Drop old rolekit code from database and freeipa tests

RIP rolekit Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-01-10 14:25:45 -08:00 · 2020-01-10 14:25:45 -08:00 · fec49f05ec
commit fec49f05ec
parent fc93309b41
3 changed files with 71 additions and 180 deletions
--- a/tests/role_deploy_database_server.pm
+++ b/tests/role_deploy_database_server.pm
@ -10,55 +10,39 @@ sub run {
    my $self=shift;
    # use compose repo, disable u-t, etc.
    repo_setup();
-    # from here we branch: for F28 and earlier we use rolekit as
+    # deploy postgres directly ourselves. first, install packages...
-    # always, for F29+ we deploy directly ourselves as rolekit is
+    assert_script_run 'dnf -y install postgresql-server postgresql-contrib', 300;
-    # deprecated
+    # configure the firewall
-    my $version = get_var("VERSION");
+    assert_script_run "firewall-cmd --permanent --add-service postgresql";
-    # for upgrade tests we need to check CURRREL not VERSION
+    assert_script_run "systemctl restart firewalld.service";
-    $version = get_var("CURRREL") if (get_var("UPGRADE"));
+    # init the db
-    if ($version < 29 && $version ne 'Rawhide') {
+    assert_script_run "/usr/bin/postgresql-setup --initdb";
-        # deploy the database server role
+    # enable and start the systemd service
-        assert_script_run 'echo \'{"database":"openqa","owner":"openqa","password":"correcthorse"}\' | rolectl deploy databaseserver --settings-stdin', 300;
+    assert_script_run "systemctl enable postgresql.service";
-        # check the role status, should be 'running'
+    assert_script_run "systemctl start postgresql.service";
-        validate_script_output 'rolectl status databaseserver/1', sub { $_ =~ m/^running/ };
+    # create the owner
-        # check 'settings' output looks vaguely right
+    assert_script_run 'su postgres -c "/usr/bin/createuser openqa"';
-        validate_script_output 'rolectl settings databaseserver/1', sub {$_ =~ m/owner = openqa/ };
+    # create the database
-    }
+    assert_script_run 'su postgres -c "/usr/bin/createdb openqa -O openqa"';
-    else {
+    # set the password. oh, god, the quotes. THE QUOTES. trying to
-        # deploy postgres directly ourselves. first, install packages...
+    # get four layers of nested quotes properly escaped through
-        assert_script_run 'dnf -y install postgresql-server postgresql-contrib', 300;
+    # perl, bash and postgres is futile, so we write the command
-        # configure the firewall
+    # to a file and call psql on the file
-        assert_script_run "firewall-cmd --permanent --add-service postgresql";
+    assert_script_run 'echo "ALTER ROLE openqa WITH PASSWORD \'correcthorse\'" > /tmp/cmd';
-        assert_script_run "systemctl restart firewalld.service";
+    assert_script_run 'su postgres -c "psql openqa -f /tmp/cmd"';
-        # init the db
+    # adjust postgresql.conf to allow network connections; sloppy
-        assert_script_run "/usr/bin/postgresql-setup --initdb";
+    # version of how rolekit did it
-        # enable and start the systemd service
+    assert_script_run 'sed -i -e "s,.*listen_addresses *=.*,listen_addresses=\'*\',g" /var/lib/pgsql/data/postgresql.conf';
-        assert_script_run "systemctl enable postgresql.service";
+    # check that worked...
-        assert_script_run "systemctl start postgresql.service";
+    upload_logs "/var/lib/pgsql/data/postgresql.conf";
-        # create the owner
+    # adjust pg_hba.conf to use md5 authentication; sloppy version
-        assert_script_run 'su postgres -c "/usr/bin/createuser openqa"';
+    # of how rolekit did it
-        # create the database
+    assert_script_run 'sed -i -e "s,^host,#host,g" /var/lib/pgsql/data/pg_hba.conf';
-        assert_script_run 'su postgres -c "/usr/bin/createdb openqa -O openqa"';
+    assert_script_run 'echo "host    all             all             all                     md5" >> /var/lib/pgsql/data/pg_hba.conf';
-        # set the password. oh, god, the quotes. THE QUOTES. trying to
+    # check that worked...
-        # get four layers of nested quotes properly escaped through
+    upload_logs "/var/lib/pgsql/data/pg_hba.conf";
-        # perl, bash and postgres is futile, so we write the command
+    # restart the service
-        # to a file and call psql on the file
+    assert_script_run "systemctl restart postgresql.service";
        assert_script_run 'echo "ALTER ROLE openqa WITH PASSWORD \'correcthorse\'" > /tmp/cmd';
        assert_script_run 'su postgres -c "psql openqa -f /tmp/cmd"';
        # adjust postgresql.conf to allow network connections; sloppy
        # version of how rolekit did it
        assert_script_run 'sed -i -e "s,.*listen_addresses *=.*,listen_addresses=\'*\',g" /var/lib/pgsql/data/postgresql.conf';
        # check that worked...
        upload_logs "/var/lib/pgsql/data/postgresql.conf";
        # adjust pg_hba.conf to use md5 authentication; sloppy version
        # of how rolekit did it
        assert_script_run 'sed -i -e "s,^host,#host,g" /var/lib/pgsql/data/pg_hba.conf';
        assert_script_run 'echo "host    all             all             all                     md5" >> /var/lib/pgsql/data/pg_hba.conf';
        # check that worked...
        upload_logs "/var/lib/pgsql/data/pg_hba.conf";
        # restart the service
        assert_script_run "systemctl restart postgresql.service";
    }
    # check we can connect to the database and create a table
    assert_script_run 'su postgres -c "psql openqa -c \'CREATE TABLE test (testcol int);\'"';
    # check we can add a row to the table
@ -71,26 +55,14 @@ sub run {
    # we're all ready for other jobs to run!
    mutex_create('db_ready');
    wait_for_children;
-    if ($version < 29 && $version ne 'Rawhide') {
+    # once child jobs are done, decommission the server a bit
-        # once child jobs are done, stop the role
+    assert_script_run 'su postgres -c "/usr/bin/dropdb -w --if-exists openqa"';
-        assert_script_run 'rolectl stop databaseserver/1';
+    assert_script_run 'su postgres -c "/usr/bin/dropuser -w --if-exists openqa"';
-        # check role is stopped
+    # stop the server
-        validate_script_output 'rolectl status databaseserver/1', sub { $_ =~ m/^ready-to-start/ };
+    assert_script_run 'systemctl stop postgresql.service';
-        # decommission the role
+    # check server is stopped
-        assert_script_run 'rolectl decommission databaseserver/1', 120;
+    assert_script_run '! systemctl is-active postgresql.service';
-        # check role is decommissioned
+    # FIXME check server is decommissioned...how?
        validate_script_output 'rolectl list instances', sub { $_ eq "" };
    }
    else {
        # once child jobs are done, decommission the server a bit
        assert_script_run 'su postgres -c "/usr/bin/dropdb -w --if-exists openqa"';
        assert_script_run 'su postgres -c "/usr/bin/dropuser -w --if-exists openqa"';
        # stop the server
        assert_script_run 'systemctl stop postgresql.service';
        # check server is stopped
        assert_script_run '! systemctl is-active postgresql.service';
        # FIXME check server is decommissioned...how?
    }
 }
--- a/tests/role_deploy_domain_controller.pm
+++ b/tests/role_deploy_domain_controller.pm
@ -33,74 +33,22 @@ sub run {
    # read DNS server IPs from host's /etc/resolv.conf for passing to
    # ipa-server-install / rolectl
    my @forwards = get_host_dns();
-    # from here we branch: for F28 and earlier we use rolekit as
+    # First install the necessary packages
-    # always, for F29+ we deploy directly ourselves as rolekit is
+    assert_script_run "dnf -y groupinstall freeipa-server", 600;
-    # deprecated
+    # configure the firewall
-    my $version = get_var("VERSION");
+    for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
-    # for upgrade tests we need to check CURRREL not VERSION
+        assert_script_run "firewall-cmd --permanent --add-service $service";
    $version = get_var("CURRREL") if (get_var("UPGRADE"));
    if ($version < 29 && $version ne 'Rawhide') {
        # we are now gonna work around a stupid bug in rolekit. we want to
        # pass it a list of ipv4 DNS forwarders and have no ipv6 DNS
        # forwarders. but it won't allow you to have a dns_forwarders array
        # with a "ipv4" list but no "ipv6" list, any values in the "ipv6"
        # list must be contactable (so we can't use real IPv6 DNS servers
        # as we have no IPv6 connectivity), and if you use an empty list
        # as the "ipv6" value you often hit a weird DBus error "unable to
        # guess signature from an empty list". Fortunately, rolekit doesn't
        # actually check that the values in the lists are really IPv6 /
        # IPv4, it just turns all the values in each list into --forwarder
        # args for ipa-server-install. So we can just stuff IPv4 values
        # into both lists. rolekit bug:
        # https://github.com/libre-server/rolekit/issues/64
        # it should be fixed relatively soon.
        my $fourlist;
        my $sixlist;
        if (scalar @forwards == 1) {
            # we've only got one server, so dupe it, best we can do
            $fourlist = '["' . $forwards[0] . '"]';
            $sixlist = $fourlist;
        }
        else {
            # put the first value in the 'IPv4' list and all the others in
            # the 'IPv6' list
            $fourlist = '["' . shift(@forwards) . '"]';
            $sixlist = '["' . join('","', @forwards) . '"]';
        }
        # this is hideous, but we need --allow-zone-overlap for reverse
        # DNS stuff to work, and there's no good way to make rolekit do
        # that. so we monkeypatch it in!
        assert_script_run 'sed -i -e "s/\'ipa-server-install\', \'-U\',/\'ipa-server-install\', \'-U\', \'--allow-zone-overlap\',/" /usr/lib/rolekit/roles/domaincontroller/role.py';
        # to check that worked right...
        upload_logs "/usr/lib/rolekit/roles/domaincontroller/role.py";
        # deploy the domain controller role, specifying an admin password
        # and the list of DNS server IPs as JSON via stdin. If we don't do
        # this, rolectl defaults to using the root servers as forwarders
        # (it does not copy the settings from resolv.conf), which give the
        # public results for mirrors.fedoraproject.org, some of which
        # things running in phx2 cannot reach; we must make sure the phx2
        # deployments use the phx2 nameservers.
        assert_script_run 'echo \'{"admin_password":"monkeys123","reverse_zone":["2.0.10.in-addr.arpa"],"dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200;
    }
-    else {
+    assert_script_run "systemctl restart firewalld.service";
-        # this is the other side of the version branch - we're on 29+,
+    # deploy the server
-        # so no rolekit. First  install the necessary packages
+    my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.0.10.in-addr.arpa --allow-zone-overlap";
-        assert_script_run "dnf -y groupinstall freeipa-server", 600;
+    for my $fwd (@forwards) {
-        # configure the firewall
+        $args .= " --forwarder=$fwd";
        for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
            assert_script_run "firewall-cmd --permanent --add-service $service";
        }
        assert_script_run "systemctl restart firewalld.service";
        # deploy the server
        my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.0.10.in-addr.arpa --allow-zone-overlap";
        for my $fwd (@forwards) {
            $args .= " --forwarder=$fwd";
        }
        assert_script_run "ipa-server-install $args", 1200;
        # enable and start the systemd service
        assert_script_run "systemctl enable ipa.service";
        assert_script_run "systemctl start ipa.service", 300;
    }
    assert_script_run "ipa-server-install $args", 1200;
    # enable and start the systemd service
    assert_script_run "systemctl enable ipa.service";
    assert_script_run "systemctl start ipa.service", 300;
    # kinit as admin
    assert_script_run 'echo "monkeys123" | kinit admin';
--- a/tests/role_deploy_domain_controller_check.pm
+++ b/tests/role_deploy_domain_controller_check.pm
@ -20,51 +20,22 @@ sub run {
    }
    # if this is an update, notify clients that we're now up again
    mutex_create('server_upgraded') if get_var("UPGRADE");
-    # from here we branch: for F28 and earlier we use rolekit as
+    # once child jobs are done, stop the server
-    # always, for F29+ we decommission directly ourselves as rolekit
+    wait_for_children;
-    # is deprecated
+    # run post-fail hook to upload logs - even when this test passes
-    my $version = get_var("VERSION");
+    # there are often cases where we need to see the logs (e.g. client
-    if ($version < 29 && $version ne 'Rawhide') {
+    # test failed due to server issue)
-        # check the role status, should be 'running'
+    $self->post_fail_hook();
-        validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ };
+    assert_script_run 'systemctl stop ipa.service';
-        # check the admin password is listed in 'settings'
+    # check server is stopped
-        validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ };
+    assert_script_run '! systemctl is-active ipa.service';
-        # sanitize the settings
+    # decommission the server
-        assert_script_run 'rolectl sanitize domaincontroller/domain.local';
+    assert_script_run 'ipa-server-install -U --uninstall', 300;
-        # check the password now shows as 'None'
+    # try and un-garble the screen that the above sometimes garbles
-        validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ };
+    # ...we may be on tty1 or tty3 now, so flip between them
-        # once child jobs are done, stop the role
+    send_key "ctrl-alt-f1";
-        wait_for_children;
+    send_key "ctrl-alt-f3";
-        # run post-fail hook to upload logs - even when this test passes
+    # FIXME check server is decommissioned...how?
        # there are often cases where we need to see the logs (e.g. client
        # test failed due to server issue)
        $self->post_fail_hook();
        assert_script_run 'rolectl stop domaincontroller/domain.local';
        # check role is stopped
        validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ };
        # decommission the role
        assert_script_run 'rolectl decommission domaincontroller/domain.local', 300;
        # check role is decommissioned
        validate_script_output 'rolectl list instances', sub { $_ eq "" };
    }
    else {
        # once child jobs are done, stop the server
        wait_for_children;
        # run post-fail hook to upload logs - even when this test passes
        # there are often cases where we need to see the logs (e.g. client
        # test failed due to server issue)
        $self->post_fail_hook();
        assert_script_run 'systemctl stop ipa.service';
        # check server is stopped
        assert_script_run '! systemctl is-active ipa.service';
        # decommission the server
        assert_script_run 'ipa-server-install -U --uninstall', 300;
        # try and un-garble the screen that the above sometimes garbles
        # ...we may be on tty1 or tty3 now, so flip between them
        send_key "ctrl-alt-f1";
        send_key "ctrl-alt-f3";
        # FIXME check server is decommissioned...how?
    }
 }