>>>>>>>>>>>>>> Can this be done without adding server-core?
>>>>>>>>>>>>> I'm not aware of such method (except of adding all DNS dependencies as
>>>>>>>>>>>>> Requires straight into freeipa-server package).
>>>>>>>>>>>>>> Because it's not server core,
>>>>>>>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
>>>>>>>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too so my
>>>>>>>>>>>>> idea was to create 'core' package which will be gradually reduced
>>>>>>>>>>>>> more and more.
>>>>>>>>>>>> Well, I don't like the fact that in order to install IPA server
>>>>>>>>>>>> without DNS you have to install freeipa-server-core instead of just
>>>>>>>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
>>>>>>>>>>>> metapackage should be named freeipa-server-compat, so I guess renaming
>>>>>>>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
>>>>>>>>>>>> freeipa-server is good enough.
>>>>>>>>>>> I think you are misunderstanding what the guidelines say. -compat
>>>>>>>>>>> subpackage is something that only contains Requires: and Obsoletes:, to
>>>>>>>>>>> help to pull the right packages. It is not supposed to be a
>>>>>>>>>>> full-featured package with content.
>>>>>>>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
>>>>>>>>>> requires and obsoletes only - hence my suggestion to rename it according to
>>>>>>>>>> the guidelines.
>>>>>>>>> That's not good.
>>>>>>>>>>> I think we are good enough with freeipa-server-dns. We have the same
>>>>>>>>>>> situation with freeipa-server-trust-ad -- it is not required by the main
>>>>>>>>>>> package and pulls in Samba-related bits. We also don't have any -compat
>>>>>>>>>>> or metapackage for it.
>>>>>>>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is* required by
>>>>>>>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
>>>>>>>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
>>>>>>>>>> there are no upgrade issues with it, which is what Petr is trying to solve
>>>>>>>>>> with his patch.
>>>>>>>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
>>>>>>>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>>>>>>>>> modifying main freeipa package we could modify bind-dyndb-ldap package
>>>>>>>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
>>>>>>>> Unfortunately, no.
>>>>>>>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
>>>>>>>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 provider)
>>>>>>>> => upgrade could break non-FreeIPA installations.
>>>>>>>> I'm attempting to rework the patch now, stay tuned.
>>>>>>> Apparently this thread was abandoned during my PTO so I'm sending new patch
>>>>>>> here. It includes the -compat package and works with YUM and DNF.
>>>>>> I don't like that freeipa-server got renamed to freeipa-server-core, but I
>>>>>> won't push against it if Alexander and others (CCing Simo) are OK with it.
>>>>> For the record, I was not able to make it work without the rename.
>>>> My opinion is that if we run dnf install freeipa-server, then we need to
>>>> get freeipa server packages.
>>>> If this is what happens I am ok with patches, otherwise I am not.
>>> Without the patch, "dnf install freeipa-server" installs freeipa server
>>> without DNS dependencies.
>>> With the first version of the patch, "dnf install freeipa-server" installs
>>> freeipa server with all DNS dependencies. To install freeipa server without
>>> DNS dependencies, you need to run "dnf install freeipa-server-core". (Note
>>> that with this patch freeipa-server is a meta-package with no files.)
>>> With the second version of the patch, "dnf install freeipa-server" fails,
>>> because there is no freeipa-server anymore. To install freeipa server
>>> without DNS dependencies, you need to run "dnf install freeipa-server-core".
>> Can we do
>> Provides: freeipa-server
>> in freeipa-server-compat?
> If I understood Honza correctly, he was objecting to this alias because it
> would pull in DNS dependencies.
> So I tried to add this Provides to freeipa-server-core package but I'm not
> able to make this alias to work with DNF at all. With old Yum it pulls in
> freeipa-server-dns instead of -core because the "Obsoletes" apparently has
> higher priority than Provides. (No, "Provides" with explicit version does not
> change anything.)
> The only text I found about this is the advice 'do not do it' :-)
> https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F
> In other words, I'm not able to make the alias freeipa-server working
> with the second version of my patch.
> Again, this problem is related only to the second/alternative version of the
> patch where freeipa-server package does not pull in DNS dependencies. "dnf
> install freeipa-server" works with first version of my patch which pulls in
> DNS dependencies.
> I'm more than happy to take advice how to fix that. For now I would say that
> first version of the patch is okay. It will solve the upgrade and we can
> remove the 'Requires' in the next release because it will not be necessary for
> upgrade anymore.

Third version of the patch is attached, please view.

- freeipa-server package continues to exist and does not include DNS 
- freeipa-server-dns package is new and requires all DNS dependencies
- install freeipa-server will not pull DNS dependencies
- upgrade from freeipa-server < 4.2.0 will pull freeipa-server-dns package

It turns out that nobody noticed missing Obsoletes in freeipa-server package.

Please review.

Note: Condition "Obsoletes: %{name}-server < 4.2.0"
should be amended per-distro/per-repo so it contains latest version number
which was available in form of RPM packages for that distro/repo (COPR).

Petr^2 Spacek
From c8486993b0b624ab7aa7b118e8ee7e420dd97891 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Thu, 16 Jul 2015 15:09:45 +0200
Subject: [PATCH] Create server-dns sub-package.

This allows us to automatically pull in package bind-pkcs11
and thus create upgrade path for on CentOS 7.1 -> 7.2.

IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.

 freeipa.spec.in | 51 +++++++++++++++++++++++++++++++++++----------------
 1 file changed, 35 insertions(+), 16 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fabfaee619d4cf0203b2f87d7fe804c2e72026f3..60c28fd5d8b4c14f5fd583735db469a65cdb5331 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -165,25 +165,13 @@ Requires: %{etc_systemd_dir}
 Conflicts: %{alt_name}-server
 Obsoletes: %{alt_name}-server < %{version}
+# upgrade path from monolithic -server to -server + -server-dns
+Obsoletes: %{name}-server < 4.2.0
 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
 # entire SELinux policy is stored in the system policy
 Obsoletes: freeipa-server-selinux < 3.3.0
-# We have a soft-requires on bind. It is an optional part of
-# IPA but if it is configured we need a way to require versions
-# that work for us.
-Conflicts: bind-dyndb-ldap < 6.0-4
-%if 0%{?fedora} >= 21
-Conflicts: bind < 9.9.6-3
-Conflicts: bind-utils < 9.9.6-3
-Conflicts: bind < 9.9.4-21
-Conflicts: bind-utils < 9.9.4-21
-Conflicts: opendnssec < 1.4.6-4
 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
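Review bot: removing the `Conflicts:` lines for bind-dyndb-ldap, bind, bind-utils and opendnssec from the -server package drops the only version guard for hosts that have BIND installed but do not install the new -server-dns sub-package. The removed comment calls this a soft requirement ("if it is configured we need a way to require versions that work for us"), and a `Requires:` placed in -server-dns enforces minimum versions only when that sub-package is present. Consider keeping the Conflicts in -server next to the new Requires. The added `Obsoletes: %{name}-server < 4.2.0` also sits inside the -server package itself, so the comment above it should say why a package obsoletes its own older versions.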
@@ -197,6 +185,35 @@ to install this package (in other words, most people should NOT install
 this package).
+%package server-dns
+Summary: IPA integrated DNS server with support for automatic DNSSEC signing
+Group: System Environment/Base
+Requires: %{name}-server = %{version}-%{release}
+Requires: bind-dyndb-ldap >= 6.0-4
+%if 0%{?fedora} >= 21
+Requires: bind >= 9.9.6-3
+Requires: bind-utils >= 9.9.6-3
+Requires: bind-pkcs11 >= 9.9.6-3
+Requires: bind-pkcs11-utils >= 9.9.6-3
+Requires: bind >= 9.9.4-21
+Requires: bind-utils >= 9.9.4-21
+Requires: bind-pkcs11 >= 9.9.4-21
+Requires: bind-pkcs11-utils >= 9.9.4-21
+Requires: opendnssec >= 1.4.6-4
+Conflicts: %{alt_name}-server-dns
+Obsoletes: %{alt_name}-server-dns < %{version}
+# upgrade path from monolithic -server to -server + -server-dns
+Obsoletes: %{name}-server < 4.2.0
+%description server-dns
+IPA integrated DNS server with support for automatic DNSSEC signing.
+Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
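Review bot: the bound in `Obsoletes: %{name}-server < 4.2.0` is hard-coded in this sub-package and again in the -server package, while the cover note says it has to be amended per distro/repo to the latest version that shipped as RPM there. Define the bound once as a macro near the top of the spec and extend the "upgrade path" comment to state what the value must track, so the two copies cannot drift and a packager knows to change it. Separately, as shown the `%if 0%{?fedora} >= 21` block lists both the 9.9.6-3 and the 9.9.4-21 Requires with no `%else` or `%endif` between them; please confirm the conditional is closed in the actual file.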
@@ -683,7 +700,6 @@ fi
@@ -857,7 +873,6 @@ fi
@@ -873,6 +888,10 @@ fi
+%files server-dns
 %files server-trust-ad
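Review bot: nothing in the patch tells an administrator, or ipa-dns-install, that freeipa-server-dns has to be installed before DNS is configured. `%files server-dns` lists no files, so the sub-package carries dependencies only and ipa-dns-install stays in -server. The commit message notes that BIND previously had to be installed by hand before the first ipa-dns-install run; with the split, state the new prerequisite in the `%description server-dns` text or have ipa-dns-install check that the sub-package is installed and fail with a clear message.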

