Create the following 'meta' packages to conveniently allow for a complete installation of the entire Dogtag PKI Suite as well as easy installation options for individual Dogtag PKI servers: * dogtag-pki * dogtag-pki-ca * dogtag-pki-kra * dogtag-pki-ocsp * dogtag-pki-ra * dogtag-pki-tks * dogtag-pki-tps
(In reply to comment #0) > Create the following 'meta' packages to conveniently allow for a complete > installation of the entire Dogtag PKI Suite as well as easy installation > options for individual Dogtag PKI servers: > > * dogtag-pki I understand the need for dogtag-pki as a top level meta package to pull in anything and everything we want. > * dogtag-pki-ca > * dogtag-pki-kra > * dogtag-pki-ocsp > * dogtag-pki-ra > * dogtag-pki-tks > * dogtag-pki-tps What are the above 6 packages gonna do that their corresponding packages aren't doing already , like pki-ca, pki-kra ... etc ?
(In reply to comment #1) > (In reply to comment #0) > > Create the following 'meta' packages to conveniently allow for a complete > > installation of the entire Dogtag PKI Suite as well as easy installation > > options for individual Dogtag PKI servers: > > > > * dogtag-pki > > I understand the need for dogtag-pki as a top level meta package to pull > in anything and everything we want. > > > * dogtag-pki-ca > > * dogtag-pki-kra > > * dogtag-pki-ocsp > > * dogtag-pki-ra > > * dogtag-pki-tks > > * dogtag-pki-tps > > What are the above 6 packages gonna do that their corresponding packages > aren't doing already , like pki-ca, pki-kra ... etc ? > > * dogtag-pki-ca > > * dogtag-pki-kra > > * dogtag-pki-ocsp > > * dogtag-pki-tks Will also pull in pki-console. > > * dogtag-pki-ra > > * dogtag-pki-tps Will also pull in pki-native-tools.
(In reply to comment #3) > (In reply to comment #1) > > (In reply to comment #0) > > > Create the following 'meta' packages to conveniently allow for a complete > > > installation of the entire Dogtag PKI Suite as well as easy installation > > > options for individual Dogtag PKI servers: > > > > > > * dogtag-pki > > > > I understand the need for dogtag-pki as a top level meta package to pull > > in anything and everything we want. > > > > > * dogtag-pki-ca > > > * dogtag-pki-kra > > > * dogtag-pki-ocsp > > > * dogtag-pki-ra > > > * dogtag-pki-tks > > > * dogtag-pki-tps > > > > What are the above 6 packages gonna do that their corresponding packages > > aren't doing already , like pki-ca, pki-kra ... etc ? > > > > * dogtag-pki-ca > > > * dogtag-pki-kra > > > * dogtag-pki-ocsp > > > * dogtag-pki-tks > > Will also pull in pki-console. Hm. Is there any reason why we won't make pki-ca infact depend on pki-console thereby avoiding having to maintain this extra layer... > > > > * dogtag-pki-ra > > > * dogtag-pki-tps > > Will also pull in pki-native-tools. Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is crucial for RA,TPS installation,configuration to work. If pki-ra,pki-tps isn't pulling in pki-native-tools, hows the current config wizard working ?.
(In reply to comment #4) > (In reply to comment #3) > > (In reply to comment #1) > > > (In reply to comment #0) > > > > Create the following 'meta' packages to conveniently allow for a complete > > > > installation of the entire Dogtag PKI Suite as well as easy installation > > > > options for individual Dogtag PKI servers: > > > > > > > > * dogtag-pki > > > > > > I understand the need for dogtag-pki as a top level meta package to pull > > > in anything and everything we want. > > > > > > > * dogtag-pki-ca > > > > * dogtag-pki-kra > > > > * dogtag-pki-ocsp > > > > * dogtag-pki-ra > > > > * dogtag-pki-tks > > > > * dogtag-pki-tps > > > > > > What are the above 6 packages gonna do that their corresponding packages > > > aren't doing already , like pki-ca, pki-kra ... etc ? > > > > > > * dogtag-pki-ca > > > > * dogtag-pki-kra > > > > * dogtag-pki-ocsp > > > > * dogtag-pki-tks > > > > Will also pull in pki-console. > > Hm. Is there any reason why we won't make pki-ca infact depend on pki-console > thereby avoiding having to maintain this extra layer... > I think that this is still up for debate --- while it is not absolutely critical that the subsystems contain a 'pki-console' on the same machine, I don't see the harm in this (especially since pki-console is an alternative means of administration for the server). I guess the only problem would be if a customer would want to deploy console on a separate machine from the PKI subsystem (e. g. - CA itself), although we could always "document" that pki-console is not a "hard"-requirement. If this is allowed, we obviously would not have any need for these four 'meta' packages. > > > > > > * dogtag-pki-ra > > > > * dogtag-pki-tps > > > > Will also pull in pki-native-tools. > > Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is > crucial for RA,TPS installation,configuration to work. If pki-ra,pki-tps > isn't pulling in pki-native-tools, hows the current config wizard working ?. I suspect that no one has attempted testing either of these packages standalone in some time -- I suspect that it is a bug that needs to be addressed (and would thus remove any need for these two 'meta' packages.
(In reply to comment #5) > (In reply to comment #4) > > (In reply to comment #3) > > > (In reply to comment #1) > > > > (In reply to comment #0) > > > > > Create the following 'meta' packages to conveniently allow for a complete > > > > > installation of the entire Dogtag PKI Suite as well as easy installation > > > > > options for individual Dogtag PKI servers: > > > > > > > > > > * dogtag-pki > > > > > > > > I understand the need for dogtag-pki as a top level meta package to pull > > > > in anything and everything we want. > > > > > > > > > * dogtag-pki-ca > > > > > * dogtag-pki-kra > > > > > * dogtag-pki-ocsp > > > > > * dogtag-pki-ra > > > > > * dogtag-pki-tks > > > > > * dogtag-pki-tps > > > > > > > > What are the above 6 packages gonna do that their corresponding packages > > > > aren't doing already , like pki-ca, pki-kra ... etc ? > > > > > > > > * dogtag-pki-ca > > > > > * dogtag-pki-kra > > > > > * dogtag-pki-ocsp > > > > > * dogtag-pki-tks > > > > > > Will also pull in pki-console. > > > > Hm. Is there any reason why we won't make pki-ca infact depend on pki-console > > thereby avoiding having to maintain this extra layer... > > > > I think that this is still up for debate --- while it is not absolutely > critical that the subsystems contain a 'pki-console' on the same machine, I > don't see the harm in this (especially since pki-console is an alternative > means of administration for the server). Right. > I guess the only problem would be if > a customer would want to deploy console on a separate machine from the PKI > subsystem (e. g. - CA itself), the answer for that is 'yum install pki-console' ? > although we could always "document" that > pki-console is not a "hard"-requirement. If this is allowed, we obviously > would not have any need for these four 'meta' packages. > +1 for not doing this work with the exception to of course do the top level pki meta package :) > > > > > > > > * dogtag-pki-ra > > > > > * dogtag-pki-tps > > > > > > Will also pull in pki-native-tools. > > > > Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is > > crucial for RA,TPS installation,configuration to work. If pki-ra,pki-tps > > isn't pulling in pki-native-tools, hows the current config wizard working ?. > > I suspect that no one has attempted testing either of these packages standalone > in some time -- I suspect that it is a bug that needs to be addressed (and > would thus remove any need for these two 'meta' packages. Recently when I was adding karma to a pki-tps package, I installed pki-tps. I'm sure it pulled in pki-native-tools. But yeah a quick cross check of spec files would confirm.
(In reply to comment #6) > (In reply to comment #5) > > (In reply to comment #4) > > > (In reply to comment #3) > > > > (In reply to comment #1) > > > > > (In reply to comment #0) > > > > > > Create the following 'meta' packages to conveniently allow for a complete > > > > > > installation of the entire Dogtag PKI Suite as well as easy installation > > > > > > options for individual Dogtag PKI servers: > > > > > > > > > > > > * dogtag-pki > > > > > > > > > > I understand the need for dogtag-pki as a top level meta package to pull > > > > > in anything and everything we want. > > > > > > > > > > > * dogtag-pki-ca > > > > > > * dogtag-pki-kra > > > > > > * dogtag-pki-ocsp > > > > > > * dogtag-pki-ra > > > > > > * dogtag-pki-tks > > > > > > * dogtag-pki-tps > > > > > > > > > > What are the above 6 packages gonna do that their corresponding packages > > > > > aren't doing already , like pki-ca, pki-kra ... etc ? > > > > > > > > > > * dogtag-pki-ca > > > > > > * dogtag-pki-kra > > > > > > * dogtag-pki-ocsp > > > > > > * dogtag-pki-tks > > > > > > > > Will also pull in pki-console. > > > > > > Hm. Is there any reason why we won't make pki-ca infact depend on pki-console > > > thereby avoiding having to maintain this extra layer... > > > > > > > I think that this is still up for debate --- while it is not absolutely > > critical that the subsystems contain a 'pki-console' on the same machine, I > > don't see the harm in this (especially since pki-console is an alternative > > means of administration for the server). > > Right. > > > I guess the only problem would be if > > a customer would want to deploy console on a separate machine from the PKI > > subsystem (e. g. - CA itself), > > the answer for that is 'yum install pki-console' ? > Yes. This should always work if you want a machine that ONLY contains pki-console. However, the point that I was trying to make was that if we "require" pki-console from pki-ca, etc., it will always be available on the machine that hosts the 'pki-ca' --- IPA has no need to use pki-console, so for them it is just an extra un-necessary package. Andrew is seeking further comment from IPA. > > although we could always "document" that > > pki-console is not a "hard"-requirement. If this is allowed, we obviously > > would not have any need for these four 'meta' packages. > > > > +1 for not doing this work with the exception to of course do the top level pki > meta package :) > > > > > > > > > > > * dogtag-pki-ra > > > > > > * dogtag-pki-tps > > > > > > > > Will also pull in pki-native-tools. > > > > > > Hm. This seems more like a Bug. pki-native-tools has 'sslget' which is > > > crucial for RA,TPS installation,configuration to work. If pki-ra,pki-tps > > > isn't pulling in pki-native-tools, hows the current config wizard working ?. > > > > I suspect that no one has attempted testing either of these packages standalone > > in some time -- I suspect that it is a bug that needs to be addressed (and > > would thus remove any need for these two 'meta' packages. > > Recently when I was adding karma to a pki-tps package, I installed pki-tps. I'm > sure it pulled in pki-native-tools. But yeah a quick cross check of spec files > would confirm. I suspect that you install this on a machine where a CA was already installed; pki-ca requires pki-common which requires pki-java-tools which requires pki-native-tools.
(In reply to comment #7) > > the answer for that is 'yum install pki-console' ? > > > > Yes. This should always work if you want a machine that ONLY contains > pki-console. However, the point that I was trying to make was that if we > "require" pki-console from pki-ca, etc., it will always be available on the > machine that hosts the 'pki-ca' --- IPA has no need to use pki-console, so for > them it is just an extra un-necessary package. > > Andrew is seeking further comment from IPA. if it is just one package, I don't really see the burden. I guess we should compare this against the burden of having to maintain 5 other meta packages ... > > I suspect that you install this on a machine where a CA was already installed; > pki-ca requires pki-common which requires pki-java-tools which requires > pki-native-tools. That could be quite true. But yeah, we should rather fix this issue at the pki-ra,pki-tps spec file level if there's really no other extra things to pull in.
Created attachment 394670 [details] 'meta' package
attachment (id=394670) +awnuk Please rename build_meta to build_dogtag for consistency.
# cd pki/dogtag # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^? A meta A meta/dogtag-pki.spec A meta/LICENSE A meta/build_dogtag # svn commit Adding dogtag/meta Adding dogtag/meta/LICENSE Adding dogtag/meta/build_dogtag Adding dogtag/meta/dogtag-pki.spec Transmitting file data ... Committed revision 976.