URL: https://github.com/freeipa/freeipa/pull/5144
Author: tiran
Title: #5144: Reduce runtime of server installer by nearly a minute
Action: opened
PR body:
"""
This experimental patch speeds up installer by tightening poll/sleep loops, reducing timeouts for DNS and NTP to a sensible value, avoiding duplicate work.
## Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.
## Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shaves off
15 to 20 seconds from ipa-server-install while marginally increasing
load on the system.
## Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root.
cn=root-autobind,cn=config entry is no longer needed.
## Skip offline dse.ldif patching by default
The installer now stops and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.
This speeds up installer by 4 or more seconds on a fast system.
## Retry chronyc waitsync only once
It's unlikely that a third chrony synchronization attempt is going to
succeed after the first two attempts have failed. Only retry chronyc
waitsync once. Each retry adds a 10 second delay.
This speeds up the installer by 10 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
## Reduce CA record DNS timeout to 10s
30 seconds is still a lot of time for a DNS query. Clients typically
do not wait that long. OpenSSH uses 10 seconds for reverse DNS lookup.
That's considered a long timeout already. It's unlikely that a DNS query
is going to succeed after 10 seconds of failed lookups.
At this point during the installer IPA's BIND DNS instance has been
running long enough to be fully available, too.
The changeset reduces installation time by 40 seconds when ipa-ca DNS
has not been created yet.
See: https://pagure.io/freeipa/issue/6176
## Skip duplicate import of cert profiles
All supported Dogtag versions import the cert profiles during pkispawn
when using the LDAP profile backend.
This reduces the installation time by 9 to 14 seconds.
## Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8493
## Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
## Add timings to install logs
The logging manager now adds timings for installation steps to the
installer logs. The information can be extracted and dumped to a CSV
file with a simple grep command:
grep -Po 'TIMING: \K.*' /var/log/ipaserver.log > ipaserver.csv
## Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.
Add AD-Trust, DNS, KRA, and replica log files to backups.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5144/head:pr5144
git checkout pr5144
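A deadline-aware poll loop of the kind the PR body describes, as an added example (not the PR's Sleeper class or any FreeIPA code). The names `poll_until` and `PollTimeout` are hypothetical; the 0.5 second default interval is the certmonger value quoted above.

```python
import time


class PollTimeout(Exception):
    """Raised when the condition is still false at the deadline."""


def poll_until(check, timeout, interval=0.5,
               clock=time.monotonic, sleep=time.sleep):
    """Call check() until it returns a truthy value or `timeout` seconds pass.

    Edge cases handled: check() runs at least once even with timeout=0,
    it runs one final time exactly at the deadline, and the last sleep is
    shortened so the loop never sleeps past the deadline. A monotonic
    clock is used so NTP steps during installation cannot stretch or
    shrink the timeout.
    """
    deadline = clock() + timeout
    while True:
        result = check()
        if result:
            return result
        remaining = deadline - clock()
        if remaining <= 0:
            raise PollTimeout(f"condition not met within {timeout}s")
        # Never sleep past the deadline: shorten the final nap.
        sleep(min(interval, remaining))


if __name__ == "__main__":
    # Constructed stand-in for a request that completes after ~1.2 seconds.
    start = time.monotonic()
    print(poll_until(lambda: time.monotonic() - start > 1.2, timeout=5))
```
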
URL: https://github.com/freeipa/freeipa/pull/5182
Author: tiran
Title: #5182: Speed up cainstance.migrate_profiles_to_ldap
Action: opened
PR body:
"""
The ra_certprofile API is slow. It takes ~200ms to migrate and enable a
profile even when the profile is already available. The migration step
slows down the installer and upgrader by about 12 to 15 seconds.
Skip all profiles that have been imported by Dogtag already.
Related: https://pagure.io/freeipa/issue/8522
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5182/head:pr5182
git checkout pr5182
URL: https://github.com/freeipa/freeipa/pull/5198
Author: fcami
Title: #5198: tox.ini: Extend max-line-length from 80 to 88+
Action: opened
PR body:
"""
Change tox.ini's 80c character limit to 88.
- 88 is the limit for a font size of 14 on a FHD (1920x1200) screen
with two editors side-by-side.
- A too-high number can become an issue for potential contributors
with eyesight problems. So we want to avoid that.
Fixes: https://pagure.io/freeipa/issue/8546
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5198/head:pr5198
git checkout pr5198
URL: https://github.com/freeipa/freeipa/pull/5193
Author: flo-renaud
Title: #5193: [Backport][ipa-4-8] ipatests: run freeipa-healthcheck on hidden replica
Action: opened
PR body:
"""
This PR was opened automatically because PR #5184 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5193/head:pr5193
git checkout pr5193
URL: https://github.com/freeipa/freeipa/pull/5195
Author: flo-renaud
Title: #5195: [Backport][ipa-4-8] ipatests: properly handle journalctl return code
Action: opened
PR body:
"""
This PR was opened automatically because PR #5194 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5195/head:pr5195
git checkout pr5195
URL: https://github.com/freeipa/freeipa/pull/5194
Author: flo-renaud
Title: #5194: ipatests: properly handle journalctl return code
Action: opened
PR body:
"""
The test test_installation.py::TestInstallMaster::test_selinux_avcs
is failing when no AVCs are detected because it is calling
journalctl --full --grep=AVC --since=yesterday
and the command exits with return code 1.
Call the command with raiseonerr=False to support this case.
Fixes: https://pagure.io/freeipa/issue/8541
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5194/head:pr5194
git checkout pr5194
URL: https://github.com/freeipa/freeipa/pull/5192
Author: flo-renaud
Title: #5192: [Backport][ipa-4-8] rpmspec: ensure ipa snippet for sshd is always included
Action: opened
PR body:
"""
This PR was opened automatically because PR #5190 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5192/head:pr5192
git checkout pr5192
URL: https://github.com/freeipa/freeipa/pull/5190
Author: flo-renaud
Title: #5190: rpmspec: ensure ipa snippet for sshd is always included
Action: opened
PR body:
"""
When openssh-server > 8.2 is installed, ipa rpmspec moves its
configuration directives to /etc/ssh/sshd_config.d/04-ipa.conf
but doesn't check that the 04-ipa.conf is included from
/etc/ssh/sshd_config.
The fix ensures that the snippet is always included, either
through the line Include /etc/ssh/sshd_config.d/*.conf or
directly with Include /etc/ssh/sshd_config.d/04-ipa.conf
Fixes: https://pagure.io/freeipa/issue/8535
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5190/head:pr5190
git checkout pr5190
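One way to audit the condition this PR describes, as an added example (not the rpmspec scriptlet or any FreeIPA code): given the text of /etc/ssh/sshd_config, decide whether an unconditional Include directive covers the 04-ipa.conf snippet. The function names are hypothetical and the sample configurations in the test are constructed.

```python
import fnmatch
import posixpath
import re
import shlex

SSHD_DIR = "/etc/ssh"  # sshd resolves relative Include paths against this
IPA_SNIPPET = "/etc/ssh/sshd_config.d/04-ipa.conf"  # path named in the PR


def _covers(pattern, path):
    """Glob match per path component, so '*' never crosses a '/'."""
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    return len(pat_parts) == len(path_parts) and all(
        fnmatch.fnmatchcase(part, pat)
        for pat, part in zip(pat_parts, path_parts))


def snippet_included(config_text, snippet=IPA_SNIPPET):
    """Return True if an Include outside any Match block covers `snippet`."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        # Keywords are case-insensitive; "Keyword value" and "Keyword=value"
        # are both accepted by sshd.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2)
        if keyword == "match":
            # Everything after the first Match line is conditional, so an
            # Include found there does not guarantee the snippet is read.
            return False
        if keyword != "include":
            continue
        try:
            patterns = shlex.split(args)  # Include accepts several paths
        except ValueError:
            continue  # unbalanced quotes: treat the line as unusable
        for pattern in patterns:
            if not posixpath.isabs(pattern):
                pattern = posixpath.join(SSHD_DIR, pattern)
            if _covers(pattern, snippet):
                return True
    return False
```

The check only establishes that the snippet is read; because sshd uses the first value it obtains for each keyword, where the Include line sits relative to other directives still matters.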
URL: https://github.com/freeipa/freeipa/pull/5189
Author: tiran
Title: #5189: [Backport][ipa-4-8] Lookup ipa-ca record with NSS
Action: opened
PR body:
"""
Manual backport of PR #5174
DNS data management now uses NSS's getaddrinfo() instead of direct DNS
queries to resolve the ipa-ca record. This fixes missing ipa-ca records
when the current hostname is not resolvable in DNS but has correct
records in /etc/hosts.
Reduce timeout to 15 seconds and tighten timeout loop.
The changeset can speed up installation by almost 60 seconds.
ipa-server-install without built-in DNS calls into DNS data management
twice with a timeout of 30 seconds for each call.
Fixes: https://pagure.io/freeipa/issue/8529
Related: https://pagure.io/freeipa/issue/8521
Related: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5189/head:pr5189
git checkout pr5189