f59343403a
Summary: These require openQA tap networking to allow the server and client boxes to communicate, and require masquerading (NAT) so the server at least can reach a repository (dnf/rolekit really, really do not want to work without a repo connection). They use the 'parallel' test support to have the server deploy run first while the client enrol test waits at the grub menu until the server is done before it goes ahead. This is all deployed and working on stg. The really tricky bit was getting all the openvswitch and firewall config right in ansible. We *could* do the server deploy test as a follow-on from the default install test to save the install, but then we'd have to teach it to change the hostname and set up static networking post-install. I'm not sure if it's worth doing that. This requires the corresponding openqa_fedora_tools commit that adds the hard disks (containing the kickstarts - it's possible to get them from remote during install, but we have to set up name resolution or hard code the IP of the server). Test Plan: Deploy this and the openqa_fedora_tools commit, generate the disks, configure the networking (good luck! See the docs in openqa_fedora_tools) and see if you can run the tests. If you're using Docker, uh...sorry. You somehow need to set things up so the workers can use tap interfaces that can talk to each other and are NATed to the outside world. Have fun. I can talk you through it on IRC... Reviewers: jskladan, garretraziel Reviewed By: garretraziel Subscribers: tflink Differential Revision: https://phab.qadevel.cloud.fedoraproject.org/D831
78 lines
3.7 KiB
Perl
78 lines
3.7 KiB
Perl
use base "installedtest";
|
|
use strict;
|
|
use testapi;
|
|
use lockapi;
|
|
use mmapi;
|
|
|
|
sub run {
|
|
my $self=shift;
|
|
# boot with kernel params to ensure interface is 'eth0' and not whatever
|
|
# systemd feels like calling it today
|
|
$self->do_bootloader(1, "net.ifnames=0 biosdevname=0");
|
|
$self->boot_to_login_screen("text_console_login", 5, 60);
|
|
# login
|
|
$self->root_console();
|
|
# set hostname
|
|
assert_script_run 'hostnamectl set-hostname ipa001.domain.local';
|
|
# add entry to /etc/hosts
|
|
assert_script_run 'echo "10.0.2.100 ipa001.domain.local ipa001" >> /etc/hosts';
|
|
# bring up network. DEFROUTE is *vital* here
|
|
assert_script_run 'printf "DEVICE=eth0\nBOOTPROTO=none\nIPADDR=10.0.2.100\nGATEWAY=10.0.2.2\nPREFIX=24\nDEFROUTE=yes" > /etc/sysconfig/network-scripts/ifcfg-eth0';
|
|
script_run "systemctl restart NetworkManager.service";
|
|
# clone host's resolv.conf to get name resolution
|
|
$self->clone_host_resolv();
|
|
# we don't want updates-testing for validation purposes
|
|
assert_script_run 'dnf config-manager --set-disabled updates-testing';
|
|
# we need a lot of entropy for this, and we don't care how good
|
|
# it is, so let's use haveged
|
|
assert_script_run 'dnf -y install haveged', 120;
|
|
assert_script_run 'systemctl start haveged.service';
|
|
# deploy the domain controller role
|
|
assert_script_run 'echo \'{"admin_password":"monkeys123"}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200;
|
|
# check the role status, should be 'running'
|
|
validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ };
|
|
# check the admin password is listed in 'settings'
|
|
validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ };
|
|
# sanitize the settings
|
|
assert_script_run 'rolectl sanitize domaincontroller/domain.local';
|
|
# check the password now shows as 'None'
|
|
validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ };
|
|
# kinit as admin
|
|
assert_script_run 'echo "monkeys123" | kinit admin';
|
|
# set up an OTP for client001 enrolment (it will enrol with a kickstart)
|
|
assert_script_run 'ipa host-add client001.domain.local --password=monkeys --force';
|
|
# create two user accounts, test1 and test2
|
|
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
|
|
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
|
|
# add a rule allowing access to all hosts and services
|
|
assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
|
|
# add test1 (but not test2) to the rule
|
|
assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
|
|
# disable the default 'everyone everywhere' rule
|
|
assert_script_run 'ipa hbacrule-disable allow_all';
|
|
# we're all ready for other jobs to run!
|
|
mutex_create('freeipa_ready');
|
|
wait_for_children;
|
|
# once child jobs are done, stop the role
|
|
assert_script_run 'rolectl stop domaincontroller/domain.local';
|
|
# check role is stopped
|
|
validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ };
|
|
# decommission the role
|
|
assert_script_run 'rolectl decommission domaincontroller/domain.local', 120;
|
|
# check role is decommissioned
|
|
validate_script_output 'rolectl list instances', sub { $_ eq "" };
|
|
}
|
|
|
|
|
|
sub test_flags {
|
|
# without anything - rollback to 'lastgood' snapshot if failed
|
|
# 'fatal' - whole test suite is in danger if this fails
|
|
# 'milestone' - after this test succeeds, update 'lastgood'
|
|
# 'important' - if this fails, set the overall state to 'fail'
|
|
return { fatal => 1 };
|
|
}
|
|
|
|
1;
|
|
|
|
# vim: set sw=4 et:
|