freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Use PKI COPR repo for testing #603

Closed edewata closed 7 months ago

edewata commented 8 months ago

Currently freeipa containers are built using the official PKI packages published on Fedora Rawhide and CentOS 9 Stream. However, by the time PKI packages are published on those platforms, PKI development and testing cycles are already complete, so issues like these are found too late: https://bugzilla.redhat.com/show_bug.cgi?id=2265995 https://issues.redhat.com/browse/RHEL-20465

To avoid such issues in the future please use PKI COPR repo: https://copr.fedorainfracloud.org/coprs/g/pki/master/builds/ This way issues can be found during development and bug fixes can be tested properly.

adelton commented 8 months ago

Even if I do

diff --git a/Dockerfile.fedora-rawhide b/Dockerfile.fedora-rawhide
index 0d36478..02e2ae9 100644
--- a/Dockerfile.fedora-rawhide
+++ b/Dockerfile.fedora-rawhide
@@ -7,6 +7,7 @@ RUN groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -r -d
 # Workaround 1615948
 RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup
 RUN sed -i 's!%_install_langs.*!%_install_langs all!' /etc/rpm/macros.image-language-conf
+RUN dnf install -y 'dnf-command(copr)' && dnf copr -y enable @pki/master
 RUN dnf upgrade -y --setopt=install_weak_deps=False \
        && dnf install -y --setopt=install_weak_deps=False freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-healthcheck freeipa-client-epn patch \
        && dnf clean all
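
Review bot: the added RUN line enables the @pki/master COPR unconditionally in Dockerfile.fedora-rawhide, so every image built from this file would pick up packages from that repo on the "dnf upgrade -y" that follows, not only test builds. If this is meant for testing, gate it behind a build argument or keep it in a separate test Dockerfile so the default build still installs from the distribution repos only. The new line also runs "dnf install -y" without "--setopt=install_weak_deps=False" and without "dnf clean all", both of which the next RUN uses, so it can pull weak dependencies and leave dnf metadata behind in its own layer; folding it into the following RUN would address both. A one-line comment above it, in the style of "# Workaround 1615948", would record why the extra repo is enabled.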

I still get

  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

So at this point even the copr repo does not help.

I'm not sure I realistically have capacity to use the copr repos of respective upstream projects that comprise FreeIPA. The use of Fedora rawhide and CentOS Stream in our CI and diligently reporting issues we find is all I can handle. I assume the copr builds with master contents get unstable much more often.

I'd be more than happy to help the PKI project set up the respective containerization CI setups in your repos.

But at this point we don't even seem to have a stable baseline.

edewata commented 8 months ago

Right, it does not work right now because of bug #2265995. What I meant was, once that issue is resolved, and to avoid similar issues from happening again, there should be regular tests for freeipa-container using PKI COPR build so that issues like this can be discovered much earlier during PKI development/testing cycles rather than later after PKI is publicly released to Fedora and CentOS.

abbra commented 8 months ago

Maybe we can pull freeipa-container tests into the FreeIPA PR CI weekly run we do against both 389-ds and PKI COPRs. Then we would be able to triage the failures as part of existing PKI and 389-ds COPR runs.

adelton commented 8 months ago

That seems like a more sustainable place to have those tests done, @abbra.

Is there anything specific I could help with to get that done?

adelton commented 7 months ago

Let me close this issue with the conclusion that we will try to do that in the FreeIPA PR CI.

abbra commented 7 months ago

@adelton I've heard from @edewata that he is still working on consequences of supporting this variable back in the Dogtag code. Meanwhile we can patch things out like you proposed. We will remove the patch once Dogtag provides a proper solution.

adelton commented 7 months ago

I've actually already done that in master via 95852937d6ba9a509475851f415e9149e025c9cd and 4ab5bf9746630095c27576981e39444bb01fa545, setting

CONFIG_DIR = '/data/etc/pki'