Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-24 Thread Martin Kosek
On Tue, 2011-10-18 at 15:29 +0200, Martin Kosek wrote:
 On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
  On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
    ipa.init was removed from the git, but it was never moved to
    init/SystemV/.
   It should have been moved (rm+new file). I'll check what's happening 
   there, maybe Simo's patch omitted that one?
   
   http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
   scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
   git tree + systemd patch.
  I did another rebase and current version of systemd support for 
  ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
  http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
  
 
 Yep, ipa.init is now correctly moved and I was able to compile ipa on
 both F-15 and F-16. I still have a few questions/issues:
 
 1) When ipa is not configured, it is ok that ipa.service status returns
 error. However, I still got ipa.service status error after the ipa was
 configured:
 
 # systemctl status ipa.service
 ipa.service - Identity, Policy, Audit
 Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
 Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
   Main PID: 18499 (code=exited, status=6)
 CGroup: name=systemd:/system/ipa.service
 # /usr/sbin/ipactl status
 IPA is not configured (see man pages of ipa-server-install for help)
 
 # ipa-server-install
 ...
 Applying LDAP updates
 Restarting IPA to initialize updates before performing deletes:
   [1/2]: stopping directory server
   [2/2]: starting directory server
 done configuring dirsrv.
 Restarting the directory server
 Restarting the KDC
 Restarting the web server
 Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
 ==
 Setup complete
 
 Next steps:
   1. You must make sure these network ports are open:
   TCP Ports:
 * 80, 443: HTTP/HTTPS
 * 389, 636: LDAP/LDAPS
 * 88, 464: kerberos
   UDP Ports:
 * 88, 464: kerberos
 * 123: ntp
 
   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
  This ticket will allow you to use the IPA tools (e.g., ipa user-add)
  and the web user interface.
 
 Be sure to back up the CA certificate stored in /root/cacert.p12
 This file is required to create replicas. The password for this
 file is the Directory Manager password
 
 # systemctl status ipa.service
 ipa.service - Identity, Policy, Audit
 Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
 Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
   Main PID: 18499 (code=exited, status=6)
 CGroup: name=systemd:/system/ipa.service
 
 
 
 2) ipactl shows stopped dirsrv and CA service even though they should be
 up (cert-show command worked):
 
 # ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: STOPPED
 HTTP Service: RUNNING
 CA Service: STOPPED
 
 When I restarted the ipa service, everything was OK including the status
 I mentioned in my previous mail:
 
 # systemctl restart ipa.service
 # ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: RUNNING
 HTTP Service: RUNNING
 CA Service: RUNNING
 
 # systemctl status ipa.service
 ipa.service - Identity, Policy, Audit
 Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
 Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min 
 41s ago
Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited, 
 status=0/SUCCESS)
 CGroup: name=systemd:/system/ipa.service
 
 
 Martin
 

Ok, final ACK :-) On Friday and today I did a final set of sanity tests
for both branches on F-15 and F-16. Minor issues found during the review
were fixed by Alexander and integrated into the patches.

There is just one pending issue I found - name server cannot talk to
dirsrv on F-16 due to changes in SELinux policy. It is being tracked
here:

https://bugzilla.redhat.com/show_bug.cgi?id=748366

SELinux guys accepted the issue and it is being worked on.

Pushed to master, ipa-2-1. Good job!

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-18 Thread Martin Kosek
On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
 On Fri, 14 Oct 2011, Simo Sorce wrote:
    Attached a rebased patch with the modifications needed to apply it on
    master.
    
    Everything seems to work on master but I haven't tested ipa-2-1 so this
    is a partial ACK of the original patch as well.
   
   A bit of bad news, I restarted the machine and I am having issues
   properly restarting services.
   This patch is still better than nothing as otherwise nothing works at
   all on f16, but we need to work out why starting services is unreliable.
  
  Ok found the issue and it is a bug in the conversion to systemd.
  I opened ticket #1990 for this.
  
  Attached find a rebased patch that fixes enough of the bug to let the
  server work (the keytab part), but it doesn't address the ulimit part.
 KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
 modified in dirsrv@.service file directly. The code in 
 ipapython/platform/fedora16.py goes to a great length to enable that 
 by copying file to /etc/systemd/system, modifying the config, and 
 relinking all dirsrv instances to it. That's how systemd is organized.
 
 Now, I think I found the actual issue preventing proper restarts.
 wait_for_socket() only considered 'connection refused' as valid error 
 when unable to connect and waiting up until timeout is gone. 
 Unfortunately, directory services start a bit slower than we had hoped 
 and by the time we attempt to connect to local AF_UNIX socket, there 
 is no actual socket on file system yet so we get:
 
 Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
 Service: Unknown error when retrieving list of services from LDAP: 
 [Errno 2] No such file or directory
 Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
 Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
 
 After applying attached patch I now have fully working FreeIPA 2.1 git 
 on Fedora 16.
 

Hi Alexander,

I tested our most recent master with Simo's rebased patch and your patch
0004-Spin-for-connection-success-also-when-socket-is-not-.patch. It
looks very good, I hit just a few issues:

1) ipa service reports inactive (dead) status even though LDAP server is
running:

systemctl status ipa.service
ipa.service - Identity, Policy, Audit
  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
  Active: inactive (dead) since Mon, 17 Oct 2011 10:21:30 -0400; 15s ago
 Process: 25194 ExecStop=/usr/sbin/ipactl stop (code=exited, 
status=0/SUCCESS)
 Process: 25173 ExecStart=/usr/sbin/ipactl start (code=exited, 
status=0/SUCCESS)
  CGroup: name=systemd:/system/ipa.service

Maybe we should return active status when dirsrv is running?

2) I wasn't able to build IPA on F-15 after the patches were applied:
$ make rpms
...
+ install -m755
init/SystemV/ipa.init 
/home/mkosek/freeipa/rpmbuild/BUILDROOT/freeipa-2.99.0GITb607c5c-0.fc15.x86_64/etc/rc.d/init.d/ipa
install: cannot stat `init/SystemV/ipa.init': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.nwbRUX (%install)

ipa.init was removed from the git, but it was never moved to
init/SystemV/.

Martin



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-18 Thread Alexander Bokovoy
On Tue, 18 Oct 2011, Martin Kosek wrote:
 I tested our most recent master with Simo's rebased patch and your patch
 0004-Spin-for-connection-success-also-when-socket-is-not-.patch. It
 looks very good, I hit just a few issues:
 
 1) ipa service reports inactive (dead) status even though LDAP server is
 running:
 
 systemctl status ipa.service
 ipa.service - Identity, Policy, Audit
 Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
 Active: inactive (dead) since Mon, 17 Oct 2011 10:21:30 -0400; 15s ago
Process: 25194 ExecStop=/usr/sbin/ipactl stop (code=exited, 
 status=0/SUCCESS)
Process: 25173 ExecStart=/usr/sbin/ipactl start (code=exited, 
 status=0/SUCCESS)
 CGroup: name=systemd:/system/ipa.service
 
 Maybe we should return active status when dirsrv is running?
We can't. This is systemd's status which we can't influence. And you 
have stopped the service so it is properly showing it as 'inactive'.

I still need to investigate such cases, as in the correct situation it should be:
ipa.service - Identity, Policy, Audit
  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
  Active: active (exited) since Mon, 17 Oct 2011 07:03:17 -0400; 24h ago
 Process: 956 ExecStart=/usr/sbin/ipactl start (code=exited, 
status=0/SUCCESS)
  CGroup: name=systemd:/system/ipa.service

Note that you have ExecStop for process 25194 (which is newer than 
25173) -- which means you have stopped ipa.service yourself.

It should have stopped dirsrv.target, though. Here is how it looks if 
I issue 'systemctl stop ipa.service':
ipa.service - Identity, Policy, Audit
  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
  Active: inactive (dead) since Tue, 18 Oct 2011 07:24:30 -0400; 1s ago
 Process: 11004 ExecStop=/usr/sbin/ipactl stop (code=exited, 
status=0/SUCCESS)
 Process: 956 ExecStart=/usr/sbin/ipactl start (code=exited, 
status=0/SUCCESS)
  CGroup: name=systemd:/system/ipa.service

And for dirsrv.target after that:
# systemctl status dirsrv.target
dirsrv.target - 389 Directory Server
  Loaded: loaded (/lib/systemd/system/dirsrv.target; disabled)
  Active: inactive (dead)


 2) I wasn't able to build IPA on F-15 after the patches were applied:
 $ make rpms
 ...
 + install -m755
 init/SystemV/ipa.init 
 /home/mkosek/freeipa/rpmbuild/BUILDROOT/freeipa-2.99.0GITb607c5c-0.fc15.x86_64/etc/rc.d/init.d/ipa
 install: cannot stat `init/SystemV/ipa.init': No such file or directory
 error: Bad exit status from /var/tmp/rpm-tmp.nwbRUX (%install)
 
 ipa.init was removed from the git, but it was never moved to
 init/SystemV/.
It should have been moved (rm+new file). I'll check what's happening 
there, maybe Simo's patch omitted that one?

http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
git tree + systemd patch.
-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-18 Thread Alexander Bokovoy
On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
  ipa.init was removed from the git, but it was never moved to
  init/SystemV/.
 It should have been moved (rm+new file). I'll check what's happening 
 there, maybe Simo's patch omitted that one?
 
 http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
 scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
 git tree + systemd patch.
I did another rebase and current version of systemd support for 
ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-18 Thread Simo Sorce
On Tue, 2011-10-18 at 14:27 +0300, Alexander Bokovoy wrote:
 On Tue, 18 Oct 2011, Martin Kosek wrote:

  ipa.init was removed from the git, but it was never moved to
  init/SystemV/.
 It should have been moved (rm+new file). I'll check what's happening 
 there, maybe Simo's patch omitted that one?

Can certainly be my mistake during the rebase. Patches didn't apply
cleanly so I had to add all new files manually again to the patch. Maybe
I missed ipa.init as it was moved ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-18 Thread Martin Kosek
On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
 On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
   ipa.init was removed from the git, but it was never moved to
   init/SystemV/.
  It should have been moved (rm+new file). I'll check what's happening 
  there, maybe Simo's patch omitted that one?
  
  http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current 
  scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 
  git tree + systemd patch.
 I did another rebase and current version of systemd support for 
 ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
 http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
 

Yep, ipa.init is now correctly moved and I was able to compile ipa on
both F-15 and F-16. I still have a few questions/issues:

1) When ipa is not configured, it is ok that ipa.service status returns
error. However, I still got ipa.service status error after the ipa was
configured:

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
  Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
Main PID: 18499 (code=exited, status=6)
  CGroup: name=systemd:/system/ipa.service
# /usr/sbin/ipactl status
IPA is not configured (see man pages of ipa-server-install for help)

# ipa-server-install
...
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
==
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
  Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
Main PID: 18499 (code=exited, status=6)
  CGroup: name=systemd:/system/ipa.service



2) ipactl shows stopped dirsrv and CA service even though they should be
up (cert-show command worked):

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: STOPPED
HTTP Service: RUNNING
CA Service: STOPPED

When I restarted the ipa service, everything was OK including the status
I mentioned in my previous mail:

# systemctl restart ipa.service
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
  Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
  Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min 
41s ago
 Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited, 
status=0/SUCCESS)
  CGroup: name=systemd:/system/ipa.service


Martin



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-18 Thread Alexander Bokovoy
On Tue, 18 Oct 2011, Martin Kosek wrote:
 1) When ipa is not configured, it is ok that ipa.service status returns
 error. However, I still got ipa.service status error after the ipa was
 configured:
 
 # systemctl status ipa.service
 ipa.service - Identity, Policy, Audit
 Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
 Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
   Main PID: 18499 (code=exited, status=6)
 CGroup: name=systemd:/system/ipa.service
 # /usr/sbin/ipactl status
 IPA is not configured (see man pages of ipa-server-install for help)
 
 # ipa-server-install
 ...
 Applying LDAP updates
 Restarting IPA to initialize updates before performing deletes:
   [1/2]: stopping directory server
   [2/2]: starting directory server
 done configuring dirsrv.
 Restarting the directory server
 Restarting the KDC
 Restarting the web server
 Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
 ==
 Setup complete
 
 Next steps:
   1. You must make sure these network ports are open:
   TCP Ports:
 * 80, 443: HTTP/HTTPS
 * 389, 636: LDAP/LDAPS
 * 88, 464: kerberos
   UDP Ports:
 * 88, 464: kerberos
 * 123: ntp
 
   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
  This ticket will allow you to use the IPA tools (e.g., ipa user-add)
  and the web user interface.
 
 Be sure to back up the CA certificate stored in /root/cacert.p12
 This file is required to create replicas. The password for this
 file is the Directory Manager password
 
 # systemctl status ipa.service
 ipa.service - Identity, Policy, Audit
 Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
 Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
   Main PID: 18499 (code=exited, status=6)
 CGroup: name=systemd:/system/ipa.service
We were discussing with Simo yesterday that perhaps we need to do a 
restart of ipa.service (on systemd platform only) explicitly after 
ipa-server-install.

Right now the last action we do is ipa.enable(), i.e. just enable 
ipa.service. As all services were started before during 
ipa-server-install, we deemed it unnecessary to do any restart in the 
System V case.

systemd, however, detects status based on its own tracking of events 
and there is no way to report status of the service other than 
systemd's internal state.

So we might do an implicit restart of ipa.service at the end of install. 
That would be another 5-10 seconds delay depending on the hardware.

 2) ipactl shows stopped dirsrv and CA service even though they should be
 up (cert-show command worked):
This might be related as well -- I've seen multiple times when 
ipa_kpasswd didn't start after ipa-server-install but works after 
restart.
-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-17 Thread Alexander Bokovoy
On Fri, 14 Oct 2011, Simo Sorce wrote:
   Attached a rebased patch with the modifications needed to apply it on
   master.
   
   Everything seems to work on master but I haven't tested ipa-2-1 so this
   is a partial ACK of the original patch as well.
  
  A bit of bad news, I restarted the machine and I am having issues
  properly restarting services.
  This patch is still better than nothing as otherwise nothing works at
  all on f16, but we need to work out why starting services is unreliable.
 
 Ok found the issue and it is a bug in the conversion to systemd.
 I opened ticket #1990 for this.
 
 Attached find a rebased patch that fixes enough of the bug to let the
 server work (the keytab part), but it doesn't address the ulimit part.
KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
modified in dirsrv@.service file directly. The code in 
ipapython/platform/fedora16.py goes to a great length to enable that 
by copying file to /etc/systemd/system, modifying the config, and 
relinking all dirsrv instances to it. That's how systemd is organized.

Now, I think I found the actual issue preventing proper restarts.
wait_for_socket() only considered 'connection refused' as valid error 
when unable to connect and waiting up until timeout is gone. 
Unfortunately, directory services start a bit slower than we had hoped 
and by the time we attempt to connect to local AF_UNIX socket, there 
is no actual socket on file system yet so we get:

Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
Service: Unknown error when retrieving list of services from LDAP: 
[Errno 2] No such file or directory
Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service

After applying attached patch I now have fully working FreeIPA 2.1 git 
on Fedora 16.

-- 
/ Alexander Bokovoy
From cb5583ad8023d87fdbf863cd65032d0f11108bc0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 17 Oct 2011 14:17:07 +0300
Subject: [PATCH 4/4] Spin for connection success also when socket is not
 (yet) available

We were spinning for socket connection if attempt to connect returned errno 111
(connection refused). However, it is not enough for local AF_UNIX sockets as
heavy applications might not be able to start yet and therefore the whole path
might be missing. So spin for errno 2 (no such file or directory) as well.

Partial fix for
  https://fedorahosted.org/freeipa/ticket/1990
---
 ipaserver/install/installutils.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/install/installutils.py 
b/ipaserver/install/installutils.py
index 
5cfc8f0376e25d9eb25206d54ac5bbea47aca9b2..0a36c354e1d2f901bfdef51c151d035ba8ee64ca
 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -507,7 +507,7 @@ def wait_for_open_socket(socket_name, timeout=0):
 s.close()
 break;
 except socket.error, e:
-if e.errno == 111:  # 111: Connection refused
+if e.errno in (2,111):  # 111: Connection refused, 2: File not 
found
 if timeout and time.time()  op_timeout: # timeout exceeded
 raise e
 time.sleep(1)
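Review bot: In the changed `if e.errno in (2,111)` line, the default `timeout=0` from the function signature means the `if timeout and ...` guard never raises, so a mistyped or never-created `socket_name` now spins forever where errno 2 used to propagate immediately. Consider giving the function a finite default timeout (or refusing to retry errno 2 without one), and use `errno.ENOENT` and `errno.ECONNREFUSED` instead of the literals 2 and 111, which also removes the need for the trailing comment.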
-- 
1.7.6.4
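The retry behaviour discussed in this message, as an added example that is not part of the original post or of the FreeIPA code: a Python 3 wait loop for a local AF_UNIX socket that treats ENOENT and ECONNREFUSED as "not ready yet", raises any other error at once, and always enforces a deadline. The function names, the `on_retry` hook and the socket file name are assumptions made for the illustration.

```python
import errno
import os
import shutil
import socket
import tempfile
import time

# Errors that only mean "the server is not up yet" for a local socket:
# ENOENT (2): the socket file has not been created; ECONNREFUSED (111 on
# Linux): the file exists but nothing is listening on it.
TRANSIENT = {errno.ENOENT, errno.ECONNREFUSED}


def wait_for_unix_socket(path, timeout=10.0, interval=0.05, on_retry=None):
    """Block until a connection to the AF_UNIX socket at `path` succeeds.

    Returns the number of failed attempts. Transient errors are retried
    until the deadline, then re-raised; every other error (ENOTDIR, EACCES,
    ...) is raised immediately because waiting cannot fix it.
    `on_retry` is a hypothetical hook, called with the errno of each retry.
    """
    if timeout <= 0:
        raise ValueError("a positive timeout is required")
    deadline = time.monotonic() + timeout  # unaffected by clock changes
    attempts = 0
    while True:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.connect(path)
            return attempts
        except OSError as e:
            if e.errno not in TRANSIENT or time.monotonic() >= deadline:
                raise
            attempts += 1
            if on_retry is not None:
                on_retry(e.errno)
        finally:
            sock.close()
        time.sleep(interval)


def demo_slow_start():
    """Constructed scenario: the path is missing, then bound but not
    listening, then ready. The hook advances the fake server one step per
    retry, so the sequence does not depend on timing."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "slapd-EXAMPLE.socket")  # constructed name
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    seen = []

    def advance(err):
        seen.append(errno.errorcode[err])
        if err == errno.ENOENT:
            server.bind(path)      # socket file now exists
        elif err == errno.ECONNREFUSED:
            server.listen(1)       # server is now ready

    try:
        wait_for_unix_socket(path, timeout=5, interval=0.01, on_retry=advance)
    finally:
        server.close()
        shutil.rmtree(tmpdir, ignore_errors=True)
    return seen


def demo_fail_fast():
    """Constructed scenario: a path component is a regular file, which is a
    configuration error and must not be retried."""
    tmpdir = tempfile.mkdtemp()
    try:
        regular_file = os.path.join(tmpdir, "notadir")
        open(regular_file, "w").close()
        try:
            wait_for_unix_socket(os.path.join(regular_file, "x.socket"), timeout=5)
        except OSError as e:
            return errno.errorcode[e.errno]
        return None
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo_slow_start())
    print(demo_fail_fast())
```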


Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-17 Thread Simo Sorce
On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
 On Fri, 14 Oct 2011, Simo Sorce wrote:
    Attached a rebased patch with the modifications needed to apply it on
    master.
    
    Everything seems to work on master but I haven't tested ipa-2-1 so this
    is a partial ACK of the original patch as well.
   
   A bit of bad news, I restarted the machine and I am having issues
   properly restarting services.
   This patch is still better than nothing as otherwise nothing works at
   all on f16, but we need to work out why starting services is unreliable.
  
  Ok found the issue and it is a bug in the conversion to systemd.
  I opened ticket #1990 for this.
  
  Attached find a rebased patch that fixes enough of the bug to let the
  server work (the keytab part), but it doesn't address the ulimit part.
 KRB5_KTNAME was missing but LimitNOFile is available -- it is now 
 modified in dirsrv@.service file directly. The code in 
 ipapython/platform/fedora16.py goes to a great length to enable that 
 by copying file to /etc/systemd/system, modifying the config, and 
 relinking all dirsrv instances to it. That's how systemd is organized.
 
 Now, I think I found the actual issue preventing proper restarts.
 wait_for_socket() only considered 'connection refused' as valid error 
 when unable to connect and waiting up until timeout is gone. 
 Unfortunately, directory services start a bit slower than we had hoped 
 and by the time we attempt to connect to local AF_UNIX socket, there 
 is no actual socket on file system yet so we get:
 
 Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory 
 Service: Unknown error when retrieving list of services from LDAP: 
 [Errno 2] No such file or directory
 Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
 Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
 
 After applying attached patch I now have fully working FreeIPA 2.1 git 
 on Fedora 16.

ACK,
fixes my startup issue as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-14 Thread Simo Sorce
On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
 On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
  rebased, updated package dependencies, and verified against 
  Fedora 16+updates-testing.
  
  This patch is for ipa-2-1 branch. I need to do a few cosmetic changes in 
  freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd 
  is gone there.
 Forgot to add that altogether this patch fixes:
 
 https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
 https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
 https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it 
 was missing from the configuration file
 
 The latter one is integrated within the systemd patch because the same 
 function is re-used for editing systemd service files and 
 /etc/sysconfig/krb5kdc and it simply makes little sense to separate 
 them as without editing systemd services for dirsrv, one cannot start 
 dirsrv with number of file descriptors required by IPA defaults, and 
 krb5kdc configuration should be written properly before krb5kdc is 
 started as its systemd service unit uses parameters from the 
 configuration file.

Attached a rebased patch with the modifications needed to apply it on
master.

Everything seems to work on master but I haven't tested ipa-2-1 so this
is a partial ACK of the original patch as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 59bc35c496b4a6444e168d68da2a7c8c1508dc2a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 10 Oct 2011 15:25:15 +0300
Subject: [PATCH] Add support for systemd environments and use it to support
 Fedora 16

https://fedorahosted.org/freeipa/ticket/1192
---
 Makefile|2 +-
 freeipa.spec.in |   75 ++-
 init/systemd/ipa.service|   14 +++
 install/tools/ipactl|   12 ++-
 ipa.init|   40 
 ipapython/config.py |2 +-
 ipapython/platform/base.py  |   14 ++--
 ipapython/platform/fedora16.py  |  113 +
 ipapython/platform/redhat.py|   12 +-
 ipapython/platform/systemd.py   |  204 +++
 ipaserver/install/cainstance.py |4 +-
 ipaserver/install/dsinstance.py |6 +-
 12 files changed, 436 insertions(+), 62 deletions(-)
 create mode 100644 init/systemd/ipa.service
 delete mode 100755 ipa.init
 create mode 100644 ipapython/platform/fedora16.py
 create mode 100644 ipapython/platform/systemd.py

diff --git a/Makefile b/Makefile
index 585c6fe1181e44906c05a67a317d66eb4eee445a..a024dea32d00ebedc47f4262f79defc2790aeebd 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ PRJ_PREFIX=freeipa
 RPMBUILD ?= $(PWD)/rpmbuild
 TARGET ?= master
 
-SUPPORTED_PLATFORM=redhat
+SUPPORTED_PLATFORM ?= redhat
 
 # After updating the version in VERSION you should run the version-update
 # target.
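Review bot: `SUPPORTED_PLATFORM ?= redhat` now picks up its value from the environment or the make command line, but nothing near the assignment says which platform names are accepted. Add a comment above it listing the valid values, so that a stray `SUPPORTED_PLATFORM` in the build environment is easier to spot.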
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 95f09d11a98c846b5f71b7892dbd779b85e8207b..c306c2bbce22784093fcdc2624ac713099863270 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,10 +24,17 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
+%if 0%{?fedora} = 16
+BuildRequires: 389-ds-base-devel = 1.2.10
+%else
 BuildRequires:  389-ds-base-devel = 1.2.9
+%endif
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils = %{POLICYCOREUTILSVER}
+%if 0%{?fedora} = 16
+BuildRequires:  systemd-units 
+%endif
 %endif
 BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
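Review bot: The added `BuildRequires: 389-ds-base-devel = 1.2.10` line has one space after the colon where the neighbouring `BuildRequires:` lines use two, and the added `BuildRequires:  systemd-units ` line ends in trailing whitespace. Align both with the existing entries.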
@@ -89,7 +96,11 @@ Requires(pre): 389-ds-base = 1.2.10-0.4.a4
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
+%if 0%{?fedora} = 16
+Requires: krb5-server = 1.9.1-15
+%else
 Requires: krb5-server
+%endif
 Requires: krb5-server-ldap
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
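Review bot: The Fedora 16 `Requires: krb5-server = 1.9.1-15` line carries no comment saying what that build provides. Add a one-line comment, as is done for the `tomcat6` requirement later in this patch, so the version pin can be revisited later.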
@@ -102,6 +113,11 @@ Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1 = 0.0.9a
+%if 0%{?fedora} = 16
+Requires: systemd-units = 36-3
+Requires(pre): systemd-units
+Requires(post): systemd-units
+%endif
 %if 0%{?fedora} = 15
 Requires: selinux-policy = 3.9.16-18
 %else
@@ -109,6 +125,12 @@ Requires: selinux-policy = 3.9.7-27
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.21
+%if 0%{?fedora} = 16
+Requires: pki-ca = 9.0.15
+Requires: pki-silent = 9.0.15
+# Only tomcat6 greater than this version provides proper systemd support
+Requires: tomcat6 = 6.0.32-17
+%else
 %if 0%{?fedora} = 15
 Requires: pki-ca = 9.0.15
 Requires: pki-silent = 9.0.15
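Review bot: The new Fedora 16 branch repeats the `pki-ca = 9.0.15` and `pki-silent = 9.0.15` lines of the Fedora 15 branch directly below it and adds a second level of `%if`/`%else` nesting. Consider leaving the existing conditional as it is and putting only the `tomcat6` requirement, with its comment, in its own Fedora 16 `%if` block.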
@@ -117,13 +139,19 @@ Requires: pki-setup  = 9.0.15
 Requires: pki-ca = 9.0.5
 Requires: pki-silent = 9.0.5
 %endif
+%endif
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
+%if 0%{?fedora} = 16
+Requires(preun): python systemd-units

Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-14 Thread Simo Sorce
On Fri, 2011-10-14 at 13:56 -0400, Simo Sorce wrote:
 On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
  On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
   rebased, updated package dependencies, and verified against 
   Fedora 16+updates-testing.
   
   This patch is for ipa-2-1 branch. I need to do a few cosmetic changes in 
   freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd 
   is gone there.
  Forgot to add that altogether this patch fixes:
  
  https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
  https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
  https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it 
  was missing from the configuration file
  
  The latter one is integrated within the systemd patch because the same 
  function is re-used for editing systemd service files and 
  /etc/sysconfig/krb5kdc and it simply makes little sense to separate 
  them as without editing systemd services for dirsrv, one cannot start 
  dirsrv with number of file descriptors required by IPA defaults, and 
  krb5kdc configuration should be written properly before krb5kdc is 
  started as its systemd service unit uses parameters from the 
  configuration file.
 
 Attached a rebased patch with the modifications needed to apply it on
 master.
 
 Everything seems to work on master but I haven't tested ipa-2-1 so this
 is a partial ACK of the original patch as well.

A bit of bad news, I restarted the machine and I am having issues
properly restarting services.
This patch is still better than nothing as otherwise nothing works at
all on f16, but we need to work out why starting services is unreliable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support

2011-10-10 Thread Alexander Bokovoy
On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
 rebased, updated package dependencies, and verified against 
 Fedora 16+updates-testing.
 
 This patch is for ipa-2-1 branch. I need to do a few cosmetic changes in 
 freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd 
 is gone there.
Forgot to add that altogether this patch fixes:

https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it was 
missing from the configuration file

The latter one is integrated within the systemd patch because the same 
function is re-used for editing systemd service files and 
/etc/sysconfig/krb5kdc and it simply makes little sense to separate 
them as without editing systemd services for dirsrv, one cannot start 
dirsrv with number of file descriptors required by IPA defaults, and 
krb5kdc configuration should be written properly before krb5kdc is 
started as its systemd service unit uses parameters from the 
configuration file.
-- 
/ Alexander Bokovoy
