forked from freeipa/freeipa
Test pr ci #15
Open
amore17 wants to merge 30 commits into master from test_pr_ci
amore17 force-pushed the test_pr_ci branch 2 times, most recently from 6a82d7f to adee044 (August 29, 2024 05:18)
amore17 force-pushed the test_pr_ci branch 3 times, most recently from 8147eff to cb9b696 (August 29, 2024 10:05)
amore17 force-pushed the test_pr_ci branch 4 times, most recently from f8c870d to a055114 (August 29, 2024 11:05)
We have multiple log files that are produced by IPA components. Some of them are written by the tools that run as root and inherit their file context from /var/log -> var_log_t. However, increasingly we get tools that were run through oddjob helpers. These are supposed to be run within ipa_helper_t SELinux context which has write permissions for ipa_log_t file context.

Add all known log files from the base platform. The following script was used to generate them:

$ git grep '_LOG = .*ipa.*\.log' ipaplatform/base/paths.py | cut -d= -f2 | \
  xargs -I% echo -e "%\t--\tgen_context(system_u:object_r:ipa_log_t,s0)"
/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0)

ipa-custodia.audit.log was already in the present list. Additionally, ipa-migrate-conflict.ldif is used by the ipa-migrate tool but is not provided through the ipaplatform mechanism. It is added explicitly.

Fixes: https://pagure.io/freeipa/issue/9654
Signed-off-by: Alexander Bokovoy <[email protected]>
Reviewed-By: Florence Blanc-Renaud <[email protected]>

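The commit above generates file-context entries once; a drift check catches log paths added later without an ipa_log_t entry. This is an added example, not code from the commit or from FreeIPA. The function names and both sample texts are constructed assumptions, and it takes the first matching entry rather than modelling SELinux precedence between overlapping entries.

```python
import re

# Same selection pattern as the git grep in the commit message.
LOG_DEF = re.compile(r'_LOG = .*ipa.*\.log')
# "<path regex> [<file type>] gen_context(<user:role:type>,<level>)"
FC_LINE = re.compile(r'^(\S+)\s+(?:-\S\s+)?gen_context\(([^,)]+)')

# Constructed sample lines in the style of ipaplatform/base/paths.py.
SAMPLE_PATHS_PY = '''\
    IPABACKUP_LOG = "/var/log/ipabackup.log"
    IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
    IPAEPN_LOG = "/var/log/ipaepn.log"
    IPA_MIGRATE_LOG = "/var/log/ipa-migrate.log"
    SSSD_LOG = "/var/log/sssd/sssd.log"
'''

# Constructed sample file-context entries: one wrong type, one path missing.
SAMPLE_FC = '''\
/var/log/ipabackup.log  --  gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaupgrade.log  --  gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaepn.log  --  gen_context(system_u:object_r:var_log_t,s0)
'''

def log_paths(paths_py_text):
    """Select log paths the way the pipeline does (grep, then cut -d= -f2)."""
    return [line.split("=", 1)[1].strip().strip('"\'')
            for line in paths_py_text.splitlines() if LOG_DEF.search(line)]

def parse_fc(fc_text):
    """Return [(compiled path regex, SELinux type)] for each entry."""
    entries = []
    for line in fc_text.splitlines():
        m = FC_LINE.match(line.strip())
        if m:  # path specs in .fc files are regexes anchored at both ends
            entries.append((re.compile(m.group(1)), m.group(2).split(":")[2]))
    return entries

def audit(paths_py_text, fc_text, expected="ipa_log_t"):
    """Map each log path not labelled `expected` to its type (None if absent)."""
    entries = parse_fc(fc_text)
    problems = {}
    for path in log_paths(paths_py_text):
        setype = next((t for rx, t in entries if rx.fullmatch(path)), None)
        if setype != expected:
            problems[path] = setype
    return problems

if __name__ == "__main__":
    for path, setype in audit(SAMPLE_PATHS_PY, SAMPLE_FC).items():
        print(f"{path}: {setype or 'no file-context entry'}")
```

A path reported with no entry inherits var_log_t from /var/log, which is the case the commit message describes for tools run through oddjob helpers.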
ipa-idrange-fix is a tool for analysis of existing IPA ranges, users and groups outside of those ranges, and functionality to propose and apply remediations to make sure as many users and groups as possible end up in the IPA-managed ranges. Fixes: https://pagure.io/freeipa/issue/9612 Signed-off-by: Aleksandr Sharov <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
fixes: https://pagure.io/freeipa/issue/9612 Reviewed-By: Rob Crittenden <[email protected]>
amore17 force-pushed the test_pr_ci branch 5 times, most recently from 459bf62 to 9682758 (September 26, 2024 08:06)
There has always been a pki-server command acme-remove. We were not aware that it should be called prior to removing a CA. In 11.5.0 this is strongly encouraged by the PKI team. In 11.6.0 ACME is treated as a full subsystem so will be removed in the future using pkidestroy -s ACME. The new class acmeinstance.ACMEInstance is introduced so its uninstallation can be handled in a similar way as the other PKI services via DogtagInstance. It is, right now, a pretty thin wrapper. We can discuss moving the ACME installation routines here at some point. It would be ok as long as we don't have to introduce another PKI restart as part of it. In PKI 11.6.0 pkidestroy has new options to ensure a clean uninstall: --remove-conf --remove-logs. Pass those options into pkidestroy calls for 11.6.0+. Clean up an additional IPA-generated file that needs to be cleaned up during uninstall: /root/kracert.p12. 11.6.0 is more sensitive to leftover files than previous versions. Fixes: https://pagure.io/freeipa/issue/9673 Fixes: https://pagure.io/freeipa/issue/9674 Signed-off-by: Rob Crittenden <[email protected]> Reviewed-By: Alexander Bokovoy <[email protected]>
This patch adds the line tasks.install_master(cls.master). The kinit admin command fails with the below error as the IPA is not configured on the test system 'ipa: ERROR: stderr: kinit: Configuration file does not specify default realm when parsing name admin' Signed-off-by: Sudhir Menon <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
nodejs22 is now the default nodejs version in RHEL 10 as well as ELN. Signed-off-by: Yaakov Selkowitz <[email protected]> Reviewed-By: Alexander Bokovoy <[email protected]> Reviewed-By: Florence Blanc-Renaud <[email protected]>
Currently translated at 19.0% (930 of 4881 strings) Translated using Weblate (Korean) Currently translated at 19.0% (930 of 4881 strings) Co-authored-by: 김인수 <[email protected]> Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/ Translation: freeipa/master Reviewed-By: Florence Blanc-Renaud <[email protected]>
…lowed If only OTP authentication is allowed, and a user tries to login with an expired token, do not let them log in with their password. Forcing the admin to intervene. If the user does not have an OTP token then allow them to log in with a password until an OTP token is configured. Fixes: https://pagure.io/freeipa/issue/9387 Signed-off-by: Mark Reynolds <[email protected]> Reviewed-By: Rob Crittenden <[email protected]> Reviewed-By: Alexander Bokovoy <[email protected]> Reviewed-By: Julien Rische <[email protected]>
The test test_ipa_idrange_fix is installing IPA server as it sets topology=line. Its test definition should not use a template that pre-installs the IPA server (ipaserver preinstalls IPA server but master_1repl does not). Signed-off-by: Florence Blanc-Renaud <[email protected]> Reviewed-By: Sudhir Menon <[email protected]>
PKI removed the clones.check connectivity_and_data check in 11.5 and master branches. Skip the test depending on PKI version. The most recent version on 11.5 is 11.5.4 and still contains the check, hence skipping if version >= 11.5.5. Fixes: https://pagure.io/freeipa/issue/9668 Signed-off-by: Florence Blanc-Renaud <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
This testcase checks that services: ssh is included in the sssd.conf file when ipa-client-install is successful. Ref: https://pagure.io/freeipa/issue/9649 Signed-off-by: Sudhir Menon <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
Cockpit can use GSSAPI authentication and has a pretty good definition of how to enable it: https://cockpit-project.org/guide/latest/sso.html. These instructions work on IPA clients but they cannot be used on IPA servers because IPA framework already owns HTTP/.. Kerberos service and its keytab.

Luckily, there are two changes that need to be done to enable Cockpit single sign-on with GSSAPI on IPA servers:
- create a symlink /etc/cockpit/krb5.keytab to /var/lib/ipa/gssproxy/http.keytab
- add SELinux policy to allow cockpit_session_t to operate on /var/lib/ipa/gssproxy/http.keytab file

For existing installations an upgrade process would restore SELinux context of the http.keytab file to the new value.

Note that Cockpit documentation above also talks about Kerberos service modifications to enable delegation. These modifications should not be done for IPA servers' HTTP services, as these services are already enabled to handle delegation.

Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <[email protected]>
Reviewed-By: Rob Crittenden <[email protected]>

Add a test to share HTTP service keytab on IPA master between IPA and Cockpit. The test configures Cockpit with IPA CA-issued certificate and allows Cockpit to access IPA HTTP service keytab for authentication. The test then attempts to authenticate with GSSAPI as admin user. A successful result is when we receive CSRF token from the Cockpit as the result of this authentication. This means we have logged in successfully with Kerberos. Fixes: https://pagure.io/freeipa/issue/9675 Signed-off-by: Alexander Bokovoy <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
Fixes: https://pagure.io/freeipa/issue/9675 Signed-off-by: Alexander Bokovoy <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
When token and associated certs are not being cleaned up properly, the subsequent installation fails. Hence password file related scenarios are moved out to a new test class so that it has a fresh installation. Signed-off-by: Mohammad Rizwan <[email protected]> Reviewed-By: Rob Crittenden <[email protected]> Reviewed-By: Florence Blanc-Renaud <[email protected]>
Fixes: https://pagure.io/freeipa/issue/9450 Signed-off-by: Ian Brown <[email protected]> Signed-off-by: Ian Brown <[email protected]> Reviewed-By: Alexander Bokovoy <[email protected]>
amore17 force-pushed the test_pr_ci branch 6 times, most recently from 8665679 to aa8c782 (October 17, 2024 14:34)
amore17 force-pushed the test_pr_ci branch 4 times, most recently from 9f58450 to 327c5da (October 25, 2024 07:37)
Added changes in ipatests so that ipa server-replica-client can be installed with two domains - ipa.test and trustedipa.test Related: https://pagure.io/freeipa/issue/9657 Signed-off-by: Anuja More <[email protected]>
No description provided.