Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support IPA IPA Trust with additional IPA server #106

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Support IPA IPA Trust with additional IPA server #106

wants to merge 1 commit into from

Conversation

justin-stephenson
Copy link
Contributor

@justin-stephenson justin-stephenson commented Aug 1, 2024
edited
Loading

Add new server master2.ipa2.test which deploys an IPA domain ipa2.test to be used in IPA IPA trust.

with this PR checked out
sudo make down
sudo make build
`sudo REGISTRY="localhost/sssd" make up

Linked PRs:
SSSD/sssd-test-framework#119
SSSD/sssd#7517

This was referenced Aug 1, 2024
Open
Open
@justin-stephenson justin-stephenson marked this pull request as ready for review August 1, 2024 13:43
jakub-vavra-cz
jakub-vavra-cz reviewed Aug 1, 2024
View reviewed changes
src/ansible/roles/packages/tasks/Fedora.yml Outdated
@@ -221,7 +221,7 @@
dnf:
state: present
name: sssd-kcm
when: "'base_ipa' in group_names or 'ipa' in group_names"
when: "'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to use base_ipa2? Wouldn't it be tha same as base_ipa?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed to use base_ipa only, this was an oversight on my part.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does not look fixed yet.

jakub-vavra-cz
jakub-vavra-cz reviewed Aug 1, 2024
View reviewed changes
src/ansible/inventory.yml Outdated
@@ -14,6 +14,9 @@ all:
base_ipa:
hosts:
base-ipa
base_ipa2:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why create base_ipa2?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed to use base_ipa only, this was an oversight on my part.

@justin-stephenson justin-stephenson force-pushed the ipa_ipa_trust branch 2 times, most recently from 6301e05 to 46ac0c5 Compare August 13, 2024 13:31
@justin-stephenson
Copy link
Contributor Author

Hi @pbrezina Can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test. I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh

However, these are not being copied into the master2.ipa2.test system.

[root@master2 /]# ll data/ssh-keys/hosts/
total 192       
-rw-------. 1 root root  525 Aug 13 02:05 client.test.ecdsa_key                                                        
-rw-------. 1 root root  189 Aug 13 02:05 client.test.ecdsa_key.pub                                                    
-rw-------. 1 root root  419 Aug 13 02:05 client.test.ed25519_key                                                      
-rw-------. 1 root root  109 Aug 13 02:05 client.test.ed25519_key.pub                                                  
-rw-------. 1 root root 2610 Aug 13 02:05 client.test.rsa_key                                                          
-rw-------. 1 root root  581 Aug 13 02:05 client.test.rsa_key.pub                                                      
-rw-------. 1 root root  525 Aug 13 02:05 dc.samba.test.ecdsa_key                                                      
-rw-------. 1 root root  189 Aug 13 02:05 dc.samba.test.ecdsa_key.pub                                                  
-rw-------. 1 root root  419 Aug 13 02:05 dc.samba.test.ed25519_key                                                    
-rw-------. 1 root root  109 Aug 13 02:05 dc.samba.test.ed25519_key.pub                                                
-rw-------. 1 root root 2622 Aug 13 02:05 dc.samba.test.rsa_key                                                        
-rw-------. 1 root root  581 Aug 13 02:05 dc.samba.test.rsa_key.pub                                                    
-rw-------. 1 root root  525 Aug 13 02:05 dns.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 dns.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 dns.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 dns.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2610 Aug 13 02:05 dns.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 dns.test.rsa_key.pub                                                         
-rw-------. 1 root root  525 Aug 13 02:05 kdc.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 kdc.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 kdc.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 kdc.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2622 Aug 13 02:05 kdc.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 kdc.test.rsa_key.pub                                                         
-rw-------. 1 root root  525 Aug 13 02:05 master.ipa.test.ecdsa_key                                                    
-rw-------. 1 root root  189 Aug 13 02:05 master.ipa.test.ecdsa_key.pub                                                
-rw-------. 1 root root  419 Aug 13 02:05 master.ipa.test.ed25519_key                                                  
-rw-------. 1 root root  109 Aug 13 02:05 master.ipa.test.ed25519_key.pub                                              
-rw-------. 1 root root 2622 Aug 13 02:05 master.ipa.test.rsa_key                                                      
-rw-------. 1 root root  581 Aug 13 02:05 master.ipa.test.rsa_key.pub                                                  
-rw-------. 1 root root  525 Aug 13 02:05 master.keycloak.test.ecdsa_key                                               
-rw-------. 1 root root  189 Aug 13 02:05 master.keycloak.test.ecdsa_key.pub                                           
-rw-------. 1 root root  419 Aug 13 02:05 master.keycloak.test.ed25519_key                                             
-rw-------. 1 root root  109 Aug 13 02:05 master.keycloak.test.ed25519_key.pub                                         
-rw-------. 1 root root 2622 Aug 13 02:05 master.keycloak.test.rsa_key                                                 
-rw-------. 1 root root  581 Aug 13 02:05 master.keycloak.test.rsa_key.pub                                             
-rw-------. 1 root root  525 Aug 13 02:05 master.ldap.test.ecdsa_key                                                   
-rw-------. 1 root root  189 Aug 13 02:05 master.ldap.test.ecdsa_key.pub                                               
-rw-------. 1 root root  419 Aug 13 02:05 master.ldap.test.ed25519_key                                                 
-rw-------. 1 root root  109 Aug 13 02:05 master.ldap.test.ed25519_key.pub                                             
-rw-------. 1 root root 2622 Aug 13 02:05 master.ldap.test.rsa_key                                                     
-rw-------. 1 root root  581 Aug 13 02:05 master.ldap.test.rsa_key.pub                                                 
-rw-------. 1 root root  525 Aug 13 02:05 nfs.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 nfs.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 nfs.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 nfs.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2610 Aug 13 02:05 nfs.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 nfs.test.rsa_key.pub

pbrezina
pbrezina reviewed Aug 14, 2024
View reviewed changes
Makefile Outdated
@@ -18,13 +18,18 @@ up-keycloak:
docker-compose -f docker-compose.yml -f docker-compose.keycloak.yml up \
--no-recreate --detach ${LIMIT}

up-ipaipatrust:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is something we can test in PR CI, so I think we can start second IPA with just make up. What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, PR updated.

data/configs/dnsmasq.conf Outdated
@@ -12,6 +12,7 @@ cache-size=0

# These zones have their own DNS server
server=/ipa.test/172.16.100.10
server=/ipa2.test/172.16.100.80
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not matter much but you can use .11 instead of .80 to keep IPA servers grouped together.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, switched to 172.16.100.11

@pbrezina
Copy link
Member

Hi @pbrezina Can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test. I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh

However, these are not being copied into the master2.ipa2.test system.

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

@pbrezina
Copy link
Member

Hi @pbrezina Can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test. I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh
However, these are not being copied into the master2.ipa2.test system.

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

@justin-stephenson
Copy link
Contributor Author

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

Can ssh keys from both IPA servers master.ipa.test and master2.ipa2.test be added to quay.io/sssd/ci-base-ipa:latest ?

jakub-vavra-cz
jakub-vavra-cz reviewed Aug 15, 2024
View reviewed changes
src/ansible/roles/packages/tasks/Fedora.yml Outdated
@@ -264,7 +264,7 @@
- ci-sssd-random
- umockdev
when: passkey_support
when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'ipa' in group_names"
when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is still base_ipa2.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

jakub-vavra-cz
jakub-vavra-cz requested changes Aug 15, 2024
View reviewed changes
Copy link
Contributor

@jakub-vavra-cz jakub-vavra-cz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base_ipa2 is still present.

@justin-stephenson
Copy link
Contributor Author

The base_ipa2 is still present.

Removed fully.

jakub-vavra-cz
jakub-vavra-cz reviewed Aug 16, 2024
View reviewed changes
src/ansible/playbook_image_service.yml Outdated
@@ -16,7 +16,9 @@
roles:
- samba

- hosts: master.ipa.test
- hosts:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should target group ipa.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated as part of rebase.

@pbrezina
Copy link
Member

pbrezina commented Aug 16, 2024
edited
Loading

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

Can ssh keys from both IPA servers master.ipa.test and master2.ipa2.test be added to quay.io/sssd/ci-base-ipa:latest ?

No until this PR is merged. But you could do it manually, however it's probably not worth the effort.

@pbrezina
Copy link
Member

Justin, you can try removing the ssh host keys completely when you will rebase on top of Jakub's changes. I'm pretty sure I added them as a workaround for something, but I don't remember anymore. Maybe, it is not needed anymore.

@justin-stephenson
Copy link
Contributor Author

Justin, you can try removing the ssh host keys completely when you will rebase on top of Jakub's changes. I'm pretty sure I added them as a workaround for something, but I don't remember anymore. Maybe, it is not needed anymore.

I rebased and removed the host keys.

jakub-vavra-cz
jakub-vavra-cz approved these changes Aug 19, 2024
View reviewed changes
Copy link
Contributor

@jakub-vavra-cz jakub-vavra-cz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pbrezina pbrezina pbrezina left review comments

@jakub-vavra-cz jakub-vavra-cz jakub-vavra-cz approved these changes

@danlavu danlavu Awaiting requested review from danlavu

Assignees

@danlavu danlavu

@pbrezina pbrezina

@jakub-vavra-cz jakub-vavra-cz

Labels
blocked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@justin-stephenson @pbrezina @jakub-vavra-cz @danlavu @alexey-tikhonov