[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Petr Viktorin pviktori at redhat.com
Wed Sep 12 12:46:48 UTC 2012


On 09/12/2012 04:42 AM, Ade Lee wrote:
> On Tue, 2012-09-11 at 14:45 -0400, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/11/2012 04:38 PM, Rob Crittenden wrote:
>>>> Ade Lee wrote:
>>>>> On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> On 09/11/2012 04:04 AM, Ade Lee wrote:
>>>>>>>> On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>> Attaching rebased and squashed patches. I've done some testing with them
>>>>>>>>>> but please test some more.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Most of these aren't IPA issues, but dogtag issues. I'll try to split
>>>>>>>>> them out.
>>>>>>>>>
>>>>>>>>> IPA:
>>>>>>>>>
>>>>>>>>> For the configuration files in install/conf to be updated at rpm update
>>>>>>>>> time the VERSION needs to be incremented.
>>>>>>>
>>>>>>> These files should stay the same since on upgrade we're still using a
>>>>>>> Dogtag 9 style instance. The Dogtag 10 ports are only used in new
>>>>>>> installs.
>>>>>>>
>>>>>>>>> The ipa package lacks any updated dogtag dependencies, so I abused it.
>>>>>>>
>>>>>>> What should the updated dependencies be? Since it should work with both
>>>>>>> dogtag 9 and 10, I don't see how they should change.
>>>>>>
>>>>>> I don't know either, but we need to prevent people from installing
>>>>>> incompatible package combinations.
>>>>>>
>>>>> Wouldn't the Conflicts: ipa < 3.0 in pki-ca mentioned below satisfy this
>>>>> requirement?  The main concern is that you must have ipa 3.0 if you have
>>>>> dogtag 10.
>>>>>
>>>>> Given that dogtag is consumed by IPA though, it makes more sense to put
>>>>> the relevant conflicts in IPA rather than in dogtag.  So in this case,
>>>>> that would mean putting Conflicts: pki-ca >= 10.0 in IPA 2.x.
>>>>> Recall that dogtag 10 will only be officially available in f18+.
>>>>
>>>> That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to
>>>> F-18 they would be able to install dogtag 10 and blow up their IPA
>>>> server.
>>>>
> We can add the Conflicts: freeipa-server < 3.0 to the dogtag packages
> (likely in pki-base).
>
> But we should also add explicit dependencies to ipa.
>
> For ipa 2.2, Conflicts: pki-ca >= 10.0, Requires: pki-ca >= 9.x
> For ipa 3,   Requires: pki-ca >= 10.0

Unfortunately we need to support IPA 3.0 with Dogtag 9.

> This of course assumes that ipa 3 is only officially released on f18
> (which is what will happen for dogtag 10).  Just because we can support
> d9 on ipa 3 does not mean we should.
>
> As it is, in this case, we will have to support IPA 3 + d10, IPA 3 + d10
> + d9-style instance, IPA 2.x + d9.

We also need to test replication between various combinations of these.


-- 
Petr³



