os-autoinst-distri-rocky-mi.../tests/freeipa_client_postinstall.pm
Adam Williamson f59343403a add FreeIPA server role deploy and kickstart enrolment tests
Summary:
These require openQA tap networking to allow the server and
client boxes to communicate, and require masquerading (NAT) so
the server at least can reach a repository (dnf/rolekit really,
really do not want to work without a repo connection).

They use the 'parallel' test support to have the server deploy
run first while the client enrol test waits at the grub menu
until the server is done before it goes ahead.

This is all deployed and working on stg. The really tricky bit
was getting all the openvswitch and firewall config right in
ansible.

We *could* do the server deploy test as a follow-on from the
default install test to save the install, but then we'd have to
teach it to change the hostname and set up static networking
post-install. I'm not sure if it's worth doing that.

This requires the corresponding openqa_fedora_tools commit that
adds the hard disks (containing the kickstarts - it's possible
to get them from remote during install, but we have to set up
name resolution or hard code the IP of the server).

Test Plan:
Deploy this and the openqa_fedora_tools commit,
generate the disks, configure the networking (good luck! See
the docs in openqa_fedora_tools) and see if you can run the
tests. If you're using Docker, uh...sorry. You somehow need to
set things up so the workers can use tap interfaces that can
talk to each other and are NATed to the outside world. Have fun.
I can talk you through it on IRC...

Reviewers: jskladan, garretraziel

Reviewed By: garretraziel

Subscribers: tflink

Differential Revision: https://phab.qadevel.cloud.fedoraproject.org/D831
2016-05-04 11:53:11 -07:00

46 lines
1.8 KiB
Perl

use base "installedtest";
use strict;
use testapi;
sub run {
my $self=shift;
# check domain is listed in 'realm list'
validate_script_output 'realm list', sub { $_ =~ m/domain-name: domain\.local.*configured: kerberos-member/s };
# check we can see the admin user in getent
assert_script_run 'getent passwd admin@DOMAIN.LOCAL';
# check keytab entries
validate_script_output 'klist -k', sub { $_ =~ m/client001\.domain\.local\@DOMAIN.LOCAL/ };
# check we can kinit with the host principal
assert_script_run 'kinit -k host/client001.domain.local@DOMAIN.LOCAL';
# kinit as each user and set a new password
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
# switch to tty3
send_key "ctrl-alt-f3";
# try and login as test1, should work
$self->console_login(user=>'test1@DOMAIN.LOCAL', password=>'batterystaple');
type_string "exit\n";
# try and login as test2, should fail. we cannot use console_login
# as it takes 10 seconds to complete when login fails, and
# "permission denied" message doesn't last that long
sleep 2;
assert_screen "text_console_login";
type_string "test2\@DOMAIN.LOCAL\n";
assert_screen "console_password_required";
type_string "batterystaple\n";
assert_screen "login_permission_denied";
}
sub test_flags {
# without anything - rollback to 'lastgood' snapshot if failed
# 'fatal' - whole test suite is in danger if this fails
# 'milestone' - after this test succeeds, update 'lastgood'
# 'important' - if this fails, set the overall state to 'fail'
return { fatal => 1 };
}
1;
# vim: set sw=4 et: