2019 03 19 update ds create #49
|
||
/home/admin/local_ca/ | ||
``` |
Really nice howto. BTW, what does that last line with the path mean? You can add some # comments there, so it is still executable.
There are some fixes on the certificate inclusion for the ds configuration in another PR, are these included in this PR or are they irrelevant? #48
Those fixes will partially work, and will partially break. The Server-Cert change will break (basically, 389 expects it to be Server-Cert), but the "pkpass" change would work. So that PR will need a refactor I think in light of this change.
So thinking about it, a possible solution is to ask for the ca, cert and key all as .pem, then we do the pkcs12 generation on your behalf to guarantee it's named correctly?
|
||
``` | ||
rake test:unit |
One trick to also check if the package builds is a local run of osc with rake osc:build
``` | ||
~/.y2log | ||
/var/log/YaST2/y2log |
The first one is when you run as user and the second when you run as root.
README.md
Outdated
``` | ||
|
||
For example logging you can execute YaST with debugging environment variables. |
I do not quite get this sentence. If you want to mention that you can enable debug logging with Y2DEBUG=1, I would write it more explicitly.
@@ -9,20 +9,20 @@ | |||
# this program; if not, contact SUSE LINUX GmbH. | |||
|
|||
# Authors: Howard Guo <hguo@suse.com> | |||
# William Brown <wbrown@suse.de> |
btw we are slightly moving away from this practice as git blame or git log or github contributors already provide this info.
|
||
[backend-userroot] | ||
sample_entries = yes | ||
suffix = #{suffix} |
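Review bot: `suffix = #{suffix}` on the last line interpolates the value directly into the ini text handed to dscreate, and nothing in the lines shown validates it. A value containing a line break or a `[section]` header would add keys to the generated file, so reject or strip line breaks (and ideally check the value is a well-formed DN suffix) before building the template.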
Just a hint: you can use e.g. ERB files https://www.stuartellis.name/articles/erb/ to have it as a separate file.
This is too complex for me at the moment, as I don't know that much. I'd rather do a change like that in a follow up.
stdin, stdouterr, result = Open3.popen2e('/usr/sbin/dscreate', '-v', 'from-file', '-n', DS_SETUP_INI_PATH) | ||
stdouterr.readlines.map { |l| append_to_log(l) } | ||
|
||
if result.value.exitstatus != 0 |
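Review bot: `stdin` and `stdouterr` returned by `Open3.popen2e` on the first line are not closed anywhere in the lines shown. The block form of `popen2e` closes both pipes and waits for the child, which avoids leaking descriptors if `append_to_log` raises. `readlines.map` is also used only for its side effect here, so `each_line` would state the intent more clearly.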
Above, your append to log does only debug logging. So in case of failure, I really suggest logging to info or warn here; when customers report a bug, it is useful.
if !ok | ||
Popup.Error(_('Failed to enable TLS! Log output may be found in %s') % [DS_SETUP_LOG_PATH]) | ||
raise | ||
Popup.Error(_('Failed to set up new instance! Log output may be found in ~/.y2log or /var/log/YaST/y2log')) |
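Review bot: the `Popup.Error` text on the last line points users to `/var/log/YaST/y2log`, while the README lines in this same PR list `/var/log/YaST2/y2log`. The two paths should match, otherwise the error message sends people to a directory that is not the one documented.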
It is a message for the user. So I would mention only /var/log/YaST/y2log, as in production this module runs as root.
Updated based on feedback.
I am ok with it and drop my changes, however I do miss the following:
|
dscreate does the systemctl enable for 389, I am not aware of what kerberos is doing ...
I'm not really sure about the kerberos parts here, my goal in this PR is to make 389 work correctly.
See above, only interest in this PR is making 389 work. If there are krb issues, we should open new issues.
No, the current assumption is there is no p12 password (as has been for a long time). There was a separate PR that allowed requesting the p12 password, and I'd like to integrate that in the future as an option.
dscreate generates it as part of the installation process.
No, that's an "auth client" configuration concern. Not a server install concern.
Yes, for the moment the UI now lists that it must be named Server-Cert, however, a current thought is that we should allow the user to submit PEM formatted key/cert, and we generate the p12 for import into certutil.
Hey there, @jreidinger I think I have addressed all your comments, do you mind reviewing again?
Thanks for the approval! Do you mind merging this (squash + merge if possible).
@Firstyear well, you should be able to do it yourself. If not, I will add you as owner to those repos you maintain.
I can't do it myself, that's why I was asking :) if you could add me as owner, that would be great. I should ask my team also who else may need access as there were some offers of assistance within the samba team at suse labs to help with this.
@Firstyear done, you should get an invitation which will grant you admin rights, so you can also add other contributors.
✔️ Public Jenkins job #6 successfully finished
* Update ds installer based on latest python tooling for ds packages, as supported by upstream.
This is a major update to the yast DS integration. This changes from the legacy perl setup, to the new python setup. It also is a large code cleanup and improvements to the process in general.