Hi,

as discussed earlier[1], I'm proposing to extend Fedora Server release
criteria to include replicated topology testing for domain controllers
shipped with Fedora Server. This is an aspirational goal as there are
limiting factors right now.

Fedora Server ships with two domain controllers: FreeIPA and Samba AD.
OpenQA infrastructure uses a domain controller-agnostic approach to enroll
clients and deploys domain controllers and clients with the help of
rolekit. There is only one type supported currently to deploy a domain
controller: FreeIPA, and only a single domain controller can be
deployed.

As a result, a large part of FreeIPA functionality is not tested at all
because we are not able to deploy FreeIPA replicas in OpenQA via
rolekit. With an ongoing Python 3 and NSS to OpenSSL migration for
FreeIPA, Dogtag, SSSD, and other related components, we aren't testing
critical integration of these components within Fedora.

FreeIPA upstream has a testing infrastructure that allows testing
different topologies for a replicated FreeIPA deployment. The tests run
against each pull request upstream and there are 'nightly' test suites
which are kicked off several times a week. These tests, however, use a fixed
Fedora image, regenerated regularly but typically tracking current
Fedora stable release, not Rawhide.

Ideally, a test covering a basic replication scenario needs to exist for
Rawhide/Branched.

OpenQA uses rolekit to deploy a DC. Rolekit does not
have support for deploying a replica. Rolekit is supposed to be
deprecated (dead in development). It shouldn't be hard to extend rolekit
to run FreeIPA replica promotion, though.

Based on the above, if we would extend rolekit, I believe it would be
relatively easy to extend OpenQA tests to add a second domain controller
into a test environment and check whether a client enrolled into the
domain against one domain controller can use management services from
the other domain controller.

When such an extension is ready for FreeIPA, we can establish a release
criterion to include a test of replicated topology for domain controller
technology in Fedora Server.

Note that I'm trying to keep this generic to allow us to add Samba AD as
a tested domain controller later. This, however, raises a question on
whether the rolekit way of configuring servers is a right approach going
forward.

--
/ Alexander Bokovoy