From 71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa Mon Sep 17 00:00:00 2001 From: Adam Misnyovszki Date: Fri, 18 Apr 2014 15:44:11 +0200 Subject: Call generate-rndc-key.sh during ipa-server-install Since systemd has by default a 2 minute timeout to start a service, the end of ipa-server-install might fail because starting named times out. This patch ensures that generate-rndc-key.sh runs before named service restart. Also, warning message is displayed before KDC install and generate-rndc-key.sh, if there is a lack of entropy, to notify the user that the process could take more time than expected. Modifications done by Martin Kosek: - removed whitespace at the end of installutils.py - the warning in krbinstance.py moved right before the step requiring entropy - slightly reworded the warning message https://fedorahosted.org/freeipa/ticket/4210 Reviewed-By: Martin Kosek --- ipaserver/install/bindinstance.py | 7 +++++++ ipaserver/install/installutils.py | 20 +++++++++++++++++++- ipaserver/install/krbinstance.py | 3 +++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 613af5c91..c5ff76726 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -523,6 +523,9 @@ class BindInstance(service.Service): if installutils.record_in_hosts(self.ip_address, self.fqdn) is None: installutils.add_record_to_hosts(self.ip_address, self.fqdn) + # Make sure generate-rndc-key.sh runs before named restart + self.step("generating rndc key file", self.__generate_rndc_key) + if self.first_instance: self.step("adding DNS container", self.__setup_dns_container) @@ -820,6 +823,10 @@ class BindInstance(service.Service): except IOError as e: root_logger.error('Could not write to resolv.conf: %s', e) + def __generate_rndc_key(self): + installutils.check_entropy() + ipautil.run(['/usr/libexec/generate-rndc-key.sh']) + def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name, reverse_zone, ntp=False, ca_configured=None): self.fqdn = fqdn diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index daf81e890..7f15d3769 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -41,7 +41,7 @@ from ipalib.util import validate_hostname from ipapython import config from ipalib import errors from ipapython.dn import DN -from ipaserver.install import certs +from ipaserver.install import certs, service from ipapython import services as ipaservices # Used to determine install status @@ -846,3 +846,21 @@ def stopped_service(service, instance_name=""): finally: root_logger.debug('Starting %s%s.', service, log_instance_name) ipaservices.knownservices[service].start(instance_name) + +def check_entropy(): + ''' + Checks if the system has enough entropy, if not, displays warning message + ''' + try: + with open('/proc/sys/kernel/random/entropy_avail', 'r') as efname: + if int(efname.read()) < 200: + emsg = 'WARNING: Your system is running out of entropy, ' \ + 'you may experience long delays' + service.print_msg(emsg) + root_logger.debug(emsg) + except IOError as e: + root_logger.debug("Could not open /proc/sys/kernel/random/entropy_avail: %s" % \ + e) + except ValueError as e: + root_logger.debug("Invalid value in /proc/sys/kernel/random/entropy_avail %s" % \ + e) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index caa70a447..1cfaf3732 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -326,6 +326,9 @@ class KrbInstance(service.Service): os.chmod(path, chmod) def __init_ipa_kdb(self): + # kdb5_util may take a very long time when entropy is low + installutils.check_entropy() + #populate the directory with the realm structure args = ["kdb5_util", "create", "-s", "-r", self.realm, -- cgit