Test: To check ipa replica-manage del <FQDN> does not fail

Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
   changetype: modify
   delete: ipaconfigstring
   ipaconfigstring: enabledService

   dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
   add: ipaconfigstring
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Sumedh Sidhaye 2019-07-16 16:26:29 +05:30 committed by Rob Crittenden
parent 94b4af55b0
commit b52d40b0c1
4 changed files with 115 additions and 4 deletions

View File

@ -411,6 +411,18 @@ jobs:
timeout: 10800
topology: *master_1repl
fedora-29/test_installation_TestInstallMasterReplica:
requires: [fedora-29/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-29/build_url}'
test_suite: test_integration/test_installation.py::TestInstallMasterReplica
template: *ci-master-f29
timeout: 10800
topology: *master_1repl
fedora-29/test_idviews:
requires: [fedora-29/build]
priority: 50

View File

@ -423,6 +423,18 @@ jobs:
timeout: 10800
topology: *master_1repl
fedora-30/test_installation_TestInstallMasterReplica:
requires: [fedora-30/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-30/build_url}'
test_suite: test_integration/test_installation.py::TestInstallMasterReplica
template: *ci-master-f30
timeout: 10800
topology: *master_1repl
fedora-30/test_idviews:
requires: [fedora-30/build]
priority: 50

View File

@ -411,6 +411,18 @@ jobs:
timeout: 10800
topology: *master_1repl
fedora-rawhide/test_installation_TestInstallMasterReplica:
requires: [fedora-rawhide/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
test_suite: test_integration/test_installation.py::TestInstallMasterReplica
template: *ci-master-frawhide
timeout: 10800
topology: *master_1repl
fedora-rawhide/test_idviews:
requires: [fedora-rawhide/build]
priority: 50

View File

@ -11,22 +11,24 @@ from __future__ import absolute_import
import os
import re
from datetime import datetime, timedelta
import textwrap
import time
from datetime import datetime, timedelta
from cryptography.hazmat.primitives import hashes
import pytest
from cryptography.hazmat.primitives import hashes
from ipalib import x509
from ipalib.constants import DOMAIN_LEVEL_0
from ipaplatform.constants import constants
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks as platformtasks
from ipapython import ipautil
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
from ipalib import x509
config = get_global_config()
@ -772,3 +774,76 @@ class TestMaskInstall(IntegrationTest):
""" Method to restore the default bashrc contents"""
if self.bashrc_file is not None:
self.master.put_file_contents('/root/.bashrc', self.bashrc_file)
class TestInstallMasterReplica(IntegrationTest):
"""https://pagure.io/freeipa/issue/7929
Problem:
If a replica installation fails before all the services
have been enabled then
it could leave things in a bad state.
ipa-replica-manage del --cleanup --force
invalid 'PKINIT enabled server': all masters must have
IPA master role enabled
Root cause was that configuredServices were being
considered when determining what masters provide
what services, so a partially installed master
could cause operations to fail on other masters,
to the point where a broken master couldn't be removed.
"""
num_replicas = 1
topology = 'star'
@classmethod
def install(cls, mh):
tasks.install_master(cls.master, setup_kra=True)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def test_replicamanage_del(self):
"""Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
ldapmodify -D cn="Directory Manager"-w <passwd>
dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
"""
# https://pagure.io/freeipa/issue/7929
# modify the replica entry on Master
cmd_output = None
dn_entry = 'dn: cn=KDC,cn=%s,cn=masters,cn=ipa,' \
'cn=etc,%s' % \
(self.replicas[0].hostname,
ipautil.realm_to_suffix(
self.replicas[0].domain.realm).ldap_text())
entry_ldif = textwrap.dedent("""
{dn}
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
{dn}
add: ipaconfigstring
ipaconfigstring: configuredService
""").format(dn=dn_entry)
cmd_output = tasks.ldapmodify_dm(self.master, entry_ldif)
assert 'modifying entry' in cmd_output.stdout_text
cmd_output = self.master.run_command([
'ipa-replica-manage', 'del',
self.replicas[0].hostname, '--cleanup', '--force'
])
assert_text = 'Deleted IPA server "%s"' % self.replicas[0].hostname
assert assert_text in cmd_output.stdout_text