def teardown_method(self, method):
"""
Uninstall ipa-server, ipa-replica and ipa-client
"""
tasks.uninstall_client(self.client)
tasks.uninstall_master(self.replica)
tasks.uninstall_master(self.master)
def cleanup(self):
nfssrv = self.clients[0]
nfsclt = self.replicas[0]
automntclt = self.replicas[1]
nfsclt.run_command(["umount", "-a", "-t", "nfs4"])
nfsclt.run_command(["systemctl", "stop", "rpc-gssd"])
nfssrv.run_command(["systemctl", "stop", "nfs-server"])
nfssrv.run_command(["systemctl", "disable", "nfs-server"])
nfssrv.run_command([
"rm", "-f", "/etc/exports.d/krbnfs.exports",
"/etc/exports.d/stdnfs.exports"
])
nfssrv.run_command(["rm", "-rf", "/exports"])
tasks.uninstall_client(nfsclt)
tasks.uninstall_client(nfssrv)
self.master.run_command(
["ipa", "host-mod", automntclt.hostname, "--location", "''"])
# not strictly necessary, but this exercises automountlocation-del
self.master.run_command(["ipa", "automountlocation-del", "seattle"])
nfsclt.run_command(["systemctl", "restart", "nfs-utils"])
nfssrv.run_command(["systemctl", "restart", "nfs-utils"])
for client in (nfssrv, nfsclt, automntclt):
self.restore_resolv_conf(client)
tasks.uninstall_master(self.master)
def test_replica_promotion_with_ntp_options(self):
"""
test to verify that replica promotion with ntp --ntp-server,
--ntp-pool and -N or --no-ntp option would fail
"""
ntp_server = "1.pool.ntp.org"
ntp_pool = "pool.ntp.org"
exp_str = "NTP configuration cannot be updated during promotion"
tasks.install_master(self.master, setup_dns=False)
tasks.install_client(self.master, self.replica)
try:
replica_install = self.replica.run_command(
['ipa-replica-install', '-N'], raiseonerr=False)
assert replica_install.returncode == 1
assert exp_str in replica_install.stderr_text
replica_install = self.replica.run_command(
['ipa-replica-install',
'--ntp-server=%s' % ntp_server],
raiseonerr=False)
assert replica_install.returncode == 1
assert exp_str in replica_install.stderr_text
replica_install = self.replica.run_command(
['ipa-replica-install',
'--ntp-pool=%s' % ntp_pool],
raiseonerr=False)
assert replica_install.returncode == 1
assert exp_str in replica_install.stderr_text
finally:
tasks.uninstall_master(self.replica)
self.cleanup()
def test_replica_uninstall_deletes_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended
_to_handle_CA-specific_RUVs
"""
master = self.master
replica = self.replicas[1]
res1 = master.run_command([
'ipa-replica-manage', 'list-ruv', '-p',
master.config.dirman_password
]).stdout_text
assert (res1.count(replica.hostname) == 2), (
"Did not find proper number of replica hostname (%s) occurrencies"
" in the command output: %s" % (replica.hostname, res1))
master.run_command([
'ipa-replica-manage', 'del', replica.hostname, '-p',
master.config.dirman_password
])
tasks.uninstall_master(replica)
res2 = master.run_command([
'ipa-replica-manage', 'list-ruv', '-p',
master.config.dirman_password
]).stdout_text
assert (replica.hostname not in res2), (
"Replica RUVs were not clean during replica uninstallation")
def test_install_with_bad_ldap_conf(self):
"""
Test a client install with a non standard ldap.config
https://pagure.io/freeipa/issue/7418
"""
ldap_conf = paths.OPENLDAP_LDAP_CONF
base_dn = self.master.domain.basedn # pylint: disable=no-member
client = self.replicas[0]
tasks.uninstall_master(client)
expected_msg1 = "contains deprecated and unsupported " \
"entries: HOST, PORT"
file_backup = client.get_file_contents(ldap_conf, encoding='utf-8')
constants = "URI ldaps://{}\nBASE {}\nHOST {}\nPORT 636".format(
self.master.hostname, base_dn,
self.master.hostname)
modifications = "{}\n{}".format(file_backup, constants)
client.put_file_contents(paths.OPENLDAP_LDAP_CONF, modifications)
result = client.run_command(['ipa-client-install', '-U',
'--domain', client.domain.name,
'--realm', client.domain.realm,
'-p', client.config.admin_name,
'-w', client.config.admin_password,
'--server', self.master.hostname],
raiseonerr=False)
assert expected_msg1 in result.stderr_text
client.put_file_contents(ldap_conf, file_backup)
def test_install_with_bad_ldap_conf(self):
"""
Test a client install with a non standard ldap.config
https://pagure.io/freeipa/issue/7418
"""
ldap_conf = paths.OPENLDAP_LDAP_CONF
base_dn = self.master.domain.basedn # pylint: disable=no-member
client = self.replicas[0]
tasks.uninstall_master(client)
expected_msg1 = "contains deprecated and unsupported " \
"entries: HOST, PORT"
file_backup = client.get_file_contents(ldap_conf, encoding='utf-8')
constants = "URI ldaps://{}\nBASE {}\nHOST {}\nPORT 636".format(
self.master.hostname, base_dn, self.master.hostname)
modifications = "{}\n{}".format(file_backup, constants)
client.put_file_contents(paths.OPENLDAP_LDAP_CONF, modifications)
result = client.run_command([
'ipa-client-install', '-U', '--domain', client.domain.name,
'--realm', client.domain.realm, '-p', client.config.admin_name,
'-w', client.config.admin_password, '--server',
self.master.hostname
],
raiseonerr=False)
assert expected_msg1 in result.stderr_text
client.put_file_contents(ldap_conf, file_backup)
def uninstall(cls, mh):
# For this test, we need to uninstall DNSSEC master last
# Find which server is DNSSec master
result = cls.master.run_command(["ipa", "config-show"]).stdout_text
matches = list(re.finditer('IPA DNSSec key master: (.*)', result))
if len(matches) == 1:
# Found the DNSSec master
dnssec_master_hostname = matches[0].group(1)
for replica in cls.replicas + [cls.master]:
if replica.hostname == dnssec_master_hostname:
dnssec_master = replica
else:
# By default consider that the master is DNSSEC
dnssec_master = cls.master
for replica in cls.replicas + [cls.master]:
if replica == dnssec_master:
# Skip this one
continue
try:
tasks.run_server_del(dnssec_master,
replica.hostname,
force=True,
ignore_topology_disconnect=True,
ignore_last_of_role=True)
except subprocess.CalledProcessError:
# If the master has already been uninstalled,
# this call may fail
pass
tasks.uninstall_master(replica)
tasks.uninstall_master(dnssec_master)
def fin():
"""
Uninstall ipa-server, ipa-replica and ipa-client
"""
tasks.uninstall_client(self.client)
tasks.uninstall_master(self.replica)
tasks.uninstall_master(self.master)
def expire_cert_critical():
"""
Fixture to expire the certs by moving the system date using
date -s command and revert it back
"""
hosts = dict()
def _expire_cert_critical(host, setup_kra=False):
hosts['host'] = host
# Do not install NTP as the test plays with the date
tasks.install_master(host, setup_dns=False, extra_args=['--no-ntp'])
if setup_kra:
tasks.install_kra(host)
# move date to expire certs
tasks.move_date(host, 'stop', '+3Years+1day')
yield _expire_cert_critical
host = hosts.pop('host')
# Prior to uninstall remove all the cert tracking to prevent
# errors from certmonger trying to check the status of certs
# that don't matter because we are uninstalling.
host.run_command(['systemctl', 'stop', 'certmonger'])
host.run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*'])
tasks.uninstall_master(host)
tasks.move_date(host, 'start', '-3Years-1day')
def test_replica_uninstall_deletes_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended
_to_handle_CA-specific_RUVs
"""
master = self.master
replica = self.replicas[1]
res1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
master.config.dirman_password]).stdout_text
assert(res1.count(replica.hostname) == 2), (
"Did not find proper number of replica hostname (%s) occurrencies"
" in the command output: %s" % (replica.hostname, res1))
master.run_command(['ipa-replica-manage', 'del', replica.hostname,
'-p', master.config.dirman_password])
tasks.uninstall_master(replica)
# ipa-replica-manage del launches a clean-ruv task which is
# ASYNCHRONOUS
# wait for the task to finish before checking list-ruv
tasks.wait_for_cleanallruv_tasks(self.master.ldap_connect())
res2 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
master.config.dirman_password]).stdout_text
assert(replica.hostname not in res2), (
"Replica RUVs were not clean during replica uninstallation")
def test_ipa_certs_check_ipacertnsstrust(self):
"""
Test checks the output for IPACertNSSTrust when kra is installed
on the IPA system using ipa-kra-install
"""
cmd = tasks.install_kra(self.master)
assert cmd.returncode == 0
tasks.install_packages(self.master, HEALTHCHECK_PKG)
self.master.run_command(
[
"ipa-healthcheck",
"--source",
"ipahealthcheck.ipa.certs",
"--check",
"IPACertNSSTrust",
"--output-file",
HEALTHCHECK_OUTPUT_FILE,
],
raiseonerr=False,
)
contents = self.master.get_file_contents(HEALTHCHECK_OUTPUT_FILE,
encoding="utf-8")
data = json.loads(contents)
for check in data:
assert check["result"] == "SUCCESS"
assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS
or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS)
tasks.uninstall_master(self.master)
def cleanup(self):
nfssrv = self.clients[0]
nfsclt = self.replicas[0]
automntclt = self.replicas[1]
nfsclt.run_command(["umount", "-a", "-t", "nfs4"])
nfsclt.run_command(["systemctl", "stop", "rpc-gssd"])
nfssrv.run_command(["systemctl", "stop", "nfs-server"])
nfssrv.run_command(["systemctl", "disable", "nfs-server"])
nfssrv.run_command([
"rm", "-f", "/etc/exports.d/krbnfs.exports",
"/etc/exports.d/stdnfs.exports"
])
nfssrv.run_command(["rm", "-rf", "/exports"])
tasks.uninstall_client(nfsclt)
tasks.uninstall_client(nfssrv)
self.master.run_command([
"ipa", "host-mod", automntclt.hostname,
"--location", "''"
])
# not strictly necessary, but this exercises automountlocation-del
self.master.run_command([
"ipa", "automountlocation-del", "seattle"
])
nfsclt.run_command(["systemctl", "restart", "nfs-utils"])
nfssrv.run_command(["systemctl", "restart", "nfs-utils"])
for client in (nfssrv, nfsclt, automntclt):
self.restore_resolv_conf(client)
tasks.uninstall_master(self.master)
def test_replica_install_against_server_without_ca(self):
"""Replica install will fail complaining about CA role
and exit code 4"""
# stop custodia service on replica1
self.replicas[0].run_command('systemctl stop ipa-custodia.service')
# check if custodia service is stopped
cmd = self.replicas[0].run_command('ipactl status')
assert 'ipa-custodia Service: STOPPED' in cmd.stdout_text
try:
# install replica2 against replica1, as CA is not installed on
# replica1, installation on replica2 should fail
cmd = tasks.install_replica(self.replicas[0],
self.replicas[1],
promote=False,
raiseonerr=False)
assert cmd.returncode == 4
error = "please provide a server with the CA role"
assert error in cmd.stderr_text
finally:
tasks.uninstall_master(self.replicas[1],
ignore_topology_disconnect=True,
ignore_last_of_role=True)
def teardown_method(self, method):
"""
Uninstall ipa-server, ipa-replica and ipa-client
"""
tasks.uninstall_client(self.client)
tasks.uninstall_master(self.replica)
tasks.uninstall_master(self.master)
def test_uninstall_with_subid(self):
"""
Test server uninstallation when --subid option was configured
"""
# uninstall must revert to the preconfigured profile
tasks.uninstall_master(self.master)
check_authselect_profile(
self.master, preconfigured_profile, preconfigured_options)
def test_automatic_renewal_master_transfer_ondelete(self):
# Test that after replica uninstallation, master overtakes the cert
# renewal master role from replica (which was previously set there)
tasks.uninstall_master(self.replicas[0])
result = self.master.run_command(['ipa', 'config-show']).stdout_text
assert("IPA CA renewal master: %s" % self.master.hostname in result), (
"Master hostname not found among CA renewal masters"
)
def test_uninstall(self):
"""
Test server uninstallation when a different profile was present
before server installation
"""
# uninstall must revert to the preconfigured profile
tasks.uninstall_master(self.master)
check_authselect_profile(self.master, preconfigured_profile,
preconfigured_options)
def wrapped(*args):
master = args[0].master
create_broken_resolv_conf(master)
try:
func(*args)
finally:
tasks.uninstall_master(master, clean=False)
restore_resolv_conf(master)
ipa_certs_cleanup(master)
def wrapped(*args):
master = args[0].master
create_broken_resolv_conf(master)
try:
func(*args)
finally:
tasks.uninstall_master(master, clean=False)
restore_resolv_conf(master)
ipa_certs_cleanup(master)
def expire_ca_cert(self):
tasks.install_master(self.master, setup_dns=False,
extra_args=['--no-ntp'])
tasks.move_date(self.master, 'stop', '+20Years+1day')
yield
tasks.uninstall_master(self.master)
tasks.move_date(self.master, 'start', '-20Years-1day')
def test_uninstall_server_without_dns(self):
"""Test if server setup without dns uninstall properly
IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls properly.
related: https://pagure.io/freeipa/issue/8630
"""
tasks.uninstall_master(self.master)
def test_setup_teardown(self):
tasks.install_master(self.master, setup_dns=True)
tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
yield
tasks.uninstall_replica(self.master, self.replicas[0])
tasks.uninstall_master(self.master)
def test_uninstall(self):
"""
Test server uninstallation when a different profile was present
before server installation
"""
# uninstall must revert to the preconfigured profile
tasks.uninstall_master(self.master)
check_authselect_profile(
self.master, preconfigured_profile, preconfigured_options)
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = tasks.get_backup_dir(self.master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_setup_teardown(self):
tasks.install_master(self.master, setup_dns=True)
tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
tasks.config_host_resolvconf_with_master_data(self.master,
self.replicas[0])
yield
tasks.uninstall_replica(self.master, self.replicas[0])
tasks.uninstall_master(self.master)
def expire_certs(self):
# move system date to expire certs
for host in self.master, self.replicas[0]:
tasks.move_date(host, 'stop', '+3years+1days')
yield
# move date back on replica and master
for host in self.replicas[0], self.master:
tasks.uninstall_master(host)
tasks.move_date(host, 'start', '-3years-1days')
def test_ignore_topology_disconnect_replica2(self):
"""
tests that removal of replica2 with '--ignore-topology-disconnect'
destroys master for good with verbose option for uninstallation
"""
check_master_removal(self.client,
self.replica2.hostname,
ignore_topology_disconnect=True)
# reinstall the replica
tasks.uninstall_master(self.replica2, verbose=True)
tasks.install_replica(self.master, self.replica2, setup_ca=True)
def test_ignore_topology_disconnect_replica1(self):
"""
tests that removal of replica1 with '--ignore-topology-disconnect'
destroys master for good
"""
check_master_removal(self.client,
self.replica1.hostname,
ignore_topology_disconnect=True)
# reinstall the replica
tasks.uninstall_master(self.replica1)
tasks.install_replica(self.master, self.replica1, setup_ca=True)
def test_ignore_topology_disconnect_replica1(self):
"""
tests that removal of replica1 with '--ignore-topology-disconnect'
destroys master for good
"""
check_master_removal(
self.client,
self.replica1.hostname,
ignore_topology_disconnect=True
)
# reinstall the replica
tasks.uninstall_master(self.replica1)
tasks.install_replica(self.master, self.replica1, setup_ca=True)
def expire_cert_critical(self):
"""
Fixture to expire the certs by moving the system date using
date -s command and revert it back
"""
# Do not install NTP as the test plays with the date
tasks.install_master(self.master, setup_dns=False,
extra_args=['--no-ntp'])
self.master.run_command(['systemctl', 'stop', 'chronyd'])
self.master.run_command(['date','-s', '+3Years+1day'])
yield
tasks.uninstall_master(self.master)
self.master.run_command(['date','-s', '-3Years-1day'])
self.master.run_command(['systemctl', 'start', 'chronyd'])
def test_ignore_topology_disconnect_replica2(self):
"""
tests that removal of replica2 with '--ignore-topology-disconnect'
destroys master for good with verbose option for uninstallation
"""
check_master_removal(
self.client,
self.replica2.hostname,
ignore_topology_disconnect=True
)
# reinstall the replica
tasks.uninstall_master(self.replica2, verbose=True)
tasks.install_replica(self.master, self.replica2, setup_ca=True)
def uninstall(cls, mh):
for replica in cls.replicas:
try:
tasks.run_server_del(cls.master,
replica.hostname,
force=True,
ignore_topology_disconnect=True,
ignore_last_of_role=True)
except subprocess.CalledProcessError:
# If the master has already been uninstalled,
# this call may fail
pass
tasks.uninstall_master(replica)
tasks.uninstall_master(cls.master)
for client in cls.clients:
tasks.uninstall_client(client)
if cls.fips_mode:
cls.disable_fips_mode()
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert (self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert (self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master,
self.replicas[1],
setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert (len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
# first step of uninstallation is removal of the replica on other
# master, then it can be uninstalled. Doing it the other way is also
# possible, but not reliable - some data might not be replicated.
tasks.clean_replication_agreement(self.master, self.replicas[1])
tasks.uninstall_master(self.replicas[1])
result5 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert (num_entries == "1"), "Incorrect number of entries displayed"
def test_ipa_certs_check_ipacertnsstrust(self):
"""
Test checks the output for IPACertNSSTrust when kra is installed
on the IPA system using ipa-kra-install
"""
cmd = tasks.install_kra(self.master)
assert cmd.returncode == 0
tasks.install_packages(self.master, HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
self.master,
"ipahealthcheck.ipa.certs",
"IPACertNSSTrust",
)
assert returncode == 0
for check in data:
assert check["result"] == "SUCCESS"
assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS
or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS)
tasks.uninstall_master(self.master)
def test_replica_install_against_server_without_kra(self):
"""Replica install will fail complaining about KRA role
and exit code 4"""
# install ca on replica1
tasks.install_ca(self.replicas[0])
try:
# install replica2 against replica1, as KRA is not installed on
# replica1(CA installed), installation should fail on replica2
cmd = tasks.install_replica(self.replicas[0], self.replicas[1],
promote=False, setup_kra=True,
raiseonerr=False)
assert cmd.returncode == 4
error = "please provide a server with the KRA role"
assert error in cmd.stderr_text
finally:
tasks.uninstall_master(self.replicas[1],
ignore_topology_disconnect=True,
ignore_last_of_role=True)
def test_hidden_replica_backup_and_restore(self):
"""Exercises backup+restore and hidden replica uninstall
"""
self._check_server_role(self.replicas[0], 'hidden')
# backup
backup_path = backup(self.replicas[0])
# uninstall
tasks.uninstall_master(self.replicas[0])
# restore
dirman_password = self.master.config.dirman_password
self.replicas[0].run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# give replication some time
time.sleep(5)
tasks.kinit_admin(self.replicas[0])
# FIXME: restore turns hidden replica into enabled replica
self._check_config([self.master, self.replicas[0]])
self._check_server_role(self.replicas[0], 'enabled')
def test_hidden_replica_backup_and_restore(self):
"""Exercises backup+restore and hidden replica uninstall
"""
self._check_server_role(self.replicas[0], 'hidden')
# backup
backup_path = tasks.get_backup_dir(self.replicas[0])
# uninstall
tasks.uninstall_master(self.replicas[0])
# restore
dirman_password = self.master.config.dirman_password
self.replicas[0].run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
# restore turns a hidden replica into an enabled replica
# https://pagure.io/freeipa/issue/7894
self._check_config([self.master, self.replicas[0]])
self._check_server_role(self.replicas[0], 'enabled')
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert(self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert(self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert(len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
# first step of uninstallation is removal of the replica on other
# master, then it can be uninstalled. Doing it the other way is also
# possible, but not reliable - some data might not be replicated.
tasks.clean_replication_agreement(self.master, self.replicas[1])
tasks.uninstall_master(self.replicas[1])
result5 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_replica_promotion_without_ntp(self):
"""
test to verify that replica promotion without ntp options
- ipa-client install with ntp option
- ipa-replica without ntp option
will be successful
"""
ntp_pool = "pool.ntp.org"
exp_str = "ipa-replica-install command was successful"
tasks.install_master(self.master, setup_dns=False)
tasks.install_client(self.master,
self.replica,
extra_args=['--ntp-pool=%s' % ntp_pool])
replica_install = self.replica.run_command(['ipa-replica-install'],
raiseonerr=False)
assert exp_str in replica_install.stderr_text
cmd = self.replica.run_command(['cat', paths.CHRONY_CONF])
assert ntp_pool in cmd.stdout_text
tasks.uninstall_master(self.replica)
def uninstall(cls, mh):
tasks.uninstall_master(cls.master)
for replica in cls.replicas:
tasks.uninstall_master(replica)
for client in cls.clients:
tasks.uninstall_client(client)
def test_full_backup_and_restore_with_replica(self, cert_sign_request):
# check prerequisites
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
self.master.run_command(
['ipa', 'service-add', 'TEST/' + self.master.hostname])
tasks.user_add(self.master, 'test1_master')
tasks.user_add(self.replica1, 'test1_replica')
with restore_checker(self.master):
backup_path = backup(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', 'test1_master'])
self.replica1.run_command(['ipa', 'user-del', 'test1_replica'])
tasks.user_add(self.master, 'test2_master')
tasks.user_add(self.replica1, 'test2_replica')
# simulate master crash
self.master.run_command(['ipactl', 'stop'])
tasks.uninstall_master(self.master, clean=False)
logger.info("Stopping and disabling oddjobd service")
self.master.run_command([
"systemctl", "stop", "oddjobd"
])
self.master.run_command([
"systemctl", "disable", "oddjobd"
])
self.master.run_command(['ipa-restore', '-U', backup_path])
status = self.master.run_command([
"systemctl", "status", "oddjobd"
])
assert "active (running)" in status.stdout_text
# replication should not work after restoration
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test3_master')
tasks.user_add(self.replica1, 'test3_replica')
self.check_replication_error(self.master)
self.check_replication_error(self.replica1)
assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \
self.get_users(self.master)
assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \
self.get_users(self.replica1)
# reestablish and check replication
self.replica1.run_command(['ipa-replica-manage', 're-initialize',
'--from', self.master.hostname])
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test4_master')
tasks.user_add(self.replica1, 'test4_replica')
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.master)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.replica1)
# CA on master should be accesible from master and replica
self.request_test_service_cert(
self.master, cert_sign_request[self.master.hostname])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
# replica should not be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname],
expect_connection_error=True)
finally:
self.master.run_command(['ipactl', 'start'])
tasks.install_ca(self.replica1)
# now replica should be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
self.master.run_command(['ipactl', 'start'])
# check installation of new replica
tasks.install_replica(self.master, self.replica2, setup_ca=True)
check_replication(self.master, self.replica2, "testuser")
# new replica should be able to sign certificates without CA on master
# and old replica
self.master.run_command(['ipactl', 'stop'])
self.replica1.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica2, cert_sign_request[self.replica2.hostname])
finally:
self.replica1.run_command(['ipactl', 'start'])
self.master.run_command(['ipactl', 'start'])
