From 9e16adadb5af917655c54c6e03f838be223ee8cd Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Wed, 22 Sep 2021 14:34:23 -0700 Subject: [PATCH] Disable dnssec on FreeIPA server for upgrades (#1999321) To work around #1999321, we'll disable dnssec validation on the FreeIPA server when doing an upgrade to Fedora 35 or later. This sucks but I can't find a better option. Signed-off-by: Adam Williamson --- tests/role_deploy_domain_controller.pm | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tests/role_deploy_domain_controller.pm b/tests/role_deploy_domain_controller.pm index 6d3d673e..88173d08 100644 --- a/tests/role_deploy_domain_controller.pm +++ b/tests/role_deploy_domain_controller.pm @@ -14,11 +14,6 @@ sub run { # test (in which case we're on the 'old' release at this point; # one of the upgrade test modules does repo_setup later) repo_setup() unless get_var("UPGRADE"); - # use --enablerepo=fedora for Modular compose testing (we need to - # create and use a non-Modular repo to get some packages which - # aren't in Modular Server composes) - my $extraparams = ''; - $extraparams = '--enablerepo=fedora' if (get_var("MODULAR")); # we need a lot of entropy for this, and we don't care how good # it is, so let's use haveged assert_script_run "dnf ${extraparams} -y install haveged", 300; @@ -39,6 +34,10 @@ sub run { assert_script_run "systemctl restart firewalld.service"; # deploy the server my $args = "-U --auto-forwarders --realm=TEST.OPENQA.FEDORAPROJECT.ORG --domain=test.openqa.fedoraproject.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap"; + # FIXME: this is a workaround for #1999321 - we just have to turn + # off dnssec on the server end to avoid hitting it + my $relnum = get_release_number; + $args .= ' --no-dnssec-validation' if (get_var("UPGRADE") && $relnum > 34); assert_script_run "ipa-server-install $args", 1200; # enable and start the systemd service assert_script_run "systemctl enable ipa.service";