Test script for ipa-custodia #948
Conversation
LGTM
@stlaz suggested to add the script to freeipa tools rather than freeipa's contrib directory. I'm happy with either.
Looks good to me. Perhaps we may keep it here. If you please rebase the PR on current master, @tiran, so that the tests pass and we can push it, that'd be nice :)
Hi @tiran, rebasing to master could help the pr-ci tests pass. Could you please try it?
Hi @tiran, Thank you for this tool! When ipa-custodia-check is run with target server=replica which does not have the CA installed, it reports errors trying to retrieve ca/* keys. To me this should not be considered as an error because the replica does not store the keys. The tool could add a check on the server role "CA" and try to retrieve ca/* keys only if the CA role is present, or turn the error into a warning. An error also happens if run with --store from a replica without CA with target server = CA, because the tool needs /etc/pki/pki-tomcat/password.conf in order to store the certs, and the directory /etc/pki/pki-tomcat does not exist if the replica doesn't have the CA role.
By default the test script attempts to retrieve all possible secrets. IMO it's the correct answer, too. After all the remote server is not able to offer these secrets and therefore cannot be used to create a CA replica. You can limit the keys with command line options, e.g. The store option is rather dangerous. I've changed the script to suppress the option. It's still there but
It doesn't handle running on an unconfigured server:
I've added a check for
Signed-off-by: Christian Heimes <cheimes@redhat.com>
This looks ok. Before I give it the ack, is there a reason you are installing into libexec rather than bin/sbin? I'm assuming it is because it is a diagnostic and not meant for regular use but just want to confirm first.
Yes, you are correct. I don't want to have a diagnostic tool in sbin. It's not useful for a general audience. The script is designed for the rare occasion of a failing replica installation.
master:
You may find my test script for ipa-custodia useful for testing and debugging issues like https://bugzilla.redhat.com/show_bug.cgi?id=1476150
Signed-off-by: Christian Heimes <cheimes@redhat.com>