freeipa

Clone
Source Code
GIT

#1374 ipa-client-install needs to be usable on non-RH/Fedora platforms
Closed: Fixed None Opened 12 years ago by sgallagh.

Closed: Fixed
Reopen Issue

Right now, there are several barriers in place to other distributions implementing the ipa-client.

  1. ipa-client is built out of the FreeIPA tarball, which requires a lot of dependencies available only on Fedora-derived OSes.
  2. The ipa-client-install script relies on the availability of authconfig, which is only designed to work on Fedora/RH.

If we want to be able to support clients running on Debian, Ubuntu, Mandriva, SUSE, etc. we need to make the following changes.

  1. ipa-client should be distributed in its own tarball, separate from the server
  2. ipa-client should be modified to be pluggable. Any place where we call out to authconfig should be turned into a callback into a user-supplied external script (defaulting to authconfig) that can perform the platform-specific actions as requested.

The biggest problem with a separate ipa-client tarball is what to include in it and how to install the result.

There is a shared component, ipa-python, that contains common code used by client and server. This currently builds as a separate package, ipa-python. There is also the admintools component, I suspect that would be desirable as well. It would be very heavy-weight to build these independently.

On RHEL 5.6/6.0 I got around this by pushing the required ipa-python bits into the ipa-client python package. This required some import changes. We didn't ship the ipa tool.

Perhaps we can take that spec file and use it as a demonstration on how to package.

The suggestion on making authconfig is a good one. We would require 2 modes, installation and uninstallation.

The code in FreeIPA 2.1.3 and master now supports abstraction of authconfig code. One can make a plugin in ipapython/platform/ to override behavior of authconfig calls. The interface towards the Authconfig class is simple and expects that original authconfig options are accepted by the class with enable()/disable() methods. How actual configuration is done is left for implementation. Thus, one can use manual page of authconfig to consult expected input parameters and write proper implementation for platforms not supported by authconfig itself.

We do not distribute ipa-client-install in a separate tarball though. I would consider it a job of a platform package maintainer to take full FreeIPA tarball and build only relevant parts of it -- this is more reasonable because there is fair amount of common Python code (ipapython) that is shared between server and client side. In addition, ipapython.platform must be extended with a new plugin to support new platform, and whole FreeIPA should be configured with it which is done at top level Makefile.

I'm closing this bug after discussion with Stephen Gallagher as we have already all needed helpers for packagers to discover how to properly package client only:

  1. Makefile has client-related targets: client, client-install, client-rpms
  2. Extensibility guide has a chapter on porting FreeIPA to different platforms that explains how to introduce support for required system features.
  3. Makefile client-dirs target explains which directories are required to be created in the target client package in order to have ipa-client-install working. 'client-dirs' target is called by 'client-install' target.

Rename component.

Metadata Update from @sgallagh:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.0 Core Effort - 2011/11
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
enhancement
None
None
Client
None
0
None
None
None
None
0
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.