[Kolab-devel] Debian Packages for Kolab

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Thu Oct 24 22:28:17 CEST 2013


On 2013-10-24 14:20, Paul Boddie wrote:
> Hello,
> 
> I recently shared some thoughts on the Kolab packages with Torsten 
> Grote and
> Hugo Roy (and also in a blog article), and I thought I should post some 
> of
> them here for further discussion.
> 

Hi Paul,

thanks for providing your thanks and feedback, it is much appreciated. 
Please find some of my thoughts and comments inline.

> First of all, credit is due to Paul Klos for getting the packages into 
> a form
> that allowed me (and others) to try them out. I doubt that I would have 
> been
> so motivated to try Kolab if the software hadn't been available in 
> packaged
> form.
> 

Agreed, many kudos go out to Paul Klos.

Rest assured, we bought him dinner (very "gezellig" BTW), and I don't 
think he's going to need to pay for any beers during FOSDEM ;-)

> The setup-kolab script should be integrated into package 
> post-installation
> and/or be robust enough to be run several times in potentially 
> different ways.
> Consider the scripts provided with PostgreSQL on Debian for doing
> administration, for example: https://wiki.debian.org/PostgreSql
> 

Firstly, we have to acknowledge where "setup-kolab", the beast that it 
currently is, has come from.

In the days this utility was authored (I myself was and still am the 
author/maintainer), an entirely refactored stack for Kolab became 
available, driven by Kolab Systems itself (as an investment) as well as 
customers whom had gladly paid for the costs of Kolab Systems setting it 
all up for them otherwise (i.e., no "setup-kolab" was required from a 
commercial perspective, and in fact a "setup-kolab" bites chunks off of 
our revenue).

But, for us to be able to finally declare the OpenPKG distribution 
method to be obsolete (it occupied a lot of our corporate resources in 
those days), the community has obviously needed some assistance in 
setting up Kolab -- if not simply for the sense of being able to provide 
some set of similar features in setting up Kolab, like there was with 
the OpenPKG distribution method).

This spawned the need for (at least) a one-shot setup utility, which is 
the "setup-kolab" you are looking at today.

It's far from perfect, both in its level of applicability to various 
use-cases as well as deployment scenarios, and far from perfect in its 
current code model(ling) (perhaps).

> In other words, setup-kolab shouldn't be a "one shot" program which 
> doesn't
> like being run again, or where it isn't clear what it does if it is run 
> again.
> Although an all-in-one approach to setting stuff up can be beneficial, 
> I think
> it needs to be complemented by approaches that allow people to keep 
> their
> existing configuration. Maybe setup-kolab does this, but I didn't get 
> this
> impression. (I also wonder if a choice of sensible defaults might 
> reduce the
> need for setup-kolab, but I accept that various policy matters have to 
> be
> specified somewhere, and so setup-kolab may not be completely 
> redundant.)
> 

Now, "setup-kolab" is far from perfect in many regards, but it has 
always aimed to only touch the system settings that Kolab Groupware (the 
solution) would actually care about. Proof is in the fact, for example, 
that you can provide any /etc/postfix/main.cf and find only those 
settings changed that bear relevance for Kolab. In this regard, we 
intend to do preserve existing configuration to whatever extent possible 
-- improvements notwithstanding, of course.

There are few parts where "only touching the settings it cares about" 
are simply not feasible;

   - Augeas (the technology of choice here) does not support the level of 
complexity for Roundcube configuration,

   - Augeas does not support headerless .ini files (for example, 
/etc/imapd.conf),

   - Agueas is sometimes too outdated to provide the features we would 
otherwise use,

   - there are one or two more I can't remember from the top of my head 
right now.

As you have mentioned, the areas that "setup-kolab" right now does not 
serve as well, as it possibly could or even should, are;

   - it does not yet quite perfectly well set up a Kolab Groupware server 
in an existing infrastructure, where you may already have a central 
authentication, authorization and user/group information database (like 
LDAP), a database server (be it MySQL, or PostGres),

   - similarly, it really, really wants to use LDAP, and sets up the rest 
of all of it to do the same. As such, it sets you up without the CAS, 
Kerberos, etc.

   - it does not "check" the current system before actually going about 
trying to set anything up, and this problem is two-fold;

     - it doesn't recognize a previous setup-kolab job having failed 
mid-way, nor
     - does it check or recognize (for example) /dev/shm not being 
available with the right permissions.

   - it also doesn't manage, or even offers to manage, SSL/TLS related 
stuff,

   - it also doesn't manage, or even offers to manage, firewalling 
related stuff,

   - it also doesn't recognize a particular node that "setup-kolab" is 
being run on may have only a limited set of roles (such as, "this is an 
LDAP server").

These, among other things, are items that the openSUSE supporters of 
Kolab have circumvented with scripts to be executed prior to running 
"setup-kolab". It is our intention to facilitate them in bringing these 
nifty things back upstream, while bearing in mind that we do ship for 7 
entirely different Linux and GNU/Linux distributions.

> The authentication aspects of Kolab might be better supported using 
> things
> other than passwords where appropriate. I imagine that this can be 
> tricky for
> the Web applications, but for server-side tasks where the administrator 
> has
> root already (and can therefore read and write various configuration 
> files),
> having key-based logins (or even trust-based logins) might be cleaner 
> than
> having passwords in configuration files. Looking at Debian packages 
> with
> similar application architectures might be informative.
> 
> On this front, I aim to look a bit more at the other groupware systems
> provided by Debian [*] such as Citadel, SOGo and OpenChange. Other 
> kinds of
> systems are also relevant here because managing credentials is a 
> widespread
> problem. Suggestions are appreciated!
> 

Firstly, I have to say that Kolab is not at all locked in with 389 
Directory Server.

It may seem that way because a default "yum install kolab" or "aptitude 
install kolab" includes 389 DS, and there are reasons to do so, as I can 
list reasons why 389 DS is far superior to, say, OpenLDAP in 99% of 
deployment cases, but any such argument is moot, irrelevant and futile.

I have absolutely zero objections against abstracting the Debian and/or 
Ubuntu packages in such a way that in no way does an "aptitude install 
kolab" pull in 389 DS, as long as at least the equivalent of the current 
"setup-kolab" can be made to do the same it does with 389 DS today, but 
with OpenLDAP (or whichever).

> [*] https://wiki.debian.org/Groupware
> 
> It's a bit unfortunate that Kolab prefers 389 to other LDAP servers and 
> has
> preferences for other things that effectively make those things 
> unsupported.

When you say "other LDAP servers", I cannot but be very curious about 
what it is you regret about 389 DS, and prefer in other LDAP servers, as 
well as what LDAP servers are included with "other LDAP servers" 
exactly.

We actually support a wide variety of LDAP server technologies, 
including all the way back to Sun DS versions declared EOL, as well as 
OpenLDAP, Novell eDirectory and M$ Active Directory.

We also support a  wide variety of authentication databases and 
protocols, among which (preferably) FreeIPA, plain old Kerberos, (H)OTP, 
*SQL, plaintext databases, PAM -- it's just not something a 
"setup-kolab" has been made responsible for achieving.

> I imagine it could take a lot of work to support everything that could
> potentially support Kolab, but having seen issues with Exim and 
> Postfix, it
> might be nice to allow existing choices to be respected (and also not 
> require
> people to start from scratch).

I don't understand how switching an MTA from "foo" to "bar" in order to 
deploy a rather well featured Groupware environment is necessarily 
invoking people to "start from scratch", but I sure appreciate that 
Kolab should "Just Work(TM)" equally well with sendmail, exim, qmail or 
whatever else may already be on a system.

That said, the package management becomes a problem. Should I only 
require an MTA, then features for Kolab that we do not provide Exim 
integration with / for basically would mean that *ALL* "aptitude install 
kolab" deployments would lack those features, since Exim is the default 
for Debian -- regardless of whether the system was or was not some sort 
of mail server before running "setup-kolab".

> There shouldn't be any reason why installing
> Kolab wouldn't be adding the "icing to the cake" provided by 
> already-installed
> mail, IMAP and LDAP infrastructure, in other words adding the extra 
> facilities
> of Kolab, even if one might insist that only new "instances" (of 
> mailboxes,
> databases and so on) or migrated ones would be usable by Kolab.
> 

I've done this sort of exercise many, many times before, and they are 
likely to be a large part of my (and my colleague's) agenda for quite 
some while to come. Bearing in mind that it lacks the publicly 
documented HOWTO you might be looking for, it is (even with such HOWTOs) 
also rather complex to automate.

We DON'T require Cyrus IMAP, nor 389 DS, nor the apache webserver, nor 
MySQL.

This is *solely* what happens if you simply "aptitude install kolab" - 
the one entirely empty meta-package *solely* intended for the 
installation of a default Kolab Groupware stack on what is probably 
otherwise an unoccupied system.

Please note that *NONE* of the actual Kolab Groupware software 
components installed require another functional component to be of a 
particular type of technology (bugs in packaging notwithstanding). For 
example, 'kolab-server' does not require 'kolab-ldap' nor '389-ds', and 
in fact it requires no '*ldap*' thing or technology whatsoever.

Other issues (you may find pull in dependencies you were not expecting) 
are PHP lacking support for the getEffectiveRights LDAP controls 
extensions, pulling in Mozilla LDAP tools.

> Again, the other groupware packages may support choices of 
> dependencies, and
> it will be interesting to see how they manage this. For example, the 
> citadel-
> server package configuration mentions the following:
> 
> Suggests: postfix | exim4 | citadel-mta | mail-transport-agent
> 
> Of course, actually supporting multiple dependency options may require 
> more
> work because it's unlikely that all these things work in the same way 
> and will
> thus need explicit support in Kolab.
> 

This is work that, I have to admit, Kolab Systems does either for 
customers, or because it would enhance the entire groupware solution as 
a whole.

We do not actively seek integration with exim4, nor qmail, nor sendmail, 
for as far as we are concerned, there is no reason to do so.

Other than that, community's preferences (which I have to say are very 
valid(!), in their own merits(!), while I'm also saying you cannot 
expect us to do that for you[1]), are the community's to work on and try 
to implement.

[1] https://kolab.org/blog/grote/2013/10/23/call-participation

Frankly, with all due respect, Kolab Systems -- Ye Vendor and by far, 
far and away the largest contributor to all components that make up 
Kolab Groupware, including the packaging, including those you have for 
Debian/Ubuntu systems -- is actually looking more in to feature 
enhancements that go a little beyond whether or not Dovecot or Exim may 
be installed on anyone's given system. Just to name a few;

   - Instant Messaging,
   - Voice and Video (Conferencing),
   - Properly(!) implemented web-client decryption and signing of 
communications,
   - Relations between email threads, files, tasks, events and notes 
(which may get you to "Project Management").

These are chunks of effort a community (member) cannot (typically) 
afford to substantially contribute to, and therefore require the full 
attention of a custodian, a guardian, like Kolab Systems.

> Finally, I wonder whether targeting "sid" (unstable) rather than 
> "wheezy"
> (stable) isn't best for packaging work given that the Debian packaging
> community usually prefers this, and also things like the 389 packages 
> are
> already in "sid" but must presumably be backported to "wheezy" to 
> provide
> Kolab packages. Naturally, backported packages can be made available as 
> a
> consequence of the main packaging effort.
> 

For package integration, somebody (sunweaver, you know who you are), has 
already made valuable suggestions to the packaging that we do, and it 
might indeed be better to target Sid.

However, up and until now we target systems that might feasibly run 
actual Kolab Groupware deployments in real life (like we don't target 
Fedora Rawhide).

> Any comments on the above?
> 

Your feedback is very, very much appreciated.

Your thoughts are along the exact same lines of where ultimately I would 
like to see pykolab's "setup-kolab", but other things as well[2], end 
up, as well as where other people, elsewhere, have already been 
scripting some stuff[3].

[2] https://lists.kolab.org/pipermail/devel/2012-March/013280.html
[3] 
https://build.opensuse.org/package/show/server:Kolab:UNSTABLE/kolab-scripts

I'm a strong fan of multiple people collaborating to achieve the same or 
similar goals -- in over a decade of Free Software contributions, I have 
yet to actually decline a patch submitted to me, and I have yet to 
disallow SCM commit privileges to anyone who requested them.

To me, "no" is an invalid answer, but I believe "how?" is a valid 
question in return. It is about consensus about what your goals are, and 
matching those with my goals and other people's goals, in some way - 
possibly a difficult process in and by itself.

I think to achieve our goals in these cases, for "setup-kolab" and 
friends alike, we have to address the following;

   - What is the flow we would like to see "setup-kolab" complete?

     I'm thinking there's the obvious answer file seeding the dialog's 
answers, but perhaps also;

       - a check on the current system status (software available, etc.) 
in order to determine what individual components need to be set up for 
Kolab, possibly including the establishment of what roles this node may 
fulfill given that certain software may or may not be installed on the 
current system.

   - What can we do in each of the steps in such a flow, modeling what 
happens in the next step(s) of the flow?

     I.e. detect a previous run of setup-kolab (perhaps having failed) 
rolling forward (re-attempting) what else it needed to do, or

     I.e. replace and/or amend/extend "setup_mta" with more specific 
"setup_postfix" and "setup_sendmail", each of which to be executed only 
when appropriate.

   - etc., etc., (...)

If we could work together on at least defining what "setup-kolab" should 
actually be like, then I'm fairly confident we can also achieve that 
(I'm a pretty decent hacker after all, if I may say so myself). If we 
can't work together however, it is unlikely to ever happen.

Yours sincerely,

Kind regards,

Jeroen van Meeuwen

-- 
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08


More information about the devel mailing list