Convert domain controller test not to use rolekit

Rolekit is going away. At least for the F29 cycle, though, we
still want to test basically the same functionality. This ports
the 'domain controller role' test to use ipa-server-install
directly rather than rolectl.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Adam Williamson 2018-07-09 15:43:05 -07:00
parent 1c1b33840f
commit 7e7016ea14
2 changed files with 96 additions and 56 deletions


@ -28,49 +28,71 @@ sub run {
assert_script_run 'mkdir -p /etc/ipa'; assert_script_run 'mkdir -p /etc/ipa';
assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf'; assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf';
# read DNS server IPs from host's /etc/resolv.conf for passing to # read DNS server IPs from host's /etc/resolv.conf for passing to
# rolectl # ipa-server-install / rolectl
my @forwards = get_host_dns(); my @forwards = get_host_dns();
# we are now gonna work around a stupid bug in rolekit. we want to # from here we branch: for F28 and earlier we use rolekit as
# pass it a list of ipv4 DNS forwarders and have no ipv6 DNS # always, for F29+ we deploy directly ourselves as rolekit is
# forwarders. but it won't allow you to have a dns_forwarders array # deprecated
# with a "ipv4" list but no "ipv6" list, any values in the "ipv6" my $version = get_var("VERSION");
# list must be contactable (so we can't use real IPv6 DNS servers # for upgrade tests we need to check CURRREL not VERSION
# as we have no IPv6 connectivity), and if you use an empty list $version = get_var("CURRREL") if (get_var("UPGRADE"));
# as the "ipv6" value you often hit a weird DBus error "unable to if ($version < 29 && $version ne 'Rawhide') {
# guess signature from an empty list". Fortunately, rolekit doesn't # we are now gonna work around a stupid bug in rolekit. we want to
# actually check that the values in the lists are really IPv6 / # pass it a list of ipv4 DNS forwarders and have no ipv6 DNS
# IPv4, it just turns all the values in each list into --forwarder # forwarders. but it won't allow you to have a dns_forwarders array
# args for ipa-server-install. So we can just stuff IPv4 values # with a "ipv4" list but no "ipv6" list, any values in the "ipv6"
# into both lists. rolekit bug: # list must be contactable (so we can't use real IPv6 DNS servers
# https://github.com/libre-server/rolekit/issues/64 # as we have no IPv6 connectivity), and if you use an empty list
# it should be fixed relatively soon. # as the "ipv6" value you often hit a weird DBus error "unable to
my $fourlist; # guess signature from an empty list". Fortunately, rolekit doesn't
my $sixlist; # actually check that the values in the lists are really IPv6 /
if (scalar @forwards == 1) { # IPv4, it just turns all the values in each list into --forwarder
# we've only got one server, so dupe it, best we can do # args for ipa-server-install. So we can just stuff IPv4 values
$fourlist = '["' . $forwards[0] . '"]'; # into both lists. rolekit bug:
$sixlist = $fourlist; # https://github.com/libre-server/rolekit/issues/64
# it should be fixed relatively soon.
my $fourlist;
my $sixlist;
if (scalar @forwards == 1) {
# we've only got one server, so dupe it, best we can do
$fourlist = '["' . $forwards[0] . '"]';
$sixlist = $fourlist;
}
else {
# put the first value in the 'IPv4' list and all the others in
# the 'IPv6' list
$fourlist = '["' . shift(@forwards) . '"]';
$sixlist = '["' . join('","', @forwards) . '"]';
}
# deploy the domain controller role, specifying an admin password
# and the list of DNS server IPs as JSON via stdin. If we don't do
# this, rolectl defaults to using the root servers as forwarders
# (it does not copy the settings from resolv.conf), which give the
# public results for mirrors.fedoraproject.org, some of which
# things running in phx2 cannot reach; we must make sure the phx2
# deployments use the phx2 nameservers.
assert_script_run 'echo \'{"admin_password":"monkeys123","dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200;
} }
else { else {
# put the first value in the 'IPv4' list and all the others in # this is the other side of the version branch - we're on 29+,
# the 'IPv6' list # so no rolekit. First install the necessary packages
$fourlist = '["' . shift(@forwards) . '"]'; assert_script_run "dnf -y groupinstall freeipa-server", 600;
$sixlist = '["' . join('","', @forwards) . '"]'; # configure the firewall
} for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
# deploy the domain controller role, specifying an admin password assert_script_run "firewall-cmd --permanent --add-service $service";
# and the list of DNS server IPs as JSON via stdin. If we don't do }
# this, rolectl defaults to using the root servers as forwarders assert_script_run "systemctl restart firewalld.service";
# (it does not copy the settings from resolv.conf), which give the # deploy the server
# public results for mirrors.fedoraproject.org, some of which my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-reverse";
# things running in phx2 cannot reach; we must make sure the phx2 for my $fwd (@forwards) {
# deployments use the phx2 nameservers. $args .= " --forwarder=$fwd";
assert_script_run 'echo \'{"admin_password":"monkeys123","dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200; }
# FIXME: workaround for RHBZ #1400293 on Fedora 24. Can be removed assert_script_run "ipa-server-install $args", 1200;
# when Firefox is fixed. # enable and start the systemd service
my $release = lc(get_var('VERSION')); assert_script_run "systemctl enable ipa.service";
if ($release ne "rawhide" && $release < 25) { assert_script_run "systemctl start ipa.service", 300;
assert_script_run 'ipa-getcert resubmit -d /etc/httpd/alias -n Server-Cert -D $( uname -n )';
} }
# kinit as admin # kinit as admin
assert_script_run 'echo "monkeys123" | kinit admin'; assert_script_run 'echo "monkeys123" | kinit admin';
# set up an OTP for client001 enrolment (it will enrol with a kickstart) # set up an OTP for client001 enrolment (it will enrol with a kickstart)
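Review bot: The new branch condition `if ($version < 29 && $version ne 'Rawhide')` compares case-sensitively and runs the numeric test first, whereas the block this commit removes lower-cased VERSION and compared it against "rawhide". If the variable can arrive in either case, a lower-case value would numify to 0 and take the rolekit path, and even with the expected spelling the `<` on a non-numeric string warns under `use warnings`. Putting the string test first avoids both: `if (lc($version) ne 'rawhide' && $version < 29) {`. The same condition is repeated in the second file's hunk and needs the same change. Separately, `$fwd` is appended unquoted to the `ipa-server-install` command string, so each value should be matched against an IP-address pattern before use; `run` starts before and continues after this hunk.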


@ -8,23 +8,41 @@ sub run {
my $self = shift; my $self = shift;
# if this is an update, notify clients that we're now up again # if this is an update, notify clients that we're now up again
mutex_create('server_upgraded') if get_var("UPGRADE"); mutex_create('server_upgraded') if get_var("UPGRADE");
# check the role status, should be 'running' # from here we branch: for F28 and earlier we use rolekit as
validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ }; # always, for F29+ we decommission directly ourselves as rolekit
# check the admin password is listed in 'settings' # is deprecated
validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ }; my $version = get_var("VERSION");
# sanitize the settings # for upgrade tests we need to check CURRREL not VERSION
assert_script_run 'rolectl sanitize domaincontroller/domain.local'; $version = get_var("CURRREL") if (get_var("UPGRADE"));
# check the password now shows as 'None' if ($version < 29 && $version ne 'Rawhide') {
validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ }; # check the role status, should be 'running'
# once child jobs are done, stop the role validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ };
wait_for_children; # check the admin password is listed in 'settings'
assert_script_run 'rolectl stop domaincontroller/domain.local'; validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ };
# check role is stopped # sanitize the settings
validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ }; assert_script_run 'rolectl sanitize domaincontroller/domain.local';
# decommission the role # check the password now shows as 'None'
assert_script_run 'rolectl decommission domaincontroller/domain.local', 300; validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ };
# check role is decommissioned # once child jobs are done, stop the role
validate_script_output 'rolectl list instances', sub { $_ eq "" }; wait_for_children;
assert_script_run 'rolectl stop domaincontroller/domain.local';
# check role is stopped
validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ };
# decommission the role
assert_script_run 'rolectl decommission domaincontroller/domain.local', 300;
# check role is decommissioned
validate_script_output 'rolectl list instances', sub { $_ eq "" };
}
else {
# once child jobs are done, stop the server
wait_for_children;
assert_script_run 'systemctl stop ipa.service';
# check server is stopped
assert_script_run '! systemctl is-active ipa.service';
# decommission the server
assert_script_run 'ipa-server-install -U --uninstall', 300;
# FIXME check server is decommissioned...how?
}
# run post-fail hook to upload logs - even when this test passes # run post-fail hook to upload logs - even when this test passes
# there are often cases where we need to see the logs (e.g. client # there are often cases where we need to see the logs (e.g. client
# test failed due to server issue) # test failed due to server issue)
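Review bot: The F29+ teardown branch asserts less than the rolekit branch beside it: `! systemctl is-active ipa.service` also succeeds when the unit ended up failed rather than cleanly stopped, and nothing is checked after the uninstall (the FIXME). Adding `assert_script_run '! systemctl is-failed ipa.service';` after the stop would separate those two cases. The rolekit path also verified that the stored `dm_password` was sanitized. The new path has no equivalent, although the other file passes both passwords on the `ipa-server-install` command line and the post-fail hook uploads logs, so a check that the password does not appear in those logs may be worth adding. `run` begins before and continues after this hunk.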