use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;
use tapnet;
use utils;
# Adapted from Fedora's OpenQA tests, with some modifications. This will need
# to be maintained per major version as necessary.
# label@rockylinux.org
use feature "switch";
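# Enrol this test machine into the FreeIPA test domain: as a replica when
# FREEIPA_REPLICA is set, otherwise as a plain client via `realm join`.
#
# Job variables read: FREEIPA_REPLICA, FREEIPA_REPLICA_CLIENT, UPGRADE and
# (replica only) POST_STATIC, expected as "<ip> <hostname>".
# Mutexes: waits on 'freeipa_ready' or 'replica_ready' before enrolling,
# creates 'replica_ready' (replica) and 'client_enrolled' (upgrade tests),
# and waits on 'server_upgraded' (upgrade tests).
sub run {
    my $self = shift;
    # use FreeIPA server or replica as DNS server
    my $version_major = get_version_major;
    # NOTE(review): $relnum is never read below; the call is kept in case
    # get_release_number has side effects - confirm and drop.
    my $relnum = get_release_number;
    # Fixed admin credential of the disposable test realm. It is committed
    # in clear text and interpolated into the shell commands below, which
    # assert_script_run types on the console, so it shows up in the job's
    # recorded output. Treat it as public: it must never match a credential
    # used outside the isolated test network.
    my $ipa_admin_password = 'b1U3OnyX!';
    my $server = 'ipa001.test.openqa.rockylinux.org';
    my $server_ip = '172.16.2.100';
    my $server_mutex = 'freeipa_ready';

    # Only major version 8 installs from the idm:DL1 module stream and opens
    # the individual firewalld services; every other version (9 included)
    # uses the plain packages and the freeipa-4 service. A plain string
    # comparison replaces the deprecated given/when construct.
    my $is_el8 = defined $version_major && $version_major eq '8';
    my $ipa_install_cmd = $is_el8
      ? 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}'
      : 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
    my @ipa_firewall_services = $is_el8
      ? qw(http https kerberos kpasswd ldap ldaps dns)
      : qw(freeipa-4 dns);

    if (get_var("FREEIPA_REPLICA")) {
        $server = 'ipa002.test.openqa.rockylinux.org';
        $server_ip = '172.16.2.106';
    }
    if (get_var("FREEIPA_REPLICA_CLIENT")) {
        $server = 'ipa003.test.openqa.rockylinux.org';
        $server_ip = '172.16.2.107';
        $server_mutex = 'replica_ready';
    }

    # this gets us the name of the first connection in the list,
    # which should be what we want
    # NOTE(review): the name is placed between single quotes in the nmcli
    # commands below, so a connection name containing a single quote would
    # break the quoting.
    my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1";
    assert_script_run "nmcli con mod '$connection' ipv4.dns '$server_ip'";
    assert_script_run "nmcli con down '$connection'";
    assert_script_run "nmcli con up '$connection'";

    # wait for the server or replica to be ready (do it now just to be
    # sure name resolution is working before we proceed)
    mutex_lock $server_mutex;
    mutex_unlock $server_mutex;

    # use compose repo, disable u-t, etc. unless this is an upgrade
    # test (in which case we're on the 'old' release at this point;
    # one of the upgrade test modules does repo_setup later)
    repo_setup() unless get_var("UPGRADE");

    # do the enrolment
    if (get_var("FREEIPA_REPLICA")) {
        # here we're enrolling not just as a client, but as a replica
        # install server packages
        assert_script_run $ipa_install_cmd, 600;

        # we need a lot of entropy for this, and we don't care how good
        # it is, so feed the pool with rngd from rng-tools
        assert_script_run "dnf --assumeyes install rng-tools", 300;
        assert_script_run 'systemctl start rngd.service';

        # configure the firewall
        for my $service (@ipa_firewall_services) {
            assert_script_run "firewall-cmd --permanent --add-service $service";
        }
        assert_script_run "systemctl restart firewalld.service";

        # deploy as a replica
        # POST_STATIC comes from the job settings and its first field goes
        # unquoted into the shell command below, so fail early with a clear
        # message unless it looks like an IPv4/IPv6 address.
        my ($ip, $hostname) = split(/ /, get_var("POST_STATIC") // '');
        die "POST_STATIC must be set to '<ip> <hostname>' for a replica job"
          unless defined $ip && $ip =~ /\A[0-9A-Fa-f:.]+\z/;
        # The admin password is passed as a command-line argument here, so
        # it is also visible in the process list while the installer runs.
        my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password '$ipa_admin_password'";
        assert_script_run "ipa-replica-install $args", 1500;

        # enable and start the systemd service
        assert_script_run "systemctl enable ipa.service";
        assert_script_run "systemctl start ipa.service", 300;

        # report that we're ready to go
        mutex_create('replica_ready');

        # wait for the client test
        wait_for_children;
    }
    else {
        # realm reads the password from stdin, so it stays out of the
        # realm process arguments (it is still part of the typed command)
        assert_script_run "echo '$ipa_admin_password' | realm join --user=admin $server", 300;
    }

    # set sssd debugging level higher (useful for debugging failures)
    # optional as it's not really part of the test
    script_run "dnf -y install sssd-tools", 220;
    script_run "sss_debuglevel 9";

    # if upgrade test, report that we're enrolled
    mutex_create('client_enrolled') if get_var("UPGRADE");
    # if this is an upgrade test, wait for server to be upgraded before
    # continuing, as we rely on it for name resolution
    if (get_var("UPGRADE")) {
        mutex_lock "server_upgraded";
        mutex_unlock "server_upgraded";
    }
}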
# Flags for the test runner: a failure of this module is fatal, so the
# remaining modules of the job are not run.
sub test_flags {
    my %flags = (fatal => 1);
    return \%flags;
}
1;
# vim: set sw=4 et: