[Opendnssec-user] CentOS RPM distribution

Ville Mattila vmattila at csc.fi
Thu Apr 15 12:47:25 UTC 2010


On Tue, 13 Apr 2010, Rachid Zarouali wrote:

> I do agree with you,
> but as far as I remember EPEL provides packages that do not exist in RHEL5 official upstream.

EPEL is even more strict:  From EPEL FAQ [1]:
"Does EPEL replace packages provided within Red Hat Enterprise Linux
or layered products?

No. EPEL is purely a complimentary repository that provide add-on

[1] http://fedoraproject.org/wiki/EPEL/FAQ#Does_EPEL_replace_packages_provided_within_Red_Hat_Enterprise_Linux_or_layered_products.3F

> We are using sqlite 3.4.2, and rpm and all sqlite-aware apps are working perfectly :-)
> If you want to keep the official sqlite and install the 3.4.2 version it would need more work on both sides.
> For sqlite you will need to install in separate directories. create binary with version ....
> For opendnssec you will need to link it to the sqlite version you have built.
> ....
> I see two options:
> 1°) chroot opendnssec and all of its dependencies

Interesting option.  There must exist some tools for automating chroot
initialization from RPM preinstall scriptlets etc?

> 2°) static link between opendnssec and sqlite 3.4.2

Well I did this.  The packages are available here:
(signed with my key EA8840E6 available from
http://staff.csc.fi/vmattila/ and public keyservers)

You can make your own conclusions on the quality of the hacks required
for static linking.  The packages seem to work but I doubt no EPEL
package maintainer would ever accept them..

There are some other enhancements wrt the
opendnssec-1.0.0/contrib/opendnssec.spec, too.  Could they be considered
for inclusion there?  Changelog below:

* Thu Apr 15 2010 Ville Mattila <vmattila at csc.fi> - 1.0.0-4
- sqlite3 tool is used by ods-ksmutil, thus include it in the package
   as $libexecdir/opendnssec/sqlite3 (statically linked, patch #201)

* Tue Apr 13 2010 Ville Mattila <vmattila at csc.fi> - 1.0.0-3
- Fix for conditional installation of configuration files (patch #3)
- Workaround SQLite version dependency problem for RHEL/CentOS 5 builds
   with 'rpmbuild --with static_sqlite' flag to build and install
   sqlite-3.6.20 into a temporary location and statically link the
   into enforcer daemon and ods-ksmutil.

* Mon Apr 12 2010 Ville Mattila <vmattila at csc.fi> - 1.0.0-2
- Update to 1.0.0.
- Updates to Requires: and BuildRequires: definitions
- Move headers and libhsm.so into separate package opendnssec-devel.
- Use /var/lib/opendnssec instead of /var/opendnssec (FHS / Fedora EPEL
   compliance, stolen patch #0 from Debian/Ubuntu package by Ondřej
- Changes to default config (copied from Debian/Ubuntu packaging):
   + conf.xml: Make enforcer and signer run as user opendnssec
     config has <Privileges> commented out, thus daemons would be started
     as root).
   + conf.xml: Comment out <Repository name="softHSM">
   + signconf.xml: Comment out <Zone name="opendnssec.org">
- Create opendnssec user account and group in %pre if they don't exist
   (otherwise RPM would make root:root the owner of /var/lib/opendnssec).
- Add chkconfig: and description: tags in tools/ods-control.in to make
   it chkconfig(8) compliant.
- Run 'chkconfig --add ods-control' and 'chkconfig --del ods-control'
   when installing (rpm -i) and removing (rpm -e) the package, not when
   upgrading (rpm -U).
- Assign /etc/opendnssec and the config files to root:opendnssec with
   umask 007 instead (I think it's best not to give anyone but root
   write access anywhere in /etc).
- Use config(noreplace) protection for configuration files.
- Explicitly define the directories for libraries in
   config validation schemas in /usr/share/opendnssec etc.
- Remove /usr/share/opendnssec.spec from the package.
- Ditch the *.la files.
- Plus some other minor cleanups.
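
The account-creation, chkconfig and config-ownership items from the 1.0.0-2 changelog above, sketched as an RPM spec fragment. This is an added example, not the spec of the posted packages or contrib/opendnssec.spec; the file modes, the account's shell and comment field, and the Requires lines are assumptions.

```spec
# Added illustration only; paths and modes marked "assumption" are not from the post.
Requires(pre):   shadow-utils
Requires(post):  chkconfig
Requires(preun): chkconfig

%pre
# Create the service account before the payload is unpacked, so that
# %files ownership resolves to opendnssec instead of falling back to root:root.
getent group opendnssec >/dev/null || groupadd -r opendnssec
getent passwd opendnssec >/dev/null || \
    useradd -r -g opendnssec -d /var/lib/opendnssec -s /sbin/nologin \
            -c "OpenDNSSEC daemons" opendnssec
exit 0

%post
# In %post, $1 is the number of instances of the package present after
# the transaction: 1 = first install (rpm -i), 2 or more = upgrade (rpm -U).
if [ "$1" -eq 1 ]; then
    /sbin/chkconfig --add ods-control
fi

%preun
# In %preun, $1 = 0 means final removal (rpm -e); 1 means an upgrade,
# where the new version's init script registration must be kept.
if [ "$1" -eq 0 ]; then
    /sbin/chkconfig --del ods-control
fi

%files
%defattr(-,root,root,-)
# Assumption: modes follow the stated intent that only root writes under
# /etc, the opendnssec group can read, and other users get no access.
%dir %attr(0750,root,opendnssec) %{_sysconfdir}/opendnssec
# noreplace: on upgrade a locally edited file is kept and the packaged
# default is written alongside it as conf.xml.rpmnew.
%config(noreplace) %attr(0640,root,opendnssec) %{_sysconfdir}/opendnssec/conf.xml
# State directory owned by the unprivileged account (mode is an assumption).
%dir %attr(0750,opendnssec,opendnssec) %{_localstatedir}/lib/opendnssec
```

After installation, `rpm -q --scripts opendnssec` shows the scriptlets that will run and `rpm -qlv opendnssec` shows the packaged owner, group and mode of each file.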
