Hi, this patch modifies ipa-server-install to warn the user if there is a lack of entropy. It also runs generate-rndc-key.sh before the named restart, to ensure that it can start before systemd times out.
Thanks,
Adam
>From d405cea8dae5a03ab0f9d429d3251e8be9ae9fe2 Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki <amisn...@redhat.com> Date: Wed, 16 Apr 2014 16:11:33 +0200 Subject: [PATCH] Call generate-rndc-key.sh during ipa-server-install Since systemd has by default a 2 minute timeout to start a service, the end of ipa-server-install might fail because starting named times out. This patch ensures that generate-rndc-key.sh runs before named service restart. Also, warning message is displayed before KDC install and generate-rndc-key.sh, if there is a lack of entropy, to notify the user that the process could take more time than expected. https://fedorahosted.org/freeipa/ticket/4210 --- install/tools/ipa-server-install | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 34393b7df0a95a76b0c2660dcaafca13b21d2dfb..0e8a21cecc50578bc8bea84df3b7dc7afca1624e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -38,6 +38,7 @@ import nss.error import base64 import pwd import textwrap +import string from optparse import OptionGroup, OptionValueError try: @@ -568,6 +569,14 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base): conn.update_entry(entry_attrs) conn.disconnect() +def check_entropy(): + try: + with open('/proc/sys/kernel/random/entropy_avail', 'r') as efname: + if string.atoi(efname.read()) < 200: + service.print_msg("WARNING: Your system is running out of entropy, expect long delays!") + except: + service.print_msg("Could not determine entropy, possible long delays") + def main(): global ds @@ -1119,6 +1128,7 @@ def main(): # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db() + check_entropy() krb = krbinstance.KrbInstance(fstore) if options.pkinit_pkcs12: krb.create_instance(realm_name, host_name, domain_name, 
@@ -1175,6 +1185,12 @@ def main(): service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + # Make sure generate-rndc-key.sh runs before named restart + if options.setup_dns: + check_entropy() + service.print_msg("Generate rndc key file") + run(['/usr/libexec/generate-rndc-key.sh']) + # Create a BIND instance bind = bindinstance.BindInstance(fstore, dm_password) bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, -- 1.9.0
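Review bot: In check_entropy() (hunk at @@ -568,6 +569,14), the bare "except:" also catches KeyboardInterrupt and SystemExit, so an interrupt during the read is reported as "Could not determine entropy" instead of stopping the installer. Narrow it to "except (IOError, ValueError):". string.atoi() is deprecated; int(efname.read()) does the same job and makes the "import string" added in the first hunk unnecessary. The threshold 200 is a magic number: give it a named constant with a comment saying why that value was chosen, and add a docstring to the function.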
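Review bot: In the "if options.setup_dns:" block (hunk at @@ -1175,6 +1185,12), the script path is hardcoded in run(['/usr/libexec/generate-rndc-key.sh']); a named constant would make it easier to adjust on platforms where the script lives elsewhere. Nothing in the visible lines handles a failure of that call, so please state, and handle, whether a failing script should abort the installation or only print a warning and let the named start proceed. check_entropy() is now called a second time here, so the user can see the identical warning twice; consider passing the name of the step that is about to run so that each message says what may be slow.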
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel