[Freeipa-devel] [freeipa PR#6109][opened] [Backport][ipa-4-9] freeipa.spec: depend on bind-pkcs11-utils

2021-11-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6109
Author: fcami
 Title: #6109: [Backport][ipa-4-9] freeipa.spec: depend on bind-pkcs11-utils
Action: opened

PR body:
"""
This PR was opened automatically because PR #6074 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6109/head:pr6109
git checkout pr6109
From b7b970aad93839413815947b8bafa5d4c8f24191 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 4 Nov 2021 12:01:38 +0100
Subject: [PATCH] freeipa.spec: depend on bind-dnssec-utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami 
---
 freeipa.spec.in | 4 +++-
 ipaplatform/base/paths.py   | 2 +-
 ipaplatform/fedora/paths.py | 1 -
 ipaserver/dnssec/bindmgr.py | 1 +
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e20edb7bc60..8f5c370e561 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -576,9 +576,11 @@ Requires: %{name}-server = %{version}-%{release}
 Requires: bind-dyndb-ldap >= 11.2-2
 Requires: bind >= %{bind_version}
 Requires: bind-utils >= %{bind_version}
+# bind-dnssec-utils is required by the OpenDNSSec integration
+# https://pagure.io/freeipa/issue/9026
+Requires: bind-dnssec-utils >= %{bind_version}
 %if %{with bind_pkcs11}
 Requires: bind-pkcs11 >= %{bind_version}
-Requires: bind-pkcs11-utils >= %{bind_version}
 %else
 Requires: softhsm >= %{softhsm_version}
 Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
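Review bot: The new `Requires: bind-dnssec-utils >= %{bind_version}` sits above `%if %{with bind_pkcs11}`, so it applies to both branches of the conditional, while the commit message limits the dependency to Fedora and RHEL 9+. If builds with `bind_pkcs11` are meant to keep the `-pkcs11` tooling, move the line into the `%else` branch; if the dependency is intended everywhere, say so in the commit message. The commit subject (bind-dnssec-utils) also disagrees with the PR title, which still names bind-pkcs11-utils.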
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 42a47f1df37..7d21367ece0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,7 @@ class BasePathNamespace:
 IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
 IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
 IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
-DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
 GETSEBOOL = "/usr/sbin/getsebool"
 GROUPADD = "/usr/sbin/groupadd"
 USERMOD = "/usr/sbin/usermod"
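Review bot: Changing `DNSSEC_KEYFROMLABEL` in `BasePathNamespace` switches every platform to the plain binary, but this patch adds `-E pkcs11` at only one call site (`install_key` in bindmgr.py). Check for any other user of `paths.DNSSEC_KEYFROMLABEL`, which would now run without the engine argument, and for platform namespaces that need to keep the `-pkcs11` path because the spec still requires `bind-pkcs11` under `%if %{with bind_pkcs11}`.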
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 92a948966b6..4e993c063e2 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,7 +36,6 @@ class FedoraPathNamespace(RedHatPathNamespace):
 NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
 if HAS_NFS_CONF:
 SYSCONFIG_NFS = '/etc/nfs.conf'
-DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
 
 
 paths = FedoraPathNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index a15c0e601a2..0c79cc03d40 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -127,6 +127,7 @@ def install_key(self, zone, uuid, attrs, workdir):
 )
 cmd = [
 paths.DNSSEC_KEYFROMLABEL,
+'-E', 'pkcs11',
 '-K', workdir,
 '-a', attrs['idnsSecAlgorithm'][0],
 '-l', uri
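Review bot: `'-E', 'pkcs11'` is added to the `cmd` list without a comment, and the engine name is a bare string literal. A one-line comment above it saying that the plain `dnssec-keyfromlabel` needs the engine named explicitly (with the issue link, as done in the spec file) would keep the reason next to the code. The patch touches no test, so a check that `install_key` builds the expected argument list would guard against a regression.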
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-devel] [freeipa PR#6074][closed] freeipa.spec: depend on bind-pkcs11-utils

2021-11-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6074
Author: fcami
 Title: #6074: freeipa.spec: depend on bind-pkcs11-utils
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6074/head:pr6074
git checkout pr6074


[Freeipa-devel] [freeipa PR#5939][closed] ipaserver: disable resolved' stub resolver

2021-11-23 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5939
Author: fcami
 Title: #5939: ipaserver: disable resolved' stub resolver
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5939/head:pr5939
git checkout pr5939


[Freeipa-devel] [freeipa PR#6099][opened] [Backport][ipa-4-9] pwpolicy: change lifetime error message

2021-11-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6099
Author: fcami
 Title: #6099: [Backport][ipa-4-9] pwpolicy: change lifetime error message
Action: opened

PR body:
"""
This PR was opened automatically because PR #6086 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6099/head:pr6099
git checkout pr6099
From e3e28bf680ec50e1ea538c4e3bbca9a2a5e2962f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 17 Nov 2021 15:08:35 +0100
Subject: [PATCH] pwpolicy: change lifetime error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami 
---
 ipaserver/plugins/pwpolicy.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 9e20bb7a4dc..816faffe0f9 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -491,7 +491,10 @@ def validate_lifetime(self, entry_attrs, add=False, *keys):
 if minlife > maxlife:
 raise errors.ValidationError(
 name='maxlife',
-error=_('Maximum password life must be greater than minimum.'),
+error=_(
+"Maximum password life must be equal to "
+"or greater than the minimum."
+),
 )
 
 def add_cospriority(self, entry, pwpolicy_name, rights=True):
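Review bot: The replacement string inside `_()` is a new msgid, so existing translations of the old message stop matching until the catalogs are refreshed; confirm that is acceptable for a backport to ipa-4-9. The condition `if minlife > maxlife:` is unchanged, so a test that sets minlife equal to maxlife and expects success would pin down the behaviour the new wording describes.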


[Freeipa-devel] [freeipa PR#6086][closed] pwpolicy: change lifetime error message

2021-11-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6086
Author: fcami
 Title: #6086: pwpolicy: change lifetime error message
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6086/head:pr6086
git checkout pr6086


[Freeipa-devel] [freeipa PR#6095][opened] subid: test with podman

2021-11-18 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6095
Author: fcami
 Title: #6095: subid: test with podman
Action: opened

PR body:
"""
podman can leverage FreeIPA-managed subids provided:
- nsswitch.conf contains "subid: sss"
- a real session is opened for that user (not su)

podman provides also a way to test whether subids can be retrieved:
$ podman unshare cat /proc/self/uid_map
$ podman unshare cat /proc/self/gid_map

Fixes: TBD
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6095/head:pr6095
git checkout pr6095
From c9fafd1ce9ae716aa49c3b2ac2c691fe082caa96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 18 Nov 2021 18:06:49 +0100
Subject: [PATCH] subid: test with podman
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

podman can leverage FreeIPA-managed subids provided:
- nsswitch.conf contains "subid: sss"
- a real session is opened for that user (not su)

podman provides also a way to test whether subids can be retrieved:
$ podman unshare cat /proc/self/uid_map
$ podman unshare cat /proc/self/gid_map

Fixes: TBD
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_subids.py | 34 
 1 file changed, 34 insertions(+)

diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index 28cd1f765cd..2898f8e9660 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -127,6 +127,40 @@ def test_auto_generate_subid(self):
 match = self._parse_result(result)
 self.assert_subid_info(uid, match)
 
+def test_podman(self):
+uid = "testuser_auto1"
+passwd = "Secret123"
+
+# check that podman can retrieve the subids
+nsswitch_conf = self.master.get_file_contents(
+paths.NSSWITCH_CONF,
+encoding="utf-8"
+)
+new_nsswitch_conf = nsswitch_conf + "\nsubid: sss files"
+self.master.put_file_contents(
+paths.NSSWITCH_CONF,
+new_nsswitch_conf
+)
+
+tasks.install_packages(self.master, ["podman"])
+cmds = (
+["podman", "unshare", "cat", "/proc/self/gid_map"],
+["podman", "unshare", "cat", "/proc/self/uid_map"]
+)
+for cmd in cmds:
+result = tasks.run_ssh_cmd(
+to_host=self.master,
+username=uid,
+cmd=cmd,
+auth_method="password",
+password=passwd,
+verbose=True
+)
+stdout = result[1]
+# temp
+print(cmd)
+print(stdout)
+
 def test_ipa_subid_script(self):
 tasks.kinit_admin(self.master)
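Review bot: `test_podman` never asserts anything: the loop ends in `print(cmd)` and `print(stdout)` under a `# temp` comment, so the test passes even if podman retrieves no subid ranges. Assert on the content of `stdout` and drop the prints. The test also appends `subid: sss files` to `paths.NSSWITCH_CONF` on the master and never restores it, which leaks into later tests; back the file up and restore it in a `finally` block or a fixture. The commit message says `subid: sss` while the code writes `subid: sss files`, and the `Fixes:` trailer is still `TBD`.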
 


[Freeipa-devel] [freeipa PR#6086][opened] pwpolicy: change error message

2021-11-17 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6086
Author: fcami
 Title: #6086: pwpolicy: change error message
Action: opened

PR body:
"""
ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: 
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6086/head:pr6086
git checkout pr6086
From 1a901aae7108bacf4be91211d32d1dc0ba5214b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 17 Nov 2021 15:08:35 +0100
Subject: [PATCH] pwpolicy: change error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: TBD
Signed-off-by: François Cami 
---
 ipaserver/plugins/pwpolicy.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 9e20bb7a4dc..a6a04d8a8cb 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -491,7 +491,10 @@ def validate_lifetime(self, entry_attrs, add=False, *keys):
 if minlife > maxlife:
 raise errors.ValidationError(
 name='maxlife',
-error=_('Maximum password life must be greater than minimum.'),
+error=_(
+"Maximum password life must be equal "
+"or greater than the minimum."
+),
 )
 
 def add_cospriority(self, entry, pwpolicy_name, rights=True):
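Review bot: The new message reads "must be equal or greater than the minimum", which is missing "to" after "equal". Suggest `"Maximum password life must be equal to "` as the first half of the split string. The `Fixes:` trailer is still `TBD` and needs the ticket link before merge.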


[Freeipa-devel] [freeipa PR#6074][opened] freeipa.spec: depend on bind-pkcs11-utils

2021-11-04 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6074
Author: fcami
 Title: #6074: freeipa.spec: depend on bind-pkcs11-utils
Action: opened

PR body:
"""
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils.
Currently, bind-pkcs11-utils is only installed for RHEL<9.
With this change, FreeIPA depends on bind-pkcs11-utils on all
Fedora and RHEL versions.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6074/head:pr6074
git checkout pr6074
From bdc9746c48addd3126a675e05f0e56b43d5051f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 4 Nov 2021 12:01:38 +0100
Subject: [PATCH] freeipa.spec: depend on bind-pkcs11-utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils.
Currently, bind-pkcs11-utils is only installed for RHEL<9.
With this change, FreeIPA depends on bind-pkcs11-utils on all
Fedora and RHEL versions.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami 
---
 freeipa.spec.in | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 952c1ad1894..d4d94a4c273 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -124,13 +124,14 @@
 # Fedora
 %endif
 
+# Needed for OpenDNSSec integration
+%global with_bind_pkcs11 1
+
 # BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
 # Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
 %if 0%{?fedora} || 0%{?rhel} >= 9
 %global openssl_pkcs11_version 0.4.10-6
 %global softhsm_version 2.5.0-4
-%else
-%global with_bind_pkcs11 1
 %endif
 
 %if 0%{?rhel} == 8
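Review bot: `%global with_bind_pkcs11 1` is now set for every distribution, but the comment directly below still says Fedora 31+ and RHEL 9 use the 'pkcs11' OpenSSL engine instead of native PKCS11. The flag does more than pull in one utility package: every `%if %{with bind_pkcs11}` conditional in the spec now takes its first branch, so the `%else` side is never used and the `openssl_pkcs11_version` and `softhsm_version` macros defined in this hunk may go unused. If only the utility is needed, add that single `Requires:` without changing the flag.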


[Freeipa-devel] [freeipa PR#6001][opened] subid: update subid-match

2021-09-02 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/6001
Author: fcami
 Title: #6001: subid: update subid-match
Action: opened

PR body:
"""
Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes:
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6001/head:pr6001
git checkout pr6001
From 7244bed1a1cee161b6dca7501af2b0cfb4ff478d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 2 Sep 2021 16:17:01 +0200
Subject: [PATCH] subid: update subid-match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes:
Signed-off-by: François Cami 
---
 ipaserver/plugins/subid.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 440f24ee627..132c85c7f19 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -524,6 +524,7 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
 osubuid = options["ipasubuidnumber"]
 new_entries = []
 for entry in entries:
+self.obj.convert_owner(entry, options)
 esubuid = int(entry.single_value["ipasubuidnumber"])
 esubcount = int(entry.single_value["ipasubuidcount"])
 minsubuid = esubuid
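Review bot: `self.obj.convert_owner(entry, options)` runs at the top of the loop for every entry in `entries`, before the subuid range values are read. If the loop only keeps matching entries in `new_entries`, calling it once an entry is known to match avoids converting entries that are then discarded. The commit message describes a user-visible output change (owner DN replaced by UID), so the patch should add or update a test for the `subid-match` output, and the `Fixes:` trailer is empty.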


[Freeipa-devel] [freeipa PR#5992][opened] [Backport][ipa-4-9] Specify PKI installation log paths

2021-08-26 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5992
Author: fcami
 Title: #5992: [Backport][ipa-4-9] Specify PKI installation log paths
Action: opened

PR body:
"""
This PR was opened automatically because PR #5973 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5992/head:pr5992
git checkout pr5992
From 4a3bb18c76b752b9442cae99887e630818a74d1a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 12 Aug 2021 13:26:42 -0500
Subject: [PATCH] Specify PKI installation log paths

The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.

This allows IPA to have a full control over the log files
instead of relying on PKI's default log files.

Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata 
---
 ipaserver/install/dogtaginstance.py | 35 ++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 644acd4eace..0d9aebb542f 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -36,8 +36,10 @@
 
 import six
 
+import pki
 from pki.client import PKIConnection
 import pki.system
+import pki.util
 
 from ipalib import api, errors, x509
 from ipalib.install import certmonger
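Review bot: This hunk adds only the `pki` imports, while the later hunks call `time.strftime`, `time.localtime` and `os.path.join`. Confirm that `time` and `os` are already imported in dogtaginstance.py, since neither appears in the visible import context. `import pki` is also already implied by the existing `import pki.system`, so the extra line is only needed if the explicit form is preferred for readability.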
@@ -202,6 +204,18 @@ def spawn_instance(self, cfg_file, nolog_list=()):
 "-f", cfg_file,
 "--debug"]
 
+# specify --log-file  on PKI 11.0.0 or later
+
+pki_version = pki.util.Version(pki.specification_version())
+if pki_version >= pki.util.Version("11.0.0"):
+timestamp = time.strftime(
+"%Y%m%d%H%M%S",
+time.localtime(time.time()))
+log_file = os.path.join(
+paths.VAR_LOG_PKI_DIR,
+"pki-%s-spawn.%s.log" % (self.subsystem.lower(), timestamp))
+args.extend(["--log-file", log_file])
+
 with open(cfg_file) as f:
 logger.debug(
 'Contents of pkispawn configuration file (%s):\n%s',
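Review bot: The log path built in `spawn_instance()` is now chosen by IPA, and pkispawn runs with `--debug` while the method takes a `nolog_list`, so the file under `paths.VAR_LOG_PKI_DIR` may contain values that `nolog_list` is meant to keep out of IPA's own logs. Document or test which owner and mode the file ends up with. As a style point, `time.strftime("%Y%m%d%H%M%S", time.localtime(time.time()))` is equivalent to `time.strftime("%Y%m%d%H%M%S")`.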
@@ -290,10 +304,25 @@ def uninstall(self):
 if self.is_installed():
 self.print_msg("Unconfiguring %s" % self.subsystem)
 
+args = [paths.PKIDESTROY,
+"-i", "pki-tomcat",
+"-s", self.subsystem]
+
+# specify --log-file  on PKI 11.0.0 or later
+
+pki_version = pki.util.Version(pki.specification_version())
+if pki_version >= pki.util.Version("11.0.0"):
+timestamp = time.strftime(
+"%Y%m%d%H%M%S",
+time.localtime(time.time()))
+log_file = os.path.join(
+paths.VAR_LOG_PKI_DIR,
+"pki-%s-destroy.%s.log" % (self.subsystem.lower(), timestamp))
+args.extend(["--log-file", log_file])
+
 try:
-ipautil.run([paths.PKIDESTROY,
- "-i", 'pki-tomcat',
- "-s", self.subsystem])
+ipautil.run(args)
+
 except ipautil.CalledProcessError as e:
 logger.critical("failed to uninstall %s instance %s",
 self.subsystem, e)
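Review bot: The version check, timestamp and `log_file` construction in `uninstall()` duplicate the block added to `spawn_instance()`, differing only in the `spawn`/`destroy` part of the file name. Move them into a small helper that returns the extra arguments for a given action, so the `11.0.0` threshold and the name format live in one place. The rewrite also changes `'pki-tomcat'` to `"pki-tomcat"`, which is harmless but unrelated to the fix.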


[Freeipa-devel] [freeipa PR#5973][closed] Specify PKI installation log paths

2021-08-26 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5973
Author: edewata
 Title: #5973: Specify PKI installation log paths
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5973/head:pr5973
git checkout pr5973


[Freeipa-devel] [freeipa PR#5989][opened] [Backport][ipa-4-9] ipatests: use whole date for journalctl --since

2021-08-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5989
Author: fcami
 Title: #5989: [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
Action: opened

PR body:
"""
This PR was opened automatically because PR #5984 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5989/head:pr5989
git checkout pr5989
From eb1ff887e3a55c008a94d92d89dce84b2a4581e3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 19 Aug 2021 10:51:01 +0200
Subject: [PATCH] ipatests: use whole date for journalctl --since

When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
---
 ipatests/test_integration/test_cert.py | 2 +-
 ipatests/test_integration/test_commands.py | 3 ++-
 ipatests/test_integration/test_nfs.py  | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 9a90db5e2a2..7d51b76ee34 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -69,7 +69,7 @@ def install(cls, mh):
 
 # time to look into journal logs in
 # test_certmonger_ipa_responder_jsonrpc
-cls.since = time.strftime('%H:%M:%S')
+cls.since = time.strftime('%Y-%m-%d %H:%M:%S')
 
 def test_cacert_file_appear_with_option_F(self):
 """Test if getcert creates cacert file with -F option
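Review bot: The format string `'%Y-%m-%d %H:%M:%S'` assigned to `cls.since` is repeated in test_commands.py and test_nfs.py by the other hunks of this patch. A shared helper or constant in the test utilities for the journalctl `--since` value would keep one call site from slipping back to a time-only format. The commit message also lacks the `Signed-off-by:` trailer that the other patches carry.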
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 4d9a8165248..fd5d1b47264 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1208,7 +1208,8 @@ def test_login_wrong_password(self, user_creation_deletion):
 # start to look at logs a bit before "now"
 # https://pagure.io/freeipa/issue/8432
 since = time.strftime(
-'%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+'%Y-%m-%d %H:%M:%S',
+(datetime.now() - timedelta(seconds=10)).timetuple()
 )
 
 password = 'WrongPassword'
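Review bot: The reformatted call still round-trips through `timetuple()` and `time.strftime`. `(datetime.now() - timedelta(seconds=10)).strftime('%Y-%m-%d %H:%M:%S')` yields the same string in one step and fits on fewer lines. Not a blocker.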
diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
index 9a6153409d4..dc53a6da9ee 100644
--- a/ipatests/test_integration/test_nfs.py
+++ b/ipatests/test_integration/test_nfs.py
@@ -130,7 +130,7 @@ def test_krb5_nfs_manual_configuration(self):
 nfsclt = self.clients[1]
 
 # for journalctl --since
-since = time.strftime('%H:%M:%S')
+since = time.strftime('%Y-%m-%d %H:%M:%S')
 nfsclt.run_command(["systemctl", "restart", "rpc-gssd"])
 time.sleep(WAIT_AFTER_INSTALL)
 mountpoints = ("/mnt/krb", "/mnt/std", "/home")
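Review bot: `since` is taken from the clock of the machine running the test, while the commands in this test run on `nfsclt`. With a full date the value is unambiguous, but it is only correct if both hosts agree on time and timezone. Taking the timestamp on the host itself (for example by running `date` through `run_command`) removes that assumption.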


[Freeipa-devel] [freeipa PR#5984][closed] ipatests: use whole date for journalctl --since

2021-08-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5984
Author: flo-renaud
 Title: #5984: ipatests: use whole date for journalctl --since
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5984/head:pr5984
git checkout pr5984


[Freeipa-devel] [freeipa PR#5988][closed] [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job

2021-08-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5988
Author: fcami
 Title: #5988: [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5988/head:pr5988
git checkout pr5988


[Freeipa-devel] [freeipa PR#5988][opened] [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job

2021-08-24 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5988
Author: fcami
 Title: #5988: [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
Action: opened

PR body:
"""
This PR was opened automatically because PR #5983 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5988/head:pr5988
git checkout pr5988
From d0a652f638aad8bcce6ae0742225341ef8c22637 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Mon, 19 Apr 2021 17:20:47 +0300
Subject: [PATCH 1/2] Azure: Run pycodestyle check in Lint job

- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.

- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin 
---
 Makefile.am| 35 +-
 ipatests/azure/azure-pipelines.yml | 20 ++---
 2 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 321df05a7c4..abeaca7edbe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -216,7 +216,7 @@ endif
 	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint pylint jslint $(RPMLINT_TARGET) yamllint check
 	@echo "All tests passed."
 
-.PHONY: fastcheck fasttest fastlint
+.PHONY: fastcheck fasttest fastlint fastcodestyle
 fastcheck:
 	@$(MAKE) -j1 $(AM_MAKEFLAGS) fastlint $(RPMLINT_TARGET) yamllint fasttest apilint acilint
 
@@ -229,7 +229,34 @@ fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
 	--ignore $(abspath $(top_srcdir))/ipatests/test_integration \
 	--ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc
 
-fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py acilint apilint
+fastcodestyle: $(GENERATED_PYTHON_FILES) ipasetup.py
+	@echo "Fast code style checking with $(PYTHON) from branch '$(GIT_BRANCH)'"
+
+	@MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)); \
+	PYFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
+	| grep -E '\.py$$' ); \
+	INFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
+	| grep -E '\.in$$' \
+	| xargs -n1 file 2>/dev/null | grep Python \
+	| cut -d':' -f1; ); \
+	if [ -n "$${PYFILES}" ] && [ -n "$${INFILES}" ]; then \
+	FILES="$$( printf $${PYFILES}\\n$${INFILES} )" ; \
+	elif [ -n "$${PYFILES}" ]; then \
+	FILES="$${PYFILES}" ; \
+	else \
+	FILES="$${INFILES}" ; \
+	fi ; \
+	if [ -n "$${FILES}" ]; then \
+	echo -e "Fast code style checking for files:\n$${FILES}\n"; \
+	echo "pycodestyle"; \
+	echo "---"; \
+	git diff -U0 $${MERGEBASE} | \
+	$(PYTHON) -m pycodestyle --diff || exit $$?; \
+	else \
+	echo "No modified Python files found"; \
+	fi
+
+fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py fastcodestyle acilint apilint
 if ! WITH_PYLINT
 	@echo "ERROR: pylint not available"; exit 1
 endif
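Review bot: in the new fastcodestyle recipe, MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)) is used without checking that it is non-empty. When --fork-point finds nothing, the git diff calls that follow run with no revision and compare the working tree against the index instead of the target branch, so the style check can pass without looking at the branch's changes. Fail early, for example with [ -n "$${MERGEBASE}" ] || exit 1. Separately, FILES is only echoed in this target (pycodestyle reads the whole git diff -U0 output), and printf $${PYFILES}\\n$${INFILES} passes unquoted data as the format string, so the printed list may not match what is actually checked.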
@@ -251,10 +278,6 @@ endif
 	fi ; \
 	if [ -n "$${FILES}" ]; then \
 	echo -e "Fast linting files:\n$${FILES}\n"; \
-	echo "pycodestyle"; \
-	echo "---"; \
-	git diff -U0 $${MERGEBASE} | \
-	$(PYTHON) -m pycodestyle --diff || exit $$?; \
 	echo -e "\npylint"; \
 	echo "--"; \
 	$(PYTHON) -m pylint --version; \
diff --git a/ipatests/azure/azure-pipelines.yml b/ipatests/azure/azure-pipelines.yml
index edf26ad77f8..a920f2852c5 100644
--- a/ipatests/azure/azure-pipelines.yml
+++ b/ipatests/azure/azure-pipelines.yml
@@ -20,12 +20,6 @@ jobs:
   steps:
 - template: templates/${{ variables.PREPARE_BUILD_TEMPLATE }}
 - template: templates/${{ variables.AUTOCONF_TEMPLATE }}
-- script: |
-set -e
-git update-ref refs/heads/$(System.PullRequest.TargetBranch) origin/$(System.PullRequest.TargetBranch)
-make V=0 "GIT_BRANCH=$(System.PullRequest.TargetBranch)" fastlint
-  displayName: Quick code style check
-  condition: eq(variables['Build.Reason'], 'PullRequest')
 - template: templates/${{ variables.BUILD_TEMPLATE }}
 - template: templates/publish-build.yml
   parameters:
@@ -75,6 +69,12 @@ jobs:
 echo "Running make target 'lint'"
 make V=0 lint
   displayName: Lint sources
+- script: |
+set -e
+git update-ref refs/heads/$(System.PullRequest.TargetBranch) 
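Review bot: the step added to the Lint job passes $(System.PullRequest.TargetBranch) unquoted on the git update-ref line, as the removed step did. Azure expands the macro into the script text before the shell runs, so quote both ref arguments. The removed step also carried condition: eq(variables['Build.Reason'], 'PullRequest'); the added step is cut off here, so check that the condition moved with it, since System.PullRequest.TargetBranch is only set for pull request builds.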

[Freeipa-devel] [freeipa PR#5983][closed] Azure: Run pycodestyle check in Lint job

2021-08-24 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5983
Author: stanislavlevin
 Title: #5983: Azure: Run pycodestyle check in Lint job
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5983/head:pr5983
git checkout pr5983
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-devel] [freeipa PR#5987][opened] [Backport][ipa-4-9] freeipa.spec.in: update 389-DS version

2021-08-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5987
Author: fcami
 Title: #5987: [Backport][ipa-4-9] freeipa.spec.in: update 389-DS version
Action: opened

PR body:
"""
This PR was opened automatically because PR #5986 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5987/head:pr5987
git checkout pr5987
From 0aea11b410b01d5c6e4b9548d5b1f5ffeab10059 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 20 Aug 2021 13:07:59 +0200
Subject: [PATCH] freeipa.spec.in: update 389-DS version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9440f3602c2..07ce6b29299 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -110,7 +110,7 @@
 %if 0%{?fedora} < 34
 %global ds_version 1.4.4.16-1
 %else
-%global ds_version 2.0.5-1
+%global ds_version 2.0.7-1
 %endif
 
 # Fix for TLS 1.3 PHA, RHBZ#1775146
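Review bot: the ds_version bump from 2.0.5-1 to 2.0.7-1 comes with no rationale; the commit message is only a sign-off and the hunk adds no comment. State which 389-DS fix or issue requires 2.0.7 (a Fixes: line, or a comment above %global ds_version like the RHBZ reference on the next block) so the minimum version can be audited later.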


[Freeipa-devel] [freeipa PR#5986][closed] freeipa.spec.in: update 389-DS version

2021-08-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5986
Author: fcami
 Title: #5986: freeipa.spec.in: update 389-DS version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5986/head:pr5986
git checkout pr5986


[Freeipa-devel] [freeipa PR#5986][opened] freeipa.spec.in: update 389-DS version

2021-08-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5986
Author: fcami
 Title: #5986: freeipa.spec.in: update 389-DS version
Action: opened

PR body:
"""
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5986/head:pr5986
git checkout pr5986
From fa93c1f0dec8ae41a15d0856acbf5b579c12363e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 20 Aug 2021 13:07:59 +0200
Subject: [PATCH] freeipa.spec.in: update 389-DS version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9440f3602c2..07ce6b29299 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -110,7 +110,7 @@
 %if 0%{?fedora} < 34
 %global ds_version 1.4.4.16-1
 %else
-%global ds_version 2.0.5-1
+%global ds_version 2.0.7-1
 %endif
 
 # Fix for TLS 1.3 PHA, RHBZ#1775146
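Review bot: only the %else branch is raised to 2.0.7-1, while the Fedora < 34 branch stays at 1.4.4.16-1. If the bump is for a fix that also affects the 1.4.4 series, that branch needs the corresponding minimum; if it does not, say so in the commit message.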


[Freeipa-devel] [freeipa PR#5959][opened] Fix string check in uninstall helper

2021-08-06 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5959
Author: fcami
 Title: #5959: Fix string check in uninstall helper
Action: opened

PR body:
"""
The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parentheses. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5959/head:pr5959
git checkout pr5959
From 85a2adb8077ecf59dbd46cf589b0e356747bbb1e Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 27 Jul 2021 21:14:30 +0200
Subject: [PATCH] Fix string check in uninstall helper

The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parentheses. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes 
---
 ipatests/pytest_ipa/integration/tasks.py | 37 ++--
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 075c05cdeff..b01b52f5a0e 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -29,7 +29,6 @@
 import collections
 import itertools
 import shutil
-import shlex
 import copy
 import subprocess
 import tempfile
@@ -2441,9 +2440,9 @@ def install_packages(host, pkgs):
 :param pkgs: packages to install, provided as a list of strings
 """
 platform = get_platform(host)
-if platform in ('rhel', 'fedora'):
+if platform in {'rhel', 'fedora'}:
 install_cmd = ['/usr/bin/dnf', 'install', '-y']
-elif platform in ('ubuntu'):
+elif platform in {'debian', 'ubuntu'}:
 install_cmd = ['apt-get', 'install', '-y']
 else:
 raise ValueError('install_packages: unknown platform %s' % platform)
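Review bot: the platform sets {'rhel', 'fedora'} and {'debian', 'ubuntu'} are spelled out here in install_packages and again in uninstall_packages and is_package_installed, with single quotes here and double quotes in uninstall_packages. Define them once at module level (for example as two frozensets) and test membership against those, so the next platform added cannot be missed in one helper.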
@@ -2482,26 +2481,22 @@ def uninstall_packages(host, pkgs, nodeps=False):
 :param nodeps: ignore dependencies (dangerous!).
 """
 platform = get_platform(host)
-if platform not in ('rhel', 'fedora', 'ubuntu'):
-raise ValueError('uninstall_packages: unknown platform %s' % platform)
+if platform not in {"rhel", "fedora", "debian", "ubuntu"}:
+raise ValueError(f"uninstall_packages: unknown platform {platform}")
 if nodeps:
-if platform in ('rhel', 'fedora'):
-cmd = "rpm -e --nodeps"
-elif platform in ('ubuntu'):
-cmd = "dpkg -P --force-depends"
+if platform in {"rhel", "fedora"}:
+cmd = ["rpm", "-e", "--nodeps"]
+elif platform in {"debian", "ubuntu"}:
+cmd = ["dpkg", "-P", "--force-depends"]
 for package in pkgs:
-uninstall_cmd = shlex.split(cmd)
-uninstall_cmd.append(package)
 # keep raiseonerr=True here. --fcami
-host.run_command(uninstall_cmd)
+host.run_command(cmd + [package])
 else:
-if platform in ('rhel', 'fedora'):
-cmd = "/usr/bin/dnf remove -y"
-elif platform in ('ubuntu'):
-cmd = "apt-get remove -y"
-uninstall_cmd = shlex.split(cmd)
-uninstall_cmd.extend(pkgs)
-host.run_command(uninstall_cmd, raiseonerr=False)
+if platform in {"rhel", "fedora"}:
+cmd = ["/usr/bin/dnf", "remove", "-y"]
+elif platform in {"debian", "ubuntu"}:
+cmd = ["apt-get", "remove", "-y"]
+host.run_command(cmd + pkgs, raiseonerr=False)
 
 
 def wait_for_request(host, request_id, timeout=120):
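Review bot: in the non-nodeps branch, cmd + pkgs only works when pkgs is a list; the removed uninstall_cmd.extend(pkgs) accepted any iterable, so a caller passing a tuple now gets a TypeError. Use [*cmd, *pkgs] or cmd + list(pkgs). Also, if a platform is later added to the set in the first check but not to both if/elif chains, cmd is unbound at host.run_command; an else: raise in each chain would make that failure explicit.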
@@ -2789,11 +2784,11 @@ def run_ssh_cmd(
 
 def is_package_installed(host, pkg):
 platform = get_platform(host)
-if platform in ('rhel', 'fedora'):
+if platform in {'rhel', 'fedora'}:
 result = host.run_command(
 ['rpm', '-q', pkg], raiseonerr=False
 )
-elif platform in ['ubuntu']:
+elif platform in {'debian', 'ubuntu'}:
 result = host.run_command(
 ['dpkg', '-s', pkg], raiseonerr=False
 )


[Freeipa-devel] [freeipa PR#5955][opened] Add index for dnahostname

2021-08-05 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5955
Author: fcami
 Title: #5955: Add index for dnahostname
Action: opened

PR body:
"""
There are 60+ searches for:
Filter:   (dnahostname=FQDN)
at startup.

Fixes: https://pagure.io/freeipa/issue/8945
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5955/head:pr5955
git checkout pr5955
From 0de8f05d3c395b0afff1084b3506f7d9806ef08f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 5 Aug 2021 15:46:53 +0200
Subject: [PATCH] Add index for dnahostname
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are 60+ searches for:
Filter:   (dnahostname=FQDN)
at startup.

Fixes: https://pagure.io/freeipa/issue/8945
Signed-off-by: François Cami 
---
 install/updates/20-indices.update | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 42c16bc3a0d..4cd387e31f9 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -107,6 +107,13 @@ default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: sub
 
+dn: cn=dnahostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: dnahostname
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
 dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: fqdn
 default:objectClass: nsIndex
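Review bot: the new cn=dnahostname entry has no comment, and it differs from the entry just above it by declaring only nsIndexType: eq. An equality index matches the (dnahostname=FQDN) filter quoted in the commit message, so add a one-line comment above the dn: line saying that and pointing at issue 8945.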


[Freeipa-devel] [freeipa PR#5954][opened] [Backport][ipa-4-9] ipatests: use krb5_trace in TestIpaAdTrustInstall

2021-08-05 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5954
Author: fcami
 Title: #5954: [Backport][ipa-4-9] ipatests: use krb5_trace in TestIpaAdTrustInstall
Action: opened

PR body:
"""
This PR was opened automatically because PR #5953 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5954/head:pr5954
git checkout pr5954
From a7cd2992c67eb5c40392beffcec9fcfdadb7e263 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 5 Aug 2021 11:37:35 +0200
Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_adtrust_install.py | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index 385a58e..f2322118640 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -257,8 +257,11 @@ def test_ipa_user_pac(self):
 user_princ = '@'.join([user, self.master.domain.realm])
 passwd = 'Secret123'
 # Create a user with a password
-tasks.create_active_user(self.master, user, passwd, extra_args=[
-'--homedir', '/home/{}'.format(user)])
+tasks.create_active_user(
+self.master, user, passwd,
+extra_args=["--homedir", "/home/{}".format(user)],
+krb5_trace=True
+)
 try:
 # Defaults: host/... principal for service
 # keytab in /etc/krb5.keytab
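Review bot: krb5_trace=True in test_ipa_user_pac is a debugging switch, yet the commit message relies on it to avoid a replication-delay failure, and nothing at the call site says so. Add a comment next to the argument linking https://pagure.io/freeipa/issue/8944 so it is not removed later as leftover debugging, and consider waiting for replication explicitly instead of depending on the traced variant's side effects.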
@@ -282,8 +285,11 @@ def test_ipa_user_s4u2self_pac(self):
 user_princ = '@'.join([user, self.master.domain.realm])
 passwd = 'Secret123'
 # Create a user with a password
-tasks.create_active_user(self.master, user, passwd, extra_args=[
-'--homedir', '/home/{}'.format(user)])
+tasks.create_active_user(
+self.master, user, passwd,
+extra_args=["--homedir", "/home/{}".format(user)],
+krb5_trace=True
+)
 try:
 # Defaults: host/... principal for service
 # keytab in /etc/krb5.keytab


[Freeipa-devel] [freeipa PR#5953][closed] ipatests: use krb5_trace in TestIpaAdTrustInstall

2021-08-05 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5953
Author: fcami
 Title: #5953: ipatests: use krb5_trace in TestIpaAdTrustInstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5953/head:pr5953
git checkout pr5953


[Freeipa-devel] [freeipa PR#5953][opened] ipatests: use krb5_trace in TestIpaAdTrustInstall

2021-08-05 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5953
Author: fcami
 Title: #5953: ipatests: use krb5_trace in TestIpaAdTrustInstall
Action: opened

PR body:
"""
tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5953/head:pr5953
git checkout pr5953
From 03350a11eb524269175ae4ff0b64a9e10be5558a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 5 Aug 2021 11:37:35 +0200
Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_adtrust_install.py | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index 385a58e..f2322118640 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -257,8 +257,11 @@ def test_ipa_user_pac(self):
 user_princ = '@'.join([user, self.master.domain.realm])
 passwd = 'Secret123'
 # Create a user with a password
-tasks.create_active_user(self.master, user, passwd, extra_args=[
-'--homedir', '/home/{}'.format(user)])
+tasks.create_active_user(
+self.master, user, passwd,
+extra_args=["--homedir", "/home/{}".format(user)],
+krb5_trace=True
+)
 try:
 # Defaults: host/... principal for service
 # keytab in /etc/krb5.keytab
@@ -282,8 +285,11 @@ def test_ipa_user_s4u2self_pac(self):
 user_princ = '@'.join([user, self.master.domain.realm])
 passwd = 'Secret123'
 # Create a user with a password
-tasks.create_active_user(self.master, user, passwd, extra_args=[
-'--homedir', '/home/{}'.format(user)])
+tasks.create_active_user(
+self.master, user, passwd,
+extra_args=["--homedir", "/home/{}".format(user)],
+krb5_trace=True
+)
 try:
 # Defaults: host/... principal for service
 # keytab in /etc/krb5.keytab
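Review bot: test_ipa_user_s4u2self_pac now repeats the same five-line create_active_user call as test_ipa_user_pac. Move it into a small helper or fixture in the test class so the krb5_trace setting and the --homedir argument are changed in one place.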


[Freeipa-devel] [freeipa PR#5941][opened] [Backport][ipa-4-9] freeipa.spec.in: remove python3-pexpect from Requires

2021-08-02 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5941
Author: fcami
 Title: #5941: [Backport][ipa-4-9] freeipa.spec.in: remove python3-pexpect from Requires
Action: opened

PR body:
"""
This PR was opened automatically because PR #5931 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5941/head:pr5941
git checkout pr5941
From 28d71c642e7e2f7ebdbc4fffc2890354598554c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 28 Jul 2021 18:47:02 +0200
Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami 
---
 freeipa.spec.in | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c33d2e216e5..9440f3602c2 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -328,11 +328,18 @@ BuildRequires: python3-m2r
 # Build dependencies for lint and fastcheck
 #
 %if %{with lint}
-BuildRequires:  git
-%if 0%{?fedora} < 34
+
+# python3-pexpect might not be available in RHEL9
+%if 0%{?fedora} || 0%{?rhel} < 9
+BuildRequires:  python3-pexpect
+%endif
+
 # jsl is orphaned in Fedora 34+
+%if 0%{?fedora} < 34
 BuildRequires:  jsl
 %endif
+
+BuildRequires:  git
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
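Review bot: in %if 0%{?fedora} || 0%{?rhel} < 9, the second clause is already true whenever %{rhel} is undefined (0 < 9), so the 0%{?fedora} test is redundant and the condition holds on every platform except RHEL 9 and later. If that is intended, write %if 0%{?rhel} < 9; if the aim is Fedora plus RHEL 8 only, use 0%{?fedora} || (0%{?rhel} && 0%{?rhel} < 9). The comment says python3-pexpect "might not be available" while the commit message says it will be removed; align the two.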
@@ -357,7 +364,6 @@ BuildRequires:  python3-lxml
 BuildRequires:  python3-netaddr >= %{python_netaddr_version}
 BuildRequires:  python3-netifaces
 BuildRequires:  python3-paste
-BuildRequires:  python3-pexpect
 BuildRequires:  python3-pki >= %{pki_version}
 BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
 Requires: python3-cryptography >= 1.6
-Requires: python3-pexpect
 %if 0%{?fedora}
 # These packages do not exist on RHEL and for ipatests use
 # they are installed on the controller through other means
 Requires: ldns-utils
+Requires: python3-pexpect
 # update-crypto-policies
 Requires: crypto-policies-scripts
 Requires: python3-polib


[Freeipa-devel] [freeipa PR#5931][closed] freeipa.spec.in: remove python3-pexpect from Requires

2021-08-02 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5931
Author: fcami
 Title: #5931: freeipa.spec.in: remove python3-pexpect from Requires
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5931/head:pr5931
git checkout pr5931


[Freeipa-devel] [freeipa PR#5939][opened] ipaserver: disable resolved' stub resolver

2021-08-02 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5939
Author: fcami
 Title: #5939: ipaserver: disable resolved' stub resolver
Action: opened

PR body:
"""
Disable systemd-resolved stub resolver at install time.
Use systemd-resolved's maintained list of upstream DNS servers instead.

Rationale: systemd-resolved always resolves the FQDN to the local IP
and vice-versa. This breaks DNS zone detection and especially reverse
zone detection. This results in --auto-reverse being broken.

On systemd-resolved enabled systems, there are four ways to
configure resolv.conf:
* a symlink to /run/systemd/resolve/stub-resolv.conf
  This is the default and uses both the 127.0.0.53 DNS stub plus
  the search domains.
* a symlink to /usr/lib/systemd/resolv.conf
  This only contains the 127.0.0.53 DNS stub.
* a symlink to /run/systemd/resolve/resolv.conf
  This contains the upstream DNS IPs and bypasses systemd-resolved.
* Create and maintain /etc/resolv.conf directly.

Solutions #1 and #2 break DNS zone detection.
Solution #4 is not straightforward.
Combine Solutions #3 and #4: copy the file containing the upstream DNS IPs
so that it is properly maintained by NetworkManager after installation.

Fixes: https://pagure.io/freeipa/issue/8700
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5939/head:pr5939
git checkout pr5939
From 2a6e13d81c4879098691fea237f79671c6c3174d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Mon, 2 Aug 2021 11:59:02 +0200
Subject: [PATCH] ipaserver: disable resolved' stub resolver
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Disable systemd-resolved stub resolver at install time.
Use systemd-resolved's maintained list of upstream DNS servers instead.

Rationale: systemd-resolved always resolves the FQDN to the local IP
and vice-versa. This breaks DNS zone detection and especially reverse
zone detection. This results in --auto-reverse being broken.

On systemd-resolved enabled systems, there are four ways to
configure resolv.conf:
* a symlink to /run/systemd/resolve/stub-resolv.conf
  This is the default and uses both the 127.0.0.53 DNS stub plus
  the search domains.
* a symlink to /usr/lib/systemd/resolv.conf
  This only contains the 127.0.0.53 DNS stub.
* a symlink to /run/systemd/resolve/resolv.conf
  This contains the upstream DNS IPs and bypasses systemd-resolved.
* Create and maintain /etc/resolv.conf directly.

Solutions #1 and #2 break DNS zone detection.
Solution #4 is not straightforward.
Combine Solutions #3 and #4: copy the file containing the upstream DNS IPs
so that it is properly maintained by NetworkManager after installation.

Fixes: https://pagure.io/freeipa/issue/8700
Signed-off-by: François Cami 
---
 ipaplatform/base/paths.py |  2 ++
 ipaserver/install/dns.py  | 12 
 2 files changed, 14 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index de217d9efdb..bb239f7822f 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -136,6 +136,8 @@ class BasePathNamespace:
 PKI_ACME_REALM_CONF = "/etc/pki/pki-tomcat/acme/realm.conf"
 ETC_REDHAT_RELEASE = "/etc/redhat-release"
 RESOLV_CONF = "/etc/resolv.conf"
+RESOLV_CONF_STUB_RESOLVED = "/run/systemd/resolve/stub-resolv.conf"
+RESOLV_CONF_RESOLVED = "/run/systemd/resolve/resolv.conf"
 SAMBA_KEYTAB = "/etc/samba/samba.keytab"
 SMB_CONF = "/etc/samba/smb.conf"
 LIMITS_CONF = "/etc/security/limits.conf"
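Review bot: constants are added for the stub-resolv.conf and resolv.conf files under /run/systemd/resolve, but not for /usr/lib/systemd/resolv.conf, which the commit message lists as setup #2 and says also breaks DNS zone detection. Add a constant for it and handle it in install_check, or note why that setup is left alone.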
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index b51b92bfd4f..67e84706319 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -12,6 +12,8 @@
 import enum
 import logging
 import os
+import os.path
+import shutil
 import sys
 
 import six
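Review bot: import os.path is redundant next to the existing import os, which already makes os.path available; drop that added line and keep only import shutil.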
@@ -143,6 +145,16 @@ def install_check(standalone, api, replica, options, hostname):
 if hst not in e.kwargs['ns']:
 raise ValueError(str(e))
 
+# https://pagure.io/freeipa/issue/8700
+# https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
+# Temporary copy the resolv.conf file containing the upstream DNS servers
+# into /etc/resolv.conf so that systemd-resolved does not interfere with
+# reverse zone detection.
+if os.path.islink(paths.RESOLV_CONF):
+if os.readlink(paths.RESOLV_CONF) == paths.RESOLV_CONF_STUB_RESOLVED:
+os.unlink(paths.RESOLV_CONF)
+shutil.copyfile(paths.RESOLV_CONF_RESOLVED, paths.RESOLV_CONF)
+
 for reverse_zone in options.reverse_zones:
 try:
 dnsutil.check_zone_overlap(reverse_zone)
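Review bot: os.readlink(paths.RESOLV_CONF) == paths.RESOLV_CONF_STUB_RESOLVED compares the raw link text, so a relative link such as ../run/systemd/resolve/stub-resolv.conf is not recognised; compare a normalised absolute path instead. The os.unlink also happens before shutil.copyfile, so if RESOLV_CONF_RESOLVED is missing the host is left with no /etc/resolv.conf; copy to a temporary name and rename it over the link. The comment says "Temporary copy", but nothing here records or restores the original symlink, and this runs inside install_check.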
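The four resolv.conf setups listed in the commit message above, as an added Python example that is not part of the patch or of FreeIPA: it classifies the setup while tolerating relative symlink text, and swaps in the upstream server list with a rename so the existing file stays in place if the copy fails. The function names, the `root` parameter, the mode labels and the 192.0.2.53 address are assumptions made for the example.

```python
import os
import shutil
import tempfile

# Paths taken from the commit message above.
STUB = "/run/systemd/resolve/stub-resolv.conf"
STATIC_STUB = "/usr/lib/systemd/resolv.conf"
UPSTREAM = "/run/systemd/resolve/resolv.conf"
# Mode labels are names chosen for this example.
MODES = {STUB: "stub", STATIC_STUB: "static-stub", UPSTREAM: "upstream"}


def classify_resolv_conf(root="/"):
    """Name the setup of <root>/etc/resolv.conf.

    `root` is a hypothetical parameter that lets the check run against a
    constructed directory tree; the default inspects the live system.
    """
    link = os.path.join(root, "etc", "resolv.conf")
    if not os.path.lexists(link):
        return "missing"
    if not os.path.islink(link):
        return "file"
    # os.readlink() returns the link text exactly as stored, which may be
    # relative ("../run/..."). Interpret it relative to /etc and normalise
    # it lexically before comparing; intermediate symlinks are not followed.
    logical = os.path.normpath(os.path.join("/etc", os.readlink(link)))
    return MODES.get(logical, "other-symlink")


def use_upstream_servers(root="/"):
    """Replace a stub symlink with a copy of the upstream server list.

    Returns True if resolv.conf was replaced. The copy is written next to
    resolv.conf and then renamed over it, so a missing source file raises
    before the existing resolv.conf is touched.
    """
    if classify_resolv_conf(root) not in ("stub", "static-stub"):
        return False
    etc = os.path.join(root, "etc")
    source = os.path.join(root, UPSTREAM.lstrip("/"))
    fd, tmp = tempfile.mkstemp(dir=etc, prefix=".resolv.conf.")
    os.close(fd)
    try:
        shutil.copyfile(source, tmp)
        os.chmod(tmp, 0o644)  # mkstemp creates the file with mode 0600
        # rename() replaces the symlink itself, not the file it points to
        os.replace(tmp, os.path.join(etc, "resolv.conf"))
    except OSError:
        os.unlink(tmp)
        raise
    return True


def build_sample_root(link_text):
    """Constructed sample tree: etc/resolv.conf -> link_text, plus run/ files."""
    root = tempfile.mkdtemp()
    resolve_dir = os.path.join(root, "run", "systemd", "resolve")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(resolve_dir)
    with open(os.path.join(resolve_dir, "resolv.conf"), "w") as f:
        f.write("nameserver 192.0.2.53\n")  # constructed upstream server
    with open(os.path.join(resolve_dir, "stub-resolv.conf"), "w") as f:
        f.write("nameserver 127.0.0.53\n")
    if link_text is not None:
        os.symlink(link_text, os.path.join(root, "etc", "resolv.conf"))
    return root


if __name__ == "__main__":
    print(classify_resolv_conf())
```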

[Freeipa-devel] [freeipa PR#5931][opened] freeipa.spec.in: remove python3-pexpect from Requires

2021-07-28 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5931
Author: fcami
 Title: #5931: freeipa.spec.in: remove python3-pexpect from Requires
Action: opened

PR body:
"""
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5931/head:pr5931
git checkout pr5931
From 8e0fe810459f85aa0c5226e5db914e9a8b66d721 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 28 Jul 2021 18:47:02 +0200
Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami 
---
 freeipa.spec.in | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c33d2e216e5..9440f3602c2 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -328,11 +328,18 @@ BuildRequires: python3-m2r
 # Build dependencies for lint and fastcheck
 #
 %if %{with lint}
-BuildRequires:  git
-%if 0%{?fedora} < 34
+
+# python3-pexpect might not be available in RHEL9
+%if 0%{?fedora} || 0%{?rhel} < 9
+BuildRequires:  python3-pexpect
+%endif
+
 # jsl is orphaned in Fedora 34+
+%if 0%{?fedora} < 34
 BuildRequires:  jsl
 %endif
+
+BuildRequires:  git
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
@@ -357,7 +364,6 @@ BuildRequires:  python3-lxml
 BuildRequires:  python3-netaddr >= %{python_netaddr_version}
 BuildRequires:  python3-netifaces
 BuildRequires:  python3-paste
-BuildRequires:  python3-pexpect
 BuildRequires:  python3-pki >= %{pki_version}
 BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
 Requires: python3-cryptography >= 1.6
-Requires: python3-pexpect
 %if 0%{?fedora}
 # These packages do not exist on RHEL and for ipatests use
 # they are installed on the controller through other means
 Requires: ldns-utils
+Requires: python3-pexpect
 # update-crypto-policies
 Requires: crypto-policies-scripts
 Requires: python3-polib
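
Review bot: moving `Requires: python3-pexpect` inside `%if 0%{?fedora}` drops the runtime dependency on every RHEL release, whereas the BuildRequires guard earlier in this patch keeps it for `0%{?rhel} < 9`. If this subpackage still needs pexpect on RHEL releases before 9, use the same condition here; if it does not, say so in the commit message. The line also now sits under the existing comment "These packages do not exist on RHEL", which the BuildRequires guard contradicts for releases before RHEL 9.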


[Freeipa-devel] [freeipa PR#5929][closed] ipatests: test removing BIND and the named user

2021-07-28 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5929
Author: fcami
 Title: #5929: ipatests: test removing BIND and the named user
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5929/head:pr5929
git checkout pr5929


[Freeipa-devel] [freeipa PR#5929][reopened] ipatests: test removing BIND and the named user

2021-07-28 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5929
Author: fcami
 Title: #5929: ipatests: test removing BIND and the named user
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5929/head:pr5929
git checkout pr5929


[Freeipa-devel] [freeipa PR#5930][opened] Azure: re-enable tests using forwarders

2021-07-28 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5930
Author: fcami
 Title: #5930: Azure: re-enable tests using forwarders
Action: opened

PR body:
"""
Since BIND was updated in Fedora, revert:
b71009b31a1d4dc76af3052a1e826e0306525410

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5930/head:pr5930
git checkout pr5930
From 3d86d12db9a2f0915c8b1a85d1230a500b7839ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 28 Jul 2021 11:35:28 +0200
Subject: [PATCH] Azure: re-enable tests using forwarders
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since BIND was updated in Fedora, revert:
b71009b31a1d4dc76af3052a1e826e0306525410

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami 
---
 .../azure/azure_definitions/gating-fedora.yml | 71 ++-
 1 file changed, 36 insertions(+), 35 deletions(-)

diff --git a/ipatests/azure/azure_definitions/gating-fedora.yml b/ipatests/azure/azure_definitions/gating-fedora.yml
index 3c2fdc39b76..7dfce622c5d 100644
--- a/ipatests/azure/azure_definitions/gating-fedora.yml
+++ b/ipatests/azure/azure_definitions/gating-fedora.yml
@@ -11,14 +11,14 @@ default_resources:
 
 vms:
 - vm_jobs:
-#  - container_job: InstallMaster
-#containers:
-#  resources:
-#server:
-#  mem_limit: "3200m"
-#  memswap_limit: "4800m"
-#tests:
-#- test_integration/test_installation.py::TestInstallMaster
+  - container_job: InstallMaster
+containers:
+  resources:
+server:
+  mem_limit: "3200m"
+  memswap_limit: "4800m"
+tests:
+- test_integration/test_installation.py::TestInstallMaster
 
   - container_job: kerberos_flags
 containers:
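
Review bot: `InstallMaster` comes back on the strength of "BIND was updated in Fedora", but the commit message does not say which BIND build contains the fix. Name the build in the message so that, if the forwarder failures return in gating, the installed version can be checked against it.
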
@@ -119,19 +119,19 @@ vms:
 - test_integration/test_external_ca.py::TestExternalCAConstraints
 
 - vm_jobs:
-#  - container_job: commands
-#containers:
-#  replicas: 1
-#  clients: 1
-# resources:
-#server:
-#  mem_limit: "3500m"
-#  memswap_limit: "4000m"
-#client:
-#  mem_limit: "768m"
-#  memswap_limit: "1024m"
-#tests:
-#- test_integration/test_commands.py
+  - container_job: commands
+containers:
+  replicas: 1
+  clients: 1
+  resources:
+server:
+  mem_limit: "3500m"
+  memswap_limit: "4000m"
+client:
+  mem_limit: "768m"
+  memswap_limit: "1024m"
+tests:
+- test_integration/test_commands.py
 
   - container_job: membermanager
 tests:
@@ -150,21 +150,22 @@ vms:
 #tests:
 #- test_integration/test_replica_promotion.py::TestSubCAkeyReplication
 
-#  - container_job: adtrust_install
-#tests:
-#- test_integration/test_adtrust_install.py
-#containers:
-#  replicas: 1
+  - container_job: adtrust_install
+tests:
+- test_integration/test_adtrust_install.py
+containers:
+  replicas: 1
 
-#  - container_job: advise
-#containers:
-#  clients: 1
-#  resources:
-#client:
-#  mem_limit: "768m"
-#  memswap_limit: "1024m"
-#tests:
-#- test_integration/test_advise.py
+- vm_jobs:
+  - container_job: advise
+containers:
+  clients: 1
+  resources:
+client:
+  mem_limit: "768m"
+  memswap_limit: "1024m"
+tests:
+- test_integration/test_advise.py
 
 #  - container_job: cert
 #tests:
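
Review bot: this hunk re-enables `adtrust_install` as well as `advise`, while the subject only speaks of tests using forwarders; state in the message whether `adtrust_install` was disabled for the same reason. The surrounding context shows `TestSubCAkeyReplication` and `cert` still commented out, so it is worth saying explicitly that those stay disabled.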


[Freeipa-devel] [freeipa PR#5929][closed] ipatests: test removing BIND and the named user

2021-07-27 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5929
Author: fcami
 Title: #5929: ipatests: test removing BIND and the named user
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5929/head:pr5929
git checkout pr5929


[Freeipa-devel] [freeipa PR#5929][opened] ipatests: test removing BIND and the named user

2021-07-27 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5929
Author: fcami
 Title: #5929: ipatests: test removing BIND and the named user
Action: opened

PR body:
"""
Test that FreeIPA can be installed if the named user does
not exist.

Related: https://github.com/freeipa/freeipa/pull/5927
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5929/head:pr5929
git checkout pr5929
From b2305a701317c2e3a0e76445fb1e72099a38dcbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 27 Jul 2021 18:25:32 +0200
Subject: [PATCH] ipatests: test removing BIND and the named user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Test that FreeIPA can be installed if the named user does
not exist.

Related: https://github.com/freeipa/freeipa/pull/5927
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_installation.py | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 27f15dbe542..b2ef9e49010 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -178,13 +178,28 @@ def test_replica1_all_components_adtrust(self):
 class TestInstallWithCA1(InstallTestBase1):
 master_with_dns = False
 
+@classmethod
+def remove_named(cls, host):
+# remove the bind package and make sure the named user does not exist.
+# https://pagure.io/freeipa/issue/8936
+result = host.run_command(['id', 'named'], raiseonerr=False)
+if result.returncode == 0:
+tasks.uninstall_packages(host, 'bind')
+host.run_command(['userdel', 'named'])
+assert host.run_command(
+['id', 'named'], raiseonerr=False
+).returncode == 1
+
 @classmethod
 def install(cls, mh):
+for tgt in (cls.master, cls.replicas[0]):
+cls.remove_named(tgt)
 tasks.install_master(cls.master, setup_dns=cls.master_with_dns)
 
 @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
 reason='does not work on DOMAIN_LEVEL_0 by design')
 def test_replica1_ipa_kra_install(self):
+
 super(TestInstallWithCA1, self).test_replica1_ipa_kra_install()
 
 @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
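
Review bot: `remove_named` uninstalls `bind` and deletes the `named` user on the master and the first replica inside `install()`, and nothing in this hunk puts either back. If the hosts are reused by later test classes, add the matching reinstall to the class's uninstall step, or note why it is not needed. The package is also only removed when `id named` succeeds, so the comment "remove the bind package and make sure the named user does not exist" overstates what happens when the user is already absent. The blank line added before the `super(...)` call in `test_replica1_ipa_kra_install` is unrelated whitespace and can be dropped.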


[Freeipa-devel] [freeipa PR#5924][closed] [master] ipatests: bump prci boxes + move gating to f34

2021-07-27 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5924
Author: netoarmando
 Title: #5924: [master] ipatests: bump prci boxes + move gating to f34
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5924/head:pr5924
git checkout pr5924


[Freeipa-devel] [freeipa PR#5925][closed] [ipa-4-9] ipatests: bump prci boxes + move gating to f34

2021-07-27 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5925
Author: netoarmando
 Title: #5925: [ipa-4-9] ipatests: bump prci boxes + move gating to f34
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5925/head:pr5925
git checkout pr5925


[Freeipa-devel] [freeipa PR#5914][closed] ipatests: refactor test_ipa_cert_fix with tasks

2021-07-27 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5914
Author: fcami
 Title: #5914: ipatests: refactor test_ipa_cert_fix with tasks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5914/head:pr5914
git checkout pr5914


[Freeipa-devel] [freeipa PR#5921][opened] [Backport][ipa-4-9] Azure: temporarily disable problematic tests #5916

2021-07-23 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5921
Author: fcami
 Title: #5921: [Backport][ipa-4-9] Azure: temporarily disable problematic tests #5916
Action: opened

PR body:
"""
Manual backport of https://github.com/freeipa/freeipa/pull/5916
The PR-CI template required a cherry-pick. 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5921/head:pr5921
git checkout pr5921
From 119e0fc3be848571f04282368ff297671c3b1180 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 22 Jul 2021 08:34:47 +0200
Subject: [PATCH 1/3] Azure: temporarily disable problematic tests, #1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami 
Reviewed-By: Michal Polovka 
Reviewed-By: Stanislav Levin 
---
 .../azure/azure_definitions/gating-fedora.yml | 73 +--
 1 file changed, 36 insertions(+), 37 deletions(-)

diff --git a/ipatests/azure/azure_definitions/gating-fedora.yml b/ipatests/azure/azure_definitions/gating-fedora.yml
index 70c15834c5c..346da2d52a4 100644
--- a/ipatests/azure/azure_definitions/gating-fedora.yml
+++ b/ipatests/azure/azure_definitions/gating-fedora.yml
@@ -11,14 +11,14 @@ default_resources:
 
 vms:
 - vm_jobs:
-  - container_job: InstallMaster
-containers:
-  resources:
-server:
-  mem_limit: "3200m"
-  memswap_limit: "4800m"
-tests:
-- test_integration/test_installation.py::TestInstallMaster
+#  - container_job: InstallMaster
+#containers:
+#  resources:
+#server:
+#  mem_limit: "3200m"
+#  memswap_limit: "4800m"
+#tests:
+#- test_integration/test_installation.py::TestInstallMaster
 
   - container_job: kerberos_flags
 containers:
@@ -119,19 +119,19 @@ vms:
 - test_integration/test_external_ca.py::TestExternalCAConstraints
 
 - vm_jobs:
-  - container_job: commands
-containers:
-  replicas: 1
-  clients: 1
-  resources:
-server:
-  mem_limit: "3500m"
-  memswap_limit: "4000m"
-client:
-  mem_limit: "768m"
-  memswap_limit: "1024m"
-tests:
-- test_integration/test_commands.py
+#  - container_job: commands
+#containers:
+#  replicas: 1
+#  clients: 1
+# resources:
+#server:
+#  mem_limit: "3500m"
+#  memswap_limit: "4000m"
+#client:
+#  mem_limit: "768m"
+#  memswap_limit: "1024m"
+#tests:
+#- test_integration/test_commands.py
 
   - container_job: membermanager
 tests:
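
Review bot: in the commented-out `commands` block, `# resources:` has one space after the `#` where its siblings `#  replicas: 1` and `#  clients: 1` have two. Stripping the leading `#` to re-enable the job would leave `resources:` misaligned; keep the same offset on every commented line.
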
@@ -150,22 +150,21 @@ vms:
 tests:
 - test_integration/test_replica_promotion.py::TestSubCAkeyReplication
 
-  - container_job: adtrust_install
-tests:
-- test_integration/test_adtrust_install.py
-containers:
-  replicas: 1
-
-- vm_jobs:
-  - container_job: advise
-containers:
-  clients: 1
-  resources:
-client:
-  mem_limit: "768m"
-  memswap_limit: "1024m"
-tests:
-- test_integration/test_advise.py
+#  - container_job: adtrust_install
+#tests:
+#- test_integration/test_adtrust_install.py
+#containers:
+#  replicas: 1
+
+#  - container_job: advise
+#containers:
+#  clients: 1
+#  resources:
+#client:
+#  mem_limit: "768m"
+#  memswap_limit: "1024m"
+#tests:
+#- test_integration/test_advise.py
 
   - container_job: cert
 tests:
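
Review bot: `adtrust_install` is commented out here, but the commit message lists only TestInstallMaster, test_advise and test_commands.TestIPACommand as hitting the BIND bug; add it to the message or leave it enabled. The `- vm_jobs:` line ahead of `advise` is also deleted rather than commented, so the `cert` job in the trailing context now joins the preceding VM group; commenting the line out instead would keep the later revert mechanical.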

From 48c8ec68808c82846cd0a9fe6812ee7856409ce3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 22 Jul 2021 20:22:13 +0200
Subject: [PATCH 2/3] Azure: temporarily disable problematic tests, #2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami 
Reviewed-By: Michal Polovka 
Reviewed-By: Stanislav Levin 
---
 .../azure/azure_definitions/gating-fedora.yml | 30 +--
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git 

[Freeipa-devel] [freeipa PR#5916][closed] Azure: temporarily disable problematic tests

2021-07-23 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5916
Author: fcami
 Title: #5916: Azure: temporarily disable problematic tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5916/head:pr5916
git checkout pr5916


[Freeipa-devel] [freeipa PR#5916][opened] Azure: temporarily disable problematic tests

2021-07-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5916
Author: fcami
 Title: #5916: Azure: temporarily disable problematic tests
Action: opened

PR body:
"""
test_installation.TestInstallMaster and test_advise rely on DNS
forwarders and hit a known BIND bug quite often.
Disable these tests in gating until the bug is fixed.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5916/head:pr5916
git checkout pr5916
From dc66f98d9fc12bbb6e1afb74326e28116cd25628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 22 Jul 2021 08:34:47 +0200
Subject: [PATCH] Azure: temporarily disable problematic tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

test_installation.TestInstallMaster and test_advise rely on DNS
forwarders and hit a known BIND bug quite often.
Disable these tests in gating until the bug is fixed.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami 
---
 .../azure/azure_definitions/gating-fedora.yml | 35 +--
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/ipatests/azure/azure_definitions/gating-fedora.yml b/ipatests/azure/azure_definitions/gating-fedora.yml
index 70c15834c5c..b1b8e940ede 100644
--- a/ipatests/azure/azure_definitions/gating-fedora.yml
+++ b/ipatests/azure/azure_definitions/gating-fedora.yml
@@ -11,14 +11,14 @@ default_resources:
 
 vms:
 - vm_jobs:
-  - container_job: InstallMaster
-containers:
-  resources:
-server:
-  mem_limit: "3200m"
-  memswap_limit: "4800m"
-tests:
-- test_integration/test_installation.py::TestInstallMaster
+#  - container_job: InstallMaster
+#containers:
+#  resources:
+#server:
+#  mem_limit: "3200m"
+#  memswap_limit: "4800m"
+#tests:
+#- test_integration/test_installation.py::TestInstallMaster
 
   - container_job: kerberos_flags
 containers:
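
Review bot: the commented-out `InstallMaster` block carries no pointer to why it is disabled, and the commit message refers to "a known BIND bug" without a reference. Add the upstream bug URL to the message and a one-line comment above the block, so whoever re-enables the job knows what to check.
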
@@ -156,16 +156,15 @@ vms:
 containers:
   replicas: 1
 
-- vm_jobs:
-  - container_job: advise
-containers:
-  clients: 1
-  resources:
-client:
-  mem_limit: "768m"
-  memswap_limit: "1024m"
-tests:
-- test_integration/test_advise.py
+#  - container_job: advise
+#containers:
+#  clients: 1
+#  resources:
+#client:
+#  mem_limit: "768m"
+#  memswap_limit: "1024m"
+#tests:
+#- test_integration/test_advise.py
 
   - container_job: cert
 tests:
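
Review bot: the `- vm_jobs:` line is removed outright instead of being left in place while only the `advise` job is commented out, so `cert` (in the trailing context) moves into the VM group that holds `adtrust_install`. If that regrouping is not intended, keep `- vm_jobs:` so that `cert` stays in its original group.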


[Freeipa-devel] [freeipa PR#5914][opened] ipatests: refactor test_ipa_cert_fix with tasks

2021-07-21 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5914
Author: fcami
 Title: #5914: ipatests: refactor test_ipa_cert_fix with tasks
Action: opened

PR body:
"""
Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5914/head:pr5914
git checkout pr5914
From bc270efb38d17b9c960b892c91eb17976343c485 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 21 Jul 2021 14:29:31 +0200
Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami 
---
 .../test_integration/test_ipa_cert_fix.py | 26 ++-
 1 file changed, 8 insertions(+), 18 deletions(-)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 33441c02234..1b9dbd81810 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -49,16 +49,6 @@ def check_status(host, cert_count, state, timeout=600):
 return count
 
 
-def move_date(host, chrony_state, date_str):
-"""Helper method to move the date on given host
-:param host: The host on which date is to be moved
-:param chrony_state: State to which chrony service to be moved
-:param date_str: date string to move the date i.e 2years1month1days
-"""
-host.run_command(['systemctl', chrony_state, 'chronyd'])
-host.run_command(['date', '-s', date_str])
-
-
 @pytest.fixture
 def expire_cert_critical():
 """
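
Review bot: the local `move_date` helper is deleted and every caller switches to `tasks.move_date`, but the diffstat shows only test_ipa_cert_fix.py changing, so this patch depends on `tasks.move_date` already being present in tasks.py. Name the commit or PR that adds it in the message (which currently has no body), so the patch is not merged or backported ahead of it.
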
@@ -77,13 +67,13 @@ def _expire_cert_critical(host, setup_kra=False):
 tasks.install_kra(host)
 
 # move date to expire certs
-move_date(host, 'stop', '+3Years+1day')
+tasks.move_date(host, 'stop', '+3Years+1day')
 
 yield _expire_cert_critical
 
 host = hosts.pop('host')
 tasks.uninstall_master(host)
-move_date(host, 'start', '-3Years-1day')
+tasks.move_date(host, 'start', '-3Years-1day')
 
 
 class TestIpaCertFix(IntegrationTest):
@@ -97,12 +87,12 @@ def uninstall(cls, mh):
 def expire_ca_cert(self):
 tasks.install_master(self.master, setup_dns=False,
  extra_args=['--no-ntp'])
-move_date(self.master, 'stop', '+20Years+1day')
+tasks.move_date(self.master, 'stop', '+20Years+1day')
 
 yield
 
 tasks.uninstall_master(self.master)
-move_date(self.master, 'start', '-20Years-1day')
+tasks.move_date(self.master, 'start', '-20Years-1day')
 
 def test_missing_csr(self, expire_cert_critical):
 """
@@ -363,7 +353,7 @@ def test_renew_expired_cert_replica(self):
 
 related: https://pagure.io/freeipa/issue/7885
 """
-move_date(self.master, 'stop', '+3years+1days')
+tasks.move_date(self.master, 'stop', '+3years+1days')
 
 # wait for cert expiry
 check_status(self.master, 8, "CA_UNREACHABLE")
@@ -373,7 +363,7 @@ def test_renew_expired_cert_replica(self):
 check_status(self.master, 9, "MONITORING")
 
 # move system date to expire cert on replica
-move_date(self.replicas[0], 'stop', '+3years+1days')
+tasks.move_date(self.replicas[0], 'stop', '+3years+1days')
 
 # RA agent cert will be expired and in CA_UNREACHABLE state
 check_status(self.replicas[0], 1, "CA_UNREACHABLE")
@@ -402,5 +392,5 @@ def test_renew_expired_cert_replica(self):
 check_status(self.master, 9, "MONITORING")
 
 # move date back on replica and master
-move_date(self.replicas[0], 'start', '-3years-1days')
-move_date(self.master, 'start', '-3years-1days')
+tasks.move_date(self.replicas[0], 'start', '-3years-1days')
+tasks.move_date(self.master, 'start', '-3years-1days')
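
Review bot: the two `tasks.move_date(..., 'start', '-3years-1days')` calls sit at the end of the `test_renew_expired_cert_replica` body rather than in a teardown, so a failing `check_status` earlier in the test leaves both hosts three years ahead with chronyd stopped. The other call sites in this file restore the date after a fixture's `yield`; do the same here or wrap the body in `try`/`finally`.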


[Freeipa-devel] [freeipa PR#5913][opened] [Backport][ipa-4-9] test_acme: make password renewal more robust

2021-07-21 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5913
Author: fcami
 Title: #5913: [Backport][ipa-4-9] test_acme: make password renewal more robust
Action: opened

PR body:
"""
This PR was opened automatically because PR #5910 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5913/head:pr5913
git checkout pr5913
From 8eea96cb7124e0b40be025272aea7498b2eb8701 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 20 Jul 2021 20:19:16 +0200
Subject: [PATCH 1/2] test_acme: refactor with tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 11 +++
 ipatests/test_integration/test_acme.py   | 19 ---
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba7827b..c2e5486173b 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg):
 'is_package_installed: unknown platform %s' % platform
 )
 return result.returncode == 0
+
+
+def move_date(host, chrony_cmd, date_str):
+"""Helper method to move system date
+:param host: host on which date is to be manipulated
+:param chrony_cmd: systemctl command to apply to
+   chrony service, for instance 'start', 'stop'
+:param date_str: date string to change the date i.e '3years2months1day1'
+"""
+host.run_command(['systemctl', chrony_cmd, 'chronyd'])
+host.run_command(['date', '-s', date_str])
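
Review bot: the docstring example for `date_str`, `'3years2months1day1'`, ends in a stray `1` and carries no sign, while the callers in this series pass signed offsets such as `'+90days'` and `'-90days'`. Fix the example (and use "e.g." rather than "i.e"), and state that the string is passed unchanged to `date -s`.
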
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index d90f1ff7d41..b4aa1b3512b 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -35,17 +35,6 @@
 CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
 
 
-def move_date(host, chrony_cmd, date_str):
-"""Helper method to move system date
-:param host: host on which date is to be manipulated
-:param chrony_cmd: systemctl command to apply to
-   chrony service, for instance 'start', 'stop'
-:param date_str: date string to change the date i.e '3years2months1day1'
-"""
-host.run_command(['systemctl', chrony_cmd, 'chronyd'])
-host.run_command(['date', '-s', date_str])
-
-
 def check_acme_status(host, exp_status, timeout=60):
 """Helper method to check the status of acme server"""
 for _i in range(0, timeout, 5):
@@ -598,8 +587,8 @@ def issue_and_expire_cert(self):
 )
 # move system date to expire acme cert
 for host in self.clients[0], self.master:
-host.run_command(['kdestroy', '-A'])
-move_date(host, 'stop', '+90days')
+tasks.kdestroy_all(host)
+tasks.move_date(host, 'stop', '+90days')
 self.clients[0].run_command(
 ['kinit', 'admin'],
 stdin_text=cmd_input.format(
@@ -611,8 +600,8 @@ def issue_and_expire_cert(self):
 
 # move back date
 for host in self.clients[0], self.master:
-host.run_command(['kdestroy', '-A'])
-move_date(host, 'start', '-90days')
+tasks.kdestroy_all(host)
+tasks.move_date(host, 'start', '-90days')
 tasks.kinit_admin(host)
 
 @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')

From c6f4e8f5e64da74ef6098e9c6e3634c6d5d8e8ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 20 Jul 2021 20:22:23 +0200
Subject: [PATCH 2/2] test_acme: make password renewal more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_acme.py | 28 +-
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index b4aa1b3512b..10195a95f93 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -576,25 +576,25 @@ def issue_and_expire_cert(self):
 # request a standalone acme cert
 certbot_standalone_cert(self.clients[0], self.acme_server)
 
-cmd_input = (
-# Password for admin@{REALM}:
-"{pwd}\n"
-# Password expired.  You must change it now.
-# Enter new password:
-"{pwd}\n"
-# Enter it again:
-"{pwd}\n"
-)
 # move system date to 

[Freeipa-devel] [freeipa PR#5910][closed] test_acme: make password renewal more robust

2021-07-21 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5910
Author: fcami
 Title: #5910: test_acme: make password renewal more robust
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5910/head:pr5910
git checkout pr5910


[Freeipa-devel] [freeipa PR#5912][opened] [Backport][ipa-4-9] tasks.py: fix flake8-reported issues

2021-07-21 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5912
Author: fcami
 Title: #5912: [Backport][ipa-4-9] tasks.py: fix flake8-reported issues
Action: opened

PR body:
"""
This PR was opened automatically because PR #5911 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5912/head:pr5912
git checkout pr5912
From 2bb2652a351ee1529c16cc3c9f847359f0ad970c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 20 Jul 2021 20:29:00 +0200
Subject: [PATCH] tasks.py: fix flake8-reported issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba7827b..cd27cff37fb 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -597,7 +597,9 @@ def install_adtrust(host):
 dig_command = ['dig', 'SRV', '+short', '@localhost',
'_ldap._tcp.%s' % host.domain.name]
 dig_output = '0 100 389 %s.' % host.hostname
-dig_test = lambda x: re.search(re.escape(dig_output), x)
+
+def dig_test(x):
+return re.search(re.escape(dig_output), x)
 
 run_repeatedly(host, dig_command, test=dig_test)
 
@@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user',
 result = host.run_command(
 "KRB5_TRACE=/dev/stdout kinit %s" % login,
 stdin_text='{0}\n{1}\n{1}\n'.format(
-temp_password, password, raiseonerr=False
-)
+temp_password, password
+), raiseonerr=False
 )
 # Retrieve kdc.$REALM after the password change, just in case SSSD
 # domain status flipped to online during the password change.
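Review bot: In the create_active_user hunk, moving raiseonerr=False out of str.format() and into host.run_command() is a behaviour change, not a style fix. Before, the keyword was silently swallowed by format() and a failing kinit raised immediately; now the failure is tolerated until something inspects result. The commit message only says "fix flake8-reported issues", so please call this out there, all the more since the change is being backported to ipa-4-9.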
@@ -2264,10 +2266,10 @@ def extract_key_refs(self, keytab, princ=None):
 [paths.KLIST, "-eK", "-k", keytab], log_stdout=False)
 
 keys_to_sync = []
-for l in result.stdout_text.splitlines():
-if (princ in l and any(e in l for e in self.valid_etypes)):
+for line in result.stdout_text.splitlines():
+if (princ in line and any(e in line for e in self.valid_etypes)):
 
-els = l.split()
+els = line.split()
 els[-2] = els[-2].strip('()')
 els[-1] = els[-1].strip('()')
 keys_to_sync.append(KeyEntry._make(els))


[Freeipa-devel] [freeipa PR#5911][closed] tasks.py: fix flake8-reported issues

2021-07-21 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5911
Author: fcami
 Title: #5911: tasks.py: fix flake8-reported issues
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5911/head:pr5911
git checkout pr5911


[Freeipa-devel] [freeipa PR#5911][opened] tasks.py: fix flake8-reported issues

2021-07-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5911
Author: fcami
 Title: #5911: tasks.py: fix flake8-reported issues
Action: opened

PR body:
"""
Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5911/head:pr5911
git checkout pr5911
From 0193e43552ae7c92c86e8eb04208ed1d6d08d388 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 20 Jul 2021 20:29:00 +0200
Subject: [PATCH] tasks.py: fix flake8-reported issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba7827b..cd27cff37fb 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -597,7 +597,9 @@ def install_adtrust(host):
 dig_command = ['dig', 'SRV', '+short', '@localhost',
'_ldap._tcp.%s' % host.domain.name]
 dig_output = '0 100 389 %s.' % host.hostname
-dig_test = lambda x: re.search(re.escape(dig_output), x)
+
+def dig_test(x):
+return re.search(re.escape(dig_output), x)
 
 run_repeatedly(host, dig_command, test=dig_test)
 
@@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user',
 result = host.run_command(
 "KRB5_TRACE=/dev/stdout kinit %s" % login,
 stdin_text='{0}\n{1}\n{1}\n'.format(
-temp_password, password, raiseonerr=False
-)
+temp_password, password
+), raiseonerr=False
 )
 # Retrieve kdc.$REALM after the password change, just in case SSSD
 # domain status flipped to online during the password change.
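Review bot: With raiseonerr=False now actually reaching host.run_command() in create_active_user, a failed kinit no longer raises on its own, so the code after the second kdcinfo retrieval needs an explicit check such as assert result.returncode == 0. The hunk's context ends before showing one; please confirm it is there, otherwise a failed password change goes unnoticed by callers.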
@@ -2264,10 +2266,10 @@ def extract_key_refs(self, keytab, princ=None):
 [paths.KLIST, "-eK", "-k", keytab], log_stdout=False)
 
 keys_to_sync = []
-for l in result.stdout_text.splitlines():
-if (princ in l and any(e in l for e in self.valid_etypes)):
+for line in result.stdout_text.splitlines():
+if (princ in line and any(e in line for e in self.valid_etypes)):
 
-els = l.split()
+els = line.split()
 els[-2] = els[-2].strip('()')
 els[-1] = els[-1].strip('()')
 keys_to_sync.append(KeyEntry._make(els))
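Review bot: In extract_key_refs, princ defaults to None in the signature shown in the hunk header, and "princ in line" raises TypeError when the left operand is None. The rename from l to line is fine, but unless princ is given a value earlier in the method, either guard the test (for example "princ is None or princ in line") or drop the default so callers must pass a principal.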


[Freeipa-devel] [freeipa PR#5910][opened] test_acme: make password renewal more robust

2021-07-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5910
Author: fcami
 Title: #5910: test_acme: make password renewal more robust
Action: opened

PR body:
"""

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5910/head:pr5910
git checkout pr5910
From 006d6bf64e6eb90ee0b554203b480b309fa03b48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 20 Jul 2021 19:36:42 +0200
Subject: [PATCH] test_acme: make password renewal more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 11 ++
 ipatests/test_integration/test_acme.py   | 45 +---
 2 files changed, 27 insertions(+), 29 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba7827b..c2e5486173b 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg):
 'is_package_installed: unknown platform %s' % platform
 )
 return result.returncode == 0
+
+
+def move_date(host, chrony_cmd, date_str):
+"""Helper method to move system date
+:param host: host on which date is to be manipulated
+:param chrony_cmd: systemctl command to apply to
+   chrony service, for instance 'start', 'stop'
+:param date_str: date string to change the date i.e '3years2months1day1'
+"""
+host.run_command(['systemctl', chrony_cmd, 'chronyd'])
+host.run_command(['date', '-s', date_str])
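Review bot: The move_date docstring carried over into tasks.py gives '3years2months1day1' as the example for date_str, with a stray trailing 1, while the callers in test_acme.py pass relative strings such as '+90days'; use one of those as the example and write "e.g." rather than "i.e". Since the helper is now shared, the docstring should also say that it leaves chronyd stopped or started as a side effect, so callers know to pair the 'stop' and 'start' calls.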
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index d90f1ff7d41..3f54d31a148 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -35,17 +35,6 @@
 CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
 
 
-def move_date(host, chrony_cmd, date_str):
-"""Helper method to move system date
-:param host: host on which date is to be manipulated
-:param chrony_cmd: systemctl command to apply to
-   chrony service, for instance 'start', 'stop'
-:param date_str: date string to change the date i.e '3years2months1day1'
-"""
-host.run_command(['systemctl', chrony_cmd, 'chronyd'])
-host.run_command(['date', '-s', date_str])
-
-
 def check_acme_status(host, exp_status, timeout=60):
 """Helper method to check the status of acme server"""
 for _i in range(0, timeout, 5):
@@ -587,32 +576,30 @@ def issue_and_expire_cert(self):
 # request a standalone acme cert
 certbot_standalone_cert(self.clients[0], self.acme_server)
 
-cmd_input = (
-# Password for admin@{REALM}:
-"{pwd}\n"
-# Password expired.  You must change it now.
-# Enter new password:
-"{pwd}\n"
-# Enter it again:
-"{pwd}\n"
-)
 # move system date to expire acme cert
 for host in self.clients[0], self.master:
-host.run_command(['kdestroy', '-A'])
-move_date(host, 'stop', '+90days')
-self.clients[0].run_command(
-['kinit', 'admin'],
-stdin_text=cmd_input.format(
-pwd=self.clients[0].config.admin_password
-)
+tasks.kdestroy_all(host)
+tasks.move_date(host, 'stop', '+90days')
+
+tasks.get_kdcinfo(host)
+# Note raiseonerr=False:
+# the assert is located after kdcinfo retrieval.
+result = host.run_command(
+"KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
+stdin_text='{0}\n{0}\n{0}\n'.format("{pwd}"),
+raiseonerr=False
 )
+# Retrieve kdc.$REALM after the password change, just in case SSSD
+# domain status flipped to online during the password change.
+tasks.get_kdcinfo(host)
+assert result.returncode == 0
 
 yield
 
 # move back date
 for host in self.clients[0], self.master:
-host.run_command(['kdestroy', '-A'])
-move_date(host, 'start', '-90days')
+tasks.kdestroy_all(host)
+tasks.move_date(host, 'start', '-90days')
 tasks.kinit_admin(host)
 
 @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
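Review bot: The new kinit call builds its input with '{0}\n{0}\n{0}\n'.format("{pwd}"), which sends the literal text {pwd} three times; the removed code substituted self.clients[0].config.admin_password through cmd_input.format(pwd=...). As written the admin password is never supplied, so the first prompt receives a wrong password and the assert on result.returncode will fail. Format the string with the configured admin password instead. Also, the kinit now runs against host rather than self.clients[0]; please confirm that running the password change for each host in the loop is intended.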

[Freeipa-devel] [freeipa PR#5909][closed] [Backport][ipa-4-9] ipatests: smbclient "-k" => "--use-kerberos=desired"

2021-07-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5909
Author: fcami
 Title: #5909: [Backport][ipa-4-9] ipatests: smbclient "-k" => 
"--use-kerberos=desired"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5909/head:pr5909
git checkout pr5909


[Freeipa-devel] [freeipa PR#5909][opened] [Backport][ipa-4-9] ipatests: smbclient "-k" => "--use-kerberos=desired"

2021-07-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5909
Author: fcami
 Title: #5909: [Backport][ipa-4-9] ipatests: smbclient "-k" => 
"--use-kerberos=desired"
Action: opened

PR body:
"""
Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami 
Reviewed-By: Michal Polovka 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5909/head:pr5909
git checkout pr5909
From ec3ca1860f249ee6e517c3a87767280221b0588f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Mon, 19 Jul 2021 15:59:01 +0200
Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=desired"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami 
Reviewed-By: Michal Polovka 
---
 ipatests/test_integration/test_smb.py | 23 +--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 399ad62099e..b2b7ce2e4ed 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -166,9 +166,28 @@ def smb_sanity_check(self, user, client_mountpoint, share):
 encoding='utf-8')
 assert file_contents_at_server == test_string
 
-# check access using smbclient utility
+# Detect whether smbclient uses -k or --use-kerberos=required
+# https://pagure.io/freeipa/issue/8926
+# then check access using smbclient.
 res = run_smb_client(
-['smbclient', '-k', share['unc'], '-c', 'dir'])
+[
+"smbclient",
+"-h",
+], raiseonerr=False
+)
+if "[-k|--kerberos]" in res.stderr_text:
+smbclient_krb5_knob = "-k"
+else:
+smbclient_krb5_knob = "--use-kerberos=desired"
+res = run_smb_client(
+[
+"smbclient",
+smbclient_krb5_knob,
+share["unc"],
+"-c",
+"dir",
+]
+)
 assert test_dir in res.stdout_text
 
 # check file and dir removal from client side
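Review bot: The added comment says the detection chooses between -k and --use-kerberos=required, but the else branch sets smbclient_krb5_knob to "--use-kerberos=desired". With desired, smbclient may fall back to another authentication method, so the "dir" check can pass without Kerberos having been used; if this test is meant to prove Kerberos access to the share, use required as the comment says, or fix the comment and state why fallback is acceptable. The probe also depends on the exact usage string "[-k|--kerberos]" appearing on stderr of "smbclient -h"; checking both stdout_text and stderr_text would make it less brittle.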


[Freeipa-devel] [freeipa PR#5907][closed] ipatests: smbclient "-k" => "--use-kerberos=required"

2021-07-20 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5907
Author: fcami
 Title: #5907: ipatests: smbclient "-k" => "--use-kerberos=required"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5907/head:pr5907
git checkout pr5907


[Freeipa-devel] [freeipa PR#5907][opened] ipatests: smbclient "-k" => "--use-kerberos=required"

2021-07-19 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5907
Author: fcami
 Title: #5907: ipatests: smbclient "-k" => "--use-kerberos=required"
Action: opened

PR body:
"""
As of Samba 4.15rc1, smbclient does not accept -k anymore.
The -k|--kerberos option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5907/head:pr5907
git checkout pr5907
From c973cb6fcc28930d13651ac66a0c23d6ce7344f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Mon, 19 Jul 2021 16:32:31 +0200
Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=required"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As of Samba 4.15rc1, smbclient does not accept -k anymore.
The -k|--kerberos option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_smb.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 399ad62099e..4e6efb687a7 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -168,7 +168,14 @@ def smb_sanity_check(self, user, client_mountpoint, share):
 
 # check access using smbclient utility
 res = run_smb_client(
-['smbclient', '-k', share['unc'], '-c', 'dir'])
+[
+"smbclient",
+"--use-kerberos=required",
+share["unc"],
+"-c",
+"dir",
+]
+)
 assert test_dir in res.stdout_text
 
 # check file and dir removal from client side
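Review bot: The smbclient call now passes "--use-kerberos=required" unconditionally, but per the commit message that option replaces -k only as of Samba 4.15rc1, so the test will fail on any platform still shipping an older smbclient. Either detect which option the installed smbclient supports, or state in the commit message that older Samba is no longer covered by this test. Choosing required rather than desired is the right strictness for a check that is supposed to exercise Kerberos.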


[Freeipa-devel] [freeipa PR#5852][opened] rpcserver.py: perf_counter_ns is Python 3.7+

2021-06-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5852
Author: fcami
 Title: #5852: rpcserver.py: perf_counter_ns is Python 3.7+
Action: opened

PR body:
"""
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.

Fixes: TBD
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5852/head:pr5852
git checkout pr5852
From 381c709c2ab437bad39923be3e2fdc37a1165491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 22 Jun 2021 20:18:07 +0200
Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.

Fixes: TBD
Signed-off-by: François Cami 
---
 ipaserver/rpcserver.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index b121316bf87..61225d7af28 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -31,6 +31,7 @@
 import time
 import traceback
 from io import BytesIO
+from sys import version_info
 from urllib.parse import parse_qs
 from xmlrpc.client import Fault
 
@@ -68,10 +69,13 @@
 
 from base64 import b64decode, b64encode
 from requests.auth import AuthBase
-
 if six.PY3:
 unicode = str
 
+# time.perf_counter_ns appeared in Python 3.7.
+if version_info.major == 3 and version_info.minor < 7:
+time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
+
 logger = logging.getLogger(__name__)
 
 HTTP_STATUS_SUCCESS = '200 Success'
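Review bot: The fallback assigns time.perf_counter_ns on the shared time module, which changes it for every module loaded in the same process, not only rpcserver.py. A module-local helper, chosen once with a small def (for example after testing hasattr(time, "perf_counter_ns")), avoids the global side effect and also avoids the lambda assignment that flake8 reports as E731. Two smaller points: int(time.perf_counter() * 10**9) goes through a float, so it does not give true nanosecond resolution, which deserves a word in the comment; and the hunk drops the blank line between the imports and "if six.PY3:".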


[Freeipa-devel] [freeipa PR#5638][closed] [Backport][ipa-4-9] ipa-client-install: output a warning if sudo is not present

2021-03-17 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5638
Author: rcritten
 Title: #5638: [Backport][ipa-4-9] ipa-client-install: output a warning if sudo 
is not present
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5638/head:pr5638
git checkout pr5638


[Freeipa-devel] [freeipa PR#5636][opened] ipa-client-install: output a warning if sudo is not present

2021-03-15 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5636
Author: fcami
 Title: #5636: ipa-client-install: output a warning if sudo is not present
Action: opened

PR body:
"""
Fixes: https://pagure.io/freeipa/issue/8530
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5636/head:pr5636
git checkout pr5636
From 80b0859d5130dd66f2a51963096d177513e8499a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Mon, 15 Mar 2021 16:55:08 +0100
Subject: [PATCH 1/2] ipa-client-install: output a warning if sudo is not
 present (2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
---
 ipaclient/install/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0e478fa26b7..9bdfbddafb2 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2205,7 +2205,7 @@ def install_check(options):
 # available.
 if options.conf_sudo:
 try:
-subprocess.Popen(['sudo -V'])
+subprocess.Popen(['sudo', '-V'])
 except FileNotFoundError:
 logger.info(
 "The sudo binary does not seem to be present on this "
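Review bot: subprocess.Popen(['sudo', '-V']) starts the child but never waits for it, so the process is not reaped and the sudo -V version banner is written to the installer's own stdout. Since only the presence of the binary matters here, shutil.which('sudo') would do the check without spawning anything; if executing it is preferred, use subprocess.run() with stdout and stderr sent to subprocess.DEVNULL. The commit message would also benefit from one sentence on what was wrong: the old single-element list ['sudo -V'] names a program that does not exist, so FileNotFoundError was raised even with sudo installed.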

From cb98e8e30a85aba8e0c7ae14d0d9a347d68f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Mon, 15 Mar 2021 17:00:05 +0100
Subject: [PATCH 2/2] ipatests: check for the "no sudo present" string absence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_installation.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index a50a59f1a9b..a5ff17a0d1e 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1620,3 +1620,5 @@ def test_install_sudo_on_client(self):
 tasks.install_packages(self.clients[0], ['sudo'])
 for pkg in ('sudo', 'libsss_sudo'):
 assert tasks.is_package_installed(self.clients[0], pkg)
+result = tasks.install_client(self.master, self.clients[0])
+assert self.no_sudo_str not in result.stderr_text
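Review bot: The new assertion only inspects result.stderr_text, while the warning in ipaclient/install/client.py is emitted through logger.info; if the logging setup ever routes that message elsewhere, the "not in" check passes vacuously. Checking result.stdout_text as well would keep this negative test meaningful.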


[Freeipa-devel] [freeipa PR#5607][opened] ipatests: fix nightly_latest_testing_selinux template

2021-03-05 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5607
Author: fcami
 Title: #5607: ipatests: fix nightly_latest_testing_selinux template
Action: opened

PR body:
"""
The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5607/head:pr5607
git checkout pr5607
From 1348729b5379e6f034d9f9584c847a58be65a6bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 4 Mar 2021 10:10:10 +0100
Subject: [PATCH] ipatests: fix nightly_latest_testing_selinux template
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
---
 ipatests/prci_definitions/nightly_latest_testing_selinux.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml b/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml
index 0bc1047df1d..bc6e60ac669 100644
--- a/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml
@@ -616,7 +616,7 @@ jobs:
 topology: *master_1repl
 
   testing-fedora/test_installation_TestInstallWithoutSudo:
-requires: [fedora-latest/build]
+requires: [testing-fedora/build]
 priority: 50
 job:
   class: RunPytest


[Freeipa-devel] [freeipa PR#5408][closed] upgrade.py: restart CS for 30 seconds until it is up

2021-02-18 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5408
Author: fcami
 Title: #5408: upgrade.py: restart CS for 30 seconds until it is up
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5408/head:pr5408
git checkout pr5408


[Freeipa-devel] [freeipa PR#5556][opened] ipatests: various enhancement to hidden replica tests

2021-02-15 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5556
Author: fcami
 Title: #5556: ipatests: various enhancement to hidden replica tests
Action: opened

PR body:
"""
https://github.com/freeipa/freeipa/pull/5183 redux. I cannot reopen the 
original PR because the branch was force-pushed.

+
ipatests: add wait_for_ipa_to_start

wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.

Related: https://pagure.io/freeipa/issue/8534
+
ipatests: hiddenreplica:  use wait_for_ipa_to_start after restore

Use wait_for_ipa_to_start to wait until the restored replica is online.

Related: https://pagure.io/freeipa/issue/8534
+
ipatests: use wait_for_replication for hidden replica checks

Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/8534
+
ipatests: hidden replica: misc fixes

Split a test in two and add additional fixes.

Related: https://pagure.io/freeipa/issue/8534
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5556/head:pr5556
git checkout pr5556
From e76116f4341f7c30ce56f3e2b9bbe321fd46f509 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 9 Feb 2021 07:46:35 +0200
Subject: [PATCH 1/7] ipatests: tasks.py: add wait_for_ipa_to_start
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 2fe78367fce..6b00183d14c 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -47,6 +47,7 @@
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.backends import default_backend
+from datetime import datetime, timedelta
 
 from ipapython import certdb
 from ipapython import ipautil
@@ -2533,6 +2534,27 @@ def get_healthcheck_version(host):
 return healthcheck_version
 
 
+def wait_for_ipa_to_start(host, timeout=60):
+"""Wait up to timeout seconds for ipa to start on a given host.
+
+If DS is restarted, and SSSD must be online, please consider using
+wait_for_sssd_domain_status_online(host) in the test after calling
+this method.
+"""
+pattern = 'STOPPED'
+interval = 1
+end_time = datetime.now() + timedelta(seconds=timeout)
+for _i in range(0, timeout, interval):
+if datetime.now() > end_time:
+raise RuntimeError("Request timed out")
+time.sleep(interval)
+result = host.run_command(
+[paths.IPACTL, "status"]
+)
+if pattern not in result.stdout_text:
+break
+
+
 def run_ssh_cmd(
 from_host=None, to_host=None, username=None, cmd=None,
 auth_method=None, password=None, private_key_path=None,
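Review bot: wait_for_ipa_to_start returns normally when the for loop runs out of iterations, so a host whose services are still STOPPED after timeout polls is reported as started; the RuntimeError is only raised when the wall-clock check happens to fire first. Use a single while loop on end_time and raise once it has passed. Two related points: host.run_command([paths.IPACTL, "status"]) is called without raiseonerr=False, so a non-zero exit from ipactl while services are down would raise on the first poll instead of retrying; and treating the absence of 'STOPPED' as success also accepts empty or error output, so checking that RUNNING is present would be safer.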

From 0dd1014a4e7b9b196099ec5b1b26af199f9db28d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 9 Feb 2021 08:36:33 +0200
Subject: [PATCH 2/7] ipatests: tasks.py: add dns_update_system_records
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a frontend to "ipa dns-update-system-records" to tasks.py.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 6b00183d14c..79701aa97ed 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2555,6 +2555,16 @@ def wait_for_ipa_to_start(host, timeout=60):
 break
 
 
+def dns_update_system_records(host):
+"""Runs "ipa dns-update-system-records" on "host".
+"""
+kinit_admin(host)
+result = host.run_command(
+["ipa", "dns-update-system-records"]
+)
+return result
+
+
 def run_ssh_cmd(
 from_host=None, to_host=None, username=None, cmd=None,
 auth_method=None, password=None, private_key_path=None,
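Review bot: dns_update_system_records calls kinit_admin(host) unconditionally, so the helper changes the Kerberos credentials active on the host as a side effect; the docstring should say so, or the kinit should be left to the caller. The `result` temporary can go as well: `return host.run_command(["ipa", "dns-update-system-records"])`.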

From 4a247ece343ef02a4a40513a31d17d2ff0f53325 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 10 Feb 2021 06:50:17 +0200
Subject: [PATCH 3/7] ipatests: hiddenreplica:  use wait_for_ipa_to_start after
 restore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use wait_for_ipa_to_start to wait until the restored 

[Freeipa-devel] [freeipa PR#5533][opened] [Backport][ipa-4-9] freeipa.spec.in: client: depend on libsss_sudo

2021-02-08 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5533
Author: fcami
 Title: #5533: [Backport][ipa-4-9] freeipa.spec.in: client: depend on 
libsss_sudo
Action: opened

PR body:
"""
MANUAL BACKPORT of https://github.com/freeipa/freeipa/pull/5176

On 10.10+ releases of Dogtag, the PKI installer will not depend on sudo 
anymore. This opens the possibility of creating IPA servers without a properly 
configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed in most 
cases, so: add a weak dependency on libsss_sudo to freeipa-client.

Fixes: https://pagure.io/freeipa/issue/8530

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5533/head:pr5533
git checkout pr5533
From 2b49299b73cd9ef338fc5515cfb07e04b1709e53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 11 Dec 2020 07:35:59 +0200
Subject: [PATCH 1/4] ipatests: add TestInstallWithoutSudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Test IPA servers and clients behavior when sudo is not installed.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
Reviewed-By: Alexander Bokovoy 
Reviewed-By: Armando Neto 
Reviewed-By: Michal Polovka 
---
 .../nightly_ipa-4-9_latest.yaml   | 12 
 .../nightly_ipa-4-9_latest_selinux.yaml   | 15 -
 .../nightly_ipa-4-9_previous.yaml | 13 
 .../test_integration/test_installation.py | 66 +++
 4 files changed, 105 insertions(+), 1 deletion(-)

diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 3acd6a13c81..d91b16cab82 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -535,6 +535,18 @@ jobs:
 timeout: 10800
 topology: *master_1repl
 
+  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+requires: [fedora-latest-ipa-4-9/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest-ipa-4-9/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+template: *ci-ipa-4-9-latest
+timeout: 4800
+topology: *master_1repl_1client
+
   fedora-latest-ipa-4-9/test_idviews:
 requires: [fedora-latest-ipa-4-9/build]
 priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index c01192cf5ae..e4bec2cb3ff 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -575,9 +575,22 @@ jobs:
 timeout: 10800
 topology: *master_1repl
 
-  fedora-latest-ipa-4-9/test_idviews:
+  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
 requires: [fedora-latest-ipa-4-9/build]
 priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest-ipa-4-9/build_url}'
+selinux_enforcing: True
+test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+template: *ci-ipa-4-9-latest
+timeout: 4800
+topology: *master_1repl_1client
+
+  fedora-latest/test_idviews:
+requires: [fedora-latest/build]
+priority: 50
 job:
   class: RunADTests
   args:
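Review bot: The last three added lines rename an existing job: the removed key is `fedora-latest-ipa-4-9/test_idviews`, but the key added back is `fedora-latest/test_idviews` with `requires: [fedora-latest/build]`. Every other job visible in this ipa-4-9 definition uses the `fedora-latest-ipa-4-9/` prefix, so test_idviews would now require a build job that none of the visible jobs reference. This looks like a slip while resolving the backport; keep `fedora-latest-ipa-4-9/test_idviews` and `requires: [fedora-latest-ipa-4-9/build]`.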
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index a6ea24f6a88..a1f38deb1e1 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -535,6 +535,19 @@ jobs:
 timeout: 10800
 topology: *master_1repl
 
+  fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
+requires: [fedora-previous-ipa-4-9/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{testing-fedora/build_url}'
+update_packages: True
+test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+template: *ci-ipa-4-9-previous
+timeout: 4800
+topology: *master_1repl_1client
+
   fedora-previous-ipa-4-9/test_idviews:
 requires: [fedora-previous-ipa-4-9/build]
 priority: 50
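Review bot: In the new fedora-previous-ipa-4-9 job, `build_url: '{testing-fedora/build_url}'` does not match `requires: [fedora-previous-ipa-4-9/build]`; the build URL should come from the job that is required, '{fedora-previous-ipa-4-9/build_url}'. `update_packages: True` is also set here but not in the equivalent job added to nightly_ipa-4-9_latest.yaml; if it is a leftover from another template, drop it, otherwise explain it in the commit message.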
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index fca8860d9b9..1cd62c74f55 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1537,3 +1537,69 @@ def test_replica_install_against_server(self):
 self.replicas[0].hostname],
stdin_text=dirman_password)
 assert self.replicas[0].hostname not in cmd.stdout_text
+
+
+class 

[Freeipa-devel] [freeipa PR#5472][opened] Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.

2021-01-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5472
Author: fcami
 Title: #5472: Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
Action: opened

PR body:
"""
Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
Original commit message:

ipaCASubjectDN is used by lightweight sub CA feature.

ipaExternalMember is used by KRB driver to assemble MS-PAC records.

ipaNTSecurityIdentifier was only indexed for "pres" and was missing an
index on "eq". Samba and ipasam perform queries with SID string.

memberPrincipal is used by S4U2Proxy constrained delegation and by
ipa-custodia.

Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and
ipaKeyUsage are currently not indexed because an index would rarely be used
or have a poor selectivity.

Signed-off-by: Christian Heimes 


The ipaNTSecurityIdentifier entry was missing in ipa-4-6 and is
added by this commit.

Fixes: https://pagure.io/freeipa/issue/8677
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5472/head:pr5472
git checkout pr5472
From b9fcb97dd0f0aef2b9618b217768a8a6f0657699 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 22 Jan 2021 14:35:59 +0200
Subject: [PATCH] Add more indices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
Original commit message:

ipaCASubjectDN is used by lightweight sub CA feature.

ipaExternalMember is used by KRB driver to assemble MS-PAC records.

ipaNTSecurityIdentifier was only indexed for "pres" and was missing an
index on "eq". Samba and ipasam perform queries with SID string.

memberPrincipal is used by S4U2Proxy constrained delegation and by
ipa-custodia.

Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and
ipaKeyUsage are currently not indexed because an index would rarely be used
or have a poor selectivity.

Signed-off-by: Christian Heimes 


The ipaNTSecurityIdentifier entry was missing in ipa-4-6 and is
added by this commit.

Fixes: https://pagure.io/freeipa/issue/8677
Signed-off-by: François Cami 
---
 install/updates/20-indices.update | 29 +
 1 file changed, 29 insertions(+)

diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 6798f50c807..9c0a6552cf5 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -380,3 +380,32 @@ default: objectClass: top
 default: objectClass: nsIndex
 default: nsSystemIndex: false
 default: nsIndexType: eq
+
+dn: cn=ipaCASubjectDN,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaCASubjectDN
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
+dn: cn=ipaExternalMember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaExternalMember
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
+dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: memberPrincipal
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+
+dn: cn=ipaNTSecurityIdentifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only: cn: ipaNTSecurityIdentifier
+default: objectClass: top
+default: objectClass: nsIndex
+default: nsSystemIndex: false
+add: nsIndexType: eq
+add: nsIndexType: pres
\ No newline at end of file
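Review bot: The three new entries for ipaCASubjectDN, ipaExternalMember and memberPrincipal are written as `only:cn:` and `default:objectClass:` with no space after the action keyword, while the ipaNTSecurityIdentifier entry and the unchanged context lines use `default: objectClass:`. Use one spelling throughout, matching the existing file. The file also now ends without a trailing newline after `add: nsIndexType: pres`; add one so later appends produce clean diffs.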
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#5451][opened] ipatests: test_ipahealthcheck: fix division

2021-01-19 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5451
Author: fcami
 Title: #5451: ipatests: test_ipahealthcheck: fix division
Action: opened

PR body:
"""
df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5451/head:pr5451
git checkout pr5451
From d852e1da496fbc64f994e9d46d6740d44bfe3cdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 19 Jan 2021 15:25:44 +0100
Subject: [PATCH 1/2] ipatests: test_ipahealthcheck: fix division
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.

Signed-off-by: François Cami 
---
 ipatests/test_integration/test_ipahealthcheck.py | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 92ad1860e17..9cd0b250fa3 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1952,8 +1952,10 @@ def create_jumbo_file(self):
 
 path = os.path.join('/tmp', str(uuid.uuid4()))
 # CI has a single big disk so we may end up allocating most of it.
-result = self.master.run_command(['df', '--output=avail', '/tmp'])
-free = (int(result.stdout_text.split('\n')[1]) // 1000) - 50
+result = self.master.run_command(
+['df', '--block-size=1024', '--output=avail', '/tmp']
+)
+free = (int(result.stdout_text.split('\n')[1]) // 1024) - 50
 self.master.run_command(['fallocate', '-l', '%dMiB' % free, path])
 
 yield
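Review bot: `free` is not checked before it is passed to fallocate: on a host with less than 50 MiB available in /tmp, `(avail // 1024) - 50` is zero or negative and `'%dMiB' % free` becomes an invalid length. Skip or fail the fixture with a clear message when free <= 0. Taking `split('\n')[1]` also relies on df printing exactly one header line before the value; a short comment saying so would help the next reader.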

From d039379a2a078b130de298b669bee0e8c4973216 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 19 Jan 2021 15:30:41 +0100
Subject: [PATCH 2/2] temp commit

---
 .freeipa-pr-ci.yaml|  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 43 --
 2 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b634..80656690080 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
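Review bot: The "temp commit" patch must be dropped before merge: with .freeipa-pr-ci.yaml pointing at ipatests/prci_definitions/temp_commit.yaml instead of gating.yaml, PR-CI would use the temporary job list rather than the gating definitions. The patch also has no message body and no Signed-off-by line, unlike patch 1/2.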
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index b297cd4e319..65af2a8dd54 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,51 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_ipahealthcheck:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck
 template: *ci-master-latest
 timeout: 3600
-topology: *master_1repl_1client
+topology: *master_1repl
+
+  fedora-latest/test_ipahealthcheck_nodns_extca_file:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA test_integration/test_ipahealthcheck.py::TestIpaHealthCheckFileCheck
+template: *ci-master-latest
+timeout: 5400
+topology: *master_1repl
+
+  fedora-latest/test_ipahealthcheck_cli_fsspace:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCLI test_integration/test_ipahealthcheck.py::TestIpaHealthCheckFilesystemSpace
+template: *ci-master-latest
+timeout: 3600
+topology: *master_1repl
+
+  fedora-latest/test_ipahealthcheck_adtrust:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunADTests
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust
+template: *ci-master-latest
+timeout: 4800
+topology: *adroot_adchild_adtree_master_1client
+

[Freeipa-devel] [freeipa PR#5408][opened] upgrade.py: restart CS for 30 seconds until it is up

2021-01-07 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5408
Author: fcami
 Title: #5408: upgrade.py: restart CS for 30 seconds until it is up
Action: opened

PR body:
"""
Restart CS as many times as necessary within a 30-second window
to wait for DS to be ready.

Fixes: https://pagure.io/freeipa/issue/8645

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5408/head:pr5408
git checkout pr5408
From b5bd03194ff1b4cd5cdda71075904e9c074ea989 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 5 Jan 2021 15:47:31 +0100
Subject: [PATCH 1/2] upgrade.py: check that CS successfully restarted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check that the CA was properly restarted before
migrating profiles.

Fixes: https://pagure.io/freeipa/issue/8645
Signed-off-by: François Cami 
---
 ipaserver/install/server/upgrade.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index af8eb458f3f..aa385b399d5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -429,7 +429,10 @@ def ca_enable_ldap_profile_subsystem(ca):
 quotes=False,
 separator='=')
 
-ca.restart('pki-tomcat')
+try:
+ca.restart('pki-tomcat')
+except ipautil.CalledProcessError as e:
+logger.error("Failed to restart %s: %s", ca.service_name, e)
 
 logger.info('[Migrating certificate profiles to LDAP]')
 cainstance.migrate_profiles_to_ldap()
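Review bot: The except branch only logs the failed pki-tomcat restart and then falls through to cainstance.migrate_profiles_to_ldap(), so the migration still runs against a CA that did not come back. That does not match the commit message, which says the restart is checked before migrating profiles. Abort or re-raise after logging, or skip the migration when the restart failed.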

From 225e8956eb74f99ad512e3931745eb487fb31833 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 7 Jan 2021 17:32:25 +0100
Subject: [PATCH 2/2] upgrade.py: restart CS for 30 seconds until it is up
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restart CS as many times as necessary within a 30-second window
to wait for DS to be ready.

Fixes: https://pagure.io/freeipa/issue/8645
Signed-off-by: François Cami 
---
 ipaserver/install/server/upgrade.py | 31 +
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index aa385b399d5..060818a8962 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -16,7 +16,10 @@
 import stat
 import sys
 import tempfile
+import time
+
 from contextlib import contextmanager
+from datetime import datetime
 from augeas import Augeas
 
 from ipalib import api, x509
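Review bot: `from datetime import datetime` imports only the class, but the loop added later in this patch calls `datetime.timedelta(seconds=30)`, which raises AttributeError on that class at the moment the timeout is evaluated. Import timedelta too (`from datetime import datetime, timedelta`) and call `timedelta(seconds=30)`. The blank line added after `import time` also splits the standard-library import group.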
@@ -429,10 +432,30 @@ def ca_enable_ldap_profile_subsystem(ca):
 quotes=False,
 separator='=')
 
-try:
-ca.restart('pki-tomcat')
-except ipautil.CalledProcessError as e:
-logger.error("Failed to restart %s: %s", ca.service_name, e)
+logger.info(
+'pki-tomcat configuration changed, restart pki-tomcat'
+)
+cur_date = datetime.now()
+ca_is_running = ca.is_running()
+retries = 0
+while not ca_is_running:
+time.sleep(5)
+try:
+retries += 1
+ca.restart('pki-tomcat')
+except ipautil.CalledProcessError as e:
+if datetime.now() > cur_date + datetime.timedelta(seconds=30):
+logger.error(
+"Failed to restart %s: %s after %s retries",
+ca.service_name, e, retries
+)
+sys.exit(1)
+logger.info(
+"Failed to restart %s: %s, retrying.",
+ca.service_name, e
+)
+if ca.is_running():
+break
 
 logger.info('[Migrating certificate profiles to LDAP]')
 cainstance.migrate_profiles_to_ldap()
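Review bot: The restart is now skipped when the CA is already running: `while not ca_is_running` never executes in that case, although the configuration was just changed and the removed code restarted pki-tomcat unconditionally. Restart once first, then poll. The 30-second limit is also only evaluated inside the except branch, so a restart that returns without error while ca.is_running() stays false loops with no deadline; move the deadline check into the loop condition. `ca_is_running` is never updated inside the loop, and the 5-second sleep runs before the first restart attempt.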


[Freeipa-devel] [freeipa PR#5366][opened] set SELinux back to Permissive in gating.xml

2020-12-18 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5366
Author: fcami
 Title: #5366: set SELinux back to Permissive in gating.xml
Action: opened

PR body:
"""
https://github.com/freeipa/freeipa/pull/5362 was merged with a commit meant to 
test the changes with gating in Enforcing mode, not to be merged.

Whether we want to have gating in Enforcing mode has not been discussed with 
the team.
I'm in favor of it but right before a release might not be the best time to do 
so.

Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5366/head:pr5366
git checkout pr5366
From 1e7fd34239fe46ea1fac38c6384e37c7ee06c466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 18 Dec 2020 21:18:19 +0100
Subject: [PATCH] set SELinux back to Permissive in gating.xml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 ipatests/prci_definitions/gating.yaml | 23 ---
 1 file changed, 23 deletions(-)

diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 7488d32000b..375d8968167 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -41,7 +41,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_installation.py::TestInstallMaster
 template: *ci-master-latest
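Review bot: The subject names gating.xml, but the file changed is ipatests/prci_definitions/gating.yaml, and the commit message has no body: the reason for dropping `selinux_enforcing: True` from each gating job appears only in the PR description. Correct the file name in the subject and move the explanation, including the reference to pull 5362, into the commit message so it survives in the history.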
@@ -54,7 +53,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_simple_replication.py
 template: *ci-master-latest
@@ -67,7 +65,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
 template: *ci-master-latest
@@ -80,7 +77,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
 template: *ci-master-latest
@@ -93,7 +89,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
 template: *ci-master-latest
@@ -106,7 +101,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
 template: *ci-master-latest
@@ -119,7 +113,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_topologies.py
 template: *ci-master-latest
@@ -132,7 +125,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_sudo.py
 template: *ci-master-latest
@@ -145,7 +137,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_commands.py
 template: *ci-master-latest
@@ -158,7 +149,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_kerberos_flags.py
 template: *ci-master-latest
@@ -171,7 +161,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_forced_client_reenrollment.py
 template: *ci-master-latest
@@ -184,7 +173,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_advise.py
 template: *ci-master-latest
@@ -197,7 +185,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_testconfig.py
 template: *ci-master-latest
@@ -210,7 +197,6 @@ jobs:
 job:
   class: RunPytest
   args:
-selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: 

[Freeipa-devel] [freeipa PR#5343][closed] PR-CI templates: add test_integration/test_installation_client.py

2020-12-16 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5343
Author: fcami
 Title: #5343: PR-CI templates: add test_integration/test_installation_client.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5343/head:pr5343
git checkout pr5343


[Freeipa-devel] [freeipa PR#5343][opened] PR-CI templates: add test_integration/test_installation_client.py

2020-12-15 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5343
Author: fcami
 Title: #5343: PR-CI templates: add test_integration/test_installation_client.py
Action: opened

PR body:
"""
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5343/head:pr5343
git checkout pr5343
From 0ba1323e1ec535e3d0d8e4d593e2b7a6566e492a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 15 Dec 2020 12:46:48 +0100
Subject: [PATCH] PR-CI templates: add
 test_integration/test_installation_client.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: François Cami 
---
 ipatests/prci_definitions/nightly_latest.yaml  | 12 
 .../prci_definitions/nightly_latest_389ds.yaml | 13 +
 ipatests/prci_definitions/nightly_latest_pki.yaml  | 13 +
 .../prci_definitions/nightly_latest_selinux.yaml   | 13 +
 .../prci_definitions/nightly_latest_testing.yaml   | 13 +
 .../nightly_latest_testing_selinux.yaml| 14 ++
 ipatests/prci_definitions/nightly_previous.yaml| 12 
 7 files changed, 90 insertions(+)

diff --git a/ipatests/prci_definitions/nightly_latest.yaml b/ipatests/prci_definitions/nightly_latest.yaml
index 60c69e0ed07..411edbede24 100644
--- a/ipatests/prci_definitions/nightly_latest.yaml
+++ b/ipatests/prci_definitions/nightly_latest.yaml
@@ -1100,6 +1100,18 @@ jobs:
 timeout: 7200
 topology: *master_1repl_1client
 
+  fedora-latest/test_installation_client:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation_client.py
+template: *ci-master-latest
+timeout: 3600
+topology: *master_3client
+
   fedora-latest/test_user_permissions:
 requires: [fedora-latest/build]
 priority: 50
diff --git a/ipatests/prci_definitions/nightly_latest_389ds.yaml b/ipatests/prci_definitions/nightly_latest_389ds.yaml
index 10590764deb..08f4f28f5d4 100644
--- a/ipatests/prci_definitions/nightly_latest_389ds.yaml
+++ b/ipatests/prci_definitions/nightly_latest_389ds.yaml
@@ -508,6 +508,19 @@ jobs:
 timeout: 7200
 topology: *master_1repl_1client
 
+  389ds-fedora/test_installation_client:
+requires: [389ds-fedora/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{389ds-fedora/build_url}'
+update_packages: True
+test_suite: test_integration/test_installation_client.py
+template: *389ds-master-latest
+timeout: 3600
+topology: *master_3client
+
   389ds-fedora/customized_ds_config_install:
 requires: [389ds-fedora/build]
 priority: 50
diff --git a/ipatests/prci_definitions/nightly_latest_pki.yaml b/ipatests/prci_definitions/nightly_latest_pki.yaml
index 4d77507e7fc..d5aa92471b1 100644
--- a/ipatests/prci_definitions/nightly_latest_pki.yaml
+++ b/ipatests/prci_definitions/nightly_latest_pki.yaml
@@ -707,6 +707,19 @@ jobs:
 timeout: 7200
 topology: *master_1repl_1client
 
+  pki-fedora/test_installation_client:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{pki-fedora/build_url}'
+update_packages: True
+test_suite: test_integration/test_installation_client.py
+template: *pki-master-latest
+timeout: 3600
+topology: *master_3client
+
   pki-fedora/test_webui_cert:
 requires: [pki-fedora/build]
 priority: 50
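Review bot: `pki-fedora/test_installation_client` has `requires: [fedora-latest/build]` while its build_url is '{pki-fedora/build_url}' and the neighbouring pki-fedora/test_webui_cert job requires [pki-fedora/build]. Change the new job to `requires: [pki-fedora/build]` so it waits for the build whose URL it consumes.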
diff --git a/ipatests/prci_definitions/nightly_latest_selinux.yaml b/ipatests/prci_definitions/nightly_latest_selinux.yaml
index e35b5628059..8a1b44181ab 100644
--- a/ipatests/prci_definitions/nightly_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_latest_selinux.yaml
@@ -1187,6 +1187,19 @@ jobs:
 timeout: 7200
 topology: *master_1repl_1client
 
+  fedora-latest/test_installation_client:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+selinux_enforcing: True
+test_suite: test_integration/test_installation_client.py
+template: *ci-master-latest
+timeout: 3600
+topology: *master_3client
+
   fedora-latest/test_user_permissions:
 requires: [fedora-latest/build]
 priority: 50
diff --git a/ipatests/prci_definitions/nightly_latest_testing.yaml b/ipatests/prci_definitions/nightly_latest_testing.yaml
index f5c0c191070..cdf4886bd37 100644
--- a/ipatests/prci_definitions/nightly_latest_testing.yaml
+++ b/ipatests/prci_definitions/nightly_latest_testing.yaml
@@ -1187,6 +1187,19 @@ jobs:
 

[Freeipa-devel] [freeipa PR#5341][opened] ipa-client-install: unilaterally set dns_lookup_kdc to True

2020-12-15 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5341
Author: fcami
 Title: #5341: ipa-client-install: unilaterally set dns_lookup_kdc to True
Action: opened

PR body:
"""
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into  /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5341/head:pr5341
git checkout pr5341
From c3d2da66bcf0eaf6a97dc61f0a9c30a7b3c88b59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 15 Dec 2020 09:50:57 +0100
Subject: [PATCH] ipa-client-install: unilaterally set dns_lookup_kdc to True
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into  /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami 
---
 ipaclient/install/client.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abb6bd30475..37d623f703a 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -693,16 +693,15 @@ def configure_krb5_conf(
 if not dnsok or not cli_kdc or force:
 libopts.extend([
 krbconf.setOption('dns_lookup_realm', 'false'),
-krbconf.setOption('dns_lookup_kdc', 'false')
 ])
 else:
 libopts.extend([
 krbconf.setOption('dns_lookup_realm', 'true'),
-krbconf.setOption('dns_lookup_kdc', 'true')
 ])
 libopts.extend([
 krbconf.setOption('rdns', 'false'),
 krbconf.setOption('dns_canonicalize_hostname', 'false'),
+krbconf.setOption('dns_lookup_kdc', 'true'),
 krbconf.setOption('ticket_lifetime', '24h'),
 krbconf.setOption('forwardable', 'true'),
 krbconf.setOption('udp_preference_limit', '0')
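Review bot: moving `krbconf.setOption('dns_lookup_kdc', 'true')` into the unconditional `libopts.extend([...])` block means the `if not dnsok or not cli_kdc or force:` branch now writes `dns_lookup_realm = false` together with `dns_lookup_kdc = true`, so a client enrolled with an explicit KDC or with `force` will also accept KDC locations learned from DNS SRV records. That is a behaviour change for sites that disabled discovery on purpose, and the hunk gives them no way to opt out. Add a comment at the new line stating why the option sits outside the conditional, mention the change in the ipa-client-install documentation, and add a test asserting the written value in both branches.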


[Freeipa-devel] [freeipa PR#5196][closed] ipatests: invoke JRE with -Djava.security.debug=access:failure

2020-12-10 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5196
Author: fcami
 Title: #5196: ipatests: invoke JRE with -Djava.security.debug=access:failure
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5196/head:pr5196
git checkout pr5196


[Freeipa-devel] [freeipa PR#5313][opened] Gracefully handle Nsds5replicalastupdateend's absence

2020-12-02 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5313
Author: fcami
 Title: #5313: Gracefully handle Nsds5replicalastupdateend's absence
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/8605

ipa-replica-manage: handle missing attributes
If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.

ipa-replica-manage: always display nsds5replicalastinitstatus
If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.

ipalib/util.py: add print_replication_status

ipa-csreplica-manage, ipa-replica-manage: refactor

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5313/head:pr5313
git checkout pr5313
From 97e013bd3febdf9b2b2e9a22564c0c7e86b58e34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 1 Dec 2020 14:50:17 +0200
Subject: [PATCH 1/4] ipa-replica-manage: always display
 nsds5replicalastinitstatus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami 
---
 install/tools/ipa-replica-manage.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in
index a29c550d204..1486ada4265 100644
--- a/install/tools/ipa-replica-manage.in
+++ b/install/tools/ipa-replica-manage.in
@@ -238,8 +238,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
 
 if verbose:
 initstatus = entry.single_value.get('nsds5replicalastinitstatus')
+print("  last init status: %s" % initstatus)
 if initstatus is not None:
-print("  last init status: %s" % initstatus)
 print("  last init ended: %s" % str(
 ipautil.parse_generalized_time(
 entry.single_value['nsds5replicalastinitend'])))
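Review bot: inside the `if initstatus is not None:` block, `entry.single_value['nsds5replicalastinitend']` is still a direct subscript, so an agreement that has a last init status but no `nsds5replicalastinitend` yet will raise KeyError; read it with `.get()` and test the value before calling `parse_generalized_time`. With the `print` moved above the check, a never-initialised agreement now shows `last init status: None`; a word such as "unknown" would read better for the end user the commit message has in mind.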

From 7c985d146f6d5b53e09f3aee9f1c072ac0af0617 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 1 Dec 2020 15:00:24 +0200
Subject: [PATCH 2/4] ipa-replica-manage: handle missing attributes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.

Fixes: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami 
---
 install/tools/ipa-replica-manage.in | 18 --
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in
index 1486ada4265..2a77a404d83 100644
--- a/install/tools/ipa-replica-manage.in
+++ b/install/tools/ipa-replica-manage.in
@@ -242,12 +242,18 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
 if initstatus is not None:
 print("  last init ended: %s" % str(
 ipautil.parse_generalized_time(
-entry.single_value['nsds5replicalastinitend'])))
-print("  last update status: %s" % entry.single_value.get(
-'nsds5replicalastupdatestatus'))
-print("  last update ended: %s" % str(
-ipautil.parse_generalized_time(
-entry.single_value['nsds5replicalastupdateend'])))
+entry.single_value['nsds5replicalastinitend']))
+)
+updatestatus = entry.single_value.get(
+'nsds5replicalastupdatestatus'
+)
+print("  last update status: %s" % updatestatus)
+if updatestatus is not None:
+print("  last update ended: %s" % str(
+ipautil.parse_generalized_time(
+entry.single_value['nsds5replicalastupdateend']
+))
+)
 
 
 def del_link(realm, replica1, replica2, dirman_passwd, force=False):
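Review bot: the new `if updatestatus is not None:` guard tests `nsds5replicalastupdatestatus`, but the attribute the commit message describes as missing is `nsds5replicalastupdateend`, which is still read with `entry.single_value['nsds5replicalastupdateend']`. If the status is present and the end time is not, the backtrace remains. Fetch the end time with `.get()` and guard on that value instead; the same applies to `nsds5replicalastinitend` a few lines above.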

From bd9feafde9a335a715288728cac55d46a1d64ea9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 2 Dec 2020 12:12:11 +0100
Subject: [PATCH 3/4] ipalib/util.py: add print_replication_status
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 ipalib/util.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index e3a510fc7a3..3791c1f0365 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -65,6 +65,7 @@
 from 

[Freeipa-devel] [freeipa PR#5198][opened] tox.ini: Extend max-line-length from 80 to 88+

2020-10-15 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5198
Author: fcami
 Title: #5198: tox.ini: Extend max-line-length from 80 to 88+
Action: opened

PR body:
"""
Change tox.ini's 80c character limit to 88.
- 88 is the limit for a font size of 14 on a FHD (1920x1200) screen
  with two editors side-by-side.
- A too-high number can become an issue for potential contributors
  with eyesight problems. So we want to avoid that.

Fixes: https://pagure.io/freeipa/issue/8546
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5198/head:pr5198
git checkout pr5198
From 1b8f76644e1bb34c8d8df881725122b97753dfd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 15 Oct 2020 15:30:00 +0200
Subject: [PATCH] tox.ini: Extend max-line-length from 80 to 88+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change tox.ini's 80c character limit to 88.
- 88 is the limit for a font size of 14 on a FHD (1920x1200) screen
  with two editors side-by-side.
- A too-high number can become an issue for potential contributors
  with eyesight problems. So we want to avoid that.

Fixes: https://pagure.io/freeipa/issue/8546
Signed-off-by: François Cami 
---
 tox.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index 8ae432988d..d6bb59e2f5 100644
--- a/tox.ini
+++ b/tox.ini
@@ -56,6 +56,6 @@ commands=
 # E731 do not assign a lambda expression
 # E741 ambiguous variable name 'l'
 ignore = E203, E402, E231, W503, E731, E741
-max-line-length = 80
+max-line-length = 88
 # exclude auto-generated remote plugins
 exclude=.git,.venv,build,_build,rpmbuild,2_49,2_114,2_156,2_164
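Review bot: `max-line-length = 88` is an exact limit, while the subject line says "88+"; drop the plus sign or state the intended upper bound so the commit matches the value. A one-line comment above the setting recording why 88 was chosen (the side-by-side editor rationale from the commit message) would keep the reasoning next to the number.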


[Freeipa-devel] [freeipa PR#5196][opened] ipatests: invoke JRE with -Djava.security.debug=access:failure

2020-10-13 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5196
Author: fcami
 Title: #5196: ipatests: invoke JRE with -Djava.security.debug=access:failure
Action: opened

PR body:
"""
ipatests: invoke JRE with -Djava.security.debug=access:failure

DO NOT MERGE.
https://github.com/dogtagpki/pki/issues/3299


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5196/head:pr5196
git checkout pr5196
From 743114ada5bbc710f59e3e083f253e6321037c63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 13 Oct 2020 19:03:25 +0200
Subject: [PATCH 1/2] temp commit

---
 .freeipa-pr-ci.yaml|   2 +-
 ipatests/prci_definitions/temp_commit.yaml | 368 -
 2 files changed, 365 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
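Review bot: replacing `ipatests/prci_definitions/gating.yaml` with `ipatests/prci_definitions/temp_commit.yaml` points PR-CI away from the gating suite for this branch, and the commit ("temp commit") carries no body. State in the commit message that it must be dropped before merge, so the gating definition cannot be lost if the series is rebased or squashed.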
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index ef2e4bfa90..445784b329 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,374 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_01:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
 template: *ci-master-latest
-timeout: 3600
-topology: *master_1repl_1client
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_02:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_03:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_04:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_05:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_06:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_07:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_08:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-latest
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-latest/test_installation_TestInstallWithCA_KRA1_09:
+requires: [fedora-latest/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+
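Review bot: the added jobs `test_installation_TestInstallWithCA_KRA1_01` through `_09` are copies that differ only in the numeric suffix, each with `timeout: 10800` and `topology: *master_3repl_1client`. If the goal is to repeat one suite to catch an intermittent failure, say so in the commit message, and factor the shared `job:` body into a YAML anchor (the file already uses anchors such as `*ci-master-latest`) so the copies cannot drift apart.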

[Freeipa-devel] [freeipa PR#5184][opened] ipatests: run freeipa-healthcheck on hidden replica

2020-10-08 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5184
Author: fcami
 Title: #5184: ipatests: run freeipa-healthcheck on hidden replica
Action: opened

PR body:
"""
Make sure freeipa-healthcheck can run on FreeIPA clusters with hidden replica.

Fixes: https://pagure.io/freeipa/issue/8536

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5184/head:pr5184
git checkout pr5184
From da9554a6ae085f86efa02d589cdb26087ee649f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 8 Oct 2020 17:47:34 +0200
Subject: [PATCH 1/2] ipatests: run freeipa-healthcheck on hidden replica
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make sure freeipa-healthcheck can run on FreeIPA clusters with
hidden replica.

Fixes: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami 
---
 .../test_replica_promotion.py | 20 ---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index f0b72e1f8e..9d6ec5f993 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -11,13 +11,16 @@
 import pytest
 
 from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_ipahealthcheck import run_healthcheck
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.pytest_ipa.integration.tasks import (
-assert_error, replicas_cleanup)
+assert_error, replicas_cleanup
+)
 from ipatests.pytest_ipa.integration.firewall import Firewall
 from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipalib.constants import (
-DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME)
+DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME
+)
 from ipaplatform.paths import paths
 from ipapython import certdb
 from ipatests.test_integration.test_dns_locations import (
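Review bot: `from ipatests.test_integration.test_ipahealthcheck import run_healthcheck` makes one test module import another, so importing this file also runs that module's top-level code and ties the two suites together. Moving `run_healthcheck` into `ipatests.pytest_ipa.integration.tasks`, which this file already imports, would avoid that. The re-wrapping of the `assert_error, replicas_cleanup` and `DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME` imports is unrelated to the change and would be easier to review as a separate commit.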
@@ -887,11 +890,22 @@ def _check_config(self, enabled=(), hidden=()):
 assert values.get(hservice, set()) == hidden
 
 def test_hidden_replica_install(self):
-# TODO: check that all services are running on hidden replica
 self._check_server_role(self.master, 'enabled')
 self._check_server_role(self.replicas[0], 'hidden')
 self._check_dnsrecords([self.master], [self.replicas[0]])
 self._check_config([self.master], [self.replicas[0]])
+# A DNA range is needed on the replica for ipa-healthcheck to work.
+tasks.user_add(self.replicas[0], testuser)
+returncode0, _unused = run_healthcheck(
+self.master,
+failures_only=True
+)
+returncode1, _unused = run_healthcheck(
+self.replicas[0],
+failures_only=True
+)
+assert returncode0 == 0
+assert returncode1 == 0
 
 def test_hide_master_fails(self):
 # verify state
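Review bot: `tasks.user_add(self.replicas[0], testuser)` is added only for its side effect (the comment says a DNA range is needed for ipa-healthcheck), and the user is never removed, so later tests in the class inherit it. Remove the user at the end of the test or in teardown, and extend the comment to say that adding a user is what makes the replica obtain the range. The two `run_healthcheck` results would also be easier to debug if the output discarded as `_unused` were passed as the assertion message.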

From 5aa4f16d5888f1170af4786847a408e76d7c3dc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 8 Oct 2020 20:50:16 +0200
Subject: [PATCH 2/2] temp commit

---
 .freeipa-pr-ci.yaml| 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 9 +
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index ef2e4bfa90..68e79ff28c 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,15 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_replica_promotion_TestHiddenReplicaPromotion:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion
 template: *ci-master-latest
-timeout: 3600
-topology: *master_1repl_1client
+timeout: 7200
+topology: *master_2repl_1client
+

[Freeipa-devel] [freeipa PR#5183][opened] ipatests: various enhancement to hidden replica tests

2020-10-08 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5183
Author: fcami
 Title: #5183: ipatests: various enhancement to hidden replica tests
Action: opened

PR body:
"""

ipatests: hidden replica: misc fixes

Split a test in two and add additional fixes.


ipatests: run freeipa-healthcheck on hidden replica


ipatests: use wait_for_replication for hidden replica checks

Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5183/head:pr5183
git checkout pr5183
From 60b3b048a3cb5b649fde0836b8c29e6d2e026053 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 8 Oct 2020 17:41:45 +0200
Subject: [PATCH 1/3] ipatests: use wait_for_replication for hidden replica
 checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.

Fixes:
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_replica_promotion.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index f0b72e1f8e..5525ddfacc 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -922,6 +922,8 @@ def test_hidden_replica_promote(self):
 self.replicas[0].hostname, '--state=enabled'
 ])
 self._check_server_role(self.replicas[0], 'enabled')
+ldap = self.replicas[0].ldap_connect()
+tasks.wait_for_replication(ldap)
 self._check_dnsrecords([self.master, self.replicas[0]])
 self._check_config([self.master, self.replicas[0]])
 
@@ -938,6 +940,8 @@ def test_hidden_replica_demote(self):
 self.replicas[0].hostname, '--state=hidden'
 ])
 self._check_server_role(self.replicas[0], 'hidden')
+ldap = self.replicas[0].ldap_connect()
+tasks.wait_for_replication(ldap)
 self._check_dnsrecords([self.master], [self.replicas[0]])
 
 def test_replica_from_hidden(self):
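Review bot: in `test_hidden_replica_demote`, `tasks.wait_for_replication(ldap)` is called after `self._check_server_role(self.replicas[0], 'hidden')`, so the role check itself still runs before replication has settled; the same ordering appears in `test_hidden_replica_promote`. If the role check can race as well, move the wait above it. The wait uses a connection to `self.replicas[0]` only; add a short comment on why waiting on that host is enough for the `_check_dnsrecords` call that follows.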

From 593a446e60f9ec9fb3b536b8f84da4fd1b2d17d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 8 Oct 2020 17:47:34 +0200
Subject: [PATCH 2/3] ipatests: run freeipa-healthcheck on hidden replica
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes:
Signed-off-by: François Cami 
---
 .../test_integration/test_replica_promotion.py   | 16 ++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 5525ddfacc..e0a9dd9d13 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -10,6 +10,8 @@
 
 import pytest
 
+from test_ipahealthcheck import run_healthcheck
+
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.pytest_ipa.integration.tasks import (
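Review bot: `from test_ipahealthcheck import run_healthcheck` is a bare top-level import, unlike every other import in this block, which uses the `ipatests.` package path. It resolves only if the test directory happens to be on `sys.path`; use `from ipatests.test_integration.test_ipahealthcheck import run_healthcheck`, or better, move the helper into a shared module.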
@@ -17,7 +19,8 @@
 from ipatests.pytest_ipa.integration.firewall import Firewall
 from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipalib.constants import (
-DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME)
+DOMAIN_LEVEL_1, IPA_CA_NICKNAME, CA_SUFFIX_NAME
+)
 from ipaplatform.paths import paths
 from ipapython import certdb
 from ipatests.test_integration.test_dns_locations import (
@@ -887,11 +890,20 @@ def _check_config(self, enabled=(), hidden=()):
 assert values.get(hservice, set()) == hidden
 
 def test_hidden_replica_install(self):
-# TODO: check that all services are running on hidden replica
 self._check_server_role(self.master, 'enabled')
 self._check_server_role(self.replicas[0], 'hidden')
 self._check_dnsrecords([self.master], [self.replicas[0]])
 self._check_config([self.master], [self.replicas[0]])
+returncode0, _unused = run_healthcheck(
+self.master,
+failures_only=True
+)
+returncode1, _unused = run_healthcheck(
+self.replicas[0],
+failures_only=True
+)
+assert returncode0 == 0
+assert returncode1 == 0
 
 def test_hide_master_fails(self):
 # verify state
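Review bot: in `test_hidden_replica_install`, both `run_healthcheck` calls run before either assertion, so a failure on the master is reported only after the replica run has also completed. Assert on `returncode0` directly after the first call, and keep the second return value instead of binding it to `_unused` so it can be shown when `assert returncode1 == 0` fails.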

From 15a3a8b7bde2ec0e80d8b489b93e4b558bb58903 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 8 Oct 2020 18:22:29 +0200
Subject: [PATCH 3/3] ipatests: hidden replica: misc fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 

[Freeipa-devel] [freeipa PR#5176][opened] freeipa.spec.in: depend on libsss_sudo

2020-10-06 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5176
Author: fcami
 Title: #5176: freeipa.spec.in: depend on libsss_sudo
Action: opened

PR body:
"""
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
Depend on libsss_sudo to make sure all IPA servers can have sudo.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5176/head:pr5176
git checkout pr5176
From cde7b1045d943956501a6a5ae4460c1d8593347e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 6 Oct 2020 16:48:09 +0200
Subject: [PATCH] freeipa.spec.in: depend on libsss_sudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
Depend on libsss_sudo to make sure all IPA servers can have sudo.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami 
---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 00669b1fc6..222c8f1712 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -398,6 +398,7 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
+Requires: libsss_sudo
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
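Review bot: `Requires: libsss_sudo` is unversioned and uncommented, while the neighbouring lines pin their dependencies (`Requires: sssd-dbus >= %{sssd_version}`) and record the reason (`# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172`). Add a comment pointing at https://pagure.io/freeipa/issue/8530 and consider `>= %{sssd_version}` so the library cannot lag behind the other SSSD packages.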


[Freeipa-devel] [freeipa PR#5151][closed] IPA-EPN: Make ipa-epn.timer a configuration file

2020-09-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5151
Author: fcami
 Title: #5151: IPA-EPN: Make ipa-epn.timer a configuration file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5151/head:pr5151
git checkout pr5151


[Freeipa-devel] [freeipa PR#5151][opened] IPA-EPN: Make ipa-epn.timer a configuration file

2020-09-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5151
Author: fcami
 Title: #5151: IPA-EPN: Make ipa-epn.timer a configuration file
Action: opened

PR body:
"""
The time at which ipa-epn runs using the timer should be configurable.
Currently, ipa-epn.timer is not marked as a config file, resulting in
overwriting the file at each update.
Add %config(noreplace) so that customisation can persist.

Fixes: https://pagure.io/freeipa/issue/8517
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5151/head:pr5151
git checkout pr5151
From 22ac7920597e16208e7d32eb9eb651cb7d2c5b96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 25 Sep 2020 16:26:56 +0200
Subject: [PATCH] IPA-EPN: Make ipa-epn.timer a configuration file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The time at which ipa-epn runs using the timer should be configurable.
Currently, ipa-epn.timer is not marked as a config file, resulting in
overwriting the file at each update.
Add %config(noreplace) so that customisation can persist.

Fixes: https://pagure.io/freeipa/issue/8517
Signed-off-by: François Cami 
---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6425a2d866..ad63dffdc7 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1446,7 +1446,7 @@ fi
 %{_mandir}/man1/ipa-epn.1*
 %{_mandir}/man5/epn.conf.5*
 %attr(644,root,root) %{_unitdir}/ipa-epn.service
-%attr(644,root,root) %{_unitdir}/ipa-epn.timer
+%attr(644,root,root) %config(noreplace) %{_unitdir}/ipa-epn.timer
 %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
 %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
 
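Review bot: `%config(noreplace) %{_unitdir}/ipa-epn.timer` marks a packaged systemd unit as a configuration file. Units under `%{_unitdir}` are meant to be overridden with a drop-in or a copy under /etc/systemd/system (for example via `systemctl edit ipa-epn.timer`), which survives updates without this flag; with `noreplace`, a locally edited timer will stop receiving packaged changes to the unit. Consider leaving the `%attr(644,root,root)` line as it was and documenting the override mechanism in the ipa-epn man page instead.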


[Freeipa-devel] [freeipa PR#5140][closed] [Backport][ipa-4-8] Add ipa_pki_retrieve_key_exec() interface

2020-09-23 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5140
Author: tiran
 Title: #5140: [Backport][ipa-4-8] Add ipa_pki_retrieve_key_exec() interface
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5140/head:pr5140
git checkout pr5140


[Freeipa-devel] [freeipa PR#5136][closed] [Backport][ipa-4-8] SELinux: do not double-define node_t and pki_tomcat_cert_t

2020-09-23 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5136
Author: tiran
 Title: #5136: [Backport][ipa-4-8] SELinux: do not double-define node_t and pki_tomcat_cert_t
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5136/head:pr5136
git checkout pr5136


[Freeipa-devel] [freeipa PR#5133][opened] SELinux: do not double-define node_t and pki_tomcat_cert_t

2020-09-23 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5133
Author: fcami
 Title: #5133: SELinux: do not double-define node_t and pki_tomcat_cert_t
Action: opened

PR body:
"""
node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5133/head:pr5133
git checkout pr5133
From 536dbfa7b12480f40bf31762a00c3e76a4a7bee7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 23 Sep 2020 09:17:53 +0200
Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami 
---
 selinux/ipa.te | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/selinux/ipa.te b/selinux/ipa.te
index fa577191c5..b5bc8be15b 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
 type ipa_custodia_tmp_t;
 files_tmp_file(ipa_custodia_tmp_t)
 
-type pki_tomcat_cert_t;
-type node_t;
-
 type ipa_pki_retrieve_key_exec_t;
 type ipa_pki_retrieve_key_t;
 domain_type(ipa_pki_retrieve_key_t)
@@ -339,8 +336,14 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
 allow ipa_custodia_t self:tcp_socket { bind create };
 allow ipa_custodia_t self:udp_socket create_socket_perms;
 
+gen_require(`
+type node_t;
+')
 allow ipa_custodia_t node_t:tcp_socket node_bind;
 
+gen_require(`
+type pki_tomcat_cert_t;
+')
 allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
 allow ipa_custodia_t pki_tomcat_cert_t:file create;
 allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
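Review bot: the two new `gen_require(` blocks are placed inline, next to the `allow` rules that use `node_t` and `pki_tomcat_cert_t`. A policy module is easier to audit when its external types are listed in one `gen_require` block, so a reviewer can see in one place what the module depends on; merge the two blocks. For `allow ipa_custodia_t node_t:tcp_socket node_bind;`, check whether an existing policy interface grants the same permission, which would avoid requiring the type directly.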


[Freeipa-devel] [freeipa PR#5127][closed] [Backport][ipa-4-8] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage

2020-09-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5127
Author: fcami
 Title: #5127: [Backport][ipa-4-8] SELinux: add dedicated policy for 
ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better 
coverage
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5127/head:pr5127
git checkout pr5127


[Freeipa-devel] [freeipa PR#5128][opened] ipatests: kinit_as_user: collect kdcinfo.REALM on failure

2020-09-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5128
Author: fcami
 Title: #5128: ipatests: kinit_as_user: collect kdcinfo.REALM on failure
Action: opened

PR body:
"""
When requesting a tgt fails after a password reset, collecting:
/var/lib/sss/pubconf/kdcinfo.$REALM
will help determine how SSSD was selecting which KRB5KDC to use.

Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5128/head:pr5128
git checkout pr5128
From a1da254d39465afc63645dfd7e985e05599a09cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 22 Sep 2020 20:50:43 +0200
Subject: [PATCH] ipatests: kinit_as_user: collect kdcinfo.REALM on failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When requesting a tgt fails after a password reset, collecting:
/var/lib/sss/pubconf/kdcinfo.$REALM
will help determine how SSSD was selecting which KRB5KDC to use.

Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami 
---
 ipatests/pytest_ipa/integration/tasks.py | 22 ++
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index fceac1b628..01e3952b8a 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2003,10 +2003,24 @@ def run_command_as_user(host, user, command, *args, **kwargs):
 
 def kinit_as_user(host, user, password, krb5_trace=False):
 if krb5_trace:
-host.run_command(
-"KRB5_TRACE=/dev/stdout kinit %s" % user,
-stdin_text='{0}\n'.format(password)
-)
+try:
+host.run_command(
+"KRB5_TRACE=/dev/stdout kinit %s" % user,
+stdin_text='{0}\n'.format(password),
+raiseonerr=False
+)
+except subprocess.CalledProcessError as e:
+logger.info(
+'Collecting kdcinfo log from: %s', host.hostname
+)
+kdcinfo = host.get_file_contents(
+"/var/lib/sss/pubconf/kdcinfo.{}".format(host.realm)
+)
+logger.info(
+'kdcinfo %s contains:\n%s', host.hostname, kdcinfo
+)
+raise e
+
 else:
 host.run_command(['kinit', user], stdin_text='{0}\n'.format(password))
 
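Review bot: in the krb5_trace branch the new except subprocess.CalledProcessError block looks unreachable, because the call it guards is made with raiseonerr=False. With that flag a failed command returns a result instead of raising (the add_subca change elsewhere on this page relies on exactly that when it asserts result.returncode != 0), so kdcinfo is never collected and a failed kinit is now silently ignored where it used to raise. Either drop raiseonerr=False so the exception path is taken, or keep it, test the returncode of the result, collect kdcinfo and then fail explicitly. If the except block stays, use a bare raise rather than raise e, and guard get_file_contents so that a missing kdcinfo file does not replace the original kinit error.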


[Freeipa-devel] [freeipa PR#5127][opened] [Backport][ipa-4-8] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage

2020-09-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5127
Author: fcami
 Title: #5127: [Backport][ipa-4-8] SELinux: add dedicated policy for 
ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better 
coverage
Action: opened

PR body:
"""
MANUAL CHERRY PICK of commits in https://github.com/freeipa/freeipa/pull/5109
This PR was opened because PR https://github.com/freeipa/freeipa/pull/5109 was 
pushed to master and backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5127/head:pr5127
git checkout pr5127
From 444b04cd4fc241a6083b52dd42db987077417963 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 17 Sep 2020 11:30:45 +0200
Subject: [PATCH 1/8] ipatests: enhance TestSubCAkeyReplication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami 
Reviewed-By: Alexander Bokovoy 
Reviewed-By: Christian Heimes 
Reviewed-By: Rob Crittenden 
Reviewed-By: Ondrej Mosnacek 
Reviewed-By: Lukas Vrabec 
Reviewed-By: Zdenek Pytela 
Reviewed-By: Thomas Woerner 
---
 .../test_replica_promotion.py | 52 +--
 1 file changed, 47 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 82117054fd..f0b72e1f8e 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
 SERVER_CERT_NICK: 'u,u,u',
 }
 
-def add_subca(self, host, name, subject):
+def add_subca(self, host, name, subject, raiseonerr=True):
 result = host.run_command([
 'ipa', 'ca-add', name,
 '--subject', subject,
-'--desc', self.SUBCA_DESC,
+'--desc', self.SUBCA_DESC],
+raiseonerr=raiseonerr
+)
+if raiseonerr:
+assert "ipa: ERROR:" not in result.stderr_text
+auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
+return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+else:
+assert "ipa: ERROR:" in result.stderr_text
+assert result.returncode != 0
+return result
+
+def del_subca(self, host, name):
+host.run_command([
+'ipa', 'ca-disable', name
 ])
-auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
-return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+result = host.run_command([
+'ipa', 'ca-del', name
+])
+assert "Deleted CA \"{}\"".format(name) in result.stdout_text
 
 def check_subca(self, host, name, cert_nick):
-host.run_command(['ipa', 'ca-show', name])
+result = host.run_command(['ipa', 'ca-show', name])
+# ipa ca-show returns 0 even if the cert cannot be found locally.
+assert "ipa: ERROR:" not in result.stderr_text
 tasks.run_certutil(
 host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
 )
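Review bot: add_subca now uses raiseonerr both as the run_command flag and as an "expect failure" switch, and returns a nickname string in one mode and the command result in the other. A separate helper for the expected-failure case (or an explicitly named argument) would keep the return type stable for callers. In the success branch, also assert that re.findall(AUTH_ID_RE, result.stdout_text) matched something: with no match the function still returns IPA_CA_NICKNAME followed by a space and an empty id, and the problem only surfaces later in check_subca.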
@@ -627,6 +645,30 @@ def test_sign_with_subca_on_replica(self):
 ssl = replica.run_command(ssl_cmd)
 assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
 
+def test_del_subca_master_on_replica(self):
+self.del_subca(self.replicas[0], self.SUBCA_MASTER)
+
+def test_del_subca_replica(self):
+self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
+
+def test_scale_add_subca(self):
+master = self.master
+replica = self.replicas[0]
+
+subcas = {}
+for i in range(0, 16):
+name = "_".join((self.SUBCA_MASTER, str(i)))
+cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
+subcas[name] = self.add_subca(master, name, cn)
+self.add_subca(master, name, cn, raiseonerr=False)
+
+# give replication some time
+time.sleep(15)
+
+for name in subcas:
+self.check_subca(replica, name, subcas[name])
+self.del_subca(replica, name)
+
 
 class TestReplicaInstallCustodia(IntegrationTest):
 """

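Review bot: test_scale_add_subca waits for replication with a fixed time.sleep(15) before checking 16 sub-CAs on the replica, which will be flaky on a slow CI host and wasted time on a fast one. Retry check_subca for each name with a bounded timeout instead, and fail with the name that never appeared so the log says which key did not replicate.
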
From 1f0b1b66a5b856375cc327ce2a6fed4a33a07b07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 18 Sep 2020 11:55:37 +0200
Subject: [PATCH 2/8] SELinux: Add dedicated policy for ipa-pki-retrieve-key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488

[Freeipa-devel] [freeipa PR#5109][closed] SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests: enhance TestSubCAkeyReplication for better coverage

2020-09-22 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5109
Author: fcami
 Title: #5109: SELinux: add dedicated policy for ipa-pki-retrieve-key + 
ipatests: enhance TestSubCAkeyReplication for better coverage
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5109/head:pr5109
git checkout pr5109


[Freeipa-devel] [freeipa PR#5120][closed] [Test PR] ipatests: enhance TestSubCAkeyReplication

2020-09-18 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5120
Author: fcami
 Title: #5120: [Test PR] ipatests: enhance TestSubCAkeyReplication
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5120/head:pr5120
git checkout pr5120


[Freeipa-devel] [freeipa PR#5120][opened] [Test PR] ipatests: enhance TestSubCAkeyReplication

2020-09-18 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5120
Author: fcami
 Title: #5120: [Test PR] ipatests: enhance TestSubCAkeyReplication
Action: opened

PR body:
"""
enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami 

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5120/head:pr5120
git checkout pr5120
From daa4d220c131dae025a70890cc3922a41c3c7a8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 17 Sep 2020 11:30:45 +0200
Subject: [PATCH 1/2] ipatests: enhance TestSubCAkeyReplication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami 
---
 .../test_replica_promotion.py | 52 +--
 1 file changed, 47 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 82117054fd..f0b72e1f8e 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
 SERVER_CERT_NICK: 'u,u,u',
 }
 
-def add_subca(self, host, name, subject):
+def add_subca(self, host, name, subject, raiseonerr=True):
 result = host.run_command([
 'ipa', 'ca-add', name,
 '--subject', subject,
-'--desc', self.SUBCA_DESC,
+'--desc', self.SUBCA_DESC],
+raiseonerr=raiseonerr
+)
+if raiseonerr:
+assert "ipa: ERROR:" not in result.stderr_text
+auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
+return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+else:
+assert "ipa: ERROR:" in result.stderr_text
+assert result.returncode != 0
+return result
+
+def del_subca(self, host, name):
+host.run_command([
+'ipa', 'ca-disable', name
 ])
-auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
-return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+result = host.run_command([
+'ipa', 'ca-del', name
+])
+assert "Deleted CA \"{}\"".format(name) in result.stdout_text
 
 def check_subca(self, host, name, cert_nick):
-host.run_command(['ipa', 'ca-show', name])
+result = host.run_command(['ipa', 'ca-show', name])
+# ipa ca-show returns 0 even if the cert cannot be found locally.
+assert "ipa: ERROR:" not in result.stderr_text
 tasks.run_certutil(
 host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
 )
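Review bot: del_subca ignores the result of 'ipa ca-disable' and decides success only from the string 'Deleted CA "<name>"' in stdout, while check_subca in the same hunk documents that the exit status of ipa ca-show cannot be trusted and checks stderr for "ipa: ERROR:". Apply the same stderr check to both the ca-disable and ca-del calls so all three helpers fail in the same way, and consider a follow-up 'ipa ca-show' that is expected to fail to confirm the sub-CA is really gone.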
@@ -627,6 +645,30 @@ def test_sign_with_subca_on_replica(self):
 ssl = replica.run_command(ssl_cmd)
 assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
 
+def test_del_subca_master_on_replica(self):
+self.del_subca(self.replicas[0], self.SUBCA_MASTER)
+
+def test_del_subca_replica(self):
+self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
+
+def test_scale_add_subca(self):
+master = self.master
+replica = self.replicas[0]
+
+subcas = {}
+for i in range(0, 16):
+name = "_".join((self.SUBCA_MASTER, str(i)))
+cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
+subcas[name] = self.add_subca(master, name, cn)
+self.add_subca(master, name, cn, raiseonerr=False)
+
+# give replication some time
+time.sleep(15)
+
+for name in subcas:
+self.check_subca(replica, name, subcas[name])
+self.del_subca(replica, name)
+
 
 class TestReplicaInstallCustodia(IntegrationTest):
 """

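Review bot: test_del_subca_master_on_replica and test_del_subca_replica delete SUBCA_MASTER and SUBCA_REPLICA without creating them, so they pass only when the earlier tests of the class have run, in order, and succeeded. State that dependency in a docstring on each test, or create the sub-CAs in the test itself, so that running one of them in isolation gives a clear failure instead of a confusing ca-disable error.
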
From 36a4383cadb55c4c902fd6bcf78489f589e721ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 15 Sep 2020 16:44:56 +0200
Subject: [PATCH 2/2] temp commit

---
 .freeipa-pr-ci.yaml|  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 22 ++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
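Review bot: the switch from gating.yaml to temp_commit.yaml in .freeipa-pr-ci.yaml must not reach the target branch, and nothing in this commit prevents that: the subject is only "temp commit" and the body is empty. Put a note in the commit message that it has to be dropped before merge, so that a rebase or squash does not carry the redirected CI definition along with the real change.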
diff --git 

[Freeipa-devel] [freeipa PR#5115][closed] [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn

2020-09-17 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5115
Author: fcami
 Title: #5115: [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5115/head:pr5115
git checkout pr5115


[Freeipa-devel] [freeipa PR#5115][opened] [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn

2020-09-17 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5115
Author: fcami
 Title: #5115: [Backport][ipa-4-8] dogtaginstance.py: add --debug to pkispawn
Action: opened

PR body:
"""
MANUAL cherry-pick of https://github.com/freeipa/freeipa/pull/5113

Since commits:
dogtagpki/pki@0102d83
dogtagpki/pki@de21755
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5115/head:pr5115
git checkout pr5115
From 70de03a328696669fe50a58019387449c9e75b1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 16 Sep 2020 17:07:21 +0200
Subject: [PATCH 1/2] ipatests: check that pkispawn log is not empty
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami 
Reviewed-By: Thomas Woerner 
Reviewed-By: Christian Heimes 
Reviewed-By: Rob Crittenden 
---
 ipatests/test_integration/test_commands.py | 23 ++
 1 file changed, 23 insertions(+)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index fa6abd81e0..3a12bcde2b 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1295,3 +1295,26 @@ def test_ipa_nis_manage_enable_incorrect_password(self):
 )
 assert result.returncode == 1
 assert msg in result.stderr_text
+
+def test_pkispawn_log_is_present(self):
+"""
+This testcase checks if pkispawn logged properly.
+It is a candidate from being moved out of test_commands.
+"""
+result = self.master.run_command(
+["ls", "/var/log/pki/"]
+)
+pkispawnlogfile = None
+for file in result.stdout_text.splitlines():
+if file.startswith("pki-ca-spawn"):
+pkispawnlogfile = file
+break
+assert pkispawnlogfile is not None
+pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
+pkispawnlog = self.master.get_file_contents(
+pkispawnlogfile, encoding='utf-8'
+)
+# Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
+assert len(pkispawnlog) > 1024
+assert "DEBUG" in pkispawnlog
+assert "INFO" in pkispawnlog
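Review bot: the size check in test_pkispawn_log_is_present does not match its own comment. The comment says pkispawn debug logs tend to be > 10KiB, but the assertion is len(pkispawnlog) > 1024, which is 1 KiB; pick one threshold and make the comment and the code agree. The loop also takes the first name starting with "pki-ca-spawn" from the ls output, so on a host with more than one spawn log it may read an older file than the one produced by this install; select the newest one or assert that exactly one exists. In the docstring, "candidate from being moved" should read "candidate for being moved".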

From da724056003b900d6433eefac05378359548589f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 17 Sep 2020 07:31:59 +0200
Subject: [PATCH 2/2] dogtaginstance.py: add --debug to pkispawn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami 
Reviewed-By: Thomas Woerner 
Reviewed-By: Christian Heimes 
Reviewed-By: Rob Crittenden 
---
 ipaserver/install/dogtaginstance.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 524262ad75..03fdd7c0b1 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -183,7 +183,8 @@ def spawn_instance(self, cfg_file, nolog_list=()):
 subsystem = self.subsystem
 args = [paths.PKISPAWN,
 "-s", subsystem,
-"-f", cfg_file]
+"-f", cfg_file,
+"--debug"]
 
 with open(cfg_file) as f:
 logger.debug(
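Review bot: "--debug" is appended unconditionally to the pkispawn arguments in spawn_instance, a function that takes a nolog_list and therefore already handles values that must stay out of logs. Before merging, confirm that pkispawn's debug output does not write the sensitive entries of cfg_file into its own log under /var/log/pki, since nolog_list only protects what FreeIPA itself logs. A short comment above the args list pointing at https://pagure.io/freeipa/issue/8503 would also explain why debug mode is always on.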

[Freeipa-devel] [freeipa PR#5113][closed] dogtaginstance.py: add --debug to pkispawn

2020-09-17 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5113
Author: fcami
 Title: #5113: dogtaginstance.py: add --debug to pkispawn
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5113/head:pr5113
git checkout pr5113


[Freeipa-devel] [freeipa PR#5113][opened] dogtaginstance.py: add --debug to pkispawn

2020-09-16 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5113
Author: fcami
 Title: #5113: dogtaginstance.py: add --debug to pkispawn
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5113/head:pr5113
git checkout pr5113
From 48ae626aae04f8e6efcf2434c79169eceecafa1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 16 Sep 2020 18:36:55 +0200
Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 ipaserver/install/dogtaginstance.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 60ef72f82f..a2190e183b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -190,7 +190,8 @@ def spawn_instance(self, cfg_file, nolog_list=()):
 subsystem = self.subsystem
 args = [paths.PKISPAWN,
 "-s", subsystem,
-"-f", cfg_file]
+"-f", cfg_file,
+"--debug"]
 
 with open(cfg_file) as f:
 logger.debug(
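Review bot: the new "--debug" entry in the args list has no comment, and this commit's message is only a Signed-off-by line, so nothing near the code says why every pkispawn run is now in debug mode. Add a comment above the list with the reason given in the backport of this change on this page (pkispawn no longer honors the pki_log_level configuration item) and put the same explanation and the issue link in the commit message.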


[Freeipa-devel] [freeipa PR#5109][opened] [WIP] ipatests: enhance TestSubCAkeyReplication

2020-09-15 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5109
Author: fcami
 Title: #5109: [WIP] ipatests: enhance TestSubCAkeyReplication
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5109/head:pr5109
git checkout pr5109
From b4b51b7f30a30d0460d20b4b7caff0dd86cf182c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 15 Sep 2020 16:42:45 +0200
Subject: [PATCH 1/2] ipatests: enhance TestSubCAkeyReplication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 .../test_replica_promotion.py | 49 +--
 1 file changed, 44 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 82117054fd..09ac40e338 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -474,17 +474,32 @@ class TestSubCAkeyReplication(IntegrationTest):
 SERVER_CERT_NICK: 'u,u,u',
 }
 
-def add_subca(self, host, name, subject):
+def add_subca(self, host, name, subject, raiseonerr=True):
 result = host.run_command([
 'ipa', 'ca-add', name,
 '--subject', subject,
-'--desc', self.SUBCA_DESC,
+'--desc', self.SUBCA_DESC],
+raiseonerr=raiseonerr
+)
+if raiseonerr:
+assert "ipa: ERROR:" not in result.stderr_text
+auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
+return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+else:
+assert "ipa: ERROR:" in result.stderr_text
+assert result.returncode != 0
+return result
+
+def del_subca(self, host, name):
+result = host.run_command([
+'ipa', 'ca-del', name
 ])
-auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
-return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+assert "Deleted CA \"{}\"".format(name) in result.stdout_text
 
 def check_subca(self, host, name, cert_nick):
-host.run_command(['ipa', 'ca-show', name])
+result = host.run_command(['ipa', 'ca-show', name])
+# ipa ca-show returns 0 even if the cert cannot be found locally.
+assert "ipa: ERROR:" not in result.stderr_text
 tasks.run_certutil(
 host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
 )
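Review bot: del_subca in this revision goes straight to 'ipa ca-del', while the other revisions of this patch on this page run 'ipa ca-disable' first and describe the coverage as "deleting subCAs (disabling them first)". If deleting an enabled sub-CA is expected to be refused, add the disable step here; if it is expected to succeed, say so in a comment so the difference is deliberate. The commit message should also state what the new tests cover; at the moment it contains only the Signed-off-by line.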
@@ -627,6 +642,30 @@ def test_sign_with_subca_on_replica(self):
 ssl = replica.run_command(ssl_cmd)
 assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
 
+def test_del_subca_master_on_replica(self):
+self.del_subca(self.replicas[0], self.SUBCA_MASTER)
+
+def test_del_subca_replica(self):
+self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
+
+def test_scale_add_subca(self):
+master = self.master
+replica = self.replicas[0]
+
+subcas = {}
+for i in range(0, 16):
+name = "_".join((self.SUBCA_MASTER, str(i)))
+cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
+subcas[name] = self.add_subca(master, name, cn)
+self.add_subca(master, name, cn, raiseonerr=False)
+
+# give replication some time
+time.sleep(15)
+
+for name in subcas:
+self.check_subca(replica, name, subcas[name])
+self.del_subca(replica, name)
+
 
 class TestReplicaInstallCustodia(IntegrationTest):
 """

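Review bot: in test_scale_add_subca the expected-failure call add_subca(master, name, cn, raiseonerr=False) sits inside the creation loop and deletion happens only in the last loop, so any assertion that fails part-way leaves the sub-CAs created so far on the master for every later test in the run. Wrap the body in try/finally (or move the cleanup into a fixture) so that the names collected in subcas are always deleted.
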
From be95293b8a4253c6edafccdc18708f89c74386d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 15 Sep 2020 16:44:56 +0200
Subject: [PATCH 2/2] temp commit

---
 .freeipa-pr-ci.yaml|  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 22 ++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 181404133c..48f2a9d8a1 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,28 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_replica_promotion_TestSubCAkeyReplication:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: 

[Freeipa-devel] [freeipa PR#5087][closed] [Backport][ipa-4-8] SELinux Policy: let custodia replicate keys

2020-09-10 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5087
Author: rcritten
 Title: #5087: [Backport][ipa-4-8] SELinux Policy: let custodia replicate keys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5087/head:pr5087
git checkout pr5087


[Freeipa-devel] [freeipa PR#5083][opened] test_replica_promotion::TestSubCAkeyReplication: set SELinux to Enforcing

2020-09-08 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5083
Author: fcami
 Title: #5083: test_replica_promotion::TestSubCAkeyReplication: set SELinux to 
Enforcing
Action: opened

PR body:
"""
Test run with SELinux set to Enforcing
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5083/head:pr5083
git checkout pr5083
From de710ed623f9373ed79064be3dde4c421d75e400 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 8 Sep 2020 13:14:06 +0200
Subject: [PATCH 1/2] test_replica_promotion::TestSubCAkeyReplication: set
 SELinux to Enforcing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

test_replica_promotion::TestSubCAkeyReplication fails downstream
with SELinux set to Enforcing.
Temporarily switch to Enforcing here.

Signed-off-by: François Cami 
---
 ipatests/test_integration/test_replica_promotion.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 82117054fd..8ae9988670 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -568,6 +568,18 @@ def check_pki_error(self, host):
 # check for cert/key import error message
 assert self.ERR_MESS not in pki_debug_log
 
+def switch_selinux_to_enabled(self, host):
+"""Candidate to move to tasks.py
+"""
+cmd = ["setenforce", "1"]
+status = host.run_command(cmd)
+assert "usage:  setenforce" not in status.stderr_text
+
+def test_switch_selinux_to_enabled(self):
+hosts = (self.master, self.replicas[0])
+for host in hosts:
+self.switch_selinux_to_enabled(host)
+
 def test_subca_master(self):
 master = self.master
 replica = self.replicas[0]
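Review bot: switch_selinux_to_enabled only asserts that the setenforce usage text is absent from stderr, which does not show that the host actually ended up in Enforcing mode. Read the mode back after the call (for example run getenforce and assert that stdout is "Enforcing") so the following sub-CA tests cannot pass on a host that stayed Permissive. The helper name says "enabled" while the code and commit message mean Enforcing, so switch_selinux_to_enforcing would be clearer, and the previous mode should be restored when the class finishes so that later test classes on the same hosts are not affected.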

From 6bfdeb7f1f810bc4bd54790e1798ebbdc1619e78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 8 Sep 2020 15:15:09 +0200
Subject: [PATCH 2/2] temp commit

---
 .freeipa-pr-ci.yaml| 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 181404133c..5c334c28af 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_replica_promotion_TestSubCAkeyReplication:
 requires: [fedora-latest/build]
-priority: 50
+priority: 100
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
 template: *ci-master-latest
 timeout: 3600
-topology: *master_1repl_1client
+topology: *master_1repl


[Freeipa-devel] [freeipa PR#5071][opened] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE

2020-08-31 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5071
Author: fcami
 Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
Action: opened

PR body:
"""
Some IPA updates are expensive in terms of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.

When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor of the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.

Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.

Explanation provided by Thierry Bordaz.

Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5071/head:pr5071
git checkout pr5071
From 9b5d33d513906bf5e2134d182347fe14ea79dfa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Mon, 31 Aug 2020 14:11:00 +0200
Subject: [PATCH] 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some IPA updates are expensive in terms of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.

When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor of the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.

Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.

Explanation provided by Thierry Bordaz.

Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami 
---
 freeipa.spec.in   |  6 +
 .../10-nsslapd-db-deadlock-policy.update  | 22 +++
 install/updates/Makefile.am   |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 install/updates/10-nsslapd-db-deadlock-policy.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0e7a51f445..dee67ef58e 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -104,6 +104,12 @@
 %global ds_version 1.4.0.21
 %endif
 
+# Configuring nsslapd-db-deadlock-policy to DB_LOCK_MINWRITE
+# requires 389-DS 1.4.2.3 and higher.
+%if 0%{?fedora} >= 31
+%global ds_version 1.4.2.3
+%endif
+
 # Fix for TLS 1.3 PHA, RHBZ#1775146
 %if 0%{?fedora} >= 31
 %global httpd_version 2.4.41-9
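
Review bot: the new `%global ds_version 1.4.2.3` is guarded only by `%if 0%{?fedora} >= 31`, while the update file is added to `app_DATA` unconditionally, so builds that do not take this branch keep an older `ds_version` (the context above shows `1.4.0.21`) and still ship the update. Either raise the minimum in every branch or state in the comment what is expected to happen on a 389-DS older than 1.4.2.3, where per the commit message the setting is not valid.
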
diff --git a/install/updates/10-nsslapd-db-deadlock-policy.update b/install/updates/10-nsslapd-db-deadlock-policy.update
new file mode 100644
index 00..0f621b7849
--- /dev/null
+++ b/install/updates/10-nsslapd-db-deadlock-policy.update
@@ -0,0 +1,22 @@
+# Configure 389-DS BDB backend to use DB_LOCK_MINWRITE.
+# 
+# Some IPA updates are expensive in term of processing and #page hit.
+# The likelihood to generate a DS Berkeley DB database deadlock can be high
+# for some common operations.
+#
+# When a deadlock is detected one deadlocking thread needs to be
+# rejected to let the other(s) complete.
+# DB_LOCK_YOUNGEST (9) is the DS default: it  means the most recent operation
+# fails in favor to the oldest one.
+# DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
+# of the writers even if the reader(s) are older.
+# 
+# Switch the default for FreeIPA to DB_LOCK_MINWRITE.
+# This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
+# and therefore is valid on 389-DS 1.4.2.3 and higher.
+# 
+# BDB header:
+# https://github.com/berkeleydb/libdb/blob/5b7b02ae052442626af54c176335b67ecc613a30/src/dbinc/db.in#L287
+# 
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+replace: nsslapd-db-deadlock-policy:9::6
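
Review bot: in the last line, `replace: nsslapd-db-deadlock-policy:9::6` is keyed on the old value 9, so it reads as changing only servers that currently store the DS default; please confirm what happens when the attribute has been set to another value or is not stored on `cn=bdb` at all, since the commit message promises the switch for new installs and for existing installs at update time. If the intent is to enforce 6 everywhere, `only:` states that directly; if administrator-chosen values are meant to survive, say so in the header comment. Minor: "in term of" and "in favor to" in the comment block should read "in terms of" and "in favor of".
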
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 8a4d9cc6cf..e1c5559ac7 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -6,6 +6,7 @@ app_DATA =\
 	10-config.update		\
 	10-enable-betxn.update		\
 	10-ipapwd.update		\
+	10-nsslapd-db-deadlock-policy.update \
 	10-selinuxusermap.update	\
 	10-rootdse.update		\
 	10-uniqueness.update		\
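
Review bot: the added `10-nsslapd-db-deadlock-policy.update \` line separates the file name from the continuation backslash with a single space, while the neighbouring entries use tabs; align it with tabs to match the rest of `app_DATA`.
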

[Freeipa-devel] [freeipa PR#5012][opened] Test for pr5008

2020-08-07 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5012
Author: fcami
 Title: #5012: Test for pr5008
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5012/head:pr5012
git checkout pr5012
From 65b758470922c07aa38f4edda7c71dc1d10439ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 6 Aug 2020 17:13:19 +0200
Subject: [PATCH 1/3] IPA-EPN: fix configuration file typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 client/share/epn.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/share/epn.conf b/client/share/epn.conf
index 0e590dfc3b..e3645801cb 100644
--- a/client/share/epn.conf
+++ b/client/share/epn.conf
@@ -23,7 +23,7 @@ smtp_port = 25
 # Default None (empty value).
 # smtp_password =
 
-# pecifies the number of seconds to wait for SMTP to respond.
+# Specifies the number of seconds to wait for SMTP to respond.
 smtp_timeout = 60
 
 # Specifies the type of secure connection to make. Options are: none,
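
Review bot: fixing the comment changes the bytes of the shipped `epn.conf`, and `test_EPN_config_file` compares that file against a hard-coded SHA256, so this one-character fix breaks the test until patch 2/3 updates the hash. Squash the hash update into this commit so that each commit passes on its own. The commit message also has no body and no ticket reference.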

From 812f5a68df9a5f96f2d14d8f554e79275e391035 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 6 Aug 2020 18:57:10 -0400
Subject: [PATCH 2/3] IPA-EPN: Test that users without givenname and/or mail
 are handled

The admin user does not have a givenname by default, allow for that.

Report errors for users without a default e-mail address.

Update the SHA256 hash with the typo fix.
---
 ipatests/test_integration/test_epn.py | 22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index f4c123c6d8..946e8e602a 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -231,7 +231,7 @@ def test_EPN_config_file(self):
 assert epn_conf in cmd1.stdout_text
 assert epn_template in cmd1.stdout_text
 cmd2 = self.master.run_command(["sha256sum", epn_conf])
-ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
+ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
 assert cmd2.stdout_text.find(ck) == 0
 
 def test_EPN_smoketest_1(self):
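
Review bot: the `ck = "..."` constant pins the test to the exact bytes of `epn.conf`, so every comment or whitespace edit to that file needs a matching hash bump, as this series shows. Consider asserting on what the test actually cares about (for example that the file parses and `smtp_timeout` has its default of 60) rather than on a checksum, or at least add a comment next to `ck` explaining how to regenerate it.
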
@@ -487,3 +487,23 @@ def test_EPN_delay_config(self, cleanupmail):
 self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
 result = tasks.ipa_epn(self.master, raiseonerr=False)
 assert "smtp_delay cannot be less than zero" in result.stderr_text
+
+def test_EPN_admin(self):
+"""The admin user is special and has no givenName by default
+   It also doesn't by default have an e-mail address
+   Check --dry-run output.
+"""
+epn_conf = textwrap.dedent('''
+[global]
+''')
+self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
+self.master.run_command(
+['ipa', 'user-mod', 'admin', '--password-expiration',
+ datetime_to_generalized_time(
+ datetime.datetime.utcnow() + datetime.timedelta(days=7)
+ )]
+)
+(unused, stderr_text) = self._check_epn_output(
+self.master, dry_run=True
+)
+assert "uid=admin" in stderr_text
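
Review bot: `test_EPN_admin` only asserts `"uid=admin" in stderr_text`, which does not distinguish the two cases the commit message names (a missing givenname is tolerated, a missing e-mail address is reported as an error); assert on the expected error text for the missing mail and on the dry-run output currently bound to `unused`. The test also overwrites `/etc/ipa/epn.conf` and changes the admin password expiration without restoring either, so later tests in the class inherit that state; a fixture or a `try`/`finally` restore would keep them independent.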

From acc6b6ab54d22266c701de30d7cdd5ebaf55659a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 6 Aug 2020 17:09:23 +0200
Subject: [PATCH 3/3] temp commit

---
 .freeipa-pr-ci.yaml| 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..5a4fc75c72 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_epn:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_epn.py
 template: *ci-master-latest
-timeout: 3600
+timeout: 7200
 topology: *master_1repl_1client
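
Review bot: `timeout: 3600` becomes `timeout: 7200` for a single `test_epn.py` run with no explanation in the commit message; if the suite really needs two hours, that belongs in the permanent PR-CI definitions with a reason, and if it is only headroom for this trial run the temp commit should say so.
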

[Freeipa-devel] [freeipa PR#5010][opened] ipatests: test_epn: add test_EPN_connection_refused

2020-08-07 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5010
Author: fcami
 Title: #5010: ipatests: test_epn: add test_EPN_connection_refused
Action: opened

PR body:
"""
Add a test for EPN behavior when the configured SMTP does not
accept connections.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5010/head:pr5010
git checkout pr5010
From 8e43c66fa0a518458809d16e377c9bbd3db73f1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 7 Aug 2020 07:51:53 +0200
Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a test for EPN behavior when the configured SMTP does not
accept connections.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami 
---
 ipatests/test_integration/test_epn.py | 25 ++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index f4c123c6d8..9bf3d01135 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -175,13 +175,17 @@ def _check_epn_output(
 self,
 host,
 dry_run=False,
+mailtest=False,
 from_nbdays=None,
 to_nbdays=None,
 raiseonerr=True,
 ):
-result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
-   from_nbdays=from_nbdays,
-   to_nbdays=to_nbdays)
+result = tasks.ipa_epn(
+host, raiseonerr=raiseonerr,
+from_nbdays=from_nbdays, to_nbdays=to_nbdays,
+dry_run=dry_run,
+mailtest=mailtest
+)
 json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
 return (result.stdout_text, result.stderr_text)
 
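
Review bot: with `mailtest=True` now passed through, the unchanged `json.dumps(json.loads(result.stdout_text), ensure_ascii=False)` line still runs on every call, yet the new test expects stdout to contain the plain sentence "Could not connect to the configured SMTP server.", which is not JSON, so `json.loads` would raise before the helper returns. Skip the JSON check when `mailtest` is set (or when the command failed), and document the new parameter.
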
@@ -234,6 +238,21 @@ def test_EPN_config_file(self):
 ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
 assert cmd2.stdout_text.find(ck) == 0
 
+@pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
+def test_EPN_connection_refused(self):
+"""Test EPN behavior when the configured SMTP is down
+"""
+
+self.master.run_command(["systemctl", "stop", "postfix"])
+(stdout_text, stderr_text, rc) = self._check_epn_output(
+self.master, mailtest=True, raiseonerr=False
+)
+self.master.run_command(["systemctl", "start", "postfix"])
+assert "[Errno 111] Connection refused" not in stderr_text
+assert "Could not connect to the configured SMTP server." in \
+stdout_text
+assert rc > 0
+
 def test_EPN_smoketest_1(self):
 """No users except admin. Check --dry-run output.
With the default configuration, the result should be an empty list.
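
Review bot: `(stdout_text, stderr_text, rc) = self._check_epn_output(...)` unpacks three values, but the helper returns `(result.stdout_text, result.stderr_text)`, so the test fails with a ValueError on unpacking and `rc` is never defined. Because the test is marked `xfail(..., strict=True)`, that failure is recorded as the expected one and hides the mistake; have the helper return the command's exit status as well, and consider `raises=AssertionError` on the marker so that only the intended failure counts. `systemctl start postfix` should also sit in a `finally:` block so that postfix comes back if the call in between raises.
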


[Freeipa-devel] [freeipa PR#5006][closed] IPA-EPN: use entry.get() to retrieve attributes

2020-08-06 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5006
Author: fcami
 Title: #5006: IPA-EPN: use entry.get() to retrieve attributes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5006/head:pr5006
git checkout pr5006


[Freeipa-devel] [freeipa PR#5006][opened] IPA-EPN: use entry.get() to retrieve attributes

2020-08-06 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5006
Author: fcami
 Title: #5006: IPA-EPN: use entry.get() to retrieve attributes
Action: opened

PR body:
"""
Use entry.get() to retrieve attributes to avoid tripping on missing attrs.

Fixes: TBD
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5006/head:pr5006
git checkout pr5006
From b3c69af0013378a96b956a1f995aec266beb3d34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 6 Aug 2020 17:07:36 +0200
Subject: [PATCH] IPA-EPN: use entry.get() to retrieve attributes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use entry.get() to retrieve attributes to avoid tripping on missing attrs.

Fixes: TBD
Signed-off-by: François Cami 
---
 ipaclient/install/ipa_epn.py | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 6e1b001464..c7ce58fdba 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -131,14 +131,14 @@ def add(self, entry):
 self._sorted = False
 self._expiring_password_user_dq.append(
 dict(
-uid=str(entry["uid"].pop(0)),
-cn=str(entry["cn"].pop(0)),
-givenname=str(entry["givenname"].pop(0)),
-sn=str(entry["sn"].pop(0)),
+uid=str(entry.get("uid")),
+cn=str(entry.get("cn")),
+givenname=str(entry.get("givenname")),
+sn=str(entry.get("sn")),
 krbpasswordexpiration=str(
-entry["krbpasswordexpiration"].pop(0)
+entry.get("krbpasswordexpiration")
 ),
-mail=str(entry["mail"]),
+mail=str(entry.get("mail")),
 )
 )
 except IndexError as e:
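
Review bot: the removed lines took the first value with `entry["uid"].pop(0)`, so the values are list-like; `str(entry.get("uid"))` now stringifies the whole value list, and for a missing attribute produces the literal string "None", which then flows into the notification data as if it were a real uid, cn or mail. Keep the single-value extraction with an explicit default, and decide per attribute whether absence is tolerated (givenname) or an error (uid, mail). The surrounding `except IndexError` can no longer be triggered by these lines and should be revisited, and `Fixes: TBD` needs a ticket before merge.
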


[Freeipa-devel] [freeipa PR#4991][opened] IPA-EPN: enhance input validation

2020-08-05 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4991
Author: fcami
 Title: #4991: IPA-EPN: enhance input validation
Action: opened

PR body:
"""
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays

Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4991/head:pr4991
git checkout pr4991
From dfdbce6563aaf33e8d3d997db512123add5aeaf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Tue, 4 Aug 2020 21:36:23 +0200
Subject: [PATCH] IPA-EPN: enhance input validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays

Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami 
---
 ipaclient/install/ipa_epn.py | 27 +--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 6e1b001464..23fa35a1a4 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -238,12 +238,35 @@ def add_options(cls, parser):
 
 def validate_options(self):
 super(EPN, self).validate_options(needs_root=True)
-if self.options.to_nbdays:
+if self.options.to_nbdays is not None:
+try:
+int(self.options.to_nbdays)
+assert float(self.options.to_nbdays) == \
+int(self.options.to_nbdays)
+except Exception as e:
+self.option_parser.error(
+"--to-nbdays must be an integer. {error}".format(error=e)
+)
 self.options.dry_run = True
-if self.options.from_nbdays and not self.options.to_nbdays:
+if self.options.from_nbdays is not None:
+try:
+int(self.options.from_nbdays)
+assert float(self.options.from_nbdays) == \
+int(self.options.from_nbdays)
+except Exception as e:
+self.option_parser.error(
+"--from-nbdays must be an integer. {error}".format(error=e)
+)
+if self.options.from_nbdays is not None and not self.options.to_nbdays:
 self.option_parser.error(
 "You cannot specify --from-nbdays without --to-nbdays"
 )
+if self.options.from_nbdays is not None and \
+self.options.to_nbdays is not None:
+if self.options.from_nbdays >= self.options.to_nbdays:
+self.option_parser.error(
+"--from-nbdays must be smaller than --to-nbdays."
+)
 if self.options.mailtest and self.options.dry_run:
 self.option_parser.error(
 "You cannot specify --mail-test and --dry-run together"
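
Review bot: in both new `try` blocks the result of `int(...)` is discarded, so `self.options.from_nbdays` and `self.options.to_nbdays` keep whatever type the parser produced, and the later `from_nbdays >= to_nbdays` check compares those unconverted values; if they are strings, "10" sorts before "9". Store the converted integers back on `self.options` and compare those. Validation should not rely on `assert`, which is removed under `python -O`, and `except Exception` is broader than the ValueError/TypeError that the conversions raise. The line `if self.options.from_nbdays is not None and not self.options.to_nbdays:` still tests truthiness, so `--to-nbdays 0` is treated as absent.
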


[Freeipa-devel] [freeipa PR#4970][opened] ipatests: test_epn: enhance CLI testing

2020-07-31 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4970
Author: fcami
 Title: #4970: ipatests: test_epn: enhance CLI testing
Action: opened

PR body:
"""
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays

Signed-off-by: François Cami 

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4970/head:pr4970
git checkout pr4970
From 8d6df218fe501b5ba7ae012c6cdb8cae960a353d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 31 Jul 2020 15:25:15 +0200
Subject: [PATCH 1/2] ipatests: test_epn: make sure --dry-run does not send
 emails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays

Signed-off-by: François Cami 
---
 ipatests/test_integration/test_epn.py | 35 ---
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index f4c123c6d8..aea3422076 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -344,22 +344,49 @@ def test_EPN_smoketest_3(self):
 expected_users = ["user1", "user3", "user7", "user14", "user28"]
 assert sorted(user_lst) == sorted(expected_users)
 
-def test_EPN_nbdays(self):
+def test_EPN_nbdays(self, cleanupmail):
 """Test the to/from nbdays options (implies --dry-run)
 
We have a set of users installed with varying expiration
dates. Confirm that to/from nbdays finds them.
 """
 
-# Compare the notify_ttls values
 for i in self.notify_ttls:
+# Compare the notify_ttls values
 user_list = []
 (stdout_text_client, unused) = self._check_epn_output(
-self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True)
+self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True
+)
 for user in json.loads(stdout_text_client):
 user_list.append(user["uid"])
 assert len(user_list) == 1
-assert user_list[0] == "user%d" % i
+userid = "user{id}".format(id=i)
+assert user_list[0] == userid
+
+# make sure that --from-nbdays implies --dry-run
+(stdout_text_client, unused) = self._check_epn_output(
+self.clients[0], from_nbdays=i
+)
+user_list = []
+for user in json.loads(stdout_text_client):
+user_list.append(user["uid"])
+assert len(user_list) >= 1
+for j in range(i, self.notify_ttls):
+userjd = "user{id}".format(id=j)
+assert userjd in user_list
+
+# make sure that --to-nbdays cannot be used without --from-nbdays
+with pytest.raises(CalledProcessError):
+(unused, stderr_text_client) = self._check_epn_output(
+self.clients[0], to_nbdays=i
+)
+assert "You cannot specify --from-nbdays without --to-nbdays" \
+in stderr_text_client
+
+# make sure no emails were sent
+result = self.master.run_command(['ls', '-lha', '/var/mail/'])
+assert ".." in result.stdout_text
+assert userid not in result.stdout_text
 
 # From here the tests build on one another:
 #  1) add auth
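
Review bot: `for j in range(i, self.notify_ttls):` passes `self.notify_ttls` to `range()`, but the enclosing `for i in self.notify_ttls:` iterates it as a sequence, so this raises TypeError; iterate over the entries of `notify_ttls` that are `>= i` instead. In the `with pytest.raises(CalledProcessError):` block the `assert` comes after the call that is expected to raise, so it never runs; move the check outside the block. That block passes only `to_nbdays=i` while asserting the message "You cannot specify --from-nbdays without --to-nbdays", which describes the opposite combination, so please check which of the two options is meant to be required. The final `assert userid not in result.stdout_text` only covers the last `i` of the loop.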

From c2364f677440e3d449b08a27f86ad0ceafc7a26f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 31 Jul 2020 18:29:43 +0200
Subject: [PATCH 2/2] add temp commit

---
 .freeipa-pr-ci.yaml| 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..8a857acaaf 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_epn:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: 

[Freeipa-devel] [freeipa PR#4964][opened] Remove paramiko usage from ipatests

2020-07-30 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4964
Author: fcami
 Title: #4964: Remove paramiko usage from ipatests
Action: opened

PR body:
"""
MANUAL BACKPORT

Paramiko is not compatible with FIPS.
Migrate all tests using paramiko to the OpenSSH CLI SSH(1).

Fixes: https://pagure.io/freeipa/issue/8129

Note that https://pagure.io/freeipa/issue/8431 was filed as sshpass would need 
an enhancement to cover all OTP tests.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4964/head:pr4964
git checkout pr4964
From 9043538e63de5ee1b597c433e13cbea14f61cd2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Wed, 22 Jul 2020 09:59:12 +0200
Subject: [PATCH 1/8] tasks: add run_ssh_cmd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Paramiko is not compatible with FIPS.
A replacement is needed, and since what clients use is "ssh",
create a shim over it so that tests can leverage it.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami 
Reviewed-By: Mohammad Rizwan 
Reviewed-By: Michal Polovka 
---
 ipatests/pytest_ipa/integration/tasks.py | 133 +++
 1 file changed, 133 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 2ffaceb866..a3f7cc8386 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -30,6 +30,7 @@
 import itertools
 import shutil
 import copy
+import subprocess
 import tempfile
 import time
 from pipes import quote
@@ -2297,3 +2298,135 @@ def get_sssd_version(host):
 """Get sssd version on remote host."""
 version = host.run_command('sssd --version').stdout_text.strip()
 return parse_version(version)
+
+
+def run_ssh_cmd(
+from_host=None, to_host=None, username=None, cmd=None,
+auth_method=None, password=None, private_key_path=None,
+expect_auth_success=True, expect_auth_failure=None,
+verbose=True, connect_timeout=2, strict_host_key_checking=False
+):
+"""Runs an ssh connection from the controller to the host.
+   - auth_method can be either "password" or "key".
+   - In the first case, set password to the user's password ; in the
+ second case, set private_key_path to the path of the private key.
+   - If expect_auth_success or expect_auth_failure, analyze the ssh
+ client's log and check whether the selected authentication method
+ worked. expect_auth_failure takes precedence over expect_auth_success.
+   - If verbose, display the ssh client verbose log.
+   - Both expect_auth_success and verbose are True by default. Debugging
+ ssh client failures is next to impossible without the associated
+ debug log.
+   Possible enhancements:
+   - select which host to run from (currently: controller only)
+"""
+
+if from_host is not None:
+raise NotImplementedError(
+"from_host must be None ; running from anywhere but the "
+"controller is not implemented yet."
+)
+
+if expect_auth_failure:
+expect_auth_success = False
+
+if to_host is None or username is None or auth_method is None:
+raise ValueError("host, username and auth_method are mandatory")
+if cmd is None:
+# cmd must run properly on all supported platforms.
+# true(1) ("do nothing, successfully") is the obvious candidate.
+cmd = "true"
+
+if auth_method == "password":
+if password is None:
+raise ValueError(
+"password is mandatory if auth_method == password"
+)
+ssh_cmd = (
+"ssh",
+"-v",
+"-o", "PubkeyAuthentication=no",
+"-o", "GSSAPIAuthentication=no",
+"-o", "ConnectTimeout={connect_timeout}".format(
+connect_timeout=connect_timeout
+),
+)
+elif auth_method == "key":
+if private_key_path is None:
+raise ValueError(
+"private_key_path is mandatory if auth_method == key"
+)
+ssh_cmd = (
+"ssh",
+"-v",
+"-o", "BatchMode=yes",
+"-o", "PubkeyAuthentication=yes",
+"-o", "GSSAPIAuthentication=no",
+"-o", "ConnectTimeout={connect_timeout}".format(
+connect_timeout=connect_timeout
+),
+)
+else:
+raise ValueError(
+"auth_method must either be password or key"
+)
+
+ssh_cmd_1 = list(ssh_cmd)
+if strict_host_key_checking is True:
+ssh_cmd_1.extend(("-o", "StrictHostKeyChecking=yes"))
+else:
+ssh_cmd_1.extend(("-o", "StrictHostKeyChecking=no"))
+if auth_method == "password":
+ssh_cmd_1 = list(("sshpass", "-p", password)) + ssh_cmd_1
+elif auth_method == "key":
+

[Freeipa-devel] [freeipa PR#4938][closed] Remove paramiko usage from ipatests

2020-07-29 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4938
Author: fcami
 Title: #4938: Remove paramiko usage from ipatests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4938/head:pr4938
git checkout pr4938


[Freeipa-devel] [freeipa PR#4952][opened] [Backport][ipa-4-8] re-enable test_sss_ssh_authorizedkeys

2020-07-29 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4952
Author: fcami
 Title: #4952: [Backport][ipa-4-8] re-enable test_sss_ssh_authorizedkeys
Action: opened

PR body:
"""
test_sss_ssh_authorizedkeys was disabled but recent test runs show it might be 
working properly.
Run it multiple times to see if it works.

Note two commits: I'd rather keep the -v even if we end up disabling the test 
again, so these commits should not be squashed.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4952/head:pr4952
git checkout pr4952
From d0d24c7745a8433a6d228f663cc18e6f778c6e84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 23 Jul 2020 15:11:13 +0200
Subject: [PATCH 1/2] ipatests: re-enable test_sss_ssh_authorizedkeys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Re-enable test_sss_ssh_authorizedkeys.

Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami 
Reviewed-By: Armando Neto 
---
 ipatests/test_integration/test_commands.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index bacde50416..bfb637cae5 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1023,7 +1023,6 @@ def is_tls_version_enabled(tls_version):
 assert is_tls_version_enabled('tls1_2')
 assert is_tls_version_enabled('tls1_3')
 
-@pytest.mark.skip(reason='https://pagure.io/freeipa/issue/8151')
 def test_sss_ssh_authorizedkeys(self):
 """Login via Ssh using private-key for ipa-user should work.
 

From 933d1b577454ee5ddf69d65979ef20d3e45c9af3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 23 Jul 2020 15:13:04 +0200
Subject: [PATCH 2/2] ipatests: test_sss_ssh_authorizedkeys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add debug information to the ssh invocation.

Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami 
Reviewed-By: Armando Neto 
---
 ipatests/test_integration/test_commands.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index bfb637cae5..184a70d8d3 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1067,7 +1067,7 @@ def test_sss_ssh_authorizedkeys(self):
 assert ssh_pub_key in result.stdout_text
 # login to the system
 self.master.run_command(
-['ssh', '-o', 'PasswordAuthentication=no',
+['ssh', '-v', '-o', 'PasswordAuthentication=no',
  '-o', 'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no',
  '-o', 'ConnectTimeout=10', '-l', user, '-i', user_key,
  self.master.hostname, 'true'])


[Freeipa-devel] [freeipa PR#4945][closed] re-enable test_sss_ssh_authorizedkeys

2020-07-29 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4945
Author: fcami
 Title: #4945: re-enable test_sss_ssh_authorizedkeys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4945/head:pr4945
git checkout pr4945

