a bunch of changes

- add missing dependencies
- ship stub config files
- update platform code
- hack the path for dirsrv plugins (FIXME)
- use debian users for apache, bind
- add an initscript for ipa-memcached
- use dh_systemd
- ship generate-rndc-key.sh with the server

debian/control

@@ -9,6 +9,7 @@ Build-Depends:
  debhelper (>= 9),
  dh-autoreconf,
  dh-python,
+ dh-systemd,
  gettext,
  krb5-user,
  libcmocka-dev,
@@ -69,17 +70,19 @@ Depends:
  dogtag-pki-server-theme,
  freeipa-admintools (= ${binary:Version}),
  freeipa-client (= ${binary:Version}),
+ krb5-admin-server,
  krb5-kdc,
  krb5-kdc-ldap,
  krb5-pkinit,
  ldap-utils,
- libapache2-mod-auth-kerb,
+ libapache2-mod-auth-kerb (>= 5.4-2.2),
  libapache2-mod-nss,
  libapache2-mod-wsgi,
  libjs-dojo-core,
  libjs-jquery,
  libnss3-tools,
  libsasl2-modules-gssapi-mit,
+ memcached,
  ntp,
  pki-ca,
  python-freeipa (= ${binary:Version}),

debian/freeipa-server.install

@@ -1,6 +1,7 @@
+etc/apache2/conf-enabled/*
+etc/default/ipa-memcached
 etc/ipa/html/*
-lib/systemd/system/ipa-otpd.socket
-lib/systemd/system/ipa-otpd@.service
+lib/systemd/system/*
 usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit
 usr/lib/*/dirsrv/plugins/libipa_cldap.so
 usr/lib/*/dirsrv/plugins/libipa_dns.so
@@ -64,6 +65,7 @@ usr/share/ipa/*.uldif
 usr/share/ipa/advise/legacy/*.template
 usr/share/ipa/copy-schema-to-ca.py
 usr/share/ipa/ffextension/*
+usr/share/ipa/html/*
 usr/share/ipa/ipa-pki-proxy.conf
 usr/share/ipa/ipa-rewrite.conf
 usr/share/ipa/ipa.conf
@@ -95,3 +97,4 @@ var/lib/ipa/backup
 var/lib/ipa/pki-ca
 var/lib/ipa/sysrestore
 var/lib/ipa/sysupgrade
+debian/generate-dndc-key.sh	usr/share/ipa

debian/freeipa-server.ipa-memcached.init

@@ -0,0 +1,70 @@
+#! /bin/sh
+
+# Standard LSB functions
+. /lib/lsb/init-functions
+
+DAEMON=/usr/bin/memcached
+SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
+USER=www-data
+PIDFILE=/var/run/ipa_memcached/ipa_memcached.pid
+MAXCONN=1024
+CACHESIZE=64
+OPTIONS=""
+
+if [ -f /etc/default/ipa-memcached ];then
+    . /etc/default/ipa-memcached
+fi
+
+prog="ipa_memcached"
+pidfile=${PIDFILE-/var/run/ipa_memcached/ipa_memcached.pid}
+lockfile=${LOCKFILE-/var/lock/subsys/ipa_memcached}
+
+do_start () {
+    # Ensure that $pidfile directory has proper permissions and exists
+    piddir=`dirname $pidfile`
+    if [ ! -d $piddir ]; then
+	mkdir $piddir
+    fi
+    if [ "`stat -c %U $piddir`" != "$USER" ]; then
+	chown $USER $piddir
+    fi
+
+    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+        -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P $PIDFILE $OPTIONS
+}
+
+do_stop () {
+    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $DAEMON
+}
+
+# See how we were called.
+case "$1" in
+    start)
+        log_daemon_msg "Starting ipa-memcached"
+        do_start
+        case "$?" in
+                0) log_end_msg 0 ;;
+                1) log_progress_msg "already started"
+                   log_end_msg 0 ;;
+                *) log_end_msg 1 ;;
+        esac
+        ;;
+    stop)
+        log_daemon_msg "Stopping ipa-memcached"
+        do_stop
+        case "$?" in
+                0) log_end_msg 0 ;;
+                1) log_progress_msg "already stopped"
+                   log_end_msg 0 ;;
+                *) log_end_msg 1 ;;
+        esac
+        ;;
+    restart|force-reload)
+        $0 stop
+        $0 start
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|force-reload}"
+        exit 2
+esac
+exit $?

debian/freeipa-server.postinst

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = configure ]; then
+    /usr/sbin/a2enmod auth_kerb expires headers proxy rewrite
+fi
+
+#DEBHELPER#

debian/generate-rndc-key.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. /lib/lsb/init-functions
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+  echo -n $"Generating /etc/bind/rndc.key:"
+  if /usr/sbin/rndc-confgen -a -r /dev/urandom > /dev/null 2>&1; then
+    chmod 640 /etc/bind/rndc.key
+    chown root.bind /etc/bind/rndc.key
+    [ -x /sbin/restorecon ] && /sbin/restorecon /etc/bind/rndc.key
+    log_success_msg "/etc/bind/rndc.key generation"
+    echo
+  else
+    log_failure_msg $"/etc/bind/rndc.key generation"
+    echo
+  fi
+fi

debian/patches/add-debian-platform.diff

@@ -223,7 +223,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +"""
 --- /dev/null
 +++ b/ipaplatform/debian/paths.py
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,65 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton@ubuntu.com>
 +#
@@ -256,11 +256,42 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
 +    NSS_DB_DIR = "sql:/etc/pki/nssdb"
 +    SBIN_SERVICE = "/usr/sbin/service"
++    ETC_HTTPD_DIR = "/etc/apache2"
++    HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
++    ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
++    ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
++    HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
++    HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
++    HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-enabled/ipa-rewrite.conf"
++    HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
++    HTTPD_NSS_CONF = "/etc/apache2/mods-enabled/nss.conf"
++    HTTPD_SSL_CONF = "/etc/apache2/conf-enabled/ssl.conf"
++    IPA_KEYTAB = "/etc/apache2/ipa.keytab"
++    HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
++    SYSCONFIG_PKI = "/etc/dogtag/"
++    SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
++    SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
++    HTTPD = "/usr/sbin/apache2ctl"
++    BIND_LDAP_SO = "/usr/share/doc/bind-dyndb-ldap/copyright"
++    NAMED_CONF = "/etc/bind/named.conf.local"
++    NAMED_KEYTAB = "/etc/bind/named.keytab"
++    NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
++    ETC_DEBIAN_VERSION = "/etc/debian_version"
++    SYSCONFIG_NTPD = "/etc/default/ntp"
++    SETUP_DS_PL = "/usr/sbin/setup-ds"
++    VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
++    VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
++    CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
++    KRB5KDC_KDC_CONF = "/var/lib/krb5kdc/kdc.conf"
++    KDC_PEM = "/var/lib/krb5kdc/kdc.pem"
++    VAR_LOG_HTTPD_DIR = "/var/log/apache2"
++    SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
++    GENERATE_RNDC_KEY = "/usr/share/ipa/generate-rndc-key.sh"
 +
 +paths = DebianPathNamespace()
 --- /dev/null
 +++ b/ipaplatform/debian/services.py
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,161 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton@ubuntu.com>
 +#
@@ -302,11 +333,11 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +        If this is a service we need to wait for do so.
 +        """
 +        ports = None
-+        if instance_name in base.wellknownports:
-+            ports = base.wellknownports[instance_name]
++        if instance_name in base_services.wellknownports:
++            ports = base_services.wellknownports[instance_name]
 +        else:
-+            if self.service_name in base.wellknownports:
-+                ports = base.wellknownports[self.service_name]
++            if self.service_name in base_services.wellknownports:
++                ports = base_services.wellknownports[self.service_name]
 +        if ports:
 +            ipautil.wait_for_open_ports('localhost', ports, api.env.startup_timeout)
 +    def stop(self, instance_name='', capture_output=True):
@@ -375,6 +406,9 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    def remove(self):
 +        return True
 +
++    def tune_nofile_platform(self):
++        return True
++
 +
 +class DebianSSHService(DebianService):
 +    def get_config_dir(self, instance_name=""):
@@ -384,6 +418,20 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +# of specified name
 +
 +def debian_service_class_factory(name):
++    if name == 'httpd':
++        return DebianService("apache2")
++    if name == 'ipa_memcached':
++        return DebianService("ipa-memcached")
++    if name == 'kadmin':
++        return DebianService("krb5-admin-server")
++    if name == 'krb5kdc':
++        return DebianService("krb5-kdc")
++    if name == 'messagebus':
++        return DebianService("dbus")
++    if name == 'named':
++        return DebianService("bind9")
++    if name == 'ntpd':
++        return DebianService("ntp")
 +    if name == 'sshd':
 +        return DebianSSHService(name)
 +    return DebianService(name)
@@ -395,12 +443,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    def __init__(self):
 +        services = dict()
 +        for s in base_services.wellknownservices:
-+            if s == "messagebus":
-+                services[s] = debian_service_class_factory("dbus")
-+            elif s == "ntpd":
-+                services[s] = debian_service_class_factory("ntp")
-+            else:
-+                services[s] = debian_service_class_factory(s)
++            services[s] = debian_service_class_factory(s)
 +        # Call base class constructor. This will lock services to read-only
 +        super(DebianServices, self).__init__(services)
 +
@@ -471,3 +514,171 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
  
          srv_vals = []
          srv_vals.append("0.%s.pool.ntp.org" % os)
+@@ -105,9 +107,9 @@ class NTPInstance(service.Service):
+         fd.close()
+         for line in lines:
+             sline = line.strip()
+-            if not sline.startswith('OPTIONS'):
++            if not sline.startswith('NTPD_OPTS'):
+                 continue
+-            sline = sline.replace('"', '')
++            sline = sline.replace('\'', '')
+             for opt in needopts:
+                 if sline.find(opt['val']) != -1:
+                     opt['need'] = False
+@@ -123,12 +125,12 @@ class NTPInstance(service.Service):
+             for line in lines:
+                 if not done:
+                     sline = line.strip()
+-                    if not sline.startswith('OPTIONS'):
++                    if not sline.startswith('NTPD_OPTS'):
+                         fd.write(line)
+                         continue
+-                    sline = sline.replace('"', '')
++                    sline = sline.replace('\'', '')
+                     (variable, opts) = sline.split('=', 1)
+-                    fd.write('OPTIONS="%s %s"\n' % (opts, ' '.join(newopts)))
++                    fd.write('NTPD_OPTS="%s %s"\n' % (opts, ' '.join(newopts)))
+                     done = True
+                 else:
+                     fd.write(line)
+--- a/setup.py
++++ b/setup.py
+@@ -80,6 +80,7 @@ setup(
+         'ipalib.plugins',
+         'ipaplatform',
+         'ipaplatform.base',
++        'ipaplatform.debian',
+         'ipaplatform.fedora',
+         'ipaserver',
+         'ipaserver.advise',
+--- a/ipaserver/install/ldapupdate.py
++++ b/ipaserver/install/ldapupdate.py
+@@ -247,9 +247,9 @@ class LDAPUpdate:
+         bits = platform.architecture()[0]
+ 
+         if bits == "64bit":
+-            return "64"
++            return "/x86_64-linux-gnu"
+         else:
+-            return ""
++            return "/i386-linux-gnu"
+ 
+     def _template_str(self, s):
+         try:
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -202,14 +202,14 @@ class HTTPInstance(service.Service):
+         self.move_service(self.principal)
+         self.add_cert_to_service()
+ 
+-        pent = pwd.getpwnam("apache")
++        pent = pwd.getpwnam("www-data")
+         os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
+ 
+     def remove_httpd_ccache(self):
+         # Clean up existing ccache
+         # Make sure that empty env is passed to avoid passing KRB5CCNAME from
+         # current env
+-        ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
++        ipautil.run(['kdestroy', '-A'], runas='www-data', raiseonerr=False, env={})
+ 
+     def __configure_http(self):
+         target_fname = paths.HTTPD_IPA_CONF
+@@ -255,7 +255,7 @@ class HTTPInstance(service.Service):
+         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
+ 
+     def __set_mod_nss_passwordfile(self):
+-        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
++        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', paths.HTTPD_PASSWORD_CONF)
+ 
+     def __add_include(self):
+         """This should run after __set_mod_nss_port so is already backed up"""
+@@ -300,7 +300,7 @@ class HTTPInstance(service.Service):
+         os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
+         os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
+ 
+-        pent = pwd.getpwnam("apache")
++        pent = pwd.getpwnam("www-data")
+         os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+         os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
+         os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+--- a/ipaserver/install/ipa_server_certinstall.py
++++ b/ipaserver/install/ipa_server_certinstall.py
+@@ -148,7 +148,7 @@ class ServerCertInstall(admintool.AdminT
+         os.chmod(os.path.join(dirname, 'key3.db'), 0640)
+         os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
+ 
+-        pent = pwd.getpwnam("apache")
++        pent = pwd.getpwnam("www-data")
+         os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
+         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
+         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1122,7 +1122,7 @@ class CAInstance(service.Service):
+         os.chmod(self.ra_agent_db + "/key3.db", 0640)
+         os.chmod(self.ra_agent_db + "/secmod.db", 0640)
+ 
+-        pent = pwd.getpwnam("apache")
++        pent = pwd.getpwnam("www-data")
+         os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
+         os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
+         os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
+--- a/ipaserver/install/certs.py
++++ b/ipaserver/install/certs.py
+@@ -740,7 +740,7 @@ class CertDB(object):
+         f.close()
+         pwdfile.close()
+         # TODO: replace explicit uid by a platform-specific one
+-        self.set_perms(self.pwd_conf, uid="apache")
++        self.set_perms(self.pwd_conf, uid="www-data")
+ 
+     def find_root_cert(self, nickname):
+         """
+--- a/init/ipa_memcached.conf
++++ b/init/ipa_memcached.conf
+@@ -1,5 +1,5 @@
+ SOCKET_PATH=/var/run/ipa_memcached/ipa_memcached
+-USER=apache
++USER=www-data
+ MAXCONN=1024
+ CACHESIZE=64
+ OPTIONS=
+--- a/init/systemd/ipa.conf.tmpfiles
++++ b/init/systemd/ipa.conf.tmpfiles
+@@ -1,2 +1,2 @@
+-d /var/run/ipa_memcached 0700 apache apache
++d /var/run/ipa_memcached 0700 www-data www-data
+ d /var/run/ipa 0700 root root
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -482,7 +482,7 @@ class BindInstance(service.Service):
+     suffix = ipautil.dn_attribute_property('_suffix')
+ 
+     def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp,
+-              reverse_zone, named_user="named", zonemgr=None,
++              reverse_zone, named_user="bind", zonemgr=None,
+               ca_configured=None):
+         self.named_user = named_user
+         self.fqdn = fqdn
+@@ -844,7 +844,7 @@ class BindInstance(service.Service):
+ 
+     def __generate_rndc_key(self):
+         installutils.check_entropy()
+-        ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
++        ipautil.run(paths.GENERATE_RNDC_KEY)
+ 
+     def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
+                                reverse_zone, ntp=False, ca_configured=None):
+--- a/init/systemd/ipa_memcached.service
++++ b/init/systemd/ipa_memcached.service
+@@ -4,7 +4,7 @@ After=network.target
+ 
+ [Service]
+ Type=forking
+-EnvironmentFile=/etc/sysconfig/ipa_memcached
++EnvironmentFile=/etc/default/ipa-memcached
+ PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
+ ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
+ 

debian/patches/series

@@ -5,7 +5,6 @@ port-ipa-client-automount.diff
 dont-check-for-systemd-pc.diff
 
 # send upstream
-add-debian-platform.diff
-
 fix-pykerberos-api.diff
 fix-match-hostname.diff
+add-debian-platform.diff

debian/rules

@@ -59,9 +59,6 @@ ifneq ($(ONLY_CLIENT), 1)
 #	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR)
 	cd ..
 
-	mkdir -p $(DESTDIR)/etc/bash_completion.d
-	install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/etc/bash_completion.d/ipa
-
 	chmod 755 $(DESTDIR)/usr/lib/*/ipa/certmonger/*
 
 	rm -f $(DESTDIR)/usr/share/ipa/ui/js/dojo/dojo.js \
@@ -70,6 +67,19 @@ ifneq ($(ONLY_CLIENT), 1)
 	ln -s /usr/share/javascript/jquery/jquery.js $(DESTDIR)/usr/share/ipa/ui/js/libs/jquery.js
 
 	mkdir -m 700 $(DESTDIR)/var/lib/ipa/backup
+
+	mkdir -p $(DESTDIR)/etc/apache2/conf-enabled \
+		 $(DESTDIR)/etc/bash_completion.d \
+		 $(DESTDIR)/etc/default \
+		 $(DESTDIR)/usr/share/ipa/html
+	touch $(DESTDIR)/etc/apache2/conf-enabled/ipa.conf
+	touch $(DESTDIR)/etc/apache2/conf-enabled/ipa-pki-proxy.conf
+	touch $(DESTDIR)/etc/apache2/conf-enabled/ipa-rewrite.conf
+	touch $(DESTDIR)/usr/share/ipa/html/krb5.ini
+	install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/etc/bash_completion.d/ipa
+	install -m 0755 init/ipa_memcached.conf $(DESTDIR)/etc/default/ipa-memcached
+	install -m 0644 init/systemd/ipa_memcached.service $(DESTDIR)/lib/systemd/system
+	install -m 0644 init/systemd/ipa.service $(DESTDIR)/lib/systemd/system
 else
 	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no client-install DESTDIR=$(DESTDIR)
 endif
@@ -85,4 +95,4 @@ override_dh_install:
 	dh_install --fail-missing
 
 %:
-	dh $@ --with autoreconf,python2
+	dh $@ --with autoreconf,python2,systemd