Re: [Freeipa-devel] invoking ipa-certupdate from within installer
On Mon, Aug 22, 2016 at 10:00:57AM +0200, Jan Cholasta wrote: > Hi, > > On 22.8.2016 09:37, Fraser Tweedale wrote: > > #6019 requires adding tracking requests for existing lightweight CAs > > as part of replica installation. ipa-certupdate has logic to do > > this. > > > > Before I go ahead and implement, there are a few approaches I want > > to mention and seek feedback from team members before I commit to > > one. > > > > 1. invoke ipa-certupdate as a subprocess, from > > CAInstance.configure_replica. This is the simplest approach. Not > > much else to say about it, really :) > > > > 2. invoke ipa-certupdate's main() from the installer. This is > > slightly more work because currently it would fail due to API > > already having been initialised. > > > > 3. extract all logic for adding tracking requests such that it can > > be invoked separately; then refactor ipa-certupdate to call it as > > well as calling it from CAInstance.configure_replica. This is the > > most work. > > > > I lean towards (1) or (3). If you wish it to be done a certain way > > say your piece. > > (4) Extract the relevant code from ipa-certupdate into a separate function > and call it from CAInstance.configure_replica(). > > I would not go with (1) or (2) because it does more than track the certs. I > would also not go with (3) because it requires extensive changes not > suitable for 4.4. > (4) is exactly what I meant in (3) - (I was too vague). (3/4) it is. Thanks for input. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] invoking ipa-certupdate from within installer
Hi, On 22.8.2016 09:37, Fraser Tweedale wrote: #6019 requires adding tracking requests for existing lightweight CAs as part of replica installation. ipa-certupdate has logic to do this. Before I go ahead and implement, there are a few approaches I want to mention and seek feedback from team members before I commit to one. 1. invoke ipa-certupdate as a subprocess, from CAInstance.configure_replica. This is the simplest approach. Not much else to say about it, really :) 2. invoke ipa-certupdate's main() from the installer. This is slightly more work because currently it would fail due to API already having been initialised. 3. extract all logic for adding tracking requests such that it can be invoked separately; then refactor ipa-certupdate to call it as well as calling it from CAInstance.configure_replica. This is the most work. I lean towards (1) or (3). If you wish it to be done a certain way say your piece. (4) Extract the relevant code from ipa-certupdate into a separate function and call it from CAInstance.configure_replica(). I would not go with (1) or (2) because it does more than track the certs. I would also not go with (3) because it requires extensive changes not suitable for 4.4. Thanks, Fraser Honza -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] invoking ipa-certupdate from within installer
#6019 requires adding tracking requests for existing lightweight CAs as part of replica installation. ipa-certupdate has logic to do this. Before I go ahead and implement, there are a few approaches I want to mention and seek feedback from team members before I commit to one. 1. invoke ipa-certupdate as a subprocess, from CAInstance.configure_replica. This is the simplest approach. Not much else to say about it, really :) 2. invoke ipa-certupdate's main() from the installer. This is slightly more work because currently it would fail due to API already having been initialised. 3. extract all logic for adding tracking requests such that it can be invoked separately; then refactor ipa-certupdate to call it as well as calling it from CAInstance.configure_replica. This is the most work. I lean towards (1) or (3). If you wish it to be done a certain way say your piece. Thanks, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
