a9704de4bd
I noticed today that if we deploy FreeIPA with dnssec validation enabled, dnf can't resolve dl.fedoraproject.org afterwards, which is a problem because it means we wind up falling through to random mirrors for metadata and package download once the server is deployed, which can be slow and give old packages. This seems to be why the server upgrade test on F33 is sometimes failing because we get an older FreeIPA package on upgrade, even though the newer one has been stable for a week. It's difficult to pin down exactly where this bug is and fix it, I've mailed some folks to try and work it out, but until that's figured out, let's just disable dnssec validation. Signed-off-by: Adam Williamson <awilliam@redhat.com>
87 lines
4.0 KiB
Perl
87 lines
4.0 KiB
Perl
use base "installedtest";
|
|
use strict;
|
|
use testapi;
|
|
use lockapi;
|
|
use mmapi;
|
|
use tapnet;
|
|
use utils;
|
|
|
|
sub run {
|
|
my $self = shift;
|
|
# login
|
|
$self->root_console();
|
|
# use compose repo, disable u-t, etc. unless this is an upgrade
|
|
# test (in which case we're on the 'old' release at this point;
|
|
# one of the upgrade test modules does repo_setup later)
|
|
repo_setup() unless get_var("UPGRADE");
|
|
# use --enablerepo=fedora for Modular compose testing (we need to
|
|
# create and use a non-Modular repo to get some packages which
|
|
# aren't in Modular Server composes)
|
|
my $extraparams = '';
|
|
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
|
|
# we need a lot of entropy for this, and we don't care how good
|
|
# it is, so let's use haveged
|
|
assert_script_run "dnf ${extraparams} -y install haveged", 300;
|
|
assert_script_run 'systemctl start haveged.service';
|
|
# per ab, this should get us extra debug logging from the web UI
|
|
# in error_log
|
|
assert_script_run 'mkdir -p /etc/ipa';
|
|
assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf';
|
|
# per ab, this gets us more debugging for bind
|
|
assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
|
|
assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';
|
|
# First install the necessary packages
|
|
assert_script_run "dnf -y groupinstall freeipa-server", 600;
|
|
# configure the firewall
|
|
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
|
|
assert_script_run "firewall-cmd --permanent --add-service $service";
|
|
}
|
|
assert_script_run "systemctl restart firewalld.service";
|
|
# deploy the server
|
|
my $args = "-U --auto-forwarders --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-dnssec-validation --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
|
|
assert_script_run "ipa-server-install $args", 1200;
|
|
# enable and start the systemd service
|
|
assert_script_run "systemctl enable ipa.service";
|
|
assert_script_run "systemctl start ipa.service", 300;
|
|
|
|
# kinit as admin
|
|
assert_script_run 'echo "monkeys123" | kinit admin';
|
|
# set up an OTP for client001 enrolment (it will enrol with a kickstart)
|
|
assert_script_run 'ipa host-add client001.domain.local --password=monkeys --force';
|
|
# create two user accounts, test1 and test2
|
|
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
|
|
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
|
|
# add a rule allowing access to all hosts and services
|
|
assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
|
|
# add test1 (but not test2) to the rule
|
|
assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
|
|
# disable the default 'everyone everywhere' rule
|
|
assert_script_run 'ipa hbacrule-disable allow_all';
|
|
# allow immediate password changes (as we need to test this)
|
|
assert_script_run 'ipa pwpolicy-mod --minlife=0';
|
|
# magic voodoo crap to allow reverse DNS client sync to work
|
|
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
|
|
assert_script_run 'ipa dnszone-mod domain.local. --allow-sync-ptr=TRUE';
|
|
# kinit as each user and set a new password
|
|
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
|
|
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
|
|
# we're ready for children to enrol, now
|
|
mutex_create("freeipa_ready");
|
|
# if upgrade test, wait for children to enrol before upgrade
|
|
if (get_var("UPGRADE")) {
|
|
my $children = get_children();
|
|
my $child_id = (keys %$children)[0];
|
|
mutex_lock('client_enrolled', $child_id);
|
|
mutex_unlock('client_enrolled');
|
|
}
|
|
}
|
|
|
|
|
|
sub test_flags {
|
|
return { fatal => 1 };
|
|
}
|
|
|
|
1;
|
|
|
|
# vim: set sw=4 et:
|