diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf index 011d03c8..fd8b94e3 100644 --- a/data/configs/dnsmasq.conf +++ b/data/configs/dnsmasq.conf @@ -12,6 +12,7 @@ cache-size=0 # These zones have their own DNS server server=/ipa.test/172.16.100.10 +server=/ipa2.test/172.16.100.11 server=/samba.test/172.16.100.30 server=/ad.test/172.16.200.10 @@ -35,3 +36,4 @@ ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test ptr-record=40.100.16.172.in-addr.arpa,client.test ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test +ptr-record=80.100.16.172.in-addr.arpa,master.ipa2.test diff --git a/data/ssh-keys/hosts/master.ipa2.test.ecdsa_key b/data/ssh-keys/hosts/master.ipa2.test.ecdsa_key new file mode 100644 index 00000000..035d5e67 --- /dev/null +++ b/data/ssh-keys/hosts/master.ipa2.test.ecdsa_key @@ -0,0 +1,9 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS +1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQS8NdlhWjczTrSSmXrPIm5dxUPF9l1r +n6/iWMQOvSied2nz1L7KlcL10FY8fV/CSfHdLav4ZUqcVA5IlnHcboZYAAAAuIaESlSGhE +pUAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLw12WFaNzNOtJKZ +es8ibl3FQ8X2XWufr+JYxA69KJ53afPUvsqVwvXQVjx9X8JJ8d0tq/hlSpxUDkiWcdxuhl +gAAAAhANtStHx78vkgxkGy20Ad7KyCGgDsRsCbV0vyPQEHnAL8AAAAG1dlbGwga25vd24g +a2V5IGZvciBzc3NkLWNpLgECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/data/ssh-keys/hosts/master.ipa2.test.ecdsa_key.pub b/data/ssh-keys/hosts/master.ipa2.test.ecdsa_key.pub new file mode 100644 index 00000000..4d957205 --- /dev/null +++ b/data/ssh-keys/hosts/master.ipa2.test.ecdsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLw12WFaNzNOtJKZes8ibl3FQ8X2XWufr+JYxA69KJ53afPUvsqVwvXQVjx9X8JJ8d0tq/hlSpxUDkiWcdxuhlg= Well known key for sssd-ci. 
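Review bot: The reverse record added in the second hunk, `ptr-record=80.100.16.172.in-addr.arpa,master.ipa2.test`, maps 172.16.100.80 to the new host, while every other place in this commit puts master.ipa2.test at 172.16.100.11 — the `server=/ipa2.test/172.16.100.11` line added in the first hunk, the compose `ipv4_address`, the readme table and the `/etc/hosts` entry. Reverse lookup of the new IPA server therefore answers nothing for .11 (and would answer with the wrong name should .80 ever be assigned), which IPA's own host and Kerberos checks may trip over. Following the existing pattern, where keycloak at .70 has `70.100.16.172`, the line should read `ptr-record=11.100.16.172.in-addr.arpa,master.ipa2.test`.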
diff --git a/data/ssh-keys/hosts/master.ipa2.test.ed25519_key b/data/ssh-keys/hosts/master.ipa2.test.ed25519_key new file mode 100644 index 00000000..3b2d2ff0 --- /dev/null +++ b/data/ssh-keys/hosts/master.ipa2.test.ed25519_key @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACCjsyIr5pg77lSpJ3be3Bws6peMckoZPcaoxzV9nOd6dgAAAKDuA//H7gP/ +xwAAAAtzc2gtZWQyNTUxOQAAACCjsyIr5pg77lSpJ3be3Bws6peMckoZPcaoxzV9nOd6dg +AAAEA9qGHT87bpptMonGNLVVli2ey6arjyf3Yy7fi8FC02JqOzIivmmDvuVKkndt7cHCzq +l4xyShk9xqjHNX2c53p2AAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC +-----END OPENSSH PRIVATE KEY----- diff --git a/data/ssh-keys/hosts/master.ipa2.test.ed25519_key.pub b/data/ssh-keys/hosts/master.ipa2.test.ed25519_key.pub new file mode 100644 index 00000000..e119e3e9 --- /dev/null +++ b/data/ssh-keys/hosts/master.ipa2.test.ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOzIivmmDvuVKkndt7cHCzql4xyShk9xqjHNX2c53p2 Well known key for sssd-ci. diff --git a/data/ssh-keys/hosts/master.ipa2.test.rsa_key b/data/ssh-keys/hosts/master.ipa2.test.rsa_key new file mode 100644 index 00000000..55e179cb --- /dev/null +++ b/data/ssh-keys/hosts/master.ipa2.test.rsa_key 
@@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAjZ1FeLKLYYNBDJkA8BfMTKVRD2jZOn3YPWN3uezc7Rx5w1x/0rqW +tLRZdz2QV+K7BmqhhcuotNr2g1uf3eZSZL1p7OZ10INuET2ZyoLANM1ME22S+Qedan8uU7 +bN/KH/VW1QF1NHvI/C2uMUcGIzoKWrfyGSNp6vWvhIG6qjm8IcK4IcLeGh+wVNCEoH7EVv +EqxSVbiPkqvEAZ0X4UbXpEXrFi9BL25KbyD+yevHFPfhb2PP2pVQfz2Ip6CJ8XhvNrE1s1 +3EiDYugbMjDmzJNwyZNPiarIXqqgfI3R/nj/jLgBl6r0uOAMPpFNJambmDxXoW6bjadfeE ++Lgb/OtrrLNaqdzg3d8C0EKFwdA7rXS+iZTc4skldnoZGyw4wojTxTPkG7khSH1D1N47gW +VAzPnZySAcyCMvQHRbYpHu5va+Ye6vCYvzp+7k3mm1S2zzS5qB/Mzg9thP16s7JKtvS29l +38MqhsMedvJAoBvTpQck7aoL9vIl0Ylie7AGkszBAAAFkNCDdlfQg3ZXAAAAB3NzaC1yc2 +EAAAGBAI2dRXiyi2GDQQyZAPAXzEylUQ9o2Tp92D1jd7ns3O0cecNcf9K6lrS0WXc9kFfi +uwZqoYXLqLTa9oNbn93mUmS9aezmddCDbhE9mcqCwDTNTBNtkvkHnWp/LlO2zfyh/1VtUB +dTR7yPwtrjFHBiM6Clq38hkjaer1r4SBuqo5vCHCuCHC3hofsFTQhKB+xFbxKsUlW4j5Kr +xAGdF+FG16RF6xYvQS9uSm8g/snrxxT34W9jz9qVUH89iKegifF4bzaxNbNdxIg2LoGzIw +5syTcMmTT4mqyF6qoHyN0f54/4y4AZeq9LjgDD6RTSWpm5g8V6Fum42nX3hPi4G/zra6yz +Wqnc4N3fAtBChcHQO610vomU3OLJJXZ6GRssOMKI08Uz5Bu5IUh9Q9TeO4FlQMz52ckgHM +gjL0B0W2KR7ub2vmHurwmL86fu5N5ptUts80uagfzM4PbYT9erOySrb0tvZd/DKobDHnby +QKAb06UHJO2qC/byJdGJYnuwBpLMwQAAAAMBAAEAAAGAMVA6YGjgM3E25jGji3fmCyyoOR +L8TiuDcQEhsItkdWcsmZSs6E9UapHA885q5MfN89KO853zXiM/o4d0+JsbRvxUlgu8rAMQ +gY1vb/8u+lQhMUS/YNu/e9XU5o7qVRZ+aRubP7we53EyW/GmbOotazw1p5wjo8SHcMizp3 +q45WTnVVlGAc4oD1cNt5y7/JFDN//s3e/agyswIpW3OpnmPsygLAYBj4g7AE6/msXxegJF +rPnXaBkFwoFFhIXZc05J+0uQzUYoFPSCHg5MV9oMlQ4QNv01TEUnpBTbWd2ujhfKUlImAA +RHOf0xQx1/ktSQE5SsmRnEFGmAjkSUooEvCt/AXHjN87SoUWgEklr63viymWNAfdcRcsOa +/cj1sCsYBxJUMpivPQ05N6tbP7ikOvxX/mpfPsg7P7NrpoNVp8gwsCG8eNJEPrOTOO5C2j +iAFtDbp+uZ7QxgMfFSIxdwQU4A38rCaMe2opnvEHYEkrOyRi43X2QH2YW/9Au9LxLPAAAA +wH3G2wy2i2BpzWG8Tvww9x6dyigivn1JTY2HOh8pihcvGbs72HYQAHVXCoALIlMXnevpw8 ++RI5Tta058yoGmoVwi48ZBzMnkvoFmaU6lZf2Gy7LODZX3JGIo+qSayYUH8tX37ZU96QC7 +TJOyDuwQu0vQf/G7OvCLWKekgS7TAzK6Rk0lsVkCXc7HF6LpYdYt6b6na/vaLx5TT1ywbs 
+pGSUrh7jvgCkFviNgMNKmd1R9wRzQFaNoYjCQaCBFSmh9MqQAAAMEAxnKJ+RRL6AbBpxye +fnW/ciGLo4l/EbJC6imT0AFgYw6Gu1epiCVBTD6oERAgxs+3fu6DnxWVLojWpTT9RESkYJ +PVUzAnp4cgdf4vyyj80dAsJ3RbGU+Y1hZWKdb5COLvMiXg8orMgCvNhADD6Az8cG+ncVPz +busx+kStztT8Uy4VwwxQutglQYqvp0o6M4Kb5r8s6kAQu55ENhOSKUIKfU1//VPN5dQ/wV +71jNvU5ym07UgcZNhkyNw97WOyFfVzAAAAwQC2rzy87d7qskmkNN11lSkh1L52NcQyxhsE +jX+FjMTRbr4YgdnsU9tTtAigYrfQqDL4WGNPrnsA0qse32Ed3nNM1QdI/Mzni3eyK0ayqd +tPE2CdrqxYW2Brlp5luHwaFlW2UvrmZ5H+Yw80tVfXZrRZkmzHD0kCFkwZqYBtbMY19mMa +K8NmGXEMYPHGk/uHPruS57jr/h4Of8x2QlJ2aSBTRom1Ah42zZJgVqZO6MdY40EJBSfE5m +z7ClUXMywXB/sAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku +-----END OPENSSH PRIVATE KEY----- diff --git a/data/ssh-keys/hosts/master.ipa2.test.rsa_key.pub b/data/ssh-keys/hosts/master.ipa2.test.rsa_key.pub new file mode 100644 index 00000000..f6d10df5 --- /dev/null +++ b/data/ssh-keys/hosts/master.ipa2.test.rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa 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 Well known key for sssd-ci. diff --git a/docker-compose.yml b/docker-compose.yml index 4ab587b2..4191488c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -44,6 +44,33 @@ services: networks: sssd: ipv4_address: 172.16.100.10 + ipa2: + image: ${REGISTRY}/ci-ipa2:${TAG} + container_name: ipa2 + hostname: master.ipa2.test + dns: 172.16.100.2 + env_file: ./env.containers + volumes: + - ./shared:/shared:rw + cap_add: + - SYS_ADMIN + - SYS_PTRACE + - AUDIT_WRITE + - AUDIT_CONTROL + - SYS_CHROOT + - NET_ADMIN + - CAP_CHOWN + - CAP_DAC_OVERRIDE + - CAP_SETGID + - CAP_SETUID + - CAP_DAC_READ_SEARCH + security_opt: + - apparmor=unconfined + - label=disable + - seccomp=unconfined + networks: + sssd: + ipv4_address: 172.16.100.11 ldap: image: ${REGISTRY}/ci-ldap:${TAG} container_name: ldap diff --git a/readme.md b/readme.md index 873a8ae5..4d16601f 100644 --- a/readme.md +++ b/readme.md 
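Review bot: The new `ipa2` service carries a full copy of the `dns`, `env_file`, `volumes`, `cap_add` and `security_opt` block (presumably identical to the `ipa` service above, whose body lies outside the hunk), so the two will drift the next time a capability is added or removed, and the reason this near-host-level privilege set (`SYS_ADMIN` plus `seccomp=unconfined` and `apparmor=unconfined`) is required is not recorded for either service. A top-level extension field with an anchor, merged into both services with `<<: *ipa-common`, keeps one copy and gives the comment a single home; the fence shows `ipa2` reduced to what actually differs. Within the copied list the capability names are spelled two ways (`SYS_ADMIN` without the prefix, `CAP_CHOWN` with it); Compose accepts both, but one spelling is easier to audit.
```yaml
# top level, beside `services:`; document here why the caps/seccomp settings are needed
x-ipa-common: &ipa-common
  dns: 172.16.100.2
  env_file: ./env.containers
  volumes:
    - ./shared:/shared:rw
  cap_add:
    # … unchanged: the capability list from this hunk, with one spelling …
  security_opt:
    - apparmor=unconfined
    - label=disable
    - seccomp=unconfined

  ipa2:
    <<: *ipa-common
    image: ${REGISTRY}/ci-ipa2:${TAG}
    container_name: ipa2
    hostname: master.ipa2.test
    networks:
      sssd:
        ipv4_address: 172.16.100.11
```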
@@ -81,6 +81,7 @@ perfoming an `ldapsearch`).
 | nfs | `172.16.100.50` | `nfs.test` | NFS server |
 | kdc | `172.16.100.60` | `kdc.test` | Kerberos KDC |
 | keycloak | `172.16.100.70` | `master.keycloak.test` | Keycloak IdP |
+| ipa2 | `172.16.100.11` | `master.ipa2.test` | IPA server in different realm |
 ## Available user accounts
diff --git a/src/ansible/group_vars/all b/src/ansible/group_vars/all
index a36830bc..f1620faf 100644
--- a/src/ansible/group_vars/all
+++ b/src/ansible/group_vars/all
@@ -6,6 +6,13 @@ service: {
 netbios: 'IPA',
 password: 'Secret123'
 },
+ ipa2: {
+ domain: 'ipa2.test',
+ hostname: 'master',
+ fqn: 'master.ipa2.test',
+ netbios: 'IPA2',
+ password: 'Secret123'
+ },
 ldap: {
 domain: 'ldap.test',
 hostname: 'master',
diff --git a/src/ansible/inventory.yml b/src/ansible/inventory.yml
index de5d0276..64dca485 100644
--- a/src/ansible/inventory.yml
+++ b/src/ansible/inventory.yml
@@ -53,6 +53,8 @@ all:
 hosts:
 master.ipa.test:
 ansible_host: sssd-wip-ipa
+ master.ipa2.test:
+ ansible_host: sssd-wip-ipa2
 ldap:
 hosts:
 master.ldap.test:
diff --git a/src/ansible/roles/cleanup/tasks/main.yml b/src/ansible/roles/cleanup/tasks/main.yml
index 58c032c1..2c3c35a4 100644
--- a/src/ansible/roles/cleanup/tasks/main.yml
+++ b/src/ansible/roles/cleanup/tasks/main.yml
@@ -7,7 +7,7 @@
 - name: Remove 389ds database to make image smaller
 shell: rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.*
- when: inventory_hostname == 'master.ipa.test' or inventory_hostname == 'ipa-devel'
+ when: inventory_hostname in groups["ipa"] or inventory_hostname == 'ipa-devel'
 - name: Minimize LDAP service container
 block:
@@ -29,4 +29,4 @@
 - name: Remove SSSD's database and logs
 shell: rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
- when: inventory_hostname == 'client.test' or inventory_hostname == 'master.ipa.test'
+ when: inventory_hostname in groups["client"] or inventory_hostname in groups["ipa"]
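Review bot: The first cleanup hunk widens the 389ds task to every host in `groups["ipa"]`, but the command it guards is still `rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.*`, an instance name specific to the ipa.test realm; on master.ipa2.test (domain `ipa2.test`, netbios `IPA2` per the group_vars added in this commit) the instance directory is presumably named after that realm, so the glob matches nothing and, because of `-f`, the image silently stays large. Globbing the instance, `shell: rm -f /var/lib/dirsrv/slapd-*/db/__db.*`, covers both servers without hard-coding either; if the ipa2 directory name turns out to differ, derive it from the realm instead. Separately, `groups["ipa"]` (and `groups["client"]` in the second hunk) raises when the inventory has no such group, where the old hostname comparison simply evaluated false; `groups.get("ipa", [])` keeps that tolerance if these tasks are ever run against a partial inventory.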
diff --git a/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2 b/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
index 6691d1c1..bc5ccb36 100644
--- a/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
+++ b/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
@@ -13,9 +13,9 @@ domain=test
 cache-size=0
 # These zones have their own DNS server
-{% if 'master.ipa.test' in hostvars %}
-server=/ipa.test/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
-{% endif %}
+{% for host in groups['ipa'] %}
+server=/{{ hostvars[host]['ansible_facts']['domain'] }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
+{% endfor %}
 {% if 'dc.samba.test' in hostvars %}
 server=/samba.test/{{ hostvars['dc.samba.test']['ansible_facts']['default_ipv4']['address'] }}
 {% endif %}
@@ -29,6 +29,7 @@ server=/{{ hostvars[ad]['ansible_facts']['windows_domain'] }}/{{ hostvars[ad]['a
 {% if 'master.ipa.test' in hostvars %}
 # Add reverse zones for artificial hosts in IPA domain
+{% if 'master.ipa.test' in hostvars %}
 server=/251.255.10.in-addr.arpa/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
 {% endif %}
@@ -53,4 +54,4 @@ ptr-record={{ hostvars[host]['ansible_facts']['default_ipv4']['address'].split('
 {% elif hostvars[host].ansible_system == 'Win32NT' %}
 ptr-record={{ hostvars[host]['ansible_facts']['ip_addresses'][0].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
 {% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/src/ansible/roles/ipa/tasks/main.yml b/src/ansible/roles/ipa/tasks/main.yml
index db36452f..37557362 100644
--- a/src/ansible/roles/ipa/tasks/main.yml
+++ b/src/ansible/roles/ipa/tasks/main.yml
@@ -110,6 +110,7 @@
 ipa --no-prompt dnszone-add --name-from-ip 10.255.251.0/24
 args:
 stdin: '{{ ipa_password }}'
+ when: inventory_hostname == 'master.ipa.test'
 - name: 'Check trust with other domains'
 shell: |
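Review bot: `{% for host in groups['ipa'] %}` in the first hunk drops the presence check the removed `{% if 'master.ipa.test' in hostvars %}` gave: when the inventory the dns role renders against has no `ipa` group, `groups['ipa']` is undefined and the whole template fails instead of omitting the zone, whereas the samba block right below it still tests `in hostvars` first. `{% for host in groups['ipa'] | default([]) %}` restores that tolerance. The zone name is now taken from `hostvars[host]['ansible_facts']['domain']`, i.e. from facts gathered on each IPA container, rather than from the `service.*.domain` values this commit adds to group_vars; that presumably yields `ipa.test` and `ipa2.test` because the compose `hostname:` is the FQDN, but it silently depends on fact gathering having run for every IPA host, which the hunk does not show.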
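Review bot: In the second hunk (`@@ -29,6 +29,7 @@`) the added `{% if 'master.ipa.test' in hostvars %}` sits directly under a context line that already opens the same `{% if %}`, and the hunk shows only one `{% endif %}`, so as this patch reads the template opens two blocks and closes one, which Jinja rejects at render time. If the intent was to move the guard below the comment, the existing context line should become a removed line; if the collapsed rendering of this page dropped an `{% endif %}`, disregard. Rendering the template once against the new inventory before merging would settle it.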
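Review bot: The ipa role now selects hosts by literal hostname — `when: inventory_hostname == 'master.ipa.test'` on the dnszone-add task here, and `- inventory_hostname != 'master.ipa2.test'` three times in the following hunks (`@@ -144`, `@@ -167`, `@@ -182`) — so the positive and negative forms diverge as soon as a third IPA host is added, and the intent (only the primary server creates the artificial reverse zone and establishes trusts) is stated nowhere. A per-host variable that carries that intent, e.g. `ipa_primary: false` on master.ipa2.test in the inventory and `when: ipa_primary | default(true)` in all four tasks, replaces the four string comparisons with one switch. The task this `when:` is attached to starts outside the hunk.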
@@ -144,6 +145,7 @@
 - '"samba" in groups and groups["samba"]'
 - join_samba
 - trust_ipa_samba
+ - inventory_hostname != 'master.ipa2.test'
 - name: 'Setup trust with AD'
 block:
@@ -167,6 +169,8 @@
 when:
 - 'ad_domain not in trust.stdout'
 - not trust_ipa_ad_two_way
+ - inventory_hostname != 'master.ipa2.test'
+
 - name: Run ipa trust-add (two-way)
 shell: |
 kinit admin
@@ -182,3 +186,4 @@
 - '"ad" in groups and groups["ad"]'
 - join_ad
 - trust_ipa_ad
+ - inventory_hostname != 'master.ipa2.test'
diff --git a/src/build.sh b/src/build.sh
index 0014303f..f832ec51 100755
--- a/src/build.sh
+++ b/src/build.sh
@@ -140,6 +140,7 @@ ansible-playbook $ANSIBLE_OPTS ./ansible/playbook_image_service.yml
 compose stop
 build_service_image sssd-wip-client client
 build_service_image sssd-wip-ipa ipa
+build_service_image sssd-wip-ipa2 ipa2
 build_service_image sssd-wip-ldap ldap
 build_service_image sssd-wip-samba samba
 build_service_image sssd-wip-nfs nfs
diff --git a/src/docker-compose.build.yml b/src/docker-compose.build.yml
index 22211d28..a94c6011 100644
--- a/src/docker-compose.build.yml
+++ b/src/docker-compose.build.yml
@@ -5,6 +5,9 @@ services:
 ipa:
 image: localhost/sssd/ci-base-ipa:${TAG}
 container_name: sssd-wip-ipa
+ ipa2:
+ image: localhost/sssd/ci-base-ipa:${TAG}
+ container_name: sssd-wip-ipa2
 ldap:
 image: localhost/sssd/ci-base-ldap:${TAG}
 container_name: sssd-wip-ldap
diff --git a/src/push.sh b/src/push.sh
index 9c70d616..fc4eeeb1 100755
--- a/src/push.sh
+++ b/src/push.sh
@@ -66,6 +66,7 @@ push ci-dns latest ""
 push ci-client "$TAG" "$EXTRA_TAGS"
 push ci-client-devel "$TAG" "$EXTRA_TAGS"
 push ci-ipa "$TAG" "$EXTRA_TAGS"
+push ci-ipa2 "$TAG" "$EXTRA_TAGS"
 push ci-ipa-devel "$TAG" "$EXTRA_TAGS"
 push ci-ldap "$TAG" "$EXTRA_TAGS"
 push ci-samba "$TAG" "$EXTRA_TAGS"
diff --git a/src/tools/gen-ssh-keys.sh b/src/tools/gen-ssh-keys.sh
index 395aa1de..e1cf90aa 100755
--- a/src/tools/gen-ssh-keys.sh
+++ b/src/tools/gen-ssh-keys.sh
@@ -17,7 +17,7 @@ mkdir -p $OUT
 mkdir -p $OUT/hosts
 for name in client.test dc.samba.test dns.test kdc.test \
- master.ipa.test master.keycloak.test master.ldap.test nfs.test; do
+ master.ipa.test master.ipa2.test master.keycloak.test master.ldap.test nfs.test; do
 for type in ecdsa ed25519 rsa; do
 ssh-keygen -C "Well known key for sssd-ci." -t $type -f "$OUT/hosts/$name.${type}_key" -N "" <<< y
 done
diff --git a/src/tools/setup-dns-files.sh b/src/tools/setup-dns-files.sh
index 056d8b1f..7ea3b5cb 100755
--- a/src/tools/setup-dns-files.sh
+++ b/src/tools/setup-dns-files.sh
@@ -17,6 +17,7 @@ sed -i '/client.test/d' /etc/hosts
 sed -i '/nfs.test/d' /etc/hosts
 sed -i '/kdc.test/d' /etc/hosts
 sed -i '/dc.ad.test/d' /etc/hosts
+sed -i '/master.ipa2.test/d' /etc/hosts
 # Append the lines
 echo "172.16.100.10 master.ipa.test" >> /etc/hosts
@@ -26,3 +27,4 @@ echo "172.16.100.40 client.test" >> /etc/hosts
 echo "172.16.100.50 nfs.test" >> /etc/hosts
 echo "172.16.100.60 kdc.test" >> /etc/hosts
 echo "172.16.200.10 dc.ad.test" >> /etc/hosts
+echo "172.16.100.11 master.ipa2.test" >> /etc/hosts
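Review bot: In the setup-dns-files.sh hunks the new host is tacked onto the end of both lists, so `172.16.100.11 master.ipa2.test` lands after `172.16.200.10 dc.ad.test` while every other entry is listed in address order with the IPA server first; placing the `sed -i '/master.ipa2.test/d' /etc/hosts` and `echo "172.16.100.11 master.ipa2.test" >> /etc/hosts` lines directly after their master.ipa.test counterparts keeps the two IPA hosts together and the file readable. The unescaped dots in `'/master.ipa2.test/'` follow the existing lines, so that is consistent, if loose. The gen-ssh-keys.sh change is a plain list addition and needs nothing.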