diff --git a/tests/role_deploy_domain_controller.pm b/tests/role_deploy_domain_controller.pm
index 3301f5cd..bcd97f02 100644
--- a/tests/role_deploy_domain_controller.pm
+++ b/tests/role_deploy_domain_controller.pm
@@ -28,49 +28,71 @@ sub run { assert_script_run 'mkdir -p /etc/ipa'; assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf'; # read DNS server IPs from host's /etc/resolv.conf for passing to - # rolectl + # ipa-server-install / rolectl my @forwards = get_host_dns(); - # we are now gonna work around a stupid bug in rolekit. we want to - # pass it a list of ipv4 DNS forwarders and have no ipv6 DNS - # forwarders. but it won't allow you to have a dns_forwarders array - # with a "ipv4" list but no "ipv6" list, any values in the "ipv6" - # list must be contactable (so we can't use real IPv6 DNS servers - # as we have no IPv6 connectivity), and if you use an empty list - # as the "ipv6" value you often hit a weird DBus error "unable to - # guess signature from an empty list". Fortunately, rolekit doesn't - # actually check that the values in the lists are really IPv6 / - # IPv4, it just turns all the values in each list into --forwarder - # args for ipa-server-install. So we can just stuff IPv4 values - # into both lists. rolekit bug: - # https://github.com/libre-server/rolekit/issues/64 - # it should be fixed relatively soon. - my $fourlist; - my $sixlist; - if (scalar @forwards == 1) { - # we've only got one server, so dupe it, best we can do - $fourlist = '["' . $forwards[0] . '"]'; - $sixlist = $fourlist; + # from here we branch: for F28 and earlier we use rolekit as + # always, for F29+ we deploy directly ourselves as rolekit is + # deprecated + my $version = get_var("VERSION"); + # for upgrade tests we need to check CURRREL not VERSION + $version = get_var("CURRREL") if (get_var("UPGRADE")); + if ($version < 29 && $version ne 'Rawhide') { + # we are now gonna work around a stupid bug in rolekit. we want to + # pass it a list of ipv4 DNS forwarders and have no ipv6 DNS + # forwarders. 
but it won't allow you to have a dns_forwarders array + # with a "ipv4" list but no "ipv6" list, any values in the "ipv6" + # list must be contactable (so we can't use real IPv6 DNS servers + # as we have no IPv6 connectivity), and if you use an empty list + # as the "ipv6" value you often hit a weird DBus error "unable to + # guess signature from an empty list". Fortunately, rolekit doesn't + # actually check that the values in the lists are really IPv6 / + # IPv4, it just turns all the values in each list into --forwarder + # args for ipa-server-install. So we can just stuff IPv4 values + # into both lists. rolekit bug: + # https://github.com/libre-server/rolekit/issues/64 + # it should be fixed relatively soon. + my $fourlist; + my $sixlist; + if (scalar @forwards == 1) { + # we've only got one server, so dupe it, best we can do + $fourlist = '["' . $forwards[0] . '"]'; + $sixlist = $fourlist; + } + else { + # put the first value in the 'IPv4' list and all the others in + # the 'IPv6' list + $fourlist = '["' . shift(@forwards) . '"]'; + $sixlist = '["' . join('","', @forwards) . '"]'; + } + # deploy the domain controller role, specifying an admin password + # and the list of DNS server IPs as JSON via stdin. If we don't do + # this, rolectl defaults to using the root servers as forwarders + # (it does not copy the settings from resolv.conf), which give the + # public results for mirrors.fedoraproject.org, some of which + # things running in phx2 cannot reach; we must make sure the phx2 + # deployments use the phx2 nameservers. + assert_script_run 'echo \'{"admin_password":"monkeys123","dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200; } else { - # put the first value in the 'IPv4' list and all the others in - # the 'IPv6' list - $fourlist = '["' . shift(@forwards) . '"]'; - $sixlist = '["' . join('","', @forwards) . 
'"]'; - } - # deploy the domain controller role, specifying an admin password - # and the list of DNS server IPs as JSON via stdin. If we don't do - # this, rolectl defaults to using the root servers as forwarders - # (it does not copy the settings from resolv.conf), which give the - # public results for mirrors.fedoraproject.org, some of which - # things running in phx2 cannot reach; we must make sure the phx2 - # deployments use the phx2 nameservers. - assert_script_run 'echo \'{"admin_password":"monkeys123","dns_forwarders":{"ipv4":' . $fourlist . ',"ipv6":' . $sixlist .'}}\' | rolectl deploy domaincontroller --name=domain.local --settings-stdin', 1200; - # FIXME: workaround for RHBZ #1400293 on Fedora 24. Can be removed - # when Firefox is fixed. - my $release = lc(get_var('VERSION')); - if ($release ne "rawhide" && $release < 25) { - assert_script_run 'ipa-getcert resubmit -d /etc/httpd/alias -n Server-Cert -D $( uname -n )'; + # this is the other side of the version branch - we're on 29+, + # so no rolekit. First install the necessary packages + assert_script_run "dnf -y groupinstall freeipa-server", 600; + # configure the firewall + for my $service (qw(freeipa-ldap freeipa-ldaps dns)) { + assert_script_run "firewall-cmd --permanent --add-service $service"; + } + assert_script_run "systemctl restart firewalld.service"; + # deploy the server + my $args = "-U --realm=DOMAIN.LOCAL --domain=domain.local --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --no-reverse"; + for my $fwd (@forwards) { + $args .= " --forwarder=$fwd"; + } + assert_script_run "ipa-server-install $args", 1200; + # enable and start the systemd service + assert_script_run "systemctl enable ipa.service"; + assert_script_run "systemctl start ipa.service", 300; } + # kinit as admin assert_script_run 'echo "monkeys123" | kinit admin'; # set up an OTP for client001 enrolment (it will enrol with a kickstart) 
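Review bot: The version test `$version < 29 && $version ne 'Rawhide'` runs the numeric comparison first and matches the release name case-sensitively, where the removed Firefox workaround used `lc(get_var('VERSION'))` and tested the string before the number. A non-numeric value is compared as 0 (with a warning under `use warnings`), so any spelling other than exactly `Rawhide`, or an unset `CURRREL` on an upgrade job, silently selects the rolekit path. Suggest `if (lc($version) ne 'rawhide' && $version < 29) {` plus a `die` when `$version` is undefined; the same expression is repeated in the hunk for tests/role_deploy_domain_controller_check.pm. In the F29+ branch each `$fwd` is also interpolated unquoted into the `ipa-server-install` shell command, so it relies on `get_host_dns()` (not shown) returning only IP literals. `run` starts before and continues past this hunk.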
diff --git a/tests/role_deploy_domain_controller_check.pm b/tests/role_deploy_domain_controller_check.pm
index 54dde7a2..e5751572 100644
--- a/tests/role_deploy_domain_controller_check.pm
+++ b/tests/role_deploy_domain_controller_check.pm
@@ -8,23 +8,41 @@ sub run { my $self = shift; # if this is an update, notify clients that we're now up again mutex_create('server_upgraded') if get_var("UPGRADE"); - # check the role status, should be 'running' - validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ }; - # check the admin password is listed in 'settings' - validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ }; - # sanitize the settings - assert_script_run 'rolectl sanitize domaincontroller/domain.local'; - # check the password now shows as 'None' - validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ }; - # once child jobs are done, stop the role - wait_for_children; - assert_script_run 'rolectl stop domaincontroller/domain.local'; - # check role is stopped - validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ }; - # decommission the role - assert_script_run 'rolectl decommission domaincontroller/domain.local', 300; - # check role is decommissioned - validate_script_output 'rolectl list instances', sub { $_ eq "" }; + # from here we branch: for F28 and earlier we use rolekit as + # always, for F29+ we decommission directly ourselves as rolekit + # is deprecated + my $version = get_var("VERSION"); + # for upgrade tests we need to check CURRREL not VERSION + $version = get_var("CURRREL") if (get_var("UPGRADE")); + if ($version < 29 && $version ne 'Rawhide') { + # check the role status, should be 'running' + validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^running/ }; + # check the admin password is listed in 'settings' + validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~m/dm_password = \w{5,}/ }; + # sanitize the settings + assert_script_run 'rolectl sanitize domaincontroller/domain.local'; + # check the password now shows as 'None' + 
validate_script_output 'rolectl settings domaincontroller/domain.local', sub {$_ =~ m/dm_password = None/ }; + # once child jobs are done, stop the role + wait_for_children; + assert_script_run 'rolectl stop domaincontroller/domain.local'; + # check role is stopped + validate_script_output 'rolectl status domaincontroller/domain.local', sub { $_ =~ m/^ready-to-start/ }; + # decommission the role + assert_script_run 'rolectl decommission domaincontroller/domain.local', 300; + # check role is decommissioned + validate_script_output 'rolectl list instances', sub { $_ eq "" }; + } + else { + # once child jobs are done, stop the server + wait_for_children; + assert_script_run 'systemctl stop ipa.service'; + # check server is stopped + assert_script_run '! systemctl is-active ipa.service'; + # decommission the server + assert_script_run 'ipa-server-install -U --uninstall', 300; + # FIXME check server is decommissioned...how? + } # run post-fail hook to upload logs - even when this test passes # there are often cases where we need to see the logs (e.g. client # test failed due to server issue)
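Review bot: The F29+ branch never asserts that the server is up before `wait_for_children`, whereas the rolekit branch first checks `rolectl status` for `running`; adding `assert_script_run 'systemctl is-active ipa.service';` at the top of the `else` block would restore that check. The rolekit branch also verifies that `dm_password` reads `None` after sanitizing, and the new branch has no counterpart, so nothing confirms that the passwords given to `ipa-server-install` in the deploy test are not left behind in a readable log or config; whether that needs an assertion depends on what the installer writes, which this diff does not show. For the `FIXME`, one option is `assert_script_run '! systemctl is-enabled ipa.service';` after the uninstall, assuming the uninstaller disables the unit. `run` starts before and continues past this hunk.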