Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

  • In V5 there is no install -nocopy so we need to unpack to a location in \ProgramData and run the installer from there

  • The rest of the user interface could stay the same (we use property driver installs)

    • I’d dearly like to dump all the AD stuff (which involves LDAP jiggery pokery)

  • What are we going to do about Jetty?

Jetty and Windows

It is important to note about the windows jetty

  1. There is exactly one user configurable file “idp.ini”. this contains the paths to access the keystores

  2. The assumption is that the user doesn’t care about jetty beyond “it has to be there” so optimal solutions do no matter

  3. We have always aimed for the “It kinda-works once the installation is done”. I think this is wrong and we should rely on explicit post install stages (after all the user is expected to put in a proper user facing cert).

The Installation

If the Windows Installer does install jetty it

  • Installs an unpacked jetty-home alongside the idp.

  • Install & configures Procrun (an apache projects to allow you to run java programs as daemons).

    • They keep threatendng to end of life it and assure people that there are much nice solutions (my particular favorite recommendation is the one that allows you to inject arbitrary shell scrips to be run at system startup because that's really safe and secure). Frankly if it is ever end of lifed it would be quicker to write the 200 lines of C to do it ourselves.

    • The only interesting thing here is that it does require that jetty not fork.

  • Installs a jetty-base inside the idp (as a peer to conf &c)

The Jetty base that is used in the installer comes from the same repo is built from an entirely different branch (“10-windows”) from the “11” branch (noting that the windows branch has been shown to work on jetty11 and jetty 10).

The substantive changes between the “11” branch and the “windows” branch are

  • idp-backchannel.xml: The default credentials location is different. I cannot remember why but there is reason

  • Some minor difference in idp.xml which I could collect

  • And 6 files

jetty-ssl-context.xml (windows Only)

This is a changed version of the one distributed with jetty and its maintenance represents the biggest ongoing cost.
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/2937454597/JettyBase10ForWindows#etc/jetty-ssl-context.xml describes what needs to be done. As I recall it is all because at one stage (probably even now) Jetty got confused about

  • Absolute vs relative paths (which really matters on windows)

  • How to do defaulting of values. I think that there are 3 ways to do defaults now

idp.ini.windows

The installer turns this into idp.ini on a fresh install. It is modified to contain any collected passwords

idp-system.ini

Contains the “don't tinker with these” settings from the mainline idp.ini

idp.ini.rewrite.property.names

This deals with the issue when jetty rename properties (or indeed if one of our xml files changes a property name). The name changes this file it contains are made to an existing idp.ini

idp-backchannel.ini, idp.ini (not windows)

These are subsumed into idp.ini.windows and idp-system.ini

Installing Jetty base

Install the jetty base is made complicated since

  • The Jetty project changes property names and we may need to rewrite the user’s idp.ini. This is historic

  • We need to merge in things like passwords

  • We create a keystore for the https port with a self signed cert in it.

  • Its all done with ant (which feels old)

  • But basically it ‘just works’ .

Other shit

I cannot remember why but for historic reasons we install into the 32 bit folder. Of course this is java so we are actually keyed into what JM is installed.

What are the costs?

Cranking a windows release is pretty quick (Download the IdP, Jetty, Jetty base and procrun and run two bat files). I have a note that it might be nice to bundle that into a maven plugin so it can be done by anyone with a windows machine. Critically this would allow us to use the enforcer to do the signature checks on Jetty and procrun

The costs are the ancillary ones:

And we have this costs every time that the IdP ships and every time that jetty ships. Subjectively, it is the jetty changes that are the biggest pain because they are no made on our timeline.

So what are the options?

  • Walk away from shipping jetty on any platform

    • I am so bored with Jetty and this installer that this appeals to me. I’ll support the real installer for ever but….

  • Bludgeon what we have now into working with V5.

    • The path of least resistance but it does mean that we need to carry on shipping windows specific files (jettty-ant.xml) in the idp. I could even fix that at the same time.

  • Bludgeon what we have into two packages. One for the IdP and one for jetty

    • More work to get there, and we still have the same costs with every jetty release.

  • Try to bring the jetty base's together.

    • I have no idea what the problems would be and the wounds from last time still hurt, but I have a gut feeling that the real problem is that on Windows we cannot allow jetty to fork (I don’t even know whether that is because of Windows or because of procrun)

If we were starting with a clean slate

  • I would be looking to extensions to the plugin and module infrastructure so that the user basically said “plugin -I jetty”

  • Is there some sort of inversion whereby the IdP itself starts jetty and we start the IdP in some clever way.

    • Again I have no issue with walking away from procrun which is overly complicated for our needs and may well get in our way.

I think we need to think about what we are doing with Jetty at a project level, then I can fit windows around it.

…. And we haven’t even talked about jetty12. If this really works it does change the game. Or at least the questions.

  • No labels