Add a FreeIPA replication job set
This adds a set of jobs to test FreeIPA replication. We deploy a server, deploy a replica of that server, then enrol a client against the replica and run the client tests. At first I was planning to add the replica testing into the main set of FreeIPA tests, but the test ordering/blocking (via mutexes and barriers and what-have-you) just turns into a big nightmare that way. This way seems rather simpler to deal with. Signed-off-by: Adam Williamson <awilliam@redhat.com>
parent
f2ea77a930
commit
9df64398ee
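--- a/templates
+++ b/templates
@@ -754,6 +754,39 @@
 },
 test_suite => { name => "realmd_join_sssd" },
 },
+{
+machine => { name => "64bit" },
+prio => 20,
+product => {
+arch => "x86_64",
+distri => "fedora",
+flavor => "Server-dvd-iso",
+version => "*",
+},
+test_suite => { name => "server_freeipa_replication_master" },
+},
+{
+machine => { name => "64bit" },
+prio => 20,
+product => {
+arch => "x86_64",
+distri => "fedora",
+flavor => "Server-dvd-iso",
+version => "*",
+},
+test_suite => { name => "server_freeipa_replication_replica" },
+},
+{
+machine => { name => "64bit" },
+prio => 20,
+product => {
+arch => "x86_64",
+distri => "fedora",
+flavor => "Server-dvd-iso",
+version => "*",
+},
+test_suite => { name => "server_freeipa_replication_client" },
+},
 {
 machine => { name => "64bit" },
 prio => 20,
@@ -5363,6 +5396,59 @@
 { key => "WORKER_CLASS", value => "tap" },
 ],
 },
+{
+name => "server_freeipa_replication_master",
+settings => [
+{ key => "POSTINSTALL", value => "role_deploy_domain_controller role_deploy_domain_controller_check" },
+{ key => "USER_LOGIN", value => "false" },
+{ key => "ROOT_PASSWORD", value => "weakpassword" },
+{ key => "GRUB_POSTINSTALL", value => "net.ifnames=0 biosdevname=0" },
+{ key => "FREEIPA_REPLICA_MASTER", value => "1" },
+{ key => "START_AFTER_TEST", value => "install_default_upload" },
+{ key => "BOOTFROM", value => "c" },
+{ key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" },
+{ key => "GRUB", value => "net.ifnames=0 biosdevname=0" },
+{ key => "POST_STATIC", value => "10.0.2.106 ipa002.domain.local" },
+{ key => "NICTYPE", value => "tap" },
+{ key => "WORKER_CLASS", value => "tap" },
+],
+},
+{
+name => "server_freeipa_replication_replica",
+settings => [
+{ key => "POSTINSTALL", value => "realmd_join_sssd" },
+{ key => "USER_LOGIN", value => "false" },
+{ key => "ROOT_PASSWORD", value => "weakpassword" },
+{ key => "GRUB_POSTINSTALL", value => "net.ifnames=0 biosdevname=0" },
+{ key => "FREEIPA_REPLICA", value => "1" },
+{ key => "START_AFTER_TEST", value => "install_default_upload" },
+{ key => "PARALLEL_WITH", value => "server_freeipa_replication_master" },
+{ key => "BOOTFROM", value => "c" },
+{ key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" },
+{ key => "GRUB", value => "net.ifnames=0 biosdevname=0" },
+{ key => "POST_STATIC", value => "10.0.2.107 ipa003.domain.local" },
+{ key => "NICTYPE", value => "tap" },
+{ key => "WORKER_CLASS", value => "tap" },
+],
+},
+{
+name => "server_freeipa_replication_client",
+settings => [
+{ key => "POSTINSTALL", value => "realmd_join_sssd freeipa_client" },
+{ key => "USER_LOGIN", value => "false" },
+{ key => "ROOT_PASSWORD", value => "weakpassword" },
+{ key => "GRUB_POSTINSTALL", value => "net.ifnames=0 biosdevname=0" },
+{ key => "FREEIPA_REPLICA_CLIENT", value => "1" },
+{ key => "START_AFTER_TEST", value => "install_default_upload" },
+{ key => "PARALLEL_WITH", value => "server_freeipa_replication_replica" },
+{ key => "BOOTFROM", value => "c" },
+{ key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" },
+{ key => "GRUB", value => "net.ifnames=0 biosdevname=0" },
+{ key => "POST_STATIC", value => "10.0.2.108 client005.domain.local" },
+{ key => "NICTYPE", value => "tap" },
+{ key => "WORKER_CLASS", value => "tap" },
+],
+},
 {
 name => "server_role_deploy_database_server",
 settings => [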
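Review bot: `FREEIPA_REPLICA_MASTER` on `server_freeipa_replication_master` is not read by any test code shown in this commit; the join module only checks `FREEIPA_REPLICA` and `FREEIPA_REPLICA_CLIENT`. Unless something outside these hunks consumes it, it is a dead setting and should be dropped or given a comment naming what reads it. Separately, the `POST_STATIC` addresses and hostnames for the master and replica (`10.0.2.106 ipa002.domain.local`, `10.0.2.107 ipa003.domain.local`) are repeated as literals in the join module's server selection, so the two files have to be edited together. A short comment above the three new suites, for example `# addresses below are hard-coded in the realmd_join_sssd test; keep in sync`, would make that coupling visible.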
|
@ -2,25 +2,82 @@ use base "installedtest";
|
|||||||
use strict;
|
use strict;
|
||||||
use testapi;
|
use testapi;
|
||||||
use lockapi;
|
use lockapi;
|
||||||
|
use mmapi;
|
||||||
use tapnet;
|
use tapnet;
|
||||||
use utils;
|
use utils;
|
||||||
|
|
||||||
sub run {
|
sub run {
|
||||||
my $self=shift;
|
my $self=shift;
|
||||||
# use FreeIPA server as DNS server
|
# use FreeIPA server or replica as DNS server
|
||||||
assert_script_run "printf 'search domain.local\nnameserver 10.0.2.100' > /etc/resolv.conf";
|
my $server = 'ipa001.domain.local';
|
||||||
|
my $server_ip = '10.0.2.100';
|
||||||
|
my $server_mutex = 'freeipa_ready';
|
||||||
|
if (get_var("FREEIPA_REPLICA")) {
|
||||||
|
$server = 'ipa002.domain.local';
|
||||||
|
$server_ip = '10.0.2.106';
|
||||||
|
}
|
||||||
|
if (get_var("FREEIPA_REPLICA_CLIENT")) {
|
||||||
|
$server = 'ipa003.domain.local';
|
||||||
|
$server_ip = '10.0.2.107';
|
||||||
|
$server_mutex = 'replica_ready';
|
||||||
|
}
|
||||||
|
assert_script_run "printf 'search domain.local\nnameserver ${server_ip}' > /etc/resolv.conf";
|
||||||
assert_script_run "sed -i -e '/^DNS.*/d' /etc/sysconfig/network-scripts/ifcfg-eth0";
|
assert_script_run "sed -i -e '/^DNS.*/d' /etc/sysconfig/network-scripts/ifcfg-eth0";
|
||||||
assert_script_run "printf '\nDNS1=10.0.2.100\n' >> /etc/sysconfig/network-scripts/ifcfg-eth0";
|
assert_script_run "printf '\nDNS1=${server_ip}\n' >> /etc/sysconfig/network-scripts/ifcfg-eth0";
|
||||||
# wait for the server to be ready (do it now just to make sure name
|
# wait for the server or replica to be ready (do it now just to be
|
||||||
# resolution is working before we proceed)
|
# sure name resolution is working before we proceed)
|
||||||
mutex_lock "freeipa_ready";
|
mutex_lock $server_mutex;
|
||||||
mutex_unlock "freeipa_ready";
|
mutex_unlock $server_mutex;
|
||||||
# use compose repo, disable u-t, etc. unless this is an upgrade
|
# use compose repo, disable u-t, etc. unless this is an upgrade
|
||||||
# test (in which case we're on the 'old' release at this point;
|
# test (in which case we're on the 'old' release at this point;
|
||||||
# one of the upgrade test modules does repo_setup later)
|
# one of the upgrade test modules does repo_setup later)
|
||||||
repo_setup() unless get_var("UPGRADE");
|
repo_setup() unless get_var("UPGRADE");
|
||||||
# do the enrolment
|
# do the enrolment
|
||||||
assert_script_run "echo 'monkeys123' | realm join --user=admin ipa001.domain.local", 300;
|
if (get_var("FREEIPA_REPLICA")) {
|
||||||
|
# here we're enrolling not just as a client, but as a replica
|
||||||
|
# install server packages
|
||||||
|
assert_script_run "dnf -y groupinstall freeipa-server", 600;
|
||||||
|
|
||||||
|
# we need a lot of entropy for this, and we don't care how good
|
||||||
|
# it is, so let's use haveged
|
||||||
|
assert_script_run "dnf -y install haveged", 300;
|
||||||
|
assert_script_run 'systemctl start haveged.service';
|
||||||
|
|
||||||
|
# read DNS server IPs from host's /etc/resolv.conf for passing to
|
||||||
|
# ipa-replica-install
|
||||||
|
my @forwards = get_host_dns();
|
||||||
|
|
||||||
|
# configure the firewall
|
||||||
|
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
|
||||||
|
assert_script_run "firewall-cmd --permanent --add-service $service";
|
||||||
|
}
|
||||||
|
assert_script_run "systemctl restart firewalld.service";
|
||||||
|
|
||||||
|
# deploy as a replica
|
||||||
|
my $args = "--setup-dns --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
|
||||||
|
for my $fwd (@forwards) {
|
||||||
|
$args .= " --forwarder=$fwd";
|
||||||
|
}
|
||||||
|
assert_script_run "ipa-replica-install $args", 1200;
|
||||||
|
|
||||||
|
# don't use the other server for our DNS lookups any more, as we
|
||||||
|
# should be independent of it
|
||||||
|
my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
|
||||||
|
setup_tap_static($ip, $hostname);
|
||||||
|
|
||||||
|
# enable and start the systemd service
|
||||||
|
assert_script_run "systemctl enable ipa.service";
|
||||||
|
assert_script_run "systemctl start ipa.service", 300;
|
||||||
|
|
||||||
|
# report that we're ready to go
|
||||||
|
mutex_create('replica_ready');
|
||||||
|
|
||||||
|
# wait for the client test
|
||||||
|
wait_for_children;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300;
|
||||||
|
}
|
||||||
# set sssd debugging level higher (useful for debugging failures)
|
# set sssd debugging level higher (useful for debugging failures)
|
||||||
# optional as it's not really part of the test
|
# optional as it's not really part of the test
|
||||||
script_run "dnf -y install sssd-tools", 220;
|
script_run "dnf -y install sssd-tools", 220;
|
||||||
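Review bot: In the `FREEIPA_REPLICA` branch, `wait_for_children;` runs before the sssd debug setup that follows the `if`/`else` (the `sssd-tools` install visible at the end of this hunk). On the replica those steps therefore only run after the client job has finished, so the extra sssd logging is never active while the client enrols against it. Consider moving `wait_for_children;` to the end of `run`, behind the same `get_var("FREEIPA_REPLICA")` check; the rest of `run` lies outside this hunk, so confirm nothing after it depends on the current order. Also, `split(/ /, get_var("POST_STATIC"))` hands undefined values to `setup_tap_static` when the setting is missing; a guard such as `die "POST_STATIC not set" unless defined $ip && defined $hostname;` would fail with a clearer message.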
|
@ -88,7 +88,7 @@ sub run {
|
|||||||
}
|
}
|
||||||
assert_script_run "systemctl restart firewalld.service";
|
assert_script_run "systemctl restart firewalld.service";
|
||||||
# deploy the server
|
# deploy the server
|
||||||
my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-reverse";
|
my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.0.10.in-addr.arpa --allow-zone-overlap";
|
||||||
for my $fwd (@forwards) {
|
for my $fwd (@forwards) {
|
||||||
$args .= " --forwarder=$fwd";
|
$args .= " --forwarder=$fwd";
|
||||||
}
|
}
|
||||||
@ -113,6 +113,9 @@ sub run {
|
|||||||
assert_script_run 'ipa hbacrule-disable allow_all';
|
assert_script_run 'ipa hbacrule-disable allow_all';
|
||||||
# allow immediate password changes (as we need to test this)
|
# allow immediate password changes (as we need to test this)
|
||||||
assert_script_run 'ipa pwpolicy-mod --minlife=0';
|
assert_script_run 'ipa pwpolicy-mod --minlife=0';
|
||||||
|
# magic voodoo crap to allow reverse DNS client sync to work
|
||||||
|
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
|
||||||
|
assert_script_run 'ipa dnszone-mod domain.local. --allow-sync-ptr=TRUE';
|
||||||
# kinit as each user and set a new password
|
# kinit as each user and set a new password
|
||||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
|
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
|
||||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
|
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
|
||||||
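Review bot: The comment `# magic voodoo crap to allow reverse DNS client sync to work` above the `dnszone-mod` call in the second hunk does not say what the setting changes. Something like `# let bind-dyndb-ldap create/update PTR records in the reverse zone when a client's A record in domain.local changes via dynamic update` would tell the next reader why it is needed. In the first hunk, the reverse zone `2.0.10.in-addr.arpa` is a literal tied to the 10.0.2.x addresses the test suites use, and `--allow-zone-overlap` lets the installer create a zone even if that name already resolves; a one-line comment on `$args` stating both would help. `run` starts and ends outside both hunks.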
|
@ -39,6 +39,8 @@ sub run {
|
|||||||
assert_script_run '! systemctl is-active ipa.service';
|
assert_script_run '! systemctl is-active ipa.service';
|
||||||
# decommission the server
|
# decommission the server
|
||||||
assert_script_run 'ipa-server-install -U --uninstall', 300;
|
assert_script_run 'ipa-server-install -U --uninstall', 300;
|
||||||
|
# try and un-garble the screen that the above garbles...
|
||||||
|
assert_script_run 'clear';
|
||||||
# FIXME check server is decommissioned...how?
|
# FIXME check server is decommissioned...how?
|
||||||
}
|
}
|
||||||
# run post-fail hook to upload logs - even when this test passes
|
# run post-fail hook to upload logs - even when this test passes
|
||||||
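Review bot: `assert_script_run 'clear';` lets a purely cosmetic step fail the module. `script_run 'clear';` would tidy the screen after the uninstall without turning a non-zero exit into a test failure. Only the tail of `run` is visible in this hunk.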
|