Request to incorporate install blocker fixes.

As root installer , I want permission changes on several files and some install timings so that installation doesn't fail on Ubuntu 18.04 LTS aka 'bionic'.

Issue

The permissions on several files block successful installation and first admin login of FreeIPA

Steps to Reproduce

1. Install all the necessary support packages, prep as per given advice (/etc/hosts and the like)
2. apt install freeipa-server-dns
3. run 'ipa-server-install --setup-dns
4. Note failures cured by fixes below.

Actual behavior

Install fails with complaints about DNS, permission issues, failure to wait for services to provide service after having been started. Even after all the fixes below... the ui checkbox which should be font-awsome square or square with a check is one of two unicode numbers within a square. Appears to be ssl related.

Expected behavior

Normal, complaint-free install, checkboxes are not unicode values within a square.

Version/Release/Distribution

4.7 pre1

Additional info:

Here's a set of work-arounds that avoid all the issues. It would be nice if the installer dropped no-longer-needed dependencies and otherwise avoided the need for these.

apt install freeipa-server-dns python-psutil haveged
#add dependencies to avoid later install fails and lengthy entropy gathering delays.

#Going for integrated DNS, get the high-overhead network manager and system resolver out.
systemctl disable systemd-resolved
systemctl disable network-manager
systemctl disable NetworkManager
mv /lib/systemd/system/NetworkManager.service NetworkManager.service.res
rm /etc/resolv.conf #It's a link to a stub resolver, replace it with
cat > /etc/resolv.con
nameserver 127.0.0.1
search your.domain
^D

clean the netplan directory, set up very simple file:
/etc/netplan/01-networkd.yaml with the below (change addresses and domains to yours):

network:
version: 2
renderer: networkd
ethernets:
ens3:
addresses:
- 192.168.who.knows/24
gateway4: 192.168.my.gateway
nameservers:
search: [privatesubdomain.domain.com, domain.com]
addresses: [127.0.0.1]

Then give these commands to avoid various install blocking complaints:

usermod bind -aG softhsm
mkdir /var/lib/softhsm/tokens
chown root:softhsm /var/lib/softhsm/tokens
chmod 0770 /var/lib/softhsm/tokens
chmod g+s /var/lib/softhsm/tokens

#see https://pagure.io/bind-dyndb-ldap/c/4fb51bac7f4f739975a2afb857b686869eff92b6?branch=master
#to learn the dependency on named-pkcs11 is a legacy workaround for a fixed fedora issue.
mv /usr/sbin/named-pkcs11 /usr/sbin/named-pkcs11-dpkg-dist
cp /usr/sbin/named /usr/sbin/named-pkcs11
#Without the above, assertions about an empty domain crash named-pkcs11.

To these two files, add right after 'import time', add 'import psutil'.
/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py
/usr/lib/python2.7/dist-packages/ipaserver/install/bindinstance.py

To these, add
while psutil.cpu_percent() > 9: time.sleep(2)

in the following places:

right after self.restart() in start in bindinstance.py . Avoids crash due to dns lookup failure.
and __inside the loop following time.sleep(80) in migrate_profiles_to_ldap

I think the whole 'time.sleep(...) notion is a very non-robust way to ensure the recently (re) started service is available for the immediately following setup code. Better to set up a routine which measures system resources then returns when nearly idle, and blocks the installer from running should it detect a busy system.

The assumption here is the only process of consequence running is the installer. There are other race conditions that lead to install failure, but setting 3 or more processor cores and 4gb of memory avoids them. Without the above two changes complaints about no ipa_ca entry happen, failure to install SSH.. records, or just a bailout around installer step 24/28.

Reboot, then ipa-install-server --setup-dns --no-forwarders finishes without error.

chgrp ipaapi /var/lib/krb5kdc #so freeipa admin log in can find key.
chmod g+rx /var/lib/krb5kdc