From jerry at opendnssec.org Wed Feb 1 14:37:27 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 1 Feb 2012 15:37:27 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends Message-ID: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> Hi, In our new Enforcer we will have the possibility to have different database backends compiled in at the same time or selected with configure. We would like your feedback on this as package maintainers, what you would like and maybe how other software handle this. If its selected at configure time we would have different packages depending on what database backend the user whats to use (opendnssec-enforcer-sqlite | opendnssec-enforcer-mysql). I know this can be a bit of a problem on some distributions since their package management software does not allow the package to ask questions. If we go by compiling in all the different supported backends we would just have one package but that package would have a lot more dependencies, for all the different backends. Today its just SQLite and MySQL but there may be more in the future, and even if libmysqlclient is relative small the question still arises -"Why install something you don't use?". Cheers, Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From ondrej at sury.org Wed Feb 1 14:49:33 2012 From: ondrej at sury.org (=?UTF-8?B?T25kxZllaiBTdXLDvQ==?=) Date: Wed, 1 Feb 2012 15:49:33 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> Message-ID: On Wed, Feb 1, 2012 at 15:37, Jerry Lundstr?m wrote: > Hi, > > In our new Enforcer we will have the possibility to have different database backends compiled in at the same time or selected with configure. > > We would like your feedback on this as package maintainers, what you would like and maybe how other software handle this. > > If its selected at configure time we would have different packages depending on what database backend the user whats to use (opendnssec-enforcer-sqlite | opendnssec-enforcer-mysql). I know this can be a bit of a problem on some distributions since their package management software does not allow the package to ask questions. That's the way Debian package is currently compiled. > If we go by compiling in all the different supported backends we would just have one package but that package would have a lot more dependencies, for all the different backends. Today its just SQLite and MySQL but there may be more in the future, and even if libmysqlclient is relative small the question still arises -"Why install something you don't use?". Ideally this would create plugins (.so) which can be dlopen()ed at runtime and you will not have to install all possible libraries. Or just keep the posibility to compile just one backend at the time and I'll handle that in my packaging scripts. O. -- ?Ond?ej Sur? From jaap at NLnetLabs.nl Wed Feb 1 15:03:03 2012 From: jaap at NLnetLabs.nl (Jaap Akkerhuis) Date: Wed, 01 Feb 2012 16:03:03 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> Message-ID: <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> Ideally this would create plugins (.so) which can be dlopen()ed at runtime and you will not have to install all possible libraries. But you still have to choose which one to install. Or just keep the posibility to compile just one backend at the time and I'll handle that in my packaging scripts. My preference wil be the last as well. It is a simple method and also straightforward for the user. jaap From ondrej at sury.org Wed Feb 1 15:05:24 2012 From: ondrej at sury.org (=?UTF-8?B?T25kxZllaiBTdXLDvQ==?=) Date: Wed, 1 Feb 2012 16:05:24 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> Message-ID: On Wed, Feb 1, 2012 at 16:03, Jaap Akkerhuis wrote: > > ? ?Ideally this would create plugins (.so) which can be dlopen()ed at > ? ?runtime and you will not have to install all possible libraries. > > But you still have to choose which one to install. Yes, that was my way of saying - don't compile everything in one big bundle which cannot be separated. People will bitch about it :). O. -- ?Ond?ej Sur? From jerry at opendnssec.org Thu Feb 2 11:22:18 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Thu, 2 Feb 2012 12:22:18 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> Message-ID: <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> On Feb 1, 2012, at 16:05 , Ond?ej Sur? wrote: > Yes, that was my way of saying - don't compile everything in one big > bundle which cannot be separated. People will bitch about it :). How about this: - If compiled without specifying database backend, use any/all backends found - If compiled with database backend specified, use only that or die if not found - If no database backend is found, die -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Wed Feb 8 08:02:55 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Feb 2012 09:02:55 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> Message-ID: On Thu, Feb 2, 2012 at 12:22 PM, Jerry Lundstr?m wrote: > > How about this: > - If compiled without specifying database backend, use any/all backends found > - If compiled with database backend specified, use only that or die if not found > - If no database backend is found, die Any thoughts about this suggestion? /Jerry From ondrej at sury.org Wed Feb 8 08:04:23 2012 From: ondrej at sury.org (=?UTF-8?B?T25kxZllaiBTdXLDvQ==?=) Date: Wed, 8 Feb 2012 09:04:23 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> Message-ID: On Wed, Feb 8, 2012 at 09:02, Jerry Lundstr?m wrote: > On Thu, Feb 2, 2012 at 12:22 PM, Jerry Lundstr?m wrote: >> >> How about this: >> - If compiled without specifying database backend, use any/all backends found >> - If compiled with database backend specified, use only that or die if not found >> - If no database backend is found, die > > Any thoughts about this suggestion? I still think that plugin (dlopen()) system would be much better, but I am fine with this as well. O. -- ?Ond?ej Sur? From jerry at opendnssec.org Wed Feb 8 08:17:09 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Feb 2012 09:17:09 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> Message-ID: On Wed, Feb 8, 2012 at 9:04 AM, Ond?ej Sur? wrote: > > I still think that plugin (dlopen()) system would be much better, but > I am fine with this as well. Yes it would and it is something we will look at in the future. /Jerry From jaap at NLnetLabs.nl Wed Feb 8 09:26:40 2012 From: jaap at NLnetLabs.nl (Jaap Akkerhuis) Date: Wed, 08 Feb 2012 10:26:40 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> Message-ID: <201202080926.q189Qeds098107@bartok.nlnetlabs.nl> On Thu, Feb 2, 2012 at 12:22 PM, Jerry Lundstr?m wrote: > > How about this: > - If compiled without specifying database backend, use any/all backends found > - If compiled with database backend specified, use only that or die if not found > - If no database backend is found, die Any thoughts about this suggestion? I personally likes things to be more straigtforward and less dynamic. Here is a scenario: This pick the one you found might be a new way create problems, Suppose you have two back-ends available on the machine. One is used for production, the other for testing. One of the two is off-line for some reason. Someone updates the testing version of opendnssec, which one should it use? Whatever it fines or just the test version? Just a thought. jaap From jerry at opendnssec.org Wed Feb 8 09:29:59 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Feb 2012 10:29:59 +0100 Subject: [Opendnssec-maintainers] Packaging next generation Enforcer with different database backends In-Reply-To: <201202080926.q189Qeds098107@bartok.nlnetlabs.nl> References: <9BB9F88A-7FBE-4FB1-994A-2203E9AF880F@opendnssec.org> <201202011503.q11F33w6068396@bartok.nlnetlabs.nl> <0080B2C0-ECEE-45B4-BD78-ABB200037FBD@opendnssec.org> <201202080926.q189Qeds098107@bartok.nlnetlabs.nl> Message-ID: On Wed, Feb 8, 2012 at 10:26 AM, Jaap Akkerhuis wrote: > > I personally likes things to be more straigtforward and less dynamic. > > Here is a scenario: This pick the one you found might be a new way > create problems, Suppose you have two back-ends available on the > machine. One is used for production, the other for testing. One of > the two is off-line for some reason. Someone updates the testing > version of opendnssec, which one should it use? Whatever it fines > or just the test version? It will use the one you configure in conf.xml, there can only be one configured database backend. /Jerry From jerry at opendnssec.org Tue Feb 14 14:43:17 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Tue, 14 Feb 2012 15:43:17 +0100 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! Message-ID: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> Hi all, OpenDNSSEC 1.3.6 is around the corner, will be released today or tomorrow. * OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to reconnect if it is not valid. * OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of time, let worker wait with pushing sign operations until the queue is non-full. * Signer Engine: Adjust some log messages. Bugfixes: * ods-control: Wrong exit status if Enforcer was already running. * OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the help usage text. * OPENDNSSEC-207: Signer Engine: Fix communication from a process not attached to a shell. * OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing signed file to an intermediate file first. Cheers, Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Wed Feb 15 12:45:12 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 15 Feb 2012 13:45:12 +0100 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! In-Reply-To: <4F3BA5B7.3050102@redhat.com> References: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> <4F3BA5B7.3050102@redhat.com> Message-ID: On Feb 15, 2012, at 13:31 , Paul Wouters wrote: > Do you have a link to the package pre-release for testing? No, but you can check out the branch: http://svn.opendnssec.org/branches/OpenDNSSEC-1.3/ . -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jaap at NLnetLabs.nl Wed Feb 15 12:55:48 2012 From: jaap at NLnetLabs.nl (Jaap Akkerhuis) Date: Wed, 15 Feb 2012 13:55:48 +0100 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! In-Reply-To: References: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> <4F3BA5B7.3050102@redhat.com> Message-ID: <201202151255.q1FCtmBw025349@bartok.nlnetlabs.nl> > Do you have a link to the package pre-release for testing? No, but you can check out the branch: = http://svn.opendnssec.org/branches/OpenDNSSEC-1.3/ . That won't work for FreeBSD ports (and probably other systems). A FreeBSD port takes whatever the official distribution tarball (or whatever the form is) and then takes care of the system dependent parts. So for pre-release tests one wants to have a distribution release candidate tarbal. SOmething as close as possible to the final release. jaap From jakob at kirei.se Wed Feb 15 12:58:59 2012 From: jakob at kirei.se (Jakob Schlyter) Date: Wed, 15 Feb 2012 13:58:59 +0100 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! In-Reply-To: References: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> <4F3BA5B7.3050102@redhat.com> Message-ID: <6725E24F-30EC-4FF7-B436-D68F57E33E2E@kirei.se> On 15 feb 2012, at 13:45, Jerry Lundstr?m wrote: > On Feb 15, 2012, at 13:31 , Paul Wouters wrote: > >> Do you have a link to the package pre-release for testing? > > No, but you can check out the branch: http://svn.opendnssec.org/branches/OpenDNSSEC-1.3/ . I will bake and release a tar ball of 1.3.6 later today. jakob From jerry at opendnssec.org Fri Feb 17 14:13:18 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 17 Feb 2012 15:13:18 +0100 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! In-Reply-To: <6725E24F-30EC-4FF7-B436-D68F57E33E2E@kirei.se> References: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> <4F3BA5B7.3050102@redhat.com> <6725E24F-30EC-4FF7-B436-D68F57E33E2E@kirei.se> Message-ID: <96D5FCC0-F7CF-4FA4-BA37-21F755FDE61E@opendnssec.org> Hi, Tarball is up! http://www.opendnssec.org/files/source/opendnssec-1.3.6.tar.gz Cheers -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From pwouters at redhat.com Fri Feb 17 16:38:16 2012 From: pwouters at redhat.com (Paul Wouters) Date: Fri, 17 Feb 2012 11:38:16 -0500 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! In-Reply-To: <96D5FCC0-F7CF-4FA4-BA37-21F755FDE61E@opendnssec.org> References: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> <4F3BA5B7.3050102@redhat.com> <6725E24F-30EC-4FF7-B436-D68F57E33E2E@kirei.se> <96D5FCC0-F7CF-4FA4-BA37-21F755FDE61E@opendnssec.org> Message-ID: <4F3E8278.6070901@redhat.com> On 02/17/2012 09:13 AM, Jerry Lundstr?m wrote: > Hi, > > Tarball is up! > > http://www.opendnssec.org/files/source/opendnssec-1.3.6.tar.gz It works for me, that is as well as 1.3.4. It still fails pretty badly with the user/group and I had to sprinkle a+w permissions all over /var/opendnssec I am still converting to initscripts/systemd that does not use ods-control. Because on some systems (like an HSM master) you want to run the enforcerd, but not the signerd. So from a packager point of view, you have to go ahead. There is no regression I noticed. Paul From jerry at opendnssec.org Sat Feb 18 13:39:34 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Sat, 18 Feb 2012 14:39:34 +0100 Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.6 coming right up! In-Reply-To: <4F3E8278.6070901@redhat.com> References: <8060653B-D1B5-4ACA-9E48-B5719EAE0965@opendnssec.org> <4F3BA5B7.3050102@redhat.com> <6725E24F-30EC-4FF7-B436-D68F57E33E2E@kirei.se> <96D5FCC0-F7CF-4FA4-BA37-21F755FDE61E@opendnssec.org> <4F3E8278.6070901@redhat.com> Message-ID: Hi Paul, On Fri, Feb 17, 2012 at 5:38 PM, Paul Wouters wrote: > It still fails pretty badly with the user/group and I had to sprinkle > a+w permissions all over /var/opendnssec Could you please make an issue for this on https://issues.opendnssec.org as I suggested on the user list? /Jerry