ipa-4.12.2-14

- Resolves: RHEL-78766 Include latest fixes in python3-ipatests package
- Resolves: RHEL-77965 ipa-server-install failing on slow hsm

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2025-02-11 18:08:52 +01:00
parent 837c02b504
commit 73e3a943d0
4 changed files with 188 additions and 1 deletions


@ -0,0 +1,41 @@
From d0dd2e8393f4b49edc67f8036a19d8b2d4e28938 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 31 Jan 2025 13:09:22 +0100
Subject: [PATCH] ipatests: on rhel10 do not install firefox
Firefox will be installed as a pre-requisite as it either comes
as a flatpak or a tar file. The flatpak is not compatible with
geckodriver as explained in geckodriver release notes
(https://github.com/mozilla/geckodriver/releases/tag/v0.35.0)
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/pytest_ipa/integration/create_keycloak.py | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py
index addade7594d7a1b8edefdb8c67ec4bc7abe70ef4..7f0850ca704b3d4c9748a8e46cad1fff7c31f112 100644
--- a/ipatests/pytest_ipa/integration/create_keycloak.py
+++ b/ipatests/pytest_ipa/integration/create_keycloak.py
@@ -9,9 +9,13 @@ from ipatests.pytest_ipa.integration import tasks
def setup_keycloakserver(host, version='26.1.0'):
dir = "/opt/keycloak"
password = host.config.admin_password
- tasks.install_packages(host, ["unzip", "java-21-openjdk-headless",
- "openssl", "maven", "wget",
- "firefox", "xorg-x11-server-Xvfb"])
+ packages = ["unzip", "java-21-openjdk-headless", "openssl", "maven", "wget"]
+ # For RHEL 10 we don't install firefox as it is not shipped any more
+ # as a rpm. The infra handles the installation from a zip file
+ if not (tasks.get_platform(host) == "rhel"
+ and tasks.get_platform_version(host)[0] == 10):
+ packages.extend(["firefox", "xorg-x11-server-Xvfb"])
+ tasks.install_packages(host, packages)
# add keycloak system user/group and folder
url = "https://github.com/keycloak/keycloak/releases/download/{0}/keycloak-{0}.zip".format(version) # noqa: E501
host.run_command(["wget", url, "-O", "{0}-{1}.zip".format(dir, version)])
--
2.48.1
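Review bot: The new comment above the `packages` guard says the infra installs Firefox "from a zip file", while the patch description says it arrives as a flatpak or a tar file; align the two so a reader does not go looking for a zip, e.g. `# as an rpm; the test infra provides it separately (see commit message).`. The guard also drops xorg-x11-server-Xvfb on RHEL 10 although the comment only mentions firefox — if Xvfb is still shipped as an rpm it can stay in the base list, and if it is not, the comment should say so. `tasks.get_platform_version(host)[0] == 10` matches only major 10; if later majors also lack the rpm, `>= 10` would be the more durable test, assuming the first element is an integer major version (the return shape of get_platform_version is not visible here). setup_keycloakserver continues past the hunk.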


@ -0,0 +1,55 @@
From 47ce0982249ee7ce12b38eae5ce3ee6a9b5df52e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Feb 2025 12:54:48 -0500
Subject: [PATCH] Configure the pki-tomcatd service systemd timeout
IPA defines a startup timeout that is primarily used
during installation to extend service start-up timeouts
on slower systems.
This tends to work ok when runing pki-spawn but can fail when
systemd is starting the tomcat service.
Use the value of startup_timeout to set TimeoutStartSec in
the pki-tomcat systemd override file ipa.conf. This will
preserve the necessary startup_timeout for all future restarts.
This was seen with a very slow HSM where installation was successful
(pki-spawn) but pki-tomcatd startup timed out at the end of the
installation.
To increase the value in installation one needs to create the file
/etc/ipa/installer.conf with contents:
[global]
startup_timeout = 300 (or whatever)
Fixes: https://pagure.io/freeipa/issue/9743
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/cainstance.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 76718036dbd317651edc98ce631405e42bf814d7..c8ecde8f2e9649d57012fcda937ee5816105df4e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -713,7 +713,12 @@ class CAInstance(DogtagInstance):
f.write('[Service]\n')
f.write('Environment=LC_ALL=C.UTF-8\n')
f.write('ExecStartPost={}\n'.format(paths.IPA_PKI_WAIT_RUNNING))
+ f.write('TimeoutStartSec=%d\n' % api.env.startup_timeout)
tasks.systemd_daemon_reload()
+ logger.info(
+ "Set start up timeout of pki-tomcatd service to %d seconds",
+ api.env.startup_timeout
+ )
def safe_backup_config(self):
"""
--
2.48.1
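Review bot: The added `TimeoutStartSec=%d` write uses %-formatting while the neighbouring writes to the same override file use str.format (`ExecStartPost={}` directly above); `f.write('TimeoutStartSec={}\n'.format(api.env.startup_timeout))` keeps the block uniform. %d additionally requires the value to be numeric — fine if the env layer coerces it to int as the default suggests, but if a configured value ever reaches here as a string this line raises TypeError, which the {} form tolerates. As far as the hunk shows the override is written only during installation, so a later change of startup_timeout in installer.conf will not be reflected in ipa.conf; a comment above the write such as `# Persisted at install time; later startup_timeout changes do not rewrite this file.` would save the next reader the investigation. The enclosing method starts outside the hunk.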


@ -0,0 +1,84 @@
From 22cbc5ed4889d6c66e2916d5acde582b1868fbc9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 10 Feb 2025 10:45:39 -0500
Subject: [PATCH] Align startup_timeout with the systemd default and document
it
We had it set to 120 seconds while the systemd default is 90.
They should be the same because the first one that times out "wins".
Move where during the installation we create the systemd override
file so that the timeout will be applied across all subsequent
server starts during and post installation.
Fixes: https://pagure.io/freeipa/issue/9743
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
client/man/default.conf.5 | 2 +-
ipalib/constants.py | 5 +++--
ipaserver/install/cainstance.py | 3 ++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
index e0aec21f725d88ce2ba3cf52901fb15575892cde..461c60134124ed3e31e17ac350576487fda4c46e 100644
--- a/client/man/default.conf.5
+++ b/client/man/default.conf.5
@@ -191,7 +191,7 @@ Specifies the IPA Server hostname.
Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution.
.TP
.B startup_timeout <time in seconds>
-Controls the amount of time waited when starting a service. The default value is 120 seconds.
+Controls the amount of time waited when starting a service. The default value is 90 seconds, the same as the default systemd startup timeout. If configuring a CA the startup_timeout value will be added as an override for TimeoutStartSec in systemd. If installation times out when starting the CA create /etc/ipa/installer.conf with this value set.
.TP
.B startup_traceback <boolean>
If the IPA server fails to start and this value is True the server will attempt to generate a python traceback to make identifying the underlying problem easier.
diff --git a/ipalib/constants.py b/ipalib/constants.py
index c90caa22149ec3d93d45fcb5480f7401e4555799..2e4c9a8336efae9e02febd6d04ec226c84af255f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -189,8 +189,9 @@ DEFAULT_CONFIG = (
# Time to wait for a service to start, in seconds.
# Note that systemd has a DefaultTimeoutStartSec of 90 seconds. Higher
- # values are not effective unless systemd is reconfigured, too.
- ('startup_timeout', 120),
+ # values are not effective unless systemd is reconfigured, too. Or you
+ # can update the systemd service file with its own TimeoutStartSec.
+ ('startup_timeout', 90),
# How long http connection should wait for reply [seconds].
('http_timeout', 30),
# How long to wait for an entry to appear on a replica
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c8ecde8f2e9649d57012fcda937ee5816105df4e..3466c308829a576589874015542da9ea88bc2a2f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -453,6 +453,7 @@ class CAInstance(DogtagInstance):
if promote:
self.step("destroying installation admin user",
self.teardown_admin)
+ self.step("updating IPA configuration", update_ipa_conf)
# Materialize config changes and new ACLs
self.step("starting certificate server instance",
self.start_instance)
@@ -480,7 +481,6 @@ class CAInstance(DogtagInstance):
self.step("configure certificate renewals", self.configure_renewal)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
- self.step("updating IPA configuration", update_ipa_conf)
self.step("enabling CA instance", self.__enable_instance)
if not promote:
if self.clone:
@@ -2453,6 +2453,7 @@ def update_ipa_conf(ca_host=None):
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version', '10')
+ parser.set('global', 'startup_timeout', api.env.startup_timeout)
if ca_host is None:
parser.remove_option('global', 'ca_host')
else:
--
2.48.1
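Review bot: In update_ipa_conf the new `parser.set('global', 'startup_timeout', api.env.startup_timeout)` passes a non-string value where every sibling call passes a string ('True', 'dogtag', '10'); `parser.set('global', 'startup_timeout', str(api.env.startup_timeout))` keeps the option values uniform and also holds up if the parser is ever a strict ConfigParser, whose set() rejects non-string values (RawConfigParser only stringifies on write). In the first cainstance.py hunk the re-added `self.step("updating IPA configuration", update_ipa_conf)` sits directly after the `if promote:` branch and the rendering has lost indentation, so confirm it is at the same level as the following `self.step("starting certificate server instance", ...)` and not inside the promote block — the call removed from the old location ran unconditionally. Both enclosing functions extend beyond their hunks.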


@ -207,7 +207,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 13%{?rc_version:.%rc_version}%{?dist}
Release: 14%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -303,6 +303,9 @@ Patch0062: 0062-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch
Patch0063: 0063-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch
Patch0064: 0064-Apply-certmonger_timeout-to-start_tracking-and-reque.patch
Patch0065: 0065-Add-DNS-over-TLS-support.patch
Patch0066: 0066-ipatests-on-rhel10-do-not-install-firefox.patch
Patch0067: 0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch
Patch0068: 0068-Align-startup_timeout-with-the-systemd-default-and-d.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1948,6 +1951,10 @@ fi
%endif
%changelog
* Tue Feb 11 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-14
- Resolves: RHEL-78766 Include latest fixes in python3-ipatests package
- Resolves: RHEL-77965 ipa-server-install failing on slow hsm
* Tue Feb 11 2025 Thomas Woerner <twoerner@redhat.com> - 4.12.2-13
- Resolves: RHEL-67912 Add DNS over TLS Support, Require bind 32:9.18.33-2 and new bind-dyndb-ldap 11.11-1