URL: https://github.com/freeipa/freeipa/pull/5055
Author: rebeccc
Title: #5055: Add krbtpolicy for jittered lifetime
Action: opened
PR body:
"""
Continuation of #5029
This KDC extension will create a jittered lifetime for services with a lifetime greater than 60 minutes. The lifetime will be set to a random number between max_life - 60 minutes and max_life.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5055/head:pr5055
git checkout pr5055
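The jitter rule in the PR description, worked through as an added example (not the PR's own code; it assumes lifetimes in seconds and an injectable rng parameter so the draw can be made reproducible in a test, which the PR does not specify):

```python
import random

# Threshold and jitter window from the PR description: 60 minutes, in seconds.
SIXTY_MINUTES = 60 * 60


def jittered_lifetime(max_life, rng=None):
    """Return the ticket lifetime to issue for a policy maximum of max_life seconds.

    Lifetimes of 60 minutes or less are returned unchanged.  Anything longer is
    replaced by a uniformly random value in [max_life - 60 min, max_life], as the
    PR describes.  ``rng`` is an assumed parameter for reproducible draws; the
    default uses the OS CSPRNG, which is what a KDC should use.
    """
    if max_life <= 0:
        raise ValueError("max_life must be positive")
    if max_life <= SIXTY_MINUTES:
        return max_life
    if rng is None:
        rng = random.SystemRandom()
    return rng.randint(max_life - SIXTY_MINUTES, max_life)


def check_jitter_policy(max_life, samples):
    """True if every sampled lifetime obeys the policy window.

    The kind of assertion a krbtpolicy test could make: no sample exceeds
    max_life and, for lifetimes above one hour, none falls more than
    60 minutes short of it.
    """
    if max_life <= SIXTY_MINUTES:
        lower = max_life
    else:
        lower = max_life - SIXTY_MINUTES
    return all(lower <= life <= max_life for life in samples)


def sample_lifetimes(max_life, count, seed):
    """Draw count jittered lifetimes with a seeded PRNG (test use only)."""
    rng = random.Random(seed)
    return [jittered_lifetime(max_life, rng) for _ in range(count)]


if __name__ == "__main__":
    lives = sample_lifetimes(24 * 60 * 60, 200, seed=1)
    print(check_jitter_policy(24 * 60 * 60, lives), min(lives), max(lives))
```

The seeded generator exists only so a test can assert on the window; the default SystemRandom path is the one a KDC would run, since a predictable jitter gives an attacker nothing but also gains nothing.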
URL: https://github.com/freeipa/freeipa/pull/5144
Author: tiran
Title: #5144: Reduce runtime of server installer by nearly a minute
Action: opened
PR body:
"""
This experimental patch speeds up installer by tightening poll/sleep loops, reducing timeouts for DNS and NTP to a sensible value, avoiding duplicate work.
## Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.
## Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shaves off
15 to 20 seconds from ipa-server-install while marginally increasing
load on the system.
## Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root.
cn=root-autobind,cn=config entry is no longer needed.
## Skip offline dse.ldif patching by default
The installer now stops and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.
This speeds up installer by 4 or more seconds on a fast system.
## Retry chronyc waitsync only once
It's unlikely that a third chrony synchronization attempt is going to
succeed after the first two attempts have failed. Only retry chronyc
waitsync once. Each retry adds a 10 second delay.
This speeds up the installer by 10 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
## Reduce CA record DNS timeout to 10s
30 seconds is still a lot of time for a DNS query. Clients typically
do not wait that long. OpenSSH uses 10 seconds for reverse DNS lookup.
That's considered a long timeout already. It's unlikely that a DNS query
is going to succeed after 10 seconds of failed lookups.
At this point during the installer IPA's BIND DNS instance has been
running long enough to be fully available, too.
The changeset reduces installation time by 40 seconds when ipa-ca DNS
has not been created yet.
See: https://pagure.io/freeipa/issue/6176
## Skip duplicate import of cert profiles
All supported Dogtag versions import the cert profiles during pkispawn
when using the LDAP profile backend.
This reduces the installation time by 9 to 14 seconds.
## Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8493
## Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
## Add timings to install logs
The logging manager now adds timings for installation steps to the
installer logs. The information can be extracted and dumped to a CSV
file with a simple grep command:
grep -Po 'TIMING: \K.*' /var/log/ipaserver.log > ipaserver.csv
## Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.
Add AD-Trust, DNS, KRA, and replica log files to backups.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5144/head:pr5144
git checkout pr5144
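The poll/sleep helper described under "Add helper for poll/sleep loops with timeout", as an added example. This is not the PR's Sleeper class; the interface (an injectable clock and sleep function, a callable that returns False once the deadline has passed) is assumed here so the deadline behaviour can be shown on a fake clock without real waiting. The 0.5 second default matches the new wait_for_request() interval from the PR.

```python
import time


class Sleeper:
    """Poll/sleep loop helper that never sleeps past its deadline.

    Hypothetical interface written for this example.  ``clock`` and
    ``sleeper`` are injectable so the loop can be driven by a fake clock.
    """

    def __init__(self, sleep=0.5, timeout=30.0,
                 clock=time.monotonic, sleeper=time.sleep):
        if sleep <= 0:
            raise ValueError("sleep must be positive")
        if timeout < 0:
            raise ValueError("timeout must not be negative")
        self.sleep = sleep
        self.timeout = timeout
        self._clock = clock
        self._sleeper = sleeper
        self.deadline = clock() + timeout
        self.attempts = 0

    def __call__(self):
        """Sleep until the next poll.

        Returns True when the caller should poll again, False when the
        deadline has already passed.  The final sleep is shortened to the
        time remaining, so the loop wakes at the deadline, not after it.
        """
        remaining = self.deadline - self._clock()
        if remaining <= 0:
            return False
        self._sleeper(min(self.sleep, remaining))
        self.attempts += 1
        return True


def wait_for(predicate, sleep=0.5, timeout=30.0,
             clock=time.monotonic, sleeper=time.sleep):
    """Poll ``predicate`` until it is true or ``timeout`` seconds elapse.

    The predicate is checked before the first sleep and once more after the
    final shortened sleep, so a condition that becomes true right at the
    deadline is still observed; a timeout of 0 means exactly one check.
    """
    pause = Sleeper(sleep=sleep, timeout=timeout, clock=clock, sleeper=sleeper)
    while not predicate():
        if not pause():
            return False
    return True


class FakeClock:
    """Constructed virtual clock: only sleeping advances time."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    """Two runs on the fake clock: one success, one timeout at the deadline.

    Returns (ready, seconds_until_ready, timed_out_result, seconds_at_timeout).
    """
    ok_clock = FakeClock()
    ready = wait_for(lambda: ok_clock.now >= 3.2, sleep=0.5, timeout=10.0,
                     clock=ok_clock.time, sleeper=ok_clock.sleep)
    slow_clock = FakeClock()
    never = wait_for(lambda: False, sleep=0.5, timeout=1.25,
                     clock=slow_clock.time, sleeper=slow_clock.sleep)
    return ready, ok_clock.now, never, slow_clock.now


if __name__ == "__main__":
    print(demo())  # (True, 3.5, False, 1.25)
```

The second run is the point of the helper: with a plain `time.sleep(0.5)` loop the timeout case would wake at 1.5 seconds, past the 1.25 second deadline; here the last sleep is trimmed to 0.25 seconds and the loop gives up exactly on time.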
URL: https://github.com/freeipa/freeipa/pull/5128
Author: fcami
Title: #5128: ipatests: kinit_as_user: collect kdcinfo.REALM on failure
Action: opened
PR body:
"""
When requesting a tgt fails after a password reset, collecting:
/var/lib/sss/pubconf/kdcinfo.$REALM
will help determine how SSSD was selecting which KRB5KDC to use.
Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5128/head:pr5128
git checkout pr5128
URL: https://github.com/freeipa/freeipa/pull/5167
Author: tiran
Title: #5167: Speed up PKI installer steps
Action: opened
PR body:
"""
## Skip duplicate import of cert profiles
All supported Dogtag versions import the cert profiles during pkispawn
when using the LDAP profile backend.
This reduces the installation time by 9 to 14 seconds.
## Dogtag: Remove set_audit_renewal step
The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see https://github.com/dogtagpki/pki/commit/f5b8ea5b087f642a0208c228dce6f700cd7…
The update step would also no longer work. Profiles were migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.
Win: 11 to 50 seconds
## Spawn PKI: Execute more steps early
Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.
Total: ~30s to ~90s
Related: https://pagure.io/freeipa/issue/8521
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5167/head:pr5167
git checkout pr5167
URL: https://github.com/freeipa/freeipa/pull/5164
Author: tiran
Title: #5164: Speed up DS related installer steps
Action: opened
PR body:
"""
## Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root.
cn=root-autobind,cn=config entry is no longer needed.
## Skip offline dse.ldif patching by default
The installer now stops and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step. This speeds up the installer by 4 or more seconds on a fast system.
## Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
Total speedup: ~10s
Related: https://pagure.io/freeipa/issue/8521
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5164/head:pr5164
git checkout pr5164
URL: https://github.com/freeipa/freeipa/pull/5135
Author: menonsudhir
Title: #5135: ipatests: ipa-healthcheck test fixes running on RHEL
Action: opened
PR body:
"""
ipatests: ipa-healthcheck test fixes running on RHEL
1. Added a function in tasks.py to get the healthcheck version.
2. Added if/else conditions to certain tests to check the healthcheck version and then assert the expected test output.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5135/head:pr5135
git checkout pr5135
URL: https://github.com/freeipa/freeipa/pull/5166
Author: tiran
Title: #5166: Retry chronyc waitsync only once
Action: opened
PR body:
"""
It's unlikely that a third chrony synchronization attempt is going to
succeed after the first two attempts have failed. Only retry chronyc
waitsync once. Each retry adds a 10 second delay.
This speeds up the installer by 10 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5166/head:pr5166
git checkout pr5166
URL: https://github.com/freeipa/freeipa/pull/5168
Author: tiran
Title: #5168: [Backport][ipa-4-8] configure_dns_resolver: call self.restore_context
Action: opened
PR body:
"""
This PR was opened automatically because PR #5162 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5168/head:pr5168
git checkout pr5168