diff --git a/templates b/templates index 5c8371fd..fbec8c6b 100755 --- a/templates +++ b/templates @@ -754,6 +754,39 @@ }, test_suite => { name => "realmd_join_sssd" }, }, + { + machine => { name => "64bit" }, + prio => 20, + product => { + arch => "x86_64", + distri => "fedora", + flavor => "Server-dvd-iso", + version => "*", + }, + test_suite => { name => "server_freeipa_replication_master" }, + }, + { + machine => { name => "64bit" }, + prio => 20, + product => { + arch => "x86_64", + distri => "fedora", + flavor => "Server-dvd-iso", + version => "*", + }, + test_suite => { name => "server_freeipa_replication_replica" }, + }, + { + machine => { name => "64bit" }, + prio => 20, + product => { + arch => "x86_64", + distri => "fedora", + flavor => "Server-dvd-iso", + version => "*", + }, + test_suite => { name => "server_freeipa_replication_client" }, + }, { machine => { name => "64bit" }, prio => 20, @@ -5363,6 +5396,59 @@ { key => "WORKER_CLASS", value => "tap" }, ], }, + { + name => "server_freeipa_replication_master", + settings => [ + { key => "POSTINSTALL", value => "role_deploy_domain_controller role_deploy_domain_controller_check" }, + { key => "USER_LOGIN", value => "false" }, + { key => "ROOT_PASSWORD", value => "weakpassword" }, + { key => "GRUB_POSTINSTALL", value => "net.ifnames=0 biosdevname=0" }, + { key => "FREEIPA_REPLICA_MASTER", value => "1" }, + { key => "START_AFTER_TEST", value => "install_default_upload" }, + { key => "BOOTFROM", value => "c" }, + { key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" }, + { key => "GRUB", value => "net.ifnames=0 biosdevname=0" }, + { key => "POST_STATIC", value => "10.0.2.106 ipa002.domain.local" }, + { key => "NICTYPE", value => "tap" }, + { key => "WORKER_CLASS", value => "tap" }, + ], + }, + { + name => "server_freeipa_replication_replica", + settings => [ + { key => "POSTINSTALL", value => "realmd_join_sssd" }, + { key => "USER_LOGIN", value => "false" }, + { key => "ROOT_PASSWORD", value => "weakpassword" }, + { key => "GRUB_POSTINSTALL", value => "net.ifnames=0 biosdevname=0" }, + { key => "FREEIPA_REPLICA", value => "1" }, + { key => "START_AFTER_TEST", value => "install_default_upload" }, + { key => "PARALLEL_WITH", value => "server_freeipa_replication_master" }, + { key => "BOOTFROM", value => "c" }, + { key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" }, + { key => "GRUB", value => "net.ifnames=0 biosdevname=0" }, + { key => "POST_STATIC", value => "10.0.2.107 ipa003.domain.local" }, + { key => "NICTYPE", value => "tap" }, + { key => "WORKER_CLASS", value => "tap" }, + ], + }, + { + name => "server_freeipa_replication_client", + settings => [ + { key => "POSTINSTALL", value => "realmd_join_sssd freeipa_client" }, + { key => "USER_LOGIN", value => "false" }, + { key => "ROOT_PASSWORD", value => "weakpassword" }, + { key => "GRUB_POSTINSTALL", value => "net.ifnames=0 biosdevname=0" }, + { key => "FREEIPA_REPLICA_CLIENT", value => "1" }, + { key => "START_AFTER_TEST", value => "install_default_upload" }, + { key => "PARALLEL_WITH", value => "server_freeipa_replication_replica" }, + { key => "BOOTFROM", value => "c" }, + { key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" }, + { key => "GRUB", value => "net.ifnames=0 biosdevname=0" }, + { key => "POST_STATIC", value => "10.0.2.108 client005.domain.local" }, + { key => "NICTYPE", value => "tap" }, + { key => "WORKER_CLASS", value => "tap" }, + ], + }, { name => "server_role_deploy_database_server", settings => [ diff --git a/tests/realmd_join_sssd.pm b/tests/realmd_join_sssd.pm index 3e67d901..3d1877f6 100644 --- a/tests/realmd_join_sssd.pm +++ b/tests/realmd_join_sssd.pm @@ -2,25 +2,82 @@ use base "installedtest"; use strict; use testapi; use lockapi; +use mmapi; use tapnet; use utils; sub run { my $self=shift; - # use FreeIPA server as DNS server - assert_script_run "printf 'search domain.local\nnameserver 10.0.2.100' > /etc/resolv.conf"; + # use FreeIPA server or replica as DNS server + my $server = 'ipa001.domain.local'; + my $server_ip = '10.0.2.100'; + my $server_mutex = 'freeipa_ready'; + if (get_var("FREEIPA_REPLICA")) { + $server = 'ipa002.domain.local'; + $server_ip = '10.0.2.106'; + } + if (get_var("FREEIPA_REPLICA_CLIENT")) { + $server = 'ipa003.domain.local'; + $server_ip = '10.0.2.107'; + $server_mutex = 'replica_ready'; + } + assert_script_run "printf 'search domain.local\nnameserver ${server_ip}' > /etc/resolv.conf"; assert_script_run "sed -i -e '/^DNS.*/d' /etc/sysconfig/network-scripts/ifcfg-eth0"; - assert_script_run "printf '\nDNS1=10.0.2.100\n' >> /etc/sysconfig/network-scripts/ifcfg-eth0"; - # wait for the server to be ready (do it now just to make sure name - # resolution is working before we proceed) - mutex_lock "freeipa_ready"; - mutex_unlock "freeipa_ready"; + assert_script_run "printf '\nDNS1=${server_ip}\n' >> /etc/sysconfig/network-scripts/ifcfg-eth0"; + # wait for the server or replica to be ready (do it now just to be + # sure name resolution is working before we proceed) + mutex_lock $server_mutex; + mutex_unlock $server_mutex; # use compose repo, disable u-t, etc. unless this is an upgrade # test (in which case we're on the 'old' release at this point; # one of the upgrade test modules does repo_setup later) repo_setup() unless get_var("UPGRADE"); # do the enrolment - assert_script_run "echo 'monkeys123' | realm join --user=admin ipa001.domain.local", 300; + if (get_var("FREEIPA_REPLICA")) { + # here we're enrolling not just as a client, but as a replica + # install server packages + assert_script_run "dnf -y groupinstall freeipa-server", 600; + + # we need a lot of entropy for this, and we don't care how good + # it is, so let's use haveged + assert_script_run "dnf -y install haveged", 300; + assert_script_run 'systemctl start haveged.service'; + + # read DNS server IPs from host's /etc/resolv.conf for passing to + # ipa-replica-install + my @forwards = get_host_dns(); + + # configure the firewall + for my $service (qw(freeipa-ldap freeipa-ldaps dns)) { + assert_script_run "firewall-cmd --permanent --add-service $service"; + } + assert_script_run "systemctl restart firewalld.service"; + + # deploy as a replica + my $args = "--setup-dns --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123"; + for my $fwd (@forwards) { + $args .= " --forwarder=$fwd"; + } + assert_script_run "ipa-replica-install $args", 1200; + + # don't use the other server for our DNS lookups any more, as we + # should be independent of it + my ($ip, $hostname) = split(/ /, get_var("POST_STATIC")); + setup_tap_static($ip, $hostname); + + # enable and start the systemd service + assert_script_run "systemctl enable ipa.service"; + assert_script_run "systemctl start ipa.service", 300; + + # report that we're ready to go + mutex_create('replica_ready'); + + # wait for the client test + wait_for_children; + } + else { + assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300; + } # set sssd debugging level higher (useful for debugging failures) # optional as it's not really part of the test script_run "dnf -y install sssd-tools", 220; diff --git a/tests/role_deploy_domain_controller.pm b/tests/role_deploy_domain_controller.pm index 57c165ee..ce153aaf 100644 --- a/tests/role_deploy_domain_controller.pm +++ b/tests/role_deploy_domain_controller.pm @@ -88,7 +88,7 @@ sub run { } assert_script_run "systemctl restart firewalld.service"; # deploy the server - my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-reverse"; + my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.0.10.in-addr.arpa --allow-zone-overlap"; for my $fwd (@forwards) { $args .= " --forwarder=$fwd"; } @@ -113,6 +113,9 @@ sub run { assert_script_run 'ipa hbacrule-disable allow_all'; # allow immediate password changes (as we need to test this) assert_script_run 'ipa pwpolicy-mod --minlife=0'; + # magic voodoo crap to allow reverse DNS client sync to work + # https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html + assert_script_run 'ipa dnszone-mod domain.local. --allow-sync-ptr=TRUE'; # kinit as each user and set a new password assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL'; assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL'; diff --git a/tests/role_deploy_domain_controller_check.pm b/tests/role_deploy_domain_controller_check.pm index d5d8d7a6..b5daba95 100644 --- a/tests/role_deploy_domain_controller_check.pm +++ b/tests/role_deploy_domain_controller_check.pm @@ -39,6 +39,8 @@ sub run { assert_script_run '! systemctl is-active ipa.service'; # decommission the server assert_script_run 'ipa-server-install -U --uninstall', 300; + # try and un-garble the screen that the above garbles... + assert_script_run 'clear'; # FIXME check server is decommissioned...how? } # run post-fail hook to upload logs - even when this test passes