SSSD / sssd-ci-containers

Setup containerized environment for testing and developing SSSD.
GNU General Public License v3.0

Support IPA IPA Trust with additional IPA server #106

Open justin-stephenson opened 3 months ago

justin-stephenson commented 3 months ago

Add new server master2.ipa2.test which deploys an IPA domain ipa2.test to be used in IPA IPA trust.

With this PR checked out:

sudo make down
sudo make build
sudo REGISTRY="localhost/sssd" make up

Linked PRs: https://github.com/SSSD/sssd-test-framework/pull/119 https://github.com/SSSD/sssd/pull/7517

justin-stephenson commented 3 months ago

Hi @pbrezina, can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test? I see that the host keys are not found.

Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key                                                    
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key                                          
Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key  

I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh

However, these are not being copied into the master2.ipa2.test system.

[root@master2 /]# ll data/ssh-keys/hosts/
total 192       
-rw-------. 1 root root  525 Aug 13 02:05 client.test.ecdsa_key                                                        
-rw-------. 1 root root  189 Aug 13 02:05 client.test.ecdsa_key.pub                                                    
-rw-------. 1 root root  419 Aug 13 02:05 client.test.ed25519_key                                                      
-rw-------. 1 root root  109 Aug 13 02:05 client.test.ed25519_key.pub                                                  
-rw-------. 1 root root 2610 Aug 13 02:05 client.test.rsa_key                                                          
-rw-------. 1 root root  581 Aug 13 02:05 client.test.rsa_key.pub                                                      
-rw-------. 1 root root  525 Aug 13 02:05 dc.samba.test.ecdsa_key                                                      
-rw-------. 1 root root  189 Aug 13 02:05 dc.samba.test.ecdsa_key.pub                                                  
-rw-------. 1 root root  419 Aug 13 02:05 dc.samba.test.ed25519_key                                                    
-rw-------. 1 root root  109 Aug 13 02:05 dc.samba.test.ed25519_key.pub                                                
-rw-------. 1 root root 2622 Aug 13 02:05 dc.samba.test.rsa_key                                                        
-rw-------. 1 root root  581 Aug 13 02:05 dc.samba.test.rsa_key.pub                                                    
-rw-------. 1 root root  525 Aug 13 02:05 dns.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 dns.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 dns.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 dns.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2610 Aug 13 02:05 dns.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 dns.test.rsa_key.pub                                                         
-rw-------. 1 root root  525 Aug 13 02:05 kdc.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 kdc.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 kdc.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 kdc.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2622 Aug 13 02:05 kdc.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 kdc.test.rsa_key.pub                                                         
-rw-------. 1 root root  525 Aug 13 02:05 master.ipa.test.ecdsa_key                                                    
-rw-------. 1 root root  189 Aug 13 02:05 master.ipa.test.ecdsa_key.pub                                                
-rw-------. 1 root root  419 Aug 13 02:05 master.ipa.test.ed25519_key                                                  
-rw-------. 1 root root  109 Aug 13 02:05 master.ipa.test.ed25519_key.pub                                              
-rw-------. 1 root root 2622 Aug 13 02:05 master.ipa.test.rsa_key                                                      
-rw-------. 1 root root  581 Aug 13 02:05 master.ipa.test.rsa_key.pub                                                  
-rw-------. 1 root root  525 Aug 13 02:05 master.keycloak.test.ecdsa_key                                               
-rw-------. 1 root root  189 Aug 13 02:05 master.keycloak.test.ecdsa_key.pub                                           
-rw-------. 1 root root  419 Aug 13 02:05 master.keycloak.test.ed25519_key                                             
-rw-------. 1 root root  109 Aug 13 02:05 master.keycloak.test.ed25519_key.pub                                         
-rw-------. 1 root root 2622 Aug 13 02:05 master.keycloak.test.rsa_key                                                 
-rw-------. 1 root root  581 Aug 13 02:05 master.keycloak.test.rsa_key.pub                                             
-rw-------. 1 root root  525 Aug 13 02:05 master.ldap.test.ecdsa_key                                                   
-rw-------. 1 root root  189 Aug 13 02:05 master.ldap.test.ecdsa_key.pub                                               
-rw-------. 1 root root  419 Aug 13 02:05 master.ldap.test.ed25519_key                                                 
-rw-------. 1 root root  109 Aug 13 02:05 master.ldap.test.ed25519_key.pub                                             
-rw-------. 1 root root 2622 Aug 13 02:05 master.ldap.test.rsa_key                                                     
-rw-------. 1 root root  581 Aug 13 02:05 master.ldap.test.rsa_key.pub                                                 
-rw-------. 1 root root  525 Aug 13 02:05 nfs.test.ecdsa_key                                                           
-rw-------. 1 root root  189 Aug 13 02:05 nfs.test.ecdsa_key.pub                                                       
-rw-------. 1 root root  419 Aug 13 02:05 nfs.test.ed25519_key                                                         
-rw-------. 1 root root  109 Aug 13 02:05 nfs.test.ed25519_key.pub                                                     
-rw-------. 1 root root 2610 Aug 13 02:05 nfs.test.rsa_key
-rw-------. 1 root root  581 Aug 13 02:05 nfs.test.rsa_key.pub   
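
A fail-fast check for the situation described in the comment above, as an added example that is not part of the PR or the repository: it reports, per host, which of the three private host keys sshd looks for are absent, empty, or accessible by group/other. The function name and the script file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): list the sshd private host keys that are
# missing or unusable for the given hosts.
# The key suffixes mirror the three paths in the sshd log lines above.
KEY_TYPES="ecdsa ed25519 rsa"

# missing_host_keys DIR HOST...
# Prints one line per problem and returns 1 if any key is absent, empty, or
# accessible by group/other (sshd refuses to load such private keys).
missing_host_keys() {
    dir=$1
    shift
    rc=0
    for host in "$@"; do
        for type in $KEY_TYPES; do
            key="$dir/$host.${type}_key"
            if [ ! -s "$key" ]; then
                echo "missing: $key"
                rc=1
            # Characters 5-10 of the ls mode string are the group/other bits.
            elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
                echo "too-open: $key"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Usage (check-host-keys.sh is a hypothetical file name):
#   sh check-host-keys.sh /data/ssh-keys/hosts master.ipa.test master2.ipa2.test
if [ "$#" -ge 2 ]; then
    missing_host_keys "$@"
fi
```

Run inside the container before restarting sshd, a non-zero exit status turns the "Unable to load host key" failure into an explicit list of the files the image lacks.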

pbrezina commented 3 months ago

> Hi @pbrezina, can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test? I see that the host keys are not found.
>
> Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key
> Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key
> Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key
>
> I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh
>
> However, these are not being copied into the master2.ipa2.test system.

Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:latest which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

pbrezina commented 3 months ago

> > Hi @pbrezina, can you help me understand why docker.io/ubuntu:rolling build fails (https://github.com/SSSD/sssd-ci-containers/actions/runs/10370744252/job/28711693110?pr=106) when sshd does not restart properly on master2.ipa2.test? I see that the host keys are not found.
> >
> > Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key
> > Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.ed25519_key
> > Aug 13 13:19:21 master2.ipa2.test sshd[6905]: Unable to load host key: /data/ssh-keys/hosts/master2.ipa2.test.rsa_key
> >
> > I ran src/tools/gen-ssh-keys.sh and added the ssh keys for master2.ipa2.test into this PR. I also added master2.ipa2.test into the for loop in src/tools/gen-ssh-keys.sh. However, these are not being copied into the master2.ipa2.test system.
>
> Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:latest which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.

Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

justin-stephenson commented 3 months ago

> Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:latest which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.
>
> Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.

Can ssh keys from both IPA servers master.ipa.test and master2.ipa2.test be added to quay.io/sssd/ci-base-ipa:latest?

justin-stephenson commented 3 months ago

The base_ipa2 is still present.

Removed fully.

pbrezina commented 3 months ago

> > Ubuntu does not provide ipa package so base-ipa container is actually pulled from quay.io/sssd/ci-base-$svc:latest which does not contain your changes. Maybe, it would be possible to use the base image we just created? But build.sh would have to change. Maybe introduce UNAVAILABLE_BASE_IMAGE variable or something like that.
> >
> > Actually it wouldn't work because we run each distro on different host. We would need to store it as artifact and then download it and install it.
>
> Can ssh keys from both IPA servers master.ipa.test and master2.ipa2.test be added to quay.io/sssd/ci-base-ipa:latest?

Not until this PR is merged. But you could do it manually, however it's probably not worth the effort.

pbrezina commented 3 months ago

Justin, you can try removing the ssh host keys completely when you rebase on top of Jakub's changes. I'm pretty sure I added them as a workaround for something, but I don't remember anymore. Maybe, it is not needed anymore.

justin-stephenson commented 3 months ago

> Justin, you can try removing the ssh host keys completely when you rebase on top of Jakub's changes. I'm pretty sure I added them as a workaround for something, but I don't remember anymore. Maybe, it is not needed anymore.

I rebased and removed the host keys.