Merge pull request #1351 from t-woerner/infra_image_start_debug

infra/image/shdefaults: Add SYS_PTRACE to CAP_DEFAULTS
infra/image/shcontainer: Fix processing of multi item CAP_DEFAULTS
2026-03-27 05:43:05 +00:00 · 2025-04-17 11:53:02 -03:00 · 2025-04-17 16:46:12 +02:00 · 2025-04-17 15:00:39 +02:00 · 2025-04-17 14:50:43 +02:00 · 2025-04-17 14:49:49 +02:00
12 changed files with 84 additions and 14 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 7.0.0
+  rev: 7.2.0
  hooks:
  - id: flake8
 - repo: https://github.com/pycqa/pylint
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -3,7 +3,7 @@ trigger:
 - master

 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'

 variables:
  ansible_version: "-core >=2.16,<2.17"
--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -10,7 +10,7 @@ schedules:
 trigger: none

 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'

 variables:
  # We need to have two sets, as c8s is not supported by all ansible versions
--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -3,7 +3,7 @@ trigger:
 - master

 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'

 variables:
  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,13 +4,20 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"

+# shellcheck disable=SC1091
+. "${SCRIPTDIR}/shdefaults"
+
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"

 container_create() {
    local name=${1}
    local image=${2}
    shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
+        <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue
@@ -19,6 +26,7 @@ container_create() {
            cpus=*) extra_opts+=("--${opt}") ;;
            memory=*) extra_opts+=("--${opt}") ;;
            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
+            volume=*) extra_opts+=("--volume=${opt##*=}") ;;
            *) log error "container_create: Invalid option: ${opt}" ;;
        esac
    done
@@ -47,6 +55,8 @@ container_start() {

    log info "= Starting ${name} ="
    podman start "${name}"
+    # Ensure /etc/shadow is readable
+    podman exec "${name}" bash -c "chmod u+r /etc/shadow"
    echo
 }

@@ -195,3 +205,15 @@ container_fetch() {
    podman cp "${name}:${source}" "${destination}"
    echo
 }
+
+container_tee() {
+    local name=${1}
+    local destination=${2}
+    tmpfile=$(mktemp /tmp/container-temp.XXXXXX)
+
+    log info "= Creating ${name}:${destination} from stdin ="
+    cat - > "${tmpfile}"
+    podman cp "${tmpfile}" "${name}:${destination}"
+    rm "${tmpfile}"
+    echo
+}
--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
@@ -0,0 +1,9 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+    "+SYS_PTRACE"       # Required for debugging
+)
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,7 +1,7 @@
 -r requirements-tests.txt
 ipdb==0.13.4
 pre-commit==2.20.0
-flake8==7.0.0
+flake8
 flake8-bugbear
 pylint>=3.2
 wrapt==1.14.1
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -279,6 +279,7 @@ def main():
    options.no_sssd = False
    options.sssd = not options.no_sssd
    options.no_ac = False
+    options.dns_over_tls = False
    nosssd_files = module.params.get('nosssd_files')
    selinux_works = module.params.get('selinux_works')
    krb_name = module.params.get('krb_name')
@@ -339,17 +340,19 @@ def main():
                                                      ca_subject)
        ca_certs_trust = [(c, n,
                           certstore.key_policy_to_trust_flags(t, True, u))
-                          for (c, n, t, u) in ca_certs]
+                          for (c, n, t, u) in [x[0:4] for x in ca_certs]]

        if hasattr(paths, "KDC_CA_BUNDLE_PEM"):
            x509.write_certificate_list(
-                [c for c, n, t, u in ca_certs if t is not False],
+                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                    if t is not False],
                paths.KDC_CA_BUNDLE_PEM,
                # mode=0o644
            )
        if hasattr(paths, "CA_BUNDLE_PEM"):
            x509.write_certificate_list(
-                [c for c, n, t, u in ca_certs if t is not False],
+                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                    if t is not False],
                paths.CA_BUNDLE_PEM,
                # mode=0o644
            )
@@ -376,7 +379,12 @@ def main():
            ssh_config_dir = paths.SSH_CONFIG_DIR
        else:
            ssh_config_dir = services.knownservices.sshd.get_config_dir()
-        update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
+        argspec_update_ssh_keys = getargspec(update_ssh_keys)
+        # Hotfix for https://github.com/freeipa/freeipa/pull/7343
+        if "options" in argspec_update_ssh_keys.args:
+            update_ssh_keys(hostname, ssh_config_dir, options, cli_server[0])
+        else:
+            update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)

        try:
            os.remove(CCACHE_FILE)
--- a/roles/ipaclient/module_utils/ansible_ipa_client.py
+++ b/roles/ipaclient/module_utils/ansible_ipa_client.py
@@ -231,8 +231,6 @@ try:
                        cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
                        filename, client_domain, client_hostname, force=False,
                        configure_sssd=True):
-                    # pylint: disable=global-variable-not-assigned
-                    global options
                    options.force = force
                    options.sssd = configure_sssd
                    return ipa_client_install.configure_krb5_conf(
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -80,6 +80,13 @@ except ImportError:
 try:
    from contextlib import contextmanager as contextlib_contextmanager
    from ipapython.version import NUM_VERSION, VERSION
+    try:
+        from ipapython.version import parse_version
+    except ImportError:
+        # In IPA we either need pkg_resources or packaging Version
+        # class to compare versions with check_remote_version, so
+        # we let an exception to be raised if neither is available.
+        from pkg_resources import parse_version

    if NUM_VERSION < 30201:
        # See ipapython/version.py
@@ -99,8 +106,6 @@ try:
        import dns.resolver as dnsresolver
        import dns.reversename as dnsreversename

-        from pkg_resources import parse_version
-
        from ipaclient.install.ipachangeconf import IPAChangeConf
        from ipalib.install import certstore, sysrestore
        from ipapython.ipautil import ipa_generate_password
@@ -331,6 +336,13 @@ options.add_agents = False
 # ServerReplicaInstall
 options.subject_base = None
 options.ca_subject = None
+
+# Hotfix for https://github.com/freeipa/freeipa/pull/7343
+options.dns_over_tls = False
+options.dns_over_tls_key = None
+options.dns_over_tls_cert = None
+options.dot_forwarders = None
+options.dns_policy = None
 # pylint: enable=attribute-defined-outside-init


--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -354,6 +354,13 @@ options.add_agents = False
 # no_msdcs is deprecated
 options.no_msdcs = False

+# Hotfix for https://github.com/freeipa/freeipa/pull/7343
+options.dns_over_tls = False
+options.dns_over_tls_key = None
+options.dns_over_tls_cert = None
+options.dot_forwarders = None
+options.dns_policy = None
+
 # For pylint
 options.external_cert_files = None
 options.dirsrv_cert_files = None
--- a/utils/setup_test_container.sh
+++ b/utils/setup_test_container.sh
@@ -79,6 +79,20 @@ shift
 prepare_container "${scenario}" "${IMAGE_TAG}"
 start_container "${scenario}"

+log info "Wait till systemd-journald is running"
+max=20
+wait=2
+count=0
+while ! podman exec "${scenario}" ps -x | grep -q "systemd-journald"
+do
+    if [ $count -ge $max ]; then
+        die "Timeout: systemd-journald is not starting up"
+    fi
+    count=$((count+1))
+    log none "Waiting ${wait} seconds .."
+    sleep ${wait}
+done
+
 # wait for FreeIPA services to be available (usually ~45 seconds)
 log info "Wait for container to be initialized."
 wait=15
Author	SHA1	Message	Date
Rafael Guterres Jeffman	7245339934	Merge pull request #1351 from t-woerner/infra_image_start_debug infra/image/shdefaults: Add SYS_PTRACE to CAP_DEFAULTS	2025-04-17 11:53:02 -03:00
Thomas Woerner	638422e113	infra/image/shcontainer: Fix processing of multi item CAP_DEFAULTS readarray expects to get an item per line to be added to the array. Printing one item per line with printf fixes this to get the proper formatting for "${CAP_DEFAULTS[@]}" as a valid input for readarray.	2025-04-17 16:46:12 +02:00
Thomas Woerner	432376524c	infra/image/shdefaults: Add SYS_PTRACE to CAP_DEFAULTS Debugging is now enabled by default in the containers that are generated with container_create. "+SYS_PTRACE" has been added to CAP_DEFAULTS in shdefaults for this.	2025-04-17 15:00:39 +02:00
Thomas Woerner	86701caf8b	Merge pull request #1350 from freeipa/remove_pkg_resources ipareplica: Don't rely on pkg_resources whenever possible	2025-04-17 14:50:43 +02:00
Thomas Woerner	d1857c18ac	Merge pull request #1352 from freeipa/fix_sssd_on_test_container test container: Add DAC_READ_SEARCH capability	2025-04-17 14:49:49 +02:00
Thomas Woerner	edbdd3af79	Merge pull request #1348 from abbra/fix-cert-iteration Fix CA certificates iteration	2025-04-17 14:48:51 +02:00
Rafael Guterres Jeffman	2d3da2d72c	test container: Add DAC_READ_SEARCH capability SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system capabilities to get access to certain resources like /etc/krb5.keytab. Not having these capabilities result in SSSD not starting. Podman has reduced the capabilities granted to containers, and to be able to start SSSD it is needed to add DAC_READ_SEARCH back. This patch adds file infra/images/shdefaults to store the defaults used by ansible-freeipa shell utilities in a contral location. See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>	2025-04-17 09:44:01 -03:00
Thomas Woerner	329c16f742	Merge pull request #1355 from freeipa/fix_container_tee_message infra/image/shcontainer: Fix log message in container_tee	2025-04-17 14:15:50 +02:00
Rafael Guterres Jeffman	66c0be06d0	infra/image/shcontainer: Fix log message in container_tee Fix a log message in function container_tee and quote the temporary filename. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>	2025-04-16 16:25:29 -03:00
Rafael Guterres Jeffman	f04c90f4db	Merge pull request #1354 from t-woerner/extended_infra_image_container_functions infra/image/shcontainer: Volume support and new container_tee	2025-04-16 12:06:10 -03:00
Thomas Woerner	dfa4bcb68f	infra/image/shcontainer: Volume support and new container_tee This change adds support for volumes to container_create. Now it can be used like in this example: container_create "${name}" "${local_image}" "hostname=${hostname}" \ "${capabilities:+capabilities=$capabilities}" \ volume=$PWD:/root/src The new function container_tee has been added to enable creation of fiiles with content from stdin like in this example: cat <<EOF \| container_tee "${name}" "/root/.gdbinit" set debuginfod enabled on set follow-fork-mode child EOF	2025-04-16 16:11:14 +02:00
Rafael Guterres Jeffman	b1328ba7d5	ipareplica: Don't rely on pkg_resources whenever possible Python's module "pkg_resources" API has been deprecated in Python 3.12 and will be removed in a future release, and recent FreeIPA versions provide a replacement for pkg_resources.parse_version. To remove ansible-freeipa dependency on pkg_resources and not add a dependency on the 'packaging' module, which is not available in the standard Python distribution, we'll try to import the funcion used in FreeIPA to parse versions, and fallback to pkg_resources when it fails. As an equivalent class is needed, a fallback function is not provided and execution will fail if neither the FreeIPA nor the pkg_resources parse_version function are available. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>	2025-04-08 11:31:05 -03:00
Rafael Guterres Jeffman	fe58f3a8ba	Merge pull request #1301 from t-woerner/try_ubuntu_24.04_1 Use ubuntu 24.04 for testing	2025-04-02 12:30:43 -03:00
Thomas Woerner	4dc6192640	infra/image/shcontainer: Ensure '/ect/shadow' is readable The shadow file in a Fedora or CentOS Stream container is not readable any more using Ubuntu 24.04. An extra call to ensure that the shadow file is readable again has been added to container_start.	2025-04-02 17:21:35 +02:00
Thomas Woerner	e9435410b2	utils/setup_test_container.sh: Wait till systemd-journald is running This ensures that systemctl list-jobs could be executed and it will be waited till the list of jobs is empty.	2025-04-02 17:21:35 +02:00
Thomas Woerner	de6a0429a0	Merge pull request #1349 from freeipa/fix_flake8_7_2_0 Fix flake8 7 2 0	2025-04-02 17:10:18 +02:00
Rafael Guterres Jeffman	40d85f83e4	Fix linter issues related to 'global' This patch fixes an issue reported by flake8 7.2.0 and enables a pylint test that was disable, both related to the use of 'global'. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>	2025-04-02 11:59:30 -03:00
Rafael Guterres Jeffman	678927f35c	Unpin flake8 version from requirements-dev.txt Upstream flake8 lint test is executed with the latest available version in pip, but the requirements-dev.txt had a pinned version, making flake8 error to be found too late. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>	2025-04-02 11:56:47 -03:00
Rafael Guterres Jeffman	f0e6d0c89f	pre-commit: Bump flake8 version to 7.2.0 Bump pre-commit version to the latest available. Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>	2025-04-02 11:55:19 -03:00
Thomas Woerner	c095c24950	Use ubuntu 24.04 for testing	2025-04-02 12:55:23 +02:00
Alexander Bokovoy	34dc75802c	Fix CA certificates iteration FreeIPA fix for https://pagure.io/freeipa/issue/9652 now produces five elements tuple when iterating over CA certificate list, the last element being the serial number. We do not need it, so extract only the first four elements (certificate, nickname, trusted, EKU). The regression was introduced by FreeIPA commit f91b677ada376034b25d50e78475237c5976770e. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>	2025-03-30 13:01:35 +03:00
Varun Mylaraiah	feb33e4e3a	Merge pull request #1340 from t-woerner/dns_over_tls_hotfix ipa* deployment roles: Hotfix for dns_over_tls (Freeipa#7343)	2025-02-11 14:51:58 +05:30
Thomas Woerner	3c50a8121f	ipa* deployment roles: Hotfix for dns_over_tls (Freeipa#7343) This is a hotfix to allow deployments of clients, replicas and servers with the dns_over_tls PR for freeipa: https://github.com/freeipa/freeipa/pull/7343/ ipaclient: client.update_ssh_keys has changed parameters, options.dns_over_tls needs to be set for ipaclient_setup_nss. ipareplica, ipaserver: Set new parameters globally in module_utils so far: options.dns_over_tls, options.dns_over_tls_key, options.dns_over_tls_cert, options.dot_forwarders and options.dns_policy. The enablement for DNS over TLS for the deployment roles will be done later on.	2025-02-07 18:16:10 +01:00