Kolab as a Server Role on Fedora with rolekit   June 11th, 2015

This post originates in the idea from Stephen Gallagher, who is working on rolekit: “rolekit is a daemon for Linux systems providing a stable D-BUS interface to manage the deployment of [Fedora] Server Roles”.
The code of Rolekit is available here: https://github.com/sgallagher/rolekit

On his blog, Stephen stated in this post:

A few that I’d love to see (but don’t have time to start on yet):

  • A fileserver role that manages Samba and NFS file-shares (maybe [s]ftp as well).
  • A mail and/or groupware server role built atop something like Kolab
  • A backup server

This made me wonder, how would that be, if Kolab became a Server Role for Fedora, and could be installed from the Fedora repositories? Through my work on OpenPetra and Mono I got involved with Fedora, and noticed that the Fedora community tries out new technology, proves if it works, and then the technology will eventually end up in other distributions as well.

First steps

On IRC, we agreed that the first step would be to create a Copr repo, that contains the Kolab packages, and to write this blog post describing how to install and configure Kolab.

Creating the Copr Repo

So, here is the Copr repository for Fedora 22: https://copr.fedoraproject.org/coprs/tpokorra/kolab/

I created it by getting the src rpm packages from the Kolab repository, from 3.4 and 3.4 updates, in this order:

  • kolab-utils
  • roundcubemail-plugins-kolab
  • kolab-webadmin
  • kolab
  • pykolab
  • chwala
  • iRony
  • kolab-freebusy
  • roundcubemail-skin-chameleon
  • php-Net-LDAP3
  • roundcubemail
  • kolab-syncroton
  • roundcubemail-plugin-contextmenu
  • kolab-schema
  • kolab-autodiscover
  • python-sievelib
  • php-pear-Net-LDAP2
  • cyrus-imapd

The packages libkolab and libkolabxml and kdepim are already in Fedora, and I did not update them:

Cyrus Imapd is also in Fedora, https://admin.fedoraproject.org/pkgdb/package/cyrus-imapd/, but not on the latest version. So I used version 2.5 from Kolab.

Roundcubemail is uptodate in Fedora, https://admin.fedoraproject.org/pkgdb/package/roundcubemail, but somehow does not provide roundcubemail(core) >= 1.1 as required by some Kolab packages. So I also used the package from Kolab.

I have patched the pykolab package, and backported some features to extend the setup-kolab command so that it can be used non-interactively, which is probably required to be integrated into rolekit. In Kolab 3.5 (release planned for August 2015), those features will be included.

Installing Kolab from the Copr Repo

I have tested this with Fedora 22.

Please disable SELinux, since there isn’t a SELinux policy available yet for Kolab.
Jeroen van Meeuwen has worked on it a while ago, but it probably needs updating and testing: https://github.com/kanarip/kolab-selinux

Another thing: the server should have a FQDN, eg. kolab.example.org. See the installation instructions for details.

dnf install dnf-plugins-core
dnf copr enable tpokorra/kolab
dnf install kolab
mytz=Europe/Brussels
pwd=test
setup-kolab --default --mysqlserver=new --timezone=$mytz --directory-manager-pwd=$pwd

On my setup, I need to add this line to /etc/kolab/kolab.conf, in section [kolab-wap], because I am running it inside an LXC container with an iptables tunnel for port 80, and the Kolab webadmin does not calculate the url for the API properly:

api_url = http://localhost/kolab-webadmin/api

You also need to add these lines to /etc/roundcubemail/config.inc.php (this will be fixed in Kolab 3.5):

    # required for php 5.6, see https://bbs.archlinux.org/viewtopic.php?id=193012 and http://php.net/manual/de/context.ssl.php
    # production environment requires real security settings!!!
    $config['imap_conn_options']=array(
            'ssl'=>array(
            'verify_peer_name'=>false,
            'verify_peer'=>false,
            'allow_self_signed'=>true));
    $config['smtp_conn_options']=array(
            'ssl'=>array(
            'verify_peer_name'=>false,
            'verify_peer'=>false,
            'allow_self_signed'=>true));

After this, the Kolab Server should run, and you can go to http://localhost/kolab-webadmin and login with the user “cn=Directory Manager” (without the quotes) and the password that you specified as parameter for setup-kolab.

The webmail runs at http://localhost/roundcubemail

Conclusion

I hope this shows the possibilities, and what amount of work still needs to be done.

I guess the existing packages in Fedora should be kept uptodate, and missing Kolab packages need to be added to Fedora as well.

Work on SELinux policy is also required (see above).

The other thing: with the server role Kolab, how much should the role define how the server is configured securely? In Kolab Upstream, we documented how to secure the server, but left it to the Sysadmin to actually enforce security, because the Kolab community cannot take responsibility for the server.

I have a number of scripts, that might be useful for rolekit: https://github.com/TBits/KolabScripts There is eg. a script for setting up a self-signed SSL Certificate, etc.

Tags: , ,
This entry was posted on Thursday, June 11th, 2015 at 7:30 am and is filed under Software Development. You can follow any responses to this entry through the RSS 2.0 feed.Both comments and pings are currently closed.

No Responses