Originally we decided that the Moonshot software would be installed in
/opt/moonshot on CentOS rather than in /usr, where it would be if it were
native CentOS packages.
There are some problems with doing this.
The most serious is that the Moonshot UI doesn't work either for
graphical logins or in headless mode for servers.
This is because the UI assumes that it will be connected into the
operating system's session dbus infrastructure.
However, since Moonshot is installed in its own directory tree, the OS
cannot find it.
In addition, in order to use Moonshot with an application, that
application has to be rebuilt.
That's undesirable because it means you cannot use Moonshot with
packaged software.
It also means that the packaging work we're doing will not move us
closer to integrating Moonshot into Fedora.
One of the main reasons we made that decision was that we ended up
needing our own build of Kerberos. The system Kerberos was too old.
That's no longer true. We can easily use the CentOS Kerberos, which is
in fact now newer than what we build.
Most of the Moonshot software is not software that you'd typically find
on a system:
* Shibboleth
* Xerces-c
* xml-security-c
Also, it's very likely we could easily use (possibly with a small build
option change) the official Shibboleth packages at this point.
The Moonshot-specific bits (libradsec, mech_eap, moonshot-ui and
trust-router) are things you'll only have if you are using Moonshot.
There are a few thorny bits.
The Moonshot-patched OpenSSH should remain in its own directory. That's
easy to do.
I'm not entirely sure what to do with FreeRADIUS. I think it's OK for it
to be in system directories because it's only required on RP proxies and
IdPs but not on normal servers or clients that happen to be using
Moonshot.
The real sticking point is libevent.
Unfortunately libradsec requires libevent 2.x. CentOS/RHEL ship with
libevent 1.x. They're not particularly compatible at the binary
level. So we definitely cannot replace the system library and we
definitely cannot use it.
I see a couple of possibilities:
1) Build a static libevent used only by libradsec. This will work fine
for Moonshot but would get in the way of anyone with more demanding
needs from libradsec.
2) Install libevent into /opt/moonshot and use it from there. This would
be kind of messy for anyone depending on libradsec who was not a plugin
loaded with RTLD_LOCAL. Fortunately, that's also fine for Moonshot.
So, thoughts? Would it be reasonable to get rid of /opt/moonshot and
install in system directories where we can?
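As an added example (not part of the message above, and not Moonshot project
code), here is a small POSIX sh audit helper for the libevent question. Fed the
output of `readelf -d` for a libradsec build (or any ELF object), it reports
whether the object depends on the system libevent 1.x, on a libevent 2.x found
only through a private RPATH/RUNPATH, on a libevent 2.x with no private rpath
(so it would resolve through the normal loader search path), or on no shared
libevent at all, as with the static option 1). The prefix /opt/moonshot/lib, the
function name and the sample listings are assumptions constructed for the
demonstration; the sonames used (libevent-1.4.so.2, libevent-2.0.so.5) are the
ones those libevent releases install.

```shell
# Added example: classify an ELF object's libevent dependency from the output
# of `readelf -d`. Not from the original message; /opt/moonshot/lib is assumed.
#
# Usage: readelf -d /opt/moonshot/lib/libradsec.so | audit_libevent
# Prints one of: none, system-1.x, private-2.x, unscoped-2.x
audit_libevent() {
    # Slurp the whole listing so it can be scanned more than once.
    input=$(cat)

    # Major version of the first libevent soname in a NEEDED entry, if any.
    # Matches "[libevent-1.4.so.2]", "[libevent-2.0.so.5]", "[libevent_core-2.1.so.6]" ...
    major=$(printf '%s\n' "$input" \
        | sed -n 's/.*(NEEDED).*\[libevent[a-z_]*-\([0-9]\)\.[^]]*\].*/\1/p' \
        | head -n 1)

    # Search path recorded in an RPATH or RUNPATH entry, if any.
    rpath=$(printf '%s\n' "$input" \
        | sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\([^]]*\)\].*/\2/p')

    case "$major" in
        "") echo none ;;            # no shared libevent: static build or unused
        1)  echo system-1.x ;;      # CentOS/RHEL libevent 1.x: wrong ABI for libradsec
        *)  case "$rpath" in        # libevent 2.x: is it scoped to the private prefix?
                */opt/moonshot/lib*) echo private-2.x ;;
                *)                   echo unscoped-2.x ;;
            esac ;;
    esac
}

# Constructed sample listings (abbreviated) in the format `readelf -d` prints.
SAMPLE_SYSTEM=' 0x0000000000000001 (NEEDED)             Shared library: [libevent-1.4.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_PRIVATE=' 0x0000000000000001 (NEEDED)             Shared library: [libevent-2.0.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/moonshot/lib]'
SAMPLE_UNSCOPED=' 0x0000000000000001 (NEEDED)             Shared library: [libevent-2.0.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_STATIC=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Demonstration over the constructed samples.
printf '%s\n' "$SAMPLE_SYSTEM"   | audit_libevent   # system-1.x
printf '%s\n' "$SAMPLE_PRIVATE"  | audit_libevent   # private-2.x
printf '%s\n' "$SAMPLE_UNSCOPED" | audit_libevent   # unscoped-2.x
printf '%s\n' "$SAMPLE_STATIC"   | audit_libevent   # none
```

Run it against real objects with `readelf -d <file> | audit_libevent` after a
build of libradsec (and of mech_eap and the trust-router, which link it) to
confirm that option 1) really produced "none" and that option 2) produced
"private-2.x" rather than "unscoped-2.x", the case where the 2.x copy in
/opt/moonshot would be found only if the loader's search path happened to
include it.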