Re: [Freeipa-devel] [PATCH 0030][DOC] Chapter 1 and 2 updates to documentation
Thanks, Petr. What is the project's preference here as far as (if they were correct) having documentation flow from RHEL to the Fedora docs? It seems to me that really the upstream should be Freeipa Docs that flows into RHEL docs (with mods for RH needs)?

On Mon, Aug 11, 2014 at 1:44 AM, Petr Spacek pspa...@redhat.com wrote:

Hello,

I did proof-reading of patch 0030. It seems that you have cannibalized RHEL docs which is a bit unfortunate, they are not entirely correct. RHEL docs are being reviewed and fixed right now so it would be better to wait until RHEL guide is fixed.

On 9.8.2014 04:44, Gabe Alford wrote:

- Patch 0030 updates DNS instructions, installation options/examples, prerequisites, replica information, etc.

I started to read the patch and found following:

+ notetitleNOTE/title para - It is recommended that a separate DNS domain be allocated for the IPA; server. While not required (clients from other domains can still be enrolled in the IPA; domain), this is a convenience for overall DNS management. - /para - /listitem - /itemizedlist - notetitleTIP/title + If the IPA; server is configured to host its own DNS server, the IPA; DNS service processes all DNS queries. The IPA; DNS records take precedence, and any previous existing DNS configuration is ignored. + /para + para + All systems within the domain must be configured to use the IPA;-managed DNS server. + /para + /note + /section

This is incorrect (and really important). This text should say that if IdM is a DNS server then there has to be correct delegation from parent domain to IdM servers. I.e. if IdM domain is ipa.example.com. it has to be delegated properly from example.com. domain. This follows normal rules for DNS, nothing special.

+ importanttitleIMPORTANT/title + para + This must be a valid DNS name, which means only numbers, alphabetic characters, underscores(_), and hyphens (-) are allowed. Other characters in the hostname will cause DNS failures. + /para + /important

Underscore is not allowed. (Even if it is technically possible docs shouldn't encourage people to do that.)

+ listitem + para + The A and PTR records do not need to match the IPA; server. + /para + /listitem

The A and PTR records do not need to match for the server. Forward DNS record (A, ) need to match.

-screen[root@server ~]# iptables -A INPUT -p tcp --dport 389 -j ACCEPT/screen +screen[root@server ~]# firewalld -A INPUT -p tcp --dport 389 -j ACCEPT/screen

This is wrong. One cannot just replace iptables command with firewalld and hope it works. I would rather skip this command at all and just point to firewalld man page.

And so on and so on. At this point I have realized that the same mistakes are in RHEL docs so it would be better to drop the patch and wait until RHEL docs are fixed.

In future, please use IP address ranges reserved for documentation:
IPv6: http://tools.ietf.org/html/rfc3849
IPv4: http://tools.ietf.org/html/rfc5737

It prevents people from screwing real networks when doing copypaste. (This concern is well based. Copypaste mistakes in the past caused huge routing problems on public Internet.)

Thank you for understanding - and have a nice day!

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
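Review bot: the IMPORTANT hunk lists underscores (_) among the characters allowed in the server hostname, which contradicts the hostname rules of RFC 952 as amended by RFC 1123: a label may contain only letters, digits and hyphens, and may not begin or end with a hyphen. Underscores are legal only in the owner names of records such as the _ldap._tcp SRV records, never in a host's A/AAAA name, so the sentence should read "only numbers, alphabetic characters, and hyphens (-) are allowed"; as written it steers readers into exactly the DNS failures the paragraph warns about.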
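Review bot: in the last hunk the screen line replaces `iptables -A INPUT -p tcp --dport 389 -j ACCEPT` with `firewalld -A INPUT -p tcp --dport 389 -j ACCEPT`, but firewalld is the daemon, not a command, and it does not accept iptables arguments, so a reader who pastes the line gets an error instead of an open LDAP port. Either drop the command and refer to the firewalld documentation, as Petr suggests, or show the client tool with its own syntax, for example `firewall-cmd --permanent --add-port=389/tcp` followed by `firewall-cmd --reload`.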
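Petr's two requests above, no underscores in hostnames and only documentation address ranges in examples, can be checked mechanically. The following linter is an added example, not code from this thread or from FreeIPA; it assumes sample text with whitespace- or `=`-separated tokens, and the `SAMPLE` snippet is constructed.

```python
import ipaddress
import re

# Hypothetical doc linter (not FreeIPA code). Ranges reserved for documentation,
# so a copy-paste from the docs can never reach a real network.
DOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # RFC 5737
    "2001:db8::/32",                                      # RFC 3849
)]
# One hostname label (RFC 952/1123): letters, digits, hyphens, no leading or
# trailing hyphen, at most 63 octets. Underscores are valid only in SRV/TXT
# owner names such as _ldap._tcp, never in a hostname, so they are absent here.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
FQDN_LIKE_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+\.?$")

def is_valid_hostname(name):
    """True if every label passes LABEL_RE and the name fits in 253 octets."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL_RE.match(l) for l in name.split("."))

def is_documentation_address(addr):
    """True if addr (a string) is loopback or inside an RFC 5737/3849 range."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in DOC_NETWORKS)

def lint_samples(text):
    """Return (line_no, token, problem) for every offending token in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for raw in re.split(r"[\s=]+", line):          # also splits --opt=value
            token = raw.strip("\"'()[]<>,;")
            try:
                ipaddress.ip_address(token)
            except ValueError:                          # not an IP: maybe a hostname
                if FQDN_LIKE_RE.match(token) and not is_valid_hostname(token):
                    findings.append((line_no, token, "invalid hostname label"))
                continue
            if not is_documentation_address(token):
                findings.append((line_no, token, "not a documentation address"))
    return findings

# Constructed sample of the kind of text the review objects to.
SAMPLE = """\
[root@server ~]# ipa-server-install --hostname=ipa_server.example.com
[root@server ~]# ipa-server-install --ip-address=10.1.2.3
Forwarder 2001:db8::53 and server ipa1.example.com. are fine.
"""
```

`lint_samples(SAMPLE)` reports the underscore hostname on line 1 and the non-documentation address on line 2, and accepts line 3.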
Re: [Freeipa-devel] [PATCH 0101, 106] Tests: host plugin (Allow to add host if AAAA record exists)
On 08/07/2014 05:40 PM, Martin Basti wrote:
On 07/08/14 17:05, Martin Basti wrote:
On 07/08/14 16:27, Petr Viktorin wrote:
On 08/07/2014 02:33 PM, Martin Basti wrote:
On 28/07/14 14:11, Petr Viktorin wrote:
On 07/09/2014 06:29 PM, Martin Basti wrote:

Patch attached. Ticket: https://fedorahosted.org/freeipa/ticket/4164

Looks like it works fine for me. Can you also add a test for this?

Tests attached. I also added tests with --ip-address parameter.

This works, thanks! I have some comments however:

Variables like `name5` can have more descriptive names, so that you can look at the test definition and actually know what's being tested.

Some of the tests are independent (both in the sense that they don't need the other tests to be run, and that they test a different thing than the others); those can be in separate classes.

There are better things to do in IPA than making the tests perfect, so ACK if you want to push this as is.

Please wait, I will fix the names then, it'll be fast.

Updated patch attached.

ACK, pushed to:
master: 4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-1: 4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-0: 2fa1555722ed875a32d3480ea08c5ad420a015a6

--
Petr³
Re: [Freeipa-devel] [PATCH] - Add DRM to IPA
On 08/09/2014 01:36 AM, Rob Crittenden wrote:
Ade Lee wrote:

Attached is a new patch. I believe I have addressed all the issues raised by pviktori, edewata and rcrit. Ar! Please let me know if I missed something!

Incidentally, to get all this to work, you should use the latest Dogtag 10.2 build, which also contains a fix for pkidestroy that is not yet merged in. A COPR build is currently underway at: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/24804/

Some whitespace issues:

Applying: Add a DRM to IPA
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3774: trailing whitespace.
This relies on the DRM client to generate a wrapping key
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3292: new blank line at EOF.
+
warning: 2 lines add whitespace errors.

I do hope you're planning on adding a minimum build dep at some point?

Still seeing AVCs during install:

time->Fri Aug 8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1503): arch=c03e syscall=1 success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1503): avc: denied { setfscreate } for pid=12307 comm=cp scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process

time->Fri Aug 8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1504): arch=c03e syscall=190 success=no exit=-13 a0=4 a1=7fff1caa8590 a2=210c8f0 a3=2d items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1504): avc: denied { relabelfrom } for pid=12307 comm=cp name=CS.cfg.bak.20140808191335 dev=dm-0 ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file

time->Fri Aug 8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.744:1505): arch=c03e syscall=88 success=no exit=-13 a0=7fffd3c0daa7 a1=7fffd3c0daea a2=0 a3=7fffd3c0b9b0 items=0 ppid=12121 pid=12308 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=ln exe=/usr/bin/ln subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.744:1505): avc: denied { create } for pid=12308 comm=ln name=CS.cfg.bak scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file

The new estimated time was dead on :-)

There was a fairly long wait after "Done configuring DRM server (pki-tomcatd)." and the install was done.

I thought we always displayed text when restarting (e.g. handled by the service wrapper) but I guess not. It would be nice to know what is going on.

Re-running ipa-drm-install results in a scary error:

]# ipa-drm-install
Usage: ipa-drm-install [options] [replica_file]
ipa-drm-install: error: DRM is already installed.
Your system may be partly configured.
Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.

Right, you don't want to override handle_error here. Instead, wrap the body of run() in

try:
except:
    self.log.error(self.FAIL_MESSAGE)
    raise

(Yes, bare `except` and bare `raise`)

I used self.log.error() instead of print, because I think at least the "Your system may be partly configured." part of the FAIL_MESSAGE should end up in the log, not just on screen.

And now onto the code...

class drm

_create_pem_file isn't exactly descriptive and there is no method documentation.

_setup. Just a nit: do you want to hardcode the port? I think I'd prefer it come via the constructor and default to 443.

It may be worth beefing up the return value docs à la what John did in the dogtag section. I notice, for example, you always return a tuple and one value as None in store_secret. I assume there is a reason for that but it isn't obvious. This happens elsewhere too.

Should the copyright dates on existing files be changed? I don't think they should be, but I'm hardly an expert.

I just did a cursory look-see in the code and things generally looked ok. I'm hoping Petr^3 will take a closer look.

rob

I also see a scary error I can't make heads or tails of when trying to install DRM on a replica:

$ sudo ipa-drm-install
Your system may be partly configured.
Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.
HTTPConnectionPool(host='localhost', port=8080):
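To turn AVC records like the ones quoted above into a summary that can be filed against the pki_tomcat policy, here is an added triage script; it is neither FreeIPA nor Dogtag code and does not come from the thread. It assumes audit.log/ausearch record formatting and reuses the three denials from the message as its input.

```python
import re
from collections import Counter

# Hypothetical triage helper (not FreeIPA code): one regex for an AVC record,
# tolerant of the quoted comm="cp" form in audit.log and the unquoted form above.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: +denied +\{ (?P<perms>[^}]+)\} for +pid=(?P<pid>\d+) "
    r"comm=\"?(?P<comm>[^ \"]+)\"?(?: name=\"?(?P<name>[^ \"]+)\"?)?.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# The three denials quoted in the review above (real records, not constructed).
AVC_SAMPLE = [
    "type=AVC msg=audit(1407539615.743:1503): avc: denied { setfscreate } for pid=12307 comm=cp scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process",
    "type=AVC msg=audit(1407539615.743:1504): avc: denied { relabelfrom } for pid=12307 comm=cp name=CS.cfg.bak.20140808191335 dev=dm-0 ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file",
    "type=AVC msg=audit(1407539615.744:1505): avc: denied { create } for pid=12308 comm=ln name=CS.cfg.bak scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file",
]

def parse_avc(line):
    """Return a dict for one AVC record, or None for SYSCALL and other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # Keep only the type field of each context; user and role do not matter here.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarise(lines):
    """Count (source domain, permission, target type, object class) over all AVC lines."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["sdomain"], perm, rec["ttype"], rec["tclass"])] += 1
    return counts

def as_rules(counts):
    """Render the summary as audit2allow-style lines for a bug report.
    Each line is a finding to review against the intended policy, not a rule to load blindly."""
    grouped = {}
    for (sdom, perm, ttype, tclass) in counts:
        grouped.setdefault((sdom, ttype, tclass), set()).add(perm)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]
```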