SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system
capabilities to get access to certain resources like /etc/krb5.keytab.
Not having these capabilities result in SSSD not starting.
Podman has reduced the capabilities granted to containers, and to be
able to start SSSD it is needed to add DAC_READ_SEARCH back.
This patch adds file infra/images/shdefaults to store the defaults used
by ansible-freeipa shell utilities in a contral location.
See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This change adds support for volumes to container_create. Now it can be
used like in this example:
container_create "${name}" "${local_image}" "hostname=${hostname}" \
"${capabilities:+capabilities=$capabilities}" \
volume=$PWD:/root/src
The new function container_tee has been added to enable creation of
fiiles with content from stdin like in this example:
cat <<EOF | container_tee "${name}" "/root/.gdbinit"
set debuginfod enabled on
set follow-fork-mode child
EOF
The shadow file in a Fedora or CentOS Stream container is not readable
any more using Ubuntu 24.04.
An extra call to ensure that the shadow file is readable again has been
added to container_start.
This adds the capabilities SYS_ADMIN and SYSLOG to the container_create
call in build.sh as long as server deployment has been enabled.
The privileged option has been removed as it is no longer needed.
The hostnamectl-wrapper for the container has been removed as it is no
longer needed.
The client part deployment fails in the configuration of NIS. The command
/usr/bin/nisdomainname is failing in a container in this task as the
container is not privileged.
The hostnamectl-wrapper is copied from the freeipa-container container
project to replace /usr/bin/nisdomainname in the container.
container_copy can be used to copy a file to the container,
container_fetch can be used to copy a file from the container.
For more information, please have a look at the podman-cp man page.
This patch modify the pipelines to create stages using the 'each'
expression on Azure pipelines, so that the configuration and the list of
distributions can be set using variables.
Testing CentOS 8 Stream and Galaxy collections still need to be handled
in a separate group, although, the pipeline configuration becomes easily
changed, specially when updating Ansible versions.
All scripts related to the Azure CI now reside on inrfa/azure, but the
scripts that evaluate the changes made against ansible-freeipa's main
development branch.
This patch move these scripts to the proper locations.
ansible-core versions 2.15 and 2.16 and used for all pipelines, but
version 2.17 is not used for CentOS 8 Stream, as platform python on
this version is 3.6 which is not supported in this ansible-core version.
Several optimizations have been done to the pipelines, to make them
closer to what can be reproduced, with the existing scripts, in a
development environment:
- Use start.sh and build.sh scripts to build and start containers
- Use variables to configure different stages instead of using separate
files
- Use a commom 'prepare_environment' to create the environment for every
pipeline
- Use a single file defining testing steps (run_tests.yml)
- Remove Centos 7 pipelines
- Reduce the number of pipelines in the test matrix due to the amount of
time that tests were using
- Use Azure "loop" (each) to create test groups
The above changes make the pipelines easier to understand and modify.
When using containers to test ansible-freeipa there's a need to deal
with 'podman' the development environment and the Azure environment. In
the Azure environment, with Ubuntu hosts, using 'cap-add' does not allow
FreeIPA to be installed on the containers, and they need to be executed
with privileged mode. On the other hand, on development environments,
such as recent Fedora hosts, there's no need to run the container with
extra privileges.
This patch modifies the utility function 'container_create' to allow the
usage of key-value argumes such as "cpus=4" and "privileged", that will
be used in the container creation.
The currently available options are "privileged", "cpus", "memory" and
"hostname". By default "cpus=2" and "hostname=ipaserver.test.local".
Also, too make the image build script more self-contained, if the
required Ansible collections are not installed, they will be temporarily
installed so that the image can be built.
The help has been fixed for the -s option and the comments about how to
start the container later on has been removed as there will be a script
that is handling this..
This reduces the number of started services in the container. The
fixipaip.service needed to be adapted to ensure that the service is
started properly.
The dockerfiles have been adapted for this change also.
This change also removed ansible_python_interpreter setting in the
inventory as the interpreter should be discovered by ansible for the
distributions.
The dockerfiles have been adapted to not force the installation of
python3 for CentOS-Stream 8, 9 and 10.
The script will try to get the latest image from quay to start it. With
the -l option it will try to use a local image first. This is for example
useful to test changes in the images build script locally.
This also adds infra/image/shcontainer. Some of the content is copied
from utils/shcontainer.
The DNS forwarder is set while deploying the IPA server. This forwarder
might not be correct later on.
The old /etc/resolv.conf is copied to /etc/resolv.conf.fixnet by the
fixnet service and later on the fixipaip service is trying to get the
nameserver from the copied file. If the retrieval failed of if the
namesever is 127.0.0.1, then the nameserver will be set to 8.8.8.8.
After fixing the IP addresses for the forward and reverse zone, also the
forwarder is set for the dnsserver "${HOSTNAME}".
Checks for IPv4 addresses have been added and reverse zone handling
for fixipaip.sh
The services are logging StandardOutput and StandardError to journal
now.
If the deployment was enabled and failed, the script still continued
without failing. If podman was missing it failed without a proper error.
The script now fails and does not enable the services and also does not
commit after the failed deployment. Also is fails if podman is missing.
This patch modifies the image building script by adding:
- An usage message.
- An option "-I" to NOT install IPA to the generated container.
- An opiton "-c NAME" to both set the name and use an existing container
to ONLY install IPA.
- Rename "scenario" to "DISTRO" as "scenario" should be used for the
container scenario usage, rather than the distro (I'll change the name
also in the Azure scripts)
- Use 'log' (from shlog) to print messages.
The new image builder is not using molecule and uses podman directly for
the generation of the ansible-test images.
Two additional services are installed to simplify the use of the
container in the test:
- fixnet.service uses /root/fixnet.sh to fix IP address of the server in
/etc/hosts and to set localhost as the nameserver.
This service is executed before IPA is started. This eliminates the
need to restart the IPA server after the container has been started
and the IPs have been fixed.
- fixipaip.service uses /root/fixipaip.sh to fix the IP address of the
IPA dnsrecords of server and ipa-ca.
With these services it is now only needed to wait till all services in
the container are started. There is no need to restart the IPA server
anymore. Simply use something like this before starting the tests:
while [ -n "$(podman exec ansible-test systemctl list-jobs | grep -vi 'no jobs running')" ]; do echo "waiting.."; sleep 5; done
New files
- infra/image/build.sh
- infra/image/dockerfile/c8s
- infra/image/dockerfile/c9s
- infra/image/dockerfile/c10s
- infra/image/dockerfile/fedora-latest
- infra/image/dockerfile/fedora-rawhide
- infra/image/inventory
- infra/image/system-service/fixipaip.service
- infra/image/system-service/fixipaip.sh
- infra/image/system-service/fixnet.service
- infra/image/system-service/fixnet.sh
