On Fri, 2018-06-15 at 09:24 +0300, Alexander Bokovoy wrote:
Hi,
as discussed earlier[1], I'm proposing to extend Fedora Server release
criteria to include replicated topology testing for domain controllers
shipped with Fedora Server. This is an aspirational goal as there are
limiting factors right now.
Fedora Server ships with two domain controllers: FreeIPA and Samba AD.
OpenQA infrastructure uses domain controller-agnostic approach to enroll
clients and deploys domain controllers and clients with the help of
rolekit. There is only one type supported currently to deploy a domain
controller: FreeIPA, and only a single domain controller can be
deployed.
As result, large part of FreeIPA functionality is not tested at all
because we are not able to deploy FreeIPA replicas in OpenQA via
rolekit. With an ongoing Python 3 and NSS to OpenSSL migration for
FreeIPA, Dogtag, SSSD, and other related components, we aren't testing
critical integration of these components within Fedora.
FreeIPA upstream has a testing infrastructure that allows to test
different topologies for a replicated FreeIPA deployment. The tests run
against each pull request upstream and there are 'nightly' test suites
which kicked off several times a week. These tests, however, use a fixed
Fedora image, regenerated regularly but typically tracking current
Fedora stable release, not Rawhide.
Ideally, a test covering basic replication scenario needs to exist for
Rawhide/Branched.OpenQA uses rolekit to deploy a DC. Rolekit does not
have support for deploying a replica. Rolekit is supposed to be
deprecated (dead in development). It shouldn't be hard to extend rolekit
to run FreeIPA replica promotion, though.
Based on the above, if we would extend rolekit, I believe it would be
relatively easy to extend OpenQA tests to add a second domain controller
into a test environment and check whether a client enrolled into the
domain against one domain controller can use management services from
the other domain controller.
When such extension is ready for FreeIPA, we can establish a release
criteria to include a test of replicated topology for domain controller
technology in Fedora Server.
Note that I'm trying to keep this generic to allow us to add Samba AD as
a tested domain controller later. This, however, raises a question on
whether rolekit way of configuring servers is a right approach going
forward.
Rolekit is supposed to go away; what we're missing there is basically
someone doing the work of reformulating the PRD, tech spec and then
criteria around...*not* using rolekit. Once that's done we can update
the test cases and the openQA tests.
As a practical matter, we can implement testing of this without
extending rolekit, I think. All rolekit ultimately does is call ipa-
server-install. We could certainly retain the existing deployment of
the *initial* controller via rolekit, but extend things so we deploy a
replica controller not via rolekit.
It's currently intentional that we do not treat Samba AD as release-
blocking / supported / whatever for Server. It's just outside the scope
of Server by design. What's in scope is acting as a *client* of an
Active Directory domain, but we specifically mean actual Microsoft AD
domains there, not Samba AD. This could be revisited, but it was
specifically decided back when we were initially setting up the Server
requirements.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net