Missing ipa-fas package

[rrotondo]

Unable to make ipa-server fully work with a self-service portal as noggin because ipa-fas package is missing.

[adelton]

If this is a reasonable functionality to have in a FreeIPA / IPA / IdM server, we should likely add it to all relevant Dockerfiles (where the package exists in the distribution).

However, I'm a bit worried about the implications and the way this behaves across multiple systems. What will happen if you have an IPA master which has the package / plugin installed, and you will add a replica which will not have it? Will the replication still work? Will it work but not propagate the extra attributes? And what if you add the plugin to the replica later -- will it get those extra attributes later? The https://github.com/fedora-infra/freeipa-fas says

The plugin must be installed on all FreeIPA servers, preferable before the server/replica is installed.

It is however not clear if this is "... to ensure full extra functionality provided by this plugin", or if even operations that don't use the extra schema attributes might be negatively affected if this requirement is not met.

We would also need to ensure the correct upgrade procedure:

Installation requires a server upgrade ipa-server-upgrade and restart of services ipactl restart. The post transaction hook of the RPM package takes care of both. A server upgrade can take a while and can disrupt normal operations on the machine. It is advised to serialize the operation and install the plugin on one server at a time.

In containers there is no post-transaction rpm hook to do it, so that is certainly a possible complication.

[abbra]

Anyone who wants to use additional packages needs to realize they have to maintain their own images. This is already a case for all other container images, so there is nothing different here.

With existing Github actions and other tools it is trivial to do automated rebuild and rebase on top of existing upstream image. I keep my custom Silverblue images, for example, this way -- standard Fedora images do not include packages needed for FreeIPA clients.

[adelton]

That is true but it is a question of baseline functionality, as well as risk.

We added EPN via https://github.com/freeipa/freeipa-container/pull/535 (for https://github.com/freeipa/freeipa-container/issues/527) so we have a precedent of adding small optional utilities.

OTOH, unlike freeipa-fas, freeipa-client-epn comes from the same src.rpm as the FreeIPA server, so there is a difference in the pedigree of the tool ...

[abbra]

Correct, freeipa-client-epn is exposing the same functionality that already is present in IPA. Not everyone needs freeipa-fas and noggin deployed. There are quite a few external plugins to IPA, it is best to have a custom image that is rolling over on top of this one to provide customized experience you'd need.

[adelton]

@rrotondo Per @abbra's recommendation, we tend to not want to carry *ipa-fas in this repository and images built from it.

But I'd be happy to help you get the rebase automation and image build set up, and if some refactoring of the GitHub Actions might be useful to achieve that easily, do that as well. Let us know if anything it needed for that.

[rrotondo]

Dear @adelton thank you for your support, I totally understand your concern. In the beginning I wanted to suggest a tag to be present on docker hub for those who need *ipa-fas but I didn't know how to put in a Dockerfile (I think tag cannot be defined there) to make the pull request. So I created a different dockerfile. In any case I've already provided my organisation with the custom image, and, as @abbra said, I'll take care of maintain it. Regards