Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Tue, 2011-10-18 at 15:29 +0200, Martin Kosek wrote:
> On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
> > On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > > > ipa.init was removed from the git, but it was never moved to
> > > > init/SystemV/.
> > > It should have been moved (rm+new file). I'll check what's happening
> > > there, maybe Simo's patch omitted that one?
> > >
> > > http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current
> > > scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1
> > > git tree + systemd patch.
> > I did another rebase and current version of systemd support for
> > ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
> > http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
> >
>
> Yep, ipa.init is now correctly moved and I was able to compile ipa on
> both F-15 and F-16. I still have few question/issues:
>
> 1) When ipa is not configured, it is ok that ipa.service status returns
> error. However, I still got ipa.service status error after the ipa was
> configured:
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> Main PID: 18499 (code=exited, status=6)
> CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
>
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
> [1/2]: stopping directory server
> [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==
> Setup complete
>
> Next steps:
> 1. You must make sure these network ports are open:
> TCP Ports:
> * 80, 443: HTTP/HTTPS
> * 389, 636: LDAP/LDAPS
> * 88, 464: kerberos
> UDP Ports:
> * 88, 464: kerberos
> * 123: ntp
>
> 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> Main PID: 18499 (code=exited, status=6)
> CGroup: name=systemd:/system/ipa.service
>
>
>
> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: STOPPED
> HTTP Service: RUNNING
> CA Service: STOPPED
>
> When I restarted the ipa service, everything was OK including the status
> I mentioned in my previous mail:
>
> # systemctl restart ipa.service
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min
> 41s ago
> Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited,
> status=0/SUCCESS)
> CGroup: name=systemd:/system/ipa.service
>
>
> Martin
>

Ok, final ACK :-)

On Friday and today I did a final set of sanity tests for both branches on F-15 and F-16. Minor issues found during the review were fixed by Alexander and integrated to the patches.

There is just one pending issue I found - name server cannot talk to dirsrv on F-16 due to changes in SELinux policy. It is being tracked here:

https://bugzilla.redhat.com/show_bug.cgi?id=748366

SELinux guys accepted the issue and it is being worked on.

Pushed to master, ipa-2-1. Good job!

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Tue, 18 Oct 2011, Martin Kosek wrote:
> 1) When ipa is not configured, it is ok that ipa.service status returns
> error. However, I still got ipa.service status error after the ipa was
> configured:
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> Main PID: 18499 (code=exited, status=6)
> CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
>
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
> [1/2]: stopping directory server
> [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==
> Setup complete
>
> Next steps:
> 1. You must make sure these network ports are open:
> TCP Ports:
> * 80, 443: HTTP/HTTPS
> * 389, 636: LDAP/LDAPS
> * 88, 464: kerberos
> UDP Ports:
> * 88, 464: kerberos
> * 123: ntp
>
> 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> Main PID: 18499 (code=exited, status=6)
> CGroup: name=systemd:/system/ipa.service

We were discussing with Simo yesterday that perhaps we need to do restart of ipa.service (on systemd platform only) explicitly after ipa-server-install. Right now the last action we do is ipa.enable(), i.e. just enable ipa.service. As all services were started before during ipa-server-install, we deemed not needed to do any restart in System V case.

systemd, however, detects status based on its own tracking of events and there is no way to report status of the service other than systemd's internal state. So we might do implicit restart of ipa.service at the end of install. That would be another 5-10 seconds delay depending on the hardware.

> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):

This might be related as well -- I've seen multiple times when ipa_kpasswd didn't start after ipa-server-install but works after restart.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Tue, 2011-10-18 at 15:48 +0300, Alexander Bokovoy wrote:
> On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > > ipa.init was removed from the git, but it was never moved to
> > > init/SystemV/.
> > It should have been moved (rm+new file). I'll check what's happening
> > there, maybe Simo's patch omitted that one?
> >
> > http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current
> > scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1
> > git tree + systemd patch.
> I did another rebase and current version of systemd support for
> ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
>

Yep, ipa.init is now correctly moved and I was able to compile ipa on both F-15 and F-16. I still have few question/issues:

1) When ipa is not configured, it is ok that ipa.service status returns error. However, I still got ipa.service status error after the ipa was configured:

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
Main PID: 18499 (code=exited, status=6)
CGroup: name=systemd:/system/ipa.service
# /usr/sbin/ipactl status
IPA is not configured (see man pages of ipa-server-install for help)

# ipa-server-install
...
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
==
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
Main PID: 18499 (code=exited, status=6)
CGroup: name=systemd:/system/ipa.service

2) ipactl shows stopped dirsrv and CA service even though they should be up (cert-show command worked):

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: STOPPED
HTTP Service: RUNNING
CA Service: STOPPED

When I restarted the ipa service, everything was OK including the status I mentioned in my previous mail:

# systemctl restart ipa.service
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
Active: active (exited) since Tue, 18 Oct 2011 09:18:32 -0400; 2min 41s ago
Process: 20069 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/ipa.service

Martin
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Tue, 2011-10-18 at 14:27 +0300, Alexander Bokovoy wrote:
> On Tue, 18 Oct 2011, Martin Kosek wrote:
> > ipa.init was removed from the git, but it was never moved to
> > init/SystemV/.
> It should have been moved (rm+new file). I'll check what's happening
> there, maybe Simo's patch omitted that one?

Can certainly be my mistake during the rebase. Patches didn't apply cleanly so I had to add all new files manually again to the patch. Maybe I missed ipa.init as it was moved ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Tue, 18 Oct 2011, Alexander Bokovoy wrote:
> > ipa.init was removed from the git, but it was never moved to
> > init/SystemV/.
> It should have been moved (rm+new file). I'll check what's happening
> there, maybe Simo's patch omitted that one?
>
> http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current
> scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1
> git tree + systemd patch.

I did another rebase and current version of systemd support for ipa-2-1 is in systemd-ipa-2-1 branch of my tree:
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Tue, 18 Oct 2011, Martin Kosek wrote:
> I tested our most recent master with simo's rebased patch and your patch
> 0004-Spin-for-connection-success-also-when-socket-is-not-.patch. It
> looks very good, I hit just few issues:
>
> 1) ipa service reports inactive (dead) status even though LDAP server is
> running:
>
> systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> Active: inactive (dead) since Mon, 17 Oct 2011 10:21:30 -0400; 15s ago
> Process: 25194 ExecStop=/usr/sbin/ipactl stop (code=exited,
> status=0/SUCCESS)
> Process: 25173 ExecStart=/usr/sbin/ipactl start (code=exited,
> status=0/SUCCESS)
> CGroup: name=systemd:/system/ipa.service
>
> Maybe we should return "active" status when dirsrv is running?

We can't. This is systemd's status which we can't influence. And you have stopped the service so it is properly showing it as 'inactive'. I still need to investigate such cases as in correct situation it should be:

ipa.service - Identity, Policy, Audit
Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
Active: active (exited) since Mon, 17 Oct 2011 07:03:17 -0400; 24h ago
Process: 956 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/ipa.service

Note that you have ExecStop for process 25194 (which is newer than 25173) -- which means you have stopped ipa.service yourself. It should have stopped dirsrv.target, though.

Here is how it looks if I issue 'systemctl stop ipa.service':

ipa.service - Identity, Policy, Audit
Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
Active: inactive (dead) since Tue, 18 Oct 2011 07:24:30 -0400; 1s ago
Process: 11004 ExecStop=/usr/sbin/ipactl stop (code=exited, status=0/SUCCESS)
Process: 956 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/ipa.service

And for dirsrv.target after that:

# systemctl status dirsrv.target
dirsrv.target - 389 Directory Server
Loaded: loaded (/lib/systemd/system/dirsrv.target; disabled)
Active: inactive (dead)

> 2) I wasn't able to build IPA on F-15 after the patches were applied:
> $ make rpms
> ...
> + install -m755
> init/SystemV/ipa.init
> /home/mkosek/freeipa/rpmbuild/BUILDROOT/freeipa-2.99.0GITb607c5c-0.fc15.x86_64/etc/rc.d/init.d/ipa
> install: cannot stat `init/SystemV/ipa.init': No such file or directory
> error: Bad exit status from /var/tmp/rpm-tmp.nwbRUX (%install)
>
> ipa.init was removed from the git, but it was never moved to
> init/SystemV/.

It should have been moved (rm+new file). I'll check what's happening there, maybe Simo's patch omitted that one?

http://koji.fedoraproject.org/koji/taskinfo?taskID=3437275 is current scratch build of 2.1 for F-16. It is 2.1.2+diff up to current ipa-2-1 git tree + systemd patch.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Simo Sorce wrote:
> > > > Attached a rebased patch with the modifications needed to apply it on
> > > > master.
> > > >
> > > > Everything seems to work on master but I haven't tested ipa-2-1 so this
> > > > is a partial ACK of the original patch as well.
> > >
> > > A bit of bad news, I restarted the machine and I am having issue
> > > properly restarting services.
> > > This patch is still better than nothing as otherwise nothing works at
> > > all on f16, but we need to work out why starting services is unreliable.
> >
> > Ok found the issue and it is a bug in the conversion to systemd.
> > I opened ticket #1990 for this.
> >
> > Attached find a rebased patch that fixes enough of the bug to let the
> > server work (the keytab part), but it doesn't address the ulimit part.
> KRB5_KTNAME was missing but LimitNOFile is available -- it is now
> modified in dirsrv@.service file directly. The code in
> ipapython/platform/fedora16.py goes to a great length to enable that
> by copying file to /etc/systemd/system, modifying the config, and
> relinking all dirsrv instances to it. That's how systemd is organized.
>
> Now, I think I found actual issue preventing proper restarts.
> wait_for_socket() only considered 'connection refused' as valid error
> when unable to connect and waiting up until timeout is gone.
> Unfortunately, directory services start a bit slower than we had hoped
> and by the time we attempt to connect to local AF_UNIX socket, there
> is no actual socket on file system yet so we get:
>
> Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory
> Service: Unknown error when retrieving list of services from LDAP:
> [Errno 2] No such file or directory
> Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
> Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
>
> After applying attached patch I now have fully working FreeIPA 2.1 git
> on Fedora 16.
>

Hi Alexander,

I tested our most recent master with simo's rebased patch and your patch 0004-Spin-for-connection-success-also-when-socket-is-not-.patch. It looks very good, I hit just few issues:

1) ipa service reports inactive (dead) status even though LDAP server is running:

systemctl status ipa.service
ipa.service - Identity, Policy, Audit
Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
Active: inactive (dead) since Mon, 17 Oct 2011 10:21:30 -0400; 15s ago
Process: 25194 ExecStop=/usr/sbin/ipactl stop (code=exited, status=0/SUCCESS)
Process: 25173 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/ipa.service

Maybe we should return "active" status when dirsrv is running?

2) I wasn't able to build IPA on F-15 after the patches were applied:

$ make rpms
...
+ install -m755 init/SystemV/ipa.init /home/mkosek/freeipa/rpmbuild/BUILDROOT/freeipa-2.99.0GITb607c5c-0.fc15.x86_64/etc/rc.d/init.d/ipa
install: cannot stat `init/SystemV/ipa.init': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.nwbRUX (%install)

ipa.init was removed from the git, but it was never moved to init/SystemV/.

Martin
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Mon, 2011-10-17 at 14:21 +0300, Alexander Bokovoy wrote:
> On Fri, 14 Oct 2011, Simo Sorce wrote:
> > > > Attached a rebased patch with the modifications needed to apply it on
> > > > master.
> > > >
> > > > Everything seems to work on master but I haven't tested ipa-2-1 so this
> > > > is a partial ACK of the original patch as well.
> > >
> > > A bit of bad news, I restarted the machine and I am having issue
> > > properly restarting services.
> > > This patch is still better than nothing as otherwise nothing works at
> > > all on f16, but we need to work out why starting services is unreliable.
> >
> > Ok found the issue and it is a bug in the conversion to systemd.
> > I opened ticket #1990 for this.
> >
> > Attached find a rebased patch that fixes enough of the bug to let the
> > server work (the keytab part), but it doesn't address the ulimit part.
> KRB5_KTNAME was missing but LimitNOFile is available -- it is now
> modified in dirsrv@.service file directly. The code in
> ipapython/platform/fedora16.py goes to a great length to enable that
> by copying file to /etc/systemd/system, modifying the config, and
> relinking all dirsrv instances to it. That's how systemd is organized.
>
> Now, I think I found actual issue preventing proper restarts.
> wait_for_socket() only considered 'connection refused' as valid error
> when unable to connect and waiting up until timeout is gone.
> Unfortunately, directory services start a bit slower than we had hoped
> and by the time we attempt to connect to local AF_UNIX socket, there
> is no actual socket on file system yet so we get:
>
> Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory
> Service: Unknown error when retrieving list of services from LDAP:
> [Errno 2] No such file or directory
> Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
> Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service
>
> After applying attached patch I now have fully working FreeIPA 2.1 git
> on Fedora 16.

ACK, fixes my startup issue as well.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
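The retry behaviour quoted above (keep trying the local AF_UNIX socket on both "connection refused" and "no such file or directory" until a timeout passes), as an added Python 3 example. It is not the FreeIPA code and not part of any message in this thread; the function name wait_for_unix_socket, the socket file name and the late-starting demo listener are assumptions made for illustration.

```python
import errno
import os
import socket
import tempfile
import threading
import time

# Errors that mean "the server is not up yet" for a local AF_UNIX socket:
#   ENOENT       (errno 2):   the socket path has not been created yet
#   ECONNREFUSED (errno 111): the path exists but nothing is accepting on it
RETRYABLE = (errno.ENOENT, errno.ECONNREFUSED)


def wait_for_unix_socket(path, timeout=10.0, interval=0.1):
    """Block until connect() to the AF_UNIX socket at `path` succeeds.

    Returns the number of connection attempts that were needed. Re-raises
    the last OSError once `timeout` seconds have passed, and immediately
    for any error that is not in RETRYABLE (waiting cannot fix those).
    The wait is always bounded: there is no "spin forever" mode.
    """
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.connect(path)
            return attempts
        except OSError as e:
            if e.errno not in RETRYABLE:
                raise
            if time.monotonic() >= deadline:
                raise
        finally:
            s.close()
        time.sleep(interval)


def demo_slow_server(delay=0.5):
    """Constructed scenario: a listener whose socket file appears late.

    Stands in for a directory server that is still starting when the
    caller first probes its socket. Returns the attempt count.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "slapd-EXAMPLE.socket")  # constructed name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)

    def late_start():
        time.sleep(delay)   # until here the client sees ENOENT
        srv.bind(path)      # between bind and listen: ECONNREFUSED
        srv.listen(1)

    t = threading.Thread(target=late_start, daemon=True)
    t.start()
    try:
        return wait_for_unix_socket(path, timeout=5.0, interval=0.1)
    finally:
        t.join()
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("connected after", demo_slow_server(), "attempts")
```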
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Fri, 14 Oct 2011, Simo Sorce wrote:
> > > Attached a rebased patch with the modifications needed to apply it on
> > > master.
> > >
> > > Everything seems to work on master but I haven't tested ipa-2-1 so this
> > > is a partial ACK of the original patch as well.
> >
> > A bit of bad news, I restarted the machine and I am having issue
> > properly restarting services.
> > This patch is still better than nothing as otherwise nothing works at
> > all on f16, but we need to work out why starting services is unreliable.
>
> Ok found the issue and it is a bug in the conversion to systemd.
> I opened ticket #1990 for this.
>
> Attached find a rebased patch that fixes enough of the bug to let the
> server work (the keytab part), but it doesn't address the ulimit part.

KRB5_KTNAME was missing but LimitNOFile is available -- it is now modified in dirsrv@.service file directly. The code in ipapython/platform/fedora16.py goes to a great length to enable that by copying file to /etc/systemd/system, modifying the config, and relinking all dirsrv instances to it. That's how systemd is organized.

Now, I think I found actual issue preventing proper restarts. wait_for_socket() only considered 'connection refused' as valid error when unable to connect and waiting up until timeout is gone. Unfortunately, directory services start a bit slower than we had hoped and by the time we attempt to connect to local AF_UNIX socket, there is no actual socket on file system yet so we get:

Oct 17 06:48:36 vm-114 ipactl[954]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 2] No such file or directory
Oct 17 06:48:36 vm-114 ipactl[954]: Shutting down
Oct 17 06:48:36 vm-114 ipactl[954]: Starting Directory Service

After applying attached patch I now have fully working FreeIPA 2.1 git on Fedora 16.

--
/ Alexander Bokovoy

>From cb5583ad8023d87fdbf863cd65032d0f11108bc0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Mon, 17 Oct 2011 14:17:07 +0300 Subject: [PATCH 4/4] Spin for connection success also when socket is not (yet) available We were spinning for socket connection if attempt to connect returned errno 111 (connection refused). However, it is not enough for local AF_UNIX sockets as heavy applications might not be able to start yet and therefore the whole path might be missing. So spin for errno 2 (no such file or directory) as well. Partial fix for https://fedorahosted.org/freeipa/ticket/1990 --- ipaserver/install/installutils.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 5cfc8f0376e25d9eb25206d54ac5bbea47aca9b2..0a36c354e1d2f901bfdef51c151d035ba8ee64ca 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -507,7 +507,7 @@ def wait_for_open_socket(socket_name, timeout=0): s.close() break; except socket.error, e: -if e.errno == 111: # 111: Connection refused +if e.errno in (2,111): # 111: Connection refused, 2: File not found if timeout and time.time() > op_timeout: # timeout exceeded raise e time.sleep(1) -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
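Review bot: In the except socket.error branch of wait_for_open_socket(), adding errno 2 to the retry set means a mistyped or never-created socket path now spins forever when the caller keeps the default timeout=0, because the "if timeout and time.time() > op_timeout" guard is skipped in that case. Consider requiring a finite timeout for this path, or at least logging while waiting, so a wrong socket_name fails visibly instead of hanging the caller. The bare numbers would also read better as errno.ENOENT and errno.ECONNREFUSED, which makes the trailing comment unnecessary.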
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Fri, 2011-10-14 at 16:14 -0400, Simo Sorce wrote:
> On Fri, 2011-10-14 at 13:56 -0400, Simo Sorce wrote:
> > On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
> > > On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> > > > rebased, updated package dependencies, and verified against
> > > > Fedora 16+updates-testing.
> > > >
> > > > This patch is for ipa-2-1 branch. I need to do few cosmetic changes in
> > > > freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd
> > > > is gone there.
> > > Forgot to add that altogether this patch fixes:
> > >
> > > https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
> > > https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
> > > https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if
> > > it was missing from the configuration file
> > >
> > > The latter one is integrated within the systemd patch because the same
> > > function is re-used for editing systemd service files and
> > > /etc/sysconfig/krb5kdc and it simply makes little sense to separate
> > > them as without editing systemd services for dirsrv, one cannot start
> > > dirsrv with number of file descriptors required by IPA defaults, and
> > > krb5kdc configuration should be written properly before krb5kdc is
> > > started as its systemd service unit uses parameters from the
> > > configuration file.
> >
> > Attached a rebased patch with the modifications needed to apply it on
> > master.
> >
> > Everything seems to work on master but I haven't tested ipa-2-1 so this
> > is a partial ACK of the original patch as well.
>
> A bit of bad news, I restarted the machine and I am having issue
> properly restarting services.
> This patch is still better than nothing as otherwise nothing works at
> all on f16, but we need to work out why starting services is unreliable.

Ok found the issue and it is a bug in the conversion to systemd.
I opened ticket #1990 for this.
Attached find a rebased patch that fixes enough of the bug to let the server work (they keytab part), but it doesn't address the ulimit part. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 60258f377a702c4fbf022dacc10e3d463be35618 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 10 Oct 2011 15:25:15 +0300 Subject: [PATCH] Add support for systemd environments and use it to support Fedora 16 https://fedorahosted.org/freeipa/ticket/1192 --- Makefile |2 +- freeipa.spec.in | 75 ++- init/systemd/ipa.service | 14 +++ install/tools/ipactl | 12 ++- ipa.init | 40 ipapython/config.py |2 +- ipapython/platform/base.py | 14 ++-- ipapython/platform/fedora16.py | 113 + ipapython/platform/redhat.py | 12 +- ipapython/platform/systemd.py| 204 ++ ipaserver/install/cainstance.py |4 +- ipaserver/install/dsinstance.py |6 +- ipaserver/install/krbinstance.py |2 +- 13 files changed, 437 insertions(+), 63 deletions(-) create mode 100644 init/systemd/ipa.service delete mode 100755 ipa.init create mode 100644 ipapython/platform/fedora16.py create mode 100644 ipapython/platform/systemd.py diff --git a/Makefile b/Makefile index 585c6fe1181e44906c05a67a317d66eb4eee445a..a024dea32d00ebedc47f4262f79defc2790aeebd 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ PRJ_PREFIX=freeipa RPMBUILD ?= $(PWD)/rpmbuild TARGET ?= master -SUPPORTED_PLATFORM=redhat +SUPPORTED_PLATFORM ?= redhat # After updating the version in VERSION you should run the version-update # target. diff --git a/freeipa.spec.in b/freeipa.spec.in index 95f09d11a98c846b5f71b7892dbd779b85e8207b..c306c2bbce22784093fcdc2624ac713099863270 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -24,10 +24,17 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} +%if 0%{?fedora} >= 16 +BuildRequires: 389-ds-base-devel >= 1.2.10 +%else BuildRequires: 389-ds-base-devel >= 1.2.9 +%endif BuildRequires: svrcore-devel BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} +%if 0%{?fedora} >= 16 +BuildRequires: systemd-units +%endif %endif BuildRequires: nspr-devel BuildRequires: nss-devel @@ -89,7 +96,11 @@ Requires(pre): 389-ds-base >= 1.2.10-0.4.a4 Requires: openldap-clients Requires: nss Requires: nss-tools +%if 0%{?fedora} >= 16 +Requires: krb5-server >= 1.9.1-15 +%else Requires: krb5-server +%endif Requires: krb5-server-ldap Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} @@ -102,6 +113,11 @@ Requires: python-ldap Requires: python-krbV Requires: acl Requires: python-pyasn1 >= 0.0.9a +%if 0%{?fedora} >= 16 +Requires: systemd-units >= 36-3 +Requires(pre): systemd-units +Requires(post): systemd-uni
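Review bot: The Fedora 16 version floors added in the freeipa.spec.in hunks (389-ds-base-devel >= 1.2.10, krb5-server >= 1.9.1-15, systemd-units >= 36-3) carry no comment saying which fix or feature each minimum version provides. A one-line comment above each new %if 0%{?fedora} >= 16 block would tell a later packager why the floor exists and when the conditional can be dropped.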
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Fri, 2011-10-14 at 13:56 -0400, Simo Sorce wrote:
> On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
> > On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> > > rebased, updated package dependencies, and verified against
> > > Fedora 16+updates-testing.
> > >
> > > This patch is for ipa-2-1 branch. I need to do few cosmetic changes in
> > > freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd
> > > is gone there.
> > Forgot to add that altogether this patch fixes:
> >
> > https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
> > https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
> > https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it
> > was missing from the configuration file
> >
> > The latter one is integrated within the systemd patch because the same
> > function is re-used for editing systemd service files and
> > /etc/sysconfig/krb5kdc and it simply makes little sense to separate
> > them as without editing systemd services for dirsrv, one cannot start
> > dirsrv with number of file descriptors required by IPA defaults, and
> > krb5kdc configuration should be written properly before krb5kdc is
> > started as its systemd service unit uses parameters from the
> > configuration file.
>
> Attached a rebased patch with the modifications needed to apply it on
> master.
>
> Everything seems to work on master but I haven't tested ipa-2-1 so this
> is a partial ACK of the original patch as well.

A bit of bad news, I restarted the machine and I am having issue properly restarting services.
This patch is still better than nothing as otherwise nothing works at all on f16, but we need to work out why starting services is unreliable.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Mon, 2011-10-10 at 17:07 +0300, Alexander Bokovoy wrote:
> On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> > rebased, updated package dependencies, and verified against
> > Fedora 16+updates-testing.
> >
> > This patch is for ipa-2-1 branch. I need to do few cosmetic changes in
> > freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd
> > is gone there.
> Forgot to add that altogether this patch fixes:
>
> https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
> https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
> https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it
> was missing from the configuration file
>
> The latter one is integrated within the systemd patch because the same
> function is re-used for editing systemd service files and
> /etc/sysconfig/krb5kdc and it simply makes little sense to separate
> them as without editing systemd services for dirsrv, one cannot start
> dirsrv with number of file descriptors required by IPA defaults, and
> krb5kdc configuration should be written properly before krb5kdc is
> started as its systemd service unit uses parameters from the
> configuration file.

Attached a rebased patch with the modifications needed to apply it on master.

Everything seems to work on master but I haven't tested ipa-2-1 so this is a partial ACK of the original patch as well.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From 59bc35c496b4a6444e168d68da2a7c8c1508dc2a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Mon, 10 Oct 2011 15:25:15 +0300 Subject: [PATCH] Add support for systemd environments and use it to support Fedora 16 https://fedorahosted.org/freeipa/ticket/1192 --- Makefile|2 +- freeipa.spec.in | 75 ++- init/systemd/ipa.service| 14 +++ install/tools/ipactl| 12 ++- ipa.init| 40 ipapython/config.py |2 +- ipapython/platform/base.py | 14 ++-- ipapython/platform/fedora16.py | 113 + ipapython/platform/redhat.py| 12 +- ipapython/platform/systemd.py | 204 +++ ipaserver/install/cainstance.py |4 +- ipaserver/install/dsinstance.py |6 +- 12 files changed, 436 insertions(+), 62 deletions(-) create mode 100644 init/systemd/ipa.service delete mode 100755 ipa.init create mode 100644 ipapython/platform/fedora16.py create mode 100644 ipapython/platform/systemd.py diff --git a/Makefile b/Makefile index 585c6fe1181e44906c05a67a317d66eb4eee445a..a024dea32d00ebedc47f4262f79defc2790aeebd 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ PRJ_PREFIX=freeipa RPMBUILD ?= $(PWD)/rpmbuild TARGET ?= master -SUPPORTED_PLATFORM=redhat +SUPPORTED_PLATFORM ?= redhat # After updating the version in VERSION you should run the version-update # target. diff --git a/freeipa.spec.in b/freeipa.spec.in index 95f09d11a98c846b5f71b7892dbd779b85e8207b..c306c2bbce22784093fcdc2624ac713099863270 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -24,10 +24,17 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} +%if 0%{?fedora} >= 16 +BuildRequires: 389-ds-base-devel >= 1.2.10 +%else BuildRequires: 389-ds-base-devel >= 1.2.9 +%endif BuildRequires: svrcore-devel BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} +%if 0%{?fedora} >= 16 +BuildRequires: systemd-units +%endif %endif BuildRequires: nspr-devel BuildRequires: nss-devel 
@@ -89,7 +96,11 @@ Requires(pre): 389-ds-base >= 1.2.10-0.4.a4 Requires: openldap-clients Requires: nss Requires: nss-tools +%if 0%{?fedora} >= 16 +Requires: krb5-server >= 1.9.1-15 +%else Requires: krb5-server +%endif Requires: krb5-server-ldap Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} @@ -102,6 +113,11 @@ Requires: python-ldap Requires: python-krbV Requires: acl Requires: python-pyasn1 >= 0.0.9a +%if 0%{?fedora} >= 16 +Requires: systemd-units >= 36-3 +Requires(pre): systemd-units +Requires(post): systemd-units +%endif %if 0%{?fedora} >= 15 Requires: selinux-policy >= 3.9.16-18 %else @@ -109,6 +125,12 @@ Requires: selinux-policy >= 3.9.7-27 %endif Requires(post): selinux-policy-base Requires: slapi-nis >= 0.21 +%if 0%{?fedora} >= 16 +Requires: pki-ca >= 9.0.15 +Requires: pki-silent >= 9.0.15 +# Only tomcat6 greater than this version provides proper systemd support +Requires: tomcat6 >= 6.0.32-17 +%else %if 0%{?fedora} >= 15 Requires: pki-ca >= 9.0.15 Requires: pki-silent >= 9.0.15 @@ -117,13 +139,19 @@ Requires: pki-setup >= 9.0.15 Requires: pki-ca >= 9.0.5 Requires: pki-silent >= 9.0.5 %endif +%endif Requires: dogtag-pki-common-theme Requires: dogtag-pki-ca-theme %if 0%{?rhel} Requires: subscription-manager %endif +%if 0%{?fedora} >= 16 +Requir
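Review bot: The file summary of this rebased version lists `delete mode 100755 ipa.init` and creates nothing under `init/SystemV/`, while the ipa-2-1 version of the same patch records `rename ipa.init => init/SystemV/ipa.init (100%)`. As posted, a non-systemd build would lose its init script. Regenerate the patch with rename detection, or add `init/SystemV/ipa.init` explicitly, so the move is carried by the change itself.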
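Review bot: The version floors added for Fedora 16 in the `krb5-server >= 1.9.1-15` and `systemd-units >= 36-3` blocks have no explanation, unlike the `tomcat6 >= 6.0.32-17` line, which carries a comment saying why that build is needed. Add a one-line comment (or a ticket reference) above each so that whoever next touches the spec can tell whether the floor is still required.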
Re: [Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
On Mon, 10 Oct 2011, Alexander Bokovoy wrote:
> rebased, updated package dependencies, and verified against
> Fedora 16+updates-testing.
>
> This patch is for ipa-2-1 branch. I need to do a few cosmetic changes in
> freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd
> is gone there.

Forgot to add that altogether this patch fixes:

https://fedorahosted.org/freeipa/ticket/1192 -- support systemd
https://fedorahosted.org/freeipa/ticket/1651 -- update F16 dependencies
https://fedorahosted.org/freeipa/ticket/1871 -- not setting HOSTNAME if it was missing from the configuration file

The latter one is integrated within the systemd patch because the same function is re-used for editing systemd service files and /etc/sysconfig/krb5kdc and it simply makes little sense to separate them as without editing systemd services for dirsrv, one cannot start dirsrv with the number of file descriptors required by IPA defaults, and krb5kdc configuration should be written properly before krb5kdc is started as its systemd service unit uses parameters from the configuration file.

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
Hi,

rebased, updated package dependencies, and verified against Fedora 16+updates-testing.

This patch is for ipa-2-1 branch. I need to do a few cosmetic changes in freeipa.spec.in to accommodate it to 3.0 (master branch) as ipa_kpasswd is gone there.

--
/ Alexander Bokovoy

>From f71e9d5f59de43293b4162c933502fd80e5d3aa3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 10 Oct 2011 15:25:15 +0300 Subject: [PATCH] Add support for systemd environments and use it to support Fedora 16 https://fedorahosted.org/freeipa/ticket/1192 --- Makefile |2 +- freeipa.spec.in | 77 ++- ipa.init => init/SystemV/ipa.init |0 init/systemd/ipa.service | 14 +++ init/systemd/ipa_kpasswd.service | 10 ++ install/tools/ipactl | 12 ++- ipapython/config.py |2 +- ipapython/ipautil.py | 90 ipapython/platform/base.py| 14 ++-- ipapython/platform/fedora16.py| 113 ipapython/platform/redhat.py | 61 ++- ipapython/platform/systemd.py | 204 + ipaserver/install/cainstance.py |4 +- ipaserver/install/dsinstance.py |6 +- ipaserver/install/krbinstance.py | 30 ++ 15 files changed, 552 insertions(+), 87 deletions(-) rename ipa.init => init/SystemV/ipa.init (100%) create mode 100644 init/systemd/ipa.service create mode 100644 init/systemd/ipa_kpasswd.service create mode 100644 ipapython/platform/fedora16.py create mode 100644 ipapython/platform/systemd.py diff --git a/Makefile b/Makefile index 9d8802587f9fa1130271d3824667d83b637ac9ee..3cd08e2e9dd6b65ae9ad82af08cc68979048b6cd 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ PRJ_PREFIX=freeipa RPMBUILD ?= $(PWD)/rpmbuild TARGET ?= master -SUPPORTED_PLATFORM=redhat +SUPPORTED_PLATFORM ?= redhat # After updating the version in VERSION you should run the version-update # target. diff --git a/freeipa.spec.in b/freeipa.spec.in index ed88e445aeb1783ea2011dc6ad62b5e3bf05db8e..927ec1cd839b1a2b2947f28ce754e98c2600b70d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in
@@ -24,10 +24,17 @@ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} +%if 0%{?fedora} >= 16 +BuildRequires: 389-ds-base-devel >= 1.2.10 +%else BuildRequires: 389-ds-base-devel >= 1.2.9 +%endif BuildRequires: svrcore-devel BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} +%if 0%{?fedora} >= 16 +BuildRequires: systemd-units +%endif %endif BuildRequires: nspr-devel BuildRequires: nss-devel @@ -85,11 +92,19 @@ Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-server-selinux = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(pre): 389-ds-base >= 1.2.10-0.1.a1 +%else Requires(pre): 389-ds-base >= 1.2.9.7-1 +%endif Requires: openldap-clients Requires: nss Requires: nss-tools +%if 0%{?fedora} >= 16 +Requires: krb5-server >= 1.9.1-15 +%else Requires: krb5-server +%endif Requires: krb5-server-ldap Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} @@ -102,6 +117,11 @@ Requires: python-ldap Requires: python-krbV Requires: acl Requires: python-pyasn1 >= 0.0.9a +%if 0%{?fedora} >= 16 +Requires: systemd-units >= 36-3 +Requires(pre): systemd-units +Requires(post): systemd-units +%endif %if 0%{?fedora} >= 15 Requires: selinux-policy >= 3.9.16-18 %else @@ -109,6 +129,12 @@ Requires: selinux-policy >= 3.9.7-27 %endif Requires(post): selinux-policy-base Requires: slapi-nis >= 0.21 +%if 0%{?fedora} >= 16 +Requires: pki-ca >= 9.0.15 +Requires: pki-silent >= 9.0.15 +# Only tomcat6 greater than this version provides proper systemd support +Requires: tomcat6 >= 6.0.32-17 +%else %if 0%{?fedora} >= 15 Requires: pki-ca >= 9.0.15 Requires: pki-silent >= 9.0.15 
@@ -117,13 +143,19 @@ Requires: pki-setup >= 9.0.15 Requires: pki-ca >= 9.0.5 Requires: pki-silent >= 9.0.5 %endif +%endif Requires: dogtag-pki-common-theme Requires: dogtag-pki-ca-theme %if 0%{?rhel} Requires: subscription-manager %endif +%if 0%{?fedora} >= 16 +Requires(preun): python systemd-units +Requires(postun): python systemd-units +%else Requires(preun): python initscripts chkconfig Requires(postun): python initscripts chkconfig +%endif # We have a soft-requires on bind. It is an optional part of # IPA but if it is configured we need a way to require versions @@ -252,6 +284,9 @@ package. %build export CFLAGS="$CFLAGS %{optflags}" export CPPFLAGS="$CPPFLAGS %{optflags}" +%if 0%{?fedora} >= 16 +export SUPPORTED_PLATFORM=fedora16 +%endif make version-update cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --lib
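Review bot: With `SUPPORTED_PLATFORM ?= redhat` in the Makefile hunk, any `SUPPORTED_PLATFORM` already present in the caller's environment now selects the platform, and nothing visible checks that the value is one the tree supports; the `%build` hunk relies on this by exporting `SUPPORTED_PLATFORM=fedora16`. A stale or mistyped value inherited from a build host would pass through unnoticed until something consumes it. Suggest a comment next to the variable saying it is meant to be overridden, and an early failure in the Makefile when the value does not correspond to a known platform (assuming it maps to a module under `ipapython/platform/`, as the `fedora16.py` and `redhat.py` names in the file summary suggest).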
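Review bot: The new `%if 0%{?fedora} >= 16` branch of the pki requirements omits `pki-setup >= 9.0.15`, which the Fedora 15 branch still requires (it appears as the context line in the header of the following hunk). If Fedora 16 gets pki-setup through another dependency, note that in a comment; otherwise add it to the new branch. The two branches otherwise differ only by the `tomcat6` line, so leaving the existing `>= 15` block alone and wrapping just `Requires: tomcat6 >= 6.0.32-17` in its own `%if 0%{?fedora} >= 16` would avoid the nested `%else` and the extra `%endif` added in the next hunk. The comment above `tomcat6` also says "greater than" where the requirement is `>=`.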