On 10/05/2015 07:00 PM, Martin Basti wrote:
> On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
>>     Hi
>>    I'm not sure if the goal is to be able to build IPA on Debian from
>> git/tarballs, but here's a list of what would need to be fixed first to
>> get there:
>> - places where usernames have been hardcoded need something like
>> ipaplatform/base/paths.py:
>>    apache -> www-data in:
>>    * ipaserver/install/httpinstance.py
>>    * ipaserver/install/ipa_server_certinstall.py
>>    * ipaserver/install/cainstance.py
>>    * ipaserver/install/certs.py
> this can be extracted to ipaplatform/base/constants.py

Yes, constants.py can be leveraged for this purpose. We added it not
that long ago, so you may have missed it.

Task left here is to actually abstract those values.

>>    named -> bind in:
>>    * ipaserver/install/bindinstance.py
> this is quite tricky,
> for named_user the right location is to ipaplatform/base/constants.py
> for service, you can look in ipaplatform/redhat/services.py there is
> already mapping named to named.pkcs11, we can do something similar in
> debian platform specification, debian_system_units['named'] =
> 'bind.service'

Correct. Debian should define its own services.py where the name of the
service can be overridden.

> However if you want to replace named with bind completely, it requires
> much more changes.

Martin, what is the effort necessary here?

>> - config/service files that use hardcoded paths in them need to be moved
>> to a template, and use paths.py macros:
>>    * install/conf/ipa.conf
>>    * init/systemd/ipa_memcached.service
>> - same but with hardcoded usernames
>>    * init/ipa_memcached.conf
> A discussion with other developers is needed how to resolve these files

Converting to templates sounds reasonable to me. We already have
machinery to do this (ipautil.template_file), so this is a
straightforward change.

>> - ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
>> because libapache2-mod-nss doesn't enable it on install (can't remember
>> why, but there was a good reason..)
> We did installer changes, Honza may know if this is possible.

This may be a step which calls out to a platform task - by default, this
would be an empty operation, on Debian, it would run whatever pre-setup
steps needed.

I wonder if we should generalize this, but probably not before a need

>> - various places using Fedora-specific libpaths (/usr/lib vs.
>> /usr/lib64), whereas on Debian these are /usr/lib/<tuple>, see
>> https://wiki.debian.org/Multiarch/Tuples
> I might be wrong, but I found different issues:
>>    * ipaserver/install/ldapupdate.py
> this affects update files, and the same issue is for ldif files
> We can replace path '/var/lib(64)' with substitute variable in those
> files, and create a platform specific method to determine the correct
> path, or just substitute with value from ipaplatform/base/paths
>>    * ipapython/certmonger.py
>>    * ipaserver/install/certs.py
>>    * ipaserver/install/ipa_backup.py
>>    * ipaserver/install/ipa_restore.py
> Here for libpath we can use ipaplatform task.py or path.py if it is enough
> The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths

Constants or Paths namespace should handle this case.

>> - ntp daemon defaults use a different variable name (OPTIONS vs
>> NTPD_OPTS), and quotes (" vs. ')
>>    * ipaserver/install/ntpinstance.py
> IMO here also default pools should be excluded to constants as a list of
> ntp servers per platform.
> OPTIONS can be excluded to ipaplatform/constants.py
> Probably the " or ' issue can be handled in the same way

Constants can probably handle this, if not, a platform specific task can
be used.

>> - "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
>> absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
>> 'conf.d' on Fedora and then conf-enabled on Debian
> ok

Probably a full path should be used here.

>> - install/share/bind.named.conf.template needs to drop the default zone
>> on Debian, since that's already configured via includes (-> bind fails
>> to start), so a template file with an exception for Debian would fix it
> The solution here can be augeas, but I'm not sure if we will be able to
> move to augeas soon enough.
> This is the same issue as with ipa.conf

We don't need to wait for augeas, just have a platform task (doing
nothing on Fedora) that will alter the named.conf file during its

>> - Makefile needs to use --install-layout=deb for setup.py

I guess we can have a platform env variable for the Makefile?

>> - ipa-client/ipa-install/ipa-client-automount needs to check for
>> variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
>> for NTPD_OPTS)
> Leaving this for others.

It can be abstracted into a platform specific task.

>> There.. that should be all I think :) Oh, forgot that currently dnssec
>> needs to be disabled by some heavy patching, because 9.10.x isn't
>> packaged yet..

Thanks for enumerating the issues Timo, I filed a ticket summing this up:
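
The platform abstraction discussed in this thread, sketched as an added example that is not part of the original messages or FreeIPA's own code: per-platform constants override the Fedora defaults, templates are rendered strictly, and a check flags base-platform values left hardcoded in a file. The class names, `HTTPD_USER`, `NAMED_USER`, the helper functions and the sample template are assumptions made for illustration.

```python
import re
from string import Template


class BaseConstants:
    """Fedora-style defaults named in the thread (attribute names assumed)."""
    HTTPD_USER = "apache"
    NAMED_USER = "named"
    HTTPD_CONF_D = "/etc/httpd/conf.d"
    system_units = {"named": "named.service"}


class DebianConstants(BaseConstants):
    """Debian overrides; only values that differ are redefined."""
    HTTPD_USER = "www-data"
    NAMED_USER = "bind"
    HTTPD_CONF_D = "/etc/apache2/conf-enabled"
    # Unit name as proposed in the thread.
    system_units = dict(BaseConstants.system_units, named="bind.service")


def platform_vars(constants):
    """Collect upper-case attributes as template substitution variables."""
    return {k: getattr(constants, k) for k in dir(constants) if k.isupper()}


def render(template_text, constants):
    """Strict substitution: an unknown $VAR raises KeyError instead of
    leaving a placeholder behind in a config file."""
    return Template(template_text).substitute(platform_vars(constants))


def leftover_defaults(text, constants):
    """Return keys whose base-platform value is still hardcoded in text
    although the target platform overrides it."""
    found = []
    for key, base_value in platform_vars(BaseConstants).items():
        pattern = r"(?<![\w-])" + re.escape(base_value) + r"(?![\w-])"
        if getattr(constants, key) != base_value and re.search(pattern, text):
            found.append(key)
    return sorted(found)


# Constructed sample template, not a file from the FreeIPA tree.
SAMPLE = "User $HTTPD_USER\nInclude $HTTPD_CONF_D/ipa-rewrite.conf\n"
# The same content with values hardcoded, as the thread describes.
HARDCODED = "User apache\nInclude /etc/httpd/conf.d/ipa-rewrite.conf\n"
```

Running `leftover_defaults` over installed config files on a non-Fedora platform shows which ones still need converting to templates, so services do not end up configured for an account that does not exist there.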

