URL: https://github.com/freeipa/freeipa/pull/5313
Author: fcami
Title: #5313: Gracefully handle Nsds5replicalastupdateend's absence
Action: opened
PR body:
"""
https://pagure.io/freeipa/issue/8605
ipa-replica-manage: handle missing attributes
If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.
ipa-replica-manage: always display nsds5replicalastinitstatus
If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.
ipalib/util.py: add print_replication_status
ipa-csreplica-manage, ipa-replica-manage: refactor
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5313/head:pr5313
git checkout pr5313
URL: https://github.com/freeipa/freeipa/pull/5460
Author: wladich
Title: #5460: ipatests: use pexpect for controlling interactive command line utilities
Action: opened
PR body:
"""
This PR adds a tests-oriented wrapper for the pexpect module.
The pexpect module can be used for controlling and testing interactive command-line programs. The wrapper adds testing-oriented features like logging, automatic process termination, and a default check for process exit status.
Invocation of `ktutil` on systems with an old version of `readline` is fixed using `pexpect`.
A few tests in `test_adtrust_install` were refactored to utilize `pexpect` to improve the tests and provide a usage example.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5460/head:pr5460
git checkout pr5460
URL: https://github.com/freeipa/freeipa/pull/5486
Author: stanislavlevin
Title: #5486: [ipatests][Azure Pipelines] Populate containers with self-AAAA records
Action: opened
PR body:
"""
- IPA server's AAAA records in embedded DNS mode depend on the result of the `get_server_ip_address` function (`ipaserver.install.installutils`), which in turn relies on NSS. In the case of Azure Pipelines, there are neither IPv6 records in '/etc/hosts' nor an external DNS that could provide them. This leads to missing AAAA records for the master and missing AAAA records for `ipa-ca` pointing to the master in embedded DNS. In particular, the tests `test_ipa_healthcheck_no_errors` and `test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where the `ipa-ca` record exists only for the replica.
Note: since most of the code in setup_containers was touched, it has been reformatted.
- Handle AAAA records in test_ipa_dns_systemrecords_check
Fixes: https://pagure.io/freeipa/issue/8683
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5486/head:pr5486
git checkout pr5486
URL: https://github.com/freeipa/freeipa/pull/5071
Author: fcami
Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
Action: opened
PR body:
"""
Some IPA updates are expensive in terms of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.
When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor of the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.
Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.
Explanation provided by Thierry Bordaz.
Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5071/head:pr5071
git checkout pr5071
URL: https://github.com/freeipa/freeipa/pull/5444
Author: flo-renaud
Title: #5444: Various dnssec fixes
Action: opened
PR body:
"""
### dnssec: fix the key type with OpenDNSSEC 2.1
### ipatests: add a test for ZSK/KSK keytype in DNSKEY record
### OpenDNSSEC: fix timezone in key creation date
+ Run a temp commit using @tbordaz's fix for 389ds sync_repl issue
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5444/head:pr5444
git checkout pr5444
URL: https://github.com/freeipa/freeipa/pull/5176
Author: fcami
Title: #5176: freeipa.spec.in: depend on libsss_sudo
Action: opened
PR body:
"""
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
Depend on libsss_sudo to make sure all IPA servers can have sudo.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5176/head:pr5176
git checkout pr5176
URL: https://github.com/freeipa/freeipa/pull/5485
Author: rcritten
Title: #5485: Ensure IPA is running (ideally) before uninstalling the KRA
Action: opened
PR body:
"""
Ensure IPA is running (ideally) before uninstalling the KRA
The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.
1. Move the KRA uninstall call prior to stopping all IPA
services
2. Try to start IPA if it isn't running and a KRA is configured
It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.
https://pagure.io/freeipa/issue/8550
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
This also removes two deprecated API warnings from dogtag and changes a log level from info to debug to suppress unnecessary output.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5485/head:pr5485
git checkout pr5485