On Sun, 2023-06-18 at 07:36 +0200, Adam Williamson wrote:
Hi folks! I want to talk about the Active Directory requirements in
the
release criteria.
Since Fedora Server was created, we've had this in the criteria:
"It must be possible to join the system to a FreeIPA or Active
Directory domain at install time and post-install, and the system must
respect the identity, authentication and access control configuration
provided by the domain."
...plus various further requirements at Beta and Final.
For FreeIPA we have this testing entirely automated, it's no problem at
all. For Active Directory we...don't. At every release point this does
not get tested until very late. Often Stephen Gallagher has to test it
manually at the very last minute, which is an unfair burden on him.
When we *do* find problems, there is a mad scramble to fix them or at
least find workarounds, because we find them way too late.
We've looked into automating it and still kinda intend to do so, but
it's not really simple. There's a legal side to it - it's not clear
what the licensing requirements involved would be - and a technical
side to it - we'd need a way to reliably and quite quickly deploy an AD
domain controller using openQA automation, which is not a trivial job.
When I estimate the time that's going to take and consider what *else*
I (or anyone else) could do with that time, I'm not certain that
"automating AD testing" is the best use of it. To me it doesn't feel
like a really key feature of Fedora to the point that would justify the
work involved, or justify continuing to throw Stephen and others under
the last-minute-manual-testing bus. But I'm not sure!
What do others think? Do you use the AD client support of Fedora
Server? Do you think it's a key feature that we should keep as a
release-blocking requirement, or no?
Hey folks! Just to give an update on this, as I'm not sure I ever did
on the list: the current plan is to not drop the criterion, but instead
implement automated testing based on Samba AD (not Microsoft AD).
I am working on this at present and have got quite far, should have it
completed next week.
What I intend after that is that we will be OK with releasing so long
as the automated tests against Samba AD pass, but if anyone decides to
manually test against Microsoft AD and finds a bug, that can
potentially be a blocker. But we will not block the release on making
sure Microsoft AD has been tested.
Does this sound like a decent solution to everyone? Thanks!
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw(a)fosstodon.org
https://www.happyassassin.net