Failure in dnf install during PRCI tests

[flo-renaud]

The nightly tests that perform dnf install started recently to fail with the following error:

Error: Error downloading packages:
  Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-32&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org]
Exit code: 1
ipa: ERROR: stderr: Error: Error downloading packages:

The issue may be linked to commit df43a00: prevent NetworkManager from updating /etc/resolv.conf

The test have the following scenario:

• install IPA with embedded DNS
• do a backup
• uninstall IPA
• uninstall a package, for instance ipa-server-trust-ad
• try to restore IPA -> expected failure as a required pkg is missing
• reinstall the pkg -> unexpected failure

See for instance PR 4646, especially the test test_backup_and_restore_TestBackupAndRestoreTrust.

[fcami]

This also blocks PRs that would use tasks.install_packages like freeipa/freeipa#4676
@f-trivino could you please schedule time to fix this? Thanks!

[f-trivino]

I'm testing dnf install here:

freeipa-pr-ci2/freeipa#190

with

testing-fedora/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
testing-fedora/test_backup_and_restore_TestBackupAndRestoreWithDNSSEC
testing-fedora/test_backup_and_restore_TestBackupAndRestoreTrust

[rcritten]

Any update on this? It is blocking some tests needed for expiring password notifications.

[f-trivino]

I've tested pr-ci without commit: df43a00 and worksfine, the issue is not there.

https://github.com/bhavikbhavsar/freeipa/pulls

I send revert: #367

[wladich]

Without df43a00 NM is adding DNS server provided by dhcp on the first line of resolv.conf.
According to https://linux.die.net/man/5/resolv.conf, "The algorithm used is to try a name server, and if the query times out, try the next".

So it looks like that all our tests are actually not using IPA-configured DNS for any queries from master.
The fact that they pass can be explained with two observations:

1. All IPA topology members are mentioned in /etc/hosts.
2. Some tests do change contents of resolv.conf just before the test so that NM is unlikely to change it and break the test.

So the problem seems to be that IPA DNS is not forwarding queries to configured forwarder for some reason.

Why df43a00 was proposed:
There are new tests in freeipa/freeipa#4614 which rely on reading SRV records from AD domain via IPA DNS used as a forwarder. And I really do not want to follow the pattern of mangling resolv.conf inside the test as it is definitely not the way how users are expected to use the product.

[wladich]

The previous comment is wrong:

• resolv.conf on IPA master should not be updated thanks to config file provided by ipa-server-install
• ipatests: add test for kdcproxy handling reply split to several TCP packets freeipa#4614 experiences problems due to resolv.conf being modified only on client machines.

So I will modify the patch to alter only client machines.

[wladich]

PR for modifying NM config only on ipa clients: #373

[netoarmando]

PR #373 is closed and the way the DNS forwarder address is defined has changed by #410.