Re: [Pki-devel] [PATCH] 0042 Upgrade: add scriptlet to add profile schema
On 6/18/2015 4:31 AM, Fraser Tweedale wrote:
Attached patch adds upgrade scriptlet to add the certprofile schema.
This must be in the next build.
Side note: future cleanup should probably now remove the profiles
attributeTypes and objectClass from the main schema.ldif, and the
install script updated to import all the various schema files. This
should make schema updates easier to do, and hard to forget! in the
future.
Thanks,
Fraser
One issue, all upgrade scripts must be idempotent, so the script should
either check before modifying each item, or ignore failures of each
modification (I think ldapmodify has a -c option). This is necessary
because the script may need to run again, and also it's needed by
replica to avoid conflicts with changes coming from master.
There are several restrictions imposed by the simultaneous database &
package upgrade which should be document somewhere, and this applies to
both standalone Dogtag and IPA:
1. The all DS replicas must be running when the package is installed,
otherwise the upgrade will fail.
2. The upgrade must be done one server at a time, and the changes must
be completely replicated before upgrading another replica, otherwise the
changes might collide.
3. The changes must be backward compatible, otherwise replicas that have
not been upgraded yet may have a problem.
4. Changes to the database/configuration in all replicas should be
limited or prevented until all replicas are upgraded, otherwise it may
cause inconsistencies.
5. If nuxwdog is enabled, the password.conf may not exist. The
password.conf must be restored at least temporarily, otherwise the
upgrade will fail.
6. Upgrade failures may not be known immediately unless the admin checks
the upgrade log, or discovers that some functionalities are not working.
7. It's not possible to dry-run database upgrade. Depending on the
changes, it may not be possible to revert database changes. The admin
should be advised to create a backup before upgrade.
8. The admin should be careful with yum/dnf updates since it could
trigger unplanned upgrade.
If the one issue above is fixed, and these restrictions are acceptable,
it's ACKed.
In the next update I suggest we move all schema files into
/usr/share/pki/server/schema.
Just a note, with a post-install database upgrade these restrictions may
not exist or can be handled in a better way. If possible we might want
to support both mechanisms: simultaneous upgrade for IPA or for certain
scenarios, and post-install upgrade for Dogtag in general.
--
Endi S. Dewata