a901fce4ab
Summary: again, added as a non-fatal module for realmd_join_cockpit as it's convenient to do it here. Also abstract a couple of ipa bits into a new exporter package in the style of SUSE's mm_network, rather than using ill-fitting class inheritance as we have before - we should probably convert our existing class based stuff to work this way. Also a few minor tweaks and clean-ups of the other tests: The path in console_login() where we detect login of a regular user when we want root or vice versa and log out was actually broken because it would 'wait' for the result of the 'exit' command, which obviously doesn't work (as it relies on running another command afterwards, and we're no longer at a shell). This commit no longer actually uses that path, but I spotted the bug with an earlier version of this which did, and we may as well keep the fix. /var/log/lastlog is an apparently-extremely-large sparse file. A couple of times it seemed to cause tar to run very slowly while creating the /var/log archive for upload on failure. It's no use for diagnosing bugs, so we may as well exclude it from the archive. I caught cockpit webUI login failing one time when testing the test, so threw in a wait_still_screen before starting to type the URL, as we have for the FreeIPA webUI. I also caught a timing issue with the openQA webUI policy add step; the test flips from the Users screen to the HBAC screen then clicks the 'add' button, but there's actually an identical 'add' button on *both* screens, so it could wind up trying to click the one on the Users screen instead, if the web UI took a few milliseconds to switch. So we throw in a needle match to make sure we're actually on the HBAC screen before clicking the button. 
We make the freeipa_webui test a 'milestone' so that if the new test fails, restoring to the last-known-good milestone doesn't take so long; it actually seems like openQA can get confused and try to cancel the test if restoring the milestone takes a *really* long time, and wind up with a zombie qemu process, which isn't good. This seems to avoid that happening. Test Plan: In the simple case, just run all the FreeIPA-related tests on Fedora 24 (as Rawhide is broken) and make sure they all work properly. To get a bit more advanced you can throw in an `assert_script_run 'false'` in either of the non-fatal tests to break it and make sure things go properly when that happens (the last milestone should be restored - which should be right after freeipa_webui, sitting at tty1 - and run properly; things are set up so each test starts with root logged in on tty1). Reviewers: jskladan, garretraziel Reviewed By: garretraziel Subscribers: tflink Differential Revision: https://phab.qadevel.cloud.fedoraproject.org/D935
use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;
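sub run {
    # Deploy the FreeIPA domain controller role inside this VM, populate it
    # with the host / user / HBAC objects the child jobs exercise, publish the
    # 'freeipa_ready' mutex, wait for the children, then tear the role down.
    # Every step is an assert_script_run / validate_script_output, so any
    # failure aborts the test (and, via test_flags, the whole suite).
    my $self = shift;

    # boot with kernel params to ensure the interface is 'eth0' and not
    # whatever systemd feels like calling it today
    $self->do_bootloader(postinstall => 1, params => "net.ifnames=0 biosdevname=0");
    $self->boot_to_login_screen("text_console_login", 5, 60);

    # login
    $self->root_console();

    # clone host's /etc/hosts (for phx2 internal routing to work). This must
    # come *before* setup_tap_static or else it would overwrite its changes
    $self->clone_host_file("/etc/hosts");

    # set up networking
    $self->setup_tap_static("10.0.2.100", "ipa001.domain.local");

    # clone host's resolv.conf to get name resolution
    $self->clone_host_file("/etc/resolv.conf");

    # we don't want updates-testing for validation purposes
    assert_script_run 'dnf config-manager --set-disabled updates-testing';

    # ipa-server-install needs a lot of entropy for key generation, and in a
    # throwaway test VM we don't care how good it is, so use haveged.
    # NOTE(review): this is a test-only shortcut - do not copy it into a
    # real deployment, where CA / Kerberos keys should come from the kernel
    # RNG (or a hardware source), not haveged.
    assert_script_run 'dnf -y install haveged', 300;
    assert_script_run 'systemctl start haveged.service';

    # read DNS server IPs from host's /etc/resolv.conf for passing to
    # rolectl
    my @forwards = $self->get_host_dns();

    # Fail fast if the host gave us nothing: with an empty list the code
    # below would build a forwarder list containing an empty string and the
    # deploy would die much later with a far less obvious error.
    die "no DNS forwarders found in host resolv.conf" unless @forwards;

    # The forwarders are interpolated verbatim into a JSON document inside a
    # single-quoted shell command below, and the rolekit workaround below
    # only makes sense for IPv4 literals. We cannot see here whether
    # get_host_dns() already filters its output, so refuse anything that
    # does not look like a dotted quad instead of building a broken command.
    for my $forwarder (@forwards) {
        die "DNS forwarder '$forwarder' is not an IPv4 address"
            unless $forwarder =~ m/\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    }

    # we are now gonna work around a stupid bug in rolekit. we want to
    # pass it a list of ipv4 DNS forwarders and have no ipv6 DNS
    # forwarders. but it won't allow you to have a dns_forwarders array
    # with a "ipv4" list but no "ipv6" list, any values in the "ipv6"
    # list must be contactable (so we can't use real IPv6 DNS servers
    # as we have no IPv6 connectivity), and if you use an empty list
    # as the "ipv6" value you often hit a weird DBus error "unable to
    # guess signature from an empty list". Fortunately, rolekit doesn't
    # actually check that the values in the lists are really IPv6 /
    # IPv4, it just turns all the values in each list into --forwarder
    # args for ipa-server-install. So we can just stuff IPv4 values
    # into both lists. rolekit bug:
    # https://github.com/libre-server/rolekit/issues/64
    # it should be fixed relatively soon.
    my $fourlist;
    my $sixlist;
    if (scalar @forwards == 1) {
        # we've only got one server, so dupe it, best we can do
        $fourlist = '["' . $forwards[0] . '"]';
        $sixlist = $fourlist;
    }
    else {
        # put the first value in the 'IPv4' list and all the others in
        # the 'IPv6' list
        $fourlist = '["' . shift(@forwards) . '"]';
        $sixlist = '["' . join('","', @forwards) . '"]';
    }

    # deploy the domain controller role, specifying an admin password
    # and the list of DNS server IPs as JSON via stdin. If we don't do
    # this, rolectl defaults to using the root servers as forwarders
    # (it does not copy the settings from resolv.conf), which give the
    # public results for mirrors.fedoraproject.org, some of which
    # things running in phx2 cannot reach; we must make sure the phx2
    # deployments use the phx2 nameservers.
    # The admin password is a throwaway credential for this disposable VM.
    # --settings-stdin keeps it out of rolectl's argv, but the echo command
    # line itself is captured in the openQA serial log, so these values must
    # never be reused for anything real.
    assert_script_run 'echo \'{"admin_password":"monkeys123","dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200;

    # check the role status, should be 'running'
    validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ };

    # Until sanitized, rolekit keeps the Directory Manager password in its
    # stored settings in clear text. First confirm it really is there (the
    # \w{5,} pattern cannot match the 4-character 'None', so this cannot be
    # satisfied by an already-scrubbed value)...
    validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ };

    # ...then sanitize the settings...
    assert_script_run 'rolectl sanitize domaincontroller/domain.local';

    # ...and check the password now shows as 'None', i.e. sanitize actually
    # removed the secret from the persisted settings.
    validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ };

    # kinit as admin
    assert_script_run 'echo "monkeys123" | kinit admin';

    # set up an OTP for client001 enrolment (it will enrol with a kickstart)
    assert_script_run 'ipa host-add client001.domain.local --password=monkeys --force';

    # create two user accounts, test1 and test2
    assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
    assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';

    # add a rule allowing access to all hosts and services
    assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';

    # add test1 (but not test2) to the rule
    assert_script_run 'ipa hbacrule-add-user testrule --users=test1';

    # disable the default 'everyone everywhere' rule, so that testrule is
    # the only thing granting access and the child jobs can check that
    # test2 is actually denied
    assert_script_run 'ipa hbacrule-disable allow_all';

    # allow immediate password changes (as we need to test this). This
    # deliberately weakens the password policy; it is test setup only.
    assert_script_run 'ipa pwpolicy-mod --minlife=0';

    # kinit as each user and set a new password (first line is the
    # current password, the next two are the new one, entered twice)
    assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
    assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';

    # we're all ready for other jobs to run!
    mutex_create('freeipa_ready');
    wait_for_children;

    # once child jobs are done, stop the role
    assert_script_run 'rolectl stop domaincontroller/domain.local';

    # check role is stopped
    validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ };

    # decommission the role
    assert_script_run 'rolectl decommission domaincontroller/domain.local', 120;

    # check role is decommissioned
    validate_script_output 'rolectl list instances', sub { $_ eq "" };
}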
sub test_flags {
    # Flags understood by the openQA scheduler:
    #   (none)       - roll back to the 'lastgood' snapshot if this test fails
    #   'fatal'      - the whole test suite is in danger if this test fails
    #   'milestone'  - after this test succeeds, update 'lastgood'
    #   'important'  - if this fails, set the overall state to 'fail'
    # The server deploy is a prerequisite for every child job (they block on
    # the mutex created in run), so a failure here is fatal for the suite.
    my %flags = (fatal => 1);
    return \%flags;
}
1;
# vim: set sw=4 et: