On 10/05/2015 07:00 PM, Martin Basti wrote:
>
>
> On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
>> Hi
>>
>> I'm not sure if the goal is to be able to build IPA on Debian from
>> git/tarballs, but here's a list of what would need to be fixed first to
>> get there:
>>
>> - places where usernames have been hardcoded need something like
>> ipaplatform/base/paths.py:
>> apache -> www-data in:
>> * ipaserver/install/httpinstance.py
>> * ipaserver/install/ipa_server_certinstall.py
>> * ipaserver/install/cainstance.py
>> * ipaserver/install/certs.py
> this can be extracted to ipaplatform/base/constants.py
>
Yes, constants.py can be leveraged for this purpose. We added it not that long ago, so you may have missed it. Task left here is to actually abstract those values.

>> named -> bind in:
>> * ipaserver/install/bindinstance.py
> this is quite tricky,
> for named_user the right location is to ipaplatform/base/constants.py
>
> for service, you can look in ipaplatform/redhat/services.py there is
> already mapping named to named.pkcs11, we can do something similar in
> debian platform specification, debian_system_units['named'] =
> 'bind.service'

Correct. Debian should define its own services.py where the name of the service can be overridden.

> However if you want to replace named with bind completely, it requires
> much more changes.
>

Martin, what is the effort necessary here?

>>
>> - config/service files that use hardcoded paths in them need to be moved
>> to a template, and use paths.py macros:
>> * install/conf/ipa.conf
>> * init/systemd/ipa_memcached.service
>>
>> - same but with hardcoded usernames
>> * init/ipa_memcached.conf
> A discussion with other developer is needed how to resolve these files

Converting to templates sounds reasonable to me. We already have machinery to do this (ipautil.template_file), so this is a straightforward change.

>>
>> - ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
>> because libapache2-mod-nss doesn't enable it on install (can't remember
>> why, but there was a good reason..)
> We did installer changes, Honza may know if this is possible.

This may be a step which calls out to a platform task - by default, this would be an empty operation, on Debian, it would run whatever pre-setup steps needed. I wonder if we should generalize this, but probably not before a need arises.

>>
>> - various places using Fedora-specific libpaths (/usr/lib vs.
>> /usr/lib64), whereas on Debian these are /usr/lib/<tuple>, see
>> https://wiki.debian.org/Multiarch/Tuples
> I might be wrong, but I found different issues:
>> * ipaserver/install/ldapupdate.py
> this affects update files, and the same issue is for ldif files
> We can replace path '/var/lib(64)' with substitute variable in those
> files, and create a platform specific method to determine the correct
> path, or just substitute with value from ipaplatform/base/paths
>> * ipapython/certmonger.py
>> * ipaserver/install/certs.py
>> * ipaserver/install/ipa_backup.py
>> * ipaserver/install/ipa_restore.py
> Here for libpath we can use ipaplatform task.py or path.py if it is enough
> The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths

Constants or Paths namespace should handle this case.

>>
>> - ntp daemon defaults use a different variable name (OPTIONS vs
>> NTPD_OPTS), and quotes (" vs. ')
>> * ipaserver/install/ntpinstance.py
> IMO here also default pools should be excluded to constants as a list of
> ntp servers per platform.
> OPTIONS can be excluded to ipaplatform/constants.py
> Probably the " or ' issue can be handled in the same way

Constants can probably handle this, if not, a platform specific task can be used.

>>
>> - "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
>> absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
>> 'conf.d' on Fedora and then conf-enabled on Debian
> ok

Probably a full path should be used here.

>>
>> - install/share/bind.named.conf.template needs to drop the default zone
>> on Debian, since that's already configured via includes (-> bind fails
>> to start), so a template file with an exception for Debian would fix it
> The solution here can be augeas, but I'm not sure if we will be able to
> move to augeas soon enough.
> This is the same issue as with ipa.conf

We don't need to wait for augeas, just have a platform task (doing nothing on Fedora) that will alter the named.conf file during its generation.

>>
>> - Makefile needs to use --install-layout=deb for setup.py

I guess we can have a platform env variable for the Makefile?

>>
>> - ipa-client/ipa-install/ipa-client-automount needs to check for
>> variable named 'NEED_GSSD' on debian, so ipaplatform/base/vars.py? (same
>> for NTPD_OPTS)
> Leaving this for others.

It can be abstracted into a platform specific task.

>>
>>
>> There.. that should be all I think :) Oh, forgot that currently dnssec
>> needs to be disabled by some heavy patching, because 9.10.x isn't
>> packaged yet..

Thanks for enumerating the issues Timo, I filed a ticket summing this up:

https://fedorahosted.org/freeipa/ticket/5343
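
Added example, not part of the original message and not FreeIPA's own code: a minimal sketch of the layering discussed in this thread, with per-platform constants, a service-unit override, a platform task that is an empty operation by default, and a config file rendered from a template. The class and function names are hypothetical, the template text is constructed, and Python's `string.Template` stands in for `ipautil.template_file`.

```python
import string


class BasePlatform:
    name = "base"
    # Service account names that were hardcoded in the installers.
    constants = {"HTTPD_USER": "apache", "NAMED_USER": "named"}
    system_units = {"named": "named.service"}

    def unit_for(self, service):
        # Fall back to "<service>.service" when the platform has no override.
        return self.system_units.get(service, service + ".service")

    def httpd_pre_setup(self):
        # Platform task hook: an empty operation by default.
        return []


class DebianPlatform(BasePlatform):
    name = "debian"
    constants = dict(BasePlatform.constants,
                     HTTPD_USER="www-data", NAMED_USER="bind")
    # Unit name taken from the debian_system_units suggestion in the thread.
    system_units = dict(BasePlatform.system_units, named="bind.service")

    def httpd_pre_setup(self):
        # Returned rather than executed so the example has no side effects.
        return [["a2enmod", "nss"]]


# Constructed template standing in for init/ipa_memcached.conf.
MEMCACHED_TEMPLATE = (
    "SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached\n"
    "USER=$HTTPD_USER\n"
)


def render(template_text, platform):
    # substitute() raises KeyError for an undefined variable, so a template
    # that names a missing constant fails instead of being written out with
    # a literal "$NAME" as the service account.
    return string.Template(template_text).substitute(platform.constants)


if __name__ == "__main__":
    for platform in (BasePlatform(), DebianPlatform()):
        print(platform.name, platform.unit_for("named"),
              platform.httpd_pre_setup())
        print(render(MEMCACHED_TEMPLATE, platform))
```
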