saltstack-formulas / dhcpd-formula

http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

Feat/config ldap #44

Closed sticky-note closed 4 years ago

sticky-note commented 4 years ago

PR progress checklist (to be filled in by reviewers)

What type of PR is this?

Primary type

Secondary type

Does this PR introduce a BREAKING CHANGE?

No.

Related issues and/or pull requests

Describe the changes you're proposing

Add ldap backend support

Pillar / config required to test the proposed changes

Debug log showing how the proposed changes work

Documentation checklist

Testing checklist

Additional context

myii commented 4 years ago

@sticky-note If I understand correctly, this is built upon #43, so let's resolve the issues there before coming back to this.

sticky-note commented 4 years ago

@myii as forecasted, tests are failing

myii commented 4 years ago

@sticky-note No problem, I've got the fixes for you. But I've come across a different problem: if I actually enable the ldap values in pillar.example, the formula states don't even complete:

                 ID: dhcpd.conf
           Function: file.managed
               Name: /etc/dhcp/dhcpd.conf
             Result: False
            Comment: check_cmd execution failed
              Internet Systems Consortium DHCP Server 4.4.1
              Copyright 2004-2018 Internet Systems Consortium.
              All rights reserved.
              For info, please visit https://www.isc.org/software/dhcp/
              /etc/dhcp/tmp.Gf9jcLGwGC line 18: semicolon expected.
              ldap-server "localhost"
                           ^
              /etc/dhcp/tmp.Gf9jcLGwGC line 19: semicolon expected.
              ldap-port 389;
                         ^
              /etc/dhcp/tmp.Gf9jcLGwGC line 20: semicolon expected.
              ldap-username "cn=dhcpadmin,dc=example,dc=com"
                             ^
              /etc/dhcp/tmp.Gf9jcLGwGC line 21: semicolon expected.
              ldap-password "dhcppassword"
                             ^
              /etc/dhcp/tmp.Gf9jcLGwGC line 22: semicolon expected.
              ldap-base-dn "ou=dhcp,dc=example,dc=com"
                            ^
              /etc/dhcp/tmp.Gf9jcLGwGC line 23: semicolon expected.
              ldap-method dynamic;
                           ^
              /etc/dhcp/tmp.Gf9jcLGwGC line 24: semicolon expected.
              ldap-debug-file "/var/log/dhcp-ldap-startup.log"
                               ^
              WARNING: Host declarations are global.  They are not limited to the scope you declared them in.
              Configuration file errors encountered -- exiting

              If you think you have received this message due to a bug rather
              than a configuration issue please read the section on submitting
              bugs on either our web page at www.isc.org or in the README file
              before submitting a bug.  These pages explain the proper
              process and the information we find helpful for debugging.

              exiting.

If that's the case, then this PR needs adjusting before anything. Can you confirm that on your side? I can run Travis at the moment because I've got a number of other runs going on.

myii commented 4 years ago

@sticky-note This is the fix for the tests to get it working as-is:

Still need to check the failures when enabling the ldap values, though.

myii commented 4 years ago

@sticky-note So as mentioned, I've now been able to reproduce those errors in Travis:

All of the instances are tripping up at the check_cmd:

https://github.com/saltstack-formulas/dhcpd-formula/blob/69d3fdc827cd7cec3e861338b836728606d56450/dhcpd/config.sls#L14-L22

sticky-note commented 4 years ago

@Myii I am not able to reproduce; with myii/feat/config-ldap on a stretch vagrant box, I get:

          ID: dhcpd.conf
    Function: file.managed
        Name: /etc/dhcp/dhcpd.conf
      Result: False
     Comment: check_cmd execution failed
              Internet Systems Consortium DHCP Server 4.4.1
              Copyright 2004-2018 Internet Systems Consortium.
              All rights reserved.
              For info, please visit https://www.isc.org/software/dhcp/
              WARNING: Host declarations are global.  They are not limited to the scope you declared them in.
              Error: Cannot login into ldap server localhost:389: Can't contact LDAP server
              Configuration file errors encountered -- exiting

              If you think you have received this message due to a bug rather
              than a configuration issue please read the section on submitting
              bugs on either our web page at www.isc.org or in the README file
              before submitting a bug.  These pages explain the proper
              process and the information we find helpful for debugging.

              exiting.
     Started: 13:54:33.836694
    Duration: 1477.157 ms
     Changes:

sticky-note commented 4 years ago

@myii I wasn't able to reproduce because I had dhcpd from isc-openldap-server-ldap, which is able to parse ldap-* directives. dhcpd from isc-dhcp-server can't parse those properties. To be able to test those properties on dhcpd from isc-openldap-server-ldap, we need to have an LDAP server running and containing the base configuration for dhcpd.

myii commented 4 years ago

@sticky-note I see that error as well in Travis, we've got both examples there.

The problem is that we still need to be able to confirm this is working. This can be done by preparing a second test suite. You can use the outline I've provided here:

This results in the Travis job getting through that state and only tripping up on the service.running:

Looking at the journal, the reason is as you stated above, that the base configuration for dhcpd isn't available yet:

... systemd[1]: Starting LSB: DHCP server...
-- Subject: A start job for unit isc-dhcp-server.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit isc-dhcp-server.service has begun execution.
--
-- The job identifier is 163.
... isc-dhcp-server[917]: Launching both IPv4 and IPv6 servers (please configure INTERFACES in /etc/default/isc-dhcp-server if you only want one or the other).
... dhcpd[929]: Wrote 0 leases to leases file.
... dhcpd[929]:
... dhcpd[929]: No subnet declaration for eth0 (172.17.0.2).
... dhcpd[929]: ** Ignoring requests on eth0.  If this is not what
... dhcpd[929]:    you want, please write a subnet declaration
... dhcpd[929]:    in your dhcpd.conf file for the network segment
... dhcpd[929]:    to which interface eth0 is attached. **
... dhcpd[929]:
... dhcpd[929]:
... dhcpd[929]: Not configured to listen on any interfaces!
... dhcpd[929]:
... dhcpd[929]: If you think you have received this message due to a bug rather
... dhcpd[929]: than a configuration issue please read the section on submitting
... dhcpd[929]: bugs on either our web page at www.isc.org or in the README file
... dhcpd[929]: before submitting a bug.  These pages explain the proper
... dhcpd[929]: process and the information we find helpful for debugging.
... dhcpd[929]:
... dhcpd[929]: exiting.
... dhcpd[929]: than a configuration issue please read the section on submitting
... dhcpd[929]: bugs on either our web page at www.isc.org or in the README file
... dhcpd[929]: before submitting a bug.  These pages explain the proper
... dhcpd[929]: process and the information we find helpful for debugging.
... dhcpd[929]:
... dhcpd[929]: exiting.
... isc-dhcp-server[917]: Starting ISC DHCPv4 server: dhcpdcheck syslog for diagnostics. ... failed!
... isc-dhcp-server[917]:  failed!
... systemd[1]: isc-dhcp-server.service: Control process exited, code=exited, status=1/FAILURE

So there are two ways forward here:

  1. I've not used openldap-formula myself but since you're familiar with it, would the dhcpd configuration be possible to add to the specific test pillar test/salt/pillar/openldap.sls?
  2. If not, we could introduce a Jinja conditional that only executes the service.running state if enabled (which it will be by default). Then, at least, we can run all of the other states to verify things are proceeding as they should.

As you try things out at your end, you test it out using:

$ bin/kitchen verify ldap-debian-10-master-py3

sticky-note commented 4 years ago

@Myii You have to fill the base configuration for dhcpd; it can be done via the ldap.managed state, which depends on the python3-ldap Python module. I am working on parsing the dhcpd-formula pillar to fill that correctly. All docs are here: https://github.com/isc-projects/dhcp/tree/master/contrib/ldap. But I am working on a version generated by ldap-account-manager, which seems to be compliant too.

myii commented 4 years ago

So there are two ways forward here:

  1. I've not used openldap-formula myself but since you're familiar with it, would the dhcpd configuration be possible to add to the specific test pillar test/salt/pillar/openldap.sls?
  2. If not, we could introduce a Jinja conditional that only executes the service.running state if enabled (which it will be by default). Then, at least, we can run all of the other states to verify things are proceeding as they should.

@sticky-note So shall we just do number 2 for now?
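As an added illustration of option 2 (this is example code, not the formula's own dhcpd/config.sls): the file.managed state keeps the `dhcpd -t` check_cmd that produced the errors above, and the service.running state is gated behind a pillar toggle so the remaining states can still be verified while the dhcpd base configuration is not yet loaded into LDAP. The `dhcpd:service:enabled` pillar key, the map.jinja import, the source path and the 0640 mode are assumptions made for this example.

```yaml
# Example state, not the formula's own config.sls. Assumes map.jinja exports
# a `dhcpd` dict and that the pillar carries `dhcpd:service:enabled`.
{%- from tpldir ~ "/map.jinja" import dhcpd with context %}

dhcpd.conf:
  file.managed:
    - name: /etc/dhcp/dhcpd.conf
    - source: salt://dhcpd/files/dhcpd.conf.jinja   # assumed template path
    - template: jinja
    - user: root
    - group: root
    # The rendered file may carry ldap-password in clear text, so keep it
    # unreadable to other local users (0640 is an assumption of this example).
    - mode: '0640'
    # Salt appends the temp file path, so this runs `dhcpd -t -cf <tmpfile>`.
    # On the plain isc-dhcp-server build this is where the ldap-* directives
    # fail with "semicolon expected"; the LDAP-capable build parses them but
    # then needs a reachable LDAP server holding the base configuration.
    - check_cmd: dhcpd -t -cf

{%- if dhcpd.get('service', {}).get('enabled', True) %}
dhcpd.service:
  service.running:
    - name: isc-dhcp-server
    - enable: True
    - watch:
      - file: dhcpd.conf
{%- else %}
# Toggle off in the test pillar until the LDAP base configuration exists;
# the notification keeps the state id visible in the highstate output.
dhcpd.service:
  test.show_notification:
    - text: 'service.running skipped because dhcpd:service:enabled is False'
{%- endif %}
```

With `dhcpd:service:enabled: False` in the ldap test pillar, `bin/kitchen verify ldap-debian-10-master-py3` exercises every state except the service start; once the base configuration is in LDAP, dropping the key restores the default behaviour.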

myii commented 4 years ago

Thanks, @sticky-note. Testing against ldap is going to take more effort, so let's get this merged for now.

saltstack-formulas-travis commented 4 years ago

:tada: This PR is included in version 0.11.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

sticky-note commented 4 years ago

@myii I have just realized that dhcpd.conf and the dhcpd configuration stored in LDAP are mixed up when used together, so we can test the LDAP connection and dhcpd.conf without filling the dhcp configuration in LDAP.

myii commented 4 years ago

@sticky-note Sure, please send through another PR with the changes. Don't worry too much if the verification stage fails again, I've tightened up the tests in this formula a lot, as a way of checking how useful that approach is.