6bd24c3caa
Otherwise the replica tests don't work. Signed-off-by: Adam Williamson <awilliam@redhat.com>
142 lines
7.0 KiB
Perl
142 lines
7.0 KiB
Perl
use base "installedtest";
|
|
use strict;
|
|
use testapi;
|
|
use lockapi;
|
|
use mmapi;
|
|
use tapnet;
|
|
use utils;
|
|
|
|
sub run {
|
|
my $self = shift;
|
|
# login
|
|
$self->root_console();
|
|
# use compose repo, disable u-t, etc. unless this is an upgrade
|
|
# test (in which case we're on the 'old' release at this point;
|
|
# one of the upgrade test modules does repo_setup later)
|
|
repo_setup() unless get_var("UPGRADE");
|
|
# use --enablerepo=fedora for Modular compose testing (we need to
|
|
# create and use a non-Modular repo to get some packages which
|
|
# aren't in Modular Server composes)
|
|
my $extraparams = '';
|
|
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
|
|
# we need a lot of entropy for this, and we don't care how good
|
|
# it is, so let's use haveged
|
|
assert_script_run "dnf ${extraparams} -y install haveged", 300;
|
|
assert_script_run 'systemctl start haveged.service';
|
|
# per ab, this should get us extra debug logging from the web UI
|
|
# in error_log
|
|
assert_script_run 'mkdir -p /etc/ipa';
|
|
assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf';
|
|
# read DNS server IPs from host's /etc/resolv.conf for passing to
|
|
# ipa-server-install / rolectl
|
|
my @forwards = get_host_dns();
|
|
# from here we branch: for F28 and earlier we use rolekit as
|
|
# always, for F29+ we deploy directly ourselves as rolekit is
|
|
# deprecated
|
|
my $version = get_var("VERSION");
|
|
# for upgrade tests we need to check CURRREL not VERSION
|
|
$version = get_var("CURRREL") if (get_var("UPGRADE"));
|
|
if ($version < 29 && $version ne 'Rawhide') {
|
|
# we are now gonna work around a stupid bug in rolekit. we want to
|
|
# pass it a list of ipv4 DNS forwarders and have no ipv6 DNS
|
|
# forwarders. but it won't allow you to have a dns_forwarders array
|
|
# with a "ipv4" list but no "ipv6" list, any values in the "ipv6"
|
|
# list must be contactable (so we can't use real IPv6 DNS servers
|
|
# as we have no IPv6 connectivity), and if you use an empty list
|
|
# as the "ipv6" value you often hit a weird DBus error "unable to
|
|
# guess signature from an empty list". Fortunately, rolekit doesn't
|
|
# actually check that the values in the lists are really IPv6 /
|
|
# IPv4, it just turns all the values in each list into --forwarder
|
|
# args for ipa-server-install. So we can just stuff IPv4 values
|
|
# into both lists. rolekit bug:
|
|
# https://github.com/libre-server/rolekit/issues/64
|
|
# it should be fixed relatively soon.
|
|
my $fourlist;
|
|
my $sixlist;
|
|
if (scalar @forwards == 1) {
|
|
# we've only got one server, so dupe it, best we can do
|
|
$fourlist = '["' . $forwards[0] . '"]';
|
|
$sixlist = $fourlist;
|
|
}
|
|
else {
|
|
# put the first value in the 'IPv4' list and all the others in
|
|
# the 'IPv6' list
|
|
$fourlist = '["' . shift(@forwards) . '"]';
|
|
$sixlist = '["' . join('","', @forwards) . '"]';
|
|
}
|
|
# this is hideous, but we need --allow-zone-overlap for reverse
|
|
# DNS stuff to work, and there's no good way to make rolekit do
|
|
# that. so we monkeypatch it in!
|
|
assert_script_run 'sed -i -e "s/\'ipa-server-install\', \'-U\',/\'ipa-server-install\', \'-U\', \'--allow-zone-overlap\',/" /usr/lib/rolekit/roles/domaincontroller/role.py';
|
|
# to check that worked right...
|
|
upload_logs "/usr/lib/rolekit/roles/domaincontroller/role.py";
|
|
# deploy the domain controller role, specifying an admin password
|
|
# and the list of DNS server IPs as JSON via stdin. If we don't do
|
|
# this, rolectl defaults to using the root servers as forwarders
|
|
# (it does not copy the settings from resolv.conf), which give the
|
|
# public results for mirrors.fedoraproject.org, some of which
|
|
# things running in phx2 cannot reach; we must make sure the phx2
|
|
# deployments use the phx2 nameservers.
|
|
assert_script_run 'echo \'{"admin_password":"monkeys123","reverse_zone":["2.0.10.in-addr.arpa"],"dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200;
|
|
}
|
|
else {
|
|
# this is the other side of the version branch - we're on 29+,
|
|
# so no rolekit. First install the necessary packages
|
|
assert_script_run "dnf -y groupinstall freeipa-server", 600;
|
|
# configure the firewall
|
|
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
|
|
assert_script_run "firewall-cmd --permanent --add-service $service";
|
|
}
|
|
assert_script_run "systemctl restart firewalld.service";
|
|
# deploy the server
|
|
my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.0.10.in-addr.arpa --allow-zone-overlap";
|
|
for my $fwd (@forwards) {
|
|
$args .= " --forwarder=$fwd";
|
|
}
|
|
assert_script_run "ipa-server-install $args", 1200;
|
|
# enable and start the systemd service
|
|
assert_script_run "systemctl enable ipa.service";
|
|
assert_script_run "systemctl start ipa.service", 300;
|
|
}
|
|
|
|
# kinit as admin
|
|
assert_script_run 'echo "monkeys123" | kinit admin';
|
|
# set up an OTP for client001 enrolment (it will enrol with a kickstart)
|
|
assert_script_run 'ipa host-add client001.domain.local --password=monkeys --force';
|
|
# create two user accounts, test1 and test2
|
|
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
|
|
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
|
|
# add a rule allowing access to all hosts and services
|
|
assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
|
|
# add test1 (but not test2) to the rule
|
|
assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
|
|
# disable the default 'everyone everywhere' rule
|
|
assert_script_run 'ipa hbacrule-disable allow_all';
|
|
# allow immediate password changes (as we need to test this)
|
|
assert_script_run 'ipa pwpolicy-mod --minlife=0';
|
|
# magic voodoo crap to allow reverse DNS client sync to work
|
|
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
|
|
assert_script_run 'ipa dnszone-mod domain.local. --allow-sync-ptr=TRUE';
|
|
# kinit as each user and set a new password
|
|
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
|
|
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
|
|
# we're ready for children to enrol, now
|
|
mutex_create("freeipa_ready");
|
|
# if upgrade test, wait for children to enrol before upgrade
|
|
if (get_var("UPGRADE")) {
|
|
my $children = get_children();
|
|
my $child_id = (keys %$children)[0];
|
|
mutex_lock('client_enrolled', $child_id);
|
|
mutex_unlock('client_enrolled');
|
|
}
|
|
}
|
|
|
|
|
|
sub test_flags {
|
|
return { fatal => 1 };
|
|
}
|
|
|
|
1;
|
|
|
|
# vim: set sw=4 et:
|