[Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

Martin Kosek mkosek at redhat.com
Mon Oct 1 14:09:52 UTC 2012


On 10/01/2012 03:35 PM, Petr Viktorin wrote:
> On 09/27/2012 10:26 AM, Petr Viktorin wrote:
>> On 09/20/2012 05:58 AM, Ade Lee wrote:
>>> Changes to use a single database for dogtag and IPA
>>>
>>>      New servers that are installed with dogtag 10 instances will use
>>>      a single database instance for dogtag and IPA, albeit with different
>>>      suffixes.  Dogtag will communicate with the instance through a
>>>      database user with permissions to modify the dogtag suffix only.
>>>      This user will authenticate using client auth using the subsystem cert
>>>      for the instance.
>>>
>>>      This patch includes changes to allow the creation of masters and clones
>>>      with single ds instances.
>>>
>>> I have tested being able to create a master and a clone using f17 and
>>> dogtag 10.  Note that you will need to use the latest builds on the
>>> dogtag repo to get some changes that were checked in today.  We'll kick
>>> off another official f18 dogtag build in a day or so.
>>>
>>> This is a pretty big change - so I expect many issues to come up as
>>> things get tested.  But as this will take a while to get resolved, it's
>>> better to get this out for review as fast as possible.
>>>
>>> Happy reviewing.
>>>
>>> Ade
>>>
>>>
>>
>> Attaching a rebased patch with a couple of style issues fixed.
>> - PEP8 compliance (remove trailing whitespace, use parentheses rather
>> than \ for line continuation, wrap touched lines at 80 characters)
>> - for files, use the with statement instead of the "open/close sandwich"
>> - don't mix tabs and spaces in install/share/certmap.conf.template
>>
>> I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
>> now obsoletes pki-setup.
>>
>>
>> I still need selinux in permissive mode to install on f17, and I still
>> need to exclude *.i686 packages when updating.
>>
> 
> Are the following limitations expected?
> 
> IPA and Dogtag have to be updated simultaneously; it's not possible to have
> current IPA master with Dogtag 10, or IPA with this patch with D9.
> 
> It is not possible to create a replica from a machine with a single DS to an
> older version without the patch -- the older version will try the wrong ports.

In this case, I think we are covered - we do not support installation of a
replica with a lower version than the master where the replica info file was
created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
this for next version release. For 3.0 I think we will have to settle with a
note in Documentation.

We just need to make sure that 3.0 replica made out of 2.x master will work.

Martin



