FreeIPA: disable dnssec validation till weird bug is fixed

I noticed today that if we deploy FreeIPA with dnssec validation
enabled, dnf can't resolve dl.fedoraproject.org afterwards, which
is a problem because it means we wind up falling through to
random mirrors for metadata and package download once the server
is deployed, which can be slow and give old packages. This seems
to be why the server upgrade test on F33 is sometimes failing
because we get an older FreeIPA package on upgrade, even though
the newer one has been stable for a week.

It's difficult to pin down exactly where this bug is and fix it.
I've mailed some folks to try and work it out, but until that's
figured out, let's just disable dnssec validation.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Adam Williamson 2020-10-23 11:38:01 -07:00
parent 0d8ceec820
commit a9704de4bd
2 changed files with 2 additions and 2 deletions


@ -56,7 +56,7 @@ sub run {
# deploy as a replica
my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
my $args = "--ip-address=$ip --setup-dns --no-dnssec-validation --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
assert_script_run "ipa-replica-install $args", 1500;
# enable and start the systemd service
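Review bot: the `--no-dnssec-validation` flag added to `$args` for `ipa-replica-install` carries no comment marking it as a temporary workaround, so nothing in the file says why validation is off or when the flag can be removed. Suggest a comment directly above the `my $args` line stating that it is there because dnf could not resolve dl.fedoraproject.org with validation enabled, and that it should be dropped once that is understood and fixed.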


@ -38,7 +38,7 @@ sub run {
}
assert_script_run "systemctl restart firewalld.service";
# deploy the server
my $args = "-U --auto-forwarders --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
my $args = "-U --auto-forwarders --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-dnssec-validation --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
assert_script_run "ipa-server-install $args", 1200;
# enable and start the systemd service
assert_script_run "systemctl enable ipa.service";
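Review bot: in the `ipa-server-install` arguments the flag is added unconditionally and nothing after the install step checks the symptom it works around, so the test cannot show when validation is safe to turn back on. Consider adding a check after deployment that dl.fedoraproject.org resolves from the deployed server. With that in place, removing `--no-dnssec-validation` later either passes or fails on the actual resolution problem rather than on a stale package during the upgrade test.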