FreeIPA packaging tries to be modular. For example, we have freeipa-server-trust-ad package which installs all requirements for AD integration for server.
However, we miss such packages for other optional modules, like DNS or PKI. Someone may want to install just core FreeIPA server without any additional services, but our freeipa-server package still pulls quite beefy pki-ca package.
If we update the server to be more modular with regards to PKI, admins could install core FreeIPA (CA-less) server with significantly fewer packages.
I would imagine that following new packages are created:
Upgrades should not be difficult, we would simply set Obsoletes freeipa-server < VERSION to the new FreeIPA server of version VERSION and it should install both packages (and thus not breaking existent FreeIPA+CA deployments) and still avoid having strict Requires.
This RFE would benefit both admins wanting to run just CA-less FreeIPA, clarity of the requirement and also porting to other platforms like Debian which may not package the freeipa-server-ca part and still have FreeIPA core available.
Perhaps freeipa-server-webui should be split out as well?
That's a good point. I already saw requests to disable Web UI on a host.
Question is, if an RPM package is the right format (compared to say, a CLI tool), Web UI will be needed in 90% of the cases when server is installed, so I am just wondering if having to explicitly install freeipa-server-webui every time wouldn't be more annoying than beneficial.
Replying to [comment:4 mkosek]:
That's a good point. I already saw requests to disable Web UI on a host. Question is, if an RPM package is the right format (compared to say, a CLI tool), Web UI will be needed in 90% of the cases when server is installed, so I am just wondering if having to explicitly install freeipa-server-webui every time wouldn't be more annoying than beneficial.
Is there a way to install the UI by default and remove it if it is not needed?
If it were a separate sub-package then yes, it probably would be fairly easy. This would require extracting the UI portions of the Apache configuration into a separate configuration file. So these would be removed when the package is removed, Apache restart in %post, and UI gone without affecting the CLI.
Replying to [comment:6 rcritten]:
Yup, that was my line of thinking as well.
However, we would need to use some sort of soft dependency, right? So that the freeipa-server-webui package is installed along with the freeipa-server package but with the ability to be uninstalled afterwards (or to be excluded from the initial install). And I was not sure if RPM is capable of that...
It may have to be done via a similar handling of bind and bind-dyndb-ldap detection. It would be more ugly in this case though.
Hm, maybe the cleanest solution would be to do it via YUM package groups, i.e. do split the Web UI to a separate subpackage + enhance the FreeIPA Server group in Fedora.
This is how it reads now:
$ yum groupinfo 'FreeIPA Server'
Loaded plugins: langpacks, refresh-packagekit
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)

Group: FreeIPA Server
 Group-Id: freeipa-server
 Description: Provides central directory services for identity, policy management and auditing.
 Mandatory Packages:
   +freeipa-server
 Default Packages:
   +bind-dyndb-ldap
   +freeipa-server-strict
   +freeipa-server-trust-ad
We would just add freeipa-server-webui, freeipa-server-ca to default packages and freeipa-server-dns to Optional packages.
WRT Web UI separation: We may want to split ipalib/plugins/internal.py into two. The one with i18n_messages would be part of Web UI and the json_metadata command would be part of core server.
3.5 and can be pushed to 3.6
on hold
Duplicate ticket with additional information: #4332. The ticket recommends even going further and installing sub-packages automatically when a subsystem (e.g. DNS) is selected.
Slightly related tickets aimed for smaller Dogtag dependency:
Someone, please take this
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1206586
Too late to be included in 4.2 - moving to later release.
master:
ipa-4-2:
Metadata Update from @mkosek: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.5 backlog
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)