IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
15,293 Commits 11 Branches 59 Tags 60 MiB
0e8bde3175
Commit Graph

102 Commits

Author SHA1 Message Date
Stanislav Levin
0e8bde3175 ap: Raise dbus timeout 
With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.

https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2022-07-26 12:36:41 -04:00
Alexander Bokovoy
862340a3a1 js tests: use latest grunt 
Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.

This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 2022-05-05 15:04:28 +03:00
Alexander Bokovoy
53d9dafe2f Azure CI: don't force non-existing OpenSSL configuration anymore 
Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.

Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 2022-05-05 15:04:28 +03:00
Alexander Bokovoy
6a086eb220 Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use 
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 2022-05-05 15:04:28 +03:00
Alexander Bokovoy
64bbf31fd8 Switch Azure CI to Fedora 36 pre-release 
Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 2022-05-05 15:04:28 +03:00
Alexander Bokovoy
4a7cc3467c docs: add plantuml and use virtual environment to generate docs 
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.

The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
 2022-05-04 09:36:40 +03:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression 
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2022-03-11 13:37:08 -05:00
Stanislav Levin
8f1dda6404 seccomp profile: Default to ENOSYS instead of EPERM 
This allows application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failed with new syscalls in containerized
environments if their host run on old kernel.

More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750

See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-10-18 12:08:56 +02:00
Stanislav Levin
a941e8f602 azure: Ignore tar errors 
Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-09-15 08:48:13 +02:00
Stanislav Levin
42067e5610 Azure: Run pycodestyle check in Lint job 
- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.

- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
 2021-08-24 16:49:10 +02:00
François Cami
baed2e6f91 Azure: temporarily disable problematic tests, #2 
test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
 2021-07-23 10:52:55 +02:00
François Cami
b71009b31a Azure: temporarily disable problematic tests, #1 
test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
 2021-07-23 10:52:55 +02:00
Christian Heimes
470bb6ed45 Add Custodia tests 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2021-06-16 10:28:17 -04:00
Stanislav Levin
10461b7091 azure: Make it possible to adjust Docker resources per test env 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
6c2db326f8 azure: coredump: Wait for systemd fully booted 
Otherwise, 'Check for coredumps' task fails with:
```
Verifying        : samba-debugsource-2:4.14.4-0.fc34.x86_64             20/20
[Errno 2] No such file or directory: '/var/lib/dnf/rpmdb_lock.pid'
Finishing: Check for coredumps
```

This is due to systemd-tmpfiles(not ready yet).

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
01553572d4 azure: Re-balance tests envs 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
a893852b4f azure: Warn about extra and missing gating tests compared to PR-CI 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
611b49e42b azure: Collect installed packages 
The list of installed packages may be useful for checking the
versions of packages for analysis. Previously, only the newly
installed packages can be observed on Build phase.

This is convenient for experienced users of PR-CI.

Note: the read-only access provided for non-master containers
to be able to execute Azure scripts. The logs are still collected
only on controller.

Only RPM-based collection is implemented for Fedora. By default
nothing is collected.

Users may want to override `installed_packages` function
in the corresponding `ipatests/azure/scripts/variables-DISTRO.sh`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
afef09ccba ipatests: Ignore warnings on failed to read files on tarring 
There are tons of useless warnings about missing files on collecting
logs, such as:

```
tar: /var/log/ipaserver-kra-install.log: Warning: Cannot stat: No such file or directory
tar: /var/log/ipaepn.log: Warning: Cannot stat: No such file or directory
tar: /etc/NetworkManager/NetworkManager.conf: Warning: Cannot stat: No such file or directory
tar: /var/log/ipabackup.log: Warning: Cannot stat: No such file or directory
tar: /var/log/iparestore.log: Warning: Cannot stat: No such file or directory
...

```

Since `--ignore-failed-read` option is passed to tar the caller
doesn't care about not readable(mostly missing) files and these warnings
may be filtered out.

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
3889d8654a pytest: Show extra summary information for all except passed tests 
By default pytest reports in summary section about tests failures and errors.
It will be helpful to see skipped, xfailed and xpassed tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
fc0c6b44a8 azure: Run Base and XMLRPC tests is isolated network 
The tests in these envs make DNS requests to wild(internet) NSs,
though usually tests assume the opposite making requests to
`test.` zone. This makes CI unstable and dependent on wild
resolvers and logically wrong.

In future there can be tests which may want to check BIND as
resolver(cache) for external networks. In this case such tests
should be placed on not isolated mode.

By default, a test env is not isolated from internet(as it was
before), but it may be a good idea to change this default in
future.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
65700bf743 ipatests: Setup and collect BIND logs 
For Base/XMLRPC tests BIND's logs are already collected.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
b5fdba7a72 azure: Warn about memory issues 
The nonzero number of memory/memory+Swap usage hits limits may
indicate the possible env instability(crashes, random failures, etc.).

> memory.failcnt		 # show the number of memory usage hits limits
  memory.memsw.failcnt		 # show the number of memory+Swap hits limits

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
9148ca2e1e azure: Add workaround for PhantomJS against OpenSSL 1.1.1 
WebUI unit tests fail with:
```
PhantomJS threw an error:ERROR
>> Auto configuration failed 0 [
>>   'Auto configuration failed',
>>   '140613066520384:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory',
>>   '140613066520384:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:',
>>   '140613066520384:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf',
>>   '140613066520384:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf'
>> ]
...

Warning: PhantomJS exited unexpectedly with exit code 1. Use --force to continue.

Aborted due to warnings.
```

See https://github.com/wch/webshot/pull/93 for details.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
06d7c7f1d3 azure: Mask systemd-resolved 
The initial value of NS of resolv.conf is 127.0.0.11, this
is the embedded NS of docker-compose. The disabling of
this feature is not currently supported by Docker.

On startup systemd-resolved caches the /etc/resolv.conf
(docker-compose version), which is later modified by
setup_containers.py script.

This results in resolving error occurs:
```console
[root@replica1 /]# getent ahosts master1.ipa.test
... can't resolve

[root@replica1 /]# grep 'hosts:' /etc/nsswitch.conf
hosts:      files myhostname resolve [!UNAVAIL=return] dns

[root@replica1 /]# resolvectl status
Global
       LLMNR setting: resolve
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 127.0.0.11
         DNS Servers: 127.0.0.11
Fallback DNS Servers: 1.1.1.1
                      8.8.8.8
                      1.0.0.1
                      8.8.4.4
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
```

According to docs:
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf
our case is 4(managed by other packages).

So, restart of systemd-resolved is enough for its re-initialization,
but not for services that already received DNS results. To speed up
the overall process and to no restart each service which wants
internet connection(or wait until service retries connection)
systemd-resolved is masked.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
7ed21f158c azure: Remove no longer needed repo 
libseccomp2 2.5.1 is on focal-updates(Ubuntu 20.04LTS):
https://packages.ubuntu.com/focal-updates/libseccomp2

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
1c82895c20 azure: Wait for systemd booted 
The calling of systemd's utils during systemd boot may lead to
unpredictable results. For example, if DBus(dbus-broker) service
is not started then DBus request goes nowhere and eventually will
be timeouted. So, it's safer to wait fully booted system.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
09a4918f03 azure: Enforce multi-user.target as default systemd's target 
This may speed up boot process.
For example, 'fedora:34' set graphical.target as default,
while multi-user one will be more appropriate.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
be2f659aa7 azure: Collect systemd boot log 
If an error occured while containers setup phase then no logs will
be collected and it is hard(impossible?) to debug such issues on
remote Azure host. With this change in case of such error all the
container's journals will be collected in `systemd_boot_logs`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Stanislav Levin
6fe8620668 azure: bump F32->F34 
Fixes: https://pagure.io/freeipa/issue/8848
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-05-25 10:45:49 +03:00
Christian Heimes
6d0d1c7088 Constrain pylint to supported versions 
Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constraints pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.

Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2021-05-03 09:16:14 +02:00
Stanislav Levin
bdb2696805 pylint: Adapt to new Pylint 2.8 
- globally ignore `consider-using-with`
- fix `consider-using-max-builtin`
- explicitly enable pylint on project configuration
- unpin Pylint
- added transformation for IntegrationTest attributes(will work
  unless explicitly defined)

Fixes: https://pagure.io/freeipa/issue/8818
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2021-04-27 13:28:42 +02:00
Stanislav Levin
7855c77f93 Azure: Run Lint task as separate job 
Lint task uses PyPI to get the latest Pylint, which may pull in
any other packages as dependencies. For distro isolation the Lint
job should not produce any meaningful artifacts or they should not
be used in subsequent jobs. So, this job have to be isolated from
the others.

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
056c51161c Azure: Don't install pypi's docker 
Ubuntu 20.04's docker meets the requirement(4+).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
72adb3279a Azure: Disable AppArmor profile for chrony 
The security option 'apparmor:unconfined' tells Docker to not
apply AppArmor profiles for containers at all. This will not
replace or remove any existing profile. For example, this happens
on Ubuntu 20.04 which switched to chrony and brings its AppArmor
profile. Container's chronyd get blocked by AppArmor:

fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"

So, any of AppArmor profiles can block container's processes by
matching executable name. There are two ways:
1) prepare custom AppArmor unconfined profile, load it on Host and
    reference it in container's configuration. This requires the
    knowledge of profile syntax at least, not to difficult, but
    potentially hard to maintain.
2) disable conflicting profile on Host;

Azure will warn about AVC in either case.
The second one was chosen as more simple.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
5daa41fc55 Azure: Warn about Host's AVC and SECCOMP 
Azure's VM distro is Ubuntu, which has enabled AppArmor.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires reboot(this is impossible,
at least for now). So, Azure will warn about AVC records in Host's
journal as a possible clue.

It will be equally important to be warned about SECCOMP records to
see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in
seccomp profile).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
45d2381037 Azure: Collect Host's systemd journal 
The journal of Host is useful for AVC/SECCOMP analyzing.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
5afe13798e Azure: Run chronyd in Docker 
The syncing time stuff is required by IPA NTP tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
908e8cf338 Azure: Template docs build 
The distros may use different sphinx builder paths,
for example, by exporting of SPHINXBUILD env var.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
85c63fbe62 Azure: Show disk usage 
Collect disk usage information may be helpful, for example, for
debugging code required free space such as healthcheck tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
3ac2cdfd43 Azure: Make it possible to pass additional Pytest args 
Some tests require its specific Pytest args. With this change
they can be specified in tests definitions.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-30 09:58:42 +02:00
Stanislav Levin
83e16a4e47 Azure: Run rpmlint on Fedora 
Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-03-29 10:16:12 +03:00
Florence Blanc-Renaud
a9b4ed4f52 ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating 
The test was temporarily removed because of a known issue
but the issue is now fixed.

Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
 2021-03-17 16:28:19 +01:00
Stanislav Levin
3e33e546c3 Azure: Populate containers with self-AAAA records 
IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function(`ipaserver.install.installutils`),
which in turn, relies on NSS.

In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.

In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica.

Note: since the most of the code in setup_containers was touched it has
been reformatted.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2021-02-15 09:54:51 +02:00
Alexander Bokovoy
f977629182 Azure CI: mask chronyd in the container 
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-11-17 18:48:24 +02:00
Alexander Bokovoy
1bf0d62828 Azure CI: use PPA to provide newer libseccomp version 
Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If kernel responds with ENOSYS error code, GNU libc will
attempt to use older, less flexible, faccessat(() system call.

When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).

libseccomp started to support faccessat2() in July 2020 with
5696c89640
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)

With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-11-17 18:48:24 +02:00
Alexander Bokovoy
6e1eaad873 Azure CI: use Ubuntu-20.04 image by default 
Ubuntu 20.04 image is available in Azure Pipelines, migrate to it.
https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-11-17 18:48:24 +02:00
Florence Blanc-Renaud
a33530f2f6 ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating 
The test test_dnssec.py::TestInstallDNSSECFirst is failing due to known
issue https://pagure.io/freeipa/issue/8496
currently under investigation by 389ds team.

In the meantime, remove the test from gating to avoid blocking the PRs.

Related: https://pagure.io/freeipa/issue/8496
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-11-17 08:39:59 +01:00
Christian Heimes
644bd0e46b Make git a build requirement 
FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-23 14:49:56 +02:00
Alexander Bokovoy
31bc0df6a2 Specify memory limits as strings for docker compose 
Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-14 14:00:20 +03:00