Spec URL: http://www.grid.tsl.uu.se/review/voms.spec
SRPM URL: http://www.grid.tsl.uu.se/review/voms-1.9.11-1.fc11.src.rpm
Description: In grid computing, and whenever the access to resources may be controlled by parties external to the resource provider, users may be grouped to Virtual Organizations (VOs). This package provides a VO Membership Service (VOMS), which informs on that association between users and their VOs: groups, roles and capabilities.
Hi Mattias,

1) First the simple rpmlint errors.

voms.src:387: W: libdir-macro-in-noarch-package vomsjapi %{_libdir}/gcj/%{name}
(Should be fixed)

voms-devel.x86_64: W: no-dependency-on voms/voms-libs/libvoms
(I'm not sure what this is)

voms-devel.x86_64: W: no-documentation
(okay)

voms-server.x86_64: E: subsys-not-used /etc/rc.d/init.d/voms
(should be easy enough to add or maybe it looks like a <vo> specific lock is created? It's tricky, I don't know of anything else that launches multiple daemons per configuration)

voms-server.x86_64: W: incoherent-init-script-name voms ('voms-server', 'voms-serverd')
(okay)

2) Why is it?

%package -n vomsjapi

and not just

%package japi

3) After installing voms-server

# service voms start
ls: cannot access /etc/voms: No such file or directory
[root@globus x86_64]# echo $?
0

/etc/voms should be created and owned by the package. I guess (not checked) voms is the directory containing the <vo>/voms.conf files? If so maybe /etc/voms.d/ might be better?

3.1) Is it worth adding an example configuration and perhaps a README.Fedora to describe simply how to get up and running? Create database, ...

4) Given there is no need to run voms as root (except host cert) is it a good idea to add a voms user and run as that? I realise it gets to a point where the init script ends up being written from scratch.

5) For my own education I expect in

BuildRequires: globus-gssapi-gsi-devel%{?_isa}

why/how is the %{?_isa} added?

6) Concerning EPEL support this is probably only difficult because of the bouncycastle requirement which requires a slew of missing dependencies. Could it be built without the javaapi support? It is a lot less important I would say.

Steve.
(In reply to comment #1)
> Hi Mattias,

Hi!

> 1) First the simple rpmlint errors.
>
> voms.src:387: W: libdir-macro-in-noarch-package vomsjapi %{_libdir}/gcj/%{name}
> (Should be fixed)

This is a false warning from rpmlint. The reason for the false warning is that rpmlint does not interpret specfile conditionals. All Java packages that follow the guidelines for packaging ahead-of-time compiled Java trigger this false warning.

> voms-devel.x86_64: W: no-dependency-on voms/voms-libs/libvoms
> (I'm not sure what this is)

This warning is due to the fact that the current rpmlint version does not support %{_isa} tags. This has been fixed in the rpmlint sources, but there is no new rpmlint release yet. This warning will go away when the next rpmlint version is released.

> voms-devel.x86_64: W: no-documentation
> (okay)
> voms-server.x86_64: E: subsys-not-used /etc/rc.d/init.d/voms
> (should be easy enough to add or maybe it looks like a <vo> specific lock
> is created? It's tricky, I don't know of anything else that launches
> multiple daemons per configuration)

The init.d script is using subsys, however the rpmlint check greps for the string "/var/lock/subsys", and the script in the voms package has "$VOMS_LOCATION_VAR/lock/subsys" where VOMS_LOCATION_VAR has been set to /var.

> voms-server.x86_64: W: incoherent-init-script-name voms ('voms-server',
> 'voms-serverd')
> (okay)
> 2) Why is it?
>
> %package -n vomsjapi
> and not just
> %package japi

Fedora Java Packaging guidelines say: "If a package provides a single JAR file it must have the same name as the package itself." See: https://fedoraproject.org/wiki/Packaging:Java#Jar_file_naming

> 3) After installing voms-server
> # service voms start
> ls: cannot access /etc/voms: No such file or directory
> [root@globus x86_64]# echo $?
> 0
>
> /etc/voms should be created and owned by the package.

Fixed.

> I guess (not checked) voms is the directory containing the
> <vo>/voms.conf files? If so maybe /etc/voms.d/ might be better?

I'd rather not change this, since many scripts have this location hardcoded.

> 3.1) Is it worth adding an example configuration and perhaps a README.Fedora
> to describe simply how to get up and running? Create database, ...

Fixed.

> 4) Given there is no need to run voms as root (except host cert) is
> it a good idea to add a voms user and run as that? I realise it gets
> to a point where the init script ends up being written from scratch.

Fixed. No need to rewrite the script, only add a /etc/sysconfig/voms file defining the user - now included in the package.

> 5) For my own education I expect in
> BuildRequires: globus-gssapi-gsi-devel%{?_isa}
> why/how is the %{?_isa} added?

On a multilib installation (e.g. i386/x86_64) the "BuildRequires: globus-gssapi-gsi-devel" is satisfied by both the i386 and x86_64 RPM package. By adding the %{?_isa} you explicitly request the right version (provided the version of RPM used by the distribution is new enough to support it).

> 6) Concerning EPEL support this is probably only difficult because
> of the bouncycastle requirement which requires a slew of missing
> dependencies. Could it be built without the javaapi support? It
> is a lot less important I would say.

EPEL packages can be built without the Java API.

> Steve.

New version is here:
Spec URL: http://www.grid.tsl.uu.se/review/voms.spec
SRPM URL: http://www.grid.tsl.uu.se/review/voms-1.9.11-2.fc11.src.rpm

Mattias.
Hi, Wanted to follow through the README.Fedora or try the example configuration but could not see it anywhere? You have /etc/grid-security/voms and /etc/voms owned by uid voms but these should I say probably be root owned.
(In reply to comment #3)
> Hi,
> Wanted to follow through the README.Fedora or try the example configuration
> but could not see it anywhere?

The file is /usr/share/doc/voms-server-1.9.11/INSTALL.Fedora

> You have
>
> /etc/grid-security/voms
> and
> /etc/voms
>
> owned by uid voms but these should I say probably be root owned.

Could you please elaborate on this. I'm not saying they should not be changed, but I would like to know your reasoning.
Hi Mattias,

Some of these are really upstream bugs. Yes the INSTALL.Fedora is there, my mistake.

1) The

/usr/share/voms/voms_install_db --voms-vo=test --port=15000 \
    --db-type=mysql --db-admin=root --db-pwd="" \
    --sqlloc=/usr/lib64/voms/libvomsmysql.so

fails if there are no CAs installed.

rror opening Certificate /etc/grid-security/certificates/*.0
5899:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('/etc/grid-security/certificates/*.0','r')
5899:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate

so adding a comment that there must be some CAs installed before voms_install_db is run would make sense though not required. Quite why you need CAs to do this is not obvious.

2) Permissions on /etc/voms. I think it is normal for files only read by a daemon when they can be owned by root to be owned by root. That way if voms user is compromised the voms configuration can't be altered by the voms user. I think voms_install_db can and should be executed as root. You end up now with:

voms:voms , a+r   /etc/voms
root:root , a+r   /etc/voms/test
root:voms , ug+r  /etc/voms/test/voms.pass
root:root , a+r   /etc/voms/test/voms.conf

Given that /etc/voms/test is root owned I see little point anyway in having /etc/voms owned voms:voms

3) Permission on /etc/grid-security/voms. Again this directory is populated by root even if hostkey/cert.pem files have to be owned by voms.

4)
$ voms-proxy-init --voms test
Cannot find file or dir: /etc/vomses

/etc/vomses should probably be in the client package.

5) /usr/share/voms/voms_install_db -h displays

--logformat format See the vomsd(8) man page for details.
--logdateformat format See the vomsd(8) man page for details.

should be voms not vomsd.

6) I'll take a look at the start up script later, some return codes need some work. But service now running and signing proxies for me.

Steve
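Added example, not part of the thread or of the voms package: a shell audit for the ownership rule argued in point 2, listing every path under a configuration tree that the service account could modify. The function names and the report labels are assumptions of this example; the uid and gid are passed as numbers. A service-owned directory such as the voms:voms /etc/voms above is reported even when the files beneath it are root-owned, while a root:voms file without group write (the voms.pass case) is not.

```sh
#!/bin/sh
# Added example, not part of the voms package or its spec file.
# Lists every path under a config tree that the service account could modify.
# Usage: audit_config_tree DIR SERVICE_UID SERVICE_GID   (numeric ids)
audit_config_tree() {
    dir=$1; svc_uid=$2; svc_gid=$3
    # The owner can always chmod and rewrite its own files or directories.
    find "$dir" ! -type l -user "$svc_uid" -print | sed 's/^/service-owned /'
    # Group write only matters when the group is the service's group.
    find "$dir" ! -type l -group "$svc_gid" -perm -020 -print |
        sed 's/^/service-group-writable /'
    # World-writable paths are writable by the service too.
    find "$dir" ! -type l -perm -002 -print | sed 's/^/world-writable /'
}

# Succeeds only when the audit reports nothing.
config_tree_is_safe() {
    [ -z "$(audit_config_tree "$@")" ]
}

# Run as: sh audit.sh /etc/voms "$(id -u voms)" "$(id -g voms)"
if [ "$#" -eq 3 ]; then
    audit_config_tree "$@"
fi
```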
The init.d script. Largely inspired by:

https://fedoraproject.org/wiki/Packaging:SysVInitScript

Again, this is all really upstream stuff.

1) Running start on running service should be a success.

# /etc/init.d/voms start
Starting voms(other): VOMS (2790) is already running [FAILED]
Starting voms(test): VOMS (2806) is already running [FAILED]

2) Running stop on stopped service should be success.

# /etc/init.d/voms stop
Stopping voms(other): [FAILED]
Stopping voms(test): [FAILED]

3) Generally there is a lot of white space and new lines between message and the [OK] or [FAIL]

4) If I start and then kill the daemons.

# /etc/init.d/voms start
Starting voms(other): [ OK ]
Starting voms(test): [ OK ]

it returns status okay. As for what should happen when one of the configured processes is not running I guess that if any one is not running then status should return not running.

5) Adding some basic sanity checks makes sense, e.g.

[ ! -r "$X509_USER_KEY" ] && echo -n "$prog: No hostkey file" && failure && echo && exit 5
[ ! -r "$X509_USER_CERT" ] && echo -n "$prog: No hostcert file" && failure && echo && exit 5

same if /etc/voms is empty.
Sorry ignore (4) above. My mistake.
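Added example, not the voms init script and not code from the thread: points 1, 2 and 5 of the init script comments as per-VO shell functions, so that start on a running instance and stop on a stopped one both return 0 and an unreadable host key or certificate returns 5. RUNDIR, the function names and the `sleep` process standing in for the daemon are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the voms init script. RUNDIR, the function names and the
# `sleep` stand-in for the daemon are assumptions made for the demonstration.
RUNDIR=${RUNDIR:-/tmp/voms-demo-run}

# Point 5: an unreadable host key or certificate gives status 5.
precheck() {
    [ -r "$1" ] || { echo "No hostkey file" >&2; return 5; }
    [ -r "$2" ] || { echo "No hostcert file" >&2; return 5; }
}

# True when the pidfile of VO $1 names a live process.
vo_running() {
    [ -r "$RUNDIR/$1.pid" ] && kill -0 "$(cat "$RUNDIR/$1.pid")" 2>/dev/null
}

# Point 1: start on a running instance reports it and still returns 0.
vo_start() {
    if vo_running "$1"; then
        echo "Starting voms($1): already running"
        return 0
    fi
    mkdir -p "$RUNDIR"
    sleep 300 >/dev/null 2>&1 &    # stand-in daemon, detached from our stdout
    echo $! > "$RUNDIR/$1.pid"
    echo "Starting voms($1): OK"
}

# Point 2: stop on a stopped instance (or a stale pidfile) returns 0.
vo_stop() {
    if ! vo_running "$1"; then
        rm -f "$RUNDIR/$1.pid"
        echo "Stopping voms($1): (already stopped)"
        return 0
    fi
    kill "$(cat "$RUNDIR/$1.pid")" || return 1
    rm -f "$RUNDIR/$1.pid"
    echo "Stopping voms($1): OK"
}

# Demo: sh initdemo.sh demo
if [ "${1:-}" = "demo" ]; then
    vo_start test; vo_start test; vo_stop test; vo_stop test
fi
```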
(In reply to comment #5)

- Added sentence about CA certs to INSTALL.Fedora
- /etc/voms now owned by root
- /etc/grid-security-voms now owned by root
- /etc/vomses added - installed by main package
- Fixed man page references in /usr/share/voms/voms_install_db -h output

(In reply to comment #6)

The init script has been fixed:

[root@ellert ~]# service voms start
Starting voms(mytestvo): [ OK ]
Starting voms(mytestvo2): [ OK ]
[root@ellert ~]# service voms start
Starting voms(mytestvo): VOMS (25049) is already running
Starting voms(mytestvo2): VOMS (25065) is already running
[root@ellert ~]# service voms stop
Stopping voms(mytestvo): [ OK ]
Stopping voms(mytestvo2): [ OK ]
[root@ellert ~]# service voms stop
Stopping voms(mytestvo): (already stopped)
Stopping voms(mytestvo2): (already stopped)
[root@ellert ~]# service voms restart
Stopping voms(mytestvo): (already stopped)
Stopping voms(mytestvo2): (already stopped)
Starting voms(mytestvo): [ OK ]
Starting voms(mytestvo2): [ OK ]
[root@ellert ~]# service voms stop mytestvo
Stopping voms(mytestvo): [ OK ]
[root@ellert ~]# service voms condrestart
Stopping voms(mytestvo2): [ OK ]
Starting voms(mytestvo2): [ OK ]
[root@ellert ~]# service voms status
Status voms(mytestvo): stopped
Status voms(mytestvo2): (pid 25382 25384) is running...

New version is here:
Spec URL: http://www.grid.tsl.uu.se/review/voms.spec
SRPM URL: http://www.grid.tsl.uu.se/review/voms-1.9.11-3.fc11.src.rpm

Mattias.
Formal review of voms package.

# MUST: rpmlint must be run on every package. The output should be posted in the review.[1]

$ rpmlint voms-1.9.11-3.fc11.src.rpm rpmbuild/RPMS/x86_64/voms-

voms.src:438: W: libdir-macro-in-noarch-package vomsjapi %{_libdir}/gcj/%{name}
Explained in comment #2

voms.x86_64: E: zero-length /etc/vomses
It's an empty directory for a subsequent modular configuration - fine. But see point below.

voms-devel.x86_64: W: no-dependency-on voms/voms-libs/libvoms
Explained in comment #2

voms-devel.x86_64: W: no-documentation
Fine

voms-server.x86_64: W: non-standard-uid /var/log/voms voms
voms-server.x86_64: W: non-standard-gid /var/log/voms voms
Correct, the voms service running as voms logs to /var/log/voms

voms-server.x86_64: W: log-files-without-logrotate /var/log/voms
voms handles its own logrotation.

voms-server.x86_64: E: subsys-not-used /etc/rc.d/init.d/voms
Explained in comment #2

voms-server.x86_64: W: incoherent-init-script-name voms ('voms-server', 'voms-serverd')
Service is called vomsd. (In fact this really should be valid with rpmlint, will submit a bug later)

6 packages and 0 specfiles checked; 2 errors, 7 warnings.

# MUST: The package must be named according to the Package Naming Guidelines.
It does.

# MUST: The spec file name must match the base package %{name}, in the format %{name}.spec unless your package has an exemption. [2]
It does

# MUST: The package must meet the Packaging Guidelines.
It does

# MUST: The package must be licensed with a Fedora approved license and meet the Licensing Guidelines.
It does, ASL 2.0

# MUST: The License field in the package spec file must match the actual license. [3]
Yes

# MUST: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package must be included in %doc.[4]

# MUST: The spec file must be written in American English. [5]
It is

# MUST: The spec file for the package MUST be legible. [6]
It is

# MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use md5sum for this task. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
Yes, CVS URL works.

# MUST: The package MUST successfully compile and build into binary rpms on at least one primary architecture. [7]
It built on my x86_64 f11 within mock.
http://koji.fedoraproject.org/koji/taskinfo?taskID=1654893

# MUST: If the package does not successfully compile, build or work on an architecture, then those architectures should be listed in the spec in ExcludeArch. Each architecture listed in ExcludeArch MUST have a bug filed in bugzilla, describing the reason that the package does not compile/build/work on that architecture. The bug number MUST be placed in a comment, next to the corresponding ExcludeArch line. [8]
http://koji.fedoraproject.org/koji/taskinfo?taskID=1654893

# MUST: All build dependencies must be listed in BuildRequires, except for any that are listed in the exceptions section of the Packaging Guidelines; inclusion of those as BuildRequires is optional. Apply common sense.
Yes

# MUST: The spec file MUST handle locales properly. This is done by using the %find_lang macro. Using %{_datadir}/locale/* is strictly forbidden.[9]
Not relevant.

# MUST: Every binary RPM package (or subpackage) which stores shared library files (not just symlinks) in any of the dynamic linker's default paths, must call ldconfig in %post and %postun. [10]
$ rpm -q --scripts voms
postinstall program: /sbin/ldconfig
postuninstall program: /sbin/ldconfig
So fine.

# MUST: If the package is designed to be relocatable, the packager must state this fact in the request for review, along with the rationalization for relocation of that specific package. Without this, use of Prefix: /usr is considered a blocker. [11]
Not relevant.

# MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. [12]
Hmm, it looks like /usr/share/m4 is created but not owned by this package.

# MUST: A Fedora package must not list a file more than once in the spec file's %files listings. [13]
It does not.

# MUST: Permissions on files must be set properly. Executables should be set with executable permissions, for example. Every %files section must include a %defattr(...) line. [14]
Yes

# MUST: Each package must have a %clean section, which contains rm -rf %{buildroot} (or $RPM_BUILD_ROOT). [15]
Yes

# MUST: Each package must consistently use macros. [16]
Yes

# MUST: The package must contain code, or permissible content. [17]
It does.

# MUST: Large documentation files must go in a -doc subpackage. (The definition of large is left up to the packager's best judgement, but is not restricted to size. Large can refer to either size or quantity). [18]
They are.

# MUST: If a package includes something as %doc, it must not affect the runtime of the application. To summarize: If it is in %doc, the program must run properly if it is not present. [18]
It does.

# MUST: Header files must be in a -devel package. [19]
They are.

# MUST: Static libraries must be in a -static package. [20]
Not relevant.

# MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for directory ownership and usability). [21]
Not relevant.

# MUST: If a package contains library files with a suffix (e.g. libfoo.so.1.1), then library files that end in .so (without suffix) must go in a -devel package. [19]
They are.

# MUST: In the vast majority of cases, devel packages must require the base package using a fully versioned dependency: Requires: %{name} = %{version}-%{release} [22]
It does.

# MUST: Packages must NOT contain any .la libtool archives, these must be removed in the spec if they are built.[20]
It does not.

# MUST: Packages containing GUI applications must include a %{name}.desktop file, and that file must be properly installed with desktop-file-install in the %install section. If you feel that your packaged GUI application does not need a .desktop file, you must put a comment in the spec file with your explanation. [23]
Not relevant.

# MUST: Packages must not own files or directories already owned by other packages. The rule of thumb here is that the first package to be installed should own the files or directories that other packages may rely upon. This means, for example, that no package in Fedora should ever share ownership with any of the files or directories owned by the filesystem or man package. If you feel that you have a good reason to own a file or directory that another package owns, then please present that at package review time. [24]
It does not.

# MUST: At the beginning of %install, each package MUST run rm -rf %{buildroot} (or $RPM_BUILD_ROOT). [25]
It does.

# MUST: All filenames in rpm packages must be valid UTF-8. [26]
They are.

So to wrap up two things:

1) On upgrade something odd happens.

rpm -Uvh voms-*
1:voms warning: /etc/vomses created as /etc/vomses.rpmnew

and results in

$ ls -ld /etc/vomses /etc/vomses.rpmnew
drwxr-xr-x. 2 root root 4096 2009-08-31 10:44 /etc/vomses
-rw-r--r--. 1 root root 0 2009-09-04 15:35 /etc/vomses.rpmnew

which is just odd. I would guess adding a %dir sorts this out but am unsure.

%config(noreplace) %{_sysconfdir}/vomses

2) I think /usr/share/m4 containing /usr/share/m4/voms.mp4 is created by but not owned by the %file listing.

3) Lastly

koji build --scratch dist-f12 voms-.....src.rpm

http://koji.fedoraproject.org/koji/taskinfo?taskID=1654893

clearly has some build problems.

Steve
(In reply to comment #9)
> So to wrap up two things:
>
> 1) On upgrade something odd happens.
>
> rpm -Uvh voms-*
> 1:voms warning: /etc/vomses created as /etc/vomses.rpmnew
>
> and results in
>
> $ ls -ld /etc/vomses /etc/vomses.rpmnew
> drwxr-xr-x. 2 root root 4096 2009-08-31 10:44 /etc/vomses
> -rw-r--r--. 1 root root 0 2009-09-04 15:35 /etc/vomses.rpmnew
>
> which is just odd.

Version -2 of the package did not contain the /etc/vomses file, this file was added in version -3. You had already created /etc/vomses when testing the -2 version, and since /etc/vomses is tagged as a config file that should not be overwritten the new version from the package was created as /etc/vomses.rpmnew. This is exactly as it should be and is neither odd nor strange.

> I would guess adding a %dir sorts this out but am unsure.
> %config(noreplace) %{_sysconfdir}/vomses

/etc/vomses is a file and not a directory, so tagging it as %dir is not appropriate.

> 2) I think /usr/share/m4 containing /usr/share/m4/voms.mp4 is created by but
> not
> owned by the %file listing.

Yet another "let's install files in weird places" issue from upstream. I have moved the file to the right place (usr/share/aclocal - where all other .m4 files are). I added a dependency on automake to the -devel package to depend on a package that owns this directory. Thank you for pointing this one out.

> 3) Lastly
> koji build --scratch dist-f12 voms-.....src.rpm
>
> http://koji.fedoraproject.org/koji/taskinfo?taskID=1654893
>
> clearly has some build problems.

Yes, the package needed porting to openssl 1.0. Porting has been done and the patch sent upstream. Koji scratch build is now OK:
https://koji.fedoraproject.org/koji/taskinfo?taskID=1659459

> Steve

New version is here:
Spec URL: http://www.grid.tsl.uu.se/review/voms.spec
SRPM URL: http://www.grid.tsl.uu.se/review/voms-1.9.11-4.fc11.src.rpm

Mattias
Hi Mattias,

This all looks good and I am approving it. A great addition and my first package review.

APPROVED

Steve
Thank you for the review...

New Package CVS Request
=======================
Package Name: voms
Short Description: Virtual Organization Membership Service
Owners: ellert
Branches: F-10 F-11 EL-4 EL-5
InitialCC:
cvs done.
voms-mysql-plugin-3.1.1-1.fc10,voms-1.9.11-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/voms-mysql-plugin-3.1.1-1.fc10,voms-1.9.11-4.fc10
voms-mysql-plugin-3.1.1-1.fc11,voms-1.9.11-4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/voms-mysql-plugin-3.1.1-1.fc11,voms-1.9.11-4.fc11
voms-mysql-plugin-3.1.1-1.el4,voms-1.9.11-4.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/voms-mysql-plugin-3.1.1-1.el4,voms-1.9.11-4.el4
voms-mysql-plugin-3.1.1-1.el5,voms-1.9.11-4.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/voms-mysql-plugin-3.1.1-1.el5,voms-1.9.11-4.el5
voms-mysql-plugin-3.1.1-1.el4, voms-1.9.11-4.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update voms-mysql-plugin voms'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2009-0422
voms-mysql-plugin-3.1.1-1.el5, voms-1.9.11-4.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update voms-mysql-plugin voms'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0428
voms-mysql-plugin-3.1.1-1.fc10, voms-1.9.11-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
voms-mysql-plugin-3.1.1-1.fc11, voms-1.9.11-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
voms-mysql-plugin-3.1.1-1.el4, voms-1.9.12.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
voms-mysql-plugin-3.1.1-1.el5, voms-1.9.12.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.