Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test_dnssec: re-add named-pkcs11 workarounds #1559

Closed
wants to merge 3 commits into from

Conversation

@tiran
Copy link
Member

commented Feb 9, 2018

DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc6775
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Related https://pagure.io/freeipa/issue/5348

Clone of @tomaskrizek PR #973

@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch 2 times, most recently from 2cb1c6a to ceabb9d Feb 9, 2018
@felipevolpone

This comment has been minimized.

Copy link
Member

commented Mar 26, 2018

Hi @tiran, could you please rebase this PR and add this to .freeipa-pr-ci.yaml file? This way we can run test_dnssec tests here before acking this PR.

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml                                          
index c95bef79e..28a086464 100644               
--- a/.freeipa-pr-ci.yaml                       
+++ b/.freeipa-pr-ci.yaml                       
@@ -11,6 +11,10 @@ topologies:                  
     name: master_1repl_1client                 
     cpu: 4                                     
     memory: 6700                               
+  master_2repl_1client: &master_2repl_1client  
+    name: master_2repl_1client                 
+    cpu: 5                                     
+    memory: 9100                               
                                                
 jobs:                                          
   fedora-27/build:                             
@@ -182,3 +186,15 @@ jobs:                      
         template: *ci-master-f27               
         timeout: 3600                          
         topology: *master_1repl                
+                                               
+  fedora-27/test_dnssec:                       
+    requires: [fedora-27/build]                
+    priority: 50                               
+    job:                                       
+      class: RunPytest                         
+      args:                                    
+        build_url: '{fedora-27/build_url}'     
+        test_suite: test_integration/test_dnssec.py                                            
+        template: *ci-master-f27               
+        timeout: 7200                          
+        topology: *master_2repl_1client  
@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch from ceabb9d to 59be207 Mar 26, 2018
@tiran

This comment has been minimized.

Copy link
Member Author

commented Mar 26, 2018

@felipevolpone done

@tiran tiran requested a review from felipevolpone Mar 26, 2018
@tiran tiran added the re-run label Mar 27, 2018
@freeipa-pr-ci2 freeipa-pr-ci2 removed the re-run label Mar 27, 2018
@felipevolpone

This comment has been minimized.

Copy link
Member

commented Mar 27, 2018

We have only one test failing. Is it related to the changes in this PR?

@tiran

This comment has been minimized.

Copy link
Member Author

commented Mar 27, 2018

I don't understand why the test is failing. Do you have some time to investigate?

@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch from 59be207 to 93d2342 Apr 4, 2018
@slaykovsky slaykovsky added the re-run label Apr 5, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run label Apr 5, 2018
@slaykovsky slaykovsky added the re-run label Apr 6, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run label Apr 6, 2018
@slaykovsky slaykovsky added the re-run label Apr 6, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run label Apr 6, 2018
@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch from 93d2342 to 0043548 Apr 10, 2018
@tiran tiran added the re-run label Apr 10, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run label Apr 10, 2018
@tiran tiran added the re-run label Apr 10, 2018
@freeipa-pr-ci freeipa-pr-ci added needs rebase and removed re-run labels Apr 10, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run label Apr 17, 2018
@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch from 0043548 to 649fdde Apr 17, 2018
@tiran

This comment has been minimized.

Copy link
Member Author

commented Apr 17, 2018

I have included @abbra PR #1793 (with small modifications) to this DNSSEC test PR. Let's hope that the combined powers fix the DNSSEC testing issues once and for all.

@tiran tiran removed the needs rebase label Apr 17, 2018
@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch from 5b55d53 to e1c26d4 Jun 19, 2018
@tiran tiran added the re-run label Jun 19, 2018
@freeipa-pr-ci2 freeipa-pr-ci2 removed the re-run label Jun 19, 2018
@tiran tiran added the re-run label Jun 19, 2018
@freeipa-pr-ci2 freeipa-pr-ci2 removed the re-run label Jun 19, 2018
@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch 5 times, most recently from 9521547 to eefcdb1 Jun 19, 2018
@tiran tiran requested a review from abbra Jun 20, 2018
@abbra

This comment has been minimized.

Copy link
Contributor

commented Jun 21, 2018

Changes looks good. Please remove the temp commit.

Tomas Krizek and others added 3 commits Aug 15, 2017
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc6775
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Run DNSSEC tests on PR-CI

Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.

This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.

This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.

Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.

See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
@tiran tiran force-pushed the tiran:dnssec_tests_workarounds branch from eefcdb1 to 415a3d1 Jun 21, 2018
@tiran tiran added the re-run label Jun 21, 2018
@freeipa-pr-ci2 freeipa-pr-ci2 removed the re-run label Jun 21, 2018
@tiran tiran added the re-run label Jun 21, 2018
@freeipa-pr-ci2 freeipa-pr-ci2 removed the re-run label Jun 21, 2018
@abbra abbra added ack and removed needs review labels Jun 21, 2018
@tiran tiran added the pushed label Jun 21, 2018
@tiran

This comment has been minimized.

Copy link
Member Author

commented Jun 21, 2018

master:

  • 6fb45d2 test_dnssec: re-add named-pkcs11 workarounds
  • dae4aac Tests: Set default TTL for DNS zones to 1 sec
  • 3a8f0bb Remove restarted_named and xfail
@tiran tiran closed this Jun 21, 2018
@tiran tiran deleted the tiran:dnssec_tests_workarounds branch Jun 21, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can’t perform that action at this time.