test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed
Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Increase to 7200 from 3600 to match other executions.
Related: https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Accounts without a shell should not execute ProxyCommand
otherwise the authorization will fail.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test test_dnssec.py::TestInstallDNSSECFirst is failing due to known
issue https://pagure.io/freeipa/issue/8496
currently under investigation by 389ds team.
In the meantime, remove the test from gating to avoid blocking the PRs.
Related: https://pagure.io/freeipa/issue/8496
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New templates with a previously working version of `geckodriver`.
Issue: https://pagure.io/freeipa/issue/8473
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
New template images for ci-master-f32 to include latest packages.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
New template images for ci-master-f32 and ci-master-f31 to include
latest certmonger package (`certmonger-0.79.11-2`).
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Because the FreeIPA ACME service is a new feature and may require
stabilisation, including it in gating CI. This is done as a
separate commit so that it can be reverted more easily.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
New template images for ci-master-f32 and ci-master-f31 with updated
packages.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove all freeipa-* packages from template:
bdd98c3b9d
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
New images were necessary to include updated `selinux-policy` package.
Rawhide image based on `Fedora-Rawhide-20200607.n.0` compose.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Commit a5cbdb57e5 introduced a bug when
updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
variable was not declared.
Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
"previous" updated to Fedora 31
"latest" updated to Fedora 32
"rawhide" based on Fedora 33
389ds, testing and pki definitions updated to Fedora 32
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).
Thanks to sorlov for the nightly test definitions and new test.
Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
These new images have SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed.
Issue : freeipa/freeipa-pr-ci#336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
test_smb slows down gating and PR turnover. The test takes between 45 and
50 minutes to execute while the other gating tests finish in about or less
than half the time.
The Samba / AD integration tests are still executed in nightly tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Commands like ipa group-add-member-manager now show permission
errors on failed operations.
Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.
This commit also replaces `fedora-30` with `fedora-latest` for test_smb gating definition
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Fedora 31 is the latest release, Fedora 30 is now the previous release.
New template boxes were built for current tests definitions with
updated dependencies.
Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.
Future changes would only require to update the name and version of the template used.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after 380c8b8c78.
This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.
This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba
Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Update boxes used in nightlies runs and add new ones.
Based on the changes made in freeipa/freeipa-pr-ci#304.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Vault and KDC proxy are neither critical subsystems nor are they likely to
fail. They have been pretty stable and don't see any major development.
It's sufficient to run them in nightly tests only.
The removal speed up gating a bit. Especially vault tests are slow and
usually take more than 30 minutes to complete
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Enable testing (gating and nightly) to use the new F29 template.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Diogo Nunes <dnunes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.
This PR also roll-back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.
Fixes https://pagure.io/freeipa/issue/7777
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>