[Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA
Martin Kosek
mkosek at redhat.com
Mon Oct 1 14:09:52 UTC 2012
On 10/01/2012 03:35 PM, Petr Viktorin wrote:
> On 09/27/2012 10:26 AM, Petr Viktorin wrote:
>> On 09/20/2012 05:58 AM, Ade Lee wrote:
>>> Changes to use a single database for dogtag and IPA
>>>
>>> New servers that are installed with dogtag 10 instances will use
>>> a single database instance for dogtag and IPA, albeit with different
>>> suffixes. Dogtag will communicate with the instance through a
>>> database user with permissions to modify the dogtag suffix only.
>>> This user will authenticate using client auth using the subsystem
>>> cert for the instance.
>>>
>>> This patch includes changes to allow the creation of masters and
>>> clones with single ds instances.
>>>
>>> I have tested being able to create a master and a clone using f17 and
>>> dogtag 10. Note that you will need to use the latest builds on the
>>> dogtag repo to get some changes that were checked in today. We'll kick
>>> off another official f18 dogtag build in a day or so.
>>>
>>> This is a pretty big change - so I expect many issues to come up as
>>> things get tested. But as this will take a while to get resolved, it's
>>> better to get this out for review as fast as possible.
>>>
>>> Happy reviewing.
>>>
>>> Ade
>>>
>>>
>>
>> Attaching a rebased patch with a couple of style issues fixed.
>> - PEP8 compliance (remove trailing whitespace, use parentheses rather
>> than \ for line continuation, wrap touched lines at 80 characters)
>> - for files, use the with statement instead of the "open/close sandwich"
>> - don't mix tabs and spaces in install/share/certmap.conf.template
>>
>> I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
>> now obsoletes pki-setup.
>>
>>
>> I still need selinux in permissive mode to install on f17, and I still
>> need to exclude *.i686 packages when updating.
>>
>
> Are the following limitations expected?
>
> IPA and Dogtag have to be updated simultaneously; it's not possible to have
> current IPA master with Dogtag 10, or IPA with this patch with D9.
>
> It is not possible to create a replica from a machine with a single DS to an
> older version without the patch -- the older version will try the wrong ports.

In this case, I think we are covered - we do not support installation of a
replica with a lower version than the master where the replica info file was
created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
this for the next version release. For 3.0 I think we will have to settle with a
note in Documentation.

We just need to make sure that a 3.0 replica made out of a 2.x master will work.

Martin