Re: [Freeipa-devel] [PATCH 0030][DOC] Chapter 1 and 2 updates to documentation

2014-08-11 Thread Gabe Alford
Thanks, Petr.

What is the project's preference here as far as (if they were correct)
having documentation flow from RHEL to the Fedora docs? It seems to me that
really the upstream should be Freeipa Docs that flows into RHEL docs (with
mods for RH needs)?




On Mon, Aug 11, 2014 at 1:44 AM, Petr Spacek pspa...@redhat.com wrote:

 Hello,

 I did proof-reading of patch 0030. It seems that you have cannibalized RHEL
 docs, which is a bit unfortunate; they are not entirely correct.

 RHEL docs are being reviewed and fixed right now so it would be better to
 wait until RHEL guide is fixed.


 On 9.8.2014 04:44, Gabe Alford wrote:

 - Patch 0030 update DNS instructions, installation options/examples,
 prerequisites, replica information, etc.


 I started to read the patch and found following:

  +   notetitleNOTE/title
 para
 -   It is recommended
 that a separate DNS domain be allocated for the IPA; server. While not
 required (clients from other domains can still be enrolled in the IPA;
 domain), this is a convenience for overall DNS management.
 -   /para
 -   /listitem
 -   /itemizedlist
 -   notetitleTIP/title
 +   If the IPA; server is
 configured to host its own DNS server, the IPA; DNS service processes all
 DNS queries. The IPA; DNS records take precedence, and any previous
 existing DNS configuration is ignored.
 +   /para
 +   para
 +   All systems within the
 domain must be configured to use the IPA;-managed DNS server.
 +   /para
 +   /note
 +   /section
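Review bot: the added NOTE text is wrong on DNS precedence. `The IPA; DNS records take precedence, and any previous existing DNS configuration is ignored` describes no DNS mechanism: an IPA-hosted DNS server only answers authoritatively for the zones it serves, and resolvers reach it only because the parent zone (example.com for ipa.example.com) delegates the IPA zone to the IPA servers with NS records. Replace the precedence sentence with a delegation requirement, and weaken `All systems within the domain must be configured to use the IPA;-managed DNS server` to say that systems must be able to resolve the IPA domain, directly or through delegation. Also check that the openers for the removed `/listitem` and `/itemizedlist` closers are removed in a hunk not shown here; otherwise the DocBook no longer validates.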


 This is incorrect (and really important). This text should say that if IdM
 is a DNS server then there has to be correct delegation from parent domain
 to IdM servers.

 I.e. if IdM domain is ipa.example.com. it has to be delegated properly
 from example.com. domain. This follows normal rules for DNS, nothing
 special.


  +
 importanttitleIMPORTANT/title
 +   para
 +
 This must be a valid DNS name, which means only numbers, alphabetic
 characters, underscores(_), and hyphens (-) are allowed. Other characters
 in the hostname will cause DNS failures.
 +   /para
 +   /important
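Review bot: the IMPORTANT paragraph permits underscores, which host names do not allow. Host name labels (RFC 952 / RFC 1123) consist of letters, digits and hyphens, with no leading or trailing hyphen; underscores occur in DNS owner names such as SRV record names but are not valid in a host name, and the IPA server's name must be a fully qualified host name. Suggest: `only letters, digits and hyphens (-) are allowed, and a label may not begin or end with a hyphen`.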

 Underscore is not allowed. (Even if it is technically possible docs
 shouldn't encourage people to do that.)


  +   listitem
 +   para
 +   The A and
 PTR records do not need to match the IPA; server.
 +   /para
 +   /listitem
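Review bot: `The A and PTR records do not need to match the IPA; server` is ambiguous and invites a broken setup. The forward record (A, and AAAA where IPv6 is used) for the server's host name must resolve to the address the server listens on; it is only the reverse (PTR) record that may be absent or point elsewhere. Rephrase to say which record is required and which is optional rather than that neither needs to match.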

 The A and PTR records do not need to match for the server. Forward DNS
 records (A, ) need to match.

  -screen[root@server ~]# iptables -A INPUT -p tcp --dport 389 -j
 ACCEPT/screen
 +screen[root@server ~]# firewalld -A INPUT -p tcp --dport 389 -j
 ACCEPT/screen
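Review bot: `firewalld -A INPUT -p tcp --dport 389 -j ACCEPT` is not a command that exists: firewalld is the daemon and takes no iptables-style arguments, so a reader who pastes this gets an error and an unopened port. The firewalld client is `firewall-cmd`; the equivalent is `firewall-cmd --permanent --add-port=389/tcp` followed by `firewall-cmd --reload`. Either use that form (and apply the same correction to every other `screen` block that was rewritten mechanically) or drop the literal command and refer to the firewalld documentation.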


 This is wrong. One cannot just replace iptables command with firewalld
 and hope it works. I would rather skip this command at all and just point
 to firewalld man page.

 And so on and so on.

 At this point I have realized that the same mistakes are in RHEL docs so
 it would be better to drop the patch and wait until RHEL docs are fixed.

 In future, please use IP address ranges reserved for documentation:
 IPv6: http://tools.ietf.org/html/rfc3849
 IPv4: http://tools.ietf.org/html/rfc5737

 It prevents people from screwing real networks when doing copy-paste.
 (This concern is well founded. Copy-paste mistakes in the past caused huge
 routing problems on public Internet.)

 Thank you for understanding - and have a nice day!

 --
 Petr^2 Spacek

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel

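Two of the review points in the quoted message, that a server host name may not contain underscores and that examples must use the documentation address ranges from RFC 5737 and RFC 3849, can be checked mechanically before a documentation patch is sent. The following is an added example, not code from this thread or from the FreeIPA project: it lints a snippet of documentation prose for both problems. `SAMPLE_DOC` is a constructed snippet written for this example, and the function names are my own.

```python
import ipaddress
import re

# Address blocks reserved for documentation (RFC 5737 for IPv4, RFC 3849 for IPv6).
DOC_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# One host name label per RFC 1123: letters, digits and hyphens only, no leading
# or trailing hyphen, at most 63 characters.  Underscore is deliberately absent.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Candidate tokens to inspect in prose.  Deliberately loose, so that bad names
# (underscores, leading hyphens) are captured and then rejected by the checks.
HOST_CANDIDATE_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9A-Fa-f]{1,4}:){2,}[0-9A-Fa-f:]*")


def is_valid_hostname(name: str) -> bool:
    """True if every label of the (optionally dot-terminated) name is a valid label."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_address(token: str):
    """Return an ipaddress object for the token, or None if it is not an IP address."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_documentation_address(token: str) -> bool:
    """True only for addresses inside the RFC 5737 / RFC 3849 documentation blocks."""
    ip = parse_address(token)
    return ip is not None and any(ip in net for net in DOC_NETWORKS)


def lint_doc(text: str):
    """Return (problem, token) pairs for bad host names and non-documentation IPs."""
    findings = []
    for m in HOST_CANDIDATE_RE.finditer(text):
        token = m.group()
        # Dotted IPv4 literals also match the host-name pattern; skip them here.
        if parse_address(token) is None and not is_valid_hostname(token):
            findings.append(("invalid hostname", token))
    for pattern in (IPV4_RE, IPV6_RE):
        for m in pattern.finditer(text):
            token = m.group()
            # Ignore colon runs such as clock times that are not real addresses.
            if parse_address(token) is not None and not is_documentation_address(token):
                findings.append(("non-documentation IP", token))
    return findings


# Constructed documentation snippet: one bad host name and one real-world address.
SAMPLE_DOC = """\
Install the first server as ipa.example.com (192.0.2.10, 2001:db8::10).
Do not name a server my_server.example.com; the second replica lives at 10.0.0.5.
The parent zone example.com must delegate ipa.example.com to the IPA servers.
"""

if __name__ == "__main__":
    for problem, token in lint_doc(SAMPLE_DOC):
        print(f"{problem}: {token}")
```

Run against `SAMPLE_DOC` it reports the underscored host name and the `10.0.0.5` address, and accepts `ipa.example.com`, `192.0.2.10` and `2001:db8::10`. The host-name pattern is intentionally wider than the label rule so that the checker sees and rejects bad names instead of silently skipping them.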

Re: [Freeipa-devel] [PATCH 0101, 106] Tests: host plugin (Allow to add host if AAAA record exists)

2014-08-11 Thread Petr Viktorin

On 08/07/2014 05:40 PM, Martin Basti wrote:

On 07/08/14 17:05, Martin Basti wrote:

On 07/08/14 16:27, Petr Viktorin wrote:

On 08/07/2014 02:33 PM, Martin Basti wrote:

On 28/07/14 14:11, Petr Viktorin wrote:

On 07/09/2014 06:29 PM, Martin Basti wrote:

Patch attached.
Ticket: https://fedorahosted.org/freeipa/ticket/4164



Looks & works fine for me.
Can you also add a test for this?



Tests attached.
I also added tests with --ip-address parameter.



This works, thanks!
I have some comments however:

Variables like `name5` can have more descriptive names, so that you
can look at the test definition and actually know what's being tested.

Some of the tests are independent (both in the sense that they don't
need the other tests to be run, and that they test a different thing
than the others); those can be in separate classes.


There are better things to do in IPA than making the tests perfect,
so ACK if you want to push this as is.


Please wait, I will fix the names then, it'll be fast.


Updated patch attached.



ACK, pushed to:
master: 4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-1: 4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-0: 2fa1555722ed875a32d3480ea08c5ad420a015a6


--
Petr³



Re: [Freeipa-devel] [PATCH] - Add DRM to IPA

2014-08-11 Thread Petr Viktorin

On 08/09/2014 01:36 AM, Rob Crittenden wrote:

Ade Lee wrote:

Attached is a new patch.  I believe I have addressed all the issues
raided by pviktori, edewata and rcrit.

Ar!

Please let me know if I missed something!

Incidentally, to get all this to work, you should use the latest Dogtag
10.2 build, which also contains a fix for pkidestroy that is not yet
merged in.  A COPR build is currently underway at:

http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/24804/


Some whitespace issues:

Applying: Add a DRM to IPA
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3774: trailing
whitespace.
 This relies on the DRM client to generate a wrapping key
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3292: new blank line
at EOF.
+
warning: 2 lines add whitespace errors.

I do hope you're planning on adding a minimum build dep at some point?

Still seeing AVCs during install:


time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1503): arch=c03e syscall=1
success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0
ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994
fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0
key=(null)
type=AVC msg=audit(1407539615.743:1503): avc:  denied  { setfscreate }
for  pid=12307 comm=cp scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process

time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1504): arch=c03e syscall=190
success=no exit=-13 a0=4 a1=7fff1caa8590 a2=210c8f0 a3=2d items=0
ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994
fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0
key=(null)
type=AVC msg=audit(1407539615.743:1504): avc:  denied  { relabelfrom }
for  pid=12307 comm=cp name=CS.cfg.bak.20140808191335 dev=dm-0
ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file

time->Fri Aug  8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.744:1505): arch=c03e syscall=88
success=no exit=-13 a0=7fffd3c0daa7 a1=7fffd3c0daea a2=0 a3=7fffd3c0b9b0
items=0 ppid=12121 pid=12308 auid=4294967295 uid=994 gid=993 euid=994
suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295
comm=ln exe=/usr/bin/ln subj=system_u:system_r:pki_tomcat_t:s0
key=(null)
type=AVC msg=audit(1407539615.744:1505): avc:  denied  { create } for
pid=12308 comm=ln name=CS.cfg.bak
scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file

The new estimated time was dead on :-)

There was a fairly long wait after Done configuring DRM server
(pki-tomcatd). and the install was done. I thought we always displayed
text when restarting (e.g. handled by the service wrapper) but I guess
not. It would be nice to know what is going on.

Re-running ipa-drm-install results in a scary error:

]# ipa-drm-install
Usage: ipa-drm-install [options] [replica_file]

ipa-drm-install: error: DRM is already installed.

Your system may be partly configured.
Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.


Right, you don't want to override handle_error here. Instead, wrap the 
body of run() in


try:
    ...  # the existing body of run() goes here
except:
    self.log.error(self.FAIL_MESSAGE)
    raise

(Yes, bare `except` and bare `raise`)

I used self.log.error() instead of print, because I think at least the 
"Your system may be partly configured." part of the FAIL_MESSAGE should 
end up in the log, not just on screen.



And now onto the code...

class drm

_create_pem_file isn't exactly descriptive and there is no method
documentation.

_setup. Just a nit: do you want to hardcode the port? I think I'd prefer
it come via the constructor and default to 443.

It may be worth beefing up the return value docs à la what John did in
the dogtag section. I notice, for example, you always return a tuple and
one value as None in store_secret. I assume there is a reason for that
but it isn't obvious. This happens elsewhere too.

Should the copyright dates on existing files be changed? I don't think
they should be, but I'm hardly an expert.

I just did a cursory look-see in the code and things generally looked
ok. I'm hoping Petr^3 will take a closer look.

rob



I also see a scary error I can't make heads or tails of when trying to 
install DRM on a replica:


$ sudo ipa-drm-install

Your system may be partly configured.
Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.

HTTPConnectionPool(host='localhost', port=8080):
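The AVC records Rob quotes above are the raw material for triaging an SELinux denial during an install: which domain was denied which permission on which type and object class. The following is an added example, not code from this thread, from FreeIPA or from Dogtag. It parses the records quoted above (copied from the message and re-joined one record per line, since the mail wraps them) into a summary keyed by source type, target type, object class and permission, and prints the allow rules that an audit2allow-style tool would derive from them. The function names are my own.

```python
import re
from collections import Counter

# The audit records quoted in Rob's message above, re-joined one per line.
# The SYSCALL record is kept to show that only AVC records are parsed.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1407539615.743:1503): arch=c03e syscall=1 success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1503): avc:  denied  { setfscreate } for  pid=12307 comm=cp scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
type=AVC msg=audit(1407539615.743:1504): avc:  denied  { relabelfrom } for  pid=12307 comm=cp name=CS.cfg.bak.20140808191335 dev=dm-0 ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1407539615.744:1505): avc:  denied  { create } for pid=12308 comm=ln name=CS.cfg.bak scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
"""

# Shape of an AVC record: the verdict and permission set are positional,
# everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context: str) -> str:
    """Extract the type field from user:role:type:level, e.g. pki_tomcat_t."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def summarize_denials(audit_text: str) -> Counter:
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key_base = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        for perm in rec["perms"]:
            counts[key_base + (perm,)] += 1
    return counts


def suggest_rules(counts: Counter):
    """Collapse the summary into allow rules in the form audit2allow prints them."""
    grouped = {}
    for source, target, tclass, perm in counts:
        grouped.setdefault((source, target, tclass), set()).add(perm)
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        perm_text = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT)
    for key, n in sorted(summary.items()):
        print(n, *key)
    print("\n".join(suggest_rules(summary)))
```

On the quoted records the summary shows that all three denials come from `pki_tomcat_t` while `cp` and `ln` make the `CS.cfg.bak` backup, with `setfscreate` and `relabelfrom` being consistent with `cp` trying to preserve the source file's context. Grouping by type pair and class like this is what makes the difference between a missing file-context entry for the backup path and a genuinely missing policy rule visible; the printed rules are a triage aid for that decision, not policy to load as-is.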