def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = backup(master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) # disable replication agreement tasks.ldapmodify_dm(master, entry_ldif) # uninstall master. tasks.uninstall_master(master, clean=False) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")
def test_install_uninstall_replica(self): # Test that the sequence install replica / uninstall replica # properly removes the line # Include /etc/httpd/conf.d/ipa-rewrite.conf # from ssl.conf on the replica tasks.install_replica(self.master, self.replicas[0], extra_args=['--force-join']) tasks.uninstall_replica(self.master, self.replicas[0]) errline = b'Include /etc/httpd/conf.d/ipa-rewrite.conf' ssl_conf = self.replicas[0].get_file_contents(paths.HTTPD_SSL_CONF) assert errline not in ssl_conf
def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) args = [ "ipa-dns-install", "--dnssec-master", "--forwarder", cls.master.config.dns_forwarder, "-U", ] cls.master.run_command(args) # No need to enable dns service in the firewall as master has been # installed with dns support enabled # Firewall(cls.master).enable_services(["dns"]) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def test_ignore_topology_disconnect_replica1(self): """ tests that removal of replica1 with '--ignore-topology-disconnect' destroys master for good """ check_master_removal( self.client, self.replica1.hostname, ignore_topology_disconnect=True ) # reinstall the replica tasks.uninstall_master(self.replica1) tasks.install_replica(self.master, self.replica1, setup_ca=True)
def install(cls, mh): cls.domain = DNSName(cls.master.domain.name).make_absolute() tasks.install_master(cls.master, setup_dns=True) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True, setup_ca=False) tasks.install_replica(cls.master, cls.replicas[1], setup_dns=True, setup_ca=True) for host in (cls.master, cls.replicas[0], cls.replicas[1]): ldap = host.ldap_connect() tasks.wait_for_replication(ldap) # give time to named to retrieve new records time.sleep(20)
def test_ignore_topology_disconnect_replica2(self): """ tests that removal of replica2 with '--ignore-topology-disconnect' destroys master for good with verbose option for uninstallation """ check_master_removal( self.client, self.replica2.hostname, ignore_topology_disconnect=True ) # reinstall the replica tasks.uninstall_master(self.replica2, verbose=True) tasks.install_replica(self.master, self.replica2, setup_ca=True)
def test_server_replica_client_install_with_pool_and_srv(self): """ test to verify that ipa-server, ipa-replica and ipa-client install passes with options --ntp-pool and --ntp-server together """ expected_msg = "Configuration of chrony was changed by installer." args = ['--ntp-pool=%s' % self.ntp_pool, '--ntp-server=%s' % self.ntp_server1] server_install = tasks.install_master(self.master, setup_dns=False, extra_args=args) assert expected_msg in server_install.stderr_text cmd = self.master.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text assert self.ntp_server1 in cmd.stdout_text replica_install = tasks.install_replica(self.master, self.replica, extra_args=args, promote=False) assert expected_msg in replica_install.stderr_text cmd = self.replica.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text assert self.ntp_server1 in cmd.stdout_text client_install = tasks.install_client(self.master, self.client, extra_args=args) assert expected_msg in client_install.stderr_text cmd = self.client.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text assert self.ntp_server1 in cmd.stdout_text
def test_replica_promotion_without_ntp(self): """ test to verify that replica promotion without ntp options - ipa-client-install with ntp option - ipa-replica-install without ntp option will be successful """ exp_str = "ipa-replica-install command was successful" expected_msg = "Configuration of chrony was changed by installer." ntp_args = ['--ntp-pool=%s' % self.ntp_pool] server_install = tasks.install_master(self.master, setup_dns=False, extra_args=ntp_args) assert expected_msg in server_install.stderr_text client_install = tasks.install_client(self.master, self.replica, extra_args=ntp_args) assert expected_msg in client_install.stderr_text replica_install = tasks.install_replica(self.master, self.replica, promote=False) assert exp_str in replica_install.stderr_text cmd = self.replica.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text
def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) args = [ "ipa-dns-install", "--dnssec-master", "--forwarder", cls.master.config.dns_forwarder, "-U", ] cls.master.run_command(args) # Enable dns service on master as it has been installed without dns # support before Firewall(cls.master).enable_services(["dns"]) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) # backup trusted key tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def test_add_remove_segment(self): """ Make sure a topology segment can be manually created and deleted with the influence on the real topology Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case:_Basic_CRUD_test """ tasks.kinit_admin(self.master) # Install the second replica tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # turn a star into a ring segment, err = tasks.create_segment(self.master, self.replicas[0], self.replicas[1]) assert err == "", err # Make sure the new segment is shown by `ipa topologysegment-find` result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert(segment['name'] in result1), ( "%s: segment not found" % segment['name']) # Remove master <-> replica2 segment and make sure that the changes get # there through replica1 # Since segment name can be one of master-to-replica2 or # replica2-to-master, we need to determine the segment name dynamically deleteme = find_segment(self.master, self.replicas[1]) returncode, error = tasks.destroy_segment(self.master, deleteme) assert returncode == 0, error # Wait till replication ends and make sure replica1 does not have # segment that was deleted on master master_ldap = self.master.ldap_connect() tasks.wait_for_replication(master_ldap) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert(deleteme not in result3), "%s: segment still exists" % deleteme # Create test data on master and make sure it gets all the way down to # replica2 through replica1 self.master.run_command(['ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user']) tasks.wait_for_replication(master_ldap) result4 = self.replicas[1].run_command(['ipa', 'user-find']) assert('someuser' in result4.stdout_text), 'User not found: someuser'
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text segment_name = self.segmentnames_re.findall(result1)[0] assert(self.master.hostname in segment_name), ( "Segment %s does not contain master hostname" % segment_name) assert(self.replicas[0].hostname in segment_name), ( "Segment %s does not contain replica hostname" % segment_name) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert(len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. # first step of uninstallation is removal of the replica on other # master, then it can be uninstalled. Doing it the other way is also # possible, but not reliable - some data might not be replicated. tasks.clean_replication_agreement(self.master, self.replicas[1]) tasks.uninstall_master(self.replicas[1]) result5 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_backup_restore(self): """ TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case: _ipa-restore_after_domainlevel_raise_restores_original_domain_level """ command = ["ipa", "topologysegment-find", DOMAIN_SUFFIX_NAME] tasks.install_replica(self.master, self.replicas[0]) backup_file = tasks.ipa_backup(self.master) self.master.run_command( ["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)]) # We need to give the server time to merge 2 one-way segments into one time.sleep(10) result = self.master.run_command(command) found1 = result.stdout_text.rfind("1 segment matched") assert (found1 > 0), result.stdout_text tasks.ipa_restore(self.master, backup_file) result2 = self.master.run_command(command, raiseonerr=False) found2 = result2.stdout_text.rfind("0 segments matched") assert (found2 > 0), result2.stdout_text
def install(cls, mh): super(TestForcedClientReenrollment, cls).install(mh) tasks.install_master(cls.master) cls.client_dom = cls.clients[0].hostname.split('.', 1)[1] if cls.client_dom != cls.master.domain.name: # In cases where client is managed by upstream DNS server we # overlap its zone so we can save DNS records (e.g. SSHFP) for # comparison. servers = [cls.master] + cls.replicas tasks.add_dns_zone(cls.master, cls.client_dom, skip_overlap_check=True, dynamic_update=True, add_a_record_hosts=servers) tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False) cls.clients[0].resolver.backup() cls.clients[0].resolver.setup_resolver(cls.master.ip) cls.BACKUP_KEYTAB = os.path.join(cls.master.config.test_dir, 'krb5.keytab')
def install(cls, mh): super(TestForcedClientReenrollment, cls).install(mh) tasks.install_master(cls.master) cls.client_dom = cls.clients[0].hostname.split('.', 1)[1] if cls.client_dom != cls.master.domain.name: # In cases where client is managed by upstream DNS server we # overlap its zone so we can save DNS records (e.g. SSHFP) for # comparison. servers = [cls.master] + cls.replicas tasks.add_dns_zone(cls.master, cls.client_dom, skip_overlap_check=True, dynamic_update=True, add_a_record_hosts=servers ) tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False) cls.BACKUP_KEYTAB = os.path.join( cls.master.config.test_dir, 'krb5.keytab' )
def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) args = [ "ipa-dns-install", "--dnssec-master", "--forwarder", cls.master.config.dns_forwarder, "-U", ] cls.master.run_command(args) # Enable dns service on master as it has been installed without dns # support before Firewall(cls.master).enable_services(["dns"]) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True, nameservers=None) # backup trusted key tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1(self.master) assert result.returncode == 0 # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2( self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = self.master.run_command([ 'ldapsearch', '-x', '-D', 'cn=directory manager', '-w', self.master.config.dirman_password, '-b', 'cn=mapping tree,cn=config', '(cn=replica)', '-LLL', '-o', 'ldif-wrap=no']) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1( self.master, extra_args=['--external-ca-type=ms-cs'] ) assert result.returncode == 0 # check CSR for extension ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) check_mscs_extension(ipa_csr, MSCSTemplateV1(u'SubCA')) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2( self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = tasks.ldapsearch_dm( self.master, 'cn=mapping tree,cn=config', ['(cn=replica)'], ) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_rolecheck_DNS_CA(self): """ipa-backup rolecheck: start with a master with DNS and CA then gradually upgrade a replica to the DNS and CA roles. """ # single master: check that backup works. assert self._ipa_replica_role_check( self.master.hostname, self.serverroles['DNS'] ) assert self._ipa_replica_role_check( self.master.hostname, self.serverroles['CA'] ) assert not self._ipa_replica_role_check( self.master.hostname, self.serverroles['KRA'] ) self._check_rolecheck_backup_success(self.master) # install CA-less, DNS-less replica tasks.install_replica(self.master, self.replicas[0], setup_ca=False) assert not self._ipa_replica_role_check( self.replicas[0].hostname, self.serverroles['DNS'] ) assert not self._ipa_replica_role_check( self.replicas[0].hostname, self.serverroles['CA'] ) assert not self._ipa_replica_role_check( self.replicas[0].hostname, self.serverroles['KRA'] ) self._check_rolecheck_backup_success(self.master) self._check_rolecheck_backup_failure(self.replicas[0]) # install DNS on replica tasks.install_dns(self.replicas[0]) assert self._ipa_replica_role_check( self.replicas[0].hostname, self.serverroles['DNS'] ) self._check_rolecheck_backup_failure(self.replicas[0])
def test_replica_install_with_existing_entry(self): master = self.master tasks.install_master(master) replica = self.replicas[0] tf = NamedTemporaryFile() ldif_file = tf.name base_dn = "dc=%s" % (",dc=".join(replica.domain.name.split("."))) # adding entry for replica on master so that master will have it before # replica installtion begins and creates a situation for pagure-7174 entry_ldif = textwrap.dedent(""" dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{base_dn} changetype: modify add: memberPrincipal memberPrincipal: HTTP/{hostname}@{realm} dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{base_dn} changetype: modify add: memberPrincipal memberPrincipal: ldap/{hostname}@{realm}""").format( base_dn=base_dn, hostname=replica.hostname, realm=replica.domain.name.upper()) master.put_file_contents(ldif_file, entry_ldif) arg = [ 'ldapmodify', '-h', master.hostname, '-p', '389', '-D', str(master.config.dirman_dn), # pylint: disable=no-member '-w', master.config.dirman_password, '-f', ldif_file ] master.run_command(arg) tasks.install_replica(master, replica)
def install(cls, mh): tasks.install_master(cls.master, setup_kra=True) # install replica1 without CA cmd = tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False, setup_dns=True, promote=False) # check for warning that CA is not installed on server warn = 'WARNING: The CA service is only installed on one server' assert warn in cmd.stderr_text
def test_replica_install_with_existing_entry(self): master = self.master tasks.install_master(master) replica = self.replicas[0] base_dn = "dc=%s" % (",dc=".join(replica.domain.name.split("."))) # adding entry for replica on master so that master will have it before # replica installtion begins and creates a situation for pagure-7174 entry_ldif = textwrap.dedent(""" dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{base_dn} changetype: modify add: memberPrincipal memberPrincipal: HTTP/{hostname}@{realm} dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{base_dn} changetype: modify add: memberPrincipal memberPrincipal: ldap/{hostname}@{realm}""").format( base_dn=base_dn, hostname=replica.hostname, realm=replica.domain.name.upper()) tasks.ldapmodify_dm(master, entry_ldif) tasks.install_replica(master, replica)
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1( self.master, extra_args=['--external-ca-type=ms-cs']) assert result.returncode == 0 # check CSR for extension ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA')) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2(self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = tasks.ldapsearch_dm( self.master, 'cn=mapping tree,cn=config', ['(cn=replica)'], ) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_kra_install_without_replica_file(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_kra(master, first_instance=True) tasks.install_replica(master, replica1) result1 = tasks.install_kra(replica1, domain_level=DOMAIN_LEVEL_1, raiseonerr=False) assert_error(result1, "A replica file is required", 1) tasks.install_kra(replica1, domain_level=DOMAIN_LEVEL_0, raiseonerr=True) # Now prepare the replica file, copy it to the client and raise # domain level on master to test the reverse situation tasks.replica_prepare(master, replica2) master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)]) tasks.install_replica(master, replica2) result2 = tasks.install_kra(replica2, domain_level=DOMAIN_LEVEL_0, raiseonerr=False) assert_error(result2, "No replica file is required", 1) tasks.install_kra(replica2)
def install(cls, mh): cls.client = cls.replicas[0] cls.replica = cls.replicas[1] tasks.install_master(cls.master, extra_args=['--no-dnssec-validation']) tasks.install_client(cls.master, cls.replicas[0], extra_args=["--mkhomedir"]) tasks.install_replica(cls.master, cls.replicas[1]) for host in [cls.master, cls.replicas[0], cls.replicas[1]]: content = host.get_file_contents(paths.IPA_DEFAULT_CONF, encoding='utf-8') new_content = content + "\noidc_child_debug_level = 10" host.put_file_contents(paths.IPA_DEFAULT_CONF, new_content) with tasks.remote_sssd_config(cls.master) as sssd_config: sssd_config.edit_domain( cls.master.domain, 'krb5_auth_timeout', 1100) tasks.clear_sssd_cache(cls.master) tasks.clear_sssd_cache(cls.replicas[0]) tasks.kinit_admin(cls.master) cls.master.run_command(["ipa", "config-mod", "--user-auth-type=idp", "--user-auth-type=password"]) xvfb = ("nohup /usr/bin/Xvfb :99 -ac -noreset -screen 0 1400x1200x8 " "</dev/null &>/dev/null &") cls.replicas[0].run_command(xvfb)
def test_full_backup_and_restore_with_replica(self): replica = self.replicas[0] with restore_checker(self.master): backup_path = backup(self.master) logger.info("Backup path for %s is %s", self.master, backup_path) self.master.run_command( ["ipa-server-install", "--uninstall", "-U"]) logger.info("Stopping and disabling oddjobd service") self.master.run_command(["systemctl", "stop", "oddjobd"]) self.master.run_command(["systemctl", "disable", "oddjobd"]) self.master.run_command(["ipa-restore", backup_path], stdin_text='yes') status = self.master.run_command( ["systemctl", "status", "oddjobd"]) assert "active (running)" in status.stdout_text tasks.install_replica(self.master, replica) check_replication(self.master, replica, "testuser1")
def test_replica_install_against_server_without_kra(self): """Replica install will fail complaining about KRA role and exit code 4""" # install ca on replica1 tasks.install_ca(self.replicas[0]) try: # install replica2 against replica1, as KRA is not installed on # replica1(CA installed), installation should fail on replica2 cmd = tasks.install_replica(self.replicas[0], self.replicas[1], promote=False, setup_kra=True, raiseonerr=False) assert cmd.returncode == 4 error = "please provide a server with the KRA role" assert error in cmd.stderr_text finally: tasks.uninstall_master(self.replicas[1], ignore_topology_disconnect=True, ignore_last_of_role=True)
def test_server_replica_client_install_with_pool_and_srv(self): """ test to verify that ipa-server, ipa-replica and ipa-client install passes with options --ntp-pool and --ntp-server together """ args = [ '--ntp-pool=%s' % self.ntp_pool, '--ntp-server=%s' % self.ntp_server1 ] server_install = tasks.install_master(self.master, setup_dns=False, extra_args=args) assert self.exp_change_msg in server_install.stderr_text cmd = self.master.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text assert self.ntp_server1 in cmd.stdout_text replica_install = tasks.install_replica(self.master, self.replica, extra_args=args, promote=False, nameservers=None) assert self.exp_change_msg in replica_install.stderr_text cmd = self.replica.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text assert self.ntp_server1 in cmd.stdout_text client_install = tasks.install_client(self.master, self.client, extra_args=args, nameservers=None) assert self.exp_change_msg in client_install.stderr_text cmd = self.client.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text assert self.ntp_server1 in cmd.stdout_text
def test_replica_install_against_server_without_ca(self): """Replica install will fail complaining about CA role and exit code 4""" # stop custodia service on replica1 self.replicas[0].run_command('systemctl stop ipa-custodia.service') # check if custodia service is stopped cmd = self.replicas[0].run_command('ipactl status') assert 'ipa-custodia Service: STOPPED' in cmd.stdout_text try: # install replica2 against replica1, as CA is not installed on # replica1, installation on replica2 should fail cmd = tasks.install_replica(self.replicas[0], self.replicas[1], promote=False, raiseonerr=False) assert cmd.returncode == 4 error = "please provide a server with the CA role" assert error in cmd.stderr_text finally: tasks.uninstall_master(self.replicas[1], ignore_topology_disconnect=True, ignore_last_of_role=True)
def test_replica_promotion_without_ntp(self): """ test to verify that replica promotion without ntp options - ipa-client-install with ntp option - ipa-replica-install without ntp option will be successful """ ntp_args = ['--ntp-pool=%s' % self.ntp_pool] server_install = tasks.install_master(self.master, setup_dns=False, extra_args=ntp_args) assert self.exp_change_msg in server_install.stderr_text client_install = tasks.install_client(self.master, self.replica, extra_args=ntp_args) assert self.exp_change_msg in client_install.stderr_text replica_install = tasks.install_replica(self.master, self.replica, promote=False) assert "ipa-replica-install command was successful" in \ replica_install.stderr_text cmd = self.replica.run_command(['cat', paths.CHRONY_CONF]) assert self.ntp_pool in cmd.stdout_text
def test_replica2_with_ca_kra_install(self): tasks.install_replica(self.master, self.replicas[2], setup_ca=True, setup_kra=True)
def test_replica1_with_ca_install(self): tasks.install_replica(self.master, self.replicas[1], setup_ca=True)
def test_replica0_ca_less_install(self): tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
def install(cls, mh): tasks.install_master(cls.master, setup_kra=True) # do not install KRA on replica, it is part of test tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def install_replica(self, replica, **kwargs): tasks.install_replica(self.master, replica, setup_adtrust=True, **kwargs)
def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) tasks.install_packages(cls.master, HEALTHCHECK_PKG)
def install(cls, mh): tasks.install_master(cls.master, setup_kra=True) # do not install KRA on replica, it is part of test tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def test_full_backup_and_restore_with_replica(self, cert_sign_request): # check prerequisites self.check_replication_success(self.master) self.check_replication_success(self.replica1) self.master.run_command( ['ipa', 'service-add', 'TEST/' + self.master.hostname]) tasks.user_add(self.master, 'test1_master') tasks.user_add(self.replica1, 'test1_replica') with restore_checker(self.master): backup_path = backup(self.master) # change data after backup self.master.run_command(['ipa', 'user-del', 'test1_master']) self.replica1.run_command(['ipa', 'user-del', 'test1_replica']) tasks.user_add(self.master, 'test2_master') tasks.user_add(self.replica1, 'test2_replica') # simulate master crash self.master.run_command(['ipactl', 'stop']) tasks.uninstall_master(self.master, clean=False) logger.info("Stopping and disabling oddjobd service") self.master.run_command([ "systemctl", "stop", "oddjobd" ]) self.master.run_command([ "systemctl", "disable", "oddjobd" ]) self.master.run_command(['ipa-restore', '-U', backup_path]) status = self.master.run_command([ "systemctl", "status", "oddjobd" ]) assert "active (running)" in status.stdout_text # replication should not work after restoration # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test3_master') tasks.user_add(self.replica1, 'test3_replica') self.check_replication_error(self.master) self.check_replication_error(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \ self.get_users(self.master) assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \ self.get_users(self.replica1) # reestablish and check replication self.replica1.run_command(['ipa-replica-manage', 're-initialize', '--from', self.master.hostname]) # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test4_master') tasks.user_add(self.replica1, 'test4_replica') self.check_replication_success(self.master) self.check_replication_success(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.master) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.replica1) # CA on master should be accesible from master and replica self.request_test_service_cert( self.master, cert_sign_request[self.master.hostname]) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) # replica should not be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname], expect_connection_error=True) finally: self.master.run_command(['ipactl', 'start']) tasks.install_ca(self.replica1) # now replica should be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) self.master.run_command(['ipactl', 'start']) # check installation of new replica tasks.install_replica(self.master, self.replica2, setup_ca=True) check_replication(self.master, self.replica2, "testuser") # new replica should be able to sign certificates without CA on master # and old replica self.master.run_command(['ipactl', 'stop']) self.replica1.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica2, cert_sign_request[self.replica2.hostname]) finally: self.replica1.run_command(['ipactl', 'start']) self.master.run_command(['ipactl', 'start'])
def test_migrate_dnssec_master(self): """Both master and replica have DNS installed""" backup_filename = "/var/lib/ipa/ipa-kasp.db.backup" replica_backup_filename = "/tmp/ipa-kasp.db.backup" # add test zone dnszone_add_dnssec(self.master, example_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, timeout=100), "Zone %s is not signed (master)" % example_test_zone # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example_test_zone, timeout=200), "Zone %s is not signed (replica)" % example_test_zone dnskey_old = resolve_with_dnssec(self.master.ip, example_test_zone, rtype="DNSKEY").rrset # migrate dnssec master to replica args = [ "ipa-dns-install", "--disable-dnssec-master", "--forwarder", self.master.config.dns_forwarder, "--force", "-U", ] self.master.run_command(args) # move content of "ipa-kasp.db.backup" to replica kasp_db_backup = self.master.get_file_contents(backup_filename) self.replicas[0].put_file_contents(replica_backup_filename, kasp_db_backup) args = [ "ipa-dns-install", "--dnssec-master", "--kasp-db", replica_backup_filename, "--forwarder", self.master.config.dns_forwarder, "-U", ] self.replicas[0].run_command(args) # Enable the dns service in the firewall on the replica Firewall(self.replicas[0]).enable_services(["dns"]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, timeout=100 ), "Zone %s is not signed after migration (master)" % example_test_zone # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example_test_zone, timeout=200 ), "Zone %s is not signed after migration (replica)" % example_test_zone # test if dnskey are the same dnskey_new = resolve_with_dnssec(self.master.ip, example_test_zone, rtype="DNSKEY").rrset assert dnskey_old == dnskey_new, "DNSKEY should be the same" # add test zone dnszone_add_dnssec(self.replicas[0], example2_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example2_test_zone, timeout=100 ), ("Zone %s is not signed after migration (replica - dnssec master)" % example2_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example2_test_zone, timeout=200), ("Zone %s is not signed after migration (master)" % example2_test_zone) # add new replica tasks.install_replica(self.master, self.replicas[1], setup_dns=True) # test if originial zones are signed on new replica # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example_test_zone, timeout=200), ("Zone %s is not signed (new replica)" % example_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example2_test_zone, timeout=200), ("Zone %s is not signed (new replica)" % example2_test_zone) # add new zone to new replica dnszone_add_dnssec(self.replicas[0], example3_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example3_test_zone, timeout=200), ("Zone %s is not signed (new replica)" % example3_test_zone) assert wait_until_record_is_signed( self.replicas[0].ip, example3_test_zone, timeout=200), ("Zone %s is not signed (replica)" % example3_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example3_test_zone, timeout=200), ("Zone %s is not signed (master)" % example3_test_zone)
def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def install(cls, mh): tasks.install_master(cls.master) tasks.install_replica(cls.master, cls.replicas[0])
def test_full_backup_and_restore_with_replica(self, cert_sign_request): # check prerequisites self.check_replication_success(self.master) self.check_replication_success(self.replica1) self.master.run_command( ['ipa', 'service-add', 'TEST/' + self.master.hostname]) tasks.user_add(self.master, 'test1_master') tasks.user_add(self.replica1, 'test1_replica') with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) # change data after backup self.master.run_command(['ipa', 'user-del', 'test1_master']) self.replica1.run_command(['ipa', 'user-del', 'test1_replica']) tasks.user_add(self.master, 'test2_master') tasks.user_add(self.replica1, 'test2_replica') # simulate master crash self.master.run_command(['ipactl', 'stop']) tasks.uninstall_master(self.master, clean=False) logger.info("Stopping and disabling oddjobd service") self.master.run_command([ "systemctl", "stop", "oddjobd" ]) self.master.run_command([ "systemctl", "disable", "oddjobd" ]) self.master.run_command(['ipa-restore', '-U', backup_path]) status = self.master.run_command([ "systemctl", "status", "oddjobd" ]) assert "active (running)" in status.stdout_text # replication should not work after restoration # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test3_master') tasks.user_add(self.replica1, 'test3_replica') self.check_replication_error(self.master) self.check_replication_error(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \ self.get_users(self.master) assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \ self.get_users(self.replica1) # reestablish and check replication self.replica1.run_command(['ipa-replica-manage', 're-initialize', '--from', self.master.hostname]) # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test4_master') tasks.user_add(self.replica1, 'test4_replica') self.check_replication_success(self.master) self.check_replication_success(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.master) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.replica1) # CA on master should be accesible from master and replica self.request_test_service_cert( self.master, cert_sign_request[self.master.hostname]) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) # replica should not be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname], expect_connection_error=True) finally: self.master.run_command(['ipactl', 'start']) tasks.install_ca(self.replica1) # now replica should be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) self.master.run_command(['ipactl', 'start']) # check installation of new replica tasks.install_replica(self.master, self.replica2, setup_ca=True) check_replication(self.master, self.replica2, "testuser") # new replica should be able to sign certificates without CA on master # and old replica self.master.run_command(['ipactl', 'stop']) self.replica1.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica2, cert_sign_request[self.replica2.hostname]) finally: self.replica1.run_command(['ipactl', 'start']) self.master.run_command(['ipactl', 'start'])
def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def test_replica1_with_ca_install(self): tasks.install_replica(self.master, self.replicas[1], setup_ca=True)
def test_replica2_with_dns_install(self): tasks.install_replica(self.master, self.replicas[2], setup_ca=False, setup_dns=True)
def test_customized_ds_install_replica(self): tasks.install_replica( self.master, self.replicas[0], setup_ca=False, extra_args=['--dirsrv-config-file', CONFIG_LDIF_PATH])
def test_replica0_ca_less_install(self): tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
def test_customized_ds_install_replica(self): tasks.install_replica( self.master, self.replicas[0], setup_ca=False, extra_args=['--dirsrv-config-file', CONFIG_LDIF_PATH])
def test_replica2_with_ca_kra_install(self): tasks.install_replica(self.master, self.replicas[2], setup_ca=True, setup_kra=True)
def test_replica2_with_dns_install(self): tasks.install_replica(self.master, self.replicas[2], setup_ca=False, setup_dns=True)
def install_replica(self, replica, **kwargs): tasks.install_replica(self.master, replica, setup_adtrust=True, **kwargs)
def test_migrate_dnssec_master(self): """Both master and replica have DNS installed""" backup_filename = "/var/lib/ipa/ipa-kasp.db.backup" replica_backup_filename = "/tmp/ipa-kasp.db.backup" # add test zone dnszone_add_dnssec(self.master, example_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, timeout=100 ), "Zone %s is not signed (master)" % example_test_zone # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example_test_zone, timeout=200 ), "Zone %s is not signed (replica)" % example_test_zone dnskey_old = resolve_with_dnssec(self.master.ip, example_test_zone, rtype="DNSKEY").rrset # migrate dnssec master to replica args = [ "ipa-dns-install", "--disable-dnssec-master", "--forwarder", self.master.config.dns_forwarder, "--force", "-U", ] self.master.run_command(args) # move content of "ipa-kasp.db.backup" to replica kasp_db_backup = self.master.get_file_contents(backup_filename) self.replicas[0].put_file_contents(replica_backup_filename, kasp_db_backup) args = [ "ipa-dns-install", "--dnssec-master", "--kasp-db", replica_backup_filename, "--forwarder", self.master.config.dns_forwarder, "-U", ] self.replicas[0].run_command(args) # Enable the dns service in the firewall on the replica Firewall(self.replicas[0]).enable_services(["dns"]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, timeout=100 ), "Zone %s is not signed after migration (master)" % example_test_zone # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example_test_zone, timeout=200 ), "Zone %s is not signed after migration (replica)" % example_test_zone # test if dnskey are the same dnskey_new = resolve_with_dnssec(self.master.ip, example_test_zone, rtype="DNSKEY").rrset assert dnskey_old == dnskey_new, "DNSKEY should be the same" # add test zone dnszone_add_dnssec(self.replicas[0], example2_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example2_test_zone, timeout=100 ), ("Zone %s is not signed after migration (replica - dnssec master)" % example2_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example2_test_zone, timeout=200 ), ("Zone %s is not signed after migration (master)" % example2_test_zone) # add new replica tasks.install_replica(self.master, self.replicas[1], setup_dns=True) # test if originial zones are signed on new replica # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example_test_zone, timeout=200 ), ("Zone %s is not signed (new replica)" % example_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example2_test_zone, timeout=200 ), ("Zone %s is not signed (new replica)" % example2_test_zone) # add new zone to new replica dnszone_add_dnssec(self.replicas[0], example3_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example3_test_zone, timeout=200 ), ("Zone %s is not signed (new replica)" % example3_test_zone) assert wait_until_record_is_signed( self.replicas[0].ip, example3_test_zone, timeout=200 ), ("Zone %s is not signed (replica)" % example3_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example3_test_zone, timeout=200 ), ("Zone %s is not signed (master)" % example3_test_zone)
def test_replica0_with_ca_kra_dns_install(self): tasks.install_replica(self.master, self.replicas[0], setup_ca=True, setup_kra=True, setup_dns=True)
def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = backup(master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) tf = NamedTemporaryFile() ldif_file = tf.name entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) master.put_file_contents(ldif_file, entry_ldif) # disable replication agreement arg = ['ldapmodify', '-h', master.hostname, '-p', '389', '-D', str(master.config.dirman_dn), # pylint: disable=no-member '-w', master.config.dirman_password, '-f', ldif_file] master.run_command(arg) # uninstall master. tasks.uninstall_master(master) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")