[Freeipa-devel] pytest 4+

2019-07-05 Thread Levin Stanislav via FreeIPA-devel 
Hello All.


Maybe you know, recently pytest 5 has been released.

The major change is:

> This release is a Python3.5+ only release.
https://docs.pytest.org/en/latest/py27-py34-deprecation.html


But FreeIPA utilizes pytest 3.9.3 and even fails on pytest 4+
(https://pagure.io/freeipa/issue/7989).

So, is the IPA test suite bound to pytest 3? For instance, this could be
some old environments (OS, distro version), etc., which I couldn't know.
Please, take a look at the mentioned ticket.

Thanks.





signature.asc
Description: OpenPGP digital signature
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org

[Freeipa-devel] Re: 4.7.1 release planning

2018-09-27 Thread Levin Stanislav via FreeIPA-devel 
Hello,

'ru' translation has been already updated by Olesya Gerasimenko.

Thank you for your patience and excuse me for inconveniences.


27.09.2018 10:16, Alexander Bokovoy via FreeIPA-devel пишет:
> On ke, 12 syys 2018, Alexander Bokovoy via FreeIPA-devel wrote:
>> Hi,
>>
>> Let us plan for 4.7.1 release.
>>
>> My suggestion is to have a release in two weeks, around September 26th.
>>
>> Do you have patches that should go into 4.7.1 but haven't been pushed to
>> ipa-4-7 branch yet?
>>
>> We need to update Zanata -- now that web UI changes are in master it is
>> time to push them for translation.
>>
>> Any specific concerns?
> I updated Zanata master and ipa-4-7 branches this morning with the
> current set of PO files for translation.
>
> There are many new strings to translate especially around Web UI due to
> refactoring done by Stanislav Levin, these needs attention from the
> translators.
>
> I hope we can do 4.7.1-RC1 in one week and then, if things go well,
> 4.7.1-RC2 or final in two weeks. Let us target final translation updates
> to RC2 but if you are able to complete them before, that's even better.
>
>
>
>
>



signature.asc
Description: OpenPGP digital signature
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org

[Freeipa-devel] Re: IPA's NTP service

2018-01-24 Thread Levin Stanislav via FreeIPA-devel 
Hello All.


There are several good NTP servers/clients. And different Linux
distributions

use them (not only ntpd or chronyd). But FreeIPA chose ntpd strictly. It
is a

bottleneck for a platform porting. Perhaps, FreeIPA should allow to select

administrator which one to use and should support it (like install and
work).


Thank you.



24.01.2018 18:57, Simo Sorce via FreeIPA-devel пишет:
> On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel
> wrote:
>> Hello FreeIPA-devel list fellow beings!
>>
>> I would like to continue the discussion started in [1], and find its
>> solution.
>>
>> While using the Single-Sign-on authentication provided via an MIT Kerberos
>> KDC  there must not be any significant clock skew between server and
>> clients so a time synchronization service is required.
>>
>> Red Hat Enterprise Linux is about to deprecate ntpd service and will
>> support chronyd instead. This will happen in release 8 and by this time we
>> should agree on some changes in IPA - whether to remove or replace the 
>> already
>> used ntpd service. I would like to sum up this change in a design page but
>> there should be an agreement first.
>>
>> IPA, as is, checks the system configuration and if there is an NTP service
>> configured and running then it forces ntpd, meaning it disables any other
>> NTP service. It also alters its configuration, and restarts the NTP service
>> instance.
>>
>> We may now want to consider, as the time sync service change is required,
>> to NOT configure a service that is not a part of the identity management
>> such as NTP, and leave it to system/IPA administrators.
> Let me explain why we do this:
> As you noted above kerberos will fail to work properly if clocks drift
> too much, so we wanted to provide a simple way to keep the whole domain
> in sync. We also had plans to keep the domain in sync *securely* as an
> attacker could create Denial pf Service attacks by subtly drifting
> different machines clocks.
>
> ntpd was the only one that offered hooks to sign NTP packets (which
> were used by Samba only at the time and required compile time changes
> when we started) using kerberos keys, so the original plan was to
> eventually get there. Unfortunately we never prioritized this work.
>
> So given the above we initially decided to make IPA servers also ntp
> servers and configure client to use IPA server as time sources.
>
> This is just to give an overview of the reasons behind choosing ntpd
> specifically and why it was overriding ntp config on servers/clients
>
>> IPA install script may only check wheter there is an NTP service running
>> and if not, it would ask the administrator to configure it before the IPA
>> installation.
> I do not think we need this strictly for the first server, these days
> time keeping is more important in general and servers tend to be
> already kept in sync, either via virt devices, or ntp.
> however what we may want to do is, instead, to check the time
> synchronization on clients (and therefore future ipa replicas, as ipa
> client install is always done fist now), by dissecting a kerberos reply
> from the server that carries the server time (I think this information
> is actually stored in the ccache after a successful kinit, so we could
> just inspect the ccache as well).
>
> If we detect a drift bigger than X (where X < 5 min), we could fail the
> install and ask the admin to check the client and server time are
> synchronized.
>
>> Upgrade of IPA might be more complicated because there will be the ntpd
>> service entry in LDAP, and the service will be up and running. I would
>> suggest that we do not remove any working ntpd service already configured
>> but only disown it from IPA's LDAP tree.
> Why would we need to disown it ?
> I think it is ok to proposed that in new installs (even in an existing
> domain) new servers will stop configuring ntp by default, but I see no
> reason to touch existing servers.
>
> however I think we should *retain* the option to install and configure
> ntpd, it is very convenient for tests and custom installs/pocs, where
> you want to minimize the amount of prepping to do, and want something
> that "just works".
>
> If ntpd is dropped from a distribution I would assume we'll use the
> platform portability code to replace ntpd with whatever other
> NTP/timesync server/client is appropriate for the platform when the
> option to install NTP is requested.
>
> HTH,
> Simo.
>
>> I will be glad for any input from you people and hopefully there will be an
>> acceptable solution for this soon :)
>>
>> Thanks!
>>
>> [1]
>> https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html
>>
>> ___
>> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

___
FreeIPA-devel mailing list --