diff --git a/0066-ipatests-on-rhel10-do-not-install-firefox.patch b/0066-ipatests-on-rhel10-do-not-install-firefox.patch
new file mode 100644
index 0000000..9a4bb9e
--- /dev/null
+++ b/0066-ipatests-on-rhel10-do-not-install-firefox.patch
@@ -0,0 +1,41 @@
+From d0dd2e8393f4b49edc67f8036a19d8b2d4e28938 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Fri, 31 Jan 2025 13:09:22 +0100
+Subject: [PATCH] ipatests: on rhel10 do not install firefox
+
+Firefox will be installed as a pre-requisite as it either comes
+as a flatpak or a tar file. The flatpak is not compatible with
+geckodriver as explained in geckodriver release notes
+(https://github.com/mozilla/geckodriver/releases/tag/v0.35.0)
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+Reviewed-By: Michal Polovka
+---
+ ipatests/pytest_ipa/integration/create_keycloak.py | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py
+index addade7594d7a1b8edefdb8c67ec4bc7abe70ef4..7f0850ca704b3d4c9748a8e46cad1fff7c31f112 100644
+--- a/ipatests/pytest_ipa/integration/create_keycloak.py
++++ b/ipatests/pytest_ipa/integration/create_keycloak.py
+@@ -9,9 +9,13 @@ from ipatests.pytest_ipa.integration import tasks
+ def setup_keycloakserver(host, version='26.1.0'):
+ dir = "/opt/keycloak"
+ password = host.config.admin_password
+- tasks.install_packages(host, ["unzip", "java-21-openjdk-headless",
+- "openssl", "maven", "wget",
+- "firefox", "xorg-x11-server-Xvfb"])
++ packages = ["unzip", "java-21-openjdk-headless", "openssl", "maven", "wget"]
++ # For RHEL 10 we don't install firefox as it is not shipped any more
++ # as a rpm. The infra handles the installation from a zip file
++ if not (tasks.get_platform(host) == "rhel"
++ and tasks.get_platform_version(host)[0] == 10):
++ packages.extend(["firefox", "xorg-x11-server-Xvfb"])
++ tasks.install_packages(host, packages)
+ # add keycloak system user/group and folder
+ url = "https://github.com/keycloak/keycloak/releases/download/{0}/keycloak-{0}.zip".format(version) # noqa: E501
+ host.run_command(["wget", url, "-O", "{0}-{1}.zip".format(dir, version)])
+--
+2.48.1
+
diff --git a/0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch b/0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch
new file mode 100644
index 0000000..ca4bc30
--- /dev/null
+++ b/0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch
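Review bot: The new guard in setup_keycloakserver compares `tasks.get_platform_version(host)[0] == 10`, so only major version 10 skips the rpm install, while the comment above it says firefox is no longer shipped as an rpm. If that also holds for later majors, `and tasks.get_platform_version(host)[0] >= 10):` matches the stated intent; this assumes the helper returns numeric components, which the hunk does not show. The same branch also drops `xorg-x11-server-Xvfb`, which the comment never mentions, and the comment says "zip file" where the commit message says "flatpak or a tar file". The comment should name both packages and use one term for the archive. The function body continues past the end of the hunk.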
@@ -0,0 +1,55 @@
+From 47ce0982249ee7ce12b38eae5ce3ee6a9b5df52e Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Tue, 4 Feb 2025 12:54:48 -0500
+Subject: [PATCH] Configure the pki-tomcatd service systemd timeout
+
+IPA defines a startup timeout that is primarily used
+during installation to extend service start-up timeouts
+on slower systems.
+
+This tends to work ok when runing pki-spawn but can fail when
+systemd is starting the tomcat service.
+
+Use the value of startup_timeout to set TimeoutStartSec in
+the pki-tomcat systemd override file ipa.conf. This will
+preserve the necessary startup_timeout for all future restarts.
+
+This was seen with a very slow HSM where installation was successful
+(pki-spawn) but pki-tomcatd startup timed out at the end of the
+installation.
+
+To increase the value in installation one needs to create the file
+/etc/ipa/installer.conf with contents:
+
+[global]
+startup_timeout = 300 (or whatever)
+
+Fixes: https://pagure.io/freeipa/issue/9743
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/install/cainstance.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 76718036dbd317651edc98ce631405e42bf814d7..c8ecde8f2e9649d57012fcda937ee5816105df4e 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -713,7 +713,12 @@ class CAInstance(DogtagInstance):
+ f.write('[Service]\n')
+ f.write('Environment=LC_ALL=C.UTF-8\n')
+ f.write('ExecStartPost={}\n'.format(paths.IPA_PKI_WAIT_RUNNING))
++ f.write('TimeoutStartSec=%d\n' % api.env.startup_timeout)
+ tasks.systemd_daemon_reload()
++ logger.info(
++ "Set start up timeout of pki-tomcatd service to %d seconds",
++ api.env.startup_timeout
++ )
+
+ def safe_backup_config(self):
+ """
+--
+2.48.1
+
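Review bot: The added `f.write('TimeoutStartSec=%d\n' % api.env.startup_timeout)` copies the configured value into the unit override without a range check. The `%d` conversion keeps non-numeric text out of the file, but systemd treats a start timeout of 0 as no timeout and is likely to reject a negative one. A mistyped `startup_timeout` in installer.conf could therefore remove the start timeout for pki-tomcatd or leave the line ignored, while the following `logger.info` still reports it as set. Guarding the write and the log call with `if api.env.startup_timeout > 0:` (or failing the step otherwise) would close that gap, and a short comment should note that the override applies to every later restart. The enclosing method starts above the hunk.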
diff --git a/0068-Align-startup_timeout-with-the-systemd-default-and-d.patch b/0068-Align-startup_timeout-with-the-systemd-default-and-d.patch
new file mode 100644
index 0000000..c0d15af
--- /dev/null
+++ b/0068-Align-startup_timeout-with-the-systemd-default-and-d.patch
@@ -0,0 +1,84 @@
+From 22cbc5ed4889d6c66e2916d5acde582b1868fbc9 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 10 Feb 2025 10:45:39 -0500
+Subject: [PATCH] Align startup_timeout with the systemd default and document
+ it
+
+We had it set to 120 seconds while the systemd default is 90.
+They should be the same because the first one that times out "wins".
+
+Move where during the installation we create the systemd override
+file so that the timeout will be applied across all subsequent
+server starts during and post installation.
+
+Fixes: https://pagure.io/freeipa/issue/9743
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+---
+ client/man/default.conf.5 | 2 +-
+ ipalib/constants.py | 5 +++--
+ ipaserver/install/cainstance.py | 3 ++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
+index e0aec21f725d88ce2ba3cf52901fb15575892cde..461c60134124ed3e31e17ac350576487fda4c46e 100644
+--- a/client/man/default.conf.5
++++ b/client/man/default.conf.5
+@@ -191,7 +191,7 @@ Specifies the IPA Server hostname.
+ Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution.
+ .TP
+ .B startup_timeout