-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QE: Fix and improve the server hostname rename test #7700
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -237,16 +237,6 @@ | |
raise 'Vendor change option not found in logs' unless return_code.zero? | ||
end | ||
|
||
When(/^I apply highstate on "([^"]*)"$/) do |host| | ||
system_name = get_system_name(host) | ||
if host.include? 'ssh_minion' | ||
cmd = 'mgr-salt-ssh' | ||
elsif host.include? 'minion' or host.include? 'build' | ||
cmd = 'salt' | ||
end | ||
get_target('server').run_until_ok("#{cmd} #{system_name} state.highstate") | ||
end | ||
|
||
When(/^I wait until "([^"]*)" service is active on "([^"]*)"$/) do |service, host| | ||
node = get_target(host) | ||
cmd = "systemctl is-active #{service}" | ||
|
@@ -1469,13 +1459,18 @@ | |
When(/^I change the server's short hostname from hosts and hostname files$/) do | ||
server_node = get_target('server') | ||
old_hostname = server_node.hostname | ||
new_hostname = old_hostname + '2' | ||
new_hostname = old_hostname + '-renamed' | ||
log "Old hostname: #{old_hostname} - New hostname: #{new_hostname}" | ||
server_node.run("sed -i 's/#{old_hostname}/#{new_hostname}/g' /etc/hostname && | ||
hostname #{new_hostname} && | ||
echo '#{server_node.public_ip} #{server_node.full_hostname} #{old_hostname}' >> /etc/hosts && | ||
echo '#{server_node.public_ip} #{new_hostname}#{server_node.full_hostname.delete_prefix(server_node.hostname)} #{new_hostname}' >> /etc/hosts") | ||
get_target('server', refresh: true) # This will refresh the attributes of this node | ||
# This will refresh the attributes of this node | ||
get_target('server', refresh: true) | ||
hostname, _result = get_target('server').run('hostname') | ||
hostname.strip! | ||
|
||
raise "Wrong hostname after changing it. Is: #{hostname}, should be: #{new_hostname}" unless hostname == new_hostname | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maybe such basic checks would deserve a There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, we could do that. However, my main issue with this is, that our hostname rename and then changing the hostname back step, has a hardcoded new hostname variable in it. We do not define this new hostname in the step itself. Which is good, since across all our CIs and PR tests, the prefix of the hostname is different. Those are the reasons why I did not implement a new step of its own to check for the new hostname. |
||
|
||
# Add the new hostname on controller's /etc/hosts to resolve in smoke tests | ||
`echo '#{server_node.public_ip} #{new_hostname}#{server_node.full_hostname.delete_prefix(server_node.hostname)} #{new_hostname}' >> /etc/hosts` | ||
|
@@ -1504,8 +1499,7 @@ | |
end | ||
|
||
# Update the server CA certificate since it changed, otherwise all API and browser uses will fail | ||
update_ca('controller') | ||
update_ca('proxy') | ||
update_controller_ca | ||
|
||
# Reset the API client to take the new CA into account | ||
reset_api_client | ||
|
@@ -1514,16 +1508,43 @@ | |
raise 'Error in the output logs - see logs above' if out_spacewalk.include? 'No such file or directory' | ||
end | ||
|
||
When(/^I check all certificates after renaming the server hostname$/) do | ||
# get server certificate serial to compare it with the other minions | ||
command_server = "openssl x509 --noout --text -in /etc/pki/trust/anchors/LOCAL-RHN-ORG-TRUSTED-SSL-CERT | grep -A1 'Serial' | grep -v 'Serial'" | ||
server_cert_serial, result_code = get_target('server').run(command_server) | ||
server_cert_serial.strip! | ||
log "Server certificate serial: #{server_cert_serial}" | ||
|
||
raise 'Error getting server certificate serial!' unless result_code.zero? | ||
|
||
command_minion = "openssl x509 --noout --text -in /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT | grep -A1 'Serial' | grep -v 'Serial'" | ||
targets = %w[proxy sle_minion ssh_minion rhlike_minion deblike_minion build_host kvm_server] | ||
targets.each do |target| | ||
# get all defined minions from the environment variables and check their certificate serial | ||
next unless ENV.key? ENV_VAR_BY_HOST[target] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You can either do this or: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. But at a higher level, I think you can also do: $host_by_node.each do |node, _host|
minion_cert_serial, result_code = node.run(command_minion)
minion_cert_serial.strip!
log "#{target} certificate serial: #{minion_cert_serial}"
raise 'Error getting server certificate serial!' unless result_code.zero?
raise "Error comparing #{target} certificate with server!" unless minion_cert_serial == server_cert_serial
end Bearing in mind that if you use this suggested loop, you will be iterating over all initialized twopences, so not only some particular targets. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for the suggestion. I will do some test run with this code. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This broke the code somehow. Scenario: Check all new server certificates on the minions # features/secondary/srv_rename_hostname.feature:134
This scenario ran at: 2023-10-20 16:53:27 +0200
When I check all certificates after renaming the server hostname # features/step_definitions/command_steps.rb:1550
Server certificate serial: 35:a1:54:c6:5e:c3:f5:f5:c6:d8:52:e6:f9:73:20:a2:d1:c5:75:83
FAIL: openssl x509 --noout --text -in /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT | grep -A1 'Serial' | grep -v 'Serial' returned status code = 1.
Output:
Can't open /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT for reading, No such file or directory
139797779679040:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT','r')
139797779679040:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
(RuntimeError)
./features/support/lavanda.rb:177:in `run_local'
./features/support/lavanda.rb:155:in `run'
./features/step_definitions/command_steps.rb:1561:in `block (2 levels) in <top (required)>'
./features/step_definitions/command_steps.rb:1560:in `each'
./features/step_definitions/command_steps.rb:1560:in `/^I check all certificates after renaming the server hostname$/'
features/secondary/srv_rename_hostname.feature:135:in `I check all certificates after renaming the server hostname'
=> /var/log/rhn/rhn_web_ui.log |
||
minion_cert_serial, result_code = get_target(target).run(command_minion) | ||
minion_cert_serial.strip! | ||
log "#{target} certificate serial: #{minion_cert_serial}" | ||
|
||
raise 'Error getting server certificate serial!' unless result_code.zero? | ||
raise "Error comparing #{target} certificate with server!" unless minion_cert_serial == server_cert_serial | ||
end | ||
end | ||
|
||
When(/^I change back the server's hostname$/) do | ||
server_node = get_target('server') | ||
old_hostname = server_node.hostname | ||
new_hostname = old_hostname.delete_suffix('2') | ||
new_hostname = old_hostname.delete_suffix('-renamed') | ||
log "Old hostname: #{old_hostname} - New hostname: #{new_hostname}" | ||
server_node.run("sed -i 's/#{old_hostname}/#{new_hostname}/g' /etc/hostname && | ||
hostname #{new_hostname} && | ||
sed -i \'$d\' /etc/hosts && | ||
sed -i \'$d\' /etc/hosts") | ||
get_target('server', refresh: true) # This will refresh the attributes of this node | ||
hostname, _result = get_target('server').run('hostname') | ||
hostname.strip! | ||
|
||
raise "Wrong hostname after changing it. Is: #{hostname}, should be: #{new_hostname}" unless hostname == new_hostname | ||
|
||
# Cleanup the temporary entry in /etc/hosts on the controller | ||
`sed -i \'$d\' /etc/hosts` | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would use SSM to apply high state to all the registered systems at the same time.
That way if we add any other system in our CI test suite later, we don't need to go here and maintain this part.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. I still have issues with high state for the proxy when doing it with Salt:
which uses
And running
salt dominik-pxy.mgr.suse.de state.highstate
manually from the server works.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After wondering about SSM, I think we do not yet have a step to select all systems from the systems list and add them to the SSM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here a new proposal scenario that will apply high-state in all registered systems:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the suggestion. I will do some test run with this code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems no systems were selected before. This is the screen when no systems are currently selected: