Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/02/2011 05:15 PM, Ian Stokes-Rees wrote: Or perhaps there is a very long road of beta versions that will come out over the next several years before a final 2.0 release appears. While I can't comment on the final release schedule for FreeIPA v2, I would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2 What you should take away from this is that FreeIPA v2 is expected to be feature-complete by the Fedora 15 Feature Freeze date (February 8th) and must be in its final state by March 22nd in order to be released in Fedora 15. So it's probably safe to assume that 2.0 is not several years away. I'd say we're looking at weeks, not months or years at this point. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1KpxkACgkQeiVVYja6o6O8cgCfZANts75bzbj6A5NVYsVtfAi1 2FsAn3sAhotQ/ehHQ6wJ3jgSXEhQoUbv =3uiC -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
While I can't comment on the final release schedule for FreeIPA v2, I would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2 What you should take away from this is that FreeIPA v2 is expected to be feature-complete by the Fedora 15 Feature Freeze date (February 8th) and must be in its final state by March 22nd in order to be released in Fedora 15. So it's probably safe to assume that 2.0 is not "several years" away. I'd say we're looking at weeks, not months or years at this point. Thanks for that link. I see: Targeted release: Fedora 15 Last updated: 01/12/11 Percentage of completion: 80% In a way, I find this even more worrying since it sounds like FreeIPA will either be pushed out too early (can schema migration be left out, or be implemented but untested?) or will miss Fedora 15 and we won't see it until Fedora 16 (end of summer or autumn). I don't see how something as fundamental as a directory server can be mostly finalized (feature freeze, and bug fix only state) in a few weeks when the developers themselves say "we reset our FreeIPA DS from scratch every day", suggesting that no one (?) has tested it in an operational state with real users and systems for an extended period (at least days, but really for weeks or more). If you think one frustrated group (us) right now is annoying, just wait to see what happens if FreeIPA v2.0 *does* go out with Fedora 15 in a few months and lots of people eagerly install it only to discover in the following months that it wasn't ready or that they can't upgrade/migrate their DS contents. Ian As a postscript, a few weeks ago FreeIPA had 20% left to complete before v2.0 was ready. Even if we are kind and estimate that this last 20% will take only 20% of the effort (rather than 80% which we're all familiar with is much more common by the 80/20 rule) it would suggest that about 2 months are required to complete it. Does it suggest that everything that has ever been done to produce FreeIPA v2.0 has been done in the past 10 months (starting March 2010)? Or has the team working on it grown substantially over the past year? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/03/2011 10:29 AM, Ian Stokes-Rees wrote: While I can't comment on the final release schedule for FreeIPA v2, I would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2 What you should take away from this is that FreeIPA v2 is expected to be feature-complete by the Fedora 15 Feature Freeze date (February 8th) and must be in its final state by March 22nd in order to be released in Fedora 15. So it's probably safe to assume that 2.0 is not several years away. I'd say we're looking at weeks, not months or years at this point. Thanks for that link. I see: * Targeted release: Fedora 15 http://fedoraproject.org/wiki/Releases/15 * Last updated: 01/12/11 * Percentage of completion: 80% In a way, I find this even more worrying since it sounds like FreeIPA will either be pushed out too early (can schema migration be left out, or be implemented but untested?) or will miss Fedora 15 and we won't see it until Fedora 16 (end of summer or autumn). - From the earlier points of the discussion, schema migration is planned for upgrades from 2.0.0 to future versions. It's only something that was left out of the alpha/beta process because things were still in churn and those releases were never intended to be in production. Once 2.0.0 is baked, obviously the upgrade path will need to be clean. I don't see how something as fundamental as a directory server can be mostly finalized (feature freeze, and bug fix only state) in a few weeks when the developers themselves say we reset our FreeIPA DS from scratch every day, suggesting that no one (?) has tested it in an operational state with real users and systems for an extended period (at least days, but really for weeks or more). If you think one frustrated group (us) right now is annoying, just wait to see what happens if FreeIPA v2.0 *does* go out with Fedora 15 in a few months and lots of people eagerly install it only to discover in the following months that it wasn't ready or that they can't upgrade/migrate their DS contents. Feature freeze means that FreeIPA will not be adding new functionality after this point (which includes schema changes) and will be focusing only on stability and bugfixes until final release. Ian As a postscript, a few weeks ago FreeIPA had 20% left to complete before v2.0 was ready. Even if we are kind and estimate that this last 20% will take only 20% of the effort (rather than 80% which we're all familiar with is much more common by the 80/20 rule) it would suggest that about 2 months are required to complete it. Does it suggest that everything that has ever been done to produce FreeIPA v2.0 has been done in the past 10 months (starting March 2010)? Or has the team working on it grown substantially over the past year? That 80% is the amount of Fedora-related effort, not the upstream completion effort. It hasn't been updated, but I'd ballpark us at nearly about 95% now. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1Kyy4ACgkQeiVVYja6o6MuZACfXboYMLY9Ur/Qai2xxkId5/xe OvUAmgJdwxG0aKHQKPRsiZ0lLb3HINBQ =H6hd -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/03/2011 10:51 AM, Peter Doherty wrote: On Feb 3, 2011, at 10:35 , Stephen Gallagher wrote: - From the earlier points of the discussion, schema migration is planned for upgrades from 2.0.0 to future versions. It's only something that was left out of the alpha/beta process because things were still in churn and those releases were never intended to be in production. Once 2.0.0 is baked, obviously the upgrade path will need to be clean. Is there a plan to include the ability for users of 1.2 to migrate to 2.0? I'd consider setting up and using 1.2 right now if I know that I can migrate to 2.0 when the stable release comes out. This is a use case that we have in mind. v1 is treated as an external DS thought. This migration is planned through the migrate-ds + SSSD or special page to migrate passwords. The v1 and v2 schemas are drastically different but v1 just has users and groups and migrate-ds script takes care of it. This is well covered in the migration guide. The in place update are planned starting v2 meaning that either the bits just can be refreshed on each of the replicas gradually (if schema or related logic is not affected) or will require a rolling upgrade. The rolling upgrade is needed for the cases when there are schema changes and newer replicas can't talk to the old replicas due to potential data corruption cause by schema mismatch. The rolling upgrade procedure will effectively cause a split of the domain. Replicas that still carry old bits and schema will talk to each other and updated replicas will talk to each other. The rolling upgrade procedure fill involve updating replicas one by one so that they move from one set to another. Finally when all replicas are updated they all will be talking to each other again. The changes caused by the client and administrative activity will be propagated to the set of updated replicas as any new converted replica will carry the chunk of changes it already knows about. Upgrades are very complex procedures especially in the replicated environments. There is no silver bullet technology that will make things simple. We though this part through but do not plan supporting rolling upgrades till the next version of IPA (probably 2.1). The foundation for such approach is there. But the tools to actually update in place are not yet implemented. They are a part of the subsequent release. Thanks Dmitri -Peter ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users