Commit Graph

14723 Commits

Author SHA1 Message Date
Sergey Orlov
ae533e2998 ipatests: allocate pseudo-terminal only for specific command
While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-29 14:55:23 +03:00
Stanislav Levin
83e16a4e47 Azure: Run rpmlint on Fedora
Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:16:12 +03:00
Stanislav Levin
7fc0c04dc4 configure: Make rpmlint optional
Distributions may want to run comprehensive fastcheck or lint tasks,
but rpmlint tool is mandatory for these targets while some platforms
don't have it at all.

With this change the rpmlint becomes optional for fastcheck, devcheck
and lint make targets.

Note: rpmlint option is disabled by default.
To enable: ./configure --enable-rpmlint
To explicitly disable: ./configure --disable-rpmlint

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:16:12 +03:00
Antonio Torres
8caac84146 ipatests: expect boolean type for nsaccountlock in user module
user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.

Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:11:56 +03:00
Antonio Torres
45de2d7f39 Return nsaccountlock in user-add as boolean
The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.

Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:11:56 +03:00
Antonio Torres
5984f14426 ipatests: add test for group creation with GID and nonposix option
Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:09:22 +03:00
Antonio Torres
c0216fb235 Enhance error message when adding non-posix group with a GID
Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.

Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:09:22 +03:00
Antonio Torres
e820e2d1a8 ipa passwd: make help for --otp option clearer
Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.

Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-29 10:07:38 +03:00
Antonio Torres
6cd544d38e ipatests: add test for multiple permitopen entries in SSH keys
Add test to ensure that IPA allows to introduce multiple
permitopen and permitlisten entries.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:06:07 +03:00
Antonio Torres
c8b5779e28 Allow multiple permitopen/permitlisten in SSH keys
SSH keys allow to have multiple entries for
the permitopen and permitlisten options. Prior
to this change, only one of each could be configured.

Fixes: https://pagure.io/freeipa/issue/8423
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:06:07 +03:00
Florence Blanc-Renaud
c2c533b765 Adapt redhat ipaplatform to RHEL9/ELN
On RHEL8, ipa is using named-pkcs11.service but RHEL9 is based on
fedora34 and uses named.service instead. There is already some support
for this distinction in ipaplatform, and the patch relies on the
specific settings that can be configured in ipaplatform/xx/services.py
and ipaplatform/xx/constants.py

On RHEL9 ipa also needs to define NAMED_OPENSSL_ENGINE for named
to use openssl's okcs11 engine.

Fixes: https://pagure.io/freeipa/issue/8753
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:03:21 +03:00
Rob Crittenden
8c93e2fb0b Increase timeout for TestIpaHealthCheck to 5400s
During development of a fix to workaround certmonger effectivly
hanging server uninstallation the test was re-worked to force
uninstall during the test execution itself.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-26 10:54:08 +01:00
Rob Crittenden
fb58b76a80 Uninstall without starting the CA in cert expiration test
Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.

certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.

A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.

A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).

During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.

This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
succesful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.

This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-26 10:54:08 +01:00
Mohammad Rizwan
34af8099e6 ipatests: Don't rely on certmonger's assigned request id
There are failure observed in test_rekey_keytype_DSA(test_cert.py)
It is due to the fact that there is no guarantee that the request id
will match the filename that certmonger assigns.

This fix assigns the request id with -I option to command (and make
use of existing fixture) and get the file name by grepping the
certmonger's directory with specified req id.

fixes: https://pagure.io/freeipa/issue/8725

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:46:54 +01:00
Rob Crittenden
7ee30aa092 ipatests: Test secure_ajp_connector works with multiple connectors
There may be both IPv4 and IPv6 AJP connectors. Test that both
are upgraded with the new tomcat attribute and the passwords are
kept in sync.

The Apache password will be updated if needed elsewhere in the
upgrade process.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:43:22 +01:00
Rob Crittenden
fd66a74a59 Allow overriding is_newer_tomcat_version()
This is needed so we can mock the DogtagInstance class
and have control over the version of tomcat.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:43:22 +01:00
Alexander Scheel
8a715feb57 Handle multiple AJP adapters during upgrade
In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.

Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.

This patch benefits IPA in the scenario when:

 1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
 2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
    resulting in split IPv4/IPv6 adapters -- this would only happen
    on a direct migration from 8.2 -> 8.4
 3. ipa upgrade script then runs to provision an AJP secret value for
    use with both Dogtag and IPA.

Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:43:22 +01:00
Mohammad Rizwan
19da4a76d5 ipatests: Enable certbot test on rhel
With this change, certbot test will be running on rhel.
certbot is not avilable on rhel through repository.
Plan is to install certbot using pip/epel on rhel and increase the
test coverage on rhel

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-03-23 15:57:51 +01:00
Armando Neto
c572697d98 ipatests: Bump PR-CI Rawhide template
Template based on Fedora 35.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-23 10:18:59 +01:00
Jan Pazdziora
4769c15f37 Avoid comparing 'max' with 'max\n'.
Fixes https://pagure.io/freeipa/issue/8764.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-23 08:35:32 +01:00
Antonio Torres
4d716d3fbc Extend logging to include execution time
Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.

Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-22 10:55:56 -04:00
Sergey Orlov
76dd9a97fd
ipatests: update prci definitions for test_http_kdc_proxy
the new tests require an AD instance

Reviewed-By: Anuja More <amore@redhat.com>
2021-03-18 13:41:49 +01:00
Sergey Orlov
40a686ca84
ipatests: add test for kdcproxy handling reply split to several TCP packets
This is a regression test for the bug in python-kdcproxy mentioned in
https://github.com/latchset/kdcproxy/pull/44
  When the reply from AD is split into several TCP packets the kdc
  proxy software cannot handle it and returns a false error message
  indicating it cannot contact the KDC server.

This could be observed as login failures of AD user on IPA clients
when:
* IPA client was configured to use kdcproxy to communicate with AD
* kdcproxy used TCP to communicate with AD
* response from AD to kdcproxy was split into several packets

This patch also refactors and improves existing tests:
* switch to using pytest fixtures for test setup and cleanup steps to make
  them isolated and reusable
* simulate a much more restricted network environment: instead of blocking
  single 88 port we now block all outgoing traffic except few essential
  ports
* add basic tests for using kdcproxy to communicate between IPA client
  and AD DC.

Reviewed-By: Anuja More <amore@redhat.com>
2021-03-18 13:41:49 +01:00
Sergey Orlov
38c897f946
ipatests: return result of kinit_as_user, pass raiseonerr parameter
Similar to kinit_admin, this allows to check for error values returned
by kinit.

Reviewed-By: Anuja More <amore@redhat.com>
2021-03-18 13:41:49 +01:00
Florence Blanc-Renaud
fb107b9180 ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic
The test test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf
checks that /etc/resolv.conf points to the localhost and
fails on fedora33 because systemd-resolved is in place
(and /etc/resolv.conf contains 127.0.0.53).
The test logic needs to be adapted. When systemd-resolved is
used, the test can check the output of "resolvectl dns".

Fixes: https://pagure.io/freeipa/issue/8695
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-03-17 16:28:19 +01:00
Florence Blanc-Renaud
a9b4ed4f52 ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating
The test was temporarily removed because of a known issue
but the issue is now fixed.

Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-03-17 16:28:19 +01:00
Florence Blanc-Renaud
6d39ef7de6 ipatests: filter_users belongs to nss section
In the test test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
the config file sssd.conf is modified with a parameter
filter_users written in the [domain/..] section but
the parameter should appear in [nss] section instead.

Fixes: https://pagure.io/freeipa/issue/8747

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-17 16:20:37 +01:00
Florence Blanc-Renaud
96a297f3b3 ipatests: add test_acme.py in nightly previous
The nightly_latest.yaml file is missing the test test_acme.py
Add the job definition.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-17 16:16:26 +01:00
Mohammad Rizwan
40aeec975a ipatests: introduce wait_for_replication in test_rolecheck_Trust
Test was randomly failing if the query for the server role is
executed before the replication had time to replicate the
changes on cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test,
as the server role is read using this entry.

related: https://pagure.io/freeipa/issue/8553

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-17 09:04:30 +01:00
François Cami
1ef54f2b8f ipatests: check for the "no sudo present" string absence
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-03-16 08:44:03 -04:00
François Cami
abaa614a3c ipa-client-install: output a warning if sudo is not present (2)
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-03-16 08:44:03 -04:00
Thorsten Scherf
5a1f8e76de Update 10-ssh-key-management.rst
Removing conclusion statement since we now have more than 10 units.

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-10 09:30:26 +02:00
Alexander Bokovoy
fed2e399d4 freeipa.spec: synchronize with Fedora for 389-ds and PKI versions
- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
  operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609

- Dogtag PKI adopted to work with 389-ds with the fix,
  https://github.com/dogtagpki/pki/issues/3458

FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.

RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.

In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fallback to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.

Fixes: https://pagure.io/freeipa/issue/8705

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-10 09:28:18 +02:00
Sergey Orlov
886506f89f
ipatests: use proper template for TestMaskInstall
TestMaskInstall is a usual integration tests and should
install freeipa server during test run.
"ipaserver" template provides pre-install freeipa server and
is intended for use with webui and xmlrpc tests.

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-09 19:41:10 +01:00
Florence Blanc-Renaud
73ced07e2e dnssec: concurrency issue when disabling old replica key
When dnssec role is removed from the local node, the uninstaller
creates a new replica key and marks the older replica keys as disabled
(both in the local HSM and in LDAP).
If ipa-ods-exporter runs in the middle of this operation, the old replica
key may be disabled in the local HSM but not yet in LDAP and
ipa-ods-exporter believes that it is a new replica key that needs to be
imported from LDAP to local hsm. The op fails as there is already the key
in the local HSM.

The error can be ignored, ipa-ods-exporter simply needs to log a warning.

Fixes: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-09 16:52:38 +01:00
Florence Blanc-Renaud
3b1a56f588 dnssec: fix ipa-ods-exporter crash when master key missing
When a master key is missing from the local HSM, ipa-ods-exporter crashes.
This can happen when the DNSSEC master role is moved from one node to
another with the following scenario:
- install server1 with dns + dnssec
- install server2 without dns
- disable dnssec from server1
- install dns + dnssec on server2

With the above scenario, server2 never had the opportunity to get
the master key (this happens only when the replica is already
configured as DNS server and has put its public replica key in LDAP +
the current DNSSEC master wraps its master key with the replica key).

ipa-ods-exporter can only log an error instead of crashing.

Related: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-09 16:52:38 +01:00
Armando Neto
a6b4871304
ipatests: Update gating to Fedora 33
* Update template images to include updated packages
* Bump rawhide to use branched F34 template

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-09 12:46:21 +01:00
Thorsten Scherf
886c0dcb07 Fix lgtm file classification
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-08 08:31:41 +01:00
Stanislav Levin
2c4a160fc2 ipatests: Fix expectation about GSS error in test for healthcheck
As of 1.19.1 MIT krb changed the error returned if no valid
credentials could be obtained(GSS_S_CRED_UNAVAIL->GSS_S_NO_CRED).
To be compatible with previous versions of krb the new expected
error message has been added.

Fixes: https://pagure.io/freeipa/issue/8737
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-05 10:41:48 +01:00
François Cami
87304c78a8 ipatests: fix nightly_latest_testing_selinux template
The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-05 10:34:35 +01:00
Sudhir Menon
735355ad03 ipatests: Test to check sosreport collects healthcheck.log file
This test creates healthcheck.log file in /var/log/ipa/healthcheck/
directory if its not present and then checks that when sosreport command
is run it collects the healthcheck log file by checking the console log

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-03-05 08:45:18 +01:00
Sergey Orlov
881eea4efe
ipatests: do not configure nameserver when installing client and replica
When IPA master is installed without DNS, using it as nameserver creates
invalid configuration.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
4ad5ce7b58
ipatests: always try to create A records for hosts in IPA domain
Do not check that host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on controller, no A records will
be created.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
dc423661c8
ipatests: mock resolver factory
test_testconfig is using hardcoded hostnames which do not match ones
provided in real test config. This causes resolver factory to fail
when trying to detect resolver type of the host.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
1853695d22
ipatests: disable systemd-resolved cache
systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
01f455f424
ipatests: do not manually modify /etc/resolv.conf in tests
Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
cd066ba887
ipatests: setup resolvers during replica and client installations
Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
2e92d0836d
ipatests: add utility for managing domain name resolvers
Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:

* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution

Now it is done by directly editing /etc/resolv.conf file. While being
simple this approach has following issues:

* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
  systems with NetworkManager and systemd-resolved.

This patch introduces three classes for main types of resolvers management:
* plain file
* NetworkManager
* systemd-resolved

For each resolver manager the native way of configuring of nameserves is
used: direct editing for /etc/resolv.conf or drop-in config files for
NM and resolved.

The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.

The Resolver class (and it's subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that resolver
configuration has not been altered unexpectedly and raises exception if it
was. This helps to detect unexpected changes in resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
fe3c6657ec
ipatests: collect config files for NetworkManager and systemd-resolved
Those config files are valuable for debugging issues relate to DNS
resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Stanislav Levin
7972d28240 cleanup: Drop never used path for httpd's ccache
`HTTP_CCACHE` path was introduced in [0], but hasn't been set as
gssproxy's cred_store option(`ccache`) and nowhere is really
used besides the removing of this not existed path. It is safe to
drop all referencies for `HTTP_CCACHE`.

As of 0.8.0[1] gssproxy uses `MEMORY` credentials type for cred_store
as default.

[0]: d2f5fc304f
[1]: 0e1b4a0c84

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00