October 2020 - FreeIPA-devel - Fedora Mailing-Lists

[freeipa PR#5144][opened] Reduce runtime of server installer by nearly a minute

by tiran

URL: https://github.com/freeipa/freeipa/pull/5144 Author: tiran Title: #5144: Reduce runtime of server installer by nearly a minute Action: opened PR body: """ This experimental patch speeds up installer by tightening poll/sleep loops, reducing timeouts for DNS and NTP to a sensible value, avoiding duplicate work. ## Add helper for poll/sleep loops with timeout The Sleeper class is a helper that makes poll/sleep loops with timeout easier to write. It takes care of edge cases and does not oversleep timeout deadline. ## Faster certmonger wait_for_request() wait_for_request() now waits 0.5 instead of 5 seconds. This shoves off 15 to 20 seconds from ipa-server-install while marginally increased load on the system. ## Remove root-autobind configuration The new lib389-based installer configured 389-DS with LDAPI support and autobind for root. cn=root-autobind,cn=config entry is no longer needed. ## Skip offline dse.ldif patching by default The installer now stop and patches dse.ldif only when the option --dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a new step. This speeds up installer by 4 or more seconds on a fast system. ## Retry chronyc waitsync only once It's unlikely that a third chrony synchronization attempt is going to succeed after the the first two attempts have failed. Only retry chronyc waitsync once. Each retry adds a 10 second delay. This speed up installer by 10 seconds on systems without fully configured chronyd or no chronyd (e.g. containers). ## Reduce CA record DNS timeout to 10s 30 seconds is still a lot of time for a DNS query. Clients typically do not wait that long. OpenSSH uses 10 seconds for reverse DNS lookup. That's considered a long timeout already. It's unlikely that a DNS query is going to succeed after 10 seconds of failed lookups. At this point during the installer IPA's BIND DNS instance has been running long enough to be fully available, too. The changeset reduces installation time by 40 seconds when ipa-ca DNS has not been created yet. See: https://pagure.io/freeipa/issue/6176 ## Skip duplicate import of cert profiles All supported Dogtag versions import the cert profiles during pkispawn when using the LDAP profile backend. This reduces the installation time by 9 to 14 seconds ## Use single update LDIF for indices Index definitions were split across four files. indices.ldif contained the initial subset of indices. Three update files partly duplicated the indices and partly added new indices. All indices are now defined in a single update file that is sorted alphanumerically. The changeset avoids two additional index tasks and reduces installation time by 5 to 10 seconds. Fixes: https://pagure.io/freeipa/issue/8493 ## Remove magic sleep from create_index_task 11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock bug in memberOf plugin. Thierry is not aware of any outstanding issues with memberOf plugin that could lead to a deadlock. ## Add timings to install logs The logging manager now adds timings for installation steps to the installer logs. The information can be extracted and dumped to a CSV file with a simple grep command: grep -Po 'TIMING: \K.*' /var/log/ipaserver.log > ipaserver.csv ## Use separate install logs for AD and DNS instance ipa-dns-install and ipa-adtrust-install no longer overwrite ipaserver-install.log. Instead they use a separate log file. Add AD-Trust, DNS, KRA, and replica log files to backups. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5144/head:pr5144 git checkout pr5144

3 years, 6 months

1
1
0 / 0

[freeipa PR#5182][opened] Speed up cainstance.migrate_profiles_to_ldap

by tiran

URL: https://github.com/freeipa/freeipa/pull/5182 Author: tiran Title: #5182: Speed up cainstance.migrate_profiles_to_ldap Action: opened PR body: """ The ra_certprofile API is slow. It takes ~200ms to migrate and enable a profile even when the profile already available. The migration step slows down the installer and upgrader by about 12 to 15 seconds. Skip all profiles that have been imported by Dogtag already. Related: https://pagure.io/freeipa/issue/8522 Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <cheimes(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5182/head:pr5182 git checkout pr5182

3 years, 6 months

1
1
0 / 0

[freeipa PR#5198][opened] tox.ini: Extend max-line-length from 80 to 88+

by fcami

URL: https://github.com/freeipa/freeipa/pull/5198 Author: fcami Title: #5198: tox.ini: Extend max-line-length from 80 to 88+ Action: opened PR body: """ Change tox.ini's 80c character limit to 88. - 88 is the limit for a font size of 14 on a FHD (1920x1200) screen with two editors side-by-side. - A too-high number can become an issue for potential contributors with eyesight problems. So we want to avoid that. Fixes: https://pagure.io/freeipa/issue/8546 Signed-off-by: François Cami <fcami(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5198/head:pr5198 git checkout pr5198

3 years, 6 months

1
0
0 / 0

[freeipa PR#5193][opened] [Backport][ipa-4-8] ipatests: run freeipa-healthcheck on hidden replica

by flo-renaud

URL: https://github.com/freeipa/freeipa/pull/5193 Author: flo-renaud Title: #5193: [Backport][ipa-4-8] ipatests: run freeipa-healthcheck on hidden replica Action: opened PR body: """ This PR was opened automatically because PR #5184 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5193/head:pr5193 git checkout pr5193

3 years, 6 months

1
1
0 / 0

[freeipa PR#5195][opened] [Backport][ipa-4-8] ipatests: properly handle journalctl return code

by flo-renaud

URL: https://github.com/freeipa/freeipa/pull/5195 Author: flo-renaud Title: #5195: [Backport][ipa-4-8] ipatests: properly handle journalctl return code Action: opened PR body: """ This PR was opened automatically because PR #5194 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5195/head:pr5195 git checkout pr5195

3 years, 6 months

1
1
0 / 0

[freeipa PR#5194][opened] ipatests: properly handle journalctl return code

by flo-renaud

URL: https://github.com/freeipa/freeipa/pull/5194 Author: flo-renaud Title: #5194: ipatests: properly handle journalctl return code Action: opened PR body: """ The test test_installation.py::TestInstallMaster::test_selinux_avcs is failing when no AVCs are detected because it is calling journalctl --full --grep=AVC--since=yesterday and the command exits with return code 1. Call the command with raiseonerr=False to support this case. Fixes: https://pagure.io/freeipa/issue/8541 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5194/head:pr5194 git checkout pr5194

3 years, 6 months

1
1
0 / 0

[freeipa PR#5192][opened] [Backport][ipa-4-8] rpmspec: ensure ipa snippet for sshd is always included

by flo-renaud

URL: https://github.com/freeipa/freeipa/pull/5192 Author: flo-renaud Title: #5192: [Backport][ipa-4-8] rpmspec: ensure ipa snippet for sshd is always included Action: opened PR body: """ This PR was opened automatically because PR #5190 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5192/head:pr5192 git checkout pr5192

3 years, 6 months

1
1
0 / 0

[freeipa PR#5184][opened] ipatests: run freeipa-healthcheck on hidden replica

by fcami

URL: https://github.com/freeipa/freeipa/pull/5184 Author: fcami Title: #5184: ipatests: run freeipa-healthcheck on hidden replica Action: opened PR body: """ Make sure freeipa-healthcheck can run on FreeIPA clusters with hidden replica. Fixes: https://pagure.io/freeipa/issue/8536 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5184/head:pr5184 git checkout pr5184

3 years, 6 months

2
1
0 / 0

[freeipa PR#5190][opened] rpmspec: ensure ipa snippet for sshd is always included

by flo-renaud

URL: https://github.com/freeipa/freeipa/pull/5190 Author: flo-renaud Title: #5190: rpmspec: ensure ipa snippet for sshd is always included Action: opened PR body: """ Whn openssh-server > 8.2 is installed, ipa rpmspec moves its configuration directives to /etc/ssh/sshd_config.d/04-ipa.conf but doesn't check that the 04-ipa.conf is included from /etc/ssh/sshd_config. The fixes ensures that the snippet is always included, either through the line Include /etc/ssh/sshd_config.d/*.conf or directly with Include /etc/ssh/sshd_config.d/04-ipa.conf Fixes: https://pagure.io/freeipa/issue/8535 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5190/head:pr5190 git checkout pr5190

3 years, 6 months

1
1
0 / 0

[freeipa PR#5189][opened] [Backport][ipa-4-8] Lookup ipa-ca record with NSS

by tiran

URL: https://github.com/freeipa/freeipa/pull/5189 Author: tiran Title: #5189: [Backport][ipa-4-8] Lookup ipa-ca record with NSS Action: opened PR body: """ Manual backport of PR #5174 DNS data management now uses NSS's getaddrinfo() instead of direct DNS queries to resolve the ipa-ca record. This fixes missing ipa-ca records when the current hostname is not resolvable in DNS but has correct records in /etc/hosts. Reduce timeout to 15 seconds and tighten timeout loop. The changeset can speed up installation by almost 60 seconds. ipa-server-install without built-in DNS calls into DNS data management twice with a timeout of 30 seconds for each call. Fixes: https://pagure.io/freeipa/issue/8529 Related: https://pagure.io/freeipa/issue/8521 Related: https://pagure.io/freeipa/issue/8501 Signed-off-by: Christian Heimes <cheimes(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5189/head:pr5189 git checkout pr5189

3 years, 6 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel October 2020