2016-05-04 18:53:11 +00:00
use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;

sub run {
    my $self=shift;
    # boot with kernel params to ensure interface is 'eth0' and not whatever
    # systemd feels like calling it today
add a cockpit realmd FreeIPA join test

Summary:
This requires a few other changes:

* turn clone_host_resolv into clone_host_file, letting you clone
  any given host file (cloning /etc/hosts seems to make both
  server deployment and client enrolment faster/more reliable)
* allow loading of multiple POSTINSTALL tests (so we can share
  the freeipa_client_postinstall test). Note this is compatible,
  existing uses will work fine
* move initial password change for the IPA test users into the
  server deployment test (so the client tests don't conflict over
  doing that)
* add GRUB_POSTINSTALL, for specifying boot parameters for boot of
  the installed system, and make it work by tweaking
  _console_wait_login (doesn't work for _graphical_wait_login yet,
  as I didn't need that)
* make the static networking config for tap tests into a library
  function so the tests can share it
* handle ABRT problem dirs showing up in /var/spool/abrt as well
  as /var/tmp/abrt (because the enrol attempt hits #1330766 and
  the crash report shows up in /var/spool/abrt, don't ask me why
  the difference, I just work here)
* specify the DNS servers from the worker host's resolv.conf as
  the forwarders for the FreeIPA server when deploying it; if we
  don't do this, rolekit defaults to using the root servers as
  forwarders(!) and thus we get the public, not phx2-appropriate,
  results for e.g. mirrors.fedoraproject.org, some of which the
  workers can't reach, so PackageKit package install always fails
  (boy, was it fun figuring THAT mess out)

Even after all that, the test still doesn't actually pass, but
I'm reasonably confident this is because it's hitting actual bugs,
not because it's broken. It runs into #1330766 nearly every time
(I think I saw *one* time the enrolment actually succeeded), and
seems to run into a subsequent bug I hadn't seen before when
trying to work around that by trying the join again (see
https://bugzilla.redhat.com/show_bug.cgi?id=1330766#c37 ).

Test Plan:
Run the test, see what happens. If you're really lucky,
it'll actually pass. But you'll probably run into #1330766#c37,
I'm mostly posting for comment. You'll need a tap-capable openQA
instance to test this.

Reviewers: jskladan, garretraziel
Reviewed By: garretraziel
Subscribers: tflink
Differential Revision: https://phab.qadevel.cloud.fedoraproject.org/D880
2016-06-07 20:00:39 +00:00
    $self->do_bootloader(postinstall=>1, params=>"net.ifnames=0 biosdevname=0");
    $self->boot_to_login_screen("text_console_login", 5, 60);
    # login
    $self->root_console();
    # clone host's /etc/hosts (for phx2 internal routing to work)
    # must come *before* setup_tap_static or else it would overwrite
    # its changes
    $self->clone_host_file("/etc/hosts");
    # set up networking
    $self->setup_tap_static("10.0.2.100", "ipa001.domain.local");
    # clone host's resolv.conf to get name resolution
    $self->clone_host_file("/etc/resolv.conf");
    # we don't want updates-testing for validation purposes
    assert_script_run 'dnf config-manager --set-disabled updates-testing';
    # we need a lot of entropy for this, and we don't care how good
    # it is, so let's use haveged
    assert_script_run 'dnf -y install haveged', 120;
    assert_script_run 'systemctl start haveged.service';
    # read DNS server IPs from host's /etc/resolv.conf for passing to
    # rolectl
    my @forwards;
    # lexical filehandle; fail the test if the file cannot be read
    open(my $fh, '<', "/etc/resolv.conf") or die "cannot open /etc/resolv.conf: $!";
    while (<$fh>) {
        if ($_ =~ m/^nameserver +(.+)/) {
            push @forwards, $1;
        }
    }
    close($fh);
    # we are now gonna work around a stupid bug in rolekit. we want to
    # pass it a list of ipv4 DNS forwarders and have no ipv6 DNS
    # forwarders. but it won't allow you to have a dns_forwarders array
    # with a "ipv4" list but no "ipv6" list, any values in the "ipv6"
    # list must be contactable (so we can't use real IPv6 DNS servers
    # as we have no IPv6 connectivity), and if you use an empty list
    # as the "ipv6" value you often hit a weird DBus error "unable to
    # guess signature from an empty list". Fortunately, rolekit doesn't
    # actually check that the values in the lists are really IPv6 /
    # IPv4, it just turns all the values in each list into --forwarder
    # args for ipa-server-install. So we can just stuff IPv4 values
    # into both lists. rolekit bug:
    # https://github.com/libre-server/rolekit/issues/64
    # it should be fixed relatively soon.
    my $fourlist;
    my $sixlist;
    if (scalar @forwards == 1) {
        # we've only got one server, so dupe it, best we can do
        $fourlist = '["' . $forwards[0] . '"]';
        $sixlist = $fourlist;
    }
    else {
        # put the first value in the 'IPv4' list and all the others in
        # the 'IPv6' list
        $fourlist = '["' . shift(@forwards) . '"]';
        $sixlist = '["' . join('","', @forwards) . '"]';
    }
    # deploy the domain controller role, specifying an admin password
    # and the list of DNS server IPs as JSON via stdin. If we don't do
    # this, rolectl defaults to using the root servers as forwarders
    # (it does not copy the settings from resolv.conf), which give the
    # public results for mirrors.fedoraproject.org, some of which
    # things running in phx2 cannot reach; we must make sure the phx2
    # deployments use the phx2 nameservers.
    assert_script_run 'echo \'{"admin_password":"monkeys123","dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200;
    # check the role status, should be 'running'
    validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ };
    # check the admin password is listed in 'settings'
    validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ };
    # sanitize the settings
    assert_script_run 'rolectl sanitize domaincontroller/domain.local';
    # check the password now shows as 'None'
    validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ };
    # kinit as admin
    assert_script_run 'echo "monkeys123" | kinit admin';
    # set up an OTP for client001 enrolment (it will enrol with a kickstart)
    assert_script_run 'ipa host-add client001.domain.local --password=monkeys --force';
    # create two user accounts, test1 and test2
    assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
    assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
    # add a rule allowing access to all hosts and services
    assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
    # add test1 (but not test2) to the rule
    assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
    # disable the default 'everyone everywhere' rule
    assert_script_run 'ipa hbacrule-disable allow_all';
    # kinit as each user and set a new password
    assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@DOMAIN.LOCAL';
    assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@DOMAIN.LOCAL';
    # we're all ready for other jobs to run!
    mutex_create('freeipa_ready');
    wait_for_children;
    # once child jobs are done, stop the role
    assert_script_run 'rolectl stop domaincontroller/domain.local';
    # check role is stopped
    validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ };
    # decommission the role
    assert_script_run 'rolectl decommission domaincontroller/domain.local', 120;
    # check role is decommissioned
    validate_script_output 'rolectl list instances', sub { $_ eq "" };
}

sub test_flags {
    # without anything - rollback to 'lastgood' snapshot if failed
    # 'fatal' - whole test suite is in danger if this fails
    # 'milestone' - after this test succeeds, update 'lastgood'
    # 'important' - if this fails, set the overall state to 'fail'
    return { fatal => 1 };
}

1;

# vim: set sw=4 et:
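
The test above concatenates the nameserver values read from resolv.conf directly into a single-quoted shell command that carries hand-built JSON. The following is an added example, not code from the openQA test or from rolekit: it accepts only dotted-quad IPv4 values and lets JSON::PP do the encoding, while keeping the page's workaround of filling both forwarder lists with IPv4 addresses. The helper names `ipv4_nameservers` and `rolectl_settings`, the sample addresses and the placeholder password are assumptions made for illustration.

```perl
use strict;
use warnings;
use JSON::PP;    # core module, no extra install needed

# Hypothetical helper (not in the original test): return only the
# nameserver entries that are syntactically valid dotted-quad IPv4.
sub ipv4_nameservers {
    my ($text) = @_;
    my @servers;
    for my $line (split /\n/, $text) {
        # \S+ stops at whitespace, so trailing blanks never reach the JSON
        next unless $line =~ m/^nameserver\s+(\S+)/;
        my $addr   = $1;
        my @octets = split /\./, $addr, -1;
        next unless @octets == 4;
        # reject anything that is not 1-3 digits in the range 0..255
        next if grep { !/^\d{1,3}$/ || $_ > 255 } @octets;
        push @servers, $addr;
    }
    return @servers;
}

# Hypothetical helper: build the settings document piped to rolectl.
# First server goes in "ipv4", the rest in "ipv6" (duplicated if there
# is only one), mirroring the workaround described in the test.
sub rolectl_settings {
    my ($password, @servers) = @_;
    die "no usable IPv4 nameservers\n" unless @servers;
    my @four = ($servers[0]);
    my @six  = @servers > 1 ? @servers[1 .. $#servers] : ($servers[0]);
    return JSON::PP->new->canonical->encode({
        admin_password => $password,
        dns_forwarders => { ipv4 => \@four, ipv6 => \@six },
    });
}

# Constructed sample input, not a real resolv.conf
my $sample = join "\n",
    'search example.test',
    'nameserver 10.5.126.21  ',     # trailing spaces
    'nameserver 2001:db8::1',       # IPv6, skipped
    'nameserver 10.5.126.300',      # octet out of range, skipped
    'nameserver 10.5.126.22;x',     # trailing junk, skipped
    'nameserver 10.5.126.23';

print rolectl_settings('placeholder-password', ipv4_nameservers($sample)), "\n";
```

Because every surviving value consists only of digits and dots, it cannot terminate the single-quoted string in the `echo '...' | rolectl deploy` command line.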