From: Scott Mayhew <smayhew@redhat.com>
To: kdevops@lists.linux.dev
Subject: [PATCH v2 10/10] fstests/nfs: add krb5 support
Date: Sat, 9 Mar 2024 18:36:03 -0500 [thread overview]
Message-ID: <20240309233603.1306533-11-smayhew@redhat.com> (raw)
In-Reply-To: <20240309233603.1306533-1-smayhew@redhat.com>
This adds the ability to run fstests on NFS with sec=krb5{,i,p}.

To use it, you need to:

* Specify a krb5 realm and admin password via:
    -> Bring up goals
      -> Set up KRB5
        -> Configure the KRB5 KDC
          -> KRB5 Realm
          -> KRB5 admin password
* Add the 'sec=' export option to nfsd via:
    -> Bring up goals
      -> Set up the kernel nfs server
        -> Configure the kernel NFS server
          -> The export options to use for the exported fs
* Specify the auth flavor for the clients to use via:
    -> Target workflows
      -> Enable different target workflows
        -> Enable selection of test workflows
          -> Linux subsystem tests
            -> Configure and run fstests
              -> Configure how nfs should be tested
                -> Authentication flavor to use

The following will happen during 'make bringup':

- a KDC will automatically be created
- the dependency packages for krb5 will be installed on the clients and nfsd
- keys will be created for the clients and nfsd on the KDC
- the keys will get added to the keytabs on the clients and nfsd

The auth flavor gets written to /etc/nfsmount.conf on the clients during
'make fstests'.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
Makefile | 1 +
kconfigs/Kconfig.bringup.goals | 1 +
kconfigs/Kconfig.krb5 | 25 ++++
playbooks/kdc.yml | 4 +
playbooks/krb5.yml | 4 +
.../fstests/tasks/install-deps/suse/main.yml | 10 ++
playbooks/roles/fstests/tasks/main.yml | 41 ++++++
.../roles/fstests/templates/nfs/nfsmount.conf | 2 +
playbooks/roles/gen_hosts/defaults/main.yml | 1 +
.../roles/gen_hosts/templates/fstests.j2 | 15 +++
playbooks/roles/gen_nodes/defaults/main.yml | 1 +
playbooks/roles/gen_nodes/tasks/main.yml | 19 +++
.../kdc/tasks/install-deps/debian/main.yml | 11 ++
.../roles/kdc/tasks/install-deps/main.yml | 12 ++
.../kdc/tasks/install-deps/redhat/main.yml | 16 +++
.../kdc/tasks/install-deps/suse/main.yml | 10 ++
playbooks/roles/kdc/tasks/main.yml | 119 ++++++++++++++++++
playbooks/roles/kdc/templates/kadm5.acl.j2 | 1 +
playbooks/roles/kdc/templates/kdc.conf.j2 | 15 +++
playbooks/roles/kdc/templates/krb5.conf.j2 | 29 +++++
playbooks/roles/kdc/vars/Debian.yml | 7 ++
playbooks/roles/kdc/vars/RedHat.yml | 7 ++
playbooks/roles/kdc/vars/Suse.yml | 7 ++
playbooks/roles/kdc/vars/default.yml | 7 ++
playbooks/roles/kdc/vars/main.yml | 1 +
.../krb5/tasks/install-deps/debian/main.yml | 9 ++
.../roles/krb5/tasks/install-deps/main.yml | 12 ++
.../krb5/tasks/install-deps/redhat/main.yml | 15 +++
.../krb5/tasks/install-deps/suse/main.yml | 16 +++
playbooks/roles/krb5/tasks/main.yml | 52 ++++++++
playbooks/roles/krb5/templates/krb5.conf.j2 | 31 +++++
.../nfsd/tasks/install-deps/debian/main.yml | 5 +
.../nfsd/tasks/install-deps/suse/main.yml | 5 +
scripts/krb5.Makefile | 22 ++++
workflows/fstests/nfs/Kconfig | 29 +++++
workflows/fstests/nfs/Makefile | 4 +
36 files changed, 566 insertions(+)
create mode 100644 kconfigs/Kconfig.krb5
create mode 100644 playbooks/kdc.yml
create mode 100644 playbooks/krb5.yml
create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
create mode 100644 playbooks/roles/kdc/tasks/main.yml
create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
create mode 100644 playbooks/roles/kdc/vars/Debian.yml
create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
create mode 100644 playbooks/roles/kdc/vars/Suse.yml
create mode 100644 playbooks/roles/kdc/vars/default.yml
create mode 100644 playbooks/roles/kdc/vars/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
create mode 100644 playbooks/roles/krb5/tasks/main.yml
create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
create mode 100644 scripts/krb5.Makefile
diff --git a/Makefile b/Makefile
index 11b409e0..5b8e1a22 100644
--- a/Makefile
+++ b/Makefile
@@ -107,6 +107,7 @@ endif # CONFIG_WORKFLOWS
include scripts/siw.Makefile
include scripts/ktls.Makefile
include scripts/nfsd.Makefile
+include scripts/krb5.Makefile
include scripts/devconfig.Makefile
include scripts/ssh.Makefile
diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
index fc6af7f8..dd7f4491 100644
--- a/kconfigs/Kconfig.bringup.goals
+++ b/kconfigs/Kconfig.bringup.goals
@@ -97,3 +97,4 @@ config KDEVOPS_SETUP_KTLS
necessary for testing RPC over TLS, or NVMe over TCP.
source "kconfigs/Kconfig.nfsd"
+source "kconfigs/Kconfig.krb5"
diff --git a/kconfigs/Kconfig.krb5 b/kconfigs/Kconfig.krb5
new file mode 100644
index 00000000..e5902718
--- /dev/null
+++ b/kconfigs/Kconfig.krb5
@@ -0,0 +1,25 @@
+config KDEVOPS_SETUP_KRB5
+ bool "Set up KRB5"
+ default n
+ help
+ Configure and bring up a MIT Kerberos V5 KDC.
+
+if KDEVOPS_SETUP_KRB5
+
+menu "Configure the KRB5 KDC"
+
+config KRB5_REALM
+ string "KRB5 Realm"
+ default "KDEVOPS"
+ help
+ Kerberos realm to create.
+
+config KRB5_ADMIN_PW
+ string "KRB5 admin password"
+ default "kdevops"
+ help
+ Password to use for the 'root/admin' principal.
+
+endmenu
+
+endif
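Review bot: the KRB5_ADMIN_PW help text says the password is for the 'root/admin' principal, but the kdc role in this patch also uses it as the KDC master key password (`kdb5_util -P {{ krb5_admin_pw }} create -s`) and it travels to the playbooks as a plain extra var. The help text should state that this is a throwaway credential for a test-only KDC and that it protects the master key as well, so nobody reuses a real password here.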
diff --git a/playbooks/kdc.yml b/playbooks/kdc.yml
new file mode 100644
index 00000000..66709db8
--- /dev/null
+++ b/playbooks/kdc.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+ roles:
+ - role: kdc
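Review bot: `hosts: all` only works because scripts/krb5.Makefile always passes `-l kdc`; running `ansible-playbook -i hosts playbooks/kdc.yml` by hand would create a KDC on every host in the inventory. Since gen_hosts now defines `[kdc]` and `[krb5]` groups, `hosts: kdc` here (and `hosts: krb5` in playbooks/krb5.yml) is safer and self-documenting.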
diff --git a/playbooks/krb5.yml b/playbooks/krb5.yml
new file mode 100644
index 00000000..52ca3ef5
--- /dev/null
+++ b/playbooks/krb5.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+ roles:
+ - role: krb5
diff --git a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
index 067e5c55..951dfc66 100644
--- a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
@@ -237,3 +237,13 @@
when:
- repos_present|bool
- fstests_fstyp == "nfs"
+
+- name: Ensure nfs-client.target is enabled
+ become: yes
+ become_method: sudo
+ ansible.builtin.systemd:
+ name: nfs-client.target
+ enabled: true
+ state: started
+ when:
+ - fstests_fstyp == "nfs"
diff --git a/playbooks/roles/fstests/tasks/main.yml b/playbooks/roles/fstests/tasks/main.yml
index 3f210a53..b76536ec 100644
--- a/playbooks/roles/fstests/tasks/main.yml
+++ b/playbooks/roles/fstests/tasks/main.yml
@@ -668,6 +668,47 @@
when:
- fstests_fstyp == "nfs"
+- name: Check to see if /etc/nfsmount.conf exists
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ ansible.builtin.stat:
+ path: /etc/nfsmount.conf
+ register: nfsmount_conf
+ when:
+ - fstests_fstyp == "nfs"
+ - fstests_nfs_auth_flavor is defined
+ - fstests_nfs_auth_flavor
+
+- name: Create /etc/nfsmount.conf
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ ansible.builtin.template:
+ src: "{{ fstests_fstyp }}/nfsmount.conf"
+ dest: /etc/nfsmount.conf
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - fstests_fstyp == "nfs"
+ - fstests_nfs_auth_flavor is defined
+ - fstests_nfs_auth_flavor
+ - not nfsmount_conf.stat.exists
+
+- name: Set auth flavor for NFS
+ become: yes
+ become_flags: 'su - -c'
+ become_method: sudo
+ ansible.builtin.lineinfile:
+ path: /etc/nfsmount.conf
+ regexp: '^# Sec='
+ line: 'Sec={{ fstests_nfs_auth_flavor }}'
+ when:
+ - fstests_fstyp == "nfs"
+ - fstests_nfs_auth_flavor is defined
+ - fstests_nfs_auth_flavor
+
- name: Reboot system before our test so we know everything is sane
tags: [ 'oscheck', 'fstests', 'run_tests', 'reboot' ]
become: yes
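Review bot: the 'Set auth flavor for NFS' task is not idempotent across flavor changes: `regexp: '^# Sec='` only matches the commented-out line, so once it has been rewritten to `Sec=krb5`, a later run with `fstests_nfs_auth_flavor=krb5p` finds no match and lineinfile appends a second `Sec=` line at end of file, which on a pre-existing distro-shipped /etc/nfsmount.conf can land in a later section instead of `[ NFSMount_Global_Options ]`. A pattern such as `regexp: '^#?\s*Sec='` would update the existing line on every run. Note also that `nfsmount_conf` is only registered when the flavor is set; the `not nfsmount_conf.stat.exists` check in the second task depends on the earlier conditions in that `when:` list being evaluated first, so keep the ordering of those conditions if this is ever edited.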
diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
new file mode 100644
index 00000000..73b6a8e4
--- /dev/null
+++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
@@ -0,0 +1,2 @@
+[ NFSMount_Global_Options ]
+# Sec=sys
diff --git a/playbooks/roles/gen_hosts/defaults/main.yml b/playbooks/roles/gen_hosts/defaults/main.yml
index 0c49cde0..5cd7433c 100644
--- a/playbooks/roles/gen_hosts/defaults/main.yml
+++ b/playbooks/roles/gen_hosts/defaults/main.yml
@@ -32,3 +32,4 @@ fs_config_role_path: "/dev/null"
fs_config_data: "[section_1]"
kdevops_nfsd_enable: False
+kdevops_krb5_enable: False
diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
index b5111ad3..985e3f76 100644
--- a/playbooks/roles/gen_hosts/templates/fstests.j2
+++ b/playbooks/roles/gen_hosts/templates/fstests.j2
@@ -27,3 +27,18 @@ ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
[nfsd:vars]
ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
{% endif %}
+{% if kdevops_krb5_enable %}
+[kdc]
+{{ kdevops_hosts_prefix }}-kdc
+[kdc:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+[krb5]
+{% for s in fstests_enabled_test_types %}
+{{ kdevops_host_prefix }}-{{ s }}
+{% endfor %}
+{% if kdevops_nfsd_enable %}
+{{ kdevops_hosts_prefix }}-nfsd
+{% endif %}
+[krb5:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+{% endif %}
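Review bot: this hunk uses both `kdevops_hosts_prefix` (for the `-kdc` and `-nfsd` entries) and `kdevops_host_prefix` (inside the `for s in fstests_enabled_test_types` loop), while the gen_nodes hunk in this patch builds `kdc_nodes` from `kdevops_host_prefix` and the krb5 role uses `kdevops_hosts_prefix`. Unless both variables are defined with the same value, some of the `[kdc]`/`[krb5]` entries will render with an empty or wrong prefix and the `-l kdc` / `-l krb5` limits in the Makefile will not match; please settle on one name throughout the patch.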
diff --git a/playbooks/roles/gen_nodes/defaults/main.yml b/playbooks/roles/gen_nodes/defaults/main.yml
index 51491d33..6d729605 100644
--- a/playbooks/roles/gen_nodes/defaults/main.yml
+++ b/playbooks/roles/gen_nodes/defaults/main.yml
@@ -13,6 +13,7 @@ kdevops_workflow_enable_pynfs: False
kdevops_workflow_enable_gitr: False
kdevops_workflow_enable_selftests: False
kdevops_nfsd_enable: False
+kdevops_krb5_enable: False
virtualbox_provider: False
libvirt_provider: False
diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
index 288dbdca..f9537fce 100644
--- a/playbooks/roles/gen_nodes/tasks/main.yml
+++ b/playbooks/roles/gen_nodes/tasks/main.yml
@@ -55,6 +55,18 @@
when:
- kdevops_nfsd_enable|bool
+- name: Set kdc_nodes list
+ set_fact:
+ kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}"
+ when:
+ - kdevops_krb5_enable|bool
+
+- name: Add a KRB5 KDC if one was selected
+ set_fact:
+ generic_nodes: "{{ generic_nodes + kdc_nodes }}"
+ when:
+ - kdevops_krb5_enable|bool
+
- name: Set fstests config file variable for {{ fstests_fstyp }}
set_fact:
is_fstests: True
@@ -217,6 +229,13 @@
- is_fstests|bool
- kdevops_nfsd_enable|bool
+- name: Add the KRB5 KDC if one was selected
+ set_fact:
+ fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}"
+ when:
+ - is_fstests|bool
+ - kdevops_krb5_enable|bool
+
- name: Generate the fstests kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template
tags: [ 'hosts' ]
vars:
diff --git a/playbooks/roles/kdc/tasks/install-deps/debian/main.yml b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml
new file mode 100644
index 00000000..bc2a6a78
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Install kdc dependencies
+ become: yes
+ become_method: sudo
+ apt:
+ name:
+ - krb5-admin-server
+ - krb5-kdc
+ - krb5-user
+ state: present
+ update_cache: yes
diff --git a/playbooks/roles/kdc/tasks/install-deps/main.yml b/playbooks/roles/kdc/tasks/install-deps/main.yml
new file mode 100644
index 00000000..a1bd1da5
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Debian-specific set up
+ ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/debian/main.yml
+ when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific set up
+ ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/suse/main.yml
+ when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific set up
+ ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/redhat/main.yml
+ when: ansible_os_family == 'RedHat'
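Review bot: this file appears to be dead and mis-pathed: playbooks/roles/kdc/tasks/main.yml includes the per-distro files directly (`roles/kdc/tasks/install-deps/debian/main.yml` and so on), and the paths used here (`roles/tasks/kdc/install-deps/...`) do not match where the files are created in this patch, so anything that ever included it would fail. Either drop the file or fix the paths and include it from main.yml instead of repeating the three `include_tasks` there.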
diff --git a/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
new file mode 100644
index 00000000..c393920d
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install kdc dependencies
+ become: yes
+ become_method: sudo
+ yum:
+ update_cache: yes
+ name: "{{ packages }}"
+ retries: 3
+ delay: 5
+ register: result
+ until: result.rc == 0
+ vars:
+ packages:
+ - krb5-server
+ - krb5-libs
+ - krb5-workstation
diff --git a/playbooks/roles/kdc/tasks/install-deps/suse/main.yml b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml
new file mode 100644
index 00000000..d0fd019f
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Install kdc dependencies
+ become: yes
+ become_method: sudo
+ zypper:
+ name:
+ - krb5
+ - krb5-client
+ - krb5-server
+ state: present
diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml
new file mode 100644
index 00000000..b67f38d0
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/main.yml
@@ -0,0 +1,119 @@
+---
+- name: Get OS-specific variables
+ ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+ vars:
+ params:
+ files:
+ - '{{ansible_distribution}}.yml'
+ - '{{ansible_os_family}}.yml'
+ - default.yml
+ paths:
+ - 'vars'
+
+- name: Debian-specific setup
+ ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/debian/main.yml
+ when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific setup
+ ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/suse/main.yml
+ when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific setup
+ ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/redhat/main.yml
+ when: ansible_os_family == 'RedHat'
+
+- name: Configure /etc/krb5.conf
+ become: yes
+ become_method: sudo
+ template:
+ src: krb5.conf.j2
+ dest: /etc/krb5.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Ensure /etc/krb5.conf.d exists
+ become: yes
+ become_method: sudo
+ ansible.builtin.file:
+ path: /etc/krb5.conf.d
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Configure {{ kdc_conf_dir }}/kdc.conf
+ become: yes
+ become_method: sudo
+ template:
+ src: kdc.conf.j2
+ dest: "{{ kdc_conf_dir }}/kdc.conf"
+ owner: root
+ group: root
+ mode: 0600
+
+- name: Configure {{ kdc_data_dir }}/kadm5.acl
+ become: yes
+ become_method: sudo
+ template:
+ src: kadm5.acl.j2
+ dest: "{{ kdc_data_dir }}/kadm5.acl"
+ owner: root
+ group: root
+ mode: 0600
+
+- name: Check to see if Kerberos database exists
+ become: yes
+ become_method: sudo
+ ansible.builtin.stat:
+ path: "{{ kdc_data_dir }}/principal"
+ register: kerberos_db
+
+- name: Create database
+ become: yes
+ become_method: sudo
+ ansible.builtin.shell:
+ cmd: kdb5_util -P {{ krb5_admin_pw }} create -s
+ when: not kerberos_db.stat.exists
+
+- name: Create admin principal
+ become: yes
+ become_method: sudo
+ ansible.builtin.shell:
+ cmd: kadmin.local -q "addprinc -pw {{ krb5_admin_pw }} root/admin"
+
+- name: Allow access to kerberos service in firewalld
+ become: yes
+ become_method: sudo
+ ansible.posix.firewalld:
+ service: kerberos
+ permanent: true
+ immediate: true
+ state: enabled
+ when: ansible_os_family == 'RedHat'
+
+- name: Allow access to kadmin service in firewalld
+ become: yes
+ become_method: sudo
+ ansible.posix.firewalld:
+ service: kadmin
+ permanent: true
+ immediate: true
+ state: enabled
+ when: ansible_os_family == 'RedHat'
+
+- name: Start and enable {{ krb5kdc_service_name }} systemd service
+ become: yes
+ become_method: sudo
+ ansible.builtin.systemd:
+ name: "{{ krb5kdc_service_name }}"
+ enabled: true
+ state: started
+
+- name: Start and enable {{ kadmin_service_name }} systemd service
+ become: yes
+ become_method: sudo
+ ansible.builtin.systemd:
+ name: "{{ kadmin_service_name }}"
+ enabled: true
+ state: started
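Review bot: both `kdb5_util -P {{ krb5_admin_pw }} create -s` and `kadmin.local -q "addprinc -pw {{ krb5_admin_pw }} root/admin"` put the password on the command line and neither task has `no_log: true`, so the password is echoed in the Ansible task output and in any `-v` logs; `no_log: true` on both tasks keeps it out of the logs at least. The 'Create admin principal' task also has no guard, so re-running the kdc target hits 'Principal or policy already exists' on every subsequent run; a `when: not kerberos_db.stat.exists` guard like the one on database creation would make the role re-runnable. Neither command uses shell features, so `ansible.builtin.command` is the better fit than `ansible.builtin.shell`.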
diff --git a/playbooks/roles/kdc/templates/kadm5.acl.j2 b/playbooks/roles/kdc/templates/kadm5.acl.j2
new file mode 100644
index 00000000..0a303e28
--- /dev/null
+++ b/playbooks/roles/kdc/templates/kadm5.acl.j2
@@ -0,0 +1 @@
+*/admin@{{ krb5_realm }} *
diff --git a/playbooks/roles/kdc/templates/kdc.conf.j2 b/playbooks/roles/kdc/templates/kdc.conf.j2
new file mode 100644
index 00000000..7de816dd
--- /dev/null
+++ b/playbooks/roles/kdc/templates/kdc.conf.j2
@@ -0,0 +1,15 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ spake_preauth_kdc_challenge = edwards25519
+
+[realms]
+{{ krb5_realm }} = {
+ database_name = {{ kdc_data_dir }}/principal
+ master_key_type = {{ kdc_master_key_type }}
+ acl_file = {{ kdc_data_dir }}/kadm5.acl
+ dict_file = /usr/share/dict/words
+ default_principal_flags = +preauth
+ admin_keytab = {{ kdc_data_dir }}/kadm5.keytab
+ supported_enctypes = {{ kdc_supported_enctypes }}
+}
diff --git a/playbooks/roles/kdc/templates/krb5.conf.j2 b/playbooks/roles/kdc/templates/krb5.conf.j2
new file mode 100644
index 00000000..e42ffb9b
--- /dev/null
+++ b/playbooks/roles/kdc/templates/krb5.conf.j2
@@ -0,0 +1,29 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+ spake_preauth_groups = edwards25519
+ dns_canonicalize_hostname = fallback
+ qualify_shortname = ""
+ default_realm = {{ krb5_realm }}
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ krb5_realm }} = {
+ kdc = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:88
+ admin_server = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:749
+}
+
+[domain_realm]
+ .{{ krb5_realm | lower }} = {{ krb5_realm }}
+ {{ krb5_realm | lower }} = {{ krb5_realm }}
diff --git a/playbooks/roles/kdc/vars/Debian.yml b/playbooks/roles/kdc/vars/Debian.yml
new file mode 100644
index 00000000..b1cb8f13
--- /dev/null
+++ b/playbooks/roles/kdc/vars/Debian.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /etc/krb5kdc
+kdc_data_dir: /var/lib/krb5kdc
+kdc_master_key_type: aes256-cts
+kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal
+krb5kdc_service_name: krb5-kdc
+kadmin_service_name: krb5-admin-server
diff --git a/playbooks/roles/kdc/vars/RedHat.yml b/playbooks/roles/kdc/vars/RedHat.yml
new file mode 100644
index 00000000..16de574d
--- /dev/null
+++ b/playbooks/roles/kdc/vars/RedHat.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/kerberos/krb5kdc
+kdc_data_dir: /var/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts-hmac-sha384-192
+kdc_supported_enctypes: aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmin
diff --git a/playbooks/roles/kdc/vars/Suse.yml b/playbooks/roles/kdc/vars/Suse.yml
new file mode 100644
index 00000000..8900d6ad
--- /dev/null
+++ b/playbooks/roles/kdc/vars/Suse.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/lib/kerberos/krb5kdc
+kdc_data_dir: /var/lib/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts
+kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmind
diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
new file mode 100644
index 00000000..16de574d
--- /dev/null
+++ b/playbooks/roles/kdc/vars/default.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/kerberos/krb5kdc
+kdc_data_dir: /var/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts-hmac-sha384-192
+kdc_supported_enctypes: aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmin
diff --git a/playbooks/roles/kdc/vars/main.yml b/playbooks/roles/kdc/vars/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/playbooks/roles/kdc/vars/main.yml
@@ -0,0 +1 @@
+---
diff --git a/playbooks/roles/krb5/tasks/install-deps/debian/main.yml b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml
new file mode 100644
index 00000000..25bdff7c
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Install krb5 dependencies
+ become: yes
+ become_method: sudo
+ apt:
+ name:
+ - krb5-user
+ state: present
+ update_cache: yes
diff --git a/playbooks/roles/krb5/tasks/install-deps/main.yml b/playbooks/roles/krb5/tasks/install-deps/main.yml
new file mode 100644
index 00000000..ab31e2d4
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Debian-specific set up
+ ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/debian/main.yml
+ when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific set up
+ ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/suse/main.yml
+ when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific set up
+ ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/redhat/main.yml
+ when: ansible_os_family == 'RedHat'
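Review bot: same issue as the kdc counterpart: playbooks/roles/krb5/tasks/main.yml includes the per-distro files directly, and the `roles/tasks/krb5/install-deps/...` paths here do not match `playbooks/roles/krb5/tasks/install-deps/...` where the files are created, so this file is unused and would fail if it were included. Drop it or fix the paths and include it from main.yml.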
diff --git a/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
new file mode 100644
index 00000000..511f221f
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Install krb5 dependencies
+ become: yes
+ become_method: sudo
+ yum:
+ update_cache: yes
+ name: "{{ packages }}"
+ retries: 3
+ delay: 5
+ register: result
+ until: result.rc == 0
+ vars:
+ packages:
+ - krb5-libs
+ - krb5-workstation
diff --git a/playbooks/roles/krb5/tasks/install-deps/suse/main.yml b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml
new file mode 100644
index 00000000..b01ac532
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install krb5 dependencies
+ become: yes
+ become_method: sudo
+ zypper:
+ name:
+ - krb5
+ - krb5-client
+ - kernel-default
+ state: present
+ force_resolution: true
+
+- name: Reboot system to make the new kernel and modules take effect
+ become: yes
+ become_method: sudo
+ ansible.builtin.reboot:
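Review bot: the reboot runs unconditionally, so every run of the krb5 role (and hence every `make bringup`) reboots each SUSE host in the `[krb5]` group whether or not zypper actually installed a new `kernel-default`. Register the zypper result and add `when: result.changed` (or equivalent) to the reboot task. It is also not obvious why a client-side krb5 role installs `kernel-default` when the kdc variant of this file does not; a comment explaining that would help.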
diff --git a/playbooks/roles/krb5/tasks/main.yml b/playbooks/roles/krb5/tasks/main.yml
new file mode 100644
index 00000000..968b0655
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Debian-specific setup
+ ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/debian/main.yml
+ when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific setup
+ ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/suse/main.yml
+ when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific setup
+ ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/redhat/main.yml
+ when: ansible_os_family == 'RedHat'
+
+- name: Configure /etc/krb5.conf
+ become: yes
+ become_method: sudo
+ template:
+ src: krb5.conf.j2
+ dest: /etc/krb5.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Ensure /etc/krb5.conf.d exists
+ become: yes
+ become_method: sudo
+ ansible.builtin.file:
+ path: /etc/krb5.conf.d
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Add nfs principal
+ become: yes
+ become_method: sudo
+ ansible.builtin.shell:
+ cmd: kadmin -w {{ krb5_admin_pw }} -q "addprinc -randkey nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+
+- name: Add nfs principal to keytab
+ become: yes
+ become_method: sudo
+ ansible.builtin.shell:
+ cmd: kadmin -w {{ krb5_admin_pw }} -q "ktadd -k /etc/krb5.keytab nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+
+- name: Restart rpc.gssd on the NFS server
+ become: yes
+ become_method: sudo
+ delegate_to: "{{ kdevops_hosts_prefix }}-nfsd"
+ ansible.builtin.systemd:
+ name: rpc-gssd
+ state: restarted
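Review bot: the rpc.gssd restart is delegated to `{{ kdevops_hosts_prefix }}-nfsd` from every host in the `[krb5]` group, so it runs once per client plus once from the nfsd host itself; `run_once: true` would suffice. It also assumes the nfsd host exists in the inventory, but gen_hosts only adds `-nfsd` to `[krb5]` when `kdevops_nfsd_enable` is true, so the task needs a `when: kdevops_nfsd_enable|bool` guard. As in the kdc role, the two `kadmin -w {{ krb5_admin_pw }} ...` tasks should carry `no_log: true`, and the `ktadd` task is not idempotent: each run randomizes the key again and appends a new entry with a bumped kvno to /etc/krb5.keytab.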
diff --git a/playbooks/roles/krb5/templates/krb5.conf.j2 b/playbooks/roles/krb5/templates/krb5.conf.j2
new file mode 100644
index 00000000..1ed37d5e
--- /dev/null
+++ b/playbooks/roles/krb5/templates/krb5.conf.j2
@@ -0,0 +1,31 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+ spake_preauth_groups = edwards25519
+ dns_canonicalize_hostname = fallback
+ qualify_shortname = ""
+ default_realm = {{ krb5_realm }}
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ krb5_realm }} = {
+ kdc = {{ kdevops_hosts_prefix }}-kdc:88
+ admin_server = {{ kdevops_hosts_prefix }}-kdc:749
+ auth_to_local = RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/
+ auth_to_local = DEFAULT
+}
+
+[domain_realm]
+ .{{ krb5_realm | lower }} = {{ krb5_realm }}
+ {{ krb5_realm | lower }} = {{ krb5_realm }}
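Review bot: the `auth_to_local = RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/` line maps every `nfs/<host>` service principal in the realm to the local user root on whichever host uses this krb5.conf; that is what lets fstests run as root over krb5, but it is a broad mapping and deserves a comment in the template saying so. Apart from this rule and the `kdc`/`admin_server` lines, the file duplicates playbooks/roles/kdc/templates/krb5.conf.j2; one shared template with the differences parameterized would be easier to keep in sync.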
diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
index a48d40ef..2a2b7899 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
@@ -21,6 +21,11 @@
- fsprogs is defined
- fsprogs
+- name: Add gssproxy to the nfsd packages list
+ set_fact:
+ nfsd_packages: "{{ nfsd_packages + ['gssproxy'] }}"
+ when: kdevops_krb5_enable|bool
+
- name: Install nfsd dependencies
become: yes
become_method: sudo
diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
index 49d931cd..5bda13c9 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
@@ -21,6 +21,11 @@
- fsprogs is defined
- fsprogs
+- name: Add additional packages needed for krb5 to the nfsd packages list
+ set_fact:
+ nfsd_packages: "{{ nfsd_packages + ['gssproxy', 'libverto-libev1'] }}"
+ when: kdevops_krb5_enable|bool
+
- name: Install nfsd dependencies
become: yes
become_method: sudo
diff --git a/scripts/krb5.Makefile b/scripts/krb5.Makefile
new file mode 100644
index 00000000..14f73d8c
--- /dev/null
+++ b/scripts/krb5.Makefile
@@ -0,0 +1,22 @@
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
+
+KRB5_EXTRA_ARGS += krb5_realm='$(subst ",,$(CONFIG_KRB5_REALM))'
+KRB5_EXTRA_ARGS += krb5_admin_pw='$(subst ",,$(CONFIG_KRB5_ADMIN_PW))'
+KRB5_EXTRA_ARGS += kdevops_krb5_enable=True
+
+ANSIBLE_EXTRA_ARGS += $(KRB5_EXTRA_ARGS)
+
+kdc:
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
+ -f 30 -i hosts -l kdc playbooks/kdc.yml
+
+krb5:
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
+ -f 30 -i hosts -l krb5 playbooks/krb5.yml
+
+KDEVOPS_BRING_UP_DEPS += kdc
+KDEVOPS_BRING_UP_LATE_DEPS += krb5
+
+PHONY += kdc krb5
+
+endif
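Review bot: the `krb5` target depends on both the KDC and the NFS server already being up (the role runs kadmin against the KDC and restarts rpc-gssd on the nfsd host), and that ordering is expressed only implicitly by putting `kdc` in `KDEVOPS_BRING_UP_DEPS` and `krb5` in `KDEVOPS_BRING_UP_LATE_DEPS`; a comment stating the ordering requirement would help the next person who touches these lists. Note also that `krb5_admin_pw` is appended to `ANSIBLE_EXTRA_ARGS`, so it reaches the playbooks in plain text along with the other extra vars, which is another reason for the `no_log` suggestions in the kdc and krb5 roles.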
diff --git a/workflows/fstests/nfs/Kconfig b/workflows/fstests/nfs/Kconfig
index 9de5ae04..86e930a6 100644
--- a/workflows/fstests/nfs/Kconfig
+++ b/workflows/fstests/nfs/Kconfig
@@ -98,3 +98,32 @@ config FSTESTS_NFS_SECTION_V3
default n
endif # !FSTESTS_NFS_MANUAL_COVERAGE
+
+choice
+ prompt "Authentication flavor to use"
+ default FSTESTS_NFS_AUTH_KRB5
+ depends on KDEVOPS_SETUP_KRB5
+ help
+ This is the authentication flavor you want to test. The selected
+ option will get written to /etc/nfsmount.conf on the NFS clients.
+
+config FSTESTS_NFS_AUTH_SYS
+ bool "sys"
+
+config FSTESTS_NFS_AUTH_KRB5
+ bool "krb5"
+
+config FSTESTS_NFS_AUTH_KRB5I
+ bool "krb5i"
+
+config FSTESTS_NFS_AUTH_KRB5P
+ bool "krb5p"
+
+endchoice
+
+config FSTESTS_NFS_AUTH_FLAVOR
+ string
+ default "sys" if FSTESTS_NFS_AUTH_SYS
+ default "krb5" if FSTESTS_NFS_AUTH_KRB5
+ default "krb5i" if FSTESTS_NFS_AUTH_KRB5I
+ default "krb5p" if FSTESTS_NFS_AUTH_KRB5P
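Review bot: the help text should say that the flavor chosen here must match the `sec=` export option configured for nfsd (the commit message requires both to be set), otherwise the server refuses the mount with an error that does not point back at this option. Also, because the whole `choice` depends on KDEVOPS_SETUP_KRB5, the `sys` entry is only reachable when a KDC is being set up; that is reasonable, but mentioning the dependency in the help would save users who cannot find the prompt some searching.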
diff --git a/workflows/fstests/nfs/Makefile b/workflows/fstests/nfs/Makefile
index 686e27ae..ba4387e1 100644
--- a/workflows/fstests/nfs/Makefile
+++ b/workflows/fstests/nfs/Makefile
@@ -24,3 +24,7 @@ endif
ifeq (y,$(CONFIG_FSTESTS_NFS_SECTION_V3))
FSTESTS_ARGS += fstests_nfs_section_v3=True
endif
+
+ifdef CONFIG_FSTESTS_NFS_AUTH_FLAVOR
+FSTESTS_ARGS += fstests_nfs_auth_flavor='$(subst ",,$(CONFIG_FSTESTS_NFS_AUTH_FLAVOR))'
+endif
--
2.43.0
2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
2024-03-09 23:35 ` [PATCH v2 01/10] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
2024-03-09 23:35 ` [PATCH v2 02/10] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
2024-03-09 23:35 ` [PATCH v2 03/10] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
2024-03-09 23:35 ` [PATCH v2 04/10] devconfig: set /etc/hostname earlier Scott Mayhew
2024-03-09 23:35 ` [PATCH v2 05/10] nfsd: add a pipefs-directory config to nfs.conf Scott Mayhew
2024-03-09 23:35 ` [PATCH v2 06/10] bringup: move the update_etc_hosts task to run early Scott Mayhew
2024-03-09 23:36 ` [PATCH v2 07/10] bringup: clean up the nfs-related make targets Scott Mayhew
2024-03-09 23:36 ` [PATCH v2 08/10] gen_hosts/gen_nodes: clean up nfsd-related stuff Scott Mayhew
2024-03-09 23:36 ` [PATCH v2 09/10] kconfigs: clean up Kconfig.bringup.goals Scott Mayhew
2024-03-09 23:36 ` Scott Mayhew [this message]
2024-03-11 12:57 ` [PATCH v2 00/10] add initial support for testing nfs with krb5 Jeff Layton
2024-03-11 22:05 ` Luis Chamberlain