1
0
mirror of https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git synced 2024-12-22 10:23:09 +00:00

Disable dnssec on FreeIPA server for upgrades (#1999321)

To work around #1999321, we'll disable dnssec validation on the
FreeIPA server when doing an upgrade to Fedora 35 or later.
This sucks but I can't find a better option.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
This commit is contained in:
Adam Williamson 2021-09-22 14:34:23 -07:00
parent 60bfdd53b9
commit 2ec41b1f43

View File

@ -14,14 +14,9 @@ sub run {
# test (in which case we're on the 'old' release at this point;
# one of the upgrade test modules does repo_setup later)
repo_setup() unless get_var("UPGRADE");
# use --enablerepo=fedora for Modular compose testing (we need to
# create and use a non-Modular repo to get some packages which
# aren't in Modular Server composes)
my $extraparams = '';
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
# we need a lot of entropy for this, and we don't care how good
# it is, so let's use haveged
assert_script_run "dnf ${extraparams} -y install haveged", 300;
assert_script_run "dnf -y install haveged", 300;
assert_script_run 'systemctl start haveged.service';
# per ab, this should get us extra debug logging from the web UI
# in error_log
@ -39,6 +34,10 @@ sub run {
assert_script_run "systemctl restart firewalld.service";
# deploy the server
my $args = "-U --auto-forwarders --realm=TEST.OPENQA.FEDORAPROJECT.ORG --domain=test.openqa.fedoraproject.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
# FIXME: this is a workaround for #1999321 - we just have to turn
# off dnssec on the server end to avoid hitting it
my $relnum = get_release_number;
$args .= ' --no-dnssec-validation' if (get_var("UPGRADE") && $relnum > 34);
assert_script_run "ipa-server-install $args", 1200;
# enable and start the systemd service
assert_script_run "systemctl enable ipa.service";