Bug 1649398 - [RFE] split python utilities to their own binary package
Summary: [RFE] split python utilities to their own binary package
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-13 14:55 UTC by Luca BRUNO
Modified: 2019-05-10 00:47 UTC (History)
11 users (show)

Fixed In Version: bind-9.11.6-5.P1.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-10 00:47:27 UTC
Type: Bug


Attachments (Terms of Use)

Description Luca BRUNO 2018-11-13 14:55:58 UTC
Description of problem:

bind-utils package currently provides a few utilities that depends on python3 and a bunch of other python modules. From a quick look on F29, the set of those utilities is quite small and consist of:
 * /usr/sbin/dnssec-checkds
 * /usr/sbin/dnssec-coverage
 * /usr/sbin/dnssec-keymgr

In order to trim down the web of python dependencies on fedora-coreos images, it would be nice if those utilities could be split to their own dedicated binary package (bind-python-utils perhaps?).

Comment 1 Petr Menšík 2018-11-13 20:26:01 UTC
Sure, I thought about that more than once. I think splitting would be useful, especially because those utilities are way less used than most common dig and host.

Anyway, it is possible dependencies may grow because of bug #1564776. Not a python dependencies however.

Comment 2 Luca BRUNO 2018-11-13 21:49:00 UTC
In our specific case, native dependencies (I'm thinking of libprotobuf here) are a bit less of problem compare to user-exposed interpreters.

Anyway, thanks for the quick followup. If you need any kind of review/feedback/help on this, feel free to reach to any of the people in the current CC set.

Comment 3 Tomáš Hozza 2018-11-14 08:09:28 UTC
Please don't name them bind-python-utils. It will make much more sense to have utilities split by use case and named them by use case, not by the language they are written in. These are not python modules.

Comment 4 Dusty Mabe 2018-12-12 15:59:40 UTC
Hi Petr. Do you know if the splitting out of python deps will make it into Fedora 30? We'd like to use this in Fedora CoreOS for Fedora 30 if possible.

Comment 5 Petr Menšík 2019-01-16 19:57:16 UTC
Tomas is right, these are not tools to work in python. I checked how they have it organized in Debian. There are dnssec tools in bind9utils [1] package and dnsutils [2] with basic client commands like host, dig etc. I think most packages that depend on bind-utils require host or dig.

It is a question what to move outside. I think bind-dnssec-utils with most of tools in /usr/sbin would make sense. They are related more to named service and working with zone files and their keys. 

Packages that require bind-utils are on f29:

389-ds-base-legacy-tools-0:1.4.0.16-1.fc29.x86_64
389-ds-base-legacy-tools-0:1.4.0.20-1.fc29.x86_64
bash-argsparse-0:1.7-7.fc29.noarch
bontmia-0:0.14-20.fc29.noarch
cabal-install-0:2.0.0.1-10.fc29.x86_64
check-mk-agent-0:1.4.0p31-4.fc29.x86_64
clamav-unofficial-sigs-0:3.7.2-6.fc29.noarch
clamav-unofficial-sigs-0:5.6.2-3.fc29.noarch
doc-0:2.2.3-11.fc29.noarch
freeipa-client-0:4.7.0-3.fc29.x86_64
freeipa-client-0:4.7.2-1.fc29.x86_64
freeipa-server-dns-0:4.7.0-3.fc29.noarch
freeipa-server-dns-0:4.7.2-1.fc29.noarch
gnome-nettool-0:3.8.1-15.fc29.x86_64
inxi-0:3.0.24-1.fc29.noarch
inxi-0:3.0.29-1.fc29.noarch
lbd-0:0.4-5.fc29.noarch
nagios-plugins-dig-0:2.2.1-14.20180725git3429dad.fc29.x86_64
nagios-plugins-dns-0:2.2.1-14.20180725git3429dad.fc29.x86_64
neofetch-0:5.0.0-2.fc29.noarch
nmbscan-0:1.2.6-15.fc29.noarch
origin-sdn-ovs-0:3.11.0-0.alpha1.0.fc29.x86_64
system-config-bind-0:4.0.15-16.fc29.noarch
testssl-0:2.9.5-3.fc29.noarch

I did check that:
bash-argsparse uses host
bontmia uses host
inxi uses dig
lbd uses host
nagios-plugins-dig uses dig
nagios-plugins-dns uses nslookup (!)
neofetch uses dig
gnome-nettool uses dig


I am confident at least freeipa-server-dns would require some dnssec tools or key generation tools. Not sure about freeipa-client. It would be simple to move some tools into separate subpackage, but not so without breaking something.
Alternative would be forking two separate utils and bind-utils would still require both of them, so backward compatibility is rock-solid. I admit I do not have enough time for communicating all these changes with all dependent packages. Not yet sure how to solve it. I may fork simple utilities into bind-dnsutils and leave bind-utils to require both bind-dnsutils and bind-dnssec-utils. Seems overcomplicated but safe enough.

1. https://packages.debian.org/sid/amd64/bind9utils/filelist
2. https://packages.debian.org/sid/amd64/dnsutils/filelist

Comment 6 Petr Menšík 2019-01-17 13:09:15 UTC
I think I have found some solution, bind-utils would Suggest bind-dnssec-utils for some time. It allows to not install bind-dnssec-utils, but should install both for all existing users [1]. I would drop the suggests when I am confident requires for bind-utils require just what has left inside. Have it in my test repository for now, because I have to first rebase to BIND 9.11.5 and it is not yet prepared. It should build inside COPR after while [2] (note some other features are enabled too).

1. https://src.fedoraproject.org/fork/pemensik/rpms/bind/c/2830e00b88ea8bb956e0cdeb6f205fc72741b167?branch=master-beta
2. https://copr.fedorainfracloud.org/coprs/pemensik/bind/

Comment 7 Dusty Mabe 2019-01-17 14:40:04 UTC
thanks for working on this petr

Comment 8 Petr Menšík 2019-01-31 15:33:17 UTC
Ok, checked packages in more automated way.

Used these commands on rawhide:
dnf install $(dnf repoquery --whatrequires bind-utils)
rpm -ql bind-utils | grep '/usr/s\?bin' | while read BINARY; do BS=$(basename -- "$BINARY"); echo "$BS"; [ "$BINARY" != "/usr/bin/host" ] && BINARY=$(basename -- "$BINARY"); grep -w "$BINARY" -r /usr/bin /usr/sbin /usr/lib*; done | tee found.log

According to that, FreeIPA requires just nsupdate and dnsec-keyfromlabel-pkcs11. Because freeipa uses dnsec-keyfromlabel-pkcs11 binary, it does not require bind-dnssec-utils that provides dnssec-keyfromlabel. It could require it later if *-pkcs11 variants are deprecated, but that is not yet comming.

It seems no other tool tries to use any command from /usr/sbin. I think it is safe to just split dnssec tools away.

Comment 9 Sinny Kumari 2019-02-13 11:53:02 UTC
Thanks a lot Petr for creating bind-dnssec-utils sub-package and moving Python utilities from bind-utils to the new sub-pacakge! I see that latest bind-utils-9.11.5-8.P1.fc30 sub-package available in Fedora 30 doesn't contain Python dependent utilities now.

Comment 10 Fedora Update System 2019-05-06 14:55:27 UTC
bind-9.11.6-5.P1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-493dfcda55

Comment 11 Fedora Update System 2019-05-06 21:04:07 UTC
bind-9.11.6-5.P1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-493dfcda55

Comment 12 Fedora Update System 2019-05-10 00:47:27 UTC
bind-9.11.6-5.P1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.