[Freeipa-devel] Re: FreeIPA nightly tests as PRs

2018-02-26 Thread Standa Laznicka via FreeIPA-devel
On 02/23/2018 05:26 PM, Robbie Harwood via FreeIPA-devel wrote:
> Petr Vobornik via FreeIPA-devel 
> writes:
>
>> Felipe made nightly testing working as PRs in freeipa main Git Hub
>> repo.
> Is there really not a better way to do this than spamming freeipa-devel
> with two more PRs every day?

+1, it messes up the PR queue, too, either make it use the same PR or
use another repo. The current state is unbearable.

>
> Travis has cronjob support; wouldn't this be a better fit there?  Why
> does it need to be a PR?

I second the opinion that github PR is just a bad place to place nightly
CI run results to and it already shows.

>
> Like I suspect many users, I will be muting these.
>
> Thanks,
> --Robbie
>
>
> ___
> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


-- 
Standa Láznička
A Red Hat person
PGP: 8B00 620A 713B 714E B4CB 4767 C98C 4149 36B1 A7F3



___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1616][closed] Move DNS related files to server-dns package

2018-02-26 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1616
Author: tiran
 Title: #1616: Move DNS related files to server-dns package
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1616/head:pr1616
git checkout pr1616


[Freeipa-devel] [freeipa PR#1627][closed] [Backport][ipa-4-6] Don't return None on mismatched interactive passwords

2018-02-26 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1627
Author: tiran
 Title: #1627: [Backport][ipa-4-6] Don't return None on mismatched interactive passwords
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1627/head:pr1627
git checkout pr1627


[Freeipa-devel] [freeipa PR#1628][closed] [Backport][ipa-4-6] ipa host-add: do not raise exception when reverse record not added

2018-02-26 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1628
Author: tiran
 Title: #1628: [Backport][ipa-4-6] ipa host-add: do not raise exception when reverse record not added
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1628/head:pr1628
git checkout pr1628


[Freeipa-devel] [freeipa PR#1524][closed] tests: ca-less to ca-full - remove certupdate

2018-02-26 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1524
Author: Rezney
 Title: #1524: tests: ca-less to ca-full - remove certupdate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1524/head:pr1524
git checkout pr1524


[Freeipa-devel] [freeipa PR#1635][opened] Encrypt httpd key stored on disk

2018-02-26 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1635
Author: stlaz
 Title: #1635: Encrypt httpd key stored on disk
Action: opened

PR body:
"""
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decryption will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1635/head:pr1635
git checkout pr1635
From ff1e674278b55034801c6b41f84b7388d06258f4 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 26 Feb 2018 10:15:05 +0100
Subject: [PATCH] Encrypt httpd key stored on disk

This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decryption will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421
---
 freeipa.spec.in |  2 ++
 install/tools/Makefile.am   |  2 ++
 install/tools/ipa-httppswd.sh   |  1 +
 install/tools/ipa-pwdreader.sh  |  7 +++
 ipalib/x509.py  | 10 --
 ipaplatform/base/paths.py   |  2 ++
 ipaserver/install/httpinstance.py   | 16 ++--
 ipaserver/install/ipa_server_certinstall.py | 17 ++---
 8 files changed, 50 insertions(+), 7 deletions(-)
 create mode 12 install/tools/ipa-httppswd.sh
 create mode 100644 install/tools/ipa-pwdreader.sh

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cf35e67c81..a913c39954 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1305,6 +1305,8 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%{_libexecdir}/ipa/ipa-pwdreader.sh
+%{_libexecdir}/ipa/ipa-httppswd.sh
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
 %{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 6b9a64a3d2..1e11a144de 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -37,4 +37,6 @@ dist_app_SCRIPTS =		\
 	ipa-custodia-check	\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
+	ipa-httppswd.sh		\
+	ipa-pwdreader.sh	\
 	$(NULL)
diff --git a/install/tools/ipa-httppswd.sh b/install/tools/ipa-httppswd.sh
new file mode 12
index 00..297e031c1e
--- /dev/null
+++ b/install/tools/ipa-httppswd.sh
@@ -0,0 +1 @@
+ipa-pwdreader.sh
\ No newline at end of file
diff --git a/install/tools/ipa-pwdreader.sh b/install/tools/ipa-pwdreader.sh
new file mode 100644
index 00..e5ec8ec04d
--- /dev/null
+++ b/install/tools/ipa-pwdreader.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+HTTP_PASSWD_LOC="/var/lib/ipa/certs/httpd_passwd.txt"
+
+if [ "$(basename $0)" == "ipa-httppswd.sh" ] && \
+[ -f "$HTTP_PASSWD_LOC" ]; then
+cat "$HTTP_PASSWD_LOC"
+fi
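
Review bot: When the script is invoked under any other name, or when the file at HTTP_PASSWD_LOC is missing, it prints nothing and still exits 0, so the caller receives an empty passphrase instead of a clear failure; add an else branch that writes an error to stderr and exits non-zero. In the same test, `$(basename $0)` leaves `$0` unquoted and should be written `"$(basename "$0")"`. The hard-coded HTTP_PASSWD_LOC also duplicates the HTTPD_PASSWD_FILE value this patch adds to ipaplatform/base/paths.py; a comment tying the two together, or generating the script from the platform path, would keep them from drifting apart.
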
diff --git a/ipalib/x509.py b/ipalib/x509.py
index b49bc96622..7986ddbf5f 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -569,20 +569,26 @@ def write_certificate_list(certs, filename):
 raise errors.FileError(reason=str(e))
 
 
-def write_pem_private_key(priv_key, filename):
+def write_pem_private_key(priv_key, filename, passwd=None):
 """
 Write a private key to a file in PEM format. Will force 0x600 permissions
 on file.
 
 :param priv_key: cryptography ``PrivateKey`` object
+:param passwd: ``bytes`` representing the password to store the
+private key with
 """
+if passwd is not None:
+enc_alg = serialization.BestAvailableEncryption(passwd)
+else:
+enc_alg = serialization.NoEncryption()
 try:
 with open(filename, 'wb') as fp:
 os.fchmod(fp.fileno(), 0o600)
 fp.write(priv_key.private_bytes(
 Encoding.PEM,
 PrivateFormat.TraditionalOpenSSL,
-serialization.NoEncryption()))
+encryption_algorithm=enc_alg))
 except (IOError, OSError) as e:
 raise errors.FileError(reason=str(e))
 
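
Review bot: The new `passwd is not None` branch in write_pem_private_key() hands any bytes value to serialization.BestAvailableEncryption(), which rejects an empty password with ValueError; because enc_alg is built before the try block, a call with passwd=b'' raises an exception that is never converted to errors.FileError. Either reject an empty value explicitly with a clear error, or state in the `:param passwd:` text that it must be non-empty bytes. While the docstring is being touched, "0x600 permissions" should read 0o600 to match the os.fchmod() call.
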
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 69bf9a2f31..9d25739411 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -53,6 +53,7 @@ class BasePathNamespace(object):
 HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
 HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"
 HTTPD_KEY_FILE = "/var/lib/ipa/certs/httpd.key"
+HTTPD_PASSWD_FILE = "/var/lib/ipa/certs/httpd_passwd.txt"
 # only used on Fedora
 HTTPD_IPA_WSGI_MODULES_CONF = None
 OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
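
Review bot: HTTPD_PASSWD_FILE is placed in /var/lib/ipa/certs/ right next to HTTPD_KEY_FILE, so the passphrase and the key it protects live in the same directory and the key's confidentiality now rests on the ownership and mode of the password file. Please document beside this constant which user must be able to read the file and which mode the installer gives it, and make sure it is no more readable than the key file itself.
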
@@ -211,6 +212,7 @@ 

[Freeipa-devel] Re: FreeIPA nightly tests as PRs

2018-02-26 Thread Petr Vobornik via FreeIPA-devel
Hi thanks for the feedback, comments inline

On Mon, Feb 26, 2018 at 8:59 AM, Standa Laznicka  wrote:
> On 02/23/2018 05:26 PM, Robbie Harwood via FreeIPA-devel wrote:
>
> Petr Vobornik via FreeIPA-devel 
> writes:
>
> Felipe made nightly testing working as PRs in freeipa main Git Hub
> repo.
>
> Is there really not a better way to do this than spamming freeipa-devel
> with two more PRs every day?

I guess it can be optimized a bit so that notification mails are a bit
more useful. I agree that notification mails about opening and closing
PR don't bring any added value. Maybe it can be suppressed in
https://github.com/freeipa/freeipa-tools/tree/master/github-email-notifications

On the other hand, what is desired is to show results of nightly
testing to project maintainers and contributors. Because tests are
useful only if their results are visible and it drives actions.
Therefore I find it beneficial to send a mail with test failures. This is
not working yet. A possible technical solution might be to create a
task depending on all other tasks which would get the results and
would create a comment with them thus creating a notification mail.

>
>
> +1, it messes up the PR queue, too, either make it use the same PR or use
> another repo. The current state is unbearable.

I don't see a benefit in moving it to other repo. It would lose the
visibility and therefore would become half-useless.

Reusing PRs could be a way to limit some noise. But if I'm correct old
PRs are shown back in the queue.  IMO the goal here should be to show
nightly testing on a first PR page. One way is to have fewer PRs ;).
Other optimization could be e.g. to have weekly nightly PRs - meaning
one PR would be updated 5-7 times.

IMO it is also useless to run nightly testing over weekend as no one
is currently pushing any patches during the time.  So I'd test on
Friday evening and then on a Monday evening.

Could you describe in more details what you mean by "messes up the PR
queue" or "unbearable"? These are quite hard words but their meaning is
not specific. Could be interpreted in many ways. It's good to express
feeling but it is hard to grasp. What is the effect it creates from
your perspective?

>
>
> Travis has cronjob support; wouldn't this be a better fit there?  Why
> does it need to be a PR?

PR is a way how to show results and coordinate test runners.  The
testing infra used for it doesn't currently work without PR.  How it
works now: https://github.com/freeipa/freeipa-pr-ci/tree/master/doc
I have no idea how travis cron jobs work. But if it uses Travis infra
then it is a no-go as Travis cannot handle our load.

>
>
> I second the opinion that github PR is just a bad place to place nightly CI
> run results to and it already shows.

Could you explain what you mean by "it already shows"?

>
>
> Like I suspect many users, I will be muting these.
>
> Thanks,
> --Robbie


-- 
Petr Vobornik


[Freeipa-devel] Re: FreeIPA nightly tests as PRs

2018-02-26 Thread Standa Laznicka via FreeIPA-devel
On 02/26/2018 10:32 AM, Petr Vobornik wrote:
> Hi thanks for the feedback, comments inline
>
> On Mon, Feb 26, 2018 at 8:59 AM, Standa Laznicka  wrote:
>> On 02/23/2018 05:26 PM, Robbie Harwood via FreeIPA-devel wrote:
>>
>> Petr Vobornik via FreeIPA-devel 
>> writes:
>>
>> Felipe made nightly testing working as PRs in freeipa main Git Hub
>> repo.
>>
>> Is there really not a better way to do this than spamming freeipa-devel
>> with two more PRs every day?
> I guess it can be optimized a bit so that notification mails are a bit
> more useful. I agree that notification mails about opening and closing
> PR don't bring any added value. Maybe it can be suppressed in
> https://github.com/freeipa/freeipa-tools/tree/master/github-email-notifications
>
> On the other hand, what is desired is to show results of nightly
> testing to project maintainers and contributors. Because tests are
> useful only if their results are visible and it drives actions.
> Therefore I find it beneficial to send a mail with test failures. This is
> not working yet. A possible technical solution might be to create a
> task depending on all other tasks which would get the results and
> would create a comment with them thus creating a notification mail.
>
>>
>> +1, it messes up the PR queue, too, either make it use the same PR or use
>> another repo. The current state is unbearable.
> I don't see a benefit in moving it to other repo. It would lose the
> visibility and therefore would become half-useless.
I doubt the number of people who actually looked at the logs of failing
tests exceeds 2. From a user perspective, the results are just hard to
view and understand because the UI of a github PR is not supposed to be
used to view results of a great number of complicated integration tests.
>
> Reusing PRs could be a way to limit some noise. But if I'm correct old
> PRs are shown back in the queue.  IMO the goal here should be to show
> nightly testing on a first PR page. One way is to have fewer PRs ;).
> Other optimization could be e.g. to have weekly nightly PRs - meaning
> one PR would be updated 5-7 times.
Sounds definitely better than what we have now, although it removes the
possibility to view history.
>
> IMO it is also useless to run nightly testing over weekend as no one
> is currently pushing any patches during the time.  So I'd test on
> Friday evening and then on a Monday evening.
>
> Could you describe in more details what you mean by "messes up the PR
> queue" or "unbearable"?
Of course - unbearable = people don't want to deal with their mailboxes
being spammed; messes up the PR queue = creates unnecessary
pull requests (keeping in mind that the value of a PR is in new code).
> These are quite hard words but their meaning is
> not specific. Could be interpreted in many ways. It's good to express
> feeling but it is hard to grasp. What is the effect it creates from
> your perspective?
^-
>
>>
>> Travis has cronjob support; wouldn't this be a better fit there?  Why
>> does it need to be a PR?
> PR is a way how to show results and coordinate test runners.  The
> testing infra used for it doesn't currently work without PR.  How it
> works now: https://github.com/freeipa/freeipa-pr-ci/tree/master/doc
> I have no idea how travis cron jobs work. But if it uses Travis infra
> then it is a no-go as Travis cannot handle our load.
>
>>
>> I second the opinion that github PR is just a bad place to place nightly CI
>> run results to and it already shows.
> Could you explain what you mean by "it already shows"?
^- and also -v
>
>>
>> Like I suspect many users, I will be muting these.
>>
>> Thanks,
>> --Robbie
>

-- 
Standa Láznička
A Red Hat person
PGP: 8B00 620A 713B 714E B4CB 4767 C98C 4149 36B1 A7F3






[Freeipa-devel] Re: authconfig replacement design

2018-02-26 Thread Lukas Slebodnik via FreeIPA-devel
On (23/02/18 13:08), Martin Kosek via FreeIPA-devel wrote:
>On 02/21/2018 03:39 PM, Rob Crittenden via FreeIPA-devel wrote:
>>>> - install client
>>>>   a) if we replace rpm dependency on authconfig with authselect we can
>>>> go only this way: new installations done with authselect. if --no-sssd
>>>> option is provided, then fail.
>>> --no-sssd option is already deprecated and should not be used, you don't
>>> have to think about that scenario. You can therefore go the a) way and
>>> remove the option as a whole so that you can be sure it won't fiddle
>>> with new installations.
>> I can't seem to find anywhere that this deprecation was announced or
>> discussed other than the ticket and commit,
>> dfc271fdf4514481c11c342fabda135feeb44de6.
>> 
>> Did anyone ask users, or anyone, if they use this option?
>> 
>> In any case it isn't even clear that the option *is* deprecated. It just
>> doesn't show as an option to ipa-client-install (hiding is not
>> deprecating).
>> 
>> IMHO to properly deprecate something it should yell loudly whenever
>> invoked with a dire warning that it will disappear in the future.
>
>This mostly seems as a review feedback that could have come in
>https://pagure.io/freeipa/issue/5860
>but did not. But it does not change anything on the fact that the option
>is deprecated.
>
>> There is also no man page mention of deprecation, in fact the option is
>> still there.
>> 
>> So even if the deprecation is fine and considered, removing the option
>> completely has had no visible discussion.
>
>Let's discuss it then. From Fedora/RHEL point of view, I do not see big
>value in spending much time in maintaining, supporting or developing
>non-SSSD scenarios. Fedora itself does not support these scenarios any
>more, after the authselect Fedora change. These very corner cases are
>left for manual administrator configuration.
>
>The non-SSSD work and code should be left to FreeIPA platform code, for
>platforms that do not use or want to use SSSD.

Which platform do you have in mind?
Because I do not know any platform/distribution which has freeipa-client
and does not have sssd.

LS


[Freeipa-devel] Re: IPA's NTP service

2018-02-26 Thread Florence Blanc-Renaud via FreeIPA-devel

Hi,

* During client installation, the installer calls "/usr/bin/timeout ntpd 
-qgc " in order to synchronize the clock with either

a/ one of the servers specified in --ntp-server
b/ a NTP server found in the DNS (_ntp._udp in the domain)
or
c/ the master

This command does not configure the NTP service but rather performs a 
one-time synchronization even if the offset is big. Did you check if 
chrony offers a similar option?


* In the design doc you mention calling a command line that will perform 
the config of chronyd but we have no information on this command line 
(which options, what does it do exactly...)


* For the upgrade, the plan is to remove ntpd service configuration. We 
should perform this only if ntp was configured by ipa-client-install (if 
the config was existing before client install and the client was 
installed with -N, then FreeIPA is not managing the time and the upgrade 
should not mess with it either).


* For the config of ntp, we were checking if chronyd was already 
configured and required --force-ntp to remove chronyd conf and configure 
ntpd instead. In the current proposal, the behavior is not identical 
because we do not offer --force-chrony. Is it on purpose?


* Test plan:
you can already add a few scenarii, like:
fresh install with -N and ntp already setup
fresh install with -N and chrony already setup
fresh install with -N and without any time conf

fresh install without any time option and ntp already setup
fresh install without any time option and chrony already setup
fresh install without any time option and without any time conf

upgrade on instance installed with -N and ntp already setup
upgrade on instance installed with -N and chrony already setup
upgrade on instance installed with -N and without any time conf

upgrade on instance installed without any time option and ntp already setup
upgrade on instance installed without any time option and chrony already 
setup
upgrade on instance installed without any time option and without any 
time conf


Flo

On 01/24/2018 04:25 PM, Tibor Dudlák via FreeIPA-devel wrote:

Hello FreeIPA-devel list fellow beings!

I would like to continue the discussion started in [1], and find
its solution.


While using the Single-Sign-on authentication provided via an MIT
Kerberos KDC  there must not be any significant clock skew between
server and clients so a time synchronization service is required.


Red Hat Enterprise Linux is about to deprecate ntpd service and will
support chronyd instead. This will happen in release 8 and by this time
we should agree on some changes in IPA - whether to remove or replace the
already used ntpd service. I would like to sum up this change in a design
page but there should be an agreement first.


IPA, as is, checks the system configuration and if there is an NTP service
configured and running then it forces ntpd, meaning it disables any other
NTP service. It also alters its configuration, and restarts the NTP
service instance.


We may now want to consider, as the time sync service change is required,
to NOT configure a service that is not a part of the identity management
such as NTP, and leave it to system/IPA administrators.


IPA install script may only check whether there is an NTP service running
and if not, it would ask the administrator to configure it before the IPA
installation.


Upgrade of IPA might be more complicated because there will be the ntpd
service entry in LDAP, and the service will be up and running. I would
suggest that we do not remove any working ntpd service already
configured but only disown it from IPA's LDAP tree.


I will be glad for any input from you people and hopefully there will be 
an acceptable solution for this soon :)


Thanks!

[1] 
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html


--
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C407
Red Hat




[Freeipa-devel] Re: FreeIPA nightly tests as PRs

2018-02-26 Thread Felipe Barreto via FreeIPA-devel



On 02/23/2018 09:02 AM, Petr Vobornik wrote:

Hi all,

Felipe made nightly testing working as PRs in freeipa main Git Hub repo.

e.g.:
https://github.com/freeipa/freeipa/pull/1624
https://github.com/freeipa/freeipa/pull/1623

This is good. We can see the results publicly in comparison to
"upstream Jenkins". I also believe that it will be more stable. But
time will tell it. A disadvantage is more noise in mail notifications,
but that is not that drastic.

Let's discuss some aspects. First one is definitions of the tests
(.freeipa-pr-ci.yaml) and how to extend them.

We currently use 3 definitions:
* gating, the definition in repo
* nightly master tests
* nightly rawhide tests

Gating definition is in repo. But both nightly are not.

What is the way how other team members can extend this definition?
Where are they kept?

Could we also put them into a repo?

What about the following solution:
1. create a directory with tests definitions, e.g. /ipatests/definitions
2. put these 3 files there
   - gating
   - nightly_master
   - nightly_rawhide
3.  make .freeipa-pr-ci.yaml a symlink to /ipatest/definitions/gating
4. for nightly testing do PR which would change only the symlink



Sounds a good solution for me. We could go that way. This would
require a small change in the github/openclose_pr script, but that's
easy.


Benefits:
- anybody can extend nightly test suite
- the nightly test suite can be extended right away in a PR which adds the tests
- nightly tests won't fail on merge conflict when somebody extends
current gating spec

Possible alternative is to make it more complex and use something like
includes instead of symlinks, but that would need update of PR-CI and
I don't see a real benefit in comparison to the symlink solution.




[Freeipa-devel] Re: authconfig replacement design

2018-02-26 Thread Martin Kosek via FreeIPA-devel
On 02/26/2018 01:16 PM, Lukas Slebodnik wrote:
> On (23/02/18 13:08), Martin Kosek via FreeIPA-devel wrote:
>> On 02/21/2018 03:39 PM, Rob Crittenden via FreeIPA-devel wrote:
>>>>> - install client
>>>>>   a) if we replace rpm dependency on authconfig with authselect we can
>>>>> go only this way: new installations done with authselect. if --no-sssd
>>>>> option is provided, then fail.
>>>> --no-sssd option is already deprecated and should not be used, you don't
>>>> have to think about that scenario. You can therefore go the a) way and
>>>> remove the option as a whole so that you can be sure it won't fiddle
>>>> with new installations.
>>> I can't seem to find anywhere that this deprecation was announced or
>>> discussed other than the ticket and commit,
>>> dfc271fdf4514481c11c342fabda135feeb44de6.
>>>
>>> Did anyone ask users, or anyone, if they use this option?
>>>
>>> In any case it isn't even clear that the option *is* deprecated. It just
>>> doesn't show as an option to ipa-client-install (hiding is not
>>> deprecating).
>>>
>>> IMHO to properly deprecate something it should yell loudly whenever
>>> invoked with a dire warning that it will disappear in the future.
>>
>> This mostly seems as a review feedback that could have come in
>> https://pagure.io/freeipa/issue/5860
>> but did not. But it does not change anything on the fact that the option
>> is deprecated.
>>
>>> There is also no man page mention of deprecation, in fact the option is
>>> still there.
>>>
>>> So even if the deprecation is fine and considered, removing the option
>>> completely has had no visible discussion.
>>
>> Let's discuss it then. From Fedora/RHEL point of view, I do not see big
>> value in spending much time in maintaining, supporting or developing
>> non-SSSD scenarios. Fedora itself does not support these scenarios any
>> more, after the authselect Fedora change. These very corner cases are
>> left for manual administrator configuration.
>>
>> The non-SSSD work and code should be left to FreeIPA platform code, for
>> platforms that do not use or want to use SSSD.
> 
> Which platform do you have in mind?

I did not have any specific Platform in mind in this case. I am not
aware of platform that has freeipa-client and does not have SSSD.

> Because I do not know any platform/distribution which has freeipa-client
> and does not have sssd.

I see, thanks for info.

Reading this, I would be quite fine with removing all the --no-sssd
functionality from client installer and leaving people who want to
configure FreeIPA with nss-pam-ldapd for manual configuration. We have
some ipa-advise plugins for configuring nss-pam-ldapd "authconfig-free"
code already anyway.

Martin


[Freeipa-devel] Re: FreeIPA development good practices

2018-02-26 Thread Florence Blanc-Renaud via FreeIPA-devel

On 02/07/2018 06:29 PM, Petr Vobornik via FreeIPA-devel wrote:

On Wed, Feb 7, 2018 at 5:52 PM, Florence Blanc-Renaud via
FreeIPA-devel  wrote:

Hi all,

in order to promote good development practices, I would like to write a wiki
page stating FreeIPA expectations and helping contributors to remain on
track (or extend the Contribute/Code wiki page).

The topics include a description explaining our use of the tools (such as
github, pagure etc), but also general development habits that everyone
should enforce.

A draft is available below for your comments/suggestions.



Hi Flo,

good stuff.

Btw when I was reviewing https://www.freeipa.org/page/Contribute/Code
today, it reminded me that we already have some basis there. E.g.
https://www.freeipa.org/page/Coding_Best_Practices but this page is
quite specific to only some project aspects and lacks more general
ideas.



Hi,

thanks for the comments and suggestions. I added the text in the 
existing wiki page https://www.freeipa.org/page/Contribute/Code


Feel free to edit and extend the page if you have additional ideas.

Thanks,
Flo


[Freeipa-devel] [freeipa PR#1636][opened] Upgrade HTTPd's alias db to SQL

2018-02-26 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1636
Author: tiran
 Title: #1636: Upgrade HTTPd's alias db to SQL
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1636/head:pr1636
git checkout pr1636
From 0ff98ad91b2d0fc752abb58696b0da6d3f66d19c Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 26 Feb 2018 18:09:23 +0100
Subject: [PATCH] Upgrade HTTPd's alias db to SQL

https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes 
---
 ipaserver/install/certs.py  | 16 
 ipaserver/install/server/upgrade.py | 18 ++
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 50b9716453..9417319c26 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -687,22 +687,6 @@ def is_ipa_issued_cert(self, api, nickname):
 
 return is_ipa_issued_cert(api, cert)
 
-def needs_upgrade_format(self):
-"""Check if NSSDB file format needs upgrade
-
-Only upgrade if it's an existing dbm database and default
-database type is no 'dbm'.
-"""
-return (
-self.nssdb.dbtype == 'dbm' and
-self.exists()
-)
-
-def upgrade_format(self):
-"""Upgrade NSSDB to new file format
-"""
-self.nssdb.convert_db()
-
 
 class _CrossProcessLock(object):
 _DATETIME_FORMAT = '%Y%m%d%H%M%S%f'
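
Review bot: needs_upgrade_format() and upgrade_format() are removed from the class outright, while the diffstat shows only certs.py and upgrade.py being touched; please confirm that no other caller in the tree still uses either method, or keep thin wrappers until the callers are gone. A short note in the commit message on why the generic helpers give way to an httpd-specific function would also help, since the message currently carries only the ticket link.
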
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 57fddc6e29..eafa70ffba 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -209,6 +209,21 @@ def check_certs():
 else:
 logger.debug('Certificate file exists')
 
+
+def convert_httpd_nssdb():
+"""Convert HTTPD's NSSDB as early as possible
+"""
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+if db.nssdb.dbtype == 'sql':
+logger.debug('%s is already a SQL database', paths.HTTPD_ALIAS_DIR)
+return
+with installutils.stopped_service('httpd'):
+logger.info(
+'Converting NSSDB %s to SQL format', paths.HTTPD_ALIAS_DIR
+)
+db.nssdb.convert_db(rename_old=True)
+
+
 def update_dbmodules(realm, filename=paths.KRB5_CONF):
 newfile = []
 found_dbrealm = False
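
Review bot: convert_httpd_nssdb() converts whenever db.nssdb.dbtype is not 'sql', but the removed CertDB.needs_upgrade_format() also required self.exists(); carry that check over and return before `with installutils.stopped_service('httpd'):` so that a missing database in paths.HTTPD_ALIAS_DIR neither stops httpd nor calls convert_db(rename_old=True) on nothing. The docstring says "as early as possible" without saying why; one sentence on what later in the upgrade depends on the SQL format would help the next reader.
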
@@ -1619,6 +1634,9 @@ def upgrade_configuration():
 
 fqdn = api.env.host
 
+# convert NSSDB right away
+convert_httpd_nssdb()
+
 # Ok, we are an IPA server, do the additional tests
 ds_serverid = installutils.realm_to_serverid(api.env.realm)
 ds = dsinstance.DsInstance()


[Freeipa-devel] Re: FreeIPA nightly tests as PRs

2018-02-26 Thread Felipe Barreto via FreeIPA-devel



On 02/26/2018 06:32 AM, Petr Vobornik wrote:
> Hi, thanks for the feedback, comments inline
>
> On Mon, Feb 26, 2018 at 8:59 AM, Standa Laznicka wrote:
>> On 02/23/2018 05:26 PM, Robbie Harwood via FreeIPA-devel wrote:
>>> Petr Vobornik via FreeIPA-devel
>>> writes:
>>>
>>>> Felipe made nightly testing working as PRs in freeipa main Git Hub
>>>> repo.
>>>
>>> Is there really not a better way to do this than spamming freeipa-devel
>>> with two more PRs every day?
>
> I guess it can be optimized a bit so that notification mails are a bit
> more useful. I agree that notification mails about opening and closing
> PR don't bring any added value. Maybe it can be suppressed in
> https://github.com/freeipa/freeipa-tools/tree/master/github-email-notifications
>
> On the other hand, what is desired is to show results of nightly
> testing to project maintainers and contributors. Because tests are
> useful only if their results are visible and it drives actions.
> Therefore I find it beneficial to send a mail with test failures. This is
> not working yet. A possible technical solution might be to create a
> task depending on all other tasks which would get the results and
> would create a comment with them thus creating a notification mail.
>
>> +1, it messes up the PR queue, too, either make it use the same PR or use
>> another repo. The current state is unbearable.
>
> I don't see a benefit in moving it to other repo. It would lose the
> visibility and therefore would become half-useless.

Actually, if we want to use the PR CI resources, we can't move it to
another repo. The runners point to freeipa/freeipa repo.

PR CI was designed to watch the PRs list, so it would not be simple to
not use this way of running tests.

IMHO the easiest way is:
- Run nightly PRs two or three times per week (Mon and Friday or Mon,
  Wed, Fri)
- Keep the PRs on freeipa/freeipa repo
- people create some filter in their email client if they don't want to
  receive the notifications

As Petr already mentioned, it's important to keep them on GitHub because
it's easy to have a history, it keeps them publicly available and it
already uses all of our infrastructure. If we "hide" the results, we
would have the same problem that Jenkins has: it's not easy to see the
results.

> Reusing PRs could be a way to limit some noise. But if I'm correct old
> PRs are shown back in the queue.  IMO the goal here should be to show
> nightly testing on a first PR page. One way is to have fewer PRs ;).
> Other optimization could be e.g. to have weekly nightly PRs - meaning
> one PR would be updated 5-7 times.
>
> IMO it is also useless to run nightly testing over weekend as no one
> is currently pushing any patches during the time.  So I'd test on
> Friday evening and then on a Monday evening.
>
> Could you describe in more detail what you mean by "messes up the PR
> queue" or "unbearable"? These are quite hard words but their meaning is
> not specific. Could be interpreted in many ways. It's good to express
> feeling but it is hard to grasp. What is the effect it creates from
> your perspective?
>
>>> Travis has cronjob support; wouldn't this be a better fit there?  Why
>>> does it need to be a PR?
>
> PR is a way to show results and coordinate test runners.  The
> testing infra used for it doesn't currently work without PR.  How it
> works now: https://github.com/freeipa/freeipa-pr-ci/tree/master/doc I
> have no idea how travis cron jobs work. But if it uses Travis infra
> then it is a no-go as Travis cannot handle our load.
>
>> I second the opinion that github PR is just a bad place to place nightly CI
>> run results to and it already shows.
>
> Could you explain what you mean by "it already shows"?
>
>>> Like I suspect many users, I will be muting these.
>>>
>>> Thanks,
>>> --Robbie






[Freeipa-devel] [freeipa PR#1633][closed] [testing_master] Nightly PR

2018-02-26 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1633
Author: freeipa-pr-ci
 Title: #1633: [testing_master] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1633/head:pr1633
git checkout pr1633


[Freeipa-devel] [freeipa PR#1637][opened] Don't try to backup CS.cfg during upgrade if CA is not configured

2018-02-26 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1637
Author: rcritten
 Title: #1637: Don't try to backup CS.cfg during upgrade if CA is not configured
Action: opened

PR body:
"""

https://pagure.io/freeipa/issue/7409

Signed-off-by: Rob Crittenden 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1637/head:pr1637
git checkout pr1637
From 79858d2b770d23e0947d6fb8cfd3f9e39768d18b Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Mon, 26 Feb 2018 16:13:58 -0500
Subject: [PATCH] Don't try to backup CS.cfg during upgrade if CA is not
 configured

https://pagure.io/freeipa/issue/7409

Signed-off-by: Rob Crittenden 
---
 ipaserver/install/server/upgrade.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 57fddc6e29..724bb82a38 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1658,7 +1658,8 @@ def upgrade_configuration():
 
 with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
 # Dogtag must be stopped to be able to backup CS.cfg config
-ca.backup_config()
+if ca.is_configured():
+ca.backup_config()
 
 # migrate CRL publish dir before the location in ipa.conf is updated
 ca_restart = migrate_crl_publish_dir(ca)
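Review bot: the ca.is_configured() check sits inside the "with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):" block, so on a CA-less server the upgrade still enters the context manager for pki-tomcatd and only then skips the backup. Moving the condition outside, so that the whole with block is skipped when the CA is not configured, would avoid touching a service that has nothing to back up. The commit message gives only the issue link; one sentence on the failure seen in issue 7409 would help anyone reading the log later.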


[Freeipa-devel] [freeipa PR#1634][closed] [testing_rawhide] Nightly PR

2018-02-26 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1634
Author: freeipa-pr-ci
 Title: #1634: [testing_rawhide] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1634/head:pr1634
git checkout pr1634


[Freeipa-devel] [freeipa PR#1638][opened] [testing_rawhide] Nightly PR

2018-02-26 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1638
Author: freeipa-pr-ci
 Title: #1638: [testing_rawhide] Nightly PR
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1638/head:pr1638
git checkout pr1638
From 6495ab8b73f9bb3ea8203efdb02bb9fafe685e2b Mon Sep 17 00:00:00 2001
From: root 
Date: Mon, 26 Feb 2018 23:00:09 +
Subject: [PATCH] automated commit

---
 .freeipa-pr-ci.yaml | 247 +++-
 1 file changed, 226 insertions(+), 21 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index b98a27835c..28ab4cdb92 100644
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -11,9 +11,21 @@ topologies:
 name: master_1repl_1client
 cpu: 4
 memory: 6700
+  ipaserver: &ipaserver
+name: ipaserver
+cpu: 1
+memory: 2400
+  master_2repl_1client: &master_2repl_1client
+name: master_2repl_1client
+cpu: 5
+memory: 9100
+  master_3repl_1client: &master_3repl_1client
+name: master_3repl_1client
+cpu: 6
+memory: 11500
 
 jobs:
-  fedora-27/build:
+  fedora-rawhide/build:
 requires: []
 priority: 100
 job:
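Review bot: the three topologies added under "topologies:" give cpu and memory as bare numbers (memory: 2400, 9100, 11500) with no unit or comment, and in the lines shown no job references the ipaserver anchor. A short comment stating the unit and which jobs are meant to use ipaserver would make the sizing reviewable. The same hunk renames fedora-27/build to fedora-rawhide/build, which the "automated commit" message does not mention.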
@@ -21,44 +33,237 @@ jobs:
   args:
 git_repo: '{git_repo}'
 git_refspec: '{git_refspec}'
-template: &ci-master-f27
-  name: freeipa/ci-master-f27
-  version: 1.0.2
+template: &ci-master-frawhide
+  name: freeipa/ci-master-frawhide
+  version: 0.0.4
 timeout: 1800
 topology: *build
 
-  fedora-27/simple_replication:
-requires: [fedora-27/build]
+  fedora-rawhide/test_server_del:
+requires: [fedora-rawhide/build]
 priority: 50
 job:
   class: RunPytest
   args:
-build_url: '{fedora-27/build_url}'
-test_suite: test_integration/test_simple_replication.py
-template: *ci-master-f27
-timeout: 3600
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_server_del.py
+template: *ci-master-frawhide
+timeout: 8000
+topology: *master_2repl_1client
+
+  fedora-rawhide/test_installation:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py
+template: *ci-master-frawhide
+timeout: 18000
+topology: *master_3repl_1client
+
+  fedora-rawhide/TestServerInstall:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_caless.py::TestServerInstall
+template: *ci-master-frawhide
+timeout: 12000
+topology: *master_1repl
+
+  fedora-rawhide/TestReplicaInstall:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_caless.py::TestReplicaInstall
+template: *ci-master-frawhide
+timeout: 5400
+topology: *master_1repl
+
+  fedora-rawhide/TestClientInstall:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_caless.py::TestClientInstall
+template: *ci-master-frawhide
+timeout: 5400
 topology: *master_1repl
 
-  fedora-27/caless:
-requires: [fedora-27/build]
+  fedora-rawhide/TestIPACommands:
+requires: [fedora-rawhide/build]
 priority: 50
 job:
   class: RunPytest
   args:
-build_url: '{fedora-27/build_url}'
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_caless.py::TestIPACommands
+template: *ci-master-frawhide
+timeout: 5400
+topology: *master_1repl
+
+  fedora-rawhide/TestCertInstall:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_caless.py::TestCertInstall
+template: *ci-master-frawhide
+timeout: 5400
+topology: *master_1repl
+
+  fedora-rawhide/TestPKINIT:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_caless.py::TestPKINIT
+template: *ci-master-frawhide
+timeout: 5400
+topology: *master_1repl
+
+  fedora-rawhide/TestServerReplicaCALessToCAFull:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
 test_suite: test_inte
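Review bot: the timeouts of the new fedora-rawhide jobs run from 5400 up to 18000 (test_installation) with no comment on how they were chosen, and TestServerInstall gets 12000 while the other test_caless.py classes get 5400. A hung job presumably keeps its topology until the timeout expires, so a note on the measured run time behind each value would help. The test_caless.py jobs differ only in the class name and the timeout; if the CI config loader accepts YAML anchors for shared keys, as it does for template and topology, the common part could be factored out.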

[Freeipa-devel] [freeipa PR#1639][opened] [testing_master] Nightly PR

2018-02-26 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1639
Author: freeipa-pr-ci
 Title: #1639: [testing_master] Nightly PR
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1639/head:pr1639
git checkout pr1639
From e7a62d233e9ba53b45b74254b28e8c5a3fc4e939 Mon Sep 17 00:00:00 2001
From: root 
Date: Tue, 27 Feb 2018 03:11:04 +
Subject: [PATCH] automated commit

---
 .freeipa-pr-ci.yaml | 234 ++--
 1 file changed, 225 insertions(+), 9 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index b98a27835c..65565f9657 100644
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -11,6 +11,18 @@ topologies:
 name: master_1repl_1client
 cpu: 4
 memory: 6700
+  ipaserver: &ipaserver
+name: ipaserver
+cpu: 1
+memory: 2400
+  master_2repl_1client: &master_2repl_1client
+name: master_2repl_1client
+cpu: 5
+memory: 9100
+  master_3repl_1client: &master_3repl_1client
+name: master_3repl_1client
+cpu: 6
+memory: 11500
 
 jobs:
   fedora-27/build:
@@ -23,23 +35,107 @@ jobs:
 git_refspec: '{git_refspec}'
 template: &ci-master-f27
   name: freeipa/ci-master-f27
-  version: 1.0.2
+  version: 1.0.3
 timeout: 1800
 topology: *build
 
-  fedora-27/simple_replication:
+  fedora-27/test_server_del:
 requires: [fedora-27/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-27/build_url}'
-test_suite: test_integration/test_simple_replication.py
+test_suite: test_integration/test_server_del.py
 template: *ci-master-f27
-timeout: 3600
+timeout: 8000
+topology: *master_2repl_1client
+
+  fedora-27/test_installation:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py
+template: *ci-master-f27
+timeout: 18000
+topology: *master_3repl_1client
+
+  fedora-27/TestServerInstall:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_caless.py::TestServerInstall
+template: *ci-master-f27
+timeout: 12000
+topology: *master_1repl
+
+  fedora-27/TestReplicaInstall:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_caless.py::TestReplicaInstall
+template: *ci-master-f27
+timeout: 5400
+topology: *master_1repl
+
+  fedora-27/TestClientInstall:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_caless.py::TestClientInstall
+template: *ci-master-f27
+timeout: 5400
 topology: *master_1repl
 
-  fedora-27/caless:
+  fedora-27/TestIPACommands:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_caless.py::TestIPACommands
+template: *ci-master-f27
+timeout: 5400
+topology: *master_1repl
+
+  fedora-27/TestCertInstall:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_caless.py::TestCertInstall
+template: *ci-master-f27
+timeout: 5400
+topology: *master_1repl
+
+  fedora-27/TestPKINIT:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_caless.py::TestPKINIT
+template: *ci-master-f27
+timeout: 5400
+topology: *master_1repl
+
+  fedora-27/TestServerReplicaCALessToCAFull:
 requires: [fedora-27/build]
 priority: 50
 job:
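Review bot: fedora-27/simple_replication becomes fedora-27/test_server_del with a different test_suite, so no job in the lines shown still runs test_integration/test_simple_replication.py. If dropping it from the nightly run is intended, the commit message should say so; at present it is only "automated commit". The same applies to the template version bump from 1.0.2 to 1.0.3 at the top of the hunk.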
@@ -48,17 +144,137 @@ jobs:
 build_url: '{fedora-27/build_url}'
 test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
 template: *ci-master-f27
-timeout: 3600
+timeout: 5400
 topology: *master_1repl
 
-  fedora-27/external_ca:
+  fedora-27/TestBackupAndRestore:
 requires: [fedora-27/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-27/build_url}'
-test_suite: test_integration/test_external_ca.py
+test_suite: test_integration/test_backup_and_restore.py::TestBackupAndRestore
 template: *ci-master-f27
-timeout: 360
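Review bot: fedora-27/external_ca is replaced by fedora-27/TestBackupAndRestore in this hunk, which takes test_integration/test_external_ca.py out of the visible job list. Unless the job is re-added further down, external CA installation loses its nightly coverage. Adding TestBackupAndRestore as a new job next to external_ca, rather than in its place, would keep both.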