Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support IPA IPA Trust with additional IPA server #106

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Support IPA IPA Trust with additional IPA server #106

wants to merge 1 commit into from

Conversation

justin-stephenson
Copy link
Contributor

@justin-stephenson justin-stephenson commented Aug 1, 2024
edited
Loading

Add new server master2.ipa2.test which deploys an IPA domain ipa2.test to be used in IPA IPA trust.

with this PR checked out
sudo make down
sudo make build
`sudo REGISTRY="localhost/sssd" make up

Linked PRs:
SSSD/sssd-test-framework#119
SSSD/sssd#7517

This was referenced Aug 1, 2024
Open
Open
@justin-stephenson justin-stephenson marked this pull request as ready for review August 1, 2024 13:43
jakub-vavra-cz
jakub-vavra-cz reviewed Aug 1, 2024
View reviewed changes
src/ansible/roles/packages/tasks/Fedora.yml Outdated
@@ -221,7 +221,7 @@
dnf:
state: present
name: sssd-kcm
when: "'base_ipa' in group_names or 'ipa' in group_names"
when: "'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to use base_ipa2? Wouldn't it be tha same as base_ipa?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed to use base_ipa only, this was an oversight on my part.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does not look fixed yet.

jakub-vavra-cz
jakub-vavra-cz reviewed Aug 1, 2024
View reviewed changes
src/ansible/inventory.yml Outdated
@@ -14,6 +14,9 @@ all:
base_ipa:
hosts:
base-ipa
base_ipa2:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why create base_ipa2?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed to use base_ipa only, this was an oversight on my part.

@justin-stephenson justin-stephenson force-pushed the ipa_ipa_trust branch 2 times, most recently from 6301e05 to 46ac0c5 Compare August 13, 2024 13:31
@justin-stephenson
Copy link
Contributor Author

Hi @pbrezina Can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test. I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh

However, these are not being copied into the master2.ipa2.test system.

[root@master2 /]# ll data/ssh-keys/hosts/
total 192       
-rw-------. 1 root root  525 Aug 13 02:05 client.test.ecdsa_key                                                        
-rw-------. 1 root root  189 Aug 13 02:05 client.test.ecdsa_key.pub                                                    
-rw-------. 1 root root  419 Aug 13 02:05 client.test.ed25519_key                                                      
-rw-------. 1 root root  109 Aug 13 02:05 client.test.ed25519_key.pub                                                  
-rw-------. 1 root root 2610 Aug 13 02:05 client.test.rsa_key                                                          
-rw-------. 1 root root  581 Aug 13 02:05 client.test.rsa_key.pub                                                      
-rw-------. 1 root root  525 Aug 13 02:05 dc.samba.test.ecdsa_key                                                      
-rw-------. 1 root root  189 Aug 13 02:05 dc.samba.test.ecdsa_key.pub                                                  
-rw-------. 1 root root  419 Aug 13 02:05 dc.samba.test.ed25519_key                                                    
-rw-------. 1 root root  109 Aug 13 02:05 dc.samba.test.ed25519_key.pub                                                
-rw-------. 1 root root 2622 Aug 13 02:05 dc.samba.test.rsa_key                                                        
-rw-------. 1 root root  581 Aug 13 02:05 dc.samba.test.rsa_key.pub                                                    
-rw-------. 1 root root  525 Aug 13 02:05 dns.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 dns.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 dns.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 dns.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2610 Aug 13 02:05 dns.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 dns.test.rsa_key.pub                                                         
-rw-------. 1 root root  525 Aug 13 02:05 kdc.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 kdc.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 kdc.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 kdc.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2622 Aug 13 02:05 kdc.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 kdc.test.rsa_key.pub                                                         
-rw-------. 1 root root  525 Aug 13 02:05 master.ipa.test.ecdsa_key                                                    
-rw-------. 1 root root  189 Aug 13 02:05 master.ipa.test.ecdsa_key.pub                                                
-rw-------. 1 root root  419 Aug 13 02:05 master.ipa.test.ed25519_key                                                  
-rw-------. 1 root root  109 Aug 13 02:05 master.ipa.test.ed25519_key.pub                                              
-rw-------. 1 root root 2622 Aug 13 02:05 master.ipa.test.rsa_key                                                      
-rw-------. 1 root root  581 Aug 13 02:05 master.ipa.test.rsa_key.pub                                                  
-rw-------. 1 root root  525 Aug 13 02:05 master.keycloak.test.ecdsa_key                                               
-rw-------. 1 root root  189 Aug 13 02:05 master.keycloak.test.ecdsa_key.pub                                           
-rw-------. 1 root root  419 Aug 13 02:05 master.keycloak.test.ed25519_key                                             
-rw-------. 1 root root  109 Aug 13 02:05 master.keycloak.test.ed25519_key.pub                                         
-rw-------. 1 root root 2622 Aug 13 02:05 master.keycloak.test.rsa_key                                                 
-rw-------. 1 root root  581 Aug 13 02:05 master.keycloak.test.rsa_key.pub                                             
-rw-------. 1 root root  525 Aug 13 02:05 master.ldap.test.ecdsa_key                                                   
-rw-------. 1 root root  189 Aug 13 02:05 master.ldap.test.ecdsa_key.pub                                               
-rw-------. 1 root root  419 Aug 13 02:05 master.ldap.test.ed25519_key                                                 
-rw-------. 1 root root  109 Aug 13 02:05 master.ldap.test.ed25519_key.pub                                             
-rw-------. 1 root root 2622 Aug 13 02:05 master.ldap.test.rsa_key                                                     
-rw-------. 1 root root  581 Aug 13 02:05 master.ldap.test.rsa_key.pub                                                 
-rw-------. 1 root root  525 Aug 13 02:05 nfs.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 nfs.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 nfs.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 nfs.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2610 Aug 13 02:05 nfs.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 nfs.test.rsa_key.pub

pbrezina
pbrezina reviewed Aug 14, 2024
View reviewed changes
Makefile Outdated
@@ -18,13 +18,18 @@ up-keycloak:
docker-compose -f docker-compose.yml -f docker-compose.keycloak.yml up \
--no-recreate --detach ${LIMIT}

up-ipaipatrust:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is something we can test in PR CI, so I think we can start second IPA with just make up. What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, PR updated.

data/configs/dnsmasq.conf Outdated
@@ -12,6 +12,7 @@ cache-size=0

# These zones have their own DNS server
server=/ipa.test/172.16.100.10
server=/ipa2.test/172.16.100.80
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not matter much but you can use .11 instead of .80 to keep IPA servers grouped together.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, switched to 172.16.100.11

@pbrezina
Copy link
Member

Hi @pbrezina Can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test. I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh

However, these are not being copied into the master2.ipa2.test system.

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

@pbrezina
Copy link
Member

Hi @pbrezina Can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test. I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh
However, these are not being copied into the master2.ipa2.test system.

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

@justin-stephenson
Copy link
Contributor Author

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

Can ssh keys from both IPA servers master.ipa.test and master2.ipa2.test be added to quay.io/sssd/ci-base-ipa:latest ?

jakub-vavra-cz
jakub-vavra-cz reviewed Aug 15, 2024
View reviewed changes
src/ansible/roles/packages/tasks/Fedora.yml Outdated
@@ -264,7 +264,7 @@
- ci-sssd-random
- umockdev
when: passkey_support
when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'ipa' in group_names"
when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is still base_ipa2.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

jakub-vavra-cz
jakub-vavra-cz requested changes Aug 15, 2024
View reviewed changes
Copy link
Contributor

@jakub-vavra-cz jakub-vavra-cz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base_ipa2 is still present.

@justin-stephenson
Copy link
Contributor Author

The base_ipa2 is still present.

Removed fully.

jakub-vavra-cz
jakub-vavra-cz reviewed Aug 16, 2024
View reviewed changes
src/ansible/playbook_image_service.yml Outdated
@@ -16,7 +16,9 @@
roles:
- samba

- hosts: master.ipa.test
- hosts:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should target group ipa.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated as part of rebase.

@pbrezina
Copy link
Member

pbrezina commented Aug 16, 2024
edited
Loading

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:lates which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

Can ssh keys from both IPA servers master.ipa.test and master2.ipa2.test be added to quay.io/sssd/ci-base-ipa:latest ?

No until this PR is merged. But you could do it manually, however it's probably not worth the effort.

@pbrezina
Copy link
Member

Justin, you can try removing the ssh host keys completely when you will rebase on top of Jakub's changes. I'm pretty sure I added them as a workaround for something, but I don't remember anymore. Maybe, it is not needed anymore.

@justin-stephenson
Copy link
Contributor Author

Justin, you can try removing the ssh host keys completely when you will rebase on top of Jakub's changes. I'm pretty sure I added them as a workaround for something, but I don't remember anymore. Maybe, it is not needed anymore.

I rebased and removed the host keys.

jakub-vavra-cz
jakub-vavra-cz approved these changes Aug 19, 2024
View reviewed changes
Copy link
Contributor

@jakub-vavra-cz jakub-vavra-cz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@danlavu
Copy link

danlavu commented Dec 9, 2024

@justin-stephenson , before I go deeper into the PR. I think we should create a new network for ipa2 and make it more realistic.

server=/ipa2.test/172.16.101.10

WDYT?

@justin-stephenson
Copy link
Contributor Author

@justin-stephenson , before I go deeper into the PR. I think we should create a new network for ipa2 and make it more realistic.

server=/ipa2.test/172.16.101.10

WDYT?

Forgive my ignorance but what is the benefit?

@danlavu
Copy link

danlavu commented Dec 9, 2024

Forgive my ignorance but what is the benefit?

Realism mostly, two domains sharing the same class C network, while it works, it's not suggested per our installation docs. I don't think it helps us to to test against an unsupported installation.

I do recall there has seem some automation limitations in the past, definitely one, maybe two bugs we would've caught if it wasn't sharing the same subnet.

@justin-stephenson
Copy link
Contributor Author

Forgive my ignorance but what is the benefit?

Realism mostly, two domains sharing the same class C network, while it works, it's not suggested per our installation docs. I don't think it helps us to to test against an unsupported installation.

I do recall there has seem some automation limitations in the past, definitely one, maybe two bugs we would've caught if it wasn't sharing the same subnet.

I don't have a strong opinion either way, @pbrezina can you provide your thoughts?

@danlavu
Copy link

danlavu commented Dec 10, 2024

I don't have a strong opinion either way, @pbrezina can you provide your thoughts?

FWIW, I feel strongly about this. Testing against a supported/gss certified setup than a test. While it doesn't apply here, the downstream multi-domain AD stuff needs to be segmented this way otherwise dcpromo will fail.

@pbrezina
Copy link
Member

Forgive my ignorance but what is the benefit?

Realism mostly, two domains sharing the same class C network, while it works, it's not suggested per our installation docs. I don't think it helps us to to test against an unsupported installation.
I do recall there has seem some automation limitations in the past, definitely one, maybe two bugs we would've caught if it wasn't sharing the same subnet.

I don't have a strong opinion either way, @pbrezina can you provide your thoughts?

I think it just unnecessarily complicates the setup. I have no idea if adding a network in a docker-compose is sufficient or additional tinkering to make the networks accessible from each other will be required.

But I don't have opinion whether it should or should not be done, I'm fine either way.

@danlavu
Copy link

danlavu commented Dec 10, 2024

A new docker net will be sufficient, I know it's extra complexity, but it's worth it.

@justin-stephenson
Copy link
Contributor Author

A new docker net will be sufficient, I know it's extra complexity, but it's worth it.

Is it more than a simple one-line change? If yes would you mind adding a commit to this PR with these changes and pushing to this PR?

@jakub-vavra-cz
Copy link
Contributor

Just be aware that we can't copy this that easily in idmci (without hadcoding specific openstack networks). We also need to make sure that the same network will still work.

@danlavu
Copy link

danlavu commented Dec 12, 2024

Just be aware that we can't copy this that easily in idmci (without hadcoding specific openstack networks). We also need to make sure that the same network will still work.

Ack, I did run it in IDMCI and the provision passes, I'll go ahead and test it.

2024-12-10T05:40:24 PLAY RECAP *********************************************************************
2024-12-10T05:40:24 client.test                : ok=82   changed=46   unreachable=0    failed=0    skipped=45   rescued=0    ignored=0   
2024-12-10T05:40:24 dc-nhhq.ad-nhhq.test       : ok=17   changed=8    unreachable=0    failed=0    skipped=8    rescued=0    ignored=0   
2024-12-10T05:40:24 dc.samba.test              : ok=67   changed=44   unreachable=0    failed=0    skipped=44   rescued=0    ignored=0   
2024-12-10T05:40:24 dns.test                   : ok=57   changed=26   unreachable=0    failed=0    skipped=42   rescued=0    ignored=0   
2024-12-10T05:40:24 kdc.test                   : ok=57   changed=27   unreachable=0    failed=0    skipped=46   rescued=0    ignored=0   
2024-12-10T05:40:24 master.ipa.test            : ok=61   changed=35   unreachable=0    failed=0    skipped=47   rescued=0    ignored=0   
2024-12-10T05:40:24 master.ldap.test           : ok=61   changed=31   unreachable=0    failed=0    skipped=44   rescued=0    ignored=0   
2024-12-10T05:40:24 master2.ipa2.test          : ok=60   changed=34   unreachable=0    failed=0    skipped=48   rescued=0    ignored=0   
2024-12-10T05:40:24 nfs.test                   : ok=54   changed=24   unreachable=0    failed=0    skipped=46   rescued=0    ignored=0

@justin-stephenson
Copy link
Contributor Author

I rebased this PR, and also added capabilities to the 'ipa2' section in docker-compose.yml similar to

211908d

@danlavu
Copy link

danlavu commented Dec 19, 2024

@justin-stephenson, I have the configuration provisioning but the networks are not routable to one another so I'm trying to figure that out.

@sumit-bose sumit-bose mentioned this pull request Feb 12, 2025
Closed
@sumit-bose
Copy link
Contributor

Hi,

jfyi, I was still able to setup a test environment with this PR.

bye,
Sumit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pbrezina pbrezina pbrezina left review comments

@jakub-vavra-cz jakub-vavra-cz jakub-vavra-cz approved these changes

@danlavu danlavu Awaiting requested review from danlavu

Assignees

@danlavu danlavu

@pbrezina pbrezina

@jakub-vavra-cz jakub-vavra-cz

Labels
blocked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@justin-stephenson @pbrezina @danlavu @jakub-vavra-cz @sumit-bose @alexey-tikhonov