> provider)
> => upgrade could break non-FreeIPA installations.
> 
> I'm attempting to rework the patch now, stay tuned.

Apparently this thread was abandoned during my PTO so I'm sending a new patch
here. It includes the -compat package and works with YUM and DNF.

-- 
Petr^2 Spacek
From da282e4d516dbc73c6475474b9ce4cfb52c6d7c7 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 1 Jul 2015 14:06:37 +0200
Subject: [PATCH] Create server-dns sub-package.

This allows us to automatically pull in package bind-pkcs11
and thus create an upgrade path for CentOS 7.1 -> 7.2.

IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.

https://fedorahosted.org/freeipa/ticket/4058
---
 freeipa.spec.in | 87 ++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 62 insertions(+), 25 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e78ad1a0851186c7fdb5ab0a4649b64b2b1e010f..b7f29bac6a9d5b4d1ad6ff6b2e433e474f33aa96 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -109,9 +109,25 @@ user, virtual machines, groups, authentication credentials), Policy
 logs, analysis thereof).
 
 %if ! %{ONLY_CLIENT}
-%package server
+%package server-compat
 Summary: The IPA authentication server
 Group: System Environment/Base
+Requires: %{name}-server-core = %{version}-%{release}
+Requires: %{name}-server-dns = %{version}-%{release}
+# upgrade from monolithic freeipa-server to freeipa-server-core + freeipa-server-dns
+Obsoletes: %{name}-server < 4.2.0
+
+%description server-compat
+IPA server with integrated DNS. Main IPA server functionality is provided by
+ipa-server-core package. Integrated DNS server is in ipa-server-dns package.
+
+
+%package server-core
+Summary: The IPA authentication server
+Group: System Environment/Base
+# upgrade from monolithic freeipa-server to freeipa-server-core + freeipa-server-dns
+Conflicts: %{name}-server < 4.2.0
+
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
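Review bot: server-compat obsoletes %{name}-server < 4.2.0, but nothing in this hunk provides that name, so once the old package is replaced, anything that still asks for %{name}-server by name (a dependent package, a kickstart, a plain install command) has nothing to resolve against. If the old name is meant to keep working, add a versioned Provides: %{name}-server = %{version}-%{release} next to the Obsoletes. Separately, the new %description hard-codes ipa-server-core and ipa-server-dns while the Requires lines use %{name}-server-core and %{name}-server-dns; using the macro in the description keeps it correct for either package name.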
@@ -162,31 +178,18 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 
 Conflicts: %{alt_name}-server
-Obsoletes: %{alt_name}-server < %{version}
+Conflicts: %{alt_name}-server-core
+Obsoletes: %{alt_name}-server-core < %{version}
 
 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
 # entire SELinux policy is stored in the system policy
 Obsoletes: freeipa-server-selinux < 3.3.0
 
-# We have a soft-requires on bind. It is an optional part of
-# IPA but if it is configured we need a way to require versions
-# that work for us.
-Conflicts: bind-dyndb-ldap < 6.0-4
-%if 0%{?fedora} >= 21
-Conflicts: bind < 9.9.6-3
-Conflicts: bind-utils < 9.9.6-3
-%else
-Conflicts: bind < 9.9.4-21
-Conflicts: bind-utils < 9.9.4-21
-%endif
-# DNSSEC
-Conflicts: opendnssec < 1.4.6-4
-
 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
 
-%description server
+%description server-core
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
 (configuration settings, access control information) and Audit (events,
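Review bot: replacing Obsoletes: %{alt_name}-server < %{version} with an Obsoletes on %{alt_name}-server-core leaves no package in the visible hunks that obsoletes the existing %{alt_name}-server, while Conflicts: %{alt_name}-server is kept and server-compat only obsoletes %{name}-server. If the cross-name upgrade path still matters, keep the old Obsoletes here or move it to server-compat. Also, the removed Conflicts on bind, bind-utils, bind-dyndb-ldap and opendnssec were what guarded a host that has those packages without server-dns; the commit message should say whether a core-only install next to an older, manually installed BIND is still a supported state.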
@@ -195,10 +198,37 @@ to install this package (in other words, most people should NOT install
 this package).
 
 
+%package server-dns
+Summary: IPA integrated DNS server (BIND 9) with DNSSEC support (OpenDNSSEC)
+Group: System Environment/Base
+Requires: %{name}-server-core = %{version}-%{release}
+
+Requires: bind-dyndb-ldap >= 6.0-4
+%if 0%{?fedora} >= 21
+Requires: bind >= 9.9.6-3
+Requires: bind-utils >= 9.9.6-3
+Requires: bind-pkcs11 >= 9.9.6-3
+Requires: bind-pkcs11-utils >= 9.9.6-3
+%else
+Requires: bind >= 9.9.4-21
+Requires: bind-utils >= 9.9.4-21
+Requires: bind-pkcs11 >= 9.9.4-21
+Requires: bind-pkcs11-utils >= 9.9.4-21
+%endif
+# DNSSEC
+Requires: opendnssec >= 1.4.6-4
+
+Obsoletes: %{alt_name}-server-dns < %{version}
+
+%description server-dns
+IPA integrated DNS server with support for automatic DNSSEC signing.
+DNS server implementation is BIND 9. DNSSEC signing is provided by OpenDNSSEC.
+
+
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
-Requires: %{name}-server = %version-%release
+Requires: %{name}-server-core = %version-%release
 Requires: m2crypto
 Requires: samba-python
 Requires: samba >= %{samba_version}
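Review bot: server-dns declares Obsoletes: %{alt_name}-server-dns < %{version} without the matching Conflicts: %{alt_name}-server-dns that server-core carries for its own alt name; make the two sub-packages consistent, or drop the Obsoletes if no such package was ever shipped. The block would also benefit from a one-line comment saying that bind-pkcs11 and bind-pkcs11-utils are the reason the former Conflicts became hard Requires, since that is the point of the change and it is only explained in the commit message.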
@@ -521,7 +551,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 rm -rf %{buildroot}
 
 %if ! %{ONLY_CLIENT}
-%post server
+%post server-core
 # NOTE: systemd specific section
     /bin/systemctl --system daemon-reload 2>&1 || :
 # END
@@ -529,7 +559,7 @@ if [ $1 -gt 1 ] ; then
     /bin/systemctl condrestart certmonger.service 2>&1 || :
 fi
 
-%posttrans server
+%posttrans server-core
 # This must be run in posttrans so that updates from previous
 # execution that may no longer be shipped are not applied.
 /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
@@ -546,7 +576,7 @@ if [  $? -eq 0 ]; then
 fi
 # END
 
-%preun server
+%preun server-core
 if [ $1 = 0 ]; then
 # NOTE: systemd specific section
     /bin/systemctl --quiet stop ipa.service || :
@@ -554,7 +584,7 @@ if [ $1 = 0 ]; then
 # END
 fi
 
-%pre server
+%pre server-core
 # Stop ipa_kpasswd if it exists before upgrading so we don't have a
 # zombie process when we're done.
 if [ -e /usr/sbin/ipa_kpasswd ]; then
@@ -674,13 +704,15 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
 fi
 
 %if ! %{ONLY_CLIENT}
-%files server -f server-python.list
+%files server-compat
+# metapackage
+
+%files server-core -f server-python.list
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
 %{_sbindir}/ipa-backup
 %{_sbindir}/ipa-restore
 %{_sbindir}/ipa-ca-install
-%{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-kra-install
 %{_sbindir}/ipa-server-install
 %{_sbindir}/ipa-replica-conncheck
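Review bot: ipa-dns-install leaves server-core here while ipa-server-install stays, and server-core has no Requires on server-dns, so a core-only host can run the server installer without BIND, bind-pkcs11 or OpenDNSSEC present. If the installer in server-core can still be asked to configure DNS, it needs an explicit check for server-dns with a clear error instead of failing partway through; otherwise note in the commit message that DNS setup now requires installing server-dns first.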
@@ -852,7 +884,6 @@ fi
 %{_mandir}/man1/ipa-server-certinstall.1.gz
 %{_mandir}/man1/ipa-server-install.1.gz
 %{_mandir}/man1/ipa-server-upgrade.1.gz
-%{_mandir}/man1/ipa-dns-install.1.gz
 %{_mandir}/man1/ipa-ca-install.1.gz
 %{_mandir}/man1/ipa-kra-install.1.gz
 %{_mandir}/man1/ipa-compat-manage.1.gz
@@ -868,6 +899,12 @@ fi
 %{_mandir}/man1/ipa-cacert-manage.1.gz
 %{_mandir}/man1/ipa-winsync-migrate.1.gz
 
+
+%files server-dns
+%{_sbindir}/ipa-dns-install
+%{_mandir}/man1/ipa-dns-install.1.gz
+
+
 %files server-trust-ad
 %{_sbindir}/ipa-adtrust-install
 %{_usr}/share/ipa/smb.conf.empty
-- 
2.4.3
