October 2017 - FreeIPA-devel - Fedora Mailing-Lists

by Martin Kosek

Hello all, I would like to start a discussion regarding the migration of current FreeIPA services that are running on OpenShift v2 that was obsoleted [1] and will go soon EOL (the ultimate cut-off date is Dec 31, 2017). After a short discussion I had with several FreeIPA developers, the preference remained with keeping this application on OpenShift (v3 generation), as it will let us easily maintain it on a PaaS, without having to care about maintaining our own infra. It will be also easy to delegate maintenance powers to more people. Given above, I have now set up a Pro account with OpenShift v3 and migrated the base FreeIPA wiki as an application there, with today snapshot of data and images. When the POC deployment is ready and approved on this list, I can switch the current wiki to readonly and request change of "www.freeipa.org" DNS records to get it to production. The POC wiki is running in [2], with OpenShift application sources being stored in a public git repo [3]. Eventually, the OpenShift could be configured to rebuild the wiki after a git push to [3], to enable easy changes to wiki to it's maintainers. Let me know if there are any concerns about having the wiki sources public. The secrets and keys are of course not in the repo, but configured via OpenShift environment variable. The POC now runs pretty well, the only issue I found so far is linking the wiki user authentication with Fedora auth. The problem is that the current OpenID plugin [4] is deprecated and does not run with modern PHP version and I could not get the new OpenID Connect one [5] to work reliably with our wiki and Fedora OIDC service. I either received authentication errors or later problems with linking the authenticated user to current account. So for now I gave up and enabled simple password auth by password again. Feedback welcome! Thanks, Martin [1] https://blog.openshift.com/migrate-to-v3-v2-eol/ [2] https://freeipa-org-wiki-freeipa.b9ad.pro-us-east-1.openshiftapps.com [3] https://github.com/freeipa/freeipa-wiki [4] https://www.mediawiki.org/wiki/Extension:OpenID [5] https://www.mediawiki.org/wiki/Extension:OpenID_Connect -- Martin Kosek <mkosek(a)redhat.com> Manager, Software Engineering - Identity Management Team Red Hat, Inc.

6 years, 5 months

3
4
0 / 0

[freeipa PR#1148][opened] Use namespace-aware meta importer for ipaplatform

by tiran

URL: https://github.com/freeipa/freeipa/pull/1148 Author: tiran Title: #1148: Use namespace-aware meta importer for ipaplatform Action: opened PR body: """ Instead of symlinks and build-time configuration the ipaplatform module is now able to auto-detect platforms on import time. The meta importer uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE' on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora". The meta importer is able to handle namespace packages and the ipaplatform package has been turned into a namespace package in order to support external platform specifications. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1148/head:pr1148 git checkout pr1148

6 years, 5 months

1
1
0 / 0

[freeipa PR#1142][opened] [tests] Fix ca_less integration tests

by Akasurde

URL: https://github.com/freeipa/freeipa/pull/1142 Author: Akasurde Title: #1142: [tests] Fix ca_less integration tests Action: opened PR body: """ This fix adds additional prompt which was missing previously in test_interactive_missing_ds_pkcs_password and test_interactive_missing_http_pkcs_password under CA-less integration testsuite. Fixes: https://pagure.io/freeipa/issue/7182 Signed-off-by: Abhijeet Kasurde <akasurde(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1142/head:pr1142 git checkout pr1142

6 years, 5 months

2
1
0 / 0

[freeipa PR#1144][opened] Fix for https://pagure.io/freeipa/issue/6884 as agreed in BZ.

by germanparente

URL: https://github.com/freeipa/freeipa/pull/1144 Author: germanparente Title: #1144: Fix for https://pagure.io/freeipa/issue/6884 as agreed in BZ. Action: opened PR body: """ The definitive fix to deal with the DS CVE would be to remove the ipaPermTargetFilter: (objectclass=<objectclass value>) from the "Remove <Object>" permissions during ipa-server-upgrade, for instance, and re-run the task to generate the acl's (if this not done automatically when modifying the permission entry). this has been also discussed in BZ1441262 https://bugzilla.redhat.com/show_bug.cgi?id=1441262 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1144/head:pr1144 git checkout pr1144

6 years, 5 months

2
1
0 / 0

[freeipa PR#903][opened] Warning the user when using a loopback IP as forwarder

by felipevolpone

URL: https://github.com/freeipa/freeipa/pull/903 Author: felipevolpone Title: #903: Warning the user when using a loopback IP as forwarder Action: opened PR body: """ Now, the user can pass a loopback IP in the --forwarder option. Previously, an error would be raised, now we just show a warning message. Fixes: https://pagure.io/freeipa/issue/5801 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/903/head:pr903 git checkout pr903

6 years, 5 months

1
1
0 / 0

[NSS Default File Format SQL in Fedora 28]

by Alexander Bokovoy

Hi, FYI. We are going to affected by this change, so we should start looking into possible breaks in Rawhide 'soon'. -- / Alexander Bokovoy

6 years, 5 months

4
6
0 / 0

[freeipa PR#1027][opened] prci: add external_ca test

by tomaskrizek

URL: https://github.com/freeipa/freeipa/pull/1027 Author: tomaskrizek Title: #1027: prci: add external_ca test Action: opened PR body: """ Add external_ca to the PR CI test suite. Signed-off-by: Tomas Krizek <tkrizek(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1027/head:pr1027 git checkout pr1027

6 years, 5 months

1
1
0 / 0

[freeipa PR#1217][opened] [Backport][ipa-4-5] Include the CA basic constraint in CSRs when renewing a CA

by pvoborni

URL: https://github.com/freeipa/freeipa/pull/1217 Author: pvoborni Title: #1217: [Backport][ipa-4-5] Include the CA basic constraint in CSRs when renewing a CA Action: opened PR body: """ Opened manually as backport of #963 manual changes done on cherry-pick are: ```diff diff --cc ipaserver/install/ipa_cacert_manage.py index fcbf091,86243d3..0000000 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@@ -309,8 -302,9 +309,9 @@@ class CACertManage(admintool.AdminTool) def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent', profile=''): timeout = api.env.startup_timeout + 60 - logger.debug("resubmitting certmonger request '%s'", self.request_id) + self.log.debug("resubmitting certmonger request '%s'", self.request_id) - certmonger.resubmit_request(self.request_id, ca=ca, profile=profile) + certmonger.resubmit_request(self.request_id, ca=ca, profile=profile, + is_ca=True) try: state = certmonger.wait_for_request(self.request_id, timeout) except RuntimeError: ``` (there was conflict in logging) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1217/head:pr1217 git checkout pr1217

6 years, 5 months

2
1
0 / 0

GitHub pull requests - Travis CI

by Standa Laznicka

Hello, Please note that due to the problems Travis CI has with their internet provider, the builds of our PRs tend to fail: https://www.traviscistatus.com/ Also, since they are switching from `pep8` to `pycodestyle` binary, you need to rebase your pull requests on current master and wait with backports until the respective `.travis.yaml` backports are pushed: ipa-4-6: https://github.com/freeipa/freeipa/pull/1199 ipa-4-5: https://github.com/freeipa/freeipa/pull/1201 Sorry for the inconvenience, Standa

6 years, 5 months

1
0
0 / 0

[freeipa PR#1185][opened] Time skew support

by abbra

URL: https://github.com/freeipa/freeipa/pull/1185 Author: abbra Title: #1185: Time skew support Action: opened PR body: """ Backport for ipa-4-6, waiting for the CI to complete. The original pull request 1155 was already pushed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1185/head:pr1185 git checkout pr1185

6 years, 6 months

1
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel October 2017