Bug 564526
Field | Value
---|---
Summary | Create various 'meta' packages for Dogtag PKI Suite . . .
Product | [Retired] Dogtag Certificate System
Component | Infrastructure
Version | 1.3
Status | CLOSED EOL
Severity | medium
Priority | high
Hardware | All
OS | Linux
Reporter | Matthew Harmsen <mharmsen>
Assignee | Matthew Harmsen <mharmsen>
QA Contact | Ben Levenson <benl>
CC | dpal, jgalipea
Doc Type | Bug Fix
Last Closed | 2020-03-27 18:37:57 UTC
Bug Blocks | 541012

Description
Matthew Harmsen
2010-02-13 01:00:35 UTC
(In reply to comment #0)
> Create the following 'meta' packages to conveniently allow for a complete
> installation of the entire Dogtag PKI Suite as well as easy installation
> options for individual Dogtag PKI servers:
>
> * dogtag-pki

I understand the need for dogtag-pki as a top level meta package to pull in anything and everything we want.

> * dogtag-pki-ca
> * dogtag-pki-kra
> * dogtag-pki-ocsp
> * dogtag-pki-ra
> * dogtag-pki-tks
> * dogtag-pki-tps

What are the above 6 packages gonna do that their corresponding packages aren't doing already, like pki-ca, pki-kra ... etc?

(In reply to comment #1)
> (In reply to comment #0)
> > Create the following 'meta' packages to conveniently allow for a complete
> > installation of the entire Dogtag PKI Suite as well as easy installation
> > options for individual Dogtag PKI servers:
> >
> > * dogtag-pki
>
> I understand the need for dogtag-pki as a top level meta package to pull
> in anything and everything we want.
>
> > * dogtag-pki-ca
> > * dogtag-pki-kra
> > * dogtag-pki-ocsp
> > * dogtag-pki-ra
> > * dogtag-pki-tks
> > * dogtag-pki-tps
>
> What are the above 6 packages gonna do that their corresponding packages
> aren't doing already, like pki-ca, pki-kra ... etc?

> > * dogtag-pki-ca
> > * dogtag-pki-kra
> > * dogtag-pki-ocsp
> > * dogtag-pki-tks

Will also pull in pki-console.

> > * dogtag-pki-ra
> > * dogtag-pki-tps

Will also pull in pki-native-tools.

(In reply to comment #3)
> (In reply to comment #1)
> > (In reply to comment #0)
> > > Create the following 'meta' packages to conveniently allow for a complete
> > > installation of the entire Dogtag PKI Suite as well as easy installation
> > > options for individual Dogtag PKI servers:
> > >
> > > * dogtag-pki
> >
> > I understand the need for dogtag-pki as a top level meta package to pull
> > in anything and everything we want.
> >
> > > * dogtag-pki-ca
> > > * dogtag-pki-kra
> > > * dogtag-pki-ocsp
> > > * dogtag-pki-ra
> > > * dogtag-pki-tks
> > > * dogtag-pki-tps
> >
> > What are the above 6 packages gonna do that their corresponding packages
> > aren't doing already, like pki-ca, pki-kra ... etc?
>
> > > * dogtag-pki-ca
> > > * dogtag-pki-kra
> > > * dogtag-pki-ocsp
> > > * dogtag-pki-tks
>
> Will also pull in pki-console.

Hm. Is there any reason why we won't make pki-ca in fact depend on pki-console thereby avoiding having to maintain this extra layer...

>
> > > * dogtag-pki-ra
> > > * dogtag-pki-tps
>
> Will also pull in pki-native-tools.

Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is crucial for RA, TPS installation, configuration to work. If pki-ra, pki-tps isn't pulling in pki-native-tools, how's the current config wizard working?

(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #1)
> > > (In reply to comment #0)
> > > > Create the following 'meta' packages to conveniently allow for a complete
> > > > installation of the entire Dogtag PKI Suite as well as easy installation
> > > > options for individual Dogtag PKI servers:
> > > >
> > > > * dogtag-pki
> > >
> > > I understand the need for dogtag-pki as a top level meta package to pull
> > > in anything and everything we want.
> > >
> > > > * dogtag-pki-ca
> > > > * dogtag-pki-kra
> > > > * dogtag-pki-ocsp
> > > > * dogtag-pki-ra
> > > > * dogtag-pki-tks
> > > > * dogtag-pki-tps
> > >
> > > What are the above 6 packages gonna do that their corresponding packages
> > > aren't doing already, like pki-ca, pki-kra ... etc?
> >
> > > > * dogtag-pki-ca
> > > > * dogtag-pki-kra
> > > > * dogtag-pki-ocsp
> > > > * dogtag-pki-tks
> >
> > Will also pull in pki-console.
>
> Hm. Is there any reason why we won't make pki-ca in fact depend on pki-console
> thereby avoiding having to maintain this extra layer...
>

I think that this is still up for debate --- while it is not absolutely critical that the subsystems contain a 'pki-console' on the same machine, I don't see the harm in this (especially since pki-console is an alternative means of administration for the server). I guess the only problem would be if a customer would want to deploy console on a separate machine from the PKI subsystem (e. g. - CA itself), although we could always "document" that pki-console is not a "hard"-requirement. If this is allowed, we obviously would not have any need for these four 'meta' packages.

> >
> > > > * dogtag-pki-ra
> > > > * dogtag-pki-tps
> >
> > Will also pull in pki-native-tools.
>
> Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is
> crucial for RA, TPS installation, configuration to work. If pki-ra, pki-tps
> isn't pulling in pki-native-tools, how's the current config wizard working?

I suspect that no one has attempted testing either of these packages standalone in some time -- I suspect that it is a bug that needs to be addressed (and would thus remove any need for these two 'meta' packages).

(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > (In reply to comment #1)
> > > > (In reply to comment #0)
> > > > > Create the following 'meta' packages to conveniently allow for a complete
> > > > > installation of the entire Dogtag PKI Suite as well as easy installation
> > > > > options for individual Dogtag PKI servers:
> > > > >
> > > > > * dogtag-pki
> > > >
> > > > I understand the need for dogtag-pki as a top level meta package to pull
> > > > in anything and everything we want.
> > > >
> > > > > * dogtag-pki-ca
> > > > > * dogtag-pki-kra
> > > > > * dogtag-pki-ocsp
> > > > > * dogtag-pki-ra
> > > > > * dogtag-pki-tks
> > > > > * dogtag-pki-tps
> > > >
> > > > What are the above 6 packages gonna do that their corresponding packages
> > > > aren't doing already, like pki-ca, pki-kra ... etc?
> > >
> > > > > * dogtag-pki-ca
> > > > > * dogtag-pki-kra
> > > > > * dogtag-pki-ocsp
> > > > > * dogtag-pki-tks
> > >
> > > Will also pull in pki-console.
> >
> > Hm. Is there any reason why we won't make pki-ca in fact depend on pki-console
> > thereby avoiding having to maintain this extra layer...
> >
>
> I think that this is still up for debate --- while it is not absolutely
> critical that the subsystems contain a 'pki-console' on the same machine, I
> don't see the harm in this (especially since pki-console is an alternative
> means of administration for the server).

Right.

> I guess the only problem would be if
> a customer would want to deploy console on a separate machine from the PKI
> subsystem (e. g. - CA itself),

the answer for that is 'yum install pki-console'?

> although we could always "document" that
> pki-console is not a "hard"-requirement. If this is allowed, we obviously
> would not have any need for these four 'meta' packages.
>

+1 for not doing this work with the exception to of course do the top level pki meta package :)

> > >
> > > > > * dogtag-pki-ra
> > > > > * dogtag-pki-tps
> > >
> > > Will also pull in pki-native-tools.
> >
> > Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is
> > crucial for RA, TPS installation, configuration to work. If pki-ra, pki-tps
> > isn't pulling in pki-native-tools, how's the current config wizard working?
>
> I suspect that no one has attempted testing either of these packages standalone
> in some time -- I suspect that it is a bug that needs to be addressed (and
> would thus remove any need for these two 'meta' packages).

Recently when I was adding karma to a pki-tps package, I installed pki-tps. I'm sure it pulled in pki-native-tools. But yeah a quick cross check of spec files would confirm.

(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > (In reply to comment #3)
> > > > (In reply to comment #1)
> > > > > (In reply to comment #0)
> > > > > > Create the following 'meta' packages to conveniently allow for a complete
> > > > > > installation of the entire Dogtag PKI Suite as well as easy installation
> > > > > > options for individual Dogtag PKI servers:
> > > > > >
> > > > > > * dogtag-pki
> > > > >
> > > > > I understand the need for dogtag-pki as a top level meta package to pull
> > > > > in anything and everything we want.
> > > > >
> > > > > > * dogtag-pki-ca
> > > > > > * dogtag-pki-kra
> > > > > > * dogtag-pki-ocsp
> > > > > > * dogtag-pki-ra
> > > > > > * dogtag-pki-tks
> > > > > > * dogtag-pki-tps
> > > > >
> > > > > What are the above 6 packages gonna do that their corresponding packages
> > > > > aren't doing already, like pki-ca, pki-kra ... etc?
> > > >
> > > > > > * dogtag-pki-ca
> > > > > > * dogtag-pki-kra
> > > > > > * dogtag-pki-ocsp
> > > > > > * dogtag-pki-tks
> > > >
> > > > Will also pull in pki-console.
> > >
> > > Hm. Is there any reason why we won't make pki-ca in fact depend on pki-console
> > > thereby avoiding having to maintain this extra layer...
> > >
> >
> > I think that this is still up for debate --- while it is not absolutely
> > critical that the subsystems contain a 'pki-console' on the same machine, I
> > don't see the harm in this (especially since pki-console is an alternative
> > means of administration for the server).
>
> Right.
>
> > I guess the only problem would be if
> > a customer would want to deploy console on a separate machine from the PKI
> > subsystem (e. g. - CA itself),
>
> the answer for that is 'yum install pki-console'?
>

Yes. This should always work if you want a machine that ONLY contains pki-console.
However, the point that I was trying to make was that if we "require" pki-console from pki-ca, etc., it will always be available on the machine that hosts the 'pki-ca' --- IPA has no need to use pki-console, so for them it is just an extra unnecessary package.

Andrew is seeking further comment from IPA.

> > although we could always "document" that
> > pki-console is not a "hard"-requirement. If this is allowed, we obviously
> > would not have any need for these four 'meta' packages.
> >
>
> +1 for not doing this work with the exception to of course do the top level pki
> meta package :)
>
> > > >
> > > > > > * dogtag-pki-ra
> > > > > > * dogtag-pki-tps
> > > >
> > > > Will also pull in pki-native-tools.
> > >
> > > Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is
> > > crucial for RA, TPS installation, configuration to work. If pki-ra, pki-tps
> > > isn't pulling in pki-native-tools, how's the current config wizard working?
> >
> > I suspect that no one has attempted testing either of these packages standalone
> > in some time -- I suspect that it is a bug that needs to be addressed (and
> > would thus remove any need for these two 'meta' packages).
>
> Recently when I was adding karma to a pki-tps package, I installed pki-tps. I'm
> sure it pulled in pki-native-tools. But yeah a quick cross check of spec files
> would confirm.

I suspect that you install this on a machine where a CA was already installed; pki-ca requires pki-common which requires pki-java-tools which requires pki-native-tools.

(In reply to comment #7)
> > the answer for that is 'yum install pki-console'?
> >
>
> Yes. This should always work if you want a machine that ONLY contains
> pki-console. However, the point that I was trying to make was that if we
> "require" pki-console from pki-ca, etc., it will always be available on the
> machine that hosts the 'pki-ca' --- IPA has no need to use pki-console, so for
> them it is just an extra unnecessary package.
>
> Andrew is seeking further comment from IPA.

if it is just one package, I don't really see the burden. I guess we should compare this against the burden of having to maintain 5 other meta packages ...

>
> I suspect that you install this on a machine where a CA was already installed;
> pki-ca requires pki-common which requires pki-java-tools which requires
> pki-native-tools.

That could be quite true. But yeah, we should rather fix this issue at the pki-ra, pki-tps spec file level if there's really no other extra things to pull in.

Created attachment 394670 [details]
'meta' package

attachment (id=394670) +awnuk

Please rename build_meta to build_dogtag for consistency.

# cd pki/dogtag
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A meta
A meta/dogtag-pki.spec
A meta/LICENSE
A meta/build_dogtag
# svn commit
Adding dogtag/meta
Adding dogtag/meta/LICENSE
Adding dogtag/meta/build_dogtag
Adding dogtag/meta/dogtag-pki.spec
Transmitting file data ...
Committed revision 976.
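
The "quick cross check of spec files" discussed in the thread amounts to walking `Requires:` lines transitively and asking whether a package reaches pki-native-tools on its own or only because another installed package already pulled it in. This is an added example, not part of the bug report or the Dogtag sources. The spec fragments are constructed: only the pki-ca -> pki-common -> pki-java-tools -> pki-native-tools chain comes from the thread, and the pki-tps entry encodes the hypothesis under discussion using a made-up dependency name.

```python
import re

OPS = {"<", "<=", "=", ">=", ">"}

# Constructed spec fragments. Only the pki-ca chain is quoted from the thread;
# the pki-tps entry (no pki-native-tools) is the hypothesis being discussed and
# "placeholder-web-module" is a made-up name.
SPECS = {
    "pki-ca": "Name: pki-ca\nRequires: pki-common\n",
    "pki-common": "Name: pki-common\nRequires: pki-java-tools\n",
    "pki-java-tools": "Name: pki-java-tools\nRequires: pki-native-tools\n",
    "pki-native-tools": "Name: pki-native-tools\n",
    "pki-tps": "Name: pki-tps\nBuildRequires: gcc\n"
               "Requires: placeholder-web-module >= 1.0\n",
}

def parse_requires(spec_text):
    """Package names from Requires: lines; version constraints are dropped."""
    names = set()
    for line in spec_text.splitlines():
        # re.match anchors at line start, so BuildRequires: is not picked up.
        m = re.match(r"\s*Requires(?:\([^)]*\))?\s*:\s*(.*)", line, re.I)
        if not m:
            continue
        skip = False
        for tok in filter(None, re.split(r"[,\s]+", m.group(1))):
            if skip:              # token after an operator is a version
                skip = False
            elif tok in OPS:
                skip = True
            else:
                names.add(tok)
    return names

def closure(pkg, specs):
    """Everything pkg requires, directly or transitively (cycle-safe)."""
    seen, todo = set(), [pkg]
    while todo:
        for dep in parse_requires(specs.get(todo.pop(), "")):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen

def standalone_gap(pkg, needed, specs):
    """True if a clean-host install of pkg would not bring in `needed`."""
    return needed not in closure(pkg, specs)

def masked_by(needed, installed, specs):
    """Installed packages that already drag `needed` onto the host."""
    return sorted(p for p in installed if needed in closure(p, specs))
```

With these fragments, `standalone_gap("pki-tps", "pki-native-tools", SPECS)` is true while `masked_by` names pki-ca as the package that hides the gap on a host where a CA is already installed.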