mirror of
https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git
synced 2024-12-22 10:23:09 +00:00
Disable dnssec on FreeIPA server for upgrades (#1999321)
To work around #1999321, we'll disable dnssec validation on the FreeIPA server when doing an upgrade to Fedora 35 or later. This sucks but I can't find a better option. Signed-off-by: Adam Williamson <awilliam@redhat.com>
This commit is contained in:
parent
60bfdd53b9
commit
2ec41b1f43
@ -14,14 +14,9 @@ sub run {
|
|||||||
# test (in which case we're on the 'old' release at this point;
|
# test (in which case we're on the 'old' release at this point;
|
||||||
# one of the upgrade test modules does repo_setup later)
|
# one of the upgrade test modules does repo_setup later)
|
||||||
repo_setup() unless get_var("UPGRADE");
|
repo_setup() unless get_var("UPGRADE");
|
||||||
# use --enablerepo=fedora for Modular compose testing (we need to
|
|
||||||
# create and use a non-Modular repo to get some packages which
|
|
||||||
# aren't in Modular Server composes)
|
|
||||||
my $extraparams = '';
|
|
||||||
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
|
|
||||||
# we need a lot of entropy for this, and we don't care how good
|
# we need a lot of entropy for this, and we don't care how good
|
||||||
# it is, so let's use haveged
|
# it is, so let's use haveged
|
||||||
assert_script_run "dnf ${extraparams} -y install haveged", 300;
|
assert_script_run "dnf -y install haveged", 300;
|
||||||
assert_script_run 'systemctl start haveged.service';
|
assert_script_run 'systemctl start haveged.service';
|
||||||
# per ab, this should get us extra debug logging from the web UI
|
# per ab, this should get us extra debug logging from the web UI
|
||||||
# in error_log
|
# in error_log
|
||||||
@ -39,6 +34,10 @@ sub run {
|
|||||||
assert_script_run "systemctl restart firewalld.service";
|
assert_script_run "systemctl restart firewalld.service";
|
||||||
# deploy the server
|
# deploy the server
|
||||||
my $args = "-U --auto-forwarders --realm=TEST.OPENQA.FEDORAPROJECT.ORG --domain=test.openqa.fedoraproject.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
|
my $args = "-U --auto-forwarders --realm=TEST.OPENQA.FEDORAPROJECT.ORG --domain=test.openqa.fedoraproject.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
|
||||||
|
# FIXME: this is a workaround for #1999321 - we just have to turn
|
||||||
|
# off dnssec on the server end to avoid hitting it
|
||||||
|
my $relnum = get_release_number;
|
||||||
|
$args .= ' --no-dnssec-validation' if (get_var("UPGRADE") && $relnum > 34);
|
||||||
assert_script_run "ipa-server-install $args", 1200;
|
assert_script_run "ipa-server-install $args", 1200;
|
||||||
# enable and start the systemd service
|
# enable and start the systemd service
|
||||||
assert_script_run "systemctl enable ipa.service";
|
assert_script_run "systemctl enable ipa.service";
|
||||||
|
Loading…
Reference in New Issue
Block a user