doc/system_repository.txt
author Brock Pytlik <brock.pytlik@oracle.com>
Wed, 27 Apr 2011 20:30:32 -0700
changeset 2310 ce10607d5332
child 2448 2a649d8c190d
permissions -rw-r--r--
11684 desire option to not propagate certs to non-global zones
17522 system repository should provide basic functionality
17523 Need a functioning sysdepo
17524 system depot should auto generate its configuration based on system image
17525 system depot should respond to versions/0
17526 system depot should provide publisher configuration
17527 caching should be enabled for system depot
17528 system depot should proxy http repositories
17529 system depot should proxy https repositories
17530 pkg client needs to be aware of the system repository
17531 pkg needs to cache system publisher information
17532 pkg should retrieve publisher information from the system repository when configured
17533 pkg needs to use the system repository as a proxy for http repositories
17534 pkg needs to use the system repository as a proxy for https repositories
17535 need an image property to indicate whether to use the system repository
17536 an image shouldn't require any configured publishers
17537 notion of preferred publisher should be removed
17538 pkg should be able to merge system publisher info with locally configured publishers
17539 pkg should notify that users cannot modify system publishers in certain ways
17540 pkg publisher needs to be updated to include information about system publishers
17541 pkg will need a way to specify alternate system repository urls
17547 file repositories need to be proxied by the system repository
17594 pkg set-publisher in GZ should refresh sysdepo service
17604 converting an imageconfig object to a string causes an infinite loop
17847 pkg set-publisher shouldn't allow -P along with --search-*
17911 pkg image-create should allow an image to be created without a publisher
18200 need a manpage for the sysrepo service

System Repository and Publishers

Introduction:

Linked images, and zones in particular, must keep certain packages
in sync with the global zone in order to be functional. The global zone will
constrain packages within the non-global zones and configure special publishers
in the non-global zone (NGZ). These publishers (henceforth called system
publishers) are special because the non-global zone cannot make certain kinds of
modifications to them. Among the forbidden operations for the non-global zone on
the system publishers are deleting, disabling, removing or replacing origins
provided by the system repository, and any other operations which might prevent
the solver from meeting the constraints imposed by the constraint package. The
global zone must provide the means for the non-global zone to configure itself
with system publishers by providing information like origins. The global zone
also has to provide a connection to the system publishers' repositories which is
available even in a scratch zone.


The Data path:

The pkg client in the NGZ uses the system repository in the global zone as a
proxy to the system publishers.  To ensure that a communication path between the
pkg client in the NGZ and the system repository in the global zone always
exists, the zone proxy client and the zone proxy daemon were created.

The zone proxy client runs in the NGZ. When started, it creates a socket which
listens on an inet port on 127.0.0.1 in the NGZ. It passes the file descriptor
for this socket to the zone proxy daemon in the global zone via a door call. The
zone proxy daemon listens for connections on the file descriptor. When the zone
proxy daemon receives a connection, it proxies the connection to the system
depot.  The system depot is an Apache instance running in the global zone which
provides connectivity to and configuration of publishers.

The system depot acts as a proxy for the http and https repositories for
the publishers it provides.  When proxying to https repositories, it uses the
keys and certificates in the global zone to identify itself and verify the
server's identity.  It also provides an http interface to the file repositories
for the publishers it provides as well as serving publisher and image
configuration via the syspub/0 response.


Configuration:

The syspub/0 response is a p5s file.  The p5s file contains publisher
configuration and image configuration.  Currently, the only image configuration
it contains is the publisher search order for the provided publishers, but other
information may be added to the response as needed.  In addition to the basic
collection of publisher information, the p5s file also contains a list of urls
which the pkg client should proxy to via the system depot instead of contacting
them directly.  When creating a p5s file, the urls for origins and mirrors can
be transformed.  HTTPS urls are transformed to HTTP urls since the system depot
will be doing the SSL communication, not the pkg client.  File urls are
transformed into HTTP urls with a special format.  The urls contain the special
token "<sysrepo>" which the p5s parser knows to replace with the url of the zone
proxy client.  The rest of the url contains the prefix of the publisher, then
the sha1 hash of the global zone path to the file repository.
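The url rewriting described above, as an added illustration in Python (pkg's own language) that is not code from the pkg project: the generator side rewrites https and file origins, and the NGZ side swaps "<sysrepo>" for the zone proxy client's loopback address. The p5s dictionary layout, the hex encoding of the sha1, the "http://<sysrepo>/<prefix>/<sha1>" path layout and the rule for which urls land in the proxied list are assumptions.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Token written by the p5s generator in the global zone; the NGZ-side parser
# replaces it with the zone proxy client's loopback address.
SYSREPO_TOKEN = "<sysrepo>"


def gz_path_digest(gz_path):
    """sha1 of the global zone path of a file repository (hex is assumed)."""
    return hashlib.sha1(gz_path.encode("utf-8")).hexdigest()


def transform_origin(url, prefix):
    """Rewrite one origin or mirror url for the p5s file.

    https -> http : the system depot does the SSL with the global zone's
                    keys and certs, so the NGZ client never needs them.
    file  -> http://<sysrepo>/<prefix>/<sha1(GZ path)> : served by the
                    depot's http interface (path layout is an assumption).
    http  -> unchanged; it is still reached through the depot.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return urlunsplit(("http",) + tuple(parts[1:]))
    if parts.scheme == "file":
        return "http://%s/%s/%s" % (SYSREPO_TOKEN, prefix,
                                   gz_path_digest(parts.path))
    if parts.scheme == "http":
        return url
    raise ValueError("unsupported origin scheme: %r" % parts.scheme)


def publisher_entry(prefix, origins, mirrors=()):
    """Assumed p5s shape: rewritten repository urls plus the list of urls the
    NGZ client must proxy via the system depot instead of contacting directly
    (urls already pointing at <sysrepo> need no separate proxy entry)."""
    rewritten = {
        "origins": [transform_origin(u, prefix) for u in origins],
        "mirrors": [transform_origin(u, prefix) for u in mirrors],
    }
    proxied = [u for u in rewritten["origins"] + rewritten["mirrors"]
               if SYSREPO_TOKEN not in u]
    return {"name": prefix, "repository": rewritten, "proxied_urls": proxied}


def resolve_sysrepo(url, proxy_port, proxy_host="127.0.0.1"):
    """NGZ side: point the url at the zone proxy client's loopback socket."""
    return url.replace(SYSREPO_TOKEN, "%s:%d" % (proxy_host, proxy_port))
```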

The information for the syspub/0 response comes from the global zone's image's
configuration.  The pkg/sysrepo service is responsible for transforming the image
configuration into an Apache configuration file and causing the system depot to
reread its configuration.  The global zone pkg client restarts the pkg/sysrepo
service whenever the image's publisher configuration changes.