Commit Graph

1834 Commits

Author SHA1 Message Date
Alexander Bokovoy
77ed0918a7 Remove Fedora repository fastmirror selection
Fast mirror selection somehow stopped working. If disabled, the
difference is around 20 seconds for the 'Prepare build environment' step
(2:49 versus 3:09), so while we are saving, currently it is not a lot.

Also remove explicit nodejs stream choice, it seems to be not needed
anymore (again).

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-03-28 19:55:10 +01:00
François Cami
f9804558bb ipatests: test_replica_promotion.py: test KRA on Hidden Replica
The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.

Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2020-03-26 13:18:14 +01:00
Mohammad Rizwan Yusuf
d07da41739 ipatests: Skip test using paramiko when FIPS is enabled
Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 15:18:57 +01:00
Rob Crittenden
8906689215 Test that pwpolicy only applied on Kerberos entries
Also test that a normal user has password history enforcement

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Rob Crittenden
ff6984e2ee Add ability to change a user password as the Directory Manager
This is to confirm that the Directory Manager is not affected by
password policy.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Alexander Bokovoy
a620ac0f6f ipatests: test sysaccount password change with a password policy applied
ipa-pwd-extop plugin had a bug which prevented a cn=Directory Manager
to change a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.

The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
 - as a user: must succeeed
 - as a cn=Directory Manager: must succeed even with a password re-use
 - as a user again: must fail due to password re-use

Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Alexander Bokovoy
8c191ddf6d ipatests: allow changing sysaccount passwords as cn=Directory Manager
Extend ldappasswd_sysaccount_change() helper to allow changing
passwords as a cn=Directory Manager.

Related to: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Alexander Bokovoy
c1c45df4b2 ipatests: always skip additional input for group-add-member --external
'ipa group-add-member groupname --external some-object' will attempt to
ask interactive questions about other optional parameters (users and
groups) if only external group member was specified. This leads to a
timeout in the tests as there is no input provided.

Do not wait for the entry that would never come by using 'ipa -n'.

Related: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-25 09:39:01 +02:00
Fraser Tweedale
45b5384b6e ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname
Add integration test that confirms that on CA-ful installation, the
(non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~4`.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-25 11:13:03 +11:00
Sergey Orlov
aae30eb708
ipatests: provide AD admin password when trying to establish trust
`ipa trust-add --password` command requires that user provides a password.

Related to: https://pagure.io/freeipa/issue/7895

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-24 18:26:03 +01:00
Mohammad Rizwan Yusuf
312d00df90 Test if schema-compat-entry-attribute is set
This is to ensure if said entry is set after installation.
It also checks if compat tree is disable.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-03-24 13:49:57 +01:00
Mohammad Rizwan Yusuf
9120d65e88 Test if schema-compat-entry-attribute is set
This is to ensure if said entry is set after installation with AD.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-03-24 13:49:57 +01:00
Christian Heimes
e8602b1586 Add pytest OpenSSH transport with password
The pytest_multihost transport does not provide password-based
authentication for OpenSSH transport. The OpenSSH command line tool has
no API to pass in a password securely.

The patch implements a custom transport that uses sshpass hack. It is
not recommended for production but good enough for testing.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-24 10:22:18 +02:00
Sergey Orlov
9e47799cc7 ipatests: remove test_ordering
The test_integration/test_ordering.py is a test for pytest_sourceorder
plugin which is not part of freeipa project, it is not an integration test.

The up to date version of this test is available at project repository:
https://pagure.io/python-pytest-sourceorder/blob/master/f/test_sourceorder.py

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-24 10:20:39 +02:00
Rob Crittenden
4a3b7baed7 Test that ipa-healthcheck human output translates error strings
The code rather than the string was being displayed in human
output for non-SUCCESS messages. Verify that in case of an error
the right output will be present.

https://bugzilla.redhat.com/show_bug.cgi?id=1752849

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-21 09:36:40 +01:00
Christian Heimes
a4efb3028b Test documentation builds in Azure 2020-03-21 07:40:33 +02:00
Florence Blanc-Renaud
3753862401 ipatests: wait for SSSD to become online in backup/restore tests
The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.

Fixes: https://pagure.io/freeipa/issue/8228

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-21 07:37:05 +02:00
sumenon
c77f4213e9 ipatests: Added testcase to check logrotate is added for healthcheck tool
Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2020-03-20 08:20:56 +01:00
Alexander Bokovoy
2997a74abc Prevent adding IPA objects as external members of external groups
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.

Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.

RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.

Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-19 13:27:30 +01:00
Florence Blanc-Renaud
20d601e9c3 xmlrpc tests: add a test for idview-apply on a master
Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.

Related: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-19 10:55:11 +01:00
Anuja More
6018ccaa8d Mark test to skip sssd-2.2.2
Test test_ext_grp_with_ldap is marked as skip as
fix for https://pagure.io/SSSD/sssd/issue/4073
unavailable with sssd-2.2.2

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-17 09:13:16 +02:00
Anuja More
b2ab2863ca ipatests: User and group with same name should not break reading AD user data.
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-17 09:13:16 +02:00
Christian Heimes
7a9ac1f586 Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.

Allow all hosts to read some entries from active DNS records.

Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-16 13:04:17 +01:00
Rob Crittenden
44e7342844 Move execution of ipa-healthcheck to a separate function
This removes a lot of duplication and simplifies the test
code.

It returns the command returncode and the JSON data (if any)

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-03-12 17:24:33 -04:00
sumenon
4e3a2bd6bf ipatests: check that ipa-healthcheck warns if no dna range is set
Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.

Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-03-12 17:24:33 -04:00
Sergey Orlov
8dd663e0c2 ipatests: add test for SSSD updating expired cache items
New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.

Related to: https://pagure.io/SSSD/sssd/issue/4012

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-12 07:39:12 +01:00
Sergey Orlov
7c059c81ce ipatests: provide docstrings instead of imporperly placed comments
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1685581

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-12 07:39:12 +01:00
Mohammad Rizwan Yusuf
9bcc57d9e0 Test if getcert creates cacert file with -F option
It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.

related: https://pagure.io/freeipa/issue/8105

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-11 15:48:42 -04:00
Mohammad Rizwan Yusuf
6739d8722c Move wait_for_request() method to tasks.py
Moved the method so that it can be used by other modules too

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-11 15:48:42 -04:00
Sergey Orlov
e01e7fe6c6
ipatests: remove invalid parameter from sssd.conf
`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.

Related to: https://pagure.io/freeipa/issue/8219

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Sergey Orlov
3dd679b31d
ipatests: use remote_sssd_config to modify sssd.conf
Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.

Related to: https://pagure.io/freeipa/issue/8219

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Sergey Orlov
9450aef75f
ipatests: replace utility for editing sssd.conf
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`

This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
  early
* has convenient interface for simple options modification,
  both in domain and service sections
* allows sophisticated modifications through SSSDConfig object

Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Sergey Orlov
888c7ba938
ipatests: update docstring to reflect changes in FileBackup.restore()
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Florence Blanc-Renaud
fc4c3ac795 ipatests: add test for ipa-adtrust-install --add-agents
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).

Thanks to sorlov for the nightly test definitions and new test.

Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Florence Blanc-Renaud
9ee8657c2a ipatests: fix TestSubCAkeyReplication
The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.

Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2020-03-05 07:20:15 +01:00
Mohammad Rizwan Yusuf
1556f3f767 Test if server installer lock Bind9 recursion
This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well

related : https://pagure.io/freeipa/issue/8079

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-03 08:11:51 -05:00
Anuja More
8007cec855 ipatests: Added test when 2FA prompting configurations is set.
Related : https://pagure.io/SSSD/sssd/issue/3264
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-03 10:23:58 +02:00
Armando Neto
132ef03acb prci: bump version for latest and previous templates
Packages updated in the new templates.

Boxes:
* https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.4
* https://app.vagrantup.com/freeipa/boxes/ci-master-f30/versions/0.0.7

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-01 15:26:13 -03:00
Rob Crittenden
f589a8952c Fix div-by-zero when svc weight is 0 for all masters in location
The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.

Implement the following rules:
1. If all masters have weight == 0 then all are equally
   weighted.
2. If any masters have weight == 0 then they have an
   extremely small chance of being chosen, percentage is
   0.1.
3. Otherwise it's percentage change is based on the sum of
   the weights of non-zero masters.

https://pagure.io/freeipa/issue/8135

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-26 13:42:10 -05:00
Stanislav Levin
0a1e98cdf0 Azure: Report elapsed time
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
38e0a9f4c0 Azure: Rebalance tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
9203404cd5 Azure: Skip tests requiring external DNS
An external DNS is not supported yet, but it could be easily
implemented by adding another container with simple DNS server.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
e925148ad9 Azure: Free Docker resources after usage
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
1fa033c32d Azure: Preliminary check for provided limits
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
6daf4d2e10 Azure: Sync Gating definitions to current PR-CI
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
31d05650fb Azure: Add support for testing multi IPA environments
Currently, only one IPA environment is tested within Docker
containers. This is not efficient because Azure's agent gives
6 GB of physical memory and 13 GB of total memory (Feb 2020),
but limits CPU with 2 cores.

Next examples are for 'master-only' topologies.

Let's assume that only one member of github repo simultaneously
run CI. This allows to get the full strength of Azure.

Concurrency results for TestInstallMaster:
------------------------------------------
|    job concurrency      |  time/jobs   |
------------------------------------------
|             5           |     40/5     |
|             4           |     34/4     |
|             3           |     25/3     |
|             2           |     19/2     |
|             1           |     17/1     |
------------------------------------------
Results prove the limitation of 2 cores. So, in case of jobs'
number not exceeds the max capacity for parallel jobs(10) the
proposed method couldn't save time, but it reduces the used
jobs number up to 2 times. In other words, in this case CI
could pass 2 x tests.

But what if CI was triggered by several PRs? or jobs' number is
bigger than 10. For example, there are 20 tests to be run.

Concurrency results for TestInstallMaster and 20 input jobs:
------------------------------------------------------------------
|    job concurrency      |     time     | jobs used | jobs free |
------------------------------------------------------------------
|             5           |      40      |      4    |     6     |
|             4           |      34      |      5    |     5     |
|             3           |      25      |      7    |     3     |
|             2           |      19      |     10    |     0     |
|             1           |      34      |     20    |     0     |
------------------------------------------------------------------
So, in this case the optimal concurrency would be 4 since it
allows to run two CIs simultaneously (20 tasks on board) and get
results in 34 minutes for both. In other words, two people could
trigger CI from PR and don't wait for each other.

New Azure IPA tests workflow:

+ 1) generate-matrix.py script generates JSON from user's YAML [0]
  2) Azure generate jobs using Matrix strategy
  3) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
    a) downloads prepared Docker container image (artifact) from Azure cloud
       (built on Build Job) and loads the received image into local pool
  + b) GNU 'parallel' launch each IPA environment in parallel:
    + 1) docker-compose creates the Docker environment having a required number
         of replicas and/or clients
    + 2) setup_containers.py script does the needed container's changes (DNS,
         SSH, etc.)
    + 3) launch IPA tests on tests' controller
    c) publish tests results in JUnit format to provide a comprehensive test
       reporting and analytics experience via Azure WebUI [1]
    d) publish regular system logs as artifacts

[0]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
d3f1b9b43d Azure: Don't collect twice systemd_journal.log
This log file is collected by azure-run-tests.sh script and then by
Azure 'PublishPipelineArtifact' task. So, the same file gets into
logs artifact.

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
b82515562a Azure: Make it possible to configure distro-specific stuff
This allows to run IPA tests on Azure using any distro.

To achieve this, one has to do:
1) place a platform specific template on 'ipatests/azure/templates/'
and make a soft link from 'ipatests/azure/templates/variables.yml' to
the new template.
2) place a configuration templates on these paths
3) templates have to answer the questions such as:
  a) which Docker image to use to build IPA packages (rpm, deb, etc.)
  b) how to prepare Build environment
  c) how to build IPA packages
  d) how to prepare environment to run Tox tests
  e) how to prepare environment to run WebUI unittests
  f) which base Docker image to use to build the new image to run
     IPA tests within it

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
879855ce70 Azure: Allow to run integration tests
Azure provides Microsoft-hosted agents having tasty resources [0].
For now (Feb 2020),
- (Linux only) Run steps in a cgroup that offers 6 GB of physical memory and
13 GB of total memory
- Provide at least 10 GB of storage for your source and build outputs.

This is enough to set up IPA environments consisted of not only master but also
replicas and clients and thus, run IPA integration tests.

New Azure IPA tests workflow:

+ 1) Azure generate jobs using Matrix strategy
  2) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
    a) downloads prepared Docker container image (artifact) from Azure cloud
       (built on Build Job) and loads the received image into local pool
  + b) docker-compose creates the Docker environment having a required number
       of replicas and/or clients
  + c) setup_containers.py script does the needed container's changes (DNS,
       SSH, etc.)
  + d) launch IPA tests on tests' controller
    e) publish tests results in JUnit format to provide a comprehensive test
       reporting and analytics experience via Azure WebUI [1]
    f) publish regular system logs as artifacts

[0] https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops
[1] https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00
Stanislav Levin
157fa59e7c Azure: Allow SSH for Docker environments
IPA integration tests utilize SSH as a transport to communicate
with IPA hosts. To run such tests Docker environments should
have configured SSH.

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-25 18:02:12 +02:00