Differential D832

add FreeIPA test disks (with kickstarts) and update InstallGuide
ClosedPublic
Actions

Authored by adamwill on Apr 28 2016, 6:12 AM.

Details

Reviewers
garretraziel
jskladan
Commits
rOPENQAb82f2d4c4d08: add FreeIPA kickstarts to disk_ks and update InstallGuide
rOPENQA26a751311564: add FreeIPA kickstarts and wiki config, update InstallGuide
rOPENQA8a814a190741: add FreeIPA kickstarts to disk_ks and update InstallGuide
rOPENQA86395e2c9996: add FreeIPA test disks (with kickstarts) and update InstallGuide
rOPENQA0f504a4c0f24: add FreeIPA kickstarts to disk_ks and update InstallGuide
Summary

This goes along with the openqa_fedora commit to add the tests.
I didn't update the Docker instructions yet because I don't
quite remember how that goes. It might need a whole different
setup using some other networking...thing...

Test Plan

See https://phab.qadevel.cloud.fedoraproject.org/D831

Diff Detail

Repository
rOPENQA fedora_openqa
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
adamwill retitled this revision from to add FreeIPA test disks (with kickstarts) and update InstallGuide.Apr 28 2016, 6:12 AM
adamwill updated this object.
adamwill edited the test plan for this revision. (Show Details)
adamwill added reviewers: jskladan, garretraziel.
garretraziel added inline comments.Apr 28 2016, 3:13 PM
InstallGuide.md
52

Having discussed this with jskladan we came to conclusion that bridge shouldn't be named "br0", because there may be a lot of people who already have br0 and use it for something. Why not create bridge called "os-autoinst-br0" or something like that?

65

Same concern as above - I would vote for creating TAP device with more openQA-specific name. We can then specify it only in two necessary tests by using TAPDEV variable.

91

Let's find out how to rewrite those rules into firewalld. I'm not OK with "let's tell people to disable firewalld and use different technology instead". Sounds like fun plan for Friday, I might look into it.

tools/hdds.json
85

Just a quick thought - can't we use only one disk and upload both kickstarts to it? It will save space.

adamwill updated this revision to Diff 2121.Apr 28 2016, 3:25 PM

Update InstallGuide.md to explain device naming possibilities

adamwill added a comment.Apr 28 2016, 3:41 PM

Good point on the disk images: in fact we could just roll both kickstarts into the 'ks' image, I guess, and add another file to that image any time we need to.

I've updated the InstallGuide to explain the limitations around device naming. You can rename the bridge (and set an env var to tell os-autoinst what name to use) but os-autoinst enforces the tap device naming scheme.

On the firewall stuff - I was actually trying to do it with firewalld at first, the reason I switched to iptables is simply that the infra hosts use iptables and our primary case is the infra deployment. But it would go *something* like this, I think: put br0 in zone internal and enp2s0 in external, allow all traffic to br0 as in the iptables rules (I think firewalld can do that too), and do...something?...to enable port forwarding (I think in firewalld you have to do port forwarding by IP or MAC, not interface name). I believe firewalld actually enables masquerading on devices in the external zone by default.

adamwill updated this revision to Diff 2122.Apr 28 2016, 3:54 PM

add a bit more detail on the networking config

adamwill updated this revision to Diff 2123.Apr 28 2016, 4:01 PM

move network instructions to a separate file

they're big and scary and you can run most tests without them,
so let's do this so InstallGuide doesn't scare people off.

adamwill updated this revision to Diff 2124.Apr 28 2016, 4:01 PM

tiny text tweak

adamwill updated this revision to Diff 2125.Apr 28 2016, 5:57 PM

put the kickstarts in disk_ks instead of their own disks

as suggested by garretraziel, there's no need for each test to
have its own disk, they can all share disk_ks. lots of room! We
bump the version so it'll be rebuilt and the new kickstarts
added.

adamwill updated this revision to Diff 2127.Apr 28 2016, 6:17 PM

rebase on current develop

adamwill updated this revision to Diff 2128.Apr 28 2016, 8:25 PM

fix handling of multiple writes/uploads in createhdds

hah, so combining the kickstarts found a bug...let's
fix that.

adamwill updated this revision to Diff 2138.May 4 2016, 12:07 AM

Add the wiki reporting config for the FreeIPA tests

garretraziel accepted this revision.May 4 2016, 6:49 AM
This revision is now accepted and ready to land.May 4 2016, 6:49 AM
Closed by commit rOPENQA86395e2c9996: add FreeIPA test disks (with kickstarts) and update InstallGuide (authored by adamwill). · Explain WhyMay 4 2016, 6:55 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

Diff 2149

View Options

AdvancedNetwork.md

  • This file was added.
1openQA advanced networking
2==========================
3
4If you want to run the tests that rely on advanced networking, you must configure it. See [the upstream documentation](https://github.com/os-autoinst/openQA/blob/master/docs/Networking.asciidoc). You can actually configure the network in any way (using openvswitch, VDE, or any other software-defined networking system you like) so long as it meets openQA's expectations: there must be a bridge with IP 10.0.2.2 and several `tapN` devices attached to the bridge, as many as there are worker instances on each worker host, which the qemu processes can attach to using `-netdev tap`. The worker instances must be able to communicate with each other and with the worker host web server which listens on the bridge interface (and has a random port number within a specified range). The traffic from the workers must be masqueraded to the external network.
5
6These instructions are for openvswitch, as used by Fedora and SUSE: probably best to stick with it unless you know exactly what you're doing. os-autoinst has a helper service, `os-autoinst-openvswitch`, which isolates groups of workers on their own VLANs, so you don't have to worry about address collisions if you have more than one set of parallel jobs running at once (e.g. if you have a set of jobs which uses hardcoded static IPs, and it happens to run for two arches or images at once). The workers for each set of parallel jobs are assigned a different VLAN.
7
8Install the packages:
9
10 dnf install os-autoinst-openvswitch
11 dnf install tunctl
12 dnf install iptables-services
13
14Create the bridge config file, `/etc/sysconfig/network-scripts/ifcfg-br0`, with these contents:
15
16 DEVICETYPE='ovs'
17 TYPE='OVSBridge'
18 BOOTPROTO='static'
19 IPADDR='10.0.2.2'
20 NETMASK='255.254.0.0'
21 DEVICE=br0
22 STP=off
23 ONBOOT='yes'
24 NAME='br0'
25 HOTPLUG='no'
26
27If you already have a `br0`, you can name the bridge something else: just change the value `br0` wherever it appears in these instructions to your desired name, and set the environment variable `OS_AUTOINST_USE_BRIDGE` to your desired name when launching os-autoinst-openvswitch. You can do this by copying `/usr/lib/systemd/system/os-autoinst-openvswitch.service` to `/etc/systemd/system/os-autoinst-openvswitch.service` and changing the value in the `Environment` line, then running `systemctl daemon-reload`.
28
29Create `/etc/sysconfig/network-scripts/ifcfg-tap0`, with these contents:
30
31 DEVICETYPE='ovs'
32 TYPE='OVSPort'
33 OVS_BRIDGE='br0'
34 DEVICE='tap0'
35 ONBOOT='yes'
36 BOOTPROTO='none'
37 HOTPLUG='no'
38
39Create as many `ifcfg-tapN` files as you have workers, with the `DEVICE` changed appropriately - `ifcfg-tap1`, `ifcfg-tap2` and so on. Note you cannot name the `tap` devices in any other way, and by default, openQA workers pick the tap device based on their number - worker 2 uses `tap1`, and so on. Tests can override this and specify a particular tap device, but when a test does not do this, the behaviour is not configurable.
40
41Create `/sbin/ifup-pre-local` with these contents:
42
43 #!/bin/sh
44
45 # if the interface being brought up is tap[n], create
46 # the tap device first
47 if=$(echo "$1" | sed -e 's,ifcfg-,,')
48 tap=$(echo "$if" | sed -e 's,[0-9]\+$,,')
49 if [ "$tap" == "tap" ]; then
50 tunctl -u _openqa-worker -p -t "$if"
51 fi
52
53This will create the underlying device for the tap connections when they are brought up. Ensure the file is executable by root: `chmod ug+x /sbin/ifup-pre-local`
54
55Adjust the firewall configuration. For iptables, `/etc/sysconfig/iptables` should look like something like this, with `enp2s0` changed to the name of whatever adapter you have connected to the outside world:
56
57 *filter
58 :INPUT ACCEPT [0:0]
59 :FORWARD ACCEPT [0:0]
60 :OUTPUT ACCEPT [0:0]
61
62 # allow ping and traceroute
63 -A INPUT -p icmp -j ACCEPT
64
65 # localhost is fine
66 -A INPUT -i lo -j ACCEPT
67
68 # Established connections allowed
69 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
70 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
71
72 # allow ssh - always
73 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
74
75 # allow HTTP / HTTPS
76 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
77 -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
78
79 # allow port forwarding
80 -A FORWARD -i br0 -j ACCEPT
81 -A FORWARD -m state -i enp2s0 -o br0 --state RELATED,ESTABLISHED -j ACCEPT
82
83 # allow all traffic from br0
84 -A INPUT -i br0 -j ACCEPT
85
86 # otherwise kick everything out
87 -A INPUT -j REJECT --reject-with icmp-host-prohibited
88 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
89 COMMIT
90
91 *nat
92 # setup masquerade
93 -A POSTROUTING -o enp2s0 -j MASQUERADE
94 COMMIT
95
96Disable firewalld, if you will use iptables: `systemctl disable firewalld.service; systemctl stop firewalld.service`. If you want to use firewalld, figuring out how to configure it to allow forwarding and NAT from the openvswitch network is up to you.
97
98Enable forwarding in sysctl: `sysctl -w net.ipv4.ip_forward=1`. To make this permanent, edit `/etc/sysctl.conf` and add this line:
99
100 net.ipv4.ip_forward = 1
101
102Enable all the networking-related services:
103
104 systemctl enable openvswitch.service network.service iptables.service os-autoinst-openvswitch.service
105 systemctl restart openvswitch.service network.service iptables.service os-autoinst-openvswitch.service
View Options

InstallGuide.md

1OpenQA install guide 1OpenQA install guide
2==================== 2====================
3 3
4For Fedora 22+ 4For Fedora 23+
5 5
6Install the required packages: 6Install the required packages:
7 7
8 sudo dnf install openqa openqa-httpd openqa-worker 8 sudo dnf install openqa openqa-httpd openqa-worker
9 9
10Configure httpd: 10Configure httpd:
11 11
12 cd /etc/httpd/conf.d/ 12 cd /etc/httpd/conf.d/
13 cp openqa.conf.template openqa.conf 13 cp openqa.conf.template openqa.conf
14 cp openqa-ssl.conf.template openqa-ssl.conf 14 cp openqa-ssl.conf.template openqa-ssl.conf
15 15
16 16
17Configure OpenQA WebUI by editing `/etc/openqa/openqa.ini`: 17Configure OpenQA WebUI by editing `/etc/openqa/openqa.ini`:
18 18
19 [global] 19 [global]
20 branding=plain 20 branding=plain
21 download_domains = fedoraproject.org opensuse.org 21 download_domains = fedoraproject.org opensuse.org
22 [auth] 22 [auth]
23 method = Fake 23 method = Fake
24 24
25Start the Services (consider also running `enable` if you want persistence: 25Start the Services (consider also running `enable` if you want persistence):
26 26
27 systemctl start httpd 27 systemctl start httpd
28 systemctl start openqa-gru 28 systemctl start openqa-gru
29 systemctl start openqa-webui 29 systemctl start openqa-webui
30 30
31Create non-temporary API keys in the Web Interface at http://localhost click `Login`, then `Manage API Keys` and create new keyset. 31Create non-temporary API keys in the Web Interface at http://localhost click `Login`, then `Manage API Keys` and create new keyset.
32Edit `/etc/openqa/client.conf`: 32Edit `/etc/openqa/client.conf`:
33 33
Show All 10 Lines
44Grab the tests, and initialize the database: 44Grab the tests, and initialize the database:
45 45
46 cd /var/lib/openqa/tests/ 46 cd /var/lib/openqa/tests/
47 git clone https://bitbucket.org/rajcze/openqa_fedora fedora 47 git clone https://bitbucket.org/rajcze/openqa_fedora fedora
48 chown -R geekotest:geekotest fedora 48 chown -R geekotest:geekotest fedora
49 cd fedora 49 cd fedora
50 ./templates 50 ./templates
51 51
52To run the tests, you will also need to provide some disk images: 52To run the tests, you will also need to provide some disk images:
garretrazielUnsubmitted
Not Done

Having discussed this with jskladan we came to conclusion that bridge shouldn't be named "br0", because there may be a lot of people who already have br0 and use it for something. Why not create bridge called "os-autoinst-br0" or something like that?

53 53
54 git clone http://bitbucket.org/rajcze/openqa_fedora_tools.git ~/openqa_fedora_tools 54 git clone http://bitbucket.org/rajcze/openqa_fedora_tools.git ~/openqa_fedora_tools
55 dnf install libguestfs-tools libguestfs-xfs 55 dnf install libguestfs-tools libguestfs-xfs
56 mkdir -p /var/lib/openqa/factory/hdd 56 mkdir -p /var/lib/openqa/factory/hdd
57 cd /var/lib/openqa/factory/hdd/ 57 cd /var/lib/openqa/factory/hdd/
58 ~/openqa_fedora_tools/tools/createhdds.py all 58 ~/openqa_fedora_tools/tools/createhdds.py all
59 chown geekotest * 59 chown geekotest *
60 60
61[optional] go to OpenQA web interface, go to "admin" -> "Test suites". 61[optional] go to OpenQA web interface, go to "admin" -> "Test suites".
62Set `REPOSITORY_GRAPHICAL` and `REPOSITORY_VARIATION` to your nearest mirror 62Set `REPOSITORY_GRAPHICAL` and `REPOSITORY_VARIATION` to your nearest mirror
63according to this list: https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-23&arch=x86_64, 63according to this list: https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-23&arch=x86_64,
64excluding `/23/x86_64/os/` at the end of url. For example if your nearest mirror 64excluding `/23/x86_64/os/` at the end of url. For example if your nearest mirror
65is http://ftp.linux.cz/pub/linux/fedora/linux/development/23/x86_64/os/, set 65is http://ftp.linux.cz/pub/linux/fedora/linux/development/23/x86_64/os/, set
garretrazielUnsubmitted
Not Done

Same concern as above - I would vote for creating TAP device with more openQA-specific name. We can then specify it only in two necessary tests by using TAPDEV variable.

66`REPOSITORY_GRAPHICAL` and `REPOSITORY_VARIATION` to http://ftp.linux.cz/pub/linux/fedora/linux/development. 66`REPOSITORY_GRAPHICAL` and `REPOSITORY_VARIATION` to http://ftp.linux.cz/pub/linux/fedora/linux/development.
67 67
68At this point most of the tests should work. However, a few of the tests require two or more workers to be able to communicate with each other (e.g. the FreeIPA tests, where one job sets up a server, and other jobs set up clients and try to connect to the server). For these tests to work, you must do some quite complex software-defined networking configuration on the worker host(s). Instructions for this are in [AdvancedNetwork.md](AdvancedNetwork.md).
garretrazielUnsubmitted
Not Done

Let's find out how to rewrite those rules into firewalld. I'm not OK with "let's tell people to disable firewalld and use different technology instead". Sounds like fun plan for Friday, I might look into it.

View Options

scheduler/fedora_openqa_schedule/conf_test_suites.py

Show First 20 LinesShow All 257 Lines▼ Show 20 Line(s)26TESTCASES = {
258 "QA:Testcase_kickstart_firewall_disabled": { 258 "QA:Testcase_kickstart_firewall_disabled": {
259 "env": "x86", 259 "env": "x86",
260 "type": "Server", 260 "type": "Server",
261 }, 261 },
262 "QA:Testcase_kickstart_firewall_configured": { 262 "QA:Testcase_kickstart_firewall_configured": {
263 "env": "x86", 263 "env": "x86",
264 "type": "Server", 264 "type": "Server",
265 }, 265 },
266 "QA:Testcase_Server_role_deploy": {
267 "env": "x86",
268 "type": "Server",
269 # for now we're only testing this role, but we could easily
270 # test Database server too and we'd need to tweak this somehow
271 "name": "Domain controller",
272 },
273 "QA:Testcase_realmd_join_kickstart": {
274 "section": "Domain joining tests: FreeIPA",
275 "env": "Result",
276 "type": "Server",
277 },
278 "QA:Testcase_domain_client_authenticate": {
279 "env": "Result",
280 "type": "Server",
281 "name": "(FreeIPA)",
282 },
283 "QA:Testcase_FreeIPA_realmd_login": {
284 "env": "Result",
285 "type": "Server",
286 },
266 # "": { 287 # "": {
267 # "name": "", # optional, use when same testcase occurs on multiple rows with different link text 288 # "name": "", # optional, use when same testcase occurs on multiple rows with different link text
268 # "section": "", # optional, some result pages have no sections 289 # "section": "", # optional, some result pages have no sections
269 # "env": "x86", 290 # "env": "x86",
270 # "type": "Installation", 291 # "type": "Installation",
271 # }, 292 # },
272} 293}
273 294
▲ Show 20 LinesShow All 250 Lines▼ Show 20 Line(s)544 "base_service_manipulation": [
524 "QA:Testcase_base_service_manipulation", 545 "QA:Testcase_base_service_manipulation",
525 ], 546 ],
526 "install_kickstart_firewall_disabled": [ 547 "install_kickstart_firewall_disabled": [
527 "QA:Testcase_kickstart_firewall_disabled", 548 "QA:Testcase_kickstart_firewall_disabled",
528 ], 549 ],
529 "install_kickstart_firewall_configured": [ 550 "install_kickstart_firewall_configured": [
530 "QA:Testcase_kickstart_firewall_configured", 551 "QA:Testcase_kickstart_firewall_configured",
531 ], 552 ],
553 "server_role_deploy_domain_controller": [
554 "QA:Testcase_Server_role_deploy",
555 ],
556 "server_realmd_join_kickstart": [
557 "QA:Testcase_realmd_join_kickstart",
558 "QA:Testcase_FreeIPA_realmd_login",
559 "QA:Testcase_domain_client_authenticate",
560 ],
532 } 561 }
View Options

tools/createhdds.py

Show First 20 LinesShow All 134 Lines▼ Show 20 Line(s)134 for write in self.writes:
135 # the write dict must specify the partition to be 135 # the write dict must specify the partition to be
136 # written to, numbered from 1 as humans usually do; 136 # written to, numbered from 1 as humans usually do;
137 # find that part and mount it 137 # find that part and mount it
138 partn = gfs.list_partitions()[int(write['part'])-1] 138 partn = gfs.list_partitions()[int(write['part'])-1]
139 gfs.mount(partn, "/") 139 gfs.mount(partn, "/")
140 # do the write: the dict must specify the target path 140 # do the write: the dict must specify the target path
141 # and the string to be written ('content') 141 # and the string to be written ('content')
142 gfs.write(write['path'], write['content']) 142 gfs.write(write['path'], write['content'])
143 gfs.sync()
144 gfs.umount_opts("/")
143 # do file 'uploads'. in guestfs-speak that means transfer 145 # do file 'uploads'. in guestfs-speak that means transfer
144 # a file from the host to the image, we use it to mean 146 # a file from the host to the image, we use it to mean
145 # download a file from an http server and transfer that 147 # download a file from an http server and transfer that
146 # to the image 148 # to the image
147 for upload in self.uploads: 149 for upload in self.uploads:
148 # download the file to a temp file - borrowed from 150 # download the file to a temp file - borrowed from
149 # fedora_openqa_schedule (which stole it from SO) 151 # fedora_openqa_schedule (which stole it from SO)
150 (_, tmpfname) = tempfile.mkstemp(prefix="createhdds") 152 (_, tmpfname) = tempfile.mkstemp(prefix="createhdds")
151 with open(tmpfname, 'wb') as tmpfh: 153 with open(tmpfname, 'wb') as tmpfh:
152 resp = urlopen(upload['source']) 154 resp = urlopen(upload['source'])
153 while True: 155 while True:
154 # This is the number of bytes to read between buffer 156 # This is the number of bytes to read between buffer
155 # flushes. Value taken from the SO example. 157 # flushes. Value taken from the SO example.
156 buff = resp.read(8192) 158 buff = resp.read(8192)
157 if not buff: 159 if not buff:
158 break 160 break
159 tmpfh.write(buff) 161 tmpfh.write(buff)
160 # as with write, the dict must specify a target 162 # as with write, the dict must specify a target
161 # partition and location ('target') 163 # partition and location ('target')
162 partn = gfs.list_partitions()[int(upload['part'])-1] 164 partn = gfs.list_partitions()[int(upload['part'])-1]
163 gfs.mount(partn, "/") 165 gfs.mount(partn, "/")
164 gfs.upload(tmpfname, upload['target']) 166 gfs.upload(tmpfname, upload['target'])
165 os.remove(tmpfname) 167 os.remove(tmpfname)
168 gfs.sync()
169 gfs.umount_opts("/")
166 # we're all done! rename to the correct name 170 # we're all done! rename to the correct name
167 os.rename(tmpfile, self.filename) 171 os.rename(tmpfile, self.filename)
168 except: 172 except:
169 # if anything went wrong, we want to wipe the temp file 173 # if anything went wrong, we want to wipe the temp file
170 # then raise 174 # then raise
171 os.remove(tmpfile) 175 os.remove(tmpfile)
172 raise 176 raise
173 finally: 177 finally:
▲ Show 20 LinesShow All 486 LinesShow Last 20 Lines
View Options

tools/hdds.json

Show First 20 LinesShow All 48 Lines▼ Show 20 Line(s)47 {
49 "path" : "/testfile", 49 "path" : "/testfile",
50 "content" : "Hello, world!" 50 "content" : "Hello, world!"
51 } 51 }
52 ] 52 ]
53 }, 53 },
54 { 54 {
55 "name" : "ks", 55 "name" : "ks",
56 "size" : "100M", 56 "size" : "100M",
57 "imgver" : "2",
57 "parts" : [ 58 "parts" : [
58 { 59 {
59 "filesystem" : "ext4", 60 "filesystem" : "ext4",
60 "type" : "p", 61 "type" : "p",
61 "start" : "4096", 62 "start" : "4096",
62 "end" : "-1" 63 "end" : "-1"
63 } 64 }
64 ], 65 ],
65 "uploads" : [ 66 "uploads" : [
66 { 67 {
67 "part" : "1", 68 "part" : "1",
68 "target" : "/root-user-crypted-net.ks", 69 "target" : "/root-user-crypted-net.ks",
69 "source" : "https://jskladan.fedorapeople.org/kickstarts/root-user-crypted-net.ks" 70 "source" : "https://jskladan.fedorapeople.org/kickstarts/root-user-crypted-net.ks"
71 },
72 {
73 "part" : "1",
74 "target" : "/freeipa.ks",
75 "source" : "https://www.happyassassin.net/ks/oqipas.ks"
76 },
77 {
78 "part" : "1",
79 "target" : "/freeipaclient.ks",
80 "source" : "https://www.happyassassin.net/ks/oqipac.ks"
70 } 81 }
71 ] 82 ]
72 }, 83 },
73 { 84 {
74 "name" : "updates_img", 85 "name" : "updates_img",
garretrazielUnsubmitted
Not Done

Just a quick thought - can't we use only one disk and upload both kickstarts to it? It will save space.

75 "size" : "100M", 86 "size" : "100M",
76 "imgver" : "2", 87 "imgver" : "2",
77 "parts" : [ 88 "parts" : [
78 { 89 {
79 "filesystem" : "ext4", 90 "filesystem" : "ext4",
80 "label" : "UPDATES_IMG", 91 "label" : "UPDATES_IMG",
81 "type" : "p", 92 "type" : "p",
82 "start" : "4096", 93 "start" : "4096",
▲ Show 20 LinesShow All 66 LinesShow Last 20 Lines