[Freeipa-devel] [freeipa PR#6109][opened] [Backport][ipa-4-9] freeipa.spec: depend on bind-pkcs11-utils
URL: https://github.com/freeipa/freeipa/pull/6109
Author: fcami
Title: #6109: [Backport][ipa-4-9] freeipa.spec: depend on bind-pkcs11-utils
Action: opened

PR body:
"""
This PR was opened automatically because PR #6074 was pushed to master and backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6109/head:pr6109
git checkout pr6109

From b7b970aad93839413815947b8bafa5d4c8f24191 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Thu, 4 Nov 2021 12:01:38 +0100
Subject: [PATCH] freeipa.spec: depend on bind-dnssec-utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami
--- freeipa.spec.in | 4 +++- ipaplatform/base/paths.py | 2 +- ipaplatform/fedora/paths.py | 1 - ipaserver/dnssec/bindmgr.py | 1 + 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e20edb7bc60..8f5c370e561 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in
@@ -576,9 +576,11 @@ Requires: %{name}-server = %{version}-%{release} Requires: bind-dyndb-ldap >= 11.2-2 Requires: bind >= %{bind_version} Requires: bind-utils >= %{bind_version} +# bind-dnssec-utils is required by the OpenDNSSec integration +# https://pagure.io/freeipa/issue/9026 +Requires: bind-dnssec-utils >= %{bind_version} %if %{with bind_pkcs11} Requires: bind-pkcs11 >= %{bind_version} -Requires: bind-pkcs11-utils >= %{bind_version} %else Requires: softhsm >= %{softhsm_version} Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 42a47f1df37..7d21367ece0 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -259,7 +259,7 @@ class BasePathNamespace: IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" -DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" +DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" USERMOD = "/usr/sbin/usermod" diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py index 92a948966b6..4e993c063e2 100644 --- a/ipaplatform/fedora/paths.py +++ b/ipaplatform/fedora/paths.py @@ -36,7 +36,6 @@ class FedoraPathNamespace(RedHatPathNamespace): NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" if HAS_NFS_CONF: SYSCONFIG_NFS = '/etc/nfs.conf' -DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" paths = FedoraPathNamespace() diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py index a15c0e601a2..0c79cc03d40 100644 --- a/ipaserver/dnssec/bindmgr.py +++ b/ipaserver/dnssec/bindmgr.py 
@@ -127,6 +127,7 @@ def install_key(self, zone, uuid, attrs, workdir): ) cmd = [ paths.DNSSEC_KEYFROMLABEL, +'-E', 'pkcs11', '-K', workdir, '-a', attrs['idnsSecAlgorithm'][0], '-l', uri ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
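Review bot: in the ipaserver/dnssec/bindmgr.py hunk, '-E', 'pkcs11' is now passed on every platform, and the ipaplatform/base/paths.py hunk points DNSSEC_KEYFROMLABEL at /usr/sbin/dnssec-keyfromlabel for every platform as well, yet freeipa.spec.in keeps a %if %{with bind_pkcs11} branch that still requires bind-pkcs11. Please confirm that dnssec-keyfromlabel accepts the pkcs11 engine on builds that take that branch, or keep the engine name next to the binary path in the platform namespace so the two cannot drift apart. The commit subject says bind-dnssec-utils while the PR title still says bind-pkcs11-utils; aligning them would make the backport easier to track.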
[Freeipa-devel] [freeipa PR#6074][closed] freeipa.spec: depend on bind-pkcs11-utils
URL: https://github.com/freeipa/freeipa/pull/6074
Author: fcami
Title: #6074: freeipa.spec: depend on bind-pkcs11-utils
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6074/head:pr6074
git checkout pr6074
[Freeipa-devel] [freeipa PR#5939][closed] ipaserver: disable resolved' stub resolver
URL: https://github.com/freeipa/freeipa/pull/5939
Author: fcami
Title: #5939: ipaserver: disable resolved' stub resolver
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5939/head:pr5939
git checkout pr5939
[Freeipa-devel] [freeipa PR#6099][opened] [Backport][ipa-4-9] pwpolicy: change lifetime error message
URL: https://github.com/freeipa/freeipa/pull/6099
Author: fcami
Title: #6099: [Backport][ipa-4-9] pwpolicy: change lifetime error message
Action: opened

PR body:
"""
This PR was opened automatically because PR #6086 was pushed to master and backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6099/head:pr6099
git checkout pr6099

From e3e28bf680ec50e1ea538c4e3bbca9a2a5e2962f Mon Sep 17 00:00:00 2001
From: François Cami
Date: Wed, 17 Nov 2021 15:08:35 +0100
Subject: [PATCH] pwpolicy: change lifetime error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami
--- ipaserver/plugins/pwpolicy.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py index 9e20bb7a4dc..816faffe0f9 100644 --- a/ipaserver/plugins/pwpolicy.py +++ b/ipaserver/plugins/pwpolicy.py
@@ -491,7 +491,10 @@ def validate_lifetime(self, entry_attrs, add=False, *keys): if minlife > maxlife: raise errors.ValidationError( name='maxlife', -error=_('Maximum password life must be greater than minimum.'), +error=_( +"Maximum password life must be equal to " +"or greater than the minimum." +), ) def add_cospriority(self, entry, pwpolicy_name, rights=True):
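Review bot: the diffstat shows only ipaserver/plugins/pwpolicy.py changing, so any test that matches the old string 'Maximum password life must be greater than minimum.' will no longer line up with what validate_lifetime() raises. Because the string is wrapped in _(), the msgid changes as well; please update the tests and message catalog entries that refer to this error in the same commit, or state in the commit message that none exist.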
[Freeipa-devel] [freeipa PR#6086][closed] pwpolicy: change lifetime error message
URL: https://github.com/freeipa/freeipa/pull/6086
Author: fcami
Title: #6086: pwpolicy: change lifetime error message
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6086/head:pr6086
git checkout pr6086
[Freeipa-devel] [freeipa PR#6095][opened] subid: test with podman
URL: https://github.com/freeipa/freeipa/pull/6095
Author: fcami
Title: #6095: subid: test with podman
Action: opened

PR body:
"""
podman can leverage FreeIPA-managed subids provided:
- nsswitch.conf contains "subid: sss"
- a real session is opened for that user (not su)

podman provides also a way to test whether subids can be retrieved:
$ podman unshare cat /proc/self/uid_map
$ podman unshare cat /proc/self/gid_map

Fixes: TBD
Signed-off-by: François Cami
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6095/head:pr6095
git checkout pr6095

From c9fafd1ce9ae716aa49c3b2ac2c691fe082caa96 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Thu, 18 Nov 2021 18:06:49 +0100
Subject: [PATCH] subid: test with podman
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

podman can leverage FreeIPA-managed subids provided:
- nsswitch.conf contains "subid: sss"
- a real session is opened for that user (not su)

podman provides also a way to test whether subids can be retrieved:
$ podman unshare cat /proc/self/uid_map
$ podman unshare cat /proc/self/gid_map

Fixes: TBD
Signed-off-by: François Cami
--- ipatests/test_integration/test_subids.py | 34 1 file changed, 34 insertions(+) diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py index 28cd1f765cd..2898f8e9660 100644 --- a/ipatests/test_integration/test_subids.py +++ b/ipatests/test_integration/test_subids.py
@@ -127,6 +127,40 @@ def test_auto_generate_subid(self): match = self._parse_result(result) self.assert_subid_info(uid, match) +def test_podman(self): +uid = "testuser_auto1" +passwd = "Secret123" + +# check that podman can retrieve the subids +nsswitch_conf = self.master.get_file_contents( +paths.NSSWITCH_CONF, +encoding="utf-8" +) +new_nsswitch_conf = nsswitch_conf + "\nsubid: sss files" +self.master.put_file_contents( +paths.NSSWITCH_CONF, +new_nsswitch_conf +) + +tasks.install_packages(self.master, ["podman"]) +cmds = ( +["podman", "unshare", "cat", "/proc/self/gid_map"], +["podman", "unshare", "cat", "/proc/self/uid_map"] +) +for cmd in cmds: +result = tasks.run_ssh_cmd( +to_host=self.master, +username=uid, +cmd=cmd, +auth_method="password", +password=passwd, +verbose=True +) +stdout = result[1] +# temp +print(cmd) +print(stdout) + def test_ipa_subid_script(self): tasks.kinit_admin(self.master)
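Review bot: test_podman asserts nothing: the loop ends in the two print() calls under "# temp", so the test passes even when podman unshare returns a map without any subordinate range. Assert on result[1] (for example that the maps contain the subordinate ID range assigned to testuser_auto1) and drop the prints. The hunk also appends "\nsubid: sss files" to paths.NSSWITCH_CONF and never restores the original contents, which leaves the master's name-service configuration modified for every later test and adds a duplicate line on a re-run; back the file up and restore it in a fixture or finally block. The commit message says "subid: sss" while the code writes "subid: sss files"; make the two agree.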
[Freeipa-devel] [freeipa PR#6086][opened] pwpolicy: change error message
URL: https://github.com/freeipa/freeipa/pull/6086
Author: fcami
Title: #6086: pwpolicy: change error message
Action: opened

PR body:
"""
ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes:
Signed-off-by: François Cami
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6086/head:pr6086
git checkout pr6086

From 1a901aae7108bacf4be91211d32d1dc0ba5214b1 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Wed, 17 Nov 2021 15:08:35 +0100
Subject: [PATCH] pwpolicy: change error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: TBD
Signed-off-by: François Cami
--- ipaserver/plugins/pwpolicy.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py index 9e20bb7a4dc..a6a04d8a8cb 100644 --- a/ipaserver/plugins/pwpolicy.py +++ b/ipaserver/plugins/pwpolicy.py
@@ -491,7 +491,10 @@ def validate_lifetime(self, entry_attrs, add=False, *keys): if minlife > maxlife: raise errors.ValidationError( name='maxlife', -error=_('Maximum password life must be greater than minimum.'), +error=_( +"Maximum password life must be equal " +"or greater than the minimum." +), ) def add_cospriority(self, entry, pwpolicy_name, rights=True):
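Review bot: the new message in validate_lifetime() reads "must be equal or greater than the minimum", which is missing "to" after "equal"; suggest "Maximum password life must be equal to or greater than the minimum." split across the two string literals. The Fixes: trailer is still TBD in the commit and empty in the PR body, so link the ticket before merge.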
[Freeipa-devel] [freeipa PR#6074][opened] freeipa.spec: depend on bind-pkcs11-utils
URL: https://github.com/freeipa/freeipa/pull/6074
Author: fcami
Title: #6074: freeipa.spec: depend on bind-pkcs11-utils
Action: opened

PR body:
"""
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils.

Currently, bind-pkcs11-utils is only installed for RHEL<9.
With this change, FreeIPA depends on bind-pkcs11-utils on all
Fedora and RHEL versions.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6074/head:pr6074
git checkout pr6074

From bdc9746c48addd3126a675e05f0e56b43d5051f3 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Thu, 4 Nov 2021 12:01:38 +0100
Subject: [PATCH] freeipa.spec: depend on bind-pkcs11-utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils.

Currently, bind-pkcs11-utils is only installed for RHEL<9.
With this change, FreeIPA depends on bind-pkcs11-utils on all
Fedora and RHEL versions.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami
--- freeipa.spec.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 952c1ad1894..d4d94a4c273 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in
@@ -124,13 +124,14 @@ # Fedora %endif +# Needed for OpenDNSSec integration +%global with_bind_pkcs11 1 + # BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 # Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) %if 0%{?fedora} || 0%{?rhel} >= 9 %global openssl_pkcs11_version 0.4.10-6 %global softhsm_version 2.5.0-4 -%else -%global with_bind_pkcs11 1 %endif %if 0%{?rhel} == 8
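Review bot: moving "%global with_bind_pkcs11 1" out of the %else branch makes it true on Fedora and RHEL >= 9 as well, but the comment directly below still says those platforms use the 'pkcs11' OpenSSL engine instead of native PKCS11, and openssl_pkcs11_version and softhsm_version are still defined only for them. Every %if %{with bind_pkcs11} conditional in the spec will now take the native-PKCS11 side on all platforms, which is a much wider change than adding one dependency. Consider leaving the macro as it was and adding the needed Requires explicitly, and have the new comment say which binary the OpenDNSSec integration needs.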
[Freeipa-devel] [freeipa PR#6001][opened] subid: update subid-match
URL: https://github.com/freeipa/freeipa/pull/6001
Author: fcami
Title: #6001: subid: update subid-match
Action: opened

PR body:
"""
Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes:
Signed-off-by: François Cami
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6001/head:pr6001
git checkout pr6001

From 7244bed1a1cee161b6dca7501af2b0cfb4ff478d Mon Sep 17 00:00:00 2001
From: François Cami
Date: Thu, 2 Sep 2021 16:17:01 +0200
Subject: [PATCH] subid: update subid-match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes:
Signed-off-by: François Cami
--- ipaserver/plugins/subid.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py index 440f24ee627..132c85c7f19 100644 --- a/ipaserver/plugins/subid.py +++ b/ipaserver/plugins/subid.py
@@ -524,6 +524,7 @@ def post_callback(self, ldap, entries, truncated, *args, **options): osubuid = options["ipasubuidnumber"] new_entries = [] for entry in entries: +self.obj.convert_owner(entry, options) esubuid = int(entry.single_value["ipasubuidnumber"]) esubcount = int(entry.single_value["ipasubuidcount"]) minsubuid = esubuid
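Review bot: the diffstat is a single inserted line with no test change, and the Fixes: trailer is empty, so nothing pins the new subid-match output format. Please add a test asserting that the owner is shown as a UID rather than a DN, and link the ticket. Also, convert_owner() is called at the top of the loop, before the range comparison that follows; if the loop keeps only some entries in new_entries, calling it at the point where an entry is kept avoids converting entries that are then discarded.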
[Freeipa-devel] [freeipa PR#5992][opened] [Backport][ipa-4-9] Specify PKI installation log paths
URL: https://github.com/freeipa/freeipa/pull/5992
Author: fcami
Title: #5992: [Backport][ipa-4-9] Specify PKI installation log paths
Action: opened

PR body:
"""
This PR was opened automatically because PR #5973 was pushed to master and backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5992/head:pr5992
git checkout pr5992

From 4a3bb18c76b752b9442cae99887e630818a74d1a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 12 Aug 2021 13:26:42 -0500
Subject: [PATCH] Specify PKI installation log paths

The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.

This allows IPA to have a full control over the log files
instead of relying on PKI's default log files.

Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata
--- ipaserver/install/dogtaginstance.py | 35 ++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 644acd4eace..0d9aebb542f 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -36,8 +36,10 @@ import six +import pki from pki.client import PKIConnection import pki.system +import pki.util from ipalib import api, errors, x509 from ipalib.install import certmonger
@@ -202,6 +204,18 @@ def spawn_instance(self, cfg_file, nolog_list=()): "-f", cfg_file, "--debug"] +# specify --log-file on PKI 11.0.0 or later + +pki_version = pki.util.Version(pki.specification_version()) +if pki_version >= pki.util.Version("11.0.0"): +timestamp = time.strftime( +"%Y%m%d%H%M%S", +time.localtime(time.time())) +log_file = os.path.join( +paths.VAR_LOG_PKI_DIR, +"pki-%s-spawn.%s.log" % (self.subsystem.lower(), timestamp)) +args.extend(["--log-file", log_file]) + with open(cfg_file) as f: logger.debug( 'Contents of pkispawn configuration file (%s):\n%s', @@ -290,10 +304,25 @@ def uninstall(self): if self.is_installed(): self.print_msg("Unconfiguring %s" % self.subsystem) +args = [paths.PKIDESTROY, +"-i", "pki-tomcat", +"-s", self.subsystem] + +# specify --log-file on PKI 11.0.0 or later + +pki_version = pki.util.Version(pki.specification_version()) +if pki_version >= pki.util.Version("11.0.0"): +timestamp = time.strftime( +"%Y%m%d%H%M%S", +time.localtime(time.time())) +log_file = os.path.join( +paths.VAR_LOG_PKI_DIR, +"pki-%s-destroy.%s.log" % (self.subsystem.lower(), timestamp)) +args.extend(["--log-file", log_file]) + try: -ipautil.run([paths.PKIDESTROY, - "-i", 'pki-tomcat', - "-s", self.subsystem]) +ipautil.run(args) + except ipautil.CalledProcessError as e: logger.critical("failed to uninstall %s instance %s", self.subsystem, e)
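Review bot: the block that compares pki.util.Version(pki.specification_version()) with "11.0.0", builds the timestamp and appends --log-file is duplicated between spawn_instance() and uninstall(), differing only in "spawn" versus "destroy" in the file name. Factor it into one helper that takes the operation name, so the version threshold and the naming scheme live in one place. time.strftime("%Y%m%d%H%M%S") already formats the current local time, so the time.localtime(time.time()) argument can go. The import hunk adds pki and pki.util, but the new code also uses time and os; it is worth confirming both are already imported in dogtaginstance.py, since that is not visible in this diff.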
[Freeipa-devel] [freeipa PR#5973][closed] Specify PKI installation log paths
URL: https://github.com/freeipa/freeipa/pull/5973
Author: edewata
Title: #5973: Specify PKI installation log paths
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5973/head:pr5973
git checkout pr5973
[Freeipa-devel] [freeipa PR#5989][opened] [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
URL: https://github.com/freeipa/freeipa/pull/5989
Author: fcami
Title: #5989: [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
Action: opened

PR body:
"""
This PR was opened automatically because PR #5984 was pushed to master and backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5989/head:pr5989
git checkout pr5989

From eb1ff887e3a55c008a94d92d89dce84b2a4581e3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Thu, 19 Aug 2021 10:51:01 +0200
Subject: [PATCH] ipatests: use whole date for journalctl --since

When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify
the whole date (with day and time) to avoid missing entries.
If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
--- ipatests/test_integration/test_cert.py | 2 +- ipatests/test_integration/test_commands.py | 3 ++- ipatests/test_integration/test_nfs.py | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 9a90db5e2a2..7d51b76ee34 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py @@ -69,7 +69,7 @@ def install(cls, mh): # time to look into journal logs in # test_certmonger_ipa_responder_jsonrpc -cls.since = time.strftime('%H:%M:%S') +cls.since = time.strftime('%Y-%m-%d %H:%M:%S') def test_cacert_file_appear_with_option_F(self): """Test if getcert creates cacert file with -F option diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index 4d9a8165248..fd5d1b47264 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py
@@ -1208,7 +1208,8 @@ def test_login_wrong_password(self, user_creation_deletion): # start to look at logs a bit before "now" # https://pagure.io/freeipa/issue/8432 since = time.strftime( -'%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple() +'%Y-%m-%d %H:%M:%S', +(datetime.now() - timedelta(seconds=10)).timetuple() ) password = 'WrongPassword' diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py index 9a6153409d4..dc53a6da9ee 100644 --- a/ipatests/test_integration/test_nfs.py +++ b/ipatests/test_integration/test_nfs.py @@ -130,7 +130,7 @@ def test_krb5_nfs_manual_configuration(self): nfsclt = self.clients[1] # for journalctl --since -since = time.strftime('%H:%M:%S') +since = time.strftime('%Y-%m-%d %H:%M:%S') nfsclt.run_command(["systemctl", "restart", "rpc-gssd"]) time.sleep(WAIT_AFTER_INSTALL) mountpoints = ("/mnt/krb", "/mnt/std", "/home")
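Review bot: the format string '%Y-%m-%d %H:%M:%S' is now repeated in test_cert.py, test_commands.py and test_nfs.py; a shared constant or a small helper in the test utilities would keep the next fix of this kind from touching three files again. In the test_commands.py hunk, (datetime.now() - timedelta(seconds=10)).strftime('%Y-%m-%d %H:%M:%S') gives the same string without the timetuple() round trip through time.strftime().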
[Freeipa-devel] [freeipa PR#5984][closed] ipatests: use whole date for journalctl --since
URL: https://github.com/freeipa/freeipa/pull/5984
Author: flo-renaud
Title: #5984: ipatests: use whole date for journalctl --since
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5984/head:pr5984
git checkout pr5984
[Freeipa-devel] [freeipa PR#5988][closed] [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
URL: https://github.com/freeipa/freeipa/pull/5988
Author: fcami
Title: #5988: [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5988/head:pr5988
git checkout pr5988
[Freeipa-devel] [freeipa PR#5988][opened] [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
URL: https://github.com/freeipa/freeipa/pull/5988
Author: fcami
Title: #5988: [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
Action: opened

PR body:
"""
This PR was opened automatically because PR #5983 was pushed to master and backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5988/head:pr5988
git checkout pr5988

From d0a652f638aad8bcce6ae0742225341ef8c22637 Mon Sep 17 00:00:00 2001
From: Stanislav Levin
Date: Mon, 19 Apr 2021 17:20:47 +0300
Subject: [PATCH 1/2] Azure: Run pycodestyle check in Lint job

- previously, fastlint make's target includes both the Pylint task
  and pycodestyle one. The purpose of this target is a fast checking
  only for changed Python files. This makes sense for pycodestyle, but
  limits Pylint due to a context(file) checking. The clients which call
  the code being linted are not checked at all. In Azure Pylint (for the
  whole codebase) is run in the Lint task, this makes fastlint extra
  for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
  task PyPI's one. This may cause different results and confuse a user.

- `Build` task takes time longer than `Lint` one, so this change
  doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
  to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin
--- Makefile.am| 35 +- ipatests/azure/azure-pipelines.yml | 20 ++--- 2 files changed, 41 insertions(+), 14 deletions(-) diff --git a/Makefile.am b/Makefile.am index 321df05a7c4..abeaca7edbe 100644 --- a/Makefile.am +++ b/Makefile.am
@@ -216,7 +216,7 @@ endif $(MAKE) $(AM_MAKEFLAGS) acilint apilint polint pylint jslint $(RPMLINT_TARGET) yamllint check @echo "All tests passed." -.PHONY: fastcheck fasttest fastlint +.PHONY: fastcheck fasttest fastlint fastcodestyle fastcheck: @$(MAKE) -j1 $(AM_MAKEFLAGS) fastlint $(RPMLINT_TARGET) yamllint fasttest apilint acilint @@ -229,7 +229,34 @@ fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py --ignore $(abspath $(top_srcdir))/ipatests/test_integration \ --ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc -fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py acilint apilint +fastcodestyle: $(GENERATED_PYTHON_FILES) ipasetup.py + @echo "Fast code style checking with $(PYTHON) from branch '$(GIT_BRANCH)'" + + @MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)); \ + PYFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \ + | grep -E '\.py$$' ); \ + INFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \ + | grep -E '\.in$$' \ + | xargs -n1 file 2>/dev/null | grep Python \ + | cut -d':' -f1; ); \ + if [ -n "$${PYFILES}" ] && [ -n "$${INFILES}" ]; then \ + FILES="$$( printf $${PYFILES}\\n$${INFILES} )" ; \ + elif [ -n "$${PYFILES}" ]; then \ + FILES="$${PYFILES}" ; \ + else \ + FILES="$${INFILES}" ; \ + fi ; \ + if [ -n "$${FILES}" ]; then \ + echo -e "Fast code style checking for files:\n$${FILES}\n"; \ + echo "pycodestyle"; \ + echo "---"; \ + git diff -U0 $${MERGEBASE} | \ + $(PYTHON) -m pycodestyle --diff || exit $$?; \ + else \ + echo "No modified Python files found"; \ + fi + +fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py fastcodestyle acilint apilint if ! WITH_PYLINT @echo "ERROR: pylint not available"; exit 1 endif @@ -251,10 +278,6 @@ endif fi ; \ if [ -n "$${FILES}" ]; then \ echo -e "Fast linting files:\n$${FILES}\n"; \ - echo "pycodestyle"; \ - echo "---"; \ - git diff -U0 $${MERGEBASE} | \ - $(PYTHON) -m pycodestyle --diff || exit $$?; \ echo -e "\npylint"; \ echo "--"; \ $(PYTHON) -m pylint --version; \ 
diff --git a/ipatests/azure/azure-pipelines.yml b/ipatests/azure/azure-pipelines.yml index edf26ad77f8..a920f2852c5 100644 --- a/ipatests/azure/azure-pipelines.yml +++ b/ipatests/azure/azure-pipelines.yml @@ -20,12 +20,6 @@ jobs: steps: - template: templates/${{ variables.PREPARE_BUILD_TEMPLATE }} - template: templates/${{ variables.AUTOCONF_TEMPLATE }} -- script: | -set -e -git update-ref refs/heads/$(System.PullRequest.TargetBranch) origin/$(System.PullRequest.TargetBranch) -make V=0 "GIT_BRANCH=$(System.PullRequest.TargetBranch)" fastlint - displayName: Quick code style check - condition: eq(variables['Build.Reason'], 'PullRequest') - template: templates/${{ variables.BUILD_TEMPLATE }} - template: templates/publish-build.yml parameters: @@ -75,6 +69,12 @@ jobs: echo "Running make target 'lint'" make V=0 lint displayName: Lint sources +- script: | +set -e +git update-ref refs/heads/$(System.PullRequest.TargetBranch)
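Review bot: the new fastcodestyle recipe in Makefile.am never checks that MERGEBASE is non-empty. `git merge-base --fork-point $(GIT_BRANCH)` prints nothing when it finds no fork point, and because the assignment is followed by `;` the recipe carries on: both `git diff --name-only --diff-filter=d $${MERGEBASE}` calls then compare the working tree with the index, normally list no files on a clean checkout, and the target prints "No modified Python files found" and succeeds. For a target that gates CI this should fail closed, for example `[ -n "$${MERGEBASE}" ] || { echo "no merge base for $(GIT_BRANCH)"; exit 1; }` right after the assignment. In the same recipe, `printf $${PYFILES}\\n$${INFILES}` passes the file names unquoted as the format string, so word splitting and any `%` in a name garble the printed list; `printf '%s\n%s' "$${PYFILES}" "$${INFILES}"` avoids that.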
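Review bot: in azure-pipelines.yml the step removed from the Build job carried `condition: eq(variables['Build.Reason'], 'PullRequest')`, and the step added after "Lint sources" uses `$(System.PullRequest.TargetBranch)`, which Azure only sets for pull-request builds. Make sure the moved step keeps that condition, otherwise the `git update-ref` line runs with an empty branch name on non-PR builds. Since the commit message calls fastlint redundant on Azure, the moved step should also invoke the new fastcodestyle target rather than fastlint.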
[Freeipa-devel] [freeipa PR#5983][closed] Azure: Run pycodestyle check in Lint job
URL: https://github.com/freeipa/freeipa/pull/5983 Author: stanislavlevin Title: #5983: Azure: Run pycodestyle check in Lint job Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5983/head:pr5983 git checkout pr5983 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-devel] [freeipa PR#5987][opened] [Backport][ipa-4-9] freeipa.spec.in: update 389-DS version
URL: https://github.com/freeipa/freeipa/pull/5987 Author: fcami Title: #5987: [Backport][ipa-4-9] freeipa.spec.in: update 389-DS version Action: opened PR body: """ This PR was opened automatically because PR #5986 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5987/head:pr5987 git checkout pr5987 From 0aea11b410b01d5c6e4b9548d5b1f5ffeab10059 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 20 Aug 2021 13:07:59 +0200 Subject: [PATCH] freeipa.spec.in: update 389-DS version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 9440f3602c2..07ce6b29299 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -110,7 +110,7 @@ %if 0%{?fedora} < 34 %global ds_version 1.4.4.16-1 %else -%global ds_version 2.0.5-1 +%global ds_version 2.0.7-1 %endif # Fix for TLS 1.3 PHA, RHBZ#1775146
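Review bot: at `%if 0%{?fedora} < 34`, the bump only lands in the `%else` branch, and `0%{?fedora}` expands to `0` wherever %fedora is undefined, so any non-Fedora build that reaches this block keeps `ds_version 1.4.4.16-1`. For a backport to ipa-4-9, confirm that this is intended, or that the block already sits inside a Fedora-only conditional outside the visible context, and say so in the commit message.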
[Freeipa-devel] [freeipa PR#5986][closed] freeipa.spec.in: update 389-DS version
URL: https://github.com/freeipa/freeipa/pull/5986 Author: fcami Title: #5986: freeipa.spec.in: update 389-DS version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5986/head:pr5986 git checkout pr5986
[Freeipa-devel] [freeipa PR#5986][opened] freeipa.spec.in: update 389-DS version
URL: https://github.com/freeipa/freeipa/pull/5986 Author: fcami Title: #5986: freeipa.spec.in: update 389-DS version Action: opened PR body: """ Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5986/head:pr5986 git checkout pr5986 From fa93c1f0dec8ae41a15d0856acbf5b579c12363e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 20 Aug 2021 13:07:59 +0200 Subject: [PATCH] freeipa.spec.in: update 389-DS version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 9440f3602c2..07ce6b29299 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -110,7 +110,7 @@ %if 0%{?fedora} < 34 %global ds_version 1.4.4.16-1 %else -%global ds_version 2.0.5-1 +%global ds_version 2.0.7-1 %endif # Fix for TLS 1.3 PHA, RHBZ#1775146
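Review bot: the commit message for the `-%global ds_version 2.0.5-1` / `+%global ds_version 2.0.7-1` change carries only a Signed-off-by, with no issue link or 389-DS bug that makes 2.0.7-1 the minimum. The context line that follows (`# Fix for TLS 1.3 PHA, RHBZ#1775146`) suggests other pins in this file are annotated with their reason; add the same kind of comment above this pin, or a Fixes: line, so a later reader can tell which fix the floor protects.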
[Freeipa-devel] [freeipa PR#5959][opened] Fix string check in uninstall helper
URL: https://github.com/freeipa/freeipa/pull/5959 Author: fcami Title: #5959: Fix string check in uninstall helper Action: opened PR body: """ The install helpers used an invalid string check. ``('ubuntu')`` is not a tuple. It's a string with superfluous parenthesis. A single-item tuple would be ``('ubuntu',)``. It's recommended to use set literals to avoid such mistakes. Also check for 'debian' platform. Fixes: https://pagure.io/freeipa/issue/8937 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5959/head:pr5959 git checkout pr5959 From 85a2adb8077ecf59dbd46cf589b0e356747bbb1e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 27 Jul 2021 21:14:30 +0200 Subject: [PATCH] Fix string check in uninstall helper The install helpers used an invalid string check. ``('ubuntu')`` is not a tuple. It's a string with superfluous parenthesis. A single-item tuple would be ``('ubuntu',)``. It's recommended to use set literals to avoid such mistakes. Also check for 'debian' platform. Fixes: https://pagure.io/freeipa/issue/8937 Signed-off-by: Christian Heimes --- ipatests/pytest_ipa/integration/tasks.py | 37 ++-- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 075c05cdeff..b01b52f5a0e 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -29,7 +29,6 @@ import collections import itertools import shutil -import shlex import copy import subprocess import tempfile 
@@ -2441,9 +2440,9 @@ def install_packages(host, pkgs): :param pkgs: packages to install, provided as a list of strings """ platform = get_platform(host) -if platform in ('rhel', 'fedora'): +if platform in {'rhel', 'fedora'}: install_cmd = ['/usr/bin/dnf', 'install', '-y'] -elif platform in ('ubuntu'): +elif platform in {'debian', 'ubuntu'}: install_cmd = ['apt-get', 'install', '-y'] else: raise ValueError('install_packages: unknown platform %s' % platform) @@ -2482,26 +2481,22 @@ def uninstall_packages(host, pkgs, nodeps=False): :param nodeps: ignore dependencies (dangerous!). """ platform = get_platform(host) -if platform not in ('rhel', 'fedora', 'ubuntu'): -raise ValueError('uninstall_packages: unknown platform %s' % platform) +if platform not in {"rhel", "fedora", "debian", "ubuntu"}: +raise ValueError(f"uninstall_packages: unknown platform {platform}") if nodeps: -if platform in ('rhel', 'fedora'): -cmd = "rpm -e --nodeps" -elif platform in ('ubuntu'): -cmd = "dpkg -P --force-depends" +if platform in {"rhel", "fedora"}: +cmd = ["rpm", "-e", "--nodeps"] +elif platform in {"debian", "ubuntu"}: +cmd = ["dpkg", "-P", "--force-depends"] for package in pkgs: -uninstall_cmd = shlex.split(cmd) -uninstall_cmd.append(package) # keep raiseonerr=True here. --fcami -host.run_command(uninstall_cmd) +host.run_command(cmd + [package]) else: -if platform in ('rhel', 'fedora'): -cmd = "/usr/bin/dnf remove -y" -elif platform in ('ubuntu'): -cmd = "apt-get remove -y" -uninstall_cmd = shlex.split(cmd) -uninstall_cmd.extend(pkgs) -host.run_command(uninstall_cmd, raiseonerr=False) +if platform in {"rhel", "fedora"}: +cmd = ["/usr/bin/dnf", "remove", "-y"] +elif platform in {"debian", "ubuntu"}: +cmd = ["apt-get", "remove", "-y"] +host.run_command(cmd + pkgs, raiseonerr=False) def wait_for_request(host, request_id, timeout=120): 
@@ -2789,11 +2784,11 @@ def run_ssh_cmd( def is_package_installed(host, pkg): platform = get_platform(host) -if platform in ('rhel', 'fedora'): +if platform in {'rhel', 'fedora'}: result = host.run_command( ['rpm', '-q', pkg], raiseonerr=False ) -elif platform in ['ubuntu']: +elif platform in {'debian', 'ubuntu'}: result = host.run_command( ['dpkg', '-s', pkg], raiseonerr=False ) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
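Review bot: in uninstall_packages, `host.run_command(cmd + pkgs, raiseonerr=False)` now needs pkgs to be a list, where the removed `uninstall_cmd.extend(pkgs)` accepted any iterable; a caller passing a tuple gets a TypeError instead of an uninstall. `cmd + list(pkgs)` keeps the old contract. Building argv lists directly instead of running shlex.split over command strings is the right direction. Two smaller points: the subject says "uninstall helper" but the same `('ubuntu')` substring test is also fixed in install_packages, and the patch mixes quote styles and %-formatting with f-strings between its hunks.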
[Freeipa-devel] [freeipa PR#5955][opened] Add index for dnahostname
URL: https://github.com/freeipa/freeipa/pull/5955 Author: fcami Title: #5955: Add index for dnahostname Action: opened PR body: """ There are 60+ searches for: Filter: (dnahostname=FQDN) at startup. Fixes: https://pagure.io/freeipa/issue/8945 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5955/head:pr5955 git checkout pr5955 From 0de8f05d3c395b0afff1084b3506f7d9806ef08f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 5 Aug 2021 15:46:53 +0200 Subject: [PATCH] Add index for dnahostname MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are 60+ searches for: Filter: (dnahostname=FQDN) at startup. Fixes: https://pagure.io/freeipa/issue/8945 Signed-off-by: François Cami --- install/updates/20-indices.update | 7 +++ 1 file changed, 7 insertions(+) diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 42c16bc3a0d..4cd387e31f9 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update 
@@ -107,6 +107,13 @@ default:nsSystemIndex: false add:nsIndexType: eq add:nsIndexType: sub +dn: cn=dnahostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: dnahostname +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config only:cn: fqdn default:objectClass: nsIndex
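Review bot: the new cn=dnahostname entry only defines the index; entries that already exist in userRoot are not in an equality index until an index task has run for that attribute, and nothing in this hunk triggers one. Confirm that the upgrade path reindexes dnahostname on existing servers, otherwise the 60+ `(dnahostname=FQDN)` searches from the commit message gain nothing after an upgrade. The message would also be easier to act on if it named the component that issues those searches.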
[Freeipa-devel] [freeipa PR#5954][opened] [Backport][ipa-4-9] ipatests: use krb5_trace in TestIpaAdTrustInstall
URL: https://github.com/freeipa/freeipa/pull/5954 Author: fcami Title: #5954: [Backport][ipa-4-9] ipatests: use krb5_trace in TestIpaAdTrustInstall Action: opened PR body: """ This PR was opened automatically because PR #5953 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5954/head:pr5954 git checkout pr5954 From a7cd2992c67eb5c40392beffcec9fcfdadb7e263 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 5 Aug 2021 11:37:35 +0200 Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit tasks.create_active_user can fail in a subtle way when there are two IPA servers due to replication delays. Using the debug-enabled version of create_active_user helps determine whether there is another underlying issue and, in general, prevents the above problem. Fixes: https://pagure.io/freeipa/issue/8944 Signed-off-by: François Cami --- ipatests/test_integration/test_adtrust_install.py | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py index 385a58e..f2322118640 100644 --- a/ipatests/test_integration/test_adtrust_install.py +++ b/ipatests/test_integration/test_adtrust_install.py @@ -257,8 +257,11 @@ def test_ipa_user_pac(self): user_princ = '@'.join([user, self.master.domain.realm]) passwd = 'Secret123' # Create a user with a password -tasks.create_active_user(self.master, user, passwd, extra_args=[ -'--homedir', '/home/{}'.format(user)]) +tasks.create_active_user( +self.master, user, passwd, +extra_args=["--homedir", "/home/{}".format(user)], +krb5_trace=True +) try: # Defaults: host/... principal for service # keytab in /etc/krb5.keytab 
@@ -282,8 +285,11 @@ def test_ipa_user_s4u2self_pac(self): user_princ = '@'.join([user, self.master.domain.realm]) passwd = 'Secret123' # Create a user with a password -tasks.create_active_user(self.master, user, passwd, extra_args=[ -'--homedir', '/home/{}'.format(user)]) +tasks.create_active_user( +self.master, user, passwd, +extra_args=["--homedir", "/home/{}".format(user)], +krb5_trace=True +) try: # Defaults: host/... principal for service # keytab in /etc/krb5.keytab ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
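Review bot: both hunks add only `krb5_trace=True`, yet the commit message says this "in general, prevents the above problem" caused by replication delays. Turning on tracing should not change behaviour, so if the call with `krb5_trace=True` passes where the plain call fails, the tests are relying on a side effect inside create_active_user. Name that mechanism in the message, or wait for replication explicitly before authenticating, so the fix does not disappear if the helper's trace path changes.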
[Freeipa-devel] [freeipa PR#5953][closed] ipatests: use krb5_trace in TestIpaAdTrustInstall
URL: https://github.com/freeipa/freeipa/pull/5953 Author: fcami Title: #5953: ipatests: use krb5_trace in TestIpaAdTrustInstall Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5953/head:pr5953 git checkout pr5953
[Freeipa-devel] [freeipa PR#5953][opened] ipatests: use krb5_trace in TestIpaAdTrustInstall
URL: https://github.com/freeipa/freeipa/pull/5953 Author: fcami Title: #5953: ipatests: use krb5_trace in TestIpaAdTrustInstall Action: opened PR body: """ tasks.create_active_user can fail in a subtle way when there are two IPA servers due to replication delays. Using the debug-enabled version of create_active_user helps determine whether there is another underlying issue and, in general, prevents the above problem. Fixes: https://pagure.io/freeipa/issue/8944 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5953/head:pr5953 git checkout pr5953 From 03350a11eb524269175ae4ff0b64a9e10be5558a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 5 Aug 2021 11:37:35 +0200 Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit tasks.create_active_user can fail in a subtle way when there are two IPA servers due to replication delays. Using the debug-enabled version of create_active_user helps determine whether there is another underlying issue and, in general, prevents the above problem. Fixes: https://pagure.io/freeipa/issue/8944 Signed-off-by: François Cami --- ipatests/test_integration/test_adtrust_install.py | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py index 385a58e..f2322118640 100644 --- a/ipatests/test_integration/test_adtrust_install.py +++ b/ipatests/test_integration/test_adtrust_install.py 
@@ -257,8 +257,11 @@ def test_ipa_user_pac(self): user_princ = '@'.join([user, self.master.domain.realm]) passwd = 'Secret123' # Create a user with a password -tasks.create_active_user(self.master, user, passwd, extra_args=[ -'--homedir', '/home/{}'.format(user)]) +tasks.create_active_user( +self.master, user, passwd, +extra_args=["--homedir", "/home/{}".format(user)], +krb5_trace=True +) try: # Defaults: host/... principal for service # keytab in /etc/krb5.keytab @@ -282,8 +285,11 @@ def test_ipa_user_s4u2self_pac(self): user_princ = '@'.join([user, self.master.domain.realm]) passwd = 'Secret123' # Create a user with a password -tasks.create_active_user(self.master, user, passwd, extra_args=[ -'--homedir', '/home/{}'.format(user)]) +tasks.create_active_user( +self.master, user, passwd, +extra_args=["--homedir", "/home/{}".format(user)], +krb5_trace=True +) try: # Defaults: host/... principal for service # keytab in /etc/krb5.keytab ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
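Review bot: test_ipa_user_pac and test_ipa_user_s4u2self_pac now carry the same five-line `tasks.create_active_user(...)` call, down to the `--homedir` argument. A small helper or fixture on the test class would keep the two in step. The rewritten lines also switch to double quotes while the surrounding context (`passwd = 'Secret123'`) keeps single quotes; staying with one style keeps the diff to the functional change.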
[Freeipa-devel] [freeipa PR#5941][opened] [Backport][ipa-4-9] freeipa.spec.in: remove python3-pexpect from Requires
URL: https://github.com/freeipa/freeipa/pull/5941 Author: fcami Title: #5941: [Backport][ipa-4-9] freeipa.spec.in: remove python3-pexpect from Requires Action: opened PR body: """ This PR was opened automatically because PR #5931 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5941/head:pr5941 git checkout pr5941 From 28d71c642e7e2f7ebdbc4fffc2890354598554c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 28 Jul 2021 18:47:02 +0200 Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit python3-pexpect will be removed in RHEL9. Update BuildRequires/Requires accordingly. Fixes: https://pagure.io/freeipa/issue/8938 Signed-off-by: François Cami --- freeipa.spec.in | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index c33d2e216e5..9440f3602c2 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -328,11 +328,18 @@ BuildRequires: python3-m2r # Build dependencies for lint and fastcheck # %if %{with lint} -BuildRequires: git -%if 0%{?fedora} < 34 + +# python3-pexpect might not be available in RHEL9 +%if 0%{?fedora} || 0%{?rhel} < 9 +BuildRequires: python3-pexpect +%endif + # jsl is orphaned in Fedora 34+ +%if 0%{?fedora} < 34 BuildRequires: jsl %endif + +BuildRequires: git BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm @@ -357,7 +364,6 @@ BuildRequires: python3-lxml BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-netifaces BuildRequires: python3-paste -BuildRequires: python3-pexpect BuildRequires: python3-pki >= %{pki_version} BuildRequires: python3-polib BuildRequires: python3-pyasn1 
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: iptables Requires: python3-cryptography >= 1.6 -Requires: python3-pexpect %if 0%{?fedora} # These packages do not exist on RHEL and for ipatests use # they are installed on the controller through other means Requires: ldns-utils +Requires: python3-pexpect # update-crypto-policies Requires: crypto-policies-scripts Requires: python3-polib ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
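Review bot: the last hunk moves `Requires: python3-pexpect` under `%if 0%{?fedora}`, while the first hunk keeps the build dependency for `0%{?fedora} || 0%{?rhel} < 9`. RHEL 8 therefore still builds against pexpect but this subpackage no longer requires it at run time, and the existing comment above it ("These packages do not exist on RHEL") now covers a package the first hunk treats as present on RHEL < 9. Use the same condition in both places, or extend the comment to say that pexpect is also installed on the controller by other means on RHEL 8.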
[Freeipa-devel] [freeipa PR#5931][closed] freeipa.spec.in: remove python3-pexpect from Requires
URL: https://github.com/freeipa/freeipa/pull/5931 Author: fcami Title: #5931: freeipa.spec.in: remove python3-pexpect from Requires Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5931/head:pr5931 git checkout pr5931
[Freeipa-devel] [freeipa PR#5939][opened] ipaserver: disable resolved' stub resolver
URL: https://github.com/freeipa/freeipa/pull/5939 Author: fcami Title: #5939: ipaserver: disable resolved' stub resolver Action: opened PR body: """ Disable systemd-resolved stub resolver at install time. Use systemd-resolved' maintained list of upstream DNS servers instead. Rationale: systemd-resolved always resolves the FQDN to the local IP and vice-versa. This breaks DNS zone detection and especially reverse zone detection. This results in --auto-reverse being broken. On systemd-resolved enabled systems, there are four ways to configure resolv.conf: * a symlink to /run/systemd/resolve/stub-resolv.conf This is the default and uses both the 127.0.0.53 DNS stub plus the search domains. * a symlink to /usr/lib/systemd/resolv.conf This only contains the 127.0.0.53 DNS stub. * a symlink to /run/systemd/resolve/resolv.conf This contains the upstream DNS IPs and bypasses systemd-resolved. * Create and maintain /etc/resolv.conf directly. Solutions #1 and #2 break DNS zone detection. Solution #4 is not straightforward. Combine Solution3 and 4: copy the file containing the upstream DNS IPs so that it is properly maintained by NetworkManager after installation. Fixes: https://pagure.io/freeipa/issue/8700 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5939/head:pr5939 git checkout pr5939 From 2a6e13d81c4879098691fea237f79671c6c3174d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Mon, 2 Aug 2021 11:59:02 +0200 Subject: [PATCH] ipaserver: disable resolved' stub resolver MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Disable systemd-resolved stub resolver at install time. Use systemd-resolved' maintained list of upstream DNS servers instead. Rationale: systemd-resolved always resolves the FQDN to the local IP and vice-versa. This breaks DNS zone detection and especially reverse zone detection. This results in --auto-reverse being broken. On systemd-resolved enabled systems, there are four ways to configure resolv.conf: * a symlink to /run/systemd/resolve/stub-resolv.conf This is the default and uses both the 127.0.0.53 DNS stub plus the search domains. * a symlink to /usr/lib/systemd/resolv.conf This only contains the 127.0.0.53 DNS stub. * a symlink to /run/systemd/resolve/resolv.conf This contains the upstream DNS IPs and bypasses systemd-resolved. * Create and maintain /etc/resolv.conf directly. Solutions #1 and #2 break DNS zone detection. Solution #4 is not straightforward. Combine Solution3 and 4: copy the file containing the upstream DNS IPs so that it is properly maintained by NetworkManager after installation. Fixes: https://pagure.io/freeipa/issue/8700 Signed-off-by: François Cami --- ipaplatform/base/paths.py | 2 ++ ipaserver/install/dns.py | 12 2 files changed, 14 insertions(+) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index de217d9efdb..bb239f7822f 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -136,6 +136,8 @@ class BasePathNamespace: PKI_ACME_REALM_CONF = "/etc/pki/pki-tomcat/acme/realm.conf" ETC_REDHAT_RELEASE = "/etc/redhat-release" RESOLV_CONF = "/etc/resolv.conf" +RESOLV_CONF_STUB_RESOLVED = "/run/systemd/resolve/stub-resolv.conf" +RESOLV_CONF_RESOLVED = "/run/systemd/resolve/resolv.conf" SAMBA_KEYTAB = "/etc/samba/samba.keytab" SMB_CONF = "/etc/samba/smb.conf" LIMITS_CONF = "/etc/security/limits.conf" diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py index b51b92bfd4f..67e84706319 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py @@ -12,6 +12,8 @@ import enum import logging import os +import os.path +import shutil import sys import six @@ -143,6 +145,16 @@ def install_check(standalone, api, replica, options, hostname): if hst not in e.kwargs['ns']: raise ValueError(str(e)) +# https://pagure.io/freeipa/issue/8700 +# https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html +# Temporary copy the resolv.conf file containing the upstream DNS servers +# into /etc/resolv.conf so that systemd-resolved does not interfere with +# reverse zone detection. +if os.path.islink(paths.RESOLV_CONF): +if os.readlink(paths.RESOLV_CONF) == paths.RESOLV_CONF_STUB_RESOLVED: +os.unlink(paths.RESOLV_CONF) +shutil.copyfile(paths.RESOLV_CONF_RESOLVED, paths.RESOLV_CONF) + for reverse_zone in options.reverse_zones: try: dnsutil.check_zone_overlap(reverse_zone) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct:
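Review bot: the paths.py hunk adds constants for /run/systemd/resolve/stub-resolv.conf and /run/systemd/resolve/resolv.conf only, but the commit message lists a symlink to /usr/lib/systemd/resolv.conf as a second configuration that breaks DNS zone detection. Add a constant for it and handle it in install_check, or state in the message why that mode is left alone.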
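Review bot: in the dns.py hunk, `os.readlink(paths.RESOLV_CONF) == paths.RESOLV_CONF_STUB_RESOLVED` compares the raw link text with an absolute path, so a relative link such as ../run/systemd/resolve/stub-resolv.conf is not recognised and the block is skipped; compare `os.path.realpath(paths.RESOLV_CONF)` instead. The `os.unlink` also runs before `shutil.copyfile`, so if RESOLV_CONF_RESOLVED is missing or unreadable the host is left with no /etc/resolv.conf; copy to a temporary file next to the target and `os.replace` it over the link. Finally, the comment calls the copy temporary, but nothing here records the original symlink so that uninstall can restore it, and a function named install_check is now changing system state. The added `import os.path` is redundant next to the existing `import os`.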
[Freeipa-devel] [freeipa PR#5931][opened] freeipa.spec.in: remove python3-pexpect from Requires
URL: https://github.com/freeipa/freeipa/pull/5931 Author: fcami Title: #5931: freeipa.spec.in: remove python3-pexpect from Requires Action: opened PR body: """ python3-pexpect will be removed in RHEL9. Update BuildRequires/Requires accordingly. Fixes: https://pagure.io/freeipa/issue/8938 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5931/head:pr5931 git checkout pr5931 From 8e0fe810459f85aa0c5226e5db914e9a8b66d721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 28 Jul 2021 18:47:02 +0200 Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit python3-pexpect will be removed in RHEL9. Update BuildRequires/Requires accordingly. Fixes: https://pagure.io/freeipa/issue/8938 Signed-off-by: François Cami --- freeipa.spec.in | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index c33d2e216e5..9440f3602c2 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -328,11 +328,18 @@ BuildRequires: python3-m2r # Build dependencies for lint and fastcheck # %if %{with lint} -BuildRequires: git -%if 0%{?fedora} < 34 + +# python3-pexpect might not be available in RHEL9 +%if 0%{?fedora} || 0%{?rhel} < 9 +BuildRequires: python3-pexpect +%endif + # jsl is orphaned in Fedora 34+ +%if 0%{?fedora} < 34 BuildRequires: jsl %endif + +BuildRequires: git BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm @@ -357,7 +364,6 @@ BuildRequires: python3-lxml BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-netifaces BuildRequires: python3-paste -BuildRequires: python3-pexpect BuildRequires: python3-pki >= %{pki_version} BuildRequires: python3-polib BuildRequires: python3-pyasn1 
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: iptables Requires: python3-cryptography >= 1.6 -Requires: python3-pexpect %if 0%{?fedora} # These packages do not exist on RHEL and for ipatests use # they are installed on the controller through other means Requires: ldns-utils +Requires: python3-pexpect # update-crypto-policies Requires: crypto-policies-scripts Requires: python3-polib ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
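Review bot: in `%if 0%{?fedora} || 0%{?rhel} < 9`, the `0%{?fedora} ||` term is redundant: when %rhel is undefined the right-hand side is `0 < 9`, which is already true, so `%if 0%{?rhel} < 9` selects the same builds. The new comment ("might not be available in RHEL9") is also weaker than the commit message ("will be removed in RHEL9"); align the two so the spec records the actual status.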
[Freeipa-devel] [freeipa PR#5929][closed] ipatests: test removing BIND and the named user
URL: https://github.com/freeipa/freeipa/pull/5929 Author: fcami Title: #5929: ipatests: test removing BIND and the named user Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5929/head:pr5929 git checkout pr5929
[Freeipa-devel] [freeipa PR#5929][reopened] ipatests: test removing BIND and the named user
URL: https://github.com/freeipa/freeipa/pull/5929 Author: fcami Title: #5929: ipatests: test removing BIND and the named user Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5929/head:pr5929 git checkout pr5929
[Freeipa-devel] [freeipa PR#5930][opened] Azure: re-enable tests using forwarders
URL: https://github.com/freeipa/freeipa/pull/5930 Author: fcami Title: #5930: Azure: re-enable tests using forwarders Action: opened PR body: """ Since BIND was updated in Fedora, revert: b71009b31a1d4dc76af3052a1e826e0306525410 Related: https://pagure.io/freeipa/issue/8864 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5930/head:pr5930 git checkout pr5930 From 3d86d12db9a2f0915c8b1a85d1230a500b7839ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 28 Jul 2021 11:35:28 +0200 Subject: [PATCH] Azure: re-enable tests using forwarders MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since BIND was updated in Fedora, revert: b71009b31a1d4dc76af3052a1e826e0306525410 Related: https://pagure.io/freeipa/issue/8864 Signed-off-by: François Cami --- .../azure/azure_definitions/gating-fedora.yml | 71 ++- 1 file changed, 36 insertions(+), 35 deletions(-) diff --git a/ipatests/azure/azure_definitions/gating-fedora.yml b/ipatests/azure/azure_definitions/gating-fedora.yml index 3c2fdc39b76..7dfce622c5d 100644 --- a/ipatests/azure/azure_definitions/gating-fedora.yml +++ b/ipatests/azure/azure_definitions/gating-fedora.yml @@ -11,14 +11,14 @@ default_resources: vms: - vm_jobs: -# - container_job: InstallMaster -#containers: -# resources: -#server: -# mem_limit: "3200m" -# memswap_limit: "4800m" -#tests: -#- test_integration/test_installation.py::TestInstallMaster + - container_job: InstallMaster +containers: + resources: +server: + mem_limit: "3200m" + memswap_limit: "4800m" +tests: +- test_integration/test_installation.py::TestInstallMaster - container_job: kerberos_flags containers: 
@@ -119,19 +119,19 @@ vms: - test_integration/test_external_ca.py::TestExternalCAConstraints - vm_jobs: -# - container_job: commands -#containers: -# replicas: 1 -# clients: 1 -# resources: -#server: -# mem_limit: "3500m" -# memswap_limit: "4000m" -#client: -# mem_limit: "768m" -# memswap_limit: "1024m" -#tests: -#- test_integration/test_commands.py + - container_job: commands +containers: + replicas: 1 + clients: 1 + resources: +server: + mem_limit: "3500m" + memswap_limit: "4000m" +client: + mem_limit: "768m" + memswap_limit: "1024m" +tests: +- test_integration/test_commands.py - container_job: membermanager tests: @@ -150,21 +150,22 @@ vms: #tests: #- test_integration/test_replica_promotion.py::TestSubCAkeyReplication -# - container_job: adtrust_install -#tests: -#- test_integration/test_adtrust_install.py -#containers: -# replicas: 1 + - container_job: adtrust_install +tests: +- test_integration/test_adtrust_install.py +containers: + replicas: 1 -# - container_job: advise -#containers: -# clients: 1 -# resources: -#client: -# mem_limit: "768m" -# memswap_limit: "1024m" -#tests: -#- test_integration/test_advise.py +- vm_jobs: + - container_job: advise +containers: + clients: 1 + resources: +client: + mem_limit: "768m" + memswap_limit: "1024m" +tests: +- test_integration/test_advise.py # - container_job: cert #tests: ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
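Review bot: the commit message justifies the revert with "Since BIND was updated in Fedora" but does not name the BIND build that carries the fix, so a reader cannot confirm that the gating image has it before InstallMaster, commands, adtrust_install and advise run again; please add the package version to the message. The context lines of the last hunk show TestSubCAkeyReplication and the cert job still commented out, and a line in the message saying these stay disabled on purpose would help.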
[Freeipa-devel] [freeipa PR#5929][closed] ipatests: test removing BIND and the named user
URL: https://github.com/freeipa/freeipa/pull/5929 Author: fcami Title: #5929: ipatests: test removing BIND and the named user Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5929/head:pr5929 git checkout pr5929
[Freeipa-devel] [freeipa PR#5929][opened] ipatests: test removing BIND and the named user
URL: https://github.com/freeipa/freeipa/pull/5929 Author: fcami Title: #5929: ipatests: test removing BIND and the named user Action: opened PR body: """ Test that FreeIPA can be installed if the named user does not exist. Related: https://github.com/freeipa/freeipa/pull/5927 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5929/head:pr5929 git checkout pr5929 From b2305a701317c2e3a0e76445fb1e72099a38dcbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 27 Jul 2021 18:25:32 +0200 Subject: [PATCH] ipatests: test removing BIND and the named user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test that FreeIPA can be installed if the named user does not exist. Related: https://github.com/freeipa/freeipa/pull/5927 Signed-off-by: François Cami --- ipatests/test_integration/test_installation.py | 15 +++ 1 file changed, 15 insertions(+) diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 27f15dbe542..b2ef9e49010 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py 
@@ -178,13 +178,28 @@ def test_replica1_all_components_adtrust(self): class TestInstallWithCA1(InstallTestBase1): master_with_dns = False +@classmethod +def remove_named(cls, host): +# remove the bind package and make sure the named user does not exist. +# https://pagure.io/freeipa/issue/8936 +result = host.run_command(['id', 'named'], raiseonerr=False) +if result.returncode == 0: +tasks.uninstall_packages(host, 'bind') +host.run_command(['userdel', 'named']) +assert host.run_command( +['id', 'named'], raiseonerr=False +).returncode == 1 + @classmethod def install(cls, mh): +for tgt in (cls.master, cls.replicas[0]): +cls.remove_named(tgt) tasks.install_master(cls.master, setup_dns=cls.master_with_dns) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica1_ipa_kra_install(self): + super(TestInstallWithCA1, self).test_replica1_ipa_kra_install() @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
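Review bot: in `remove_named`, the closing assertion requires `id named` to return exactly 1; `!= 0` expresses the intent (the user is gone) without depending on one particular exit status. The code comment cites https://pagure.io/freeipa/issue/8936 while the commit message only links PR 5927, so add the issue as a `Related:` trailer to keep the two in agreement. `install` also hard-codes `cls.replicas[0]`; a loop over `cls.replicas`, or a comment saying why only the first replica matters, would make that explicit.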
[Freeipa-devel] [freeipa PR#5924][closed] [master] ipatests: bump prci boxes + move gating to f34
URL: https://github.com/freeipa/freeipa/pull/5924 Author: netoarmando Title: #5924: [master] ipatests: bump prci boxes + move gating to f34 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5924/head:pr5924 git checkout pr5924
[Freeipa-devel] [freeipa PR#5925][closed] [ipa-4-9] ipatests: bump prci boxes + move gating to f34
URL: https://github.com/freeipa/freeipa/pull/5925 Author: netoarmando Title: #5925: [ipa-4-9] ipatests: bump prci boxes + move gating to f34 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5925/head:pr5925 git checkout pr5925
[Freeipa-devel] [freeipa PR#5914][closed] ipatests: refactor test_ipa_cert_fix with tasks
URL: https://github.com/freeipa/freeipa/pull/5914 Author: fcami Title: #5914: ipatests: refactor test_ipa_cert_fix with tasks Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5914/head:pr5914 git checkout pr5914
[Freeipa-devel] [freeipa PR#5921][opened] [Backport][ipa-4-9] Azure: temporarily disable problematic tests #5916
URL: https://github.com/freeipa/freeipa/pull/5921 Author: fcami Title: #5921: [Backport][ipa-4-9] Azure: temporarily disable problematic tests #5916 Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/5916 The PR-CI template required a cherry-pick. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5921/head:pr5921 git checkout pr5921 From 119e0fc3be848571f04282368ff297671c3b1180 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 22 Jul 2021 08:34:47 +0200 Subject: [PATCH 1/3] Azure: temporarily disable problematic tests, #1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit test_installation.TestInstallMaster, test_advise, and test_integration.test_commands.TestIPACommand rely on DNS forwarders and hit a known BIND bug: https://gitlab.isc.org/isc-projects/bind9/-/issues/2728 quite often. This is blocking gating nearly completely. Disable these tests in gating until the bug is fixed and the related build is available in Fedora. Related: https://pagure.io/freeipa/issue/8864 Signed-off-by: François Cami Reviewed-By: Michal Polovka Reviewed-By: Stanislav Levin --- .../azure/azure_definitions/gating-fedora.yml | 73 +-- 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/ipatests/azure/azure_definitions/gating-fedora.yml b/ipatests/azure/azure_definitions/gating-fedora.yml index 70c15834c5c..346da2d52a4 100644 --- a/ipatests/azure/azure_definitions/gating-fedora.yml +++ b/ipatests/azure/azure_definitions/gating-fedora.yml 
@@ -11,14 +11,14 @@ default_resources: vms: - vm_jobs: - - container_job: InstallMaster -containers: - resources: -server: - mem_limit: "3200m" - memswap_limit: "4800m" -tests: -- test_integration/test_installation.py::TestInstallMaster +# - container_job: InstallMaster +#containers: +# resources: +#server: +# mem_limit: "3200m" +# memswap_limit: "4800m" +#tests: +#- test_integration/test_installation.py::TestInstallMaster - container_job: kerberos_flags containers: @@ -119,19 +119,19 @@ vms: - test_integration/test_external_ca.py::TestExternalCAConstraints - vm_jobs: - - container_job: commands -containers: - replicas: 1 - clients: 1 - resources: -server: - mem_limit: "3500m" - memswap_limit: "4000m" -client: - mem_limit: "768m" - memswap_limit: "1024m" -tests: -- test_integration/test_commands.py +# - container_job: commands +#containers: +# replicas: 1 +# clients: 1 +# resources: +#server: +# mem_limit: "3500m" +# memswap_limit: "4000m" +#client: +# mem_limit: "768m" +# memswap_limit: "1024m" +#tests: +#- test_integration/test_commands.py - container_job: membermanager tests: @@ -150,22 +150,21 @@ vms: tests: - test_integration/test_replica_promotion.py::TestSubCAkeyReplication - - container_job: adtrust_install -tests: -- test_integration/test_adtrust_install.py -containers: - replicas: 1 - -- vm_jobs: - - container_job: advise -containers: - clients: 1 - resources: -client: - mem_limit: "768m" - memswap_limit: "1024m" -tests: -- test_integration/test_advise.py +# - container_job: adtrust_install +#tests: +#- test_integration/test_adtrust_install.py +#containers: +# replicas: 1 + +# - container_job: advise +#containers: +# clients: 1 +# resources: +#client: +# mem_limit: "768m" +# memswap_limit: "1024m" +#tests: +#- test_integration/test_advise.py - container_job: cert tests: From 48c8ec68808c82846cd0a9fe6812ee7856409ce3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 22 Jul 2021 20:22:13 +0200 Subject: [PATCH 2/3] Azure: temporarily disable problematic tests, #2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit test_cert and test_SubCAkeyReplication are randomly failing. The suspect for test_SubCAkeyReplication is an nss bug: https://bugzilla.redhat.com/show_bug.cgi?id=1985061 The reason for test_cert failures was not identified, the only relevant line in the log contains: 2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98 2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1 Disable these tests in gating until the NSS bug is fixed and the related build is available in Fedora. Related: https://pagure.io/freeipa/issue/8864 Signed-off-by: François Cami Reviewed-By: Michal Polovka Reviewed-By: Stanislav Levin --- .../azure/azure_definitions/gating-fedora.yml | 30 +-- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git
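Review bot: patch 1/3 disables more than its commit message lists: the third hunk also comments out `adtrust_install`, and the second hunk comments out the whole `test_integration/test_commands.py` job where the message names only `test_commands.TestIPACommand`. Please bring the message in line with the hunks, and put a short comment with the tracking issue (https://pagure.io/freeipa/issue/8864) next to each commented-out job so the blocks are easy to find when they are re-enabled.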
[Freeipa-devel] [freeipa PR#5916][closed] Azure: temporarily disable problematic tests
URL: https://github.com/freeipa/freeipa/pull/5916 Author: fcami Title: #5916: Azure: temporarily disable problematic tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5916/head:pr5916 git checkout pr5916
[Freeipa-devel] [freeipa PR#5916][opened] Azure: temporarily disable problematic tests
URL: https://github.com/freeipa/freeipa/pull/5916 Author: fcami Title: #5916: Azure: temporarily disable problematic tests Action: opened PR body: """ test_installation.TestInstallMaster and test_advise rely on DNS forwarders and hit a known BIND bug quite often. Disable these tests in gating until the bug is fixed. Related: https://pagure.io/freeipa/issue/8864 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5916/head:pr5916 git checkout pr5916 From dc66f98d9fc12bbb6e1afb74326e28116cd25628 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 22 Jul 2021 08:34:47 +0200 Subject: [PATCH] Azure: temporarily disable problematic tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit test_installation.TestInstallMaster and test_advise rely on DNS forwarders and hit a known BIND bug quite often. Disable these tests in gating until the bug is fixed. Related: https://pagure.io/freeipa/issue/8864 Signed-off-by: François Cami --- .../azure/azure_definitions/gating-fedora.yml | 35 +-- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/ipatests/azure/azure_definitions/gating-fedora.yml b/ipatests/azure/azure_definitions/gating-fedora.yml index 70c15834c5c..b1b8e940ede 100644 --- a/ipatests/azure/azure_definitions/gating-fedora.yml +++ b/ipatests/azure/azure_definitions/gating-fedora.yml @@ -11,14 +11,14 @@ default_resources: vms: - vm_jobs: - - container_job: InstallMaster -containers: - resources: -server: - mem_limit: "3200m" - memswap_limit: "4800m" -tests: -- test_integration/test_installation.py::TestInstallMaster +# - container_job: InstallMaster +#containers: +# resources: +#server: +# mem_limit: "3200m" +# memswap_limit: "4800m" +#tests: +#- test_integration/test_installation.py::TestInstallMaster - container_job: kerberos_flags containers: 
@@ -156,16 +156,15 @@ vms: containers: replicas: 1 -- vm_jobs: - - container_job: advise -containers: - clients: 1 - resources: -client: - mem_limit: "768m" - memswap_limit: "1024m" -tests: -- test_integration/test_advise.py +# - container_job: advise +#containers: +# clients: 1 +# resources: +#client: +# mem_limit: "768m" +# memswap_limit: "1024m" +#tests: +#- test_integration/test_advise.py - container_job: cert tests: ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
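Review bot: the second hunk removes the `- vm_jobs:` line together with the `advise` job, so the `cert` job that follows in the context now falls under the preceding `vm_jobs` group instead of starting its own. If that regrouping is not intended, keep the `- vm_jobs:` line and comment out only the `advise` entry; if it is intended, say so in the commit message, since it changes which jobs share a VM.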
[Freeipa-devel] [freeipa PR#5914][opened] ipatests: refactor test_ipa_cert_fix with tasks
URL: https://github.com/freeipa/freeipa/pull/5914 Author: fcami Title: #5914: ipatests: refactor test_ipa_cert_fix with tasks Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/8932 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5914/head:pr5914 git checkout pr5914 From bc270efb38d17b9c960b892c91eb17976343c485 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 21 Jul 2021 14:29:31 +0200 Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://pagure.io/freeipa/issue/8932 Signed-off-by: François Cami --- .../test_integration/test_ipa_cert_fix.py | 26 ++- 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py index 33441c02234..1b9dbd81810 100644 --- a/ipatests/test_integration/test_ipa_cert_fix.py +++ b/ipatests/test_integration/test_ipa_cert_fix.py @@ -49,16 +49,6 @@ def check_status(host, cert_count, state, timeout=600): return count -def move_date(host, chrony_state, date_str): -"""Helper method to move the date on given host -:param host: The host on which date is to be moved -:param chrony_state: State to which chrony service to be moved -:param date_str: date string to move the date i.e 2years1month1days -""" -host.run_command(['systemctl', chrony_state, 'chronyd']) -host.run_command(['date', '-s', date_str]) - - @pytest.fixture def expire_cert_critical(): """ 
@@ -77,13 +67,13 @@ def _expire_cert_critical(host, setup_kra=False): tasks.install_kra(host) # move date to expire certs -move_date(host, 'stop', '+3Years+1day') +tasks.move_date(host, 'stop', '+3Years+1day') yield _expire_cert_critical host = hosts.pop('host') tasks.uninstall_master(host) -move_date(host, 'start', '-3Years-1day') +tasks.move_date(host, 'start', '-3Years-1day') class TestIpaCertFix(IntegrationTest): @@ -97,12 +87,12 @@ def uninstall(cls, mh): def expire_ca_cert(self): tasks.install_master(self.master, setup_dns=False, extra_args=['--no-ntp']) -move_date(self.master, 'stop', '+20Years+1day') +tasks.move_date(self.master, 'stop', '+20Years+1day') yield tasks.uninstall_master(self.master) -move_date(self.master, 'start', '-20Years-1day') +tasks.move_date(self.master, 'start', '-20Years-1day') def test_missing_csr(self, expire_cert_critical): """ @@ -363,7 +353,7 @@ def test_renew_expired_cert_replica(self): related: https://pagure.io/freeipa/issue/7885 """ -move_date(self.master, 'stop', '+3years+1days') +tasks.move_date(self.master, 'stop', '+3years+1days') # wait for cert expiry check_status(self.master, 8, "CA_UNREACHABLE") @@ -373,7 +363,7 @@ def test_renew_expired_cert_replica(self): check_status(self.master, 9, "MONITORING") # move system date to expire cert on replica -move_date(self.replicas[0], 'stop', '+3years+1days') +tasks.move_date(self.replicas[0], 'stop', '+3years+1days') # RA agent cert will be expired and in CA_UNREACHABLE state check_status(self.replicas[0], 1, "CA_UNREACHABLE") 
@@ -402,5 +392,5 @@ def test_renew_expired_cert_replica(self): check_status(self.master, 9, "MONITORING") # move date back on replica and master -move_date(self.replicas[0], 'start', '-3years-1days') -move_date(self.master, 'start', '-3years-1days') +tasks.move_date(self.replicas[0], 'start', '-3years-1days') +tasks.move_date(self.master, 'start', '-3years-1days') ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
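Review bot: every call site in these hunks switches to `tasks.move_date`, but the diffstat covers only `test_ipa_cert_fix.py`, so the patch relies on `move_date` already being present in `tasks.py`; the commit message has no body and should name the change that adds it, so merge and backport order are clear. In `_expire_cert_critical` and `expire_ca_cert` the clock is also moved back only after `tasks.uninstall_master(...)` returns, so a failed uninstall leaves the host years ahead with chronyd stopped; a try/finally around the teardown would avoid that.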
[Freeipa-devel] [freeipa PR#5913][opened] [Backport][ipa-4-9] test_acme: make password renewal more robust
URL: https://github.com/freeipa/freeipa/pull/5913 Author: fcami Title: #5913: [Backport][ipa-4-9] test_acme: make password renewal more robust Action: opened PR body: """ This PR was opened automatically because PR #5910 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5913/head:pr5913 git checkout pr5913 From 8eea96cb7124e0b40be025272aea7498b2eb8701 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 20 Jul 2021 20:19:16 +0200 Subject: [PATCH 1/2] test_acme: refactor with tasks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 11 +++ ipatests/test_integration/test_acme.py | 19 --- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 22c7ba7827b..c2e5486173b 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg): 'is_package_installed: unknown platform %s' % platform ) return result.returncode == 0 + + +def move_date(host, chrony_cmd, date_str): +"""Helper method to move system date +:param host: host on which date is to be manipulated +:param chrony_cmd: systemctl command to apply to + chrony service, for instance 'start', 'stop' +:param date_str: date string to change the date i.e '3years2months1day1' +""" +host.run_command(['systemctl', chrony_cmd, 'chronyd']) +host.run_command(['date', '-s', date_str]) diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py index d90f1ff7d41..b4aa1b3512b 100644 --- a/ipatests/test_integration/test_acme.py +++ b/ipatests/test_integration/test_acme.py 
@@ -35,17 +35,6 @@ CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa' -def move_date(host, chrony_cmd, date_str): -"""Helper method to move system date -:param host: host on which date is to be manipulated -:param chrony_cmd: systemctl command to apply to - chrony service, for instance 'start', 'stop' -:param date_str: date string to change the date i.e '3years2months1day1' -""" -host.run_command(['systemctl', chrony_cmd, 'chronyd']) -host.run_command(['date', '-s', date_str]) - - def check_acme_status(host, exp_status, timeout=60): """Helper method to check the status of acme server""" for _i in range(0, timeout, 5): @@ -598,8 +587,8 @@ def issue_and_expire_cert(self): ) # move system date to expire acme cert for host in self.clients[0], self.master: -host.run_command(['kdestroy', '-A']) -move_date(host, 'stop', '+90days') +tasks.kdestroy_all(host) +tasks.move_date(host, 'stop', '+90days') self.clients[0].run_command( ['kinit', 'admin'], stdin_text=cmd_input.format( @@ -611,8 +600,8 @@ def issue_and_expire_cert(self): # move back date for host in self.clients[0], self.master: -host.run_command(['kdestroy', '-A']) -move_date(host, 'start', '-90days') +tasks.kdestroy_all(host) +tasks.move_date(host, 'start', '-90days') tasks.kinit_admin(host) @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available') From c6f4e8f5e64da74ef6098e9c6e3634c6d5d8e8ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 20 Jul 2021 20:22:23 +0200 Subject: [PATCH 2/2] test_acme: make password renewal more robust MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A kinit immediately following a password change can fail. Setting KRB5_TRACE and retrieving kdcinfo will help to understand the cause of failure. Fixes: https://pagure.io/freeipa/issue/8929 Signed-off-by: François Cami --- ipatests/test_integration/test_acme.py | 28 +- 1 file changed, 14 insertions(+), 14 deletions(-) 
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py index b4aa1b3512b..10195a95f93 100644 --- a/ipatests/test_integration/test_acme.py +++ b/ipatests/test_integration/test_acme.py @@ -576,25 +576,25 @@ def issue_and_expire_cert(self): # request a standalone acme cert certbot_standalone_cert(self.clients[0], self.acme_server) -cmd_input = ( -# Password for admin@{REALM}: -"{pwd}\n" -# Password expired. You must change it now. -# Enter new password: -"{pwd}\n" -# Enter it again: -"{pwd}\n" -) # move system date to
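Review bot: the docstring of the new `tasks.move_date` gives `'3years2months1day1'` as the example `date_str`, which has a stray trailing `1` and no sign, while the callers in `test_acme.py` pass `'+90days'` and `'-90days'`; use one of those as the example and write "e.g." instead of "i.e". In `issue_and_expire_cert` the date is moved back in a second loop after the `kinit`, so a failure in between leaves both hosts 90 days ahead; consider a try/finally there.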
[Freeipa-devel] [freeipa PR#5910][closed] test_acme: make password renewal more robust
URL: https://github.com/freeipa/freeipa/pull/5910 Author: fcami Title: #5910: test_acme: make password renewal more robust Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5910/head:pr5910 git checkout pr5910
[Freeipa-devel] [freeipa PR#5912][opened] [Backport][ipa-4-9] tasks.py: fix flake8-reported issues
URL: https://github.com/freeipa/freeipa/pull/5912 Author: fcami Title: #5912: [Backport][ipa-4-9] tasks.py: fix flake8-reported issues Action: opened PR body: """ This PR was opened automatically because PR #5911 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5912/head:pr5912 git checkout pr5912 From 2bb2652a351ee1529c16cc3c9f847359f0ad970c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 20 Jul 2021 20:29:00 +0200 Subject: [PATCH] tasks.py: fix flake8-reported issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://pagure.io/freeipa/issue/8931 Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 22c7ba7827b..cd27cff37fb 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -597,7 +597,9 @@ def install_adtrust(host): dig_command = ['dig', 'SRV', '+short', '@localhost', '_ldap._tcp.%s' % host.domain.name] dig_output = '0 100 389 %s.' % host.hostname -dig_test = lambda x: re.search(re.escape(dig_output), x) + +def dig_test(x): +return re.search(re.escape(dig_output), x) run_repeatedly(host, dig_command, test=dig_test) @@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user', result = host.run_command( "KRB5_TRACE=/dev/stdout kinit %s" % login, stdin_text='{0}\n{1}\n{1}\n'.format( -temp_password, password, raiseonerr=False -) +temp_password, password +), raiseonerr=False ) # Retrieve kdc.$REALM after the password change, just in case SSSD # domain status flipped to online during the password change. 
@@ -2264,10 +2266,10 @@ def extract_key_refs(self, keytab, princ=None): [paths.KLIST, "-eK", "-k", keytab], log_stdout=False) keys_to_sync = [] -for l in result.stdout_text.splitlines(): -if (princ in l and any(e in l for e in self.valid_etypes)): +for line in result.stdout_text.splitlines(): +if (princ in line and any(e in line for e in self.valid_etypes)): -els = l.split() +els = line.split() els[-2] = els[-2].strip('()') els[-1] = els[-1].strip('()') keys_to_sync.append(KeyEntry._make(els)) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
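Review bot: the second hunk is a behaviour change, not only a flake8 fix: `raiseonerr=False` used to be an unused keyword argument of `str.format()` and now reaches `host.run_command`, so a failing `kinit` in `create_active_user` no longer raises. Check `result.returncode` after the call, or fail explicitly with the KRB5_TRACE output, and mention the change in the commit message, which currently describes the patch as style fixes only.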
[Freeipa-devel] [freeipa PR#5911][closed] tasks.py: fix flake8-reported issues
URL: https://github.com/freeipa/freeipa/pull/5911 Author: fcami Title: #5911: tasks.py: fix flake8-reported issues Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5911/head:pr5911 git checkout pr5911
[Freeipa-devel] [freeipa PR#5911][opened] tasks.py: fix flake8-reported issues
URL: https://github.com/freeipa/freeipa/pull/5911 Author: fcami Title: #5911: tasks.py: fix flake8-reported issues Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/8931 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5911/head:pr5911 git checkout pr5911 From 0193e43552ae7c92c86e8eb04208ed1d6d08d388 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 20 Jul 2021 20:29:00 +0200 Subject: [PATCH] tasks.py: fix flake8-reported issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://pagure.io/freeipa/issue/8931 Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 22c7ba7827b..cd27cff37fb 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -597,7 +597,9 @@ def install_adtrust(host): dig_command = ['dig', 'SRV', '+short', '@localhost', '_ldap._tcp.%s' % host.domain.name] dig_output = '0 100 389 %s.' % host.hostname -dig_test = lambda x: re.search(re.escape(dig_output), x) + +def dig_test(x): +return re.search(re.escape(dig_output), x) run_repeatedly(host, dig_command, test=dig_test) @@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user', result = host.run_command( "KRB5_TRACE=/dev/stdout kinit %s" % login, stdin_text='{0}\n{1}\n{1}\n'.format( -temp_password, password, raiseonerr=False -) +temp_password, password +), raiseonerr=False ) # Retrieve kdc.$REALM after the password change, just in case SSSD # domain status flipped to online during the password change. 
@@ -2264,10 +2266,10 @@ def extract_key_refs(self, keytab, princ=None): [paths.KLIST, "-eK", "-k", keytab], log_stdout=False) keys_to_sync = [] -for l in result.stdout_text.splitlines(): -if (princ in l and any(e in l for e in self.valid_etypes)): +for line in result.stdout_text.splitlines(): +if (princ in line and any(e in line for e in self.valid_etypes)): -els = l.split() +els = line.split() els[-2] = els[-2].strip('()') els[-1] = els[-1].strip('()') keys_to_sync.append(KeyEntry._make(els)) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
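Review bot: In the extract_key_refs hunk (@@ -2264), the renamed loop still evaluates `princ in line` while the signature in the hunk header keeps princ=None as the default. With the default, that expression raises TypeError, because the left operand of `in` on a str must itself be a str. Since these lines are being touched anyway, either drop the default or skip the principal filter when princ is None.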
[Freeipa-devel] [freeipa PR#5910][opened] test_acme: make password renewal more robust
URL: https://github.com/freeipa/freeipa/pull/5910 Author: fcami Title: #5910: test_acme: make password renewal more robust Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/8929 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5910/head:pr5910 git checkout pr5910 From 006d6bf64e6eb90ee0b554203b480b309fa03b48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 20 Jul 2021 19:36:42 +0200 Subject: [PATCH] test_acme: make password renewal more robust MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 11 ++ ipatests/test_integration/test_acme.py | 45 +--- 2 files changed, 27 insertions(+), 29 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 22c7ba7827b..c2e5486173b 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg): 'is_package_installed: unknown platform %s' % platform ) return result.returncode == 0 + + +def move_date(host, chrony_cmd, date_str): +"""Helper method to move system date +:param host: host on which date is to be manipulated +:param chrony_cmd: systemctl command to apply to + chrony service, for instance 'start', 'stop' +:param date_str: date string to change the date i.e '3years2months1day1' +""" +host.run_command(['systemctl', chrony_cmd, 'chronyd']) +host.run_command(['date', '-s', date_str]) diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py index d90f1ff7d41..3f54d31a148 100644 --- a/ipatests/test_integration/test_acme.py +++ b/ipatests/test_integration/test_acme.py 
@@ -35,17 +35,6 @@ CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa' -def move_date(host, chrony_cmd, date_str): -"""Helper method to move system date -:param host: host on which date is to be manipulated -:param chrony_cmd: systemctl command to apply to - chrony service, for instance 'start', 'stop' -:param date_str: date string to change the date i.e '3years2months1day1' -""" -host.run_command(['systemctl', chrony_cmd, 'chronyd']) -host.run_command(['date', '-s', date_str]) - - def check_acme_status(host, exp_status, timeout=60): """Helper method to check the status of acme server""" for _i in range(0, timeout, 5): 
@@ -587,32 +576,30 @@ def issue_and_expire_cert(self): # request a standalone acme cert certbot_standalone_cert(self.clients[0], self.acme_server) -cmd_input = ( -# Password for admin@{REALM}: -"{pwd}\n" -# Password expired. You must change it now. -# Enter new password: -"{pwd}\n" -# Enter it again: -"{pwd}\n" -) # move system date to expire acme cert for host in self.clients[0], self.master: -host.run_command(['kdestroy', '-A']) -move_date(host, 'stop', '+90days') -self.clients[0].run_command( -['kinit', 'admin'], -stdin_text=cmd_input.format( -pwd=self.clients[0].config.admin_password -) +tasks.kdestroy_all(host) +tasks.move_date(host, 'stop', '+90days') + +tasks.get_kdcinfo(host) +# Note raiseonerr=False: +# the assert is located after kdcinfo retrieval. +result = host.run_command( +"KRB5_TRACE=/dev/stdout kinit %s" % 'admin', +stdin_text='{0}\n{0}\n{0}\n'.format("{pwd}"), +raiseonerr=False ) +# Retrieve kdc.$REALM after the password change, just in case SSSD +# domain status flipped to online during the password change. +tasks.get_kdcinfo(host) +assert result.returncode == 0 yield # move back date for host in self.clients[0], self.master: -host.run_command(['kdestroy', '-A']) -move_date(host, 'start', '-90days') +tasks.kdestroy_all(host) +tasks.move_date(host, 'start', '-90days') tasks.kinit_admin(host) @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available') ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
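Review bot: In the issue_and_expire_cert hunk of test_acme.py (@@ -587), stdin_text='{0}\n{0}\n{0}\n'.format("{pwd}") sends the literal text {pwd} three times to kinit: the positional argument is the placeholder string itself, and nothing substitutes the admin password any more. The removed code formatted cmd_input with pwd=self.clients[0].config.admin_password; the replacement needs the equivalent, for example .format(host.config.admin_password) if host.config carries it on the master as well. The kinit also moved inside the loop, so it now runs on the master too, which the commit message should state.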
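Review bot: In the tasks.py hunk that adds move_date (@@ -2800), the docstring example '3years2months1day1' does not match the relative forms the callers in test_acme.py actually pass ('+90days', '-90days'), and "i.e" should read "e.g.". Since the helper is now shared from tasks.py, please correct the example and document that chrony_cmd is handed to systemctl unchanged, so callers know only 'start' and 'stop' are expected.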
[Freeipa-devel] [freeipa PR#5909][closed] [Backport][ipa-4-9] ipatests: smbclient "-k" => "--use-kerberos=desired"
URL: https://github.com/freeipa/freeipa/pull/5909 Author: fcami Title: #5909: [Backport][ipa-4-9] ipatests: smbclient "-k" => "--use-kerberos=desired" Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5909/head:pr5909 git checkout pr5909
[Freeipa-devel] [freeipa PR#5909][opened] [Backport][ipa-4-9] ipatests: smbclient "-k" => "--use-kerberos=desired"
URL: https://github.com/freeipa/freeipa/pull/5909 Author: fcami Title: #5909: [Backport][ipa-4-9] ipatests: smbclient "-k" => "--use-kerberos=desired" Action: opened PR body: """ Change documentation: https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt As of Samba 4.15rc1, smbclient does not accept "-k" anymore. The "-k|--kerberos" option ("Try to authenticate with kerberos.") has been replaced with "--use-kerberos=required|desired|off". Fixes: https://pagure.io/freeipa/issue/8926 Signed-off-by: François Cami Reviewed-By: Michal Polovka """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5909/head:pr5909 git checkout pr5909 From ec3ca1860f249ee6e517c3a87767280221b0588f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Mon, 19 Jul 2021 15:59:01 +0200 Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=desired" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change documentation: https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt As of Samba 4.15rc1, smbclient does not accept "-k" anymore. The "-k|--kerberos" option ("Try to authenticate with kerberos.") has been replaced with "--use-kerberos=required|desired|off". Fixes: https://pagure.io/freeipa/issue/8926 Signed-off-by: François Cami Reviewed-By: Michal Polovka --- ipatests/test_integration/test_smb.py | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py index 399ad62099e..b2b7ce2e4ed 100644 --- a/ipatests/test_integration/test_smb.py +++ b/ipatests/test_integration/test_smb.py 
@@ -166,9 +166,28 @@ def smb_sanity_check(self, user, client_mountpoint, share): encoding='utf-8') assert file_contents_at_server == test_string -# check access using smbclient utility +# Detect whether smbclient uses -k or --use-kerberos=required +# https://pagure.io/freeipa/issue/8926 +# then check access using smbclient. res = run_smb_client( -['smbclient', '-k', share['unc'], '-c', 'dir']) +[ +"smbclient", +"-h", +], raiseonerr=False +) +if "[-k|--kerberos]" in res.stderr_text: +smbclient_krb5_knob = "-k" +else: +smbclient_krb5_knob = "--use-kerberos=desired" +res = run_smb_client( +[ +"smbclient", +smbclient_krb5_knob, +share["unc"], +"-c", +"dir", +] +) assert test_dir in res.stdout_text # check file and dir removal from client side ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
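Review bot: In the smb_sanity_check hunk (@@ -166), the new comment says the detection chooses between -k and --use-kerberos=required, but the value assigned to smbclient_krb5_knob in the else branch is --use-kerberos=desired. The difference matters for what the test proves: with desired, smbclient may fall back to another authentication method, so the dir listing can succeed without Kerberos having worked. Use required for the new-style option, or state in the comment why desired is intended. The detection also depends on the exact usage text [-k|--kerberos] appearing in stderr of smbclient -h; checking stdout_text as well would make it less fragile.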
[Freeipa-devel] [freeipa PR#5907][closed] ipatests: smbclient "-k" => "--use-kerberos=required"
URL: https://github.com/freeipa/freeipa/pull/5907 Author: fcami Title: #5907: ipatests: smbclient "-k" => "--use-kerberos=required" Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5907/head:pr5907 git checkout pr5907
[Freeipa-devel] [freeipa PR#5907][opened] ipatests: smbclient "-k" => "--use-kerberos=required"
URL: https://github.com/freeipa/freeipa/pull/5907 Author: fcami Title: #5907: ipatests: smbclient "-k" => "--use-kerberos=required" Action: opened PR body: """ As of Samba 4.15rc1, smbclient does not accept -k anymore. The -k|--kerberos option ("Try to authenticate with kerberos." has been replaced with "--use-kerberos=required|desired|off". Change documentation: https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt Fixes: https://pagure.io/freeipa/issue/8926 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5907/head:pr5907 git checkout pr5907 From c973cb6fcc28930d13651ac66a0c23d6ce7344f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Mon, 19 Jul 2021 16:32:31 +0200 Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=required" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As of Samba 4.15rc1, smbclient does not accept -k anymore. The -k|--kerberos option ("Try to authenticate with kerberos." has been replaced with "--use-kerberos=required|desired|off". Change documentation: https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt Fixes: https://pagure.io/freeipa/issue/8926 Signed-off-by: François Cami --- ipatests/test_integration/test_smb.py | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py index 399ad62099e..4e6efb687a7 100644 --- a/ipatests/test_integration/test_smb.py +++ b/ipatests/test_integration/test_smb.py 
@@ -168,7 +168,14 @@ def smb_sanity_check(self, user, client_mountpoint, share): # check access using smbclient utility res = run_smb_client( -['smbclient', '-k', share['unc'], '-c', 'dir']) +[ +"smbclient", +"--use-kerberos=required", +share["unc"], +"-c", +"dir", +] +) assert test_dir in res.stdout_text # check file and dir removal from client side ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
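Review bot: In the smb_sanity_check hunk (@@ -168), --use-kerberos=required is passed unconditionally, while the commit message says the option only replaced -k as of Samba 4.15rc1. If this test still runs on a platform that ships an older smbclient, the call fails on an unknown option. Either state the minimum Samba version the test suite targets, or select the option based on what the installed smbclient accepts.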
[Freeipa-devel] [freeipa PR#5852][opened] rpcserver.py: perf_counter_ns is Python 3.7+
URL: https://github.com/freeipa/freeipa/pull/5852 Author: fcami Title: #5852: rpcserver.py: perf_counter_ns is Python 3.7+ Action: opened PR body: """ perf_counter_ns is only available in Python 3.7 and later. Define a lambda for 3.6 and lower. Fixes: TBD Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5852/head:pr5852 git checkout pr5852 From 381c709c2ab437bad39923be3e2fdc37a1165491 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 22 Jun 2021 20:18:07 +0200 Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit perf_counter_ns is only available in Python 3.7 and later. Define a lambda for 3.6 and lower. Fixes: TBD Signed-off-by: François Cami --- ipaserver/rpcserver.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index b121316bf87..61225d7af28 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -31,6 +31,7 @@ import time import traceback from io import BytesIO +from sys import version_info from urllib.parse import parse_qs from xmlrpc.client import Fault 
@@ -68,10 +69,13 @@ from base64 import b64decode, b64encode from requests.auth import AuthBase - if six.PY3: unicode = str +# time.perf_counter_ns appeared in Python 3.7. +if version_info.major == 3 and version_info.minor < 7: +time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9) + logger = logging.getLogger(__name__) HTTP_STATUS_SUCCESS = '200 Success' ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
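Review bot: In the second rpcserver.py hunk (@@ -68), the fallback assigns to time.perf_counter_ns, which patches the shared time module for every importer in the process, and it is gated on version_info rather than on the attribute being absent. Prefer a module-local name selected with hasattr(time, 'perf_counter_ns') and call that name from rpcserver.py. Note also that int(time.perf_counter() * 10**9) goes through a float, so the result does not have true nanosecond resolution; a comment saying so would help. The hunk also removes one blank line before `if six.PY3:`, which looks unrelated to the fix.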
[Freeipa-devel] [freeipa PR#5638][closed] [Backport][ipa-4-9] ipa-client-install: output a warning if sudo is not present
URL: https://github.com/freeipa/freeipa/pull/5638 Author: rcritten Title: #5638: [Backport][ipa-4-9] ipa-client-install: output a warning if sudo is not present Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5638/head:pr5638 git checkout pr5638
[Freeipa-devel] [freeipa PR#5636][opened] ipa-client-install: output a warning if sudo is not present
URL: https://github.com/freeipa/freeipa/pull/5636 Author: fcami Title: #5636: ipa-client-install: output a warning if sudo is not present Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/8530 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5636/head:pr5636 git checkout pr5636 From 80b0859d5130dd66f2a51963096d177513e8499a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Mon, 15 Mar 2021 16:55:08 +0100 Subject: [PATCH 1/2] ipa-client-install: output a warning if sudo is not present (2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami --- ipaclient/install/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 0e478fa26b7..9bdfbddafb2 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2205,7 +2205,7 @@ def install_check(options): # available. if options.conf_sudo: try: -subprocess.Popen(['sudo -V']) +subprocess.Popen(['sudo', '-V']) except FileNotFoundError: logger.info( "The sudo binary does not seem to be present on this " From cb98e8e30a85aba8e0c7ae14d0d9a347d68f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Mon, 15 Mar 2021 17:00:05 +0100 Subject: [PATCH 2/2] ipatests: check for the "no sudo present" string absence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When sudo is installed, no warning should be output about sudo not being available (obviously). Check that the relevant string is not present. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami --- ipatests/test_integration/test_installation.py | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index a50a59f1a9b..a5ff17a0d1e 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py @@ -1620,3 +1620,5 @@ def test_install_sudo_on_client(self): tasks.install_packages(self.clients[0], ['sudo']) for pkg in ('sudo', 'libsss_sudo'): assert tasks.is_package_installed(self.clients[0], pkg) +result = tasks.install_client(self.master, self.clients[0]) +assert self.no_sudo_str not in result.stderr_text ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
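Review bot: In the install_check hunk of ipaclient/install/client.py (@@ -2205, patch 1/2), subprocess.Popen(['sudo', '-V']) starts the child without waiting for it or redirecting its output, so the sudo version banner is written into the installer's own output and the process is never reaped. Since only the presence of the binary matters here, subprocess.run with stdout and stderr sent to DEVNULL, or shutil.which('sudo'), would perform the same check cleanly. The message is also emitted with logger.info although the subject line calls it a warning.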
[Freeipa-devel] [freeipa PR#5607][opened] ipatests: fix nightly_latest_testing_selinux template
URL: https://github.com/freeipa/freeipa/pull/5607 Author: fcami Title: #5607: ipatests: fix nightly_latest_testing_selinux template Action: opened PR body: """ The TestInstallWithoutSudo entry referenced fedora-latest instead of testing-fedora for its build dependency. Fix it. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5607/head:pr5607 git checkout pr5607 From 1348729b5379e6f034d9f9584c847a58be65a6bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 4 Mar 2021 10:10:10 +0100 Subject: [PATCH] ipatests: fix nightly_latest_testing_selinux template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The TestInstallWithoutSudo entry referenced fedora-latest instead of testing-fedora for its build dependency. Fix it. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami --- ipatests/prci_definitions/nightly_latest_testing_selinux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml b/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml index 0bc1047df1d..bc6e60ac669 100644 --- a/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml +++ b/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml 
@@ -616,7 +616,7 @@ jobs: topology: *master_1repl testing-fedora/test_installation_TestInstallWithoutSudo: -requires: [fedora-latest/build] +requires: [testing-fedora/build] priority: 50 job: class: RunPytest ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
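Review bot: The context of this hunk (@@ -616 of nightly_latest_testing_selinux.yaml) ends at class: RunPytest, so the args block of the TestInstallWithoutSudo entry is not visible. Since requires pointed at fedora-latest/build, please check that build_url and template in the same entry reference testing-fedora as well, and say in the commit message whether they were already correct.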
[Freeipa-devel] [freeipa PR#5408][closed] upgrade.py: restart CS for 30 seconds until it is up
URL: https://github.com/freeipa/freeipa/pull/5408 Author: fcami Title: #5408: upgrade.py: restart CS for 30 seconds until it is up Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5408/head:pr5408 git checkout pr5408
[Freeipa-devel] [freeipa PR#5556][opened] ipatests: various enhancement to hidden replica tests
URL: https://github.com/freeipa/freeipa/pull/5556 Author: fcami Title: #5556: ipatests: various enhancement to hidden replica tests Action: opened PR body: """ https://github.com/freeipa/freeipa/pull/5183 redux. I cannot reopen the original PR because the branch was force-pushed. + ipatests: add wait_for_ipa_to_start wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all IPA services on the specified host. Related: https://pagure.io/freeipa/issue/8534 + ipatests: hiddenreplica: use wait_for_ipa_to_start after restore Use wait_for_ipa_to_start to wait until the restored replica is online. Related: https://pagure.io/freeipa/issue/8534 + ipatests: use wait_for_replication for hidden replica checks Previously, hidden replica checks were run without waiting for replication to complete, potentially leading to unstable behavior. Use wait_for_replication. Fixes: https://pagure.io/freeipa/issue/8534 + ipatests: hidden replica: misc fixes Split a test in two and add additional fixes. Related: https://pagure.io/freeipa/issue/8534 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5556/head:pr5556 git checkout pr5556 From e76116f4341f7c30ce56f3e2b9bbe321fd46f509 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 9 Feb 2021 07:46:35 +0200 Subject: [PATCH 1/7] ipatests: tasks.py: add wait_for_ipa_to_start MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all IPA services on the specified host. Related: https://pagure.io/freeipa/issue/8534 Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 22 ++ 1 file changed, 22 insertions(+) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 2fe78367fce..6b00183d14c 100755 --- a/ipatests/pytest_ipa/integration/tasks.py 
+++ b/ipatests/pytest_ipa/integration/tasks.py @@ -47,6 +47,7 @@ from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.backends import default_backend +from datetime import datetime, timedelta from ipapython import certdb from ipapython import ipautil @@ -2533,6 +2534,27 @@ def get_healthcheck_version(host): return healthcheck_version +def wait_for_ipa_to_start(host, timeout=60): +"""Wait up to timeout seconds for ipa to start on a given host. + +If DS is restarted, and SSSD must be online, please consider using +wait_for_sssd_domain_status_online(host) in the test after calling +this method. +""" +pattern = 'STOPPED' +interval = 1 +end_time = datetime.now() + timedelta(seconds=timeout) +for _i in range(0, timeout, interval): +if datetime.now() > end_time: +raise RuntimeError("Request timed out") +time.sleep(interval) +result = host.run_command( +[paths.IPACTL, "status"] +) +if pattern not in result.stdout_text: +break + + def run_ssh_cmd( from_host=None, to_host=None, username=None, cmd=None, auth_method=None, password=None, private_key_path=None, From 0dd1014a4e7b9b196099ec5b1b26af199f9db28d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 9 Feb 2021 08:36:33 +0200 Subject: [PATCH 2/7] ipatests: tasks.py: add dns_update_system_records MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a frontend to "ipa dns-update-system-records" to tasks.py. Related: https://pagure.io/freeipa/issue/8534 Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 10 ++ 1 file changed, 10 insertions(+) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 6b00183d14c..79701aa97ed 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py 
@@ -2555,6 +2555,16 @@ def wait_for_ipa_to_start(host, timeout=60): break +def dns_update_system_records(host): +"""Runs "ipa dns-update-system-records" on "host". +""" +kinit_admin(host) +result = host.run_command( +["ipa", "dns-update-system-records"] +) +return result + + def run_ssh_cmd( from_host=None, to_host=None, username=None, cmd=None, auth_method=None, password=None, private_key_path=None, From 4a247ece343ef02a4a40513a31d17d2ff0f53325 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 10 Feb 2021 06:50:17 +0200 Subject: [PATCH 3/7] ipatests: hiddenreplica: use wait_for_ipa_to_start after restore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use wait_for_ipa_to_start to wait until the restored
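Review bot: In wait_for_ipa_to_start (patch 1/7, tasks.py @@ -2533), the for loop has no else branch, so when range(0, timeout, interval) is exhausted before datetime.now() passes end_time the function returns normally although STOPPED was still present in the last ipactl status output. Raise after the loop (for ... else) or loop on the deadline alone. Two related points: the absence of STOPPED is treated as success, which also matches empty or error output rather than every service reporting RUNNING as the commit message promises; and host.run_command is called without raiseonerr=False, so if ipactl status exits non-zero while services are down the helper raises on the first poll instead of waiting.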
[Freeipa-devel] [freeipa PR#5533][opened] [Backport][ipa-4-9] freeipa.spec.in: client: depend on libsss_sudo
URL: https://github.com/freeipa/freeipa/pull/5533 Author: fcami Title: #5533: [Backport][ipa-4-9] freeipa.spec.in: client: depend on libsss_sudo Action: opened PR body: """ MANUAL BACKPORT of https://github.com/freeipa/freeipa/pull/5176 On 10.10+ releases of Dogtag, the PKI installer will not depend on sudo anymore. This opens the possibility of creating IPA servers without a properly configured sudo. In fact, even IPA clients should have sudo and libsss_sudo installed in most cases, so: add a weak dependency on libsss_sudo to freeipa-client. Fixes: https://pagure.io/freeipa/issue/8530 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5533/head:pr5533 git checkout pr5533 From 2b49299b73cd9ef338fc5515cfb07e04b1709e53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 11 Dec 2020 07:35:59 +0200 Subject: [PATCH 1/4] ipatests: add TestInstallWithoutSudo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test IPA servers and clients behavior when sudo is not installed. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka --- .../nightly_ipa-4-9_latest.yaml | 12 .../nightly_ipa-4-9_latest_selinux.yaml | 15 - .../nightly_ipa-4-9_previous.yaml | 13 .../test_integration/test_installation.py | 66 +++ 4 files changed, 105 insertions(+), 1 deletion(-) diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml index 3acd6a13c81..d91b16cab82 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml 
@@ -535,6 +535,18 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo: +requires: [fedora-latest-ipa-4-9/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest-ipa-4-9/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithoutSudo +template: *ci-ipa-4-9-latest +timeout: 4800 +topology: *master_1repl_1client + fedora-latest-ipa-4-9/test_idviews: requires: [fedora-latest-ipa-4-9/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml index c01192cf5ae..e4bec2cb3ff 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml @@ -575,9 +575,22 @@ jobs: timeout: 10800 topology: *master_1repl - fedora-latest-ipa-4-9/test_idviews: + fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo: requires: [fedora-latest-ipa-4-9/build] priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest-ipa-4-9/build_url}' +selinux_enforcing: True +test_suite: test_integration/test_installation.py::TestInstallWithoutSudo +template: *ci-ipa-4-9-latest +timeout: 4800 +topology: *master_1repl_1client + + fedora-latest/test_idviews: +requires: [fedora-latest/build] +priority: 50 job: class: RunADTests args: diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml index a6ea24f6a88..a1f38deb1e1 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml 
@@ -535,6 +535,19 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo: +requires: [fedora-previous-ipa-4-9/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{testing-fedora/build_url}' +update_packages: True +test_suite: test_integration/test_installation.py::TestInstallWithoutSudo +template: *ci-ipa-4-9-previous +timeout: 4800 +topology: *master_1repl_1client + fedora-previous-ipa-4-9/test_idviews: requires: [fedora-previous-ipa-4-9/build] priority: 50 diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index fca8860d9b9..1cd62c74f55 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py @@ -1537,3 +1537,69 @@ def test_replica_install_against_server(self): self.replicas[0].hostname], stdin_text=dirman_password) assert self.replicas[0].hostname not in cmd.stdout_text + + +class
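Review bot: In the nightly_ipa-4-9_latest_selinux.yaml hunk of PATCH 1/4, the existing job key `fedora-latest-ipa-4-9/test_idviews` is removed and re-added as `fedora-latest/test_idviews` with `requires: [fedora-latest/build]`, dropping the ipa-4-9 suffix that the new TestInstallWithoutSudo job directly above it uses. This looks like a leftover from the master version of the change, and it accounts for the single deletion in the diffstat. Keep `fedora-latest-ipa-4-9/test_idviews` and `requires: [fedora-latest-ipa-4-9/build]` as unchanged context, and insert the new job above them as the nightly_ipa-4-9_latest.yaml hunk does.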
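Review bot: In the nightly_ipa-4-9_previous.yaml hunk, the new job requires `fedora-previous-ipa-4-9/build` but takes `build_url: '{testing-fedora/build_url}'`, so it waits for one build and installs the output of another. The equivalent jobs added to the two other definition files use the build_url of the build they require; use `'{fedora-previous-ipa-4-9/build_url}'` here, and either drop `update_packages: True`, which the other two new jobs do not set, or say in the commit message why only this file needs it.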
[Freeipa-devel] [freeipa PR#5472][opened] Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
URL: https://github.com/freeipa/freeipa/pull/5472 Author: fcami Title: #5472: Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5. Action: opened PR body: """ Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5. Original commit message: ipaCASubjectDN is used by lightweight sub CA feature. ipaExternalMember is used by KRB driver to assemble MS-PAC records. ipaNTSecurityIdentifier was only index for "pres" and was missing an index on "eq". Samba and ipasam perform queries with SID string. memberPrincipal is used by S4U2Proxy constrained delegation and by ipa-custodia. Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and ipaKeyUsage are currently not index because an index would rarely used or have a poor selectivity. Signed-off-by: Christian Heimes The ipaNTSecurityIdentifier entry was missing in ipa-4-6 and is added by this commit. Fixes: https://pagure.io/freeipa/issue/8677 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5472/head:pr5472 git checkout pr5472 From b9fcb97dd0f0aef2b9618b217768a8a6f0657699 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 22 Jan 2021 14:35:59 +0200 Subject: [PATCH] Add more indices MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5. Original commit message: ipaCASubjectDN is used by lightweight sub CA feature. ipaExternalMember is used by KRB driver to assemble MS-PAC records. ipaNTSecurityIdentifier was only index for "pres" and was missing an index on "eq". Samba and ipasam perform queries with SID string. memberPrincipal is used by S4U2Proxy constrained delegation and by ipa-custodia. Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and ipaKeyUsage are currently not index because an index would rarely used or have a poor selectivity. 
Signed-off-by: Christian Heimes The ipaNTSecurityIdentifier entry was missing in ipa-4-6 and is added by this commit. Fixes: https://pagure.io/freeipa/issue/8677 Signed-off-by: François Cami --- install/updates/20-indices.update | 29 + 1 file changed, 29 insertions(+) diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index 6798f50c807..9c0a6552cf5 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update @@ -380,3 +380,32 @@ default: objectClass: top default: objectClass: nsIndex default: nsSystemIndex: false default: nsIndexType: eq + +dn: cn=ipaCASubjectDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: ipaCASubjectDN +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + +dn: cn=ipaExternalMember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: ipaExternalMember +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + +dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only:cn: memberPrincipal +default:objectClass: nsIndex +default:objectClass: top +default:nsSystemIndex: false +add:nsIndexType: eq + +dn: cn=ipaNTSecurityIdentifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only: cn: ipaNTSecurityIdentifier +default: objectClass: top +default: objectClass: nsIndex +default: nsSystemIndex: false +add: nsIndexType: eq +add: nsIndexType: pres \ No newline at end of file ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
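Review bot: The last added entry, cn=ipaNTSecurityIdentifier, is written as `only: cn:`, `default: objectClass:` and `add: nsIndexType:` with a space after the action keyword, while the three entries added just above it use `only:cn:`, `default:objectClass:` and `add:nsIndexType:`. Use one spelling for the whole hunk (the unchanged context lines at the top of the hunk use the spaced form) so the backported block reads as one unit. The hunk also ends with "\ No newline at end of file"; terminate the file with a newline so the next entry appended to 20-indices.update does not show up as a change to the `add: nsIndexType: pres` line.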
[Freeipa-devel] [freeipa PR#5451][opened] ipatests: test_ipahealthcheck: fix division
URL: https://github.com/freeipa/freeipa/pull/5451 Author: fcami Title: #5451: ipatests: test_ipahealthcheck: fix division Action: opened PR body: """ df uses 1024 bytes as its default display value, but this can be tweaked by environment variables or a CLI knob. Force the output unit to 1024 bytes using the CLI and parse it accordingly. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5451/head:pr5451 git checkout pr5451 From d852e1da496fbc64f994e9d46d6740d44bfe3cdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 19 Jan 2021 15:25:44 +0100 Subject: [PATCH 1/2] ipatests: test_ipahealthcheck: fix division MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit df uses 1024 bytes as its default display value, but this can be tweaked by environment variables or a CLI knob. Force the output unit to 1024 bytes using the CLI and parse it accordingly. Signed-off-by: François Cami --- ipatests/test_integration/test_ipahealthcheck.py | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py index 92ad1860e17..9cd0b250fa3 100644 --- a/ipatests/test_integration/test_ipahealthcheck.py +++ b/ipatests/test_integration/test_ipahealthcheck.py @@ -1952,8 +1952,10 @@ def create_jumbo_file(self): path = os.path.join('/tmp', str(uuid.uuid4())) # CI has a single big disk so we may end up allocating most of it. -result = self.master.run_command(['df', '--output=avail', '/tmp']) -free = (int(result.stdout_text.split('\n')[1]) // 1000) - 50 +result = self.master.run_command( +['df', '--block-size=1024', '--output=avail', '/tmp'] +) +free = (int(result.stdout_text.split('\n')[1]) // 1024) - 50 self.master.run_command(['fallocate', '-l', '%dMiB' % free, path]) yield From d039379a2a078b130de298b669bee0e8c4973216 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 19 Jan 2021 15:30:41 +0100 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 43 -- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b634..80656690080 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index b297cd4e319..65af2a8dd54 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml 
@@ -61,14 +61,51 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_ipahealthcheck: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck template: *ci-master-latest timeout: 3600 -topology: *master_1repl_1client +topology: *master_1repl + + fedora-latest/test_ipahealthcheck_nodns_extca_file: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA test_integration/test_ipahealthcheck.py::TestIpaHealthCheckFileCheck +template: *ci-master-latest +timeout: 5400 +topology: *master_1repl + + fedora-latest/test_ipahealthcheck_cli_fsspace: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCLI test_integration/test_ipahealthcheck.py::TestIpaHealthCheckFilesystemSpace +template: *ci-master-latest +timeout: 3600 +topology: *master_1repl + + fedora-latest/test_ipahealthcheck_adtrust: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunADTests + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust +template: *ci-master-latest +timeout: 4800 +topology: *adroot_adchild_adtree_master_1client + ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To
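Review bot: In create_jumbo_file (PATCH 1/2), `free = (int(result.stdout_text.split('\n')[1]) // 1024) - 50` has no lower bound, so on a /tmp with less than 50 MiB available the size handed to `fallocate -l` is zero or negative and the fixture fails with an error unrelated to the health check under test. Forcing `--block-size=1024` makes the KiB to MiB division correct; add a guard that skips or fails with a clear message when `free <= 0`, and a one-line comment stating that df reports KiB here and that 50 MiB is left as headroom.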
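Review bot: PATCH 2/2 ("temp commit") must be dropped before this is merged: its .freeipa-pr-ci.yaml hunk repoints the PR-CI definition from ipatests/prci_definitions/gating.yaml to temp_commit.yaml, and the temp_commit.yaml hunk overwrites the `test_integration/test_REPLACEME.py` placeholder job with four test_ipahealthcheck jobs. If it lands, PR-CI stops running the gating definition and the template file loses its placeholder. Marking the PR as not ready for merge until the commit is removed would make that explicit.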
[Freeipa-devel] [freeipa PR#5408][opened] upgrade.py: restart CS for 30 seconds until it is up
URL: https://github.com/freeipa/freeipa/pull/5408 Author: fcami Title: #5408: upgrade.py: restart CS for 30 seconds until it is up Action: opened PR body: """ Restart CS as many times as necessary within a 30-second window to wait for DS to be ready. Fixes: https://pagure.io/freeipa/issue/8645 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5408/head:pr5408 git checkout pr5408 From b5bd03194ff1b4cd5cdda71075904e9c074ea989 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 5 Jan 2021 15:47:31 +0100 Subject: [PATCH 1/2] upgrade.py: check that CS successfully restarted MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Check that the CA was properly restarted before migrating profiles. Fixes: https://pagure.io/freeipa/issue/8645 Signed-off-by: François Cami --- ipaserver/install/server/upgrade.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index af8eb458f3f..aa385b399d5 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -429,7 +429,10 @@ def ca_enable_ldap_profile_subsystem(ca): quotes=False, separator='=') -ca.restart('pki-tomcat') +try: +ca.restart('pki-tomcat') +except ipautil.CalledProcessError as e: +logger.error("Failed to restart %s: %s", ca.service_name, e) logger.info('[Migrating certificate profiles to LDAP]') cainstance.migrate_profiles_to_ldap() From 225e8956eb74f99ad512e3931745eb487fb31833 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 7 Jan 2021 17:32:25 +0100 Subject: [PATCH 2/2] upgrade.py: restart CS for 30 seconds until it is up MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restart CS as many times as necessary within a 30-second window to wait for DS to be ready. Fixes: https://pagure.io/freeipa/issue/8645 
Signed-off-by: François Cami --- ipaserver/install/server/upgrade.py | 31 + 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index aa385b399d5..060818a8962 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -16,7 +16,10 @@ import stat import sys import tempfile +import time + from contextlib import contextmanager +from datetime import datetime from augeas import Augeas from ipalib import api, x509 @@ -429,10 +432,30 @@ def ca_enable_ldap_profile_subsystem(ca): quotes=False, separator='=') -try: -ca.restart('pki-tomcat') -except ipautil.CalledProcessError as e: -logger.error("Failed to restart %s: %s", ca.service_name, e) +logger.info( +'pki-tomcat configuration changed, restart pki-tomcat' +) +cur_date = datetime.now() +ca_is_running = ca.is_running() +retries = 0 +while not ca_is_running: +time.sleep(5) +try: +retries += 1 +ca.restart('pki-tomcat') +except ipautil.CalledProcessError as e: +if datetime.now() > cur_date + datetime.timedelta(seconds=30): +logger.error( +"Failed to restart %s: %s after %s retries", +ca.service_name, e, retries +) +sys.exit(1) +logger.info( +"Failed to restart %s: %s, retrying.", +ca.service_name, e +) +if ca.is_running(): +break logger.info('[Migrating certificate profiles to LDAP]') cainstance.migrate_profiles_to_ldap()
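Review bot: In PATCH 1/2, the new except block in ca_enable_ldap_profile_subsystem only logs the failed `ca.restart('pki-tomcat')` and then falls through to `cainstance.migrate_profiles_to_ldap()`, so the profile migration still runs against a CA that did not come back. The subject promises a check that CS restarted successfully; abort or re-raise after logging, or return early, and state in the commit message which behaviour is intended.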
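Review bot: In PATCH 2/2, `cur_date + datetime.timedelta(seconds=30)` raises AttributeError on the first failed restart, because the import hunk adds `from datetime import datetime` and that class has no timedelta attribute; import timedelta as well and write `timedelta(seconds=30)`. Three further problems in the same loop: the unconditional `ca.restart('pki-tomcat')` that the old code performed after the configuration change is now skipped whenever `ca.is_running()` is already true, even though the log line says a restart is needed; the 30-second limit is only evaluated inside the except branch and `ca_is_running` is never reassigned, so a restart that returns without error while `ca.is_running()` stays false loops every 5 seconds with no exit; and `time.sleep(5)` runs before the first restart attempt. Restart once unconditionally, then poll with the deadline checked on every iteration, preferably against `time.monotonic()` rather than wall-clock `datetime.now()`.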
[Freeipa-devel] [freeipa PR#5366][opened] set SELinux back to Permissive in gating.xml
URL: https://github.com/freeipa/freeipa/pull/5366 Author: fcami Title: #5366: set SELinux back to Permissive in gating.xml Action: opened PR body: """ https://github.com/freeipa/freeipa/pull/5362 was merged with a commit meant to test the changes with gating in Enforcing mode, not to be merged. Whether we want to have gating in Enforcing mode has not been discussed with the team. I'm in favor of it but right before a release might not be the best time to do so. Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5366/head:pr5366 git checkout pr5366 From 1e7fd34239fe46ea1fac38c6384e37c7ee06c466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 18 Dec 2020 21:18:19 +0100 Subject: [PATCH] set SELinux back to Permissive in gating.xml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- ipatests/prci_definitions/gating.yaml | 23 --- 1 file changed, 23 deletions(-) diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml index 7488d32000b..375d8968167 100644 --- a/ipatests/prci_definitions/gating.yaml +++ b/ipatests/prci_definitions/gating.yaml @@ -41,7 +41,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_installation.py::TestInstallMaster template: *ci-master-latest @@ -54,7 +53,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_simple_replication.py template: *ci-master-latest @@ -67,7 +65,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull template: *ci-master-latest 
@@ -80,7 +77,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints template: *ci-master-latest @@ -93,7 +89,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall template: *ci-master-latest @@ -106,7 +101,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios template: *ci-master-latest @@ -119,7 +113,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_topologies.py template: *ci-master-latest @@ -132,7 +125,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_sudo.py template: *ci-master-latest @@ -145,7 +137,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_commands.py template: *ci-master-latest @@ -158,7 +149,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_kerberos_flags.py template: *ci-master-latest @@ -171,7 +161,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_forced_client_reenrollment.py template: *ci-master-latest @@ -184,7 +173,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_advise.py template: *ci-master-latest 
@@ -197,7 +185,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_testconfig.py template: *ci-master-latest @@ -210,7 +197,6 @@ jobs: job: class: RunPytest args: -selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite:
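Review bot: The subject says gating.xml, but every hunk edits ipatests/prci_definitions/gating.yaml; correct the subject so the commit can be found by file name. The commit message body contains only the Signed-off-by line, while the reason for the change (the `selinux_enforcing: True` lines came in with PR 5362 as a test commit that was not meant to be merged) is only in the PR description. Move that explanation into the commit message so the removal of Enforcing mode from gating is understandable from git log alone.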
[Freeipa-devel] [freeipa PR#5343][closed] PR-CI templates: add test_integration/test_installation_client.py
URL: https://github.com/freeipa/freeipa/pull/5343 Author: fcami Title: #5343: PR-CI templates: add test_integration/test_installation_client.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5343/head:pr5343 git checkout pr5343
[Freeipa-devel] [freeipa PR#5343][opened] PR-CI templates: add test_integration/test_installation_client.py
URL: https://github.com/freeipa/freeipa/pull/5343 Author: fcami Title: #5343: PR-CI templates: add test_integration/test_installation_client.py Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/8082 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5343/head:pr5343 git checkout pr5343 From 0ba1323e1ec535e3d0d8e4d593e2b7a6566e492a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 15 Dec 2020 12:46:48 +0100 Subject: [PATCH] PR-CI templates: add test_integration/test_installation_client.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://pagure.io/freeipa/issue/8082 Signed-off-by: François Cami --- ipatests/prci_definitions/nightly_latest.yaml | 12 .../prci_definitions/nightly_latest_389ds.yaml | 13 + ipatests/prci_definitions/nightly_latest_pki.yaml | 13 + .../prci_definitions/nightly_latest_selinux.yaml | 13 + .../prci_definitions/nightly_latest_testing.yaml | 13 + .../nightly_latest_testing_selinux.yaml| 14 ++ ipatests/prci_definitions/nightly_previous.yaml| 12 7 files changed, 90 insertions(+) diff --git a/ipatests/prci_definitions/nightly_latest.yaml b/ipatests/prci_definitions/nightly_latest.yaml index 60c69e0ed07..411edbede24 100644 --- a/ipatests/prci_definitions/nightly_latest.yaml +++ b/ipatests/prci_definitions/nightly_latest.yaml @@ -1100,6 +1100,18 @@ jobs: timeout: 7200 topology: *master_1repl_1client + fedora-latest/test_installation_client: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation_client.py +template: *ci-master-latest +timeout: 3600 +topology: *master_3client + fedora-latest/test_user_permissions: requires: [fedora-latest/build] priority: 50 
diff --git a/ipatests/prci_definitions/nightly_latest_389ds.yaml b/ipatests/prci_definitions/nightly_latest_389ds.yaml index 10590764deb..08f4f28f5d4 100644 --- a/ipatests/prci_definitions/nightly_latest_389ds.yaml +++ b/ipatests/prci_definitions/nightly_latest_389ds.yaml @@ -508,6 +508,19 @@ jobs: timeout: 7200 topology: *master_1repl_1client + 389ds-fedora/test_installation_client: +requires: [389ds-fedora/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{389ds-fedora/build_url}' +update_packages: True +test_suite: test_integration/test_installation_client.py +template: *389ds-master-latest +timeout: 3600 +topology: *master_3client + 389ds-fedora/customized_ds_config_install: requires: [389ds-fedora/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_latest_pki.yaml b/ipatests/prci_definitions/nightly_latest_pki.yaml index 4d77507e7fc..d5aa92471b1 100644 --- a/ipatests/prci_definitions/nightly_latest_pki.yaml +++ b/ipatests/prci_definitions/nightly_latest_pki.yaml @@ -707,6 +707,19 @@ jobs: timeout: 7200 topology: *master_1repl_1client + pki-fedora/test_installation_client: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{pki-fedora/build_url}' +update_packages: True +test_suite: test_integration/test_installation_client.py +template: *pki-master-latest +timeout: 3600 +topology: *master_3client + pki-fedora/test_webui_cert: requires: [pki-fedora/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_latest_selinux.yaml b/ipatests/prci_definitions/nightly_latest_selinux.yaml index e35b5628059..8a1b44181ab 100644 --- a/ipatests/prci_definitions/nightly_latest_selinux.yaml +++ b/ipatests/prci_definitions/nightly_latest_selinux.yaml 
@@ -1187,6 +1187,19 @@ jobs: timeout: 7200 topology: *master_1repl_1client + fedora-latest/test_installation_client: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +selinux_enforcing: True +test_suite: test_integration/test_installation_client.py +template: *ci-master-latest +timeout: 3600 +topology: *master_3client + fedora-latest/test_user_permissions: requires: [fedora-latest/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_latest_testing.yaml b/ipatests/prci_definitions/nightly_latest_testing.yaml index f5c0c191070..cdf4886bd37 100644 --- a/ipatests/prci_definitions/nightly_latest_testing.yaml +++ b/ipatests/prci_definitions/nightly_latest_testing.yaml @@ -1187,6 +1187,19 @@ jobs:
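Review bot: In the nightly_latest_pki.yaml hunk, the new job `pki-fedora/test_installation_client` has `requires: [fedora-latest/build]` while its `build_url` is '{pki-fedora/build_url}' and the job that follows it, pki-fedora/test_webui_cert, requires `pki-fedora/build`. Change the line to `requires: [pki-fedora/build]` so the job waits for the build whose URL it consumes; the 389ds hunk already pairs `389ds-fedora/build` with `'{389ds-fedora/build_url}'` in this way.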
[Freeipa-devel] [freeipa PR#5341][opened] ipa-client-install: unilaterally set dns_lookup_kdc to True
URL: https://github.com/freeipa/freeipa/pull/5341 Author: fcami Title: #5341: ipa-client-install: unilaterally set dns_lookup_kdc to True Action: opened PR body: """ Previously, dns_lookup_kdc was only set to True if DNS discovery worked or if the KDC was not specified on the command-line. Setting dns_lookup_kdc to False would result in a hardcoded configuration which is less reliable in the long run. For instance, adding a trust to an Active Directory forest after clients are enrolled would result in clients not being able to authenticate AD users. Recycling FreeIPA servers could prove problematic if the original hostnames are not reused too. Change summary: Always set dns_lookup_kdc to True on client enrollment. With this change, DNS SRV search will always be performed before looking into /etc/krb5.conf realm entries. Fixes: https://pagure.io/freeipa/issue/6523 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5341/head:pr5341 git checkout pr5341 From c3d2da66bcf0eaf6a97dc61f0a9c30a7b3c88b59 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 15 Dec 2020 09:50:57 +0100 Subject: [PATCH] ipa-client-install: unilaterally set dns_lookup_kdc to True MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, dns_lookup_kdc was only set to True if DNS discovery worked or if the KDC was not specified on the command-line. Setting dns_lookup_kdc to False would result in a hardcoded configuration which is less reliable in the long run. For instance, adding a trust to an Active Directory forest after clients are enrolled would result in clients not being able to authenticate AD users. Recycling FreeIPA servers could prove problematic if the original hostnames are not reused too. Change summary: Always set dns_lookup_kdc to True on client enrollment. With this change, DNS SRV search will always be performed before looking into /etc/krb5.conf realm entries. Fixes: https://pagure.io/freeipa/issue/6523 Signed-off-by: François Cami --- ipaclient/install/client.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abb6bd30475..37d623f703a 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py 
@@ -693,16 +693,15 @@ def configure_krb5_conf( if not dnsok or not cli_kdc or force: libopts.extend([ krbconf.setOption('dns_lookup_realm', 'false'), -krbconf.setOption('dns_lookup_kdc', 'false') ]) else: libopts.extend([ krbconf.setOption('dns_lookup_realm', 'true'), -krbconf.setOption('dns_lookup_kdc', 'true') ]) libopts.extend([ krbconf.setOption('rdns', 'false'), krbconf.setOption('dns_canonicalize_hostname', 'false'), +krbconf.setOption('dns_lookup_kdc', 'true'), krbconf.setOption('ticket_lifetime', '24h'), krbconf.setOption('forwardable', 'true'), krbconf.setOption('udp_preference_limit', '0')
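Review bot: In configure_krb5_conf, the branch taken for `not dnsok or not cli_kdc or force` keeps `dns_lookup_realm` at false but now receives `dns_lookup_kdc` true from the unconditional block, so a client enrolled after DNS discovery failed, or with force set, will still look up its KDC through DNS SRV records. That is the stated intent, but nothing in the code records it: add a comment next to the new `krbconf.setOption('dns_lookup_kdc', 'true')` line explaining why it is independent of `dnsok` and `force`. The commit message also describes the old behaviour as true when the KDC was not specified on the command line, whereas the visible condition set it to false when `cli_kdc` was empty; correct the description. With only one option left in each branch, the two `libopts.extend([...])` calls can collapse into a single `dns_lookup_realm` setOption whose value is computed from the condition.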
[Freeipa-devel] [freeipa PR#5196][closed] ipatests: invoke JRE with -Djava.security.debug=access:failure
URL: https://github.com/freeipa/freeipa/pull/5196 Author: fcami Title: #5196: ipatests: invoke JRE with -Djava.security.debug=access:failure Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5196/head:pr5196 git checkout pr5196
[Freeipa-devel] [freeipa PR#5313][opened] Gracefully handle Nsds5replicalastupdateend's absence
URL: https://github.com/freeipa/freeipa/pull/5313 Author: fcami Title: #5313: Gracefully handle Nsds5replicalastupdateend's absence Action: opened PR body: """ https://pagure.io/freeipa/issue/8605 ipa-replica-manage: handle missing attributes If nsds5replicalastupdateend is not yet present, ipa-replica-manage will backtrace as it tries to retrieve that attribute unconditionally. Gracefully handle that situation. ipa-replica-manage: always display nsds5replicalastinitstatus If nsds5replicalastinitstatus is none, the status is not displayed. Always displaying the last init status is more useful to the end-user. ipalib/util.py: add print_replication_status ipa-csreplica-manage, ipa-replica-manage: refactor """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5313/head:pr5313 git checkout pr5313 From 97e013bd3febdf9b2b2e9a22564c0c7e86b58e34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 1 Dec 2020 14:50:17 +0200 Subject: [PATCH 1/4] ipa-replica-manage: always display nsds5replicalastinitstatus MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If nsds5replicalastinitstatus is none, the status is not displayed. Always displaying the last init status is more useful to the end-user. Related: https://pagure.io/freeipa/issue/8605 Signed-off-by: François Cami --- install/tools/ipa-replica-manage.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in index a29c550d204..1486ada4265 100644 --- a/install/tools/ipa-replica-manage.in +++ b/install/tools/ipa-replica-manage.in 
@@ -238,8 +238,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False): if verbose: initstatus = entry.single_value.get('nsds5replicalastinitstatus') +print(" last init status: %s" % initstatus) if initstatus is not None: -print(" last init status: %s" % initstatus) print(" last init ended: %s" % str( ipautil.parse_generalized_time( entry.single_value['nsds5replicalastinitend']))) From 7c985d146f6d5b53e09f3aee9f1c072ac0af0617 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 1 Dec 2020 15:00:24 +0200 Subject: [PATCH 2/4] ipa-replica-manage: handle missing attributes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If nsds5replicalastupdateend is not yet present, ipa-replica-manage will backtrace as it tries to retrieve that attribute unconditionally. Gracefully handle that situation. Fixes: https://pagure.io/freeipa/issue/8605 Signed-off-by: François Cami --- install/tools/ipa-replica-manage.in | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in index 1486ada4265..2a77a404d83 100644 --- a/install/tools/ipa-replica-manage.in +++ b/install/tools/ipa-replica-manage.in 
@@ -242,12 +242,18 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False): if initstatus is not None: print(" last init ended: %s" % str( ipautil.parse_generalized_time( -entry.single_value['nsds5replicalastinitend']))) -print(" last update status: %s" % entry.single_value.get( -'nsds5replicalastupdatestatus')) -print(" last update ended: %s" % str( -ipautil.parse_generalized_time( -entry.single_value['nsds5replicalastupdateend']))) +entry.single_value['nsds5replicalastinitend'])) +) +updatestatus = entry.single_value.get( +'nsds5replicalastupdatestatus' +) +print(" last update status: %s" % updatestatus) +if updatestatus is not None: +print(" last update ended: %s" % str( +ipautil.parse_generalized_time( +entry.single_value['nsds5replicalastupdateend'] +)) +) def del_link(realm, replica1, replica2, dirman_passwd, force=False): From bd9feafde9a335a715288728cac55d46a1d64ea9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 2 Dec 2020 12:12:11 +0100 Subject: [PATCH 3/4] ipalib/util.py: add print_replication_status MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- ipalib/util.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipalib/util.py b/ipalib/util.py index e3a510fc7a3..3791c1f0365 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -65,6 +65,7 @@ from
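Review bot: In PATCH 2/4, the read of `entry.single_value['nsds5replicalastupdateend']` is guarded by `updatestatus is not None`, which tests nsds5replicalastupdatestatus rather than the attribute the commit message says can be absent, so an entry that carries a status but no end time still raises. Fetch the end time with `entry.single_value.get('nsds5replicalastupdateend')` and test that value before calling `ipautil.parse_generalized_time`; the same applies to `nsds5replicalastinitend`, which is still indexed directly under `if initstatus is not None`. After PATCH 1/4 the "last init status" line is printed unconditionally and shows the literal None when the attribute is missing; printing a placeholder such as "unknown" would be clearer for the end user the commit message has in mind.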
[Freeipa-devel] [freeipa PR#5198][opened] tox.ini: Extend max-line-length from 80 to 88+
URL: https://github.com/freeipa/freeipa/pull/5198 Author: fcami Title: #5198: tox.ini: Extend max-line-length from 80 to 88+ Action: opened PR body: """ Change tox.ini's 80c character limit to 88. - 88 is the limit for a font size of 14 on a FHD (1920x1200) screen with two editors side-by-side. - A too-high number can become an issue for potential contributors with eyesight problems. So we want to avoid that. Fixes: https://pagure.io/freeipa/issue/8546 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5198/head:pr5198 git checkout pr5198 From 1b8f76644e1bb34c8d8df881725122b97753dfd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 15 Oct 2020 15:30:00 +0200 Subject: [PATCH] tox.ini: Extend max-line-length from 80 to 88+ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change tox.ini's 80c character limit to 88. - 88 is the limit for a font size of 14 on a FHD (1920x1200) screen with two editors side-by-side. - A too-high number can become an issue for potential contributors with eyesight problems. So we want to avoid that. Fixes: https://pagure.io/freeipa/issue/8546 Signed-off-by: François Cami --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 8ae432988d..d6bb59e2f5 100644 --- a/tox.ini +++ b/tox.ini 
@@ -56,6 +56,6 @@ commands= # E731 do not assign a lambda expression # E741 ambiguous variable name 'l' ignore = E203, E402, E231, W503, E731, E741 -max-line-length = 80 +max-line-length = 88 # exclude auto-generated remote plugins exclude=.git,.venv,build,_build,rpmbuild,2_49,2_114,2_156,2_164 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
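Review bot: The subject and PR title say "80 to 88+" while the hunk sets `max-line-length = 88` exactly; drop the "+" or say what it is meant to convey. The rationale in the commit message deserves a one-line comment above the setting, as the neighbouring `ignore` and `exclude` entries have, and that comment should not repeat "FHD (1920x1200)", since FHD is 1920x1080.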
[Freeipa-devel] [freeipa PR#5196][opened] ipatests: invoke JRE with -Djava.security.debug=access:failure
URL: https://github.com/freeipa/freeipa/pull/5196 Author: fcami Title: #5196: ipatests: invoke JRE with -Djava.security.debug=access:failure Action: opened PR body: """ ipatests: invoke JRE with -Djava.security.debug=access:failure DO NOT MERGE. https://github.com/dogtagpki/pki/issues/3299 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5196/head:pr5196 git checkout pr5196 From 743114ada5bbc710f59e3e083f253e6321037c63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 13 Oct 2020 19:03:25 +0200 Subject: [PATCH 1/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 368 - 2 files changed, 365 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index ef2e4bfa90..445784b329 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml 
@@ -61,14 +61,374 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_installation_TestInstallWithCA_KRA1_01: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 template: *ci-master-latest -timeout: 3600 -topology: *master_1repl_1client +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_02: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_03: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_04: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_05: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_06: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: 
+build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_07: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_08: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-latest +timeout: 10800 +topology: *master_3repl_1client + + fedora-latest/test_installation_TestInstallWithCA_KRA1_09: +requires: [fedora-latest/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +
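Review bot: The `temp_commit.yaml` hunk adds jobs `_01` through at least `_09` that differ only in their name; each repeats the same `test_suite`, `timeout: 10800` and `topology: *master_3repl_1client`. If the aim is to repeat the run to catch an intermittent failure, a YAML anchor for the shared `job` mapping, in the style of the `*build` and `*ci-master-latest` references already used here, would reduce this to one definition plus short references and make the tripled timeout easy to adjust. The `.freeipa-pr-ci.yaml` change that points CI at this file has to be dropped before anything from this PR is merged.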
[Freeipa-devel] [freeipa PR#5184][opened] ipatests: run freeipa-healthcheck on hidden replica
URL: https://github.com/freeipa/freeipa/pull/5184 Author: fcami Title: #5184: ipatests: run freeipa-healthcheck on hidden replica Action: opened PR body: """ Make sure freeipa-healthcheck can run on FreeIPA clusters with hidden replica. Fixes: https://pagure.io/freeipa/issue/8536 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5184/head:pr5184 git checkout pr5184 From da9554a6ae085f86efa02d589cdb26087ee649f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 8 Oct 2020 17:47:34 +0200 Subject: [PATCH 1/2] ipatests: run freeipa-healthcheck on hidden replica MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Make sure freeipa-healthcheck can run on FreeIPA clusters with hidden replica. Fixes: https://pagure.io/freeipa/issue/8536 Signed-off-by: François Cami --- .../test_replica_promotion.py | 20 --- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index f0b72e1f8e..9d6ec5f993 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -11,13 +11,16 @@ import pytest from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.test_ipahealthcheck import run_healthcheck from ipatests.pytest_ipa.integration import tasks from ipatests.pytest_ipa.integration.tasks import ( -assert_error, replicas_cleanup) +assert_error, replicas_cleanup +) from ipatests.pytest_ipa.integration.firewall import Firewall from ipatests.pytest_ipa.integration.env_config import get_global_config from ipalib.constants import ( -DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME) +DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME +) from ipaplatform.paths import paths from ipapython import certdb from ipatests.test_integration.test_dns_locations import ( 
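Review bot: The import hunk pulls `run_healthcheck` out of another test module, `ipatests.test_integration.test_ipahealthcheck`, which ties this suite to that module's import-time behaviour; a shared helper next to the other `tasks` functions would be a cleaner home. The re-wrapping of the closing parentheses on the `tasks` and `ipalib.constants` imports is unrelated to the change and is better left to a separate style commit.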
@@ -887,11 +890,22 @@ def _check_config(self, enabled=(), hidden=()): assert values.get(hservice, set()) == hidden def test_hidden_replica_install(self): -# TODO: check that all services are running on hidden replica self._check_server_role(self.master, 'enabled') self._check_server_role(self.replicas[0], 'hidden') self._check_dnsrecords([self.master], [self.replicas[0]]) self._check_config([self.master], [self.replicas[0]]) +# A DNA range is needed on the replica for ipa-healthcheck to work. +tasks.user_add(self.replicas[0], testuser) +returncode0, _unused = run_healthcheck( +self.master, +failures_only=True +) +returncode1, _unused = run_healthcheck( +self.replicas[0], +failures_only=True +) +assert returncode0 == 0 +assert returncode1 == 0 def test_hide_master_fails(self): # verify state From 5aa4f16d5888f1170af4786847a408e76d7c3dc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 8 Oct 2020 20:50:16 +0200 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 9 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index ef2e4bfa90..68e79ff28c 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml 
@@ -61,14 +61,15 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_replica_promotion_TestHiddenReplicaPromotion: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion template: *ci-master-latest -timeout: 3600 -topology: *master_1repl_1client +timeout: 7200 +topology: *master_2repl_1client +
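Review bot: In the `test_hidden_replica_install` hunk of patch 1/2, both `run_healthcheck` calls discard their second return value as `_unused`, so a non-zero return code fails the test with no indication of which check failed. Keep that value and pass it as the assertion message. `testuser` is used as a bare name in `tasks.user_add(self.replicas[0], testuser)`; confirm it is defined at module level, and consider removing the user afterwards so later tests in the class start from the same state.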
[Freeipa-devel] [freeipa PR#5183][opened] ipatests: various enhancement to hidden replica tests
URL: https://github.com/freeipa/freeipa/pull/5183 Author: fcami Title: #5183: ipatests: various enhancement to hidden replica tests Action: opened PR body: """ ipatests: hidden replica: misc fixes Split a test in two and add additional fixes. ipatests: run freeipa-healthcheck on hidden replica ipatests: use wait_for_replication for hidden replica checks Previously, hidden replica checks were run without waiting for replication to complete, potentially leading to unstable behavior. Use wait_for_replication. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5183/head:pr5183 git checkout pr5183 From 60b3b048a3cb5b649fde0836b8c29e6d2e026053 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 8 Oct 2020 17:41:45 +0200 Subject: [PATCH 1/3] ipatests: use wait_for_replication for hidden replica checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, hidden replica checks were run without waiting for replication to complete, potentially leading to unstable behavior. Use wait_for_replication. Fixes: Signed-off-by: François Cami --- ipatests/test_integration/test_replica_promotion.py | 4 1 file changed, 4 insertions(+) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index f0b72e1f8e..5525ddfacc 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -922,6 +922,8 @@ def test_hidden_replica_promote(self): self.replicas[0].hostname, '--state=enabled' ]) self._check_server_role(self.replicas[0], 'enabled') +ldap = self.replicas[0].ldap_connect() +tasks.wait_for_replication(ldap) self._check_dnsrecords([self.master, self.replicas[0]]) self._check_config([self.master, self.replicas[0]]) 
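Review bot: The two lines added to `test_hidden_replica_promote`, `ldap = self.replicas[0].ldap_connect()` followed by `tasks.wait_for_replication(ldap)`, are repeated verbatim in the `test_hidden_replica_demote` hunk; a small helper on the test class would keep the two in step. The commit message also carries an empty `Fixes:` trailer, which should either name the ticket or be removed.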
@@ -938,6 +940,8 @@ def test_hidden_replica_demote(self): self.replicas[0].hostname, '--state=hidden' ]) self._check_server_role(self.replicas[0], 'hidden') +ldap = self.replicas[0].ldap_connect() +tasks.wait_for_replication(ldap) self._check_dnsrecords([self.master], [self.replicas[0]]) def test_replica_from_hidden(self): From 593a446e60f9ec9fb3b536b8f84da4fd1b2d17d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 8 Oct 2020 17:47:34 +0200 Subject: [PATCH 2/3] ipatests: run freeipa-healthcheck on hidden replica MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Signed-off-by: François Cami --- .../test_integration/test_replica_promotion.py | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 5525ddfacc..e0a9dd9d13 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -10,6 +10,8 @@ import pytest +from test_ipahealthcheck import run_healthcheck + from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_ipa.integration import tasks from ipatests.pytest_ipa.integration.tasks import ( @@ -17,7 +19,8 @@ from ipatests.pytest_ipa.integration.firewall import Firewall from ipatests.pytest_ipa.integration.env_config import get_global_config from ipalib.constants import ( -DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME) +DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME +) from ipaplatform.paths import paths from ipapython import certdb from ipatests.test_integration.test_dns_locations import ( 
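Review bot: In the import hunk of patch 2/3, `from test_ipahealthcheck import run_healthcheck` is a bare module import, so it only resolves when the `test_integration` directory itself is on `sys.path`. Every other import in the hunk is package-qualified; use `from ipatests.test_integration.test_ipahealthcheck import run_healthcheck`, as PR #5184 does, and place it with the other `ipatests` imports rather than in a block of its own above them.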
@@ -887,11 +890,20 @@ def _check_config(self, enabled=(), hidden=()): assert values.get(hservice, set()) == hidden def test_hidden_replica_install(self): -# TODO: check that all services are running on hidden replica self._check_server_role(self.master, 'enabled') self._check_server_role(self.replicas[0], 'hidden') self._check_dnsrecords([self.master], [self.replicas[0]]) self._check_config([self.master], [self.replicas[0]]) +returncode0, _unused = run_healthcheck( +self.master, +failures_only=True +) +returncode1, _unused = run_healthcheck( +self.replicas[0], +failures_only=True +) +assert returncode0 == 0 +assert returncode1 == 0 def test_hide_master_fails(self): # verify state From 15a3a8b7bde2ec0e80d8b489b93e4b558bb58903 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 8 Oct 2020 18:22:29 +0200 Subject: [PATCH 3/3] ipatests: hidden replica: misc fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding:
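Review bot: The `test_hidden_replica_install` hunk in patch 2/3 runs `run_healthcheck` on the hidden replica without first creating a user there. PR #5184's version of the same hunk adds `tasks.user_add(self.replicas[0], testuser)` with the comment that a DNA range is needed on the replica for ipa-healthcheck to work, so this version may fail for that reason alone. The value returned alongside each return code is discarded as `_unused`; keeping it for the assertion message would show which check failed. The `Fixes:` trailer of this commit message is empty as well.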
[Freeipa-devel] [freeipa PR#5176][opened] freeipa.spec.in: depend on libsss_sudo
URL: https://github.com/freeipa/freeipa/pull/5176 Author: fcami Title: #5176: freeipa.spec.in: depend on libsss_sudo Action: opened PR body: """ On 10.10+ releases of Dogtag, the PKI installer will not depend on sudo anymore. This opens the possibility of creating IPA servers without a properly configured sudo. Depend on libsss_sudo to make sure all IPA servers can have sudo. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5176/head:pr5176 git checkout pr5176 From cde7b1045d943956501a6a5ae4460c1d8593347e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 6 Oct 2020 16:48:09 +0200 Subject: [PATCH] freeipa.spec.in: depend on libsss_sudo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On 10.10+ releases of Dogtag, the PKI installer will not depend on sudo anymore. This opens the possibility of creating IPA servers without a properly configured sudo. Depend on libsss_sudo to make sure all IPA servers can have sudo. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 00669b1fc6..222c8f1712 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -398,6 +398,7 @@ Requires: oddjob # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 Requires: gssproxy >= 0.7.0-2 Requires: sssd-dbus >= %{sssd_version} +Requires: libsss_sudo Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server
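Review bot: The added `Requires: libsss_sudo` carries no version, unlike the `Requires: sssd-dbus >= %{sssd_version}` line directly above it. libsss_sudo is built from the same SSSD sources, so `>= %{sssd_version}` would keep the two in step. A short comment with the issue link (https://pagure.io/freeipa/issue/8530) above the line would record why the server package depends on it.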
[Freeipa-devel] [freeipa PR#5151][closed] IPA-EPN: Make ipa-epn.timer a configuration file
URL: https://github.com/freeipa/freeipa/pull/5151 Author: fcami Title: #5151: IPA-EPN: Make ipa-epn.timer a configuration file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5151/head:pr5151 git checkout pr5151
[Freeipa-devel] [freeipa PR#5151][opened] IPA-EPN: Make ipa-epn.timer a configuration file
URL: https://github.com/freeipa/freeipa/pull/5151 Author: fcami Title: #5151: IPA-EPN: Make ipa-epn.timer a configuration file Action: opened PR body: """ The time at which ipa-epn runs using the timer should be configurable. Currently, ipa-epn.timer is not marked as a config file, resulting in overwriting the file at each update. Add %config(noreplace) so that customisation can persist. Fixes: https://pagure.io/freeipa/issue/8517 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5151/head:pr5151 git checkout pr5151 From 22ac7920597e16208e7d32eb9eb651cb7d2c5b96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 25 Sep 2020 16:26:56 +0200 Subject: [PATCH] IPA-EPN: Make ipa-epn.timer a configuration file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The time at which ipa-epn runs using the timer should be configurable. Currently, ipa-epn.timer is not marked as a config file, resulting in overwriting the file at each update. Add %config(noreplace) so that customisation can persist. Fixes: https://pagure.io/freeipa/issue/8517 Signed-off-by: François Cami --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6425a2d866..ad63dffdc7 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1446,7 +1446,7 @@ fi %{_mandir}/man1/ipa-epn.1* %{_mandir}/man5/epn.conf.5* %attr(644,root,root) %{_unitdir}/ipa-epn.service -%attr(644,root,root) %{_unitdir}/ipa-epn.timer +%attr(644,root,root) %config(noreplace) %{_unitdir}/ipa-epn.timer %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
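Review bot: Marking `%{_unitdir}/ipa-epn.timer` as `%config(noreplace)` means a locally edited copy is kept on update and any later packaged change to the timer arrives only as an `.rpmnew` file. Unit files under `%{_unitdir}` are normally left package-owned, with a local schedule set through a drop-in or a copy under `/etc/systemd/system` (`systemctl edit ipa-epn.timer`); documenting that route would give the persistence the commit message asks for without freezing the shipped unit.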
[Freeipa-devel] [freeipa PR#5140][closed] [Backport][ipa-4-8] Add ipa_pki_retrieve_key_exec() interface
URL: https://github.com/freeipa/freeipa/pull/5140 Author: tiran Title: #5140: [Backport][ipa-4-8] Add ipa_pki_retrieve_key_exec() interface Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5140/head:pr5140 git checkout pr5140
[Freeipa-devel] [freeipa PR#5136][closed] [Backport][ipa-4-8] SELinux: do not double-define node_t and pki_tomcat_cert_t
URL: https://github.com/freeipa/freeipa/pull/5136 Author: tiran Title: #5136: [Backport][ipa-4-8] SELinux: do not double-define node_t and pki_tomcat_cert_t Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5136/head:pr5136 git checkout pr5136
[Freeipa-devel] [freeipa PR#5133][opened] SELinux: do not double-define node_t and pki_tomcat_cert_t
URL: https://github.com/freeipa/freeipa/pull/5133 Author: fcami Title: #5133: SELinux: do not double-define node_t and pki_tomcat_cert_t Action: opened PR body: """ node_t and pki_tomcat_cert_t are defined in other modules. Do not double-define them. Fixes: https://pagure.io/freeipa/issue/8513 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5133/head:pr5133 git checkout pr5133 From 536dbfa7b12480f40bf31762a00c3e76a4a7bee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 23 Sep 2020 09:17:53 +0200 Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit node_t and pki_tomcat_cert_t are defined in other modules. Do not double-define them. Fixes: https://pagure.io/freeipa/issue/8513 Signed-off-by: François Cami --- selinux/ipa.te | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/selinux/ipa.te b/selinux/ipa.te index fa577191c5..b5bc8be15b 100644 --- a/selinux/ipa.te +++ b/selinux/ipa.te @@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t) type ipa_custodia_tmp_t; files_tmp_file(ipa_custodia_tmp_t) -type pki_tomcat_cert_t; -type node_t; - type ipa_pki_retrieve_key_exec_t; type ipa_pki_retrieve_key_t; domain_type(ipa_pki_retrieve_key_t) 
@@ -339,8 +336,14 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; allow ipa_custodia_t self:tcp_socket { bind create }; allow ipa_custodia_t self:udp_socket create_socket_perms; +gen_require(` +type node_t; +') allow ipa_custodia_t node_t:tcp_socket node_bind; +gen_require(` +type pki_tomcat_cert_t; +') allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; allow ipa_custodia_t pki_tomcat_cert_t:file create; allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
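Review bot: The two `gen_require` blocks are dropped inline between `allow` rules, one per type; a single `gen_require` block listing `node_t` and `pki_tomcat_cert_t` at the start of the ipa_custodia rules is easier to audit. For the bind rule, the `corenet_tcp_bind_generic_node(ipa_custodia_t)` interface grants the same `node_t:tcp_socket node_bind` permission without requiring `node_t` directly. The `pki_tomcat_cert_t` rules could sit in an `optional_policy` block so that the module still loads where the policy defining that type is absent.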
[Freeipa-devel] [freeipa PR#5127][closed] [Backport][ipa-4-8] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage
URL: https://github.com/freeipa/freeipa/pull/5127 Author: fcami Title: #5127: [Backport][ipa-4-8] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5127/head:pr5127 git checkout pr5127
[Freeipa-devel] [freeipa PR#5128][opened] ipatests: kinit_as_user: collect kdcinfo.REALM on failure
URL: https://github.com/freeipa/freeipa/pull/5128 Author: fcami Title: #5128: ipatests: kinit_as_user: collect kdcinfo.REALM on failure Action: opened PR body: """ When requesting a tgt fails after a password reset, collecting: /var/lib/sss/pubconf/kdcinfo.$REALM will help determine how SSSD was selecting which KRB5KDC to use. Fixes: https://pagure.io/freeipa/issue/8510 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5128/head:pr5128 git checkout pr5128 From a1da254d39465afc63645dfd7e985e05599a09cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 22 Sep 2020 20:50:43 +0200 Subject: [PATCH] ipatests: kinit_as_user: collect kdcinfo.REALM on failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When requesting a tgt fails after a password reset, collecting: /var/lib/sss/pubconf/kdcinfo.$REALM will help determine how SSSD was selecting which KRB5KDC to use. Fixes: https://pagure.io/freeipa/issue/8510 Signed-off-by: François Cami --- ipatests/pytest_ipa/integration/tasks.py | 22 ++ 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index fceac1b628..01e3952b8a 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py 
@@ -2003,10 +2003,24 @@ def run_command_as_user(host, user, command, *args, **kwargs): def kinit_as_user(host, user, password, krb5_trace=False): if krb5_trace: -host.run_command( -"KRB5_TRACE=/dev/stdout kinit %s" % user, -stdin_text='{0}\n'.format(password) -) +try: +host.run_command( +"KRB5_TRACE=/dev/stdout kinit %s" % user, +stdin_text='{0}\n'.format(password), +raiseonerr=False +) +except subprocess.CalledProcessError as e: +logger.info( +'Collecting kdcinfo log from: %s', host.hostname +) +kdcinfo = host.get_file_contents( +"/var/lib/sss/pubconf/kdcinfo.{}".format(host.realm) +) +logger.info( +'kdcinfo %s contains:\n%s', host.hostname, kdcinfo +) +raise e + else: host.run_command(['kinit', user], stdin_text='{0}\n'.format(password))
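Review bot: In the `krb5_trace` branch, `host.run_command(...)` is now called with `raiseonerr=False`, so a failed kinit does not raise: the `except subprocess.CalledProcessError` block that collects kdcinfo is never reached, and the failure is no longer propagated to the caller either. Drop `raiseonerr=False`, or keep it and check `returncode` on the result before collecting the file and failing. `host.get_file_contents()` can itself fail when the kdcinfo file is missing, which would replace the original error, so guard that call, and re-raise with a bare `raise` rather than `raise e`.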
[Freeipa-devel] [freeipa PR#5127][opened] [Backport][ipa-4-8] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage
URL: https://github.com/freeipa/freeipa/pull/5127 Author: fcami Title: #5127: [Backport][ipa-4-8] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage Action: opened PR body: """ MANUAL CHERRY PICK of commits in https://github.com/freeipa/freeipa/pull/5109 This PR was opened because PR https://github.com/freeipa/freeipa/pull/5109 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5127/head:pr5127 git checkout pr5127 From 444b04cd4fc241a6083b52dd42db987077417963 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 17 Sep 2020 11:30:45 +0200 Subject: [PATCH 1/8] ipatests: enhance TestSubCAkeyReplication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit enhance the test suite so that it covers: - deleting subCAs (disabling them first) - checking what happens when creating a dozen+ subCAs at a time - adding a subCA that already exists and expect failure Related: https://pagure.io/freeipa/issue/8488 Signed-off-by: François Cami Reviewed-By: Alexander Bokovoy Reviewed-By: Christian Heimes Reviewed-By: Rob Crittenden Reviewed-By: Ondrej Mosnacek Reviewed-By: Lukas Vrabec Reviewed-By: Zdenek Pytela Reviewed-By: Thomas Woerner --- .../test_replica_promotion.py | 52 +-- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 82117054fd..f0b72e1f8e 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py 
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest): SERVER_CERT_NICK: 'u,u,u', } -def add_subca(self, host, name, subject): +def add_subca(self, host, name, subject, raiseonerr=True): result = host.run_command([ 'ipa', 'ca-add', name, '--subject', subject, -'--desc', self.SUBCA_DESC, +'--desc', self.SUBCA_DESC], +raiseonerr=raiseonerr +) +if raiseonerr: +assert "ipa: ERROR:" not in result.stderr_text +auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) +return '{} {}'.format(IPA_CA_NICKNAME, auth_id) +else: +assert "ipa: ERROR:" in result.stderr_text +assert result.returncode != 0 +return result + +def del_subca(self, host, name): +host.run_command([ +'ipa', 'ca-disable', name ]) -auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) -return '{} {}'.format(IPA_CA_NICKNAME, auth_id) +result = host.run_command([ +'ipa', 'ca-del', name +]) +assert "Deleted CA \"{}\"".format(name) in result.stdout_text def check_subca(self, host, name, cert_nick): -host.run_command(['ipa', 'ca-show', name]) +result = host.run_command(['ipa', 'ca-show', name]) +# ipa ca-show returns 0 even if the cert cannot be found locally. +assert "ipa: ERROR:" not in result.stderr_text tasks.run_certutil( host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR ) 
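Review bot: `add_subca` now returns two different things depending on `raiseonerr`: the certificate nickname string on the success path and the raw command result on the failure path. A separate helper for the expected-failure case, or always returning the result and deriving the nickname at the call site, spares callers from having to know which type they get. In `del_subca`, the result of `ipa ca-disable` is not checked, while `check_subca` in the same hunk notes that a zero exit code is not sufficient for `ipa ca-show`; the same `stderr_text` check would fit there.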
@@ -627,6 +645,30 @@ def test_sign_with_subca_on_replica(self): ssl = replica.run_command(ssl_cmd) assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text +def test_del_subca_master_on_replica(self): +self.del_subca(self.replicas[0], self.SUBCA_MASTER) + +def test_del_subca_replica(self): +self.del_subca(self.replicas[0], self.SUBCA_REPLICA) + +def test_scale_add_subca(self): +master = self.master +replica = self.replicas[0] + +subcas = {} +for i in range(0, 16): +name = "_".join((self.SUBCA_MASTER, str(i))) +cn = "_".join((self.SUBCA_MASTER_CN, str(i))) +subcas[name] = self.add_subca(master, name, cn) +self.add_subca(master, name, cn, raiseonerr=False) + +# give replication some time +time.sleep(15) + +for name in subcas: +self.check_subca(replica, name, subcas[name]) +self.del_subca(replica, name) + class TestReplicaInstallCustodia(IntegrationTest): """ From 1f0b1b66a5b856375cc327ce2a6fed4a33a07b07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 18 Sep 2020 11:55:37 +0200 Subject: [PATCH 2/8] SELinux: Add dedicated policy for ipa-pki-retrieve-key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add proper labeling, transition and policy for ipa-pki-retrieve-key. Make sure tomcat_t can execute ipa-pki-retrieve-key. Fixes: https://pagure.io/freeipa/issue/8488
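Review bot: `test_scale_add_subca` waits for replication with a fixed `time.sleep(15)`, which is wasted time on a fast run and may be too short on a loaded one; consider polling for the condition instead, for example with `tasks.wait_for_replication()` on the replica's LDAP connection as the hidden replica tests in PR #5183 do. `test_del_subca_master_on_replica` and `test_del_subca_replica` rely on `SUBCA_MASTER` and `SUBCA_REPLICA` already existing from earlier tests in the class, so they cannot run in isolation; a docstring saying so would help.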
[Freeipa-devel] [freeipa PR#5109][closed] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage
URL: https://github.com/freeipa/freeipa/pull/5109 Author: fcami Title: #5109: SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5109/head:pr5109 git checkout pr5109 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5120][closed] [Test PR] ipatests: enhance TestSubCAkeyReplication
URL: https://github.com/freeipa/freeipa/pull/5120 Author: fcami Title: #5120: [Test PR] ipatests: enhance TestSubCAkeyReplication Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5120/head:pr5120 git checkout pr5120
[Freeipa-devel] [freeipa PR#5120][opened] [Test PR] ipatests: enhance TestSubCAkeyReplication
URL: https://github.com/freeipa/freeipa/pull/5120 Author: fcami Title: #5120: [Test PR] ipatests: enhance TestSubCAkeyReplication Action: opened PR body: """ enhance the test suite so that it covers: - deleting subCAs (disabling them first) - checking what happens when creating a dozen+ subCAs at a time - adding a subCA that already exists and expect failure Related: https://pagure.io/freeipa/issue/8488 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5120/head:pr5120 git checkout pr5120 From daa4d220c131dae025a70890cc3922a41c3c7a8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 17 Sep 2020 11:30:45 +0200 Subject: [PATCH 1/2] ipatests: enhance TestSubCAkeyReplication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit enhance the test suite so that it covers: - deleting subCAs (disabling them first) - checking what happens when creating a dozen+ subCAs at a time - adding a subCA that already exists and expect failure Related: https://pagure.io/freeipa/issue/8488 Signed-off-by: François Cami --- .../test_replica_promotion.py | 52 +-- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 82117054fd..f0b72e1f8e 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py 
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest): SERVER_CERT_NICK: 'u,u,u', } -def add_subca(self, host, name, subject): +def add_subca(self, host, name, subject, raiseonerr=True): result = host.run_command([ 'ipa', 'ca-add', name, '--subject', subject, -'--desc', self.SUBCA_DESC, +'--desc', self.SUBCA_DESC], +raiseonerr=raiseonerr +) +if raiseonerr: +assert "ipa: ERROR:" not in result.stderr_text +auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) +return '{} {}'.format(IPA_CA_NICKNAME, auth_id) +else: +assert "ipa: ERROR:" in result.stderr_text +assert result.returncode != 0 +return result + +def del_subca(self, host, name): +host.run_command([ +'ipa', 'ca-disable', name ]) -auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) -return '{} {}'.format(IPA_CA_NICKNAME, auth_id) +result = host.run_command([ +'ipa', 'ca-del', name +]) +assert "Deleted CA \"{}\"".format(name) in result.stdout_text def check_subca(self, host, name, cert_nick): -host.run_command(['ipa', 'ca-show', name]) +result = host.run_command(['ipa', 'ca-show', name]) +# ipa ca-show returns 0 even if the cert cannot be found locally. +assert "ipa: ERROR:" not in result.stderr_text tasks.run_certutil( host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR ) 
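Review bot: in the raiseonerr branch of add_subca, auth_id is built with "".join(re.findall(AUTH_ID_RE, result.stdout_text)), so zero matches give an empty string and several matches are concatenated. Either way the returned nickname is wrong and the failure only shows up later, in the run_certutil -L -n call of check_subca. Assert that exactly one authority ID was found before formatting the nickname.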
@@ -627,6 +645,30 @@ def test_sign_with_subca_on_replica(self): ssl = replica.run_command(ssl_cmd) assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text +def test_del_subca_master_on_replica(self): +self.del_subca(self.replicas[0], self.SUBCA_MASTER) + +def test_del_subca_replica(self): +self.del_subca(self.replicas[0], self.SUBCA_REPLICA) + +def test_scale_add_subca(self): +master = self.master +replica = self.replicas[0] + +subcas = {} +for i in range(0, 16): +name = "_".join((self.SUBCA_MASTER, str(i))) +cn = "_".join((self.SUBCA_MASTER_CN, str(i))) +subcas[name] = self.add_subca(master, name, cn) +self.add_subca(master, name, cn, raiseonerr=False) + +# give replication some time +time.sleep(15) + +for name in subcas: +self.check_subca(replica, name, subcas[name]) +self.del_subca(replica, name) + class TestReplicaInstallCustodia(IntegrationTest): """ From 36a4383cadb55c4c902fd6bcf78489f589e721ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 15 Sep 2020 16:44:56 +0200 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 22 ++ 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git
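Review bot: in test_scale_add_subca the final loop calls check_subca and del_subca in the same iteration, so the first failing check aborts the test and leaves the remaining subCAs in place for whatever runs next. Separate verification from cleanup, for example by collecting the names that fail and deleting all 16 in a finally block. Also note that test_del_subca_master_on_replica and test_del_subca_replica only pass if earlier tests in the class created those CAs, so they cannot be run on their own.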
[Freeipa-devel] [freeipa PR#5115][closed] [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn
URL: https://github.com/freeipa/freeipa/pull/5115 Author: fcami Title: #5115: [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5115/head:pr5115 git checkout pr5115
[Freeipa-devel] [freeipa PR#5115][opened] [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn
URL: https://github.com/freeipa/freeipa/pull/5115 Author: fcami Title: #5115: [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn Action: opened PR body: """ MANUAL cherry-pick of https://github.com/freeipa/freeipa/pull/5113 Since commits: dogtagpki/pki@0102d83 dogtagpki/pki@de21755 pkispawn will not honor the pki_log_level configuration item. All 10.9 Dogtag versions have these commits. This affects FreeIPA in that it makes debugging Dogtag installation issues next to impossible. Adding --debug to the pkispawn CLI is required to revert to the previous behavior. Fixes: https://pagure.io/freeipa/issue/8503 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5115/head:pr5115 git checkout pr5115 From 70de03a328696669fe50a58019387449c9e75b1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 16 Sep 2020 17:07:21 +0200 Subject: [PATCH 1/2] ipatests: check that pkispawn log is not empty MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since commits: https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6 https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e pkispawn will not honor the pki_log_level configuration item. All 10.9 Dogtag versions have these commits. This affects FreeIPA in that it makes debugging Dogtag installation issues next to impossible. Adding --debug to the pkispawn CLI is required to revert to the previous behavior. Therefore check that the log is not empty and contains DEBUG+INFO lines. Fixes: https://pagure.io/freeipa/issue/8503 Signed-off-by: François Cami Reviewed-By: Thomas Woerner Reviewed-By: Christian Heimes Reviewed-By: Rob Crittenden --- ipatests/test_integration/test_commands.py | 23 ++ 1 file changed, 23 insertions(+) 
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index fa6abd81e0..3a12bcde2b 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -1295,3 +1295,26 @@ def test_ipa_nis_manage_enable_incorrect_password(self): ) assert result.returncode == 1 assert msg in result.stderr_text + +def test_pkispawn_log_is_present(self): +""" +This testcase checks if pkispawn logged properly. +It is a candidate from being moved out of test_commands. +""" +result = self.master.run_command( +["ls", "/var/log/pki/"] +) +pkispawnlogfile = None +for file in result.stdout_text.splitlines(): +if file.startswith("pki-ca-spawn"): +pkispawnlogfile = file +break +assert pkispawnlogfile is not None +pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile)) +pkispawnlog = self.master.get_file_contents( +pkispawnlogfile, encoding='utf-8' +) +# Totally arbitrary. pkispawn debug logs tend to be > 10KiB. +assert len(pkispawnlog) > 1024 +assert "DEBUG" in pkispawnlog +assert "INFO" in pkispawnlog From da724056003b900d6433eefac05378359548589f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 17 Sep 2020 07:31:59 +0200 Subject: [PATCH 2/2] dogtaginstance.py: add --debug to pkispawn MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since commits: https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6 https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e pkispawn will not honor the pki_log_level configuration item. All 10.9 Dogtag versions have these commits. This affects FreeIPA in that it makes debugging Dogtag installation issues next to impossible. Adding --debug to the pkispawn CLI is required to revert to the previous behavior. Fixes: https://pagure.io/freeipa/issue/8503 
Signed-off-by: François Cami Reviewed-By: Thomas Woerner Reviewed-By: Christian Heimes Reviewed-By: Rob Crittenden --- ipaserver/install/dogtaginstance.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 524262ad75..03fdd7c0b1 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -183,7 +183,8 @@ def spawn_instance(self, cfg_file, nolog_list=()): subsystem = self.subsystem args = [paths.PKISPAWN, "-s", subsystem, -"-f", cfg_file] +"-f", cfg_file, +"--debug"] with open(cfg_file) as f: logger.debug( ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of
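Review bot: test_pkispawn_log_is_present (the test_commands.py hunk) takes the first entry of "ls /var/log/pki/" whose name starts with "pki-ca-spawn" and breaks, so with more than one spawn log in the directory it may inspect a file from a different run than the one under test. The size check also disagrees with its comment: the comment says debug logs tend to be > 10KiB, while the assertion accepts anything over 1024 characters. Pick the newest matching file and align the threshold with the comment. The docstring should read "candidate for being moved".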
[Freeipa-devel] [freeipa PR#5113][closed] dogtaginstance.py: add --debug to pkispawn
URL: https://github.com/freeipa/freeipa/pull/5113 Author: fcami Title: #5113: dogtaginstance.py: add --debug to pkispawn Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5113/head:pr5113 git checkout pr5113
[Freeipa-devel] [freeipa PR#5113][opened] dogtaginstance.py: add --debug to pkispawn
URL: https://github.com/freeipa/freeipa/pull/5113 Author: fcami Title: #5113: dogtaginstance.py: add --debug to pkispawn Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5113/head:pr5113 git checkout pr5113 From 48ae626aae04f8e6efcf2434c79169eceecafa1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 16 Sep 2020 18:36:55 +0200 Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- ipaserver/install/dogtaginstance.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 60ef72f82f..a2190e183b 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -190,7 +190,8 @@ def spawn_instance(self, cfg_file, nolog_list=()): subsystem = self.subsystem args = [paths.PKISPAWN, "-s", subsystem, -"-f", cfg_file] +"-f", cfg_file, +"--debug"] with open(cfg_file) as f: logger.debug( ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
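Review bot: spawn_instance receives a nolog_list, meaning the caller has values it wants kept out of logs, and this hunk makes pkispawn run with --debug on every install. Please confirm that the pkispawn debug log does not record the secrets passed through cfg_file now that verbose logging is always on, and state that in the commit message. The commit message currently has only the subject and the sign-off; it should carry the rationale and a ticket reference.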
[Freeipa-devel] [freeipa PR#5109][opened] [WIP] ipatests: enhance TestSubCAkeyReplication
URL: https://github.com/freeipa/freeipa/pull/5109 Author: fcami Title: #5109: [WIP] ipatests: enhance TestSubCAkeyReplication Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5109/head:pr5109 git checkout pr5109 From b4b51b7f30a30d0460d20b4b7caff0dd86cf182c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 15 Sep 2020 16:42:45 +0200 Subject: [PATCH 1/2] ipatests: enhance TestSubCAkeyReplication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- .../test_replica_promotion.py | 49 +-- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 82117054fd..09ac40e338 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py 
@@ -474,17 +474,32 @@ class TestSubCAkeyReplication(IntegrationTest): SERVER_CERT_NICK: 'u,u,u', } -def add_subca(self, host, name, subject): +def add_subca(self, host, name, subject, raiseonerr=True): result = host.run_command([ 'ipa', 'ca-add', name, '--subject', subject, -'--desc', self.SUBCA_DESC, +'--desc', self.SUBCA_DESC], +raiseonerr=raiseonerr +) +if raiseonerr: +assert "ipa: ERROR:" not in result.stderr_text +auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) +return '{} {}'.format(IPA_CA_NICKNAME, auth_id) +else: +assert "ipa: ERROR:" in result.stderr_text +assert result.returncode != 0 +return result + +def del_subca(self, host, name): +result = host.run_command([ +'ipa', 'ca-del', name ]) -auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) -return '{} {}'.format(IPA_CA_NICKNAME, auth_id) +assert "Deleted CA \"{}\"".format(name) in result.stdout_text def check_subca(self, host, name, cert_nick): -host.run_command(['ipa', 'ca-show', name]) +result = host.run_command(['ipa', 'ca-show', name]) +# ipa ca-show returns 0 even if the cert cannot be found locally. +assert "ipa: ERROR:" not in result.stderr_text tasks.run_certutil( host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR ) 
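Review bot: del_subca runs "ipa ca-del" directly, without disabling the CA first. The later revision of this patch on this page (PR #5120) describes the case as "deleting subCAs (disabling them first)" and calls "ipa ca-disable" before "ipa ca-del"; do the same here, otherwise the two new test_del_subca_* tests exercise the wrong path. The commit message is also empty apart from the sign-off; say what coverage is added and reference the ticket.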
@@ -627,6 +642,30 @@ def test_sign_with_subca_on_replica(self): ssl = replica.run_command(ssl_cmd) assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text +def test_del_subca_master_on_replica(self): +self.del_subca(self.replicas[0], self.SUBCA_MASTER) + +def test_del_subca_replica(self): +self.del_subca(self.replicas[0], self.SUBCA_REPLICA) + +def test_scale_add_subca(self): +master = self.master +replica = self.replicas[0] + +subcas = {} +for i in range(0, 16): +name = "_".join((self.SUBCA_MASTER, str(i))) +cn = "_".join((self.SUBCA_MASTER_CN, str(i))) +subcas[name] = self.add_subca(master, name, cn) +self.add_subca(master, name, cn, raiseonerr=False) + +# give replication some time +time.sleep(15) + +for name in subcas: +self.check_subca(replica, name, subcas[name]) +self.del_subca(replica, name) + class TestReplicaInstallCustodia(IntegrationTest): """ From be95293b8a4253c6edafccdc18708f89c74386d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 15 Sep 2020 16:44:56 +0200 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 22 ++ 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index 181404133c..48f2a9d8a1 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml 
@@ -61,14 +61,28 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_replica_promotion_TestSubCAkeyReplication: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite:
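Review bot: the "temp commit" repoints .freeipa-pr-ci.yaml from gating.yaml to temp_commit.yaml and rewrites the temp_commit job for a single test suite. That is fine for a test run, but it must not be merged: with it in place the PR is no longer checked by the gating definitions. Drop PATCH 2/2 before the series is pushed.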
[Freeipa-devel] [freeipa PR#5087][closed] [Backport][ipa-4-8] SELinux Policy: let custodia replicate keys
URL: https://github.com/freeipa/freeipa/pull/5087 Author: rcritten Title: #5087: [Backport][ipa-4-8] SELinux Policy: let custodia replicate keys Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5087/head:pr5087 git checkout pr5087
[Freeipa-devel] [freeipa PR#5083][opened] test_replica_promotion::TestSubCAkeyReplication: set SELinux to Enforcing
URL: https://github.com/freeipa/freeipa/pull/5083 Author: fcami Title: #5083: test_replica_promotion::TestSubCAkeyReplication: set SELinux to Enforcing Action: opened PR body: """ Test run with SELinux set to Enforcing """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5083/head:pr5083 git checkout pr5083 From de710ed623f9373ed79064be3dde4c421d75e400 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 8 Sep 2020 13:14:06 +0200 Subject: [PATCH 1/2] test_replica_promotion::TestSubCAkeyReplication: set SELinux to Enforcing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit test_replica_promotion::TestSubCAkeyReplication fails downstream with SELinux set to Enforcing. Temporarily switch to Enforcing here. Signed-off-by: François Cami --- ipatests/test_integration/test_replica_promotion.py | 12 1 file changed, 12 insertions(+) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 82117054fd..8ae9988670 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -568,6 +568,18 @@ def check_pki_error(self, host): # check for cert/key import error message assert self.ERR_MESS not in pki_debug_log +def switch_selinux_to_enabled(self, host): +"""Candidate to move to tasks.py +""" +cmd = ["setenforce", "1"] +status = host.run_command(cmd) +assert "usage: setenforce" not in status.stderr_text + +def test_switch_selinux_to_enabled(self): +hosts = (self.master, self.replicas[0]) +for host in hosts: +self.switch_selinux_to_enabled(host) + def test_subca_master(self): master = self.master replica = self.replicas[0] From 6bfdeb7f1f810bc4bd54790e1798ebbdc1619e78 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 8 Sep 2020 15:15:09 +0200 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index 181404133c..5c334c28af 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -61,14 +61,14 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_replica_promotion_TestSubCAkeyReplication: requires: [fedora-latest/build] -priority: 50 +priority: 100 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication template: *ci-master-latest timeout: 3600 -topology: *master_1repl_1client +topology: *master_1repl ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
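Review bot: switch_selinux_to_enabled (the test_replica_promotion.py hunk) only asserts that "usage: setenforce" is absent from stderr, which does not show that the host ended up in Enforcing mode. Check the result with getenforce (expecting "Enforcing") after setenforce 1, and rename the helper, since it switches to Enforcing rather than enabling SELinux. Nothing switches the hosts back afterwards, which matters given that the commit message calls the change temporary.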
[Freeipa-devel] [freeipa PR#5071][opened] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
URL: https://github.com/freeipa/freeipa/pull/5071 Author: fcami Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE Action: opened PR body: """ Some IPA updates are expensive in term of processing and #page hit. The likelihood to generate a DS Berkeley DB database deadlock can be high for some common operations. When a deadlock is detected one deadlocking thread needs to be rejected to let the other(s) complete. DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation fails in favor to the oldest one. DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor of the writers even if the reader(s) are older. Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and also existing installs at update time. This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476) and therefore is valid on 389-DS 1.4.2.3 and higher. Explanation provided by Thierry Bordaz. Fixes: https://pagure.io/freeipa/issue/8479 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5071/head:pr5071 git checkout pr5071 From 9b5d33d513906bf5e2134d182347fe14ea79dfa2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Mon, 31 Aug 2020 14:11:00 +0200 Subject: [PATCH] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some IPA updates are expensive in term of processing and #page hit. The likelihood to generate a DS Berkeley DB database deadlock can be high for some common operations. When a deadlock is detected one deadlocking thread needs to be rejected to let the other(s) complete. DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation fails in favor to the oldest one. DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor of the writers even if the reader(s) are older. Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and also existing installs at update time. This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476) and therefore is valid on 389-DS 1.4.2.3 and higher. Explanation provided by Thierry Bordaz. Fixes: https://pagure.io/freeipa/issue/8479 Signed-off-by: François Cami --- freeipa.spec.in | 6 + .../10-nsslapd-db-deadlock-policy.update | 22 +++ install/updates/Makefile.am | 1 + 3 files changed, 29 insertions(+) create mode 100644 install/updates/10-nsslapd-db-deadlock-policy.update diff --git a/freeipa.spec.in b/freeipa.spec.in index 0e7a51f445..dee67ef58e 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -104,6 +104,12 @@ %global ds_version 1.4.0.21 %endif +# Configuring nsslapd-db-deadlock-policy to DB_LOCK_MINWRITE +# requires 389-DS 1.4.2.3 and higher. +%if 0%{?fedora} >= 31 +%global ds_version 1.4.2.3 +%endif + # Fix for TLS 1.3 PHA, RHBZ#1775146 %if 0%{?fedora} >= 31 %global httpd_version 2.4.41-9 diff --git a/install/updates/10-nsslapd-db-deadlock-policy.update b/install/updates/10-nsslapd-db-deadlock-policy.update new file mode 100644 index 00..0f621b7849 --- /dev/null +++ b/install/updates/10-nsslapd-db-deadlock-policy.update 
@@ -0,0 +1,22 @@ +# Configure 389-DS BDB backend to use DB_LOCK_MINWRITE. +# +# Some IPA updates are expensive in term of processing and #page hit. +# The likelihood to generate a DS Berkeley DB database deadlock can be high +# for some common operations. +# +# When a deadlock is detected one deadlocking thread needs to be +# rejected to let the other(s) complete. +# DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation +# fails in favor to the oldest one. +# DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor +# of the writers even if the reader(s) are older. +# +# Switch the default for FreeIPA to DB_LOCK_MINWRITE. +# This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476) +# and therefore is valid on 389-DS 1.4.2.3 and higher. +# +# BDB header: +# https://github.com/berkeleydb/libdb/blob/5b7b02ae052442626af54c176335b67ecc613a30/src/dbinc/db.in#L287 +# +dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config +replace: nsslapd-db-deadlock-policy:9::6 diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 8a4d9cc6cf..e1c5559ac7 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -6,6 +6,7 @@ app_DATA =\ 10-config.update \ 10-enable-betxn.update \ 10-ipapwd.update \ + 10-nsslapd-db-deadlock-policy.update \ 10-selinuxusermap.update \ 10-rootdse.update \ 10-uniqueness.update \ ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct:
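Review bot: in the freeipa.spec.in hunk the ds_version bump to 1.4.2.3 sits inside %if 0%{?fedora} >= 31, but 10-nsslapd-db-deadlock-policy.update is added to app_DATA in Makefile.am unconditionally. On a build where that %if is false the package can be installed against an older 389-DS, which according to the comment in the same hunk does not support the setting. Either make the minimum version apply everywhere the update file ships, or explain why the update is harmless there. As written, replace: nsslapd-db-deadlock-policy:9::6 swaps the value 9 for 6; say in the file header whether other values are meant to be left alone.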
[Freeipa-devel] [freeipa PR#5012][opened] Test for pr5008
URL: https://github.com/freeipa/freeipa/pull/5012 Author: fcami Title: #5012: Test for pr5008 Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5012/head:pr5012 git checkout pr5012 From 65b758470922c07aa38f4edda7c71dc1d10439ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 6 Aug 2020 17:13:19 +0200 Subject: [PATCH 1/3] IPA-EPN: fix configuration file typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- client/share/epn.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/share/epn.conf b/client/share/epn.conf index 0e590dfc3b..e3645801cb 100644 --- a/client/share/epn.conf +++ b/client/share/epn.conf @@ -23,7 +23,7 @@ smtp_port = 25 # Default None (empty value). # smtp_password = -# pecifies the number of seconds to wait for SMTP to respond. +# Specifies the number of seconds to wait for SMTP to respond. smtp_timeout = 60 # Specifies the type of secure connection to make. Options are: none, From 812f5a68df9a5f96f2d14d8f554e79275e391035 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 6 Aug 2020 18:57:10 -0400 Subject: [PATCH 2/3] IPA-EPN: Test that users without givenname and/or mail are handled The admin user does not have a givenname by default, allow for that. Report errors for users without a default e-mail address. Update the SHA256 hash with the typo fix. --- ipatests/test_integration/test_epn.py | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py index f4c123c6d8..946e8e602a 100644 --- a/ipatests/test_integration/test_epn.py +++ b/ipatests/test_integration/test_epn.py 
@@ -231,7 +231,7 @@ def test_EPN_config_file(self): assert epn_conf in cmd1.stdout_text assert epn_template in cmd1.stdout_text cmd2 = self.master.run_command(["sha256sum", epn_conf]) -ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957" +ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df" assert cmd2.stdout_text.find(ck) == 0 def test_EPN_smoketest_1(self): @@ -487,3 +487,23 @@ def test_EPN_delay_config(self, cleanupmail): self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) result = tasks.ipa_epn(self.master, raiseonerr=False) assert "smtp_delay cannot be less than zero" in result.stderr_text + +def test_EPN_admin(self): +"""The admin user is special and has no givenName by default + It also doesn't by default have an e-mail address + Check --dry-run output. +""" +epn_conf = textwrap.dedent(''' +[global] +''') +self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) +self.master.run_command( +['ipa', 'user-mod', 'admin', '--password-expiration', + datetime_to_generalized_time( + datetime.datetime.utcnow() + datetime.timedelta(days=7) + )] +) +(unused, stderr_text) = self._check_epn_output( +self.master, dry_run=True +) +assert "uid=admin" in stderr_text From acc6b6ab54d22266c701de30d7cdd5ebaf55659a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 6 Aug 2020 17:09:23 +0200 Subject: [PATCH 3/3] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index e337068145..5a4fc75c72 100644 
--- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -61,14 +61,14 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_epn: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_epn.py template: *ci-master-latest -timeout: 3600 +timeout: 7200 topology: *master_1repl_1client ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct:
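Review bot: test_EPN_admin (the test_epn.py hunk at -487) sets admin's password expiration to seven days from now and overwrites /etc/ipa/epn.conf with a bare [global] section, and restores neither. Later tests in the class then run with an admin account that is about to expire and with a changed configuration. Restore both at the end of the test or in a fixture. The only assertion is "uid=admin" in stderr_text; the stdout value is discarded, so the test does not show what --dry-run returns for admin.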
[Freeipa-devel] [freeipa PR#5010][opened] ipatests: test_epn: add test_EPN_connection_refused
URL: https://github.com/freeipa/freeipa/pull/5010 Author: fcami Title: #5010: ipatests: test_epn: add test_EPN_connection_refused Action: opened PR body: """ Add a test for EPN behavior when the configured SMTP does not accept connections. Fixes: https://pagure.io/freeipa/issue/8445 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5010/head:pr5010 git checkout pr5010 From 8e43c66fa0a518458809d16e377c9bbd3db73f1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 7 Aug 2020 07:51:53 +0200 Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a test for EPN behavior when the configured SMTP does not accept connections. Fixes: https://pagure.io/freeipa/issue/8445 Signed-off-by: François Cami --- ipatests/test_integration/test_epn.py | 25 ++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py index f4c123c6d8..9bf3d01135 100644 --- a/ipatests/test_integration/test_epn.py +++ b/ipatests/test_integration/test_epn.py @@ -175,13 +175,17 @@ def _check_epn_output( self, host, dry_run=False, +mailtest=False, from_nbdays=None, to_nbdays=None, raiseonerr=True, ): -result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run, - from_nbdays=from_nbdays, - to_nbdays=to_nbdays) +result = tasks.ipa_epn( +host, raiseonerr=raiseonerr, +from_nbdays=from_nbdays, to_nbdays=to_nbdays, +dry_run=dry_run, +mailtest=mailtest +) json.dumps(json.loads(result.stdout_text), ensure_ascii=False) return (result.stdout_text, result.stderr_text) 
@@ -234,6 +238,21 @@ def test_EPN_config_file(self): ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957" assert cmd2.stdout_text.find(ck) == 0 +@pytest.mark.xfail(reason='freeipa ticket 8445', strict=True) +def test_EPN_connection_refused(self): +"""Test EPN behavior when the configured SMTP is down +""" + +self.master.run_command(["systemctl", "stop", "postfix"]) +(stdout_text, stderr_text, rc) = self._check_epn_output( +self.master, mailtest=True, raiseonerr=False +) +self.master.run_command(["systemctl", "start", "postfix"]) +assert "[Errno 111] Connection refused" not in stderr_text +assert "Could not connect to the configured SMTP server." in \ +stdout_text +assert rc > 0 + def test_EPN_smoketest_1(self): """No users except admin. Check --dry-run output. With the default configuration, the result should be an empty list. ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
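Review bot: in `_check_epn_output` the new `mailtest` argument is passed through, but the helper still runs `json.loads(result.stdout_text)` on every call and still returns the two-element tuple `(result.stdout_text, result.stderr_text)`. A mail-test run that prints a plain message such as "Could not connect to the configured SMTP server." is not JSON, so the helper raises before the caller can inspect stdout. Skip the JSON round-trip when `mailtest` is set or the command failed, and return the exit status as a third element if callers are meant to check it.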
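Review bot: test_EPN_connection_refused unpacks three values, `(stdout_text, stderr_text, rc) = self._check_epn_output(...)`, from a helper that returns two, so the test raises ValueError before any assertion runs. With `xfail(strict=True)` that ValueError counts as the expected failure, which means the marker keeps reporting xfail even once ticket 8445 is fixed and never signals that it can be removed. Separately, `systemctl start postfix` runs only if the helper call returns; wrap the call in try/finally so a failure cannot leave postfix stopped for the tests that follow.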
[Freeipa-devel] [freeipa PR#5006][closed] IPA-EPN: use entry.get() to retrieve attributes
URL: https://github.com/freeipa/freeipa/pull/5006 Author: fcami Title: #5006: IPA-EPN: use entry.get() to retrieve attributes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5006/head:pr5006 git checkout pr5006
[Freeipa-devel] [freeipa PR#5006][opened] IPA-EPN: use entry.get() to retrieve attributes
URL: https://github.com/freeipa/freeipa/pull/5006 Author: fcami Title: #5006: IPA-EPN: use entry.get() to retrieve attributes Action: opened PR body: """ Use entry.get() to retrieve attributes to avoid tripping on missing attrs. Fixes: TBD Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5006/head:pr5006 git checkout pr5006 From b3c69af0013378a96b956a1f995aec266beb3d34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 6 Aug 2020 17:07:36 +0200 Subject: [PATCH] IPA-EPN: use entry.get() to retrieve attributes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use entry.get() to retrieve attributes to avoid tripping on missing attrs. Fixes: TBD Signed-off-by: François Cami --- ipaclient/install/ipa_epn.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py index 6e1b001464..c7ce58fdba 100644 --- a/ipaclient/install/ipa_epn.py +++ b/ipaclient/install/ipa_epn.py 
@@ -131,14 +131,14 @@ def add(self, entry): self._sorted = False self._expiring_password_user_dq.append( dict( -uid=str(entry["uid"].pop(0)), -cn=str(entry["cn"].pop(0)), -givenname=str(entry["givenname"].pop(0)), -sn=str(entry["sn"].pop(0)), +uid=str(entry.get("uid")), +cn=str(entry.get("cn")), +givenname=str(entry.get("givenname")), +sn=str(entry.get("sn")), krbpasswordexpiration=str( -entry["krbpasswordexpiration"].pop(0) +entry.get("krbpasswordexpiration") ), -mail=str(entry["mail"]), +mail=str(entry.get("mail")), ) ) except IndexError as e: ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
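Review bot: the removed lines took the first value with `.pop(0)`, which implies each attribute holds a list, while the new `str(entry.get("uid"))` stringifies whatever `get()` returns. If that is still a list, the stored value becomes the list's repr, and a missing attribute becomes the literal string "None"; both then flow into the notification data as if they were real names or addresses. Take the first element explicitly with a default for absent attributes, and decide what to do when `mail` is absent (skipping the user is safer than addressing a message to "None"). The surrounding `except IndexError` no longer matches anything these lines can raise and should be updated in the same change.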
[Freeipa-devel] [freeipa PR#4991][opened] IPA-EPN: enhance input validation
URL: https://github.com/freeipa/freeipa/pull/4991 Author: fcami Title: #4991: IPA-EPN: enhance input validation Action: opened PR body: """ Enhance input validation: * make sure --from-nbdays and --to-nbdays are integer * make sure --from-nbdays < --to-nbdays Fixes: https://pagure.io/freeipa/issue/8444 Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4991/head:pr4991 git checkout pr4991 From dfdbce6563aaf33e8d3d997db512123add5aeaf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Tue, 4 Aug 2020 21:36:23 +0200 Subject: [PATCH] IPA-EPN: enhance input validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Enhance input validation: * make sure --from-nbdays and --to-nbdays are integer * make sure --from-nbdays < --to-nbdays Fixes: https://pagure.io/freeipa/issue/8444 Signed-off-by: François Cami --- ipaclient/install/ipa_epn.py | 27 +-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py index 6e1b001464..23fa35a1a4 100644 --- a/ipaclient/install/ipa_epn.py +++ b/ipaclient/install/ipa_epn.py 
@@ -238,12 +238,35 @@ def add_options(cls, parser): def validate_options(self): super(EPN, self).validate_options(needs_root=True) -if self.options.to_nbdays: +if self.options.to_nbdays is not None: +try: +int(self.options.to_nbdays) +assert float(self.options.to_nbdays) == \ +int(self.options.to_nbdays) +except Exception as e: +self.option_parser.error( +"--to-nbdays must be an integer. {error}".format(error=e) +) self.options.dry_run = True -if self.options.from_nbdays and not self.options.to_nbdays: +if self.options.from_nbdays is not None: +try: +int(self.options.from_nbdays) +assert float(self.options.from_nbdays) == \ +int(self.options.from_nbdays) +except Exception as e: +self.option_parser.error( +"--from-nbdays must be an integer. {error}".format(error=e) +) +if self.options.from_nbdays is not None and not self.options.to_nbdays: self.option_parser.error( "You cannot specify --from-nbdays without --to-nbdays" ) +if self.options.from_nbdays is not None and \ +self.options.to_nbdays is not None: +if self.options.from_nbdays >= self.options.to_nbdays: +self.option_parser.error( +"--from-nbdays must be smaller than --to-nbdays." +) if self.options.mailtest and self.options.dry_run: self.option_parser.error( "You cannot specify --mail-test and --dry-run together" ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
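Review bot: the integer checks in `validate_options` call `int(self.options.to_nbdays)` and `int(self.options.from_nbdays)` but discard the result, so the later `self.options.from_nbdays >= self.options.to_nbdays` compares the unconverted values. If the parser hands these over as strings, "10" sorts before "9" and the range check gives the wrong answer; assign the converted integers back to `self.options` before comparing. The check also relies on `assert`, which is removed when Python runs with -O, inside a broad `except Exception`; an explicit comparison followed by `self.option_parser.error()` is clearer and cannot be optimized away. Finally, `not self.options.to_nbdays` is still a truthiness test while the other branches use `is not None`, so an integer 0 is treated as if the option were absent.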
[Freeipa-devel] [freeipa PR#4970][opened] ipatests: test_epn: enhance CLI testing
URL: https://github.com/freeipa/freeipa/pull/4970 Author: fcami Title: #4970: ipatests: test_epn: enhance CLI testing Action: opened PR body: """ Enhance test_EPN_nbdays so that it checks: * that no emails get sent when using --dry-run * that --from-nbdays implies --dry-run * that --to-nbdays requires --from-nbdays Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4970/head:pr4970 git checkout pr4970 From 8d6df218fe501b5ba7ae012c6cdb8cae960a353d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 31 Jul 2020 15:25:15 +0200 Subject: [PATCH 1/2] ipatests: test_epn: make sure --dry-run does not send emails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Enhance test_EPN_nbdays so that it checks: * that no emails get sent when using --dry-run * that --from-nbdays implies --dry-run * that --to-nbdays requires --from-nbdays Signed-off-by: François Cami --- ipatests/test_integration/test_epn.py | 35 --- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py index f4c123c6d8..aea3422076 100644 --- a/ipatests/test_integration/test_epn.py +++ b/ipatests/test_integration/test_epn.py 
@@ -344,22 +344,49 @@ def test_EPN_smoketest_3(self): expected_users = ["user1", "user3", "user7", "user14", "user28"] assert sorted(user_lst) == sorted(expected_users) -def test_EPN_nbdays(self): +def test_EPN_nbdays(self, cleanupmail): """Test the to/from nbdays options (implies --dry-run) We have a set of users installed with varying expiration dates. Confirm that to/from nbdays finds them. """ -# Compare the notify_ttls values for i in self.notify_ttls: +# Compare the notify_ttls values user_list = [] (stdout_text_client, unused) = self._check_epn_output( -self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True) +self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True +) for user in json.loads(stdout_text_client): user_list.append(user["uid"]) assert len(user_list) == 1 -assert user_list[0] == "user%d" % i +userid = "user{id}".format(id=i) +assert user_list[0] == userid + +# make sure that --from-nbdays implies --dry-run +(stdout_text_client, unused) = self._check_epn_output( +self.clients[0], from_nbdays=i +) +user_list = [] +for user in json.loads(stdout_text_client): +user_list.append(user["uid"]) +assert len(user_list) >= 1 +for j in range(i, self.notify_ttls): +userjd = "user{id}".format(id=j) +assert userjd in user_list + +# make sure that --to-nbdays cannot be used without --from-nbdays +with pytest.raises(CalledProcessError): +(unused, stderr_text_client) = self._check_epn_output( +self.clients[0], to_nbdays=i +) +assert "You cannot specify --from-nbdays without --to-nbdays" \ +in stderr_text_client + +# make sure no emails were sent +result = self.master.run_command(['ls', '-lha', '/var/mail/']) +assert ".." in result.stdout_text +assert userid not in result.stdout_text # From here the tests build on one another: # 1) add auth From c2364f677440e3d449b08a27f86ad0ceafc7a26f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 31 Jul 2020 18:29:43 +0200 Subject: [PATCH 2/2] add temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index e337068145..8a857acaaf 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -61,14 +61,14 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_epn: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite:
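Review bot: in test_EPN_nbdays, `for j in range(i, self.notify_ttls)` passes `self.notify_ttls` to `range()` although the enclosing loop iterates over it (`for i in self.notify_ttls`), so this raises TypeError on the first pass; loop over the relevant members of `self.notify_ttls` instead. In the `pytest.raises(CalledProcessError)` block, `stderr_text_client` is assigned by the very call that is expected to raise, so the assertion on it either never runs or reads a name that was never bound; capture the exception object and assert on the output it carries. The comment says --to-nbdays cannot be used without --from-nbdays, while the asserted message says the opposite ("You cannot specify --from-nbdays without --to-nbdays") and the block just above calls the helper with only `from_nbdays=i` and expects JSON back, so the three cases need to be reconciled with the actual option rules. The final `/var/mail/` check only tests the last `userid` left over from the loop.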
[Freeipa-devel] [freeipa PR#4964][opened] Remove paramiko usage from ipatests
URL: https://github.com/freeipa/freeipa/pull/4964 Author: fcami Title: #4964: Remove paramiko usage from ipatests Action: opened PR body: """ MANUAL BACKPORT Paramiko is not compatible with FIPS. Migrate all tests using paramiko to the OpenSSH CLI SSH(1). Fixes: https://pagure.io/freeipa/issue/8129 Note that https://pagure.io/freeipa/issue/8431 was filed as sshpass would need an enhancement to cover all OTP tests. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4964/head:pr4964 git checkout pr4964 From 9043538e63de5ee1b597c433e13cbea14f61cd2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Wed, 22 Jul 2020 09:59:12 +0200 Subject: [PATCH 1/8] tasks: add run_ssh_cmd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Paramiko is not compatible with FIPS. A replacement is needed, and since what clients use is "ssh", create a shim over it so that tests can leverage it. Fixes: https://pagure.io/freeipa/issue/8129 Signed-off-by: François Cami Reviewed-By: Mohammad Rizwan Reviewed-By: Michal Polovka --- ipatests/pytest_ipa/integration/tasks.py | 133 +++ 1 file changed, 133 insertions(+) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 2ffaceb866..a3f7cc8386 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -30,6 +30,7 @@ import itertools import shutil import copy +import subprocess import tempfile import time from pipes import quote 
@@ -2297,3 +2298,135 @@ def get_sssd_version(host): """Get sssd version on remote host.""" version = host.run_command('sssd --version').stdout_text.strip() return parse_version(version) + + +def run_ssh_cmd( +from_host=None, to_host=None, username=None, cmd=None, +auth_method=None, password=None, private_key_path=None, +expect_auth_success=True, expect_auth_failure=None, +verbose=True, connect_timeout=2, strict_host_key_checking=False +): +"""Runs an ssh connection from the controller to the host. + - auth_method can be either "password" or "key". + - In the first case, set password to the user's password ; in the + second case, set private_key_path to the path of the private key. + - If expect_auth_success or expect_auth_failure, analyze the ssh + client's log and check whether the selected authentication method + worked. expect_auth_failure takes precedence over expect_auth_success. + - If verbose, display the ssh client verbose log. + - Both expect_auth_success and verbose are True by default. Debugging + ssh client failures is next to impossible without the associated + debug log. + Possible enhancements: + - select which host to run from (currently: controller only) +""" + +if from_host is not None: +raise NotImplementedError( +"from_host must be None ; running from anywhere but the " +"controller is not implemented yet." +) + +if expect_auth_failure: +expect_auth_success = False + +if to_host is None or username is None or auth_method is None: +raise ValueError("host, username and auth_method are mandatory") +if cmd is None: +# cmd must run properly on all supported platforms. +# true(1) ("do nothing, successfully") is the obvious candidate. 
+cmd = "true" + +if auth_method == "password": +if password is None: +raise ValueError( +"password is mandatory if auth_method == password" +) +ssh_cmd = ( +"ssh", +"-v", +"-o", "PubkeyAuthentication=no", +"-o", "GSSAPIAuthentication=no", +"-o", "ConnectTimeout={connect_timeout}".format( +connect_timeout=connect_timeout +), +) +elif auth_method == "key": +if private_key_path is None: +raise ValueError( +"private_key_path is mandatory if auth_method == key" +) +ssh_cmd = ( +"ssh", +"-v", +"-o", "BatchMode=yes", +"-o", "PubkeyAuthentication=yes", +"-o", "GSSAPIAuthentication=no", +"-o", "ConnectTimeout={connect_timeout}".format( +connect_timeout=connect_timeout +), +) +else: +raise ValueError( +"auth_method must either be password or key" +) + +ssh_cmd_1 = list(ssh_cmd) +if strict_host_key_checking is True: +ssh_cmd_1.extend(("-o", "StrictHostKeyChecking=yes")) +else: +ssh_cmd_1.extend(("-o", "StrictHostKeyChecking=no")) +if auth_method == "password": +ssh_cmd_1 = list(("sshpass", "-p", password)) + ssh_cmd_1 +elif auth_method == "key": +
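Review bot: for password authentication `run_ssh_cmd` builds `("sshpass", "-p", password)`, which places the user's password in the process arguments, readable from the process list by other local users and liable to end up in any log that records the command line. sshpass can read the password from the SSHPASS environment variable with `-e` or from a file with `-f`; either keeps it out of argv. The default `strict_host_key_checking=False` adds `StrictHostKeyChecking=no`, so by default that password is offered to a host whose key was never verified; consider defaulting to strict checking with a known_hosts file prepared by the test setup. Minor: the ValueError text says "host" where the parameter is named `to_host`.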
[Freeipa-devel] [freeipa PR#4938][closed] Remove paramiko usage from ipatests
URL: https://github.com/freeipa/freeipa/pull/4938 Author: fcami Title: #4938: Remove paramiko usage from ipatests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4938/head:pr4938 git checkout pr4938
[Freeipa-devel] [freeipa PR#4952][opened] [Backport][ipa-4-8] re-enable test_sss_ssh_authorizedkeys
URL: https://github.com/freeipa/freeipa/pull/4952 Author: fcami Title: #4952: [Backport][ipa-4-8] re-enable test_sss_ssh_authorizedkeys Action: opened PR body: """ test_sss_ssh_authorizedkeys was disabled but recent test runs show it might be working properly. Run it multiple times to see if it works. Note two commits: I'd rather keep the -v even if we end up disabling the test again, so these commits should not be squashed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4952/head:pr4952 git checkout pr4952 From d0d24c7745a8433a6d228f663cc18e6f778c6e84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 23 Jul 2020 15:11:13 +0200 Subject: [PATCH 1/2] ipatests: re-enable test_sss_ssh_authorizedkeys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Re-enable test_sss_ssh_authorizedkeys. Related: https://pagure.io/freeipa/issue/8151 Signed-off-by: François Cami Reviewed-By: Armando Neto --- ipatests/test_integration/test_commands.py | 1 - 1 file changed, 1 deletion(-) diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index bacde50416..bfb637cae5 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -1023,7 +1023,6 @@ def is_tls_version_enabled(tls_version): assert is_tls_version_enabled('tls1_2') assert is_tls_version_enabled('tls1_3') -@pytest.mark.skip(reason='https://pagure.io/freeipa/issue/8151') def test_sss_ssh_authorizedkeys(self): """Login via Ssh using private-key for ipa-user should work. From 933d1b577454ee5ddf69d65979ef20d3e45c9af3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 23 Jul 2020 15:13:04 +0200 Subject: [PATCH 2/2] ipatests: test_sss_ssh_authorizedkeys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add debug information to the ssh invocation. Related: https://pagure.io/freeipa/issue/8151 Signed-off-by: François Cami Reviewed-By: Armando Neto --- ipatests/test_integration/test_commands.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index bfb637cae5..184a70d8d3 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -1067,7 +1067,7 @@ def test_sss_ssh_authorizedkeys(self): assert ssh_pub_key in result.stdout_text # login to the system self.master.run_command( -['ssh', '-o', 'PasswordAuthentication=no', +['ssh', '-v', '-o', 'PasswordAuthentication=no', '-o', 'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o', 'ConnectTimeout=10', '-l', user, '-i', user_key, self.master.hostname, 'true']) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4945][closed] re-enable test_sss_ssh_authorizedkeys
URL: https://github.com/freeipa/freeipa/pull/4945 Author: fcami Title: #4945: re-enable test_sss_ssh_authorizedkeys Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4945/head:pr4945 git checkout pr4945