def teardown_method(self, method): """ Uninstall ipa-server, ipa-replica and ipa-client """ tasks.uninstall_client(self.client) tasks.uninstall_master(self.replica) tasks.uninstall_master(self.master)
def cleanup(self): nfssrv = self.clients[0] nfsclt = self.replicas[0] automntclt = self.replicas[1] nfsclt.run_command(["umount", "-a", "-t", "nfs4"]) nfsclt.run_command(["systemctl", "stop", "rpc-gssd"]) nfssrv.run_command(["systemctl", "stop", "nfs-server"]) nfssrv.run_command(["systemctl", "disable", "nfs-server"]) nfssrv.run_command([ "rm", "-f", "/etc/exports.d/krbnfs.exports", "/etc/exports.d/stdnfs.exports" ]) nfssrv.run_command(["rm", "-rf", "/exports"]) tasks.uninstall_client(nfsclt) tasks.uninstall_client(nfssrv) self.master.run_command( ["ipa", "host-mod", automntclt.hostname, "--location", "''"]) # not strictly necessary, but this exercises automountlocation-del self.master.run_command(["ipa", "automountlocation-del", "seattle"]) nfsclt.run_command(["systemctl", "restart", "nfs-utils"]) nfssrv.run_command(["systemctl", "restart", "nfs-utils"]) for client in (nfssrv, nfsclt, automntclt): self.restore_resolv_conf(client) tasks.uninstall_master(self.master)
def test_replica_promotion_with_ntp_options(self): """ test to verify that replica promotion with ntp --ntp-server, --ntp-pool and -N or --no-ntp option would fail """ ntp_server = "1.pool.ntp.org" ntp_pool = "pool.ntp.org" exp_str = "NTP configuration cannot be updated during promotion" tasks.install_master(self.master, setup_dns=False) tasks.install_client(self.master, self.replica) try: replica_install = self.replica.run_command( ['ipa-replica-install', '-N'], raiseonerr=False) assert replica_install.returncode == 1 assert exp_str in replica_install.stderr_text replica_install = self.replica.run_command( ['ipa-replica-install', '--ntp-server=%s' % ntp_server], raiseonerr=False) assert replica_install.returncode == 1 assert exp_str in replica_install.stderr_text replica_install = self.replica.run_command( ['ipa-replica-install', '--ntp-pool=%s' % ntp_pool], raiseonerr=False) assert replica_install.returncode == 1 assert exp_str in replica_install.stderr_text finally: tasks.uninstall_master(self.replica) self.cleanup()
def test_replica_uninstall_deletes_ruvs(self): """ http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan #Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended _to_handle_CA-specific_RUVs """ master = self.master replica = self.replicas[1] res1 = master.run_command([ 'ipa-replica-manage', 'list-ruv', '-p', master.config.dirman_password ]).stdout_text assert (res1.count(replica.hostname) == 2), ( "Did not find proper number of replica hostname (%s) occurrencies" " in the command output: %s" % (replica.hostname, res1)) master.run_command([ 'ipa-replica-manage', 'del', replica.hostname, '-p', master.config.dirman_password ]) tasks.uninstall_master(replica) res2 = master.run_command([ 'ipa-replica-manage', 'list-ruv', '-p', master.config.dirman_password ]).stdout_text assert (replica.hostname not in res2), ( "Replica RUVs were not clean during replica uninstallation")
def test_install_with_bad_ldap_conf(self): """ Test a client install with a non standard ldap.config https://pagure.io/freeipa/issue/7418 """ ldap_conf = paths.OPENLDAP_LDAP_CONF base_dn = self.master.domain.basedn # pylint: disable=no-member client = self.replicas[0] tasks.uninstall_master(client) expected_msg1 = "contains deprecated and unsupported " \ "entries: HOST, PORT" file_backup = client.get_file_contents(ldap_conf, encoding='utf-8') constants = "URI ldaps://{}\nBASE {}\nHOST {}\nPORT 636".format( self.master.hostname, base_dn, self.master.hostname) modifications = "{}\n{}".format(file_backup, constants) client.put_file_contents(paths.OPENLDAP_LDAP_CONF, modifications) result = client.run_command(['ipa-client-install', '-U', '--domain', client.domain.name, '--realm', client.domain.realm, '-p', client.config.admin_name, '-w', client.config.admin_password, '--server', self.master.hostname], raiseonerr=False) assert expected_msg1 in result.stderr_text client.put_file_contents(ldap_conf, file_backup)
def test_install_with_bad_ldap_conf(self): """ Test a client install with a non standard ldap.config https://pagure.io/freeipa/issue/7418 """ ldap_conf = paths.OPENLDAP_LDAP_CONF base_dn = self.master.domain.basedn # pylint: disable=no-member client = self.replicas[0] tasks.uninstall_master(client) expected_msg1 = "contains deprecated and unsupported " \ "entries: HOST, PORT" file_backup = client.get_file_contents(ldap_conf, encoding='utf-8') constants = "URI ldaps://{}\nBASE {}\nHOST {}\nPORT 636".format( self.master.hostname, base_dn, self.master.hostname) modifications = "{}\n{}".format(file_backup, constants) client.put_file_contents(paths.OPENLDAP_LDAP_CONF, modifications) result = client.run_command([ 'ipa-client-install', '-U', '--domain', client.domain.name, '--realm', client.domain.realm, '-p', client.config.admin_name, '-w', client.config.admin_password, '--server', self.master.hostname ], raiseonerr=False) assert expected_msg1 in result.stderr_text client.put_file_contents(ldap_conf, file_backup)
def uninstall(cls, mh): # For this test, we need to uninstall DNSSEC master last # Find which server is DNSSec master result = cls.master.run_command(["ipa", "config-show"]).stdout_text matches = list(re.finditer('IPA DNSSec key master: (.*)', result)) if len(matches) == 1: # Found the DNSSec master dnssec_master_hostname = matches[0].group(1) for replica in cls.replicas + [cls.master]: if replica.hostname == dnssec_master_hostname: dnssec_master = replica else: # By default consider that the master is DNSSEC dnssec_master = cls.master for replica in cls.replicas + [cls.master]: if replica == dnssec_master: # Skip this one continue try: tasks.run_server_del(dnssec_master, replica.hostname, force=True, ignore_topology_disconnect=True, ignore_last_of_role=True) except subprocess.CalledProcessError: # If the master has already been uninstalled, # this call may fail pass tasks.uninstall_master(replica) tasks.uninstall_master(dnssec_master)
def fin(): """ Uninstall ipa-server, ipa-replica and ipa-client """ tasks.uninstall_client(self.client) tasks.uninstall_master(self.replica) tasks.uninstall_master(self.master)
def expire_cert_critical(): """ Fixture to expire the certs by moving the system date using date -s command and revert it back """ hosts = dict() def _expire_cert_critical(host, setup_kra=False): hosts['host'] = host # Do not install NTP as the test plays with the date tasks.install_master(host, setup_dns=False, extra_args=['--no-ntp']) if setup_kra: tasks.install_kra(host) # move date to expire certs tasks.move_date(host, 'stop', '+3Years+1day') yield _expire_cert_critical host = hosts.pop('host') # Prior to uninstall remove all the cert tracking to prevent # errors from certmonger trying to check the status of certs # that don't matter because we are uninstalling. host.run_command(['systemctl', 'stop', 'certmonger']) host.run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*']) tasks.uninstall_master(host) tasks.move_date(host, 'start', '-3Years-1day')
def test_replica_uninstall_deletes_ruvs(self): """ http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan #Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended _to_handle_CA-specific_RUVs """ master = self.master replica = self.replicas[1] res1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p', master.config.dirman_password]).stdout_text assert(res1.count(replica.hostname) == 2), ( "Did not find proper number of replica hostname (%s) occurrencies" " in the command output: %s" % (replica.hostname, res1)) master.run_command(['ipa-replica-manage', 'del', replica.hostname, '-p', master.config.dirman_password]) tasks.uninstall_master(replica) # ipa-replica-manage del launches a clean-ruv task which is # ASYNCHRONOUS # wait for the task to finish before checking list-ruv tasks.wait_for_cleanallruv_tasks(self.master.ldap_connect()) res2 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p', master.config.dirman_password]).stdout_text assert(replica.hostname not in res2), ( "Replica RUVs were not clean during replica uninstallation")
def test_ipa_certs_check_ipacertnsstrust(self): """ Test checks the output for IPACertNSSTrust when kra is installed on the IPA system using ipa-kra-install """ cmd = tasks.install_kra(self.master) assert cmd.returncode == 0 tasks.install_packages(self.master, HEALTHCHECK_PKG) self.master.run_command( [ "ipa-healthcheck", "--source", "ipahealthcheck.ipa.certs", "--check", "IPACertNSSTrust", "--output-file", HEALTHCHECK_OUTPUT_FILE, ], raiseonerr=False, ) contents = self.master.get_file_contents(HEALTHCHECK_OUTPUT_FILE, encoding="utf-8") data = json.loads(contents) for check in data: assert check["result"] == "SUCCESS" assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS) tasks.uninstall_master(self.master)
def cleanup(self): nfssrv = self.clients[0] nfsclt = self.replicas[0] automntclt = self.replicas[1] nfsclt.run_command(["umount", "-a", "-t", "nfs4"]) nfsclt.run_command(["systemctl", "stop", "rpc-gssd"]) nfssrv.run_command(["systemctl", "stop", "nfs-server"]) nfssrv.run_command(["systemctl", "disable", "nfs-server"]) nfssrv.run_command([ "rm", "-f", "/etc/exports.d/krbnfs.exports", "/etc/exports.d/stdnfs.exports" ]) nfssrv.run_command(["rm", "-rf", "/exports"]) tasks.uninstall_client(nfsclt) tasks.uninstall_client(nfssrv) self.master.run_command([ "ipa", "host-mod", automntclt.hostname, "--location", "''" ]) # not strictly necessary, but this exercises automountlocation-del self.master.run_command([ "ipa", "automountlocation-del", "seattle" ]) nfsclt.run_command(["systemctl", "restart", "nfs-utils"]) nfssrv.run_command(["systemctl", "restart", "nfs-utils"]) for client in (nfssrv, nfsclt, automntclt): self.restore_resolv_conf(client) tasks.uninstall_master(self.master)
def test_replica_install_against_server_without_ca(self): """Replica install will fail complaining about CA role and exit code 4""" # stop custodia service on replica1 self.replicas[0].run_command('systemctl stop ipa-custodia.service') # check if custodia service is stopped cmd = self.replicas[0].run_command('ipactl status') assert 'ipa-custodia Service: STOPPED' in cmd.stdout_text try: # install replica2 against replica1, as CA is not installed on # replica1, installation on replica2 should fail cmd = tasks.install_replica(self.replicas[0], self.replicas[1], promote=False, raiseonerr=False) assert cmd.returncode == 4 error = "please provide a server with the CA role" assert error in cmd.stderr_text finally: tasks.uninstall_master(self.replicas[1], ignore_topology_disconnect=True, ignore_last_of_role=True)
def teardown_method(self, method): """ Uninstall ipa-server, ipa-replica and ipa-client """ tasks.uninstall_client(self.client) tasks.uninstall_master(self.replica) tasks.uninstall_master(self.master)
def test_uninstall_with_subid(self): """ Test server uninstallation when --subid option was configured """ # uninstall must revert to the preconfigured profile tasks.uninstall_master(self.master) check_authselect_profile( self.master, preconfigured_profile, preconfigured_options)
def test_automatic_renewal_master_transfer_ondelete(self): # Test that after replica uninstallation, master overtakes the cert # renewal master role from replica (which was previously set there) tasks.uninstall_master(self.replicas[0]) result = self.master.run_command(['ipa', 'config-show']).stdout_text assert("IPA CA renewal master: %s" % self.master.hostname in result), ( "Master hostname not found among CA renewal masters" )
def test_uninstall(self): """ Test server uninstallation when a different profile was present before server installation """ # uninstall must revert to the preconfigured profile tasks.uninstall_master(self.master) check_authselect_profile(self.master, preconfigured_profile, preconfigured_options)
def wrapped(*args): master = args[0].master create_broken_resolv_conf(master) try: func(*args) finally: tasks.uninstall_master(master, clean=False) restore_resolv_conf(master) ipa_certs_cleanup(master)
def wrapped(*args): master = args[0].master create_broken_resolv_conf(master) try: func(*args) finally: tasks.uninstall_master(master, clean=False) restore_resolv_conf(master) ipa_certs_cleanup(master)
def expire_ca_cert(self): tasks.install_master(self.master, setup_dns=False, extra_args=['--no-ntp']) tasks.move_date(self.master, 'stop', '+20Years+1day') yield tasks.uninstall_master(self.master) tasks.move_date(self.master, 'start', '-20Years-1day')
def test_uninstall_server_without_dns(self): """Test if server setup without dns uninstall properly IPA server uninstall was failing if dns was not setup. This test check if it uninstalls properly. related: https://pagure.io/freeipa/issue/8630 """ tasks.uninstall_master(self.master)
def test_setup_teardown(self): tasks.install_master(self.master, setup_dns=True) tasks.install_replica(self.master, self.replicas[0], setup_ca=False) yield tasks.uninstall_replica(self.master, self.replicas[0]) tasks.uninstall_master(self.master)
def test_uninstall(self): """ Test server uninstallation when a different profile was present before server installation """ # uninstall must revert to the preconfigured profile tasks.uninstall_master(self.master) check_authselect_profile( self.master, preconfigured_profile, preconfigured_options)
def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = tasks.get_backup_dir(self.master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) # disable replication agreement tasks.ldapmodify_dm(master, entry_ldif) # uninstall master. tasks.uninstall_master(master, clean=False) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")
def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = backup(master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) # disable replication agreement tasks.ldapmodify_dm(master, entry_ldif) # uninstall master. tasks.uninstall_master(master, clean=False) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")
def test_setup_teardown(self): tasks.install_master(self.master, setup_dns=True) tasks.install_replica(self.master, self.replicas[0], setup_ca=False) tasks.config_host_resolvconf_with_master_data(self.master, self.replicas[0]) yield tasks.uninstall_replica(self.master, self.replicas[0]) tasks.uninstall_master(self.master)
def expire_certs(self): # move system date to expire certs for host in self.master, self.replicas[0]: tasks.move_date(host, 'stop', '+3years+1days') yield # move date back on replica and master for host in self.replicas[0], self.master: tasks.uninstall_master(host) tasks.move_date(host, 'start', '-3years-1days')
def test_ignore_topology_disconnect_replica2(self): """ tests that removal of replica2 with '--ignore-topology-disconnect' destroys master for good with verbose option for uninstallation """ check_master_removal(self.client, self.replica2.hostname, ignore_topology_disconnect=True) # reinstall the replica tasks.uninstall_master(self.replica2, verbose=True) tasks.install_replica(self.master, self.replica2, setup_ca=True)
def test_ignore_topology_disconnect_replica1(self): """ tests that removal of replica1 with '--ignore-topology-disconnect' destroys master for good """ check_master_removal(self.client, self.replica1.hostname, ignore_topology_disconnect=True) # reinstall the replica tasks.uninstall_master(self.replica1) tasks.install_replica(self.master, self.replica1, setup_ca=True)
def test_ignore_topology_disconnect_replica1(self): """ tests that removal of replica1 with '--ignore-topology-disconnect' destroys master for good """ check_master_removal( self.client, self.replica1.hostname, ignore_topology_disconnect=True ) # reinstall the replica tasks.uninstall_master(self.replica1) tasks.install_replica(self.master, self.replica1, setup_ca=True)
def expire_cert_critical(self): """ Fixture to expire the certs by moving the system date using date -s command and revert it back """ # Do not install NTP as the test plays with the date tasks.install_master(self.master, setup_dns=False, extra_args=['--no-ntp']) self.master.run_command(['systemctl', 'stop', 'chronyd']) self.master.run_command(['date','-s', '+3Years+1day']) yield tasks.uninstall_master(self.master) self.master.run_command(['date','-s', '-3Years-1day']) self.master.run_command(['systemctl', 'start', 'chronyd'])
def test_ignore_topology_disconnect_replica2(self): """ tests that removal of replica2 with '--ignore-topology-disconnect' destroys master for good with verbose option for uninstallation """ check_master_removal( self.client, self.replica2.hostname, ignore_topology_disconnect=True ) # reinstall the replica tasks.uninstall_master(self.replica2, verbose=True) tasks.install_replica(self.master, self.replica2, setup_ca=True)
def uninstall(cls, mh): for replica in cls.replicas: try: tasks.run_server_del(cls.master, replica.hostname, force=True, ignore_topology_disconnect=True, ignore_last_of_role=True) except subprocess.CalledProcessError: # If the master has already been uninstalled, # this call may fail pass tasks.uninstall_master(replica) tasks.uninstall_master(cls.master) for client in cls.clients: tasks.uninstall_client(client) if cls.fips_mode: cls.disable_fips_mode()
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text segment_name = self.segmentnames_re.findall(result1)[0] assert (self.master.hostname in segment_name), ( "Segment %s does not contain master hostname" % segment_name) assert (self.replicas[0].hostname in segment_name), ( "Segment %s does not contain replica hostname" % segment_name) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert (len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. # first step of uninstallation is removal of the replica on other # master, then it can be uninstalled. Doing it the other way is also # possible, but not reliable - some data might not be replicated. tasks.clean_replication_agreement(self.master, self.replicas[1]) tasks.uninstall_master(self.replicas[1]) result5 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert (num_entries == "1"), "Incorrect number of entries displayed"
def test_ipa_certs_check_ipacertnsstrust(self): """ Test checks the output for IPACertNSSTrust when kra is installed on the IPA system using ipa-kra-install """ cmd = tasks.install_kra(self.master) assert cmd.returncode == 0 tasks.install_packages(self.master, HEALTHCHECK_PKG) returncode, data = run_healthcheck( self.master, "ipahealthcheck.ipa.certs", "IPACertNSSTrust", ) assert returncode == 0 for check in data: assert check["result"] == "SUCCESS" assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS) tasks.uninstall_master(self.master)
def test_replica_install_against_server_without_kra(self): """Replica install will fail complaining about KRA role and exit code 4""" # install ca on replica1 tasks.install_ca(self.replicas[0]) try: # install replica2 against replica1, as KRA is not installed on # replica1(CA installed), installation should fail on replica2 cmd = tasks.install_replica(self.replicas[0], self.replicas[1], promote=False, setup_kra=True, raiseonerr=False) assert cmd.returncode == 4 error = "please provide a server with the KRA role" assert error in cmd.stderr_text finally: tasks.uninstall_master(self.replicas[1], ignore_topology_disconnect=True, ignore_last_of_role=True)
def test_hidden_replica_backup_and_restore(self): """Exercises backup+restore and hidden replica uninstall """ self._check_server_role(self.replicas[0], 'hidden') # backup backup_path = backup(self.replicas[0]) # uninstall tasks.uninstall_master(self.replicas[0]) # restore dirman_password = self.master.config.dirman_password self.replicas[0].run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # give replication some time time.sleep(5) tasks.kinit_admin(self.replicas[0]) # FIXME: restore turns hidden replica into enabled replica self._check_config([self.master, self.replicas[0]]) self._check_server_role(self.replicas[0], 'enabled')
def test_hidden_replica_backup_and_restore(self): """Exercises backup+restore and hidden replica uninstall """ self._check_server_role(self.replicas[0], 'hidden') # backup backup_path = tasks.get_backup_dir(self.replicas[0]) # uninstall tasks.uninstall_master(self.replicas[0]) # restore dirman_password = self.master.config.dirman_password self.replicas[0].run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.kinit_admin(self.master) tasks.kinit_admin(self.replicas[0]) # restore turns a hidden replica into an enabled replica # https://pagure.io/freeipa/issue/7894 self._check_config([self.master, self.replicas[0]]) self._check_server_role(self.replicas[0], 'enabled')
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text segment_name = self.segmentnames_re.findall(result1)[0] assert(self.master.hostname in segment_name), ( "Segment %s does not contain master hostname" % segment_name) assert(self.replicas[0].hostname in segment_name), ( "Segment %s does not contain replica hostname" % segment_name) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert(len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. # first step of uninstallation is removal of the replica on other # master, then it can be uninstalled. Doing it the other way is also # possible, but not reliable - some data might not be replicated. tasks.clean_replication_agreement(self.master, self.replicas[1]) tasks.uninstall_master(self.replicas[1]) result5 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_replica_promotion_without_ntp(self): """ test to verify that replica promotion without ntp options - ipa-client install with ntp option - ipa-replica without ntp option will be successful """ ntp_pool = "pool.ntp.org" exp_str = "ipa-replica-install command was successful" tasks.install_master(self.master, setup_dns=False) tasks.install_client(self.master, self.replica, extra_args=['--ntp-pool=%s' % ntp_pool]) replica_install = self.replica.run_command(['ipa-replica-install'], raiseonerr=False) assert exp_str in replica_install.stderr_text cmd = self.replica.run_command(['cat', paths.CHRONY_CONF]) assert ntp_pool in cmd.stdout_text tasks.uninstall_master(self.replica)
def uninstall(cls, mh): tasks.uninstall_master(cls.master) for replica in cls.replicas: tasks.uninstall_master(replica) for client in cls.clients: tasks.uninstall_client(client)
def test_full_backup_and_restore_with_replica(self, cert_sign_request): # check prerequisites self.check_replication_success(self.master) self.check_replication_success(self.replica1) self.master.run_command( ['ipa', 'service-add', 'TEST/' + self.master.hostname]) tasks.user_add(self.master, 'test1_master') tasks.user_add(self.replica1, 'test1_replica') with restore_checker(self.master): backup_path = backup(self.master) # change data after backup self.master.run_command(['ipa', 'user-del', 'test1_master']) self.replica1.run_command(['ipa', 'user-del', 'test1_replica']) tasks.user_add(self.master, 'test2_master') tasks.user_add(self.replica1, 'test2_replica') # simulate master crash self.master.run_command(['ipactl', 'stop']) tasks.uninstall_master(self.master, clean=False) logger.info("Stopping and disabling oddjobd service") self.master.run_command([ "systemctl", "stop", "oddjobd" ]) self.master.run_command([ "systemctl", "disable", "oddjobd" ]) self.master.run_command(['ipa-restore', '-U', backup_path]) status = self.master.run_command([ "systemctl", "status", "oddjobd" ]) assert "active (running)" in status.stdout_text # replication should not work after restoration # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test3_master') tasks.user_add(self.replica1, 'test3_replica') self.check_replication_error(self.master) self.check_replication_error(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \ self.get_users(self.master) assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \ self.get_users(self.replica1) # reestablish and check replication self.replica1.run_command(['ipa-replica-manage', 're-initialize', '--from', self.master.hostname]) # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test4_master') tasks.user_add(self.replica1, 'test4_replica') self.check_replication_success(self.master) self.check_replication_success(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.master) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.replica1) # CA on master should be accesible from master and replica self.request_test_service_cert( self.master, cert_sign_request[self.master.hostname]) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) # replica should not be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname], expect_connection_error=True) finally: self.master.run_command(['ipactl', 'start']) tasks.install_ca(self.replica1) # now replica should be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) self.master.run_command(['ipactl', 'start']) # check installation of new replica tasks.install_replica(self.master, self.replica2, setup_ca=True) check_replication(self.master, self.replica2, "testuser") # new replica should be able to sign certificates without CA on master # and old replica self.master.run_command(['ipactl', 'stop']) self.replica1.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica2, cert_sign_request[self.replica2.hostname]) finally: self.replica1.run_command(['ipactl', 'start']) self.master.run_command(['ipactl', 'start'])