os-autoinst-distri-rocky-mi.../tests/role_deploy_domain_controller.pm
Adam Williamson a9704de4bd FreeIPA: disable dnssec validation till weird bug is fixed
I noticed today that if we deploy FreeIPA with dnssec validation
enabled, dnf can't resolve dl.fedoraproject.org afterwards, which
is a problem because it means we wind up falling through to
random mirrors for metadata and package download once the server
is deployed, which can be slow and give old packages. This seems
to be why the server upgrade test on F33 is sometimes failing
because we get an older FreeIPA package on upgrade, even though
the newer one has been stable for a week.

It's difficult to pin down exactly where this bug is and fix it,
I've mailed some folks to try and work it out, but until that's
figured out, let's just disable dnssec validation.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-10-23 11:38:01 -07:00

87 lines
4.0 KiB
Perl

use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;
use tapnet;
use utils;
sub run {
my $self = shift;
# login
$self->root_console();
# use compose repo, disable u-t, etc. unless this is an upgrade
# test (in which case we're on the 'old' release at this point;
# one of the upgrade test modules does repo_setup later)
repo_setup() unless get_var("UPGRADE");
# use --enablerepo=fedora for Modular compose testing (we need to
# create and use a non-Modular repo to get some packages which
# aren't in Modular Server composes)
my $extraparams = '';
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
# we need a lot of entropy for this, and we don't care how good
# it is, so let's use haveged
assert_script_run "dnf ${extraparams} -y install haveged", 300;
assert_script_run 'systemctl start haveged.service';
# per ab, this should get us extra debug logging from the web UI
# in error_log
assert_script_run 'mkdir -p /etc/ipa';
assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf';
# per ab, this gets us more debugging for bind
assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';
# First install the necessary packages
assert_script_run "dnf -y groupinstall freeipa-server", 600;
# configure the firewall
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
assert_script_run "firewall-cmd --permanent --add-service $service";
}
assert_script_run "systemctl restart firewalld.service";
# deploy the server
my $args = "-U --auto-forwarders --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-dnssec-validation --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
assert_script_run "ipa-server-install $args", 1200;
# enable and start the systemd service
assert_script_run "systemctl enable ipa.service";
assert_script_run "systemctl start ipa.service", 300;
# kinit as admin
assert_script_run 'echo "monkeys123" | kinit admin';
# set up an OTP for client001 enrolment (it will enrol with a kickstart)
assert_script_run 'ipa host-add client001.domain.local --password=monkeys --force';
# create two user accounts, test1 and test2
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
# add a rule allowing access to all hosts and services
assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
# add test1 (but not test2) to the rule
assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
# disable the default 'everyone everywhere' rule
assert_script_run 'ipa hbacrule-disable allow_all';
# allow immediate password changes (as we need to test this)
assert_script_run 'ipa pwpolicy-mod --minlife=0';
# magic voodoo crap to allow reverse DNS client sync to work
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
assert_script_run 'ipa dnszone-mod domain.local. --allow-sync-ptr=TRUE';
# kinit as each user and set a new password
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
# we're ready for children to enrol, now
mutex_create("freeipa_ready");
# if upgrade test, wait for children to enrol before upgrade
if (get_var("UPGRADE")) {
my $children = get_children();
my $child_id = (keys %$children)[0];
mutex_lock('client_enrolled', $child_id);
mutex_unlock('client_enrolled');
}
}
sub test_flags {
return { fatal => 1 };
}
1;
# vim: set sw=4 et: