public inbox for kdevops@lists.linux.dev
* [PATCH v2 00/10] add initial support for testing nfs with krb5
@ 2024-03-09 23:35 Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 01/10] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

These patches add support for running fstests on NFS with krb5.  There
are numerous other fixes and cleanups, but the bulk of the work is in
patch 10.

There are a handful of new Kconfig options (KDEVOPS_SETUP_KRB5,
KRB5_REALM, KRB5_ADMIN_PW, and FSTESTS_NFS_AUTH_FLAVOR) as well as some
new Makefile targets ("kdc" and "krb5", both of which get executed
automatically).  During "make bringup", a KDC is spun up automatically,
and all the necessary package dependencies are installed, keys are
generated, and the keytabs are updated on the NFS client and server VMs.

Right now you can only use krb5 with the fstests workflow, but it should
be straightforward to add it to the other NFS-related workflows.

-Scott

Changes since v1:

- Added a pipefs-directory config in nfs.conf to fix a debian issue.
- Moved update_etc_hosts target to run as an early bringup dependency.
- Cleaned up the top level Makefile and bringup.Makefile by moving some
  directives into lower level makefiles for nfsd, ktls, siw, and krb5.
- Added a kdevops_nfsd_enable variable and use that instead of checking
  if nfsd_threads is defined in several places.
- Cleaned up the hosts file by making sure "nfsd" and "nfsd:vars"
  stanzas do not get created if nfsd isn't enabled.
- Cleaned up the hosts file by making sure "krb5", "krb5:vars", "kdc",
  and "kdc:vars" stanzas do not get created if krb5 isn't enabled.
- Cleaned up Kconfig.bringup.goals by moving some directives into lower
  level kconfigs for nfsd and krb5.
- Added a kdevops_krb5_enable variable and use that instead of checking
  if krb5_realm is defined in several places.
- Folded the kdc.Makefile into the krb5.Makefile (there's no reason for
  them to have two separate makefiles).
- Added some default vars settings for the KDC.
- Got rid of some unnecessary tasks in the krb5 role that check to see
  if a principal existed before creating it, and also before adding it
  to the keytab (in reality these checks were just triggering errors that
  needed to be ignored).
- Forced the restart rpc.gssd task in the krb5 role to only run on the
  nfsd server (because rpc.gssd isn't installed on the clients yet at
  the point when the krb5 role is executed).
- Made the krb5 target run automatically as a late bringup dependency.

Scott Mayhew (10):
  nfsd: make sure the appropriate fsprogs package is installed
  update_etc_hosts: fix up hostnames on debian guestfs hosts
  nfsd: use EXTRA_VAR_INPUTS for export options
  devconfig: set /etc/hostname earlier
  nfsd: add a pipefs-directory config to nfs.conf
  bringup: move the update_etc_hosts task to run early
  bringup: clean up the nfs-related make targets
  gen_hosts/gen_nodes: clean up nfsd-related stuff
  kconfigs: clean up Kconfig.bringup.goals
  fstests/nfs: add krb5 support

 Makefile                                      |  10 +-
 kconfigs/Kconfig.bringup.goals                |  13 +-
 kconfigs/Kconfig.krb5                         |  25 ++++
 kconfigs/Kconfig.nfsd                         |  16 +++
 playbooks/kdc.yml                             |   4 +
 playbooks/krb5.yml                            |   4 +
 playbooks/roles/devconfig/tasks/main.yml      |  21 ++--
 .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
 playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
 .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
 playbooks/roles/gen_hosts/defaults/main.yml   |   3 +
 .../roles/gen_hosts/templates/fstests.j2      |  19 ++-
 playbooks/roles/gen_hosts/templates/gitr.j2   |   4 +-
 playbooks/roles/gen_hosts/templates/hosts.j2  |   6 +-
 playbooks/roles/gen_nodes/defaults/main.yml   |   2 +
 playbooks/roles/gen_nodes/tasks/main.yml      |  25 +++-
 .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
 .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
 .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
 .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
 playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
 playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
 playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
 playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
 playbooks/roles/kdc/vars/Debian.yml           |   7 ++
 playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
 playbooks/roles/kdc/vars/Suse.yml             |   7 ++
 playbooks/roles/kdc/vars/default.yml          |   7 ++
 playbooks/roles/kdc/vars/main.yml             |   1 +
 .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
 .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
 .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
 .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
 playbooks/roles/krb5/tasks/main.yml           |  52 ++++++++
 playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
 .../nfsd/tasks/install-deps/debian/main.yml   |  33 ++++-
 .../nfsd/tasks/install-deps/redhat/main.yml   |  31 +++--
 .../nfsd/tasks/install-deps/suse/main.yml     |  32 ++++-
 playbooks/roles/nfsd/templates/nfs.conf.j2    |   3 +
 playbooks/roles/nfsd/vars/Debian.yml          |  13 ++
 playbooks/roles/nfsd/vars/RedHat.yml          |  14 +++
 playbooks/roles/nfsd/vars/Suse.yml            |  12 ++
 .../roles/update_etc_hosts/tasks/main.yml     |  26 +++-
 playbooks/update_etc_hosts.yml                |   1 +
 scripts/bringup.Makefile                      |  19 +--
 scripts/krb5.Makefile                         |  22 ++++
 scripts/ktls.Makefile                         |   7 ++
 scripts/nfsd.Makefile                         |  17 ++-
 scripts/siw.Makefile                          |   6 +
 scripts/update_etc_hosts.Makefile             |   7 ++
 workflows/fstests/nfs/Kconfig                 |  29 +++++
 workflows/fstests/nfs/Makefile                |   4 +
 52 files changed, 778 insertions(+), 80 deletions(-)
 create mode 100644 kconfigs/Kconfig.krb5
 create mode 100644 playbooks/kdc.yml
 create mode 100644 playbooks/krb5.yml
 create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/main.yml
 create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
 create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
 create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
 create mode 100644 playbooks/roles/kdc/vars/Debian.yml
 create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
 create mode 100644 playbooks/roles/kdc/vars/Suse.yml
 create mode 100644 playbooks/roles/kdc/vars/default.yml
 create mode 100644 playbooks/roles/kdc/vars/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/main.yml
 create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
 create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
 create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
 create mode 100644 playbooks/roles/nfsd/vars/Suse.yml
 create mode 100644 scripts/krb5.Makefile
 create mode 100644 scripts/update_etc_hosts.Makefile

-- 
2.43.0



* [PATCH v2 01/10] nfsd: make sure the appropriate fsprogs package is installed
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
@ 2024-03-09 23:35 ` Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 02/10] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

The virt-builder images don't have all of the fsprogs packages installed
by default, so make sure to install whatever package is needed for the
filesystem being exported.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 .../nfsd/tasks/install-deps/debian/main.yml   | 28 ++++++++++++++---
 .../nfsd/tasks/install-deps/redhat/main.yml   | 31 ++++++++++++++-----
 .../nfsd/tasks/install-deps/suse/main.yml     | 27 +++++++++++++---
 playbooks/roles/nfsd/vars/Debian.yml          | 11 +++++++
 playbooks/roles/nfsd/vars/RedHat.yml          | 12 +++++++
 playbooks/roles/nfsd/vars/Suse.yml            | 10 ++++++
 6 files changed, 102 insertions(+), 17 deletions(-)
 create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
 create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
 create mode 100644 playbooks/roles/nfsd/vars/Suse.yml

diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
index fd237e76..a48d40ef 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
@@ -1,13 +1,31 @@
 ---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}"
+  set_fact:
+    fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}"
+
+- name: Add {{ fsprogs }} to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + [fsprogs] }}"
+  when:
+    - fsprogs is defined
+    - fsprogs
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
   apt:
-    name:
-      - lvm2
-      - nfs-common
-      - nfs-kernel-server
-      - policycoreutils
+    name: "{{ nfsd_packages }}"
     state: present
     update_cache: yes
   tags: [ 'pynfs', 'deps' ]
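
Review bot: the `fsprogs is defined` condition on the "Add {{ fsprogs }} to the nfsd packages list" task is always true, because the preceding set_fact assigns fsprogs unconditionally (to an empty value through `default()` when the fstype has no entry). The second condition, `fsprogs`, is the one doing the work, so the first can be dropped. A static task name would also read better, since `{{ fsprogs }}` renders empty whenever the task is skipped.
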
diff --git a/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml b/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml
index 15e06a66..d5d25c20 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml
@@ -1,18 +1,33 @@
 ---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}"
+  set_fact:
+    fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}"
+
+- name: Add {{ fsprogs }} to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + [fsprogs] }}"
+  when:
+    - fsprogs is defined
+    - fsprogs
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
   yum:
     update_cache: yes
-    name: "{{ packages }}"
+    name: "{{ nfsd_packages }}"
   retries: 3
   delay: 5
   register: result
   until: result.rc == 0
-  vars:
-    packages:
-      - checkpolicy
-      - lvm2
-      - nfs-utils
-      - policycoreutils
-      - python3-policycoreutils
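
Review bot: the "Get OS-specific variables" lookup and the two set_fact tasks at the top of this file are repeated verbatim in the debian, redhat and suse task files. Moving them into one shared task file that runs before the distro-specific install would keep the three copies from drifting. The lookup also lists default.yml as a fallback, but this patch only creates Debian.yml, RedHat.yml and Suse.yml under playbooks/roles/nfsd/vars, so either ship a default.yml or drop that entry.
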
diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
index 8d84509a..49d931cd 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
@@ -1,10 +1,29 @@
 ---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}"
+  set_fact:
+    fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}"
+
+- name: Add {{ fsprogs }} to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + [fsprogs] }}"
+  when:
+    - fsprogs is defined
+    - fsprogs
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
   zypper:
-    name:
-      - lvm2
-      - nfs-utils
-      - policycoreutils
+    name: "{{ nfsd_packages }}"
     state: present
diff --git a/playbooks/roles/nfsd/vars/Debian.yml b/playbooks/roles/nfsd/vars/Debian.yml
new file mode 100644
index 00000000..3bb9e810
--- /dev/null
+++ b/playbooks/roles/nfsd/vars/Debian.yml
@@ -0,0 +1,11 @@
+---
+nfsd_packages:
+  - lvm2
+  - nfs-common
+  - nfs-kernel-server
+  - policycoreutils
+
+fstype_userspace_progs:
+  btrfs: btrfs-progs
+  ext4: e2fsprogs
+  xfs: xfsprogs
diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
new file mode 100644
index 00000000..590818ca
--- /dev/null
+++ b/playbooks/roles/nfsd/vars/RedHat.yml
@@ -0,0 +1,12 @@
+---
+nfsd_packages:
+  - checkpolicy
+  - lvm2
+  - nfs-utils
+  - policycoreutils
+  - python3-policycoreutils
+
+fstype_userspace_progs:
+  btrfs: btrfs-progs
+  ext4: e2fsprogs
+  xfs: xfsprogs
diff --git a/playbooks/roles/nfsd/vars/Suse.yml b/playbooks/roles/nfsd/vars/Suse.yml
new file mode 100644
index 00000000..73b06c83
--- /dev/null
+++ b/playbooks/roles/nfsd/vars/Suse.yml
@@ -0,0 +1,10 @@
+---
+nfsd_packages:
+  - lvm2
+  - nfs-utils
+  - policycoreutils
+
+fstype_userspace_progs:
+  btrfs: btrfsprogs
+  ext4: e2fsprogs
+  xfs: xfsprogs
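
Review bot: `btrfs: btrfsprogs` in fstype_userspace_progs differs from the `btrfs-progs` used in Debian.yml and RedHat.yml; if that is the SUSE package name, a short comment would stop it being "corrected" later. The map in all three files covers only btrfs, ext4 and xfs, and the tasks fall back to `default()`, so any other nfsd_export_fstype installs no userspace tools without a message. A debug or fail task for the unmapped case would make that visible.
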
-- 
2.43.0



* [PATCH v2 02/10] update_etc_hosts: fix up hostnames on debian guestfs hosts
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 01/10] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
@ 2024-03-09 23:35 ` Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 03/10] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

Since we're not currently using DNS domains in our hostnames, debian
guestfs hosts wind up with an entry like this in /etc/hosts:

127.0.1.1       unassigned-hostname.unassigned-domain   foo

which causes the ansible_fqdn variable to report
"unassigned-hostname.unassigned-domain".  Get rid of the
"unassigned-hostname.unassigned-domain" part, so that ansible_fqdn
reports the short hostname "foo" instead.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 playbooks/roles/update_etc_hosts/tasks/main.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/playbooks/roles/update_etc_hosts/tasks/main.yml b/playbooks/roles/update_etc_hosts/tasks/main.yml
index dca61d9f..34a69f6d 100644
--- a/playbooks/roles/update_etc_hosts/tasks/main.yml
+++ b/playbooks/roles/update_etc_hosts/tasks/main.yml
@@ -65,3 +65,15 @@
   with_items: "{{ ueh_hosts }}"
   when:
     - not terraform_private_net_enabled
+
+- name: Fix up hostname on Debian guestfs hosts
+  become: yes
+  become_method: sudo
+  lineinfile:
+    path: /etc/hosts
+    regexp: '^(127\.0\.1\.1)(\s+)unassigned-hostname\.unassigned-domain\s+({{ ansible_hostname }})$'
+    backrefs: yes
+    line: '\1\2\3'
+  when:
+    - ansible_os_family == 'Debian'
+    - kdevops_enable_guestfs
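
Review bot: `{{ ansible_hostname }}` is interpolated into the `regexp` without escaping, so any regex metacharacter in the hostname changes the pattern; `{{ ansible_hostname | regex_escape }}` keeps it literal. The pattern is also anchored with `$` directly after the short name, so a line carrying extra aliases or trailing whitespace is left untouched, and with `backrefs: yes` lineinfile reports no change rather than an error. Facts gathered before this task still hold the old ansible_fqdn until they are gathered again.
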
-- 
2.43.0



* [PATCH v2 03/10] nfsd: use EXTRA_VAR_INPUTS for export options
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 01/10] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 02/10] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
@ 2024-03-09 23:35 ` Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 04/10] devconfig: set /etc/hostname earlier Scott Mayhew
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

The most_extra_vars target in Makefile.extra_vars replaces '=' with ':',
which breaks any export options that use '='.  So use EXTRA_VAR_INPUTS
and quote the export options string instead.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 scripts/nfsd.Makefile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/nfsd.Makefile b/scripts/nfsd.Makefile
index d3549a29..a337390c 100644
--- a/scripts/nfsd.Makefile
+++ b/scripts/nfsd.Makefile
@@ -2,10 +2,16 @@ NFSD_EXTRA_ARGS += nfsd_export_device_prefix='$(subst ",,$(CONFIG_NFSD_EXPORT_DE
 NFSD_EXTRA_ARGS += nfsd_export_device_count='$(subst ",,$(CONFIG_NFSD_EXPORT_DEVICE_COUNT))'
 NFSD_EXTRA_ARGS += nfsd_export_fstype='$(subst ",,$(CONFIG_NFSD_EXPORT_FSTYPE))'
 NFSD_EXTRA_ARGS += nfsd_export_path='$(subst ",,$(CONFIG_NFSD_EXPORT_PATH))'
-NFSD_EXTRA_ARGS += nfsd_export_options='$(subst ",,$(CONFIG_NFSD_EXPORT_OPTIONS))'
 NFSD_EXTRA_ARGS += nfsd_threads=$(CONFIG_NFSD_THREADS)
 NFSD_EXTRA_ARGS += nfsd_lease_time=$(CONFIG_NFSD_LEASE_TIME)
 
+EXTRA_VAR_INPUTS += extend-extra-args-nfsd
+
+extend-extra-args-nfsd:
+	$(Q)echo "nfsd_export_options: '$(CONFIG_NFSD_EXPORT_OPTIONS)'" >> $(KDEVOPS_EXTRA_VARS) ;\
+
+PHONY += extend-extra-args-nfsd
+
 ANSIBLE_EXTRA_ARGS += $(NFSD_EXTRA_ARGS)
 
 nfsd:
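
Review bot: the new `echo` recipe in extend-extra-args-nfsd expands `$(CONFIG_NFSD_EXPORT_OPTIONS)` without the `$(subst ",,...)` that the removed line used, so if the value still carries its double quotes they close and reopen the shell's double-quoted string and the option text reaches the shell unquoted. Spaces, `$`, backticks or `;` in the option string would then be interpreted by the shell, and a single quote in it would break the YAML scalar being written. Strip the quotes as the other NFSD_EXTRA_ARGS lines do and keep the value inside shell single quotes, or validate the string before writing it. The trailing `;\` followed by an empty line is also unneeded.
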
-- 
2.43.0



* [PATCH v2 04/10] devconfig: set /etc/hostname earlier
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (2 preceding siblings ...)
  2024-03-09 23:35 ` [PATCH v2 03/10] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
@ 2024-03-09 23:35 ` Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 05/10] nfsd: add a pipefs-directory config to nfs.conf Scott Mayhew
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

I noticed that opensuse-tumbleweed guestfs VMs were still showing up
as 'localhost.localdomain', even though /etc/hostname had the correct
hostnames.

Update /etc/hostname before the distro-specific install tasks, so that
the reboot that occurs causes the hostname change to actually take
effect.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 playbooks/roles/devconfig/tasks/main.yml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/playbooks/roles/devconfig/tasks/main.yml b/playbooks/roles/devconfig/tasks/main.yml
index 1f18e588..1e67f91e 100644
--- a/playbooks/roles/devconfig/tasks/main.yml
+++ b/playbooks/roles/devconfig/tasks/main.yml
@@ -17,6 +17,18 @@
   setup:
   tags: always
 
+# Update /etc/hostname first so the change gets picked up by the reboot
+# that occurs during the distro-specific tasks
+
+- name: Ensure /etc/hostname is set
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  template:
+    src: hostname
+    dest: /etc/hostname
+  tags: hostname
+
 # Distro specific
 - name: Install dependencies
   import_tasks: install-deps/main.yml
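
Review bot: the moved "Ensure /etc/hostname is set" task only takes effect if the distro-specific tasks actually reboot the guest, as the new comment says; on a run where no reboot happens the running hostname stays stale. Applying the name with ansible.builtin.hostname in addition to templating the file would remove that dependency. The task also combines `become_method: sudo` with `become_flags: 'su - -c'`, which deserves a comment now that it runs ahead of the distro-specific setup.
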
@@ -28,15 +40,6 @@
 
 # Distro agnostic stuff goes below
 
-- name: Ensure /etc/hostname is set
-  become: yes
-  become_flags: 'su - -c'
-  become_method: sudo
-  template:
-    src: hostname
-    dest: /etc/hostname
-  tags: hostname
-
 - name: Check if the developer has a git config
   delegate_to: localhost
   stat:
-- 
2.43.0



* [PATCH v2 05/10] nfsd: add a pipefs-directory config to nfs.conf
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (3 preceding siblings ...)
  2024-03-09 23:35 ` [PATCH v2 04/10] devconfig: set /etc/hostname earlier Scott Mayhew
@ 2024-03-09 23:35 ` Scott Mayhew
  2024-03-09 23:35 ` [PATCH v2 06/10] bringup: move the update_etc_hosts task to run early Scott Mayhew
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

Debian uses /run/rpc_pipefs for the pipefs mountpoint by default, but
the nfs.conf that we deploy doesn't have a pipefs-directory
configuration.

That will cause any userspace daemons that use the pipefs to fail to
start/restart because they'll now be looking for the pipefs to be
mounted on /var/lib/nfs/rpc_pipefs... unless we reboot the nfsd server
after we overwrite Debian's default nfs.conf with our own.

So let's just add the pipefs-directory configuration to nfs.conf
instead.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 playbooks/roles/nfsd/templates/nfs.conf.j2 | 3 +++
 playbooks/roles/nfsd/vars/Debian.yml       | 2 ++
 playbooks/roles/nfsd/vars/RedHat.yml       | 2 ++
 playbooks/roles/nfsd/vars/Suse.yml         | 2 ++
 4 files changed, 9 insertions(+)

diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2
index 2396f429..8e89eba4 100644
--- a/playbooks/roles/nfsd/templates/nfs.conf.j2
+++ b/playbooks/roles/nfsd/templates/nfs.conf.j2
@@ -1,3 +1,6 @@
+[general]
+pipefs-directory={{ pipefs_directory }}
+
 [nfsd]
 udp=y
 threads={{ nfsd_threads }}
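
Review bot: `pipefs_directory` in the new [general] section has no fallback, and it is defined only in the per-distro vars files that the install-deps tasks load with include_vars. If the template is rendered on a run where those tasks were skipped (for example by tags), the template task fails on an undefined variable. A role default, or `{{ pipefs_directory | default('/var/lib/nfs/rpc_pipefs') }}`, would cover that.
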
diff --git a/playbooks/roles/nfsd/vars/Debian.yml b/playbooks/roles/nfsd/vars/Debian.yml
index 3bb9e810..d8aa50bc 100644
--- a/playbooks/roles/nfsd/vars/Debian.yml
+++ b/playbooks/roles/nfsd/vars/Debian.yml
@@ -9,3 +9,5 @@ fstype_userspace_progs:
   btrfs: btrfs-progs
   ext4: e2fsprogs
   xfs: xfsprogs
+
+pipefs_directory: /run/rpc_pipefs
diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
index 590818ca..091c827c 100644
--- a/playbooks/roles/nfsd/vars/RedHat.yml
+++ b/playbooks/roles/nfsd/vars/RedHat.yml
@@ -10,3 +10,5 @@ fstype_userspace_progs:
   btrfs: btrfs-progs
   ext4: e2fsprogs
   xfs: xfsprogs
+
+pipefs_directory: /var/lib/nfs/rpc_pipefs
diff --git a/playbooks/roles/nfsd/vars/Suse.yml b/playbooks/roles/nfsd/vars/Suse.yml
index 73b06c83..786e5f81 100644
--- a/playbooks/roles/nfsd/vars/Suse.yml
+++ b/playbooks/roles/nfsd/vars/Suse.yml
@@ -8,3 +8,5 @@ fstype_userspace_progs:
   btrfs: btrfsprogs
   ext4: e2fsprogs
   xfs: xfsprogs
+
+pipefs_directory: /var/lib/nfs/rpc_pipefs
-- 
2.43.0



* [PATCH v2 06/10] bringup: move the update_etc_hosts task to run early
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (4 preceding siblings ...)
  2024-03-09 23:35 ` [PATCH v2 05/10] nfsd: add a pipefs-directory config to nfs.conf Scott Mayhew
@ 2024-03-09 23:35 ` Scott Mayhew
  2024-03-09 23:36 ` [PATCH v2 07/10] bringup: clean up the nfs-related make targets Scott Mayhew
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:35 UTC (permalink / raw)
  To: kdevops

Previously, update_etc_hosts was run after all of the other bringup
dependencies.  Fix this by making it an early (i.e.
KDEVOPS_BRING_UP_DEPS_EARLY) task.  This serves two purposes.  First,
it allows the top-level makefiles to be cleaned up a bit.  Second, it
allows other bringup tasks (i.e. KDEVOPS_BRING_UP_DEPS and
KDEVOPS_BRING_UP_LATE_DEPS tasks) to rely on the fact that /etc/hosts
has already been updated on the target hosts.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 Makefile                                        |  1 +
 playbooks/roles/update_etc_hosts/tasks/main.yml | 14 +++++++++-----
 playbooks/update_etc_hosts.yml                  |  1 +
 scripts/bringup.Makefile                        |  6 +-----
 scripts/update_etc_hosts.Makefile               |  7 +++++++
 5 files changed, 19 insertions(+), 10 deletions(-)
 create mode 100644 scripts/update_etc_hosts.Makefile

diff --git a/Makefile b/Makefile
index 9ca3a5f3..e0cb89c5 100644
--- a/Makefile
+++ b/Makefile
@@ -95,6 +95,7 @@ ANSIBLE_EXTRA_ARGS += $(LOCAL_DEVELOPMENT_ARGS)
 include scripts/provision.Makefile
 include scripts/systemd-timesync.Makefile
 include scripts/journal-server.Makefile
+include scripts/update_etc_hosts.Makefile
 
 KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
 KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
diff --git a/playbooks/roles/update_etc_hosts/tasks/main.yml b/playbooks/roles/update_etc_hosts/tasks/main.yml
index 34a69f6d..694d08db 100644
--- a/playbooks/roles/update_etc_hosts/tasks/main.yml
+++ b/playbooks/roles/update_etc_hosts/tasks/main.yml
@@ -1,8 +1,4 @@
-- name: Gather network facts
-  ansible.builtin.setup:
-    gather_subset:
-      - 'network'
-
+---
 - name: Import optional extra_args file
   include_vars: "{{ item }}"
   ignore_errors: yes
@@ -14,6 +10,14 @@
       skip: true
   tags: vars
 
+- name: Wait for hosts to become available
+  wait_for_connection:
+
+- name: Gather network facts
+  ansible.builtin.setup:
+    gather_subset:
+      - 'network'
+
 - name: Build network address
   set_fact:
     private_network: "{{ terraform_private_net_prefix }}/{{ terraform_private_net_mask }}"
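
Review bot: `wait_for_connection:` is added with no arguments, so how long an unreachable guest stalls `make bringup` is left to the module defaults. Setting `timeout` (and `delay` if the guests need time to boot) explicitly would make the failure mode predictable now that this role runs as an early dependency.
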
diff --git a/playbooks/update_etc_hosts.yml b/playbooks/update_etc_hosts.yml
index 89a63773..a0c21741 100644
--- a/playbooks/update_etc_hosts.yml
+++ b/playbooks/update_etc_hosts.yml
@@ -1,4 +1,5 @@
 ---
 - hosts: all
+  gather_facts: no
   roles:
     - role: update_etc_hosts
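
Review bot: with `gather_facts: no` here, the role's own setup call with `gather_subset: network` becomes the only fact gathering in this play, yet later tasks in the role use ansible_os_family and ansible_hostname. Please confirm those are populated by that call on all supported guests and say so in a comment, or name the subset they need explicitly.
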
diff --git a/scripts/bringup.Makefile b/scripts/bringup.Makefile
index 5a477847..55e7d8d1 100644
--- a/scripts/bringup.Makefile
+++ b/scripts/bringup.Makefile
@@ -33,11 +33,7 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
 KDEVOPS_BRING_UP_DEPS += siw
 endif # KDEVOPS_SETUP_SIW
 
-update_etc_hosts:
-	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
-		-f 30 -i hosts playbooks/update_etc_hosts.yml
-
-bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts
+bringup: $(KDEVOPS_BRING_UP_DEPS)
 
 destroy: $(KDEVOPS_DESTROY_DEPS)
 
diff --git a/scripts/update_etc_hosts.Makefile b/scripts/update_etc_hosts.Makefile
new file mode 100644
index 00000000..e4eb0bca
--- /dev/null
+++ b/scripts/update_etc_hosts.Makefile
@@ -0,0 +1,7 @@
+update_etc_hosts:
+	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+		-f 30 -i hosts playbooks/update_etc_hosts.yml
+
+KDEVOPS_BRING_UP_DEPS_EARLY += update_etc_hosts
+
+PHONY += update_etc_hosts
-- 
2.43.0



* [PATCH v2 07/10] bringup: clean up the nfs-related make targets
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (5 preceding siblings ...)
  2024-03-09 23:35 ` [PATCH v2 06/10] bringup: move the update_etc_hosts task to run early Scott Mayhew
@ 2024-03-09 23:36 ` Scott Mayhew
  2024-03-09 23:36 ` [PATCH v2 08/10] gen_hosts/gen_nodes: clean up nfsd-related stuff Scott Mayhew
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:36 UTC (permalink / raw)
  To: kdevops

Clean up the top level Makefile and scripts/bringup.Makefile by moving
the following into the lower level Makefiles for the nfs-related make
targets (ktls, nfsd, and siw):

1. The "ifeq (y,$(CONFIG_KDEVOPS_SETUP_foo))" directives.
2. The updates of the KDEVOPS_BRING_UP_DEPS/KDEVOPS_BRING_UP_DESTROY
   variables.

There should be no change in behavior.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 Makefile                 |  8 --------
 scripts/bringup.Makefile | 13 -------------
 scripts/ktls.Makefile    |  7 +++++++
 scripts/nfsd.Makefile    |  8 ++++++++
 scripts/siw.Makefile     |  6 ++++++
 5 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/Makefile b/Makefile
index e0cb89c5..11b409e0 100644
--- a/Makefile
+++ b/Makefile
@@ -104,17 +104,9 @@ ifeq (y,$(CONFIG_WORKFLOWS))
 include workflows/Makefile
 endif # CONFIG_WORKFLOWS
 
-ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
 include scripts/siw.Makefile
-endif # CONFIG_KDEVOPS_SETUP_SIW
-
-ifeq (y,$(CONFIG_KDEVOPS_SETUP_KTLS))
 include scripts/ktls.Makefile
-endif # CONFIG_KDEVOPS_SETUP_KTLS
-
-ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
 include scripts/nfsd.Makefile
-endif # CONFIG_KDEVOPS_SETUP_NFSD
 
 include scripts/devconfig.Makefile
 include scripts/ssh.Makefile
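
Review bot: the commit message says there should be no change in behavior, but the order of KDEVOPS_BRING_UP_DEPS changes: the block removed from scripts/bringup.Makefile appended nfsd, ktls, siw, while the includes here run in the order siw, ktls, nfsd and each file now does its own `+=`. If any of these targets depends on another having run first, reorder the includes or state the ordering in a comment.
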
diff --git a/scripts/bringup.Makefile b/scripts/bringup.Makefile
index 55e7d8d1..148547c0 100644
--- a/scripts/bringup.Makefile
+++ b/scripts/bringup.Makefile
@@ -20,19 +20,6 @@ endif
 
 endif
 
-ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
-KDEVOPS_BRING_UP_DEPS += nfsd
-endif # KDEVOPS_SETUP_NFSD
-
-ifeq (y,$(CONFIG_KDEVOPS_SETUP_KTLS))
-KDEVOPS_BRING_UP_DEPS += ktls
-KDEVOPS_DESTROY_DEPS += ktls-destroy
-endif # KDEVOPS_SETUP_KTLS
-
-ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
-KDEVOPS_BRING_UP_DEPS += siw
-endif # KDEVOPS_SETUP_SIW
-
 bringup: $(KDEVOPS_BRING_UP_DEPS)
 
 destroy: $(KDEVOPS_DESTROY_DEPS)
diff --git a/scripts/ktls.Makefile b/scripts/ktls.Makefile
index 97753804..905f6887 100644
--- a/scripts/ktls.Makefile
+++ b/scripts/ktls.Makefile
@@ -1,3 +1,5 @@
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_KTLS))
+
 ktls:
 	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
 		-f 30 -i hosts playbooks/ktls.yml
@@ -5,4 +7,9 @@ ktls:
 ktls-destroy:
 	$(Q)rm -rf $(TOPDIR)/ca
 
+KDEVOPS_BRING_UP_DEPS += ktls
+KDEVOPS_DESTROY_DEPS += ktls-destroy
+
 PHONY += ktls ktls-destroy
+
+endif
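
Review bot: the closing `endif` in scripts/ktls.Makefile has no trailing comment naming its condition, unlike the `endif # CONFIG_KDEVOPS_SETUP_KTLS` lines removed from the top-level Makefile; the same applies to nfsd.Makefile and siw.Makefile. With the whole file now inside the conditional, labelling the `endif` helps the reader match it to the `ifeq` at the top.
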
diff --git a/scripts/nfsd.Makefile b/scripts/nfsd.Makefile
index a337390c..f534f4ff 100644
--- a/scripts/nfsd.Makefile
+++ b/scripts/nfsd.Makefile
@@ -1,3 +1,5 @@
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
+
 NFSD_EXTRA_ARGS += nfsd_export_device_prefix='$(subst ",,$(CONFIG_NFSD_EXPORT_DEVICE_PREFIX))'
 NFSD_EXTRA_ARGS += nfsd_export_device_count='$(subst ",,$(CONFIG_NFSD_EXPORT_DEVICE_COUNT))'
 NFSD_EXTRA_ARGS += nfsd_export_fstype='$(subst ",,$(CONFIG_NFSD_EXPORT_FSTYPE))'
@@ -17,3 +19,9 @@ ANSIBLE_EXTRA_ARGS += $(NFSD_EXTRA_ARGS)
 nfsd:
 	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
 		-f 30 -i hosts -l nfsd playbooks/nfsd.yml
+
+KDEVOPS_BRING_UP_DEPS += nfsd
+
+PHONY += nfsd
+
+endif
diff --git a/scripts/siw.Makefile b/scripts/siw.Makefile
index 80f96309..d09d1a2f 100644
--- a/scripts/siw.Makefile
+++ b/scripts/siw.Makefile
@@ -1,5 +1,11 @@
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
+
 siw:
 	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
 		-f 30 -i hosts playbooks/siw.yml
 
+KDEVOPS_BRING_UP_DEPS += siw
+
 PHONY += siw
+
+endif
-- 
2.43.0



* [PATCH v2 08/10] gen_hosts/gen_nodes: clean up nfsd-related stuff
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (6 preceding siblings ...)
  2024-03-09 23:36 ` [PATCH v2 07/10] bringup: clean up the nfs-related make targets Scott Mayhew
@ 2024-03-09 23:36 ` Scott Mayhew
  2024-03-09 23:36 ` [PATCH v2 09/10] kconfigs: clean up Kconfig.bringup.goals Scott Mayhew
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:36 UTC (permalink / raw)
  To: kdevops

First, instead of checking if nfsd_threads is defined, create a new
variable kdevops_nfsd_enable and use that.

Second, if nfsd is not enabled, then there shouldn't be "nfsd" and
"nfsd:vars" stanzas in the hosts file, so adjust the placement of the
conditionals in the templates accordingly.

No change in behavior.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 playbooks/roles/gen_hosts/defaults/main.yml    | 2 ++
 playbooks/roles/gen_hosts/templates/fstests.j2 | 4 ++--
 playbooks/roles/gen_hosts/templates/gitr.j2    | 4 ++--
 playbooks/roles/gen_hosts/templates/hosts.j2   | 6 +++---
 playbooks/roles/gen_nodes/defaults/main.yml    | 1 +
 playbooks/roles/gen_nodes/tasks/main.yml       | 6 +++---
 scripts/nfsd.Makefile                          | 1 +
 7 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/playbooks/roles/gen_hosts/defaults/main.yml b/playbooks/roles/gen_hosts/defaults/main.yml
index ff1212a5..0c49cde0 100644
--- a/playbooks/roles/gen_hosts/defaults/main.yml
+++ b/playbooks/roles/gen_hosts/defaults/main.yml
@@ -30,3 +30,5 @@ is_fstests: False
 fstests_fstyp: "bogus"
 fs_config_role_path: "/dev/null"
 fs_config_data: "[section_1]"
+
+kdevops_nfsd_enable: False
diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
index 74057952..b5111ad3 100644
--- a/playbooks/roles/gen_hosts/templates/fstests.j2
+++ b/playbooks/roles/gen_hosts/templates/fstests.j2
@@ -21,9 +21,9 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 {% endif %}
 [dev:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+{% if kdevops_nfsd_enable %}
 [nfsd]
-{% if nfsd_threads is defined %}
 {{ kdevops_hosts_prefix }}-nfsd
-{% endif %}
 [nfsd:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+{% endif %}
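
Review bot: the new guard tests the bare variable
({% if kdevops_nfsd_enable %}) while the gen_nodes tasks in this same
patch use kdevops_nfsd_enable|bool. The value is supplied as
kdevops_nfsd_enable=True through NFSD_EXTRA_ARGS, and if it ever reaches
the template as a string, any non-empty value, including "False", is true
in Jinja2. Suggest {% if kdevops_nfsd_enable|bool %} here and in gitr.j2
and hosts.j2 so templates and tasks evaluate the flag the same way.
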
diff --git a/playbooks/roles/gen_hosts/templates/gitr.j2 b/playbooks/roles/gen_hosts/templates/gitr.j2
index ba144bfd..d6998bd8 100644
--- a/playbooks/roles/gen_hosts/templates/gitr.j2
+++ b/playbooks/roles/gen_hosts/templates/gitr.j2
@@ -15,9 +15,9 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 {% endif %}
 [dev:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+{% if kdevops_nfsd_enable %}
 [nfsd]
-{% if nfsd_threads is defined %}
 {{ kdevops_hosts_prefix }}-nfsd
-{% endif %}
 [nfsd:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+{% endif %}
diff --git a/playbooks/roles/gen_hosts/templates/hosts.j2 b/playbooks/roles/gen_hosts/templates/hosts.j2
index 57325112..c22b2e39 100644
--- a/playbooks/roles/gen_hosts/templates/hosts.j2
+++ b/playbooks/roles/gen_hosts/templates/hosts.j2
@@ -14,7 +14,7 @@ write-your-own-template-for-your-workflow-and-task
 {% if kdevops_baseline_and_dev == True %}
 {{ kdevops_hosts_prefix }}-dev
 {% endif %}
-{% if nfsd_threads is defined %}
+{% if kdevops_nfsd_enable %}
 {{ kdevops_hosts_prefix }}-nfsd
 {% endif %}
 [all:vars]
@@ -29,10 +29,10 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 {% endif %}
 [dev:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+{% if kdevops_nfsd_enable %}
 [nfsd]
-{% if nfsd_threads is defined %}
 {{ kdevops_hosts_prefix }}-nfsd
-{% endif %}
 [nfsd:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 {% endif %}
+{% endif %}
diff --git a/playbooks/roles/gen_nodes/defaults/main.yml b/playbooks/roles/gen_nodes/defaults/main.yml
index 0e41e0ad..51491d33 100644
--- a/playbooks/roles/gen_nodes/defaults/main.yml
+++ b/playbooks/roles/gen_nodes/defaults/main.yml
@@ -12,6 +12,7 @@ kdevops_workflow_enable_cxl: False
 kdevops_workflow_enable_pynfs: False
 kdevops_workflow_enable_gitr: False
 kdevops_workflow_enable_selftests: False
+kdevops_nfsd_enable: False
 
 virtualbox_provider: False
 libvirt_provider: False
diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
index 2f5c48b6..288dbdca 100644
--- a/playbooks/roles/gen_nodes/tasks/main.yml
+++ b/playbooks/roles/gen_nodes/tasks/main.yml
@@ -47,13 +47,13 @@
   set_fact:
     nfsd_nodes: "{{ [ kdevops_host_prefix + '-nfsd' ] }}"
   when:
-    - nfsd_threads is defined
+    - kdevops_nfsd_enable|bool
 
 - name: Add an nfs server if one was selected
   set_fact:
     generic_nodes: "{{ generic_nodes + nfsd_nodes }}"
   when:
-    - nfsd_threads is defined
+    - kdevops_nfsd_enable|bool
 
 - name: Set fstests config file variable for {{ fstests_fstyp }}
   set_fact:
@@ -215,7 +215,7 @@
     fstests_enabled_nodes: "{{ fstests_enabled_nodes + nfsd_nodes }}"
   when:
     - is_fstests|bool
-    - nfsd_threads is defined
+    - kdevops_nfsd_enable|bool
 
 - name: Generate the fstests kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template
   tags: [ 'hosts' ]
diff --git a/scripts/nfsd.Makefile b/scripts/nfsd.Makefile
index f534f4ff..3accc879 100644
--- a/scripts/nfsd.Makefile
+++ b/scripts/nfsd.Makefile
@@ -6,6 +6,7 @@ NFSD_EXTRA_ARGS += nfsd_export_fstype='$(subst ",,$(CONFIG_NFSD_EXPORT_FSTYPE))'
 NFSD_EXTRA_ARGS += nfsd_export_path='$(subst ",,$(CONFIG_NFSD_EXPORT_PATH))'
 NFSD_EXTRA_ARGS += nfsd_threads=$(CONFIG_NFSD_THREADS)
 NFSD_EXTRA_ARGS += nfsd_lease_time=$(CONFIG_NFSD_LEASE_TIME)
+NFSD_EXTRA_ARGS += kdevops_nfsd_enable=True
 
 EXTRA_VAR_INPUTS += extend-extra-args-nfsd
 
-- 
2.43.0



* [PATCH v2 09/10] kconfigs: clean up Kconfig.bringup.goals
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (7 preceding siblings ...)
  2024-03-09 23:36 ` [PATCH v2 08/10] gen_hosts/gen_nodes: clean up nfsd-related stuff Scott Mayhew
@ 2024-03-09 23:36 ` Scott Mayhew
  2024-03-09 23:36 ` [PATCH v2 10/10] fstests/nfs: add krb5 support Scott Mayhew
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:36 UTC (permalink / raw)
  To: kdevops

Move 'config KDEVOPS_SETUP_NFSD' and 'menu "Configure the kernel NFS
server"' out of Kconfig.bringup.goals and into Kconfig.nfsd.  This is
simply to keep the top level kconfigs cleaner.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 kconfigs/Kconfig.bringup.goals | 12 ------------
 kconfigs/Kconfig.nfsd          | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
index 71948e9b..fc6af7f8 100644
--- a/kconfigs/Kconfig.bringup.goals
+++ b/kconfigs/Kconfig.bringup.goals
@@ -96,16 +96,4 @@ config KDEVOPS_SETUP_KTLS
 	  authority, and configure tlshd on the hosts to use it. This is
 	  necessary for testing RPC over TLS, or NVMe over TCP.
 
-config KDEVOPS_SETUP_NFSD
-	bool "Set up the kernel nfs server"
-	default n
-	help
-	  Configure and bring up the kernel NFS server. This will provision
-	  a filesystem on a block device, mount it, export it and start up the
-	  nfs server and associated daemons.
-
-if KDEVOPS_SETUP_NFSD
-menu "Configure the kernel NFS server"
 source "kconfigs/Kconfig.nfsd"
-endmenu
-endif
diff --git a/kconfigs/Kconfig.nfsd b/kconfigs/Kconfig.nfsd
index db80d8c0..dec98c1e 100644
--- a/kconfigs/Kconfig.nfsd
+++ b/kconfigs/Kconfig.nfsd
@@ -1,4 +1,16 @@
 # FIXME: need defaults for terraform hosts
+config KDEVOPS_SETUP_NFSD
+	bool "Set up the kernel nfs server"
+	default n
+	help
+	  Configure and bring up the kernel NFS server. This will provision
+	  a filesystem on a block device, mount it, export it and start up the
+	  nfs server and associated daemons.
+
+if KDEVOPS_SETUP_NFSD
+
+menu "Configure the kernel NFS server"
+
 config NFSD_EXPORT_DEVICE_PREFIX
 	string "The device prefix to use for LVM PVs"
 	default "/dev/disk/by-id/nvme-QEMU_NVMe_Ctrl_kdevops" if LIBVIRT && LIBVIRT_EXTRA_STORAGE_DRIVE_NVME
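
Review bot: the new config KDEVOPS_SETUP_NFSD block is inserted directly
below "# FIXME: need defaults for terraform hosts", so the comment now
reads as if it applied to KDEVOPS_SETUP_NFSD rather than to
NFSD_EXPORT_DEVICE_PREFIX and its provider-specific defaults. Suggest
moving the FIXME down so it stays immediately above
config NFSD_EXPORT_DEVICE_PREFIX.
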
@@ -70,3 +82,7 @@ config NFSD_LEASE_TIME
 	  allow a large client cohort enough time to recover their open
 	  and lock state. But a shorter lease time helps certain tests
 	  complete faster.
+
+endmenu
+
+endif
-- 
2.43.0



* [PATCH v2 10/10] fstests/nfs: add krb5 support
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (8 preceding siblings ...)
  2024-03-09 23:36 ` [PATCH v2 09/10] kconfigs: clean up Kconfig.bringup.goals Scott Mayhew
@ 2024-03-09 23:36 ` Scott Mayhew
  2024-03-11 12:57 ` [PATCH v2 00/10] add initial support for testing nfs with krb5 Jeff Layton
  2024-03-11 22:05 ` Luis Chamberlain
  11 siblings, 0 replies; 13+ messages in thread
From: Scott Mayhew @ 2024-03-09 23:36 UTC (permalink / raw)
  To: kdevops

This adds the ability to run fstests on NFS with sec=krb5{,i,p}.

To use it, you need to:

* Specify a krb5 realm and admin password via:
  -> Bring up goals
    -> Set up KRB5
      -> Configure the KRB5 KDC
        -> KRB5 Realm
        -> KRB5 admin password

* Add the 'sec=' export option to nfsd via:
  -> Bring up goals
    -> Set up the kernel nfs server
      -> Configure the kernel NFS server
        -> The export options to use for the exported fs

* Specify the auth flavor for the clients to use via:
  -> Target workflows
    -> Enable different target workflows
      -> Enable selection of test workflows
        -> Linux subsystem tests
          -> Configure and run fstests
            -> Configure how nfs should be tested
              -> Authentication flavor to use

The following will happen during 'make bringup':
- a KDC will automatically be created
- the dependency packages for krb5 will be installed on the clients and
  nfsd
- keys will be created for the clients and nfsd on the KDC
- the keys will get added to the keytabs on the clients and nfsd

The auth flavor gets written to /etc/nfsmount.conf on the clients during
'make fstests'.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 Makefile                                      |   1 +
 kconfigs/Kconfig.bringup.goals                |   1 +
 kconfigs/Kconfig.krb5                         |  25 ++++
 playbooks/kdc.yml                             |   4 +
 playbooks/krb5.yml                            |   4 +
 .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
 playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
 .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
 playbooks/roles/gen_hosts/defaults/main.yml   |   1 +
 .../roles/gen_hosts/templates/fstests.j2      |  15 +++
 playbooks/roles/gen_nodes/defaults/main.yml   |   1 +
 playbooks/roles/gen_nodes/tasks/main.yml      |  19 +++
 .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
 .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
 .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
 .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
 playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
 playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
 playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
 playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
 playbooks/roles/kdc/vars/Debian.yml           |   7 ++
 playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
 playbooks/roles/kdc/vars/Suse.yml             |   7 ++
 playbooks/roles/kdc/vars/default.yml          |   7 ++
 playbooks/roles/kdc/vars/main.yml             |   1 +
 .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
 .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
 .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
 .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
 playbooks/roles/krb5/tasks/main.yml           |  52 ++++++++
 playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
 .../nfsd/tasks/install-deps/debian/main.yml   |   5 +
 .../nfsd/tasks/install-deps/suse/main.yml     |   5 +
 scripts/krb5.Makefile                         |  22 ++++
 workflows/fstests/nfs/Kconfig                 |  29 +++++
 workflows/fstests/nfs/Makefile                |   4 +
 36 files changed, 566 insertions(+)
 create mode 100644 kconfigs/Kconfig.krb5
 create mode 100644 playbooks/kdc.yml
 create mode 100644 playbooks/krb5.yml
 create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/main.yml
 create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
 create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
 create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
 create mode 100644 playbooks/roles/kdc/vars/Debian.yml
 create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
 create mode 100644 playbooks/roles/kdc/vars/Suse.yml
 create mode 100644 playbooks/roles/kdc/vars/default.yml
 create mode 100644 playbooks/roles/kdc/vars/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/main.yml
 create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
 create mode 100644 scripts/krb5.Makefile

diff --git a/Makefile b/Makefile
index 11b409e0..5b8e1a22 100644
--- a/Makefile
+++ b/Makefile
@@ -107,6 +107,7 @@ endif # CONFIG_WORKFLOWS
 include scripts/siw.Makefile
 include scripts/ktls.Makefile
 include scripts/nfsd.Makefile
+include scripts/krb5.Makefile
 
 include scripts/devconfig.Makefile
 include scripts/ssh.Makefile
diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
index fc6af7f8..dd7f4491 100644
--- a/kconfigs/Kconfig.bringup.goals
+++ b/kconfigs/Kconfig.bringup.goals
@@ -97,3 +97,4 @@ config KDEVOPS_SETUP_KTLS
 	  necessary for testing RPC over TLS, or NVMe over TCP.
 
 source "kconfigs/Kconfig.nfsd"
+source "kconfigs/Kconfig.krb5"
diff --git a/kconfigs/Kconfig.krb5 b/kconfigs/Kconfig.krb5
new file mode 100644
index 00000000..e5902718
--- /dev/null
+++ b/kconfigs/Kconfig.krb5
@@ -0,0 +1,25 @@
+config KDEVOPS_SETUP_KRB5
+	bool "Set up KRB5"
+	default n
+	help
+	  Configure and bring up a MIT Kerberos V5 KDC.
+
+if KDEVOPS_SETUP_KRB5
+
+menu "Configure the KRB5 KDC"
+
+config KRB5_REALM
+	string "KRB5 Realm"
+	default "KDEVOPS"
+	help
+	  Kerberos realm to create.
+
+config KRB5_ADMIN_PW
+	string "KRB5 admin password"
+	default "kdevops"
+	help
+	  Password to use for the 'root/admin' principal.
+
+endmenu
+
+endif
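
Review bot: KRB5_ADMIN_PW is a plain string with the default "kdevops",
and its help text does not say that the value is kept in clear text in
the configuration and is meant only for throwaway test realms. Suggest
extending the help for KRB5_ADMIN_PW to say so, and to point out that it
is the password for root/admin, which the kadm5.acl template later in
this patch grants all privileges through the */admin entry.
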
diff --git a/playbooks/kdc.yml b/playbooks/kdc.yml
new file mode 100644
index 00000000..66709db8
--- /dev/null
+++ b/playbooks/kdc.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - role: kdc
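
Review bot: "hosts: all" applies the kdc role to every host in the
inventory unless the caller limits the run. The fstests.j2 change in this
patch creates dedicated [kdc] and [krb5] groups, so "hosts: kdc" here
(and "hosts: krb5" in playbooks/krb5.yml) would keep a KDC from being set
up on a client or on the NFS server if the playbook is ever run without
a limit.
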
diff --git a/playbooks/krb5.yml b/playbooks/krb5.yml
new file mode 100644
index 00000000..52ca3ef5
--- /dev/null
+++ b/playbooks/krb5.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - role: krb5
diff --git a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
index 067e5c55..951dfc66 100644
--- a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
@@ -237,3 +237,13 @@
   when:
     - repos_present|bool
     - fstests_fstyp == "nfs"
+
+- name: Ensure nfs-client.target is enabled
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: nfs-client.target
+    enabled: true
+    state: started
+  when:
+    - fstests_fstyp == "nfs"
diff --git a/playbooks/roles/fstests/tasks/main.yml b/playbooks/roles/fstests/tasks/main.yml
index 3f210a53..b76536ec 100644
--- a/playbooks/roles/fstests/tasks/main.yml
+++ b/playbooks/roles/fstests/tasks/main.yml
@@ -668,6 +668,47 @@
   when:
     - fstests_fstyp == "nfs"
 
+- name: Check to see if /etc/nfsmount.conf exists
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  ansible.builtin.stat:
+    path: /etc/nfsmount.conf
+  register: nfsmount_conf
+  when:
+    - fstests_fstyp == "nfs"
+    - fstests_nfs_auth_flavor is defined
+    - fstests_nfs_auth_flavor
+
+- name: Create /etc/nfsmount.conf
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  ansible.builtin.template:
+    src: "{{ fstests_fstyp }}/nfsmount.conf"
+    dest: /etc/nfsmount.conf
+    owner: root
+    group: root
+    mode: 0644
+  when:
+    - fstests_fstyp == "nfs"
+    - fstests_nfs_auth_flavor is defined
+    - fstests_nfs_auth_flavor
+    - not nfsmount_conf.stat.exists
+
+- name: Set auth flavor for NFS
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  ansible.builtin.lineinfile:
+    path: /etc/nfsmount.conf
+    regexp: '^# Sec='
+    line: 'Sec={{ fstests_nfs_auth_flavor }}'
+  when:
+    - fstests_fstyp == "nfs"
+    - fstests_nfs_auth_flavor is defined
+    - fstests_nfs_auth_flavor
+
 - name: Reboot system before our test so we know everything is sane
   tags: [ 'oscheck', 'fstests', 'run_tests', 'reboot' ]
   become: yes
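
Review bot: in "Set auth flavor for NFS", regexp '^# Sec=' only matches
the commented-out template line, so once the file contains an active
Sec= line a later run with a different flavor no longer matches and
lineinfile appends a second Sec= line at the end of the file, possibly
outside [ NFSMount_Global_Options ]. Suggest a pattern that also matches
an existing setting, such as '^#?\s*Sec=', together with insertafter on
the global section header. The same applies to a pre-existing
/etc/nfsmount.conf that has no "# Sec=" line, since the template is only
installed when the file is absent.
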
diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
new file mode 100644
index 00000000..73b6a8e4
--- /dev/null
+++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
@@ -0,0 +1,2 @@
+[ NFSMount_Global_Options ]
+# Sec=sys
diff --git a/playbooks/roles/gen_hosts/defaults/main.yml b/playbooks/roles/gen_hosts/defaults/main.yml
index 0c49cde0..5cd7433c 100644
--- a/playbooks/roles/gen_hosts/defaults/main.yml
+++ b/playbooks/roles/gen_hosts/defaults/main.yml
@@ -32,3 +32,4 @@ fs_config_role_path: "/dev/null"
 fs_config_data: "[section_1]"
 
 kdevops_nfsd_enable: False
+kdevops_krb5_enable: False
diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
index b5111ad3..985e3f76 100644
--- a/playbooks/roles/gen_hosts/templates/fstests.j2
+++ b/playbooks/roles/gen_hosts/templates/fstests.j2
@@ -27,3 +27,18 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 [nfsd:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 {% endif %}
+{% if kdevops_krb5_enable %}
+[kdc]
+{{ kdevops_hosts_prefix }}-kdc
+[kdc:vars]
+ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+[krb5]
+{% for s in fstests_enabled_test_types %}
+{{ kdevops_host_prefix }}-{{ s }}
+{% endfor %}
+{% if kdevops_nfsd_enable %}
+{{ kdevops_hosts_prefix }}-nfsd
+{% endif %}
+[krb5:vars]
+ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+{% endif %}
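
Review bot: the [krb5] stanza builds the client names from
kdevops_host_prefix but the -kdc and -nfsd names from
kdevops_hosts_prefix. gen_nodes names the KDC node with
kdevops_host_prefix + '-kdc', so using one spelling throughout this block
would rule out a mismatch between the nodes file and the hosts file.
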
diff --git a/playbooks/roles/gen_nodes/defaults/main.yml b/playbooks/roles/gen_nodes/defaults/main.yml
index 51491d33..6d729605 100644
--- a/playbooks/roles/gen_nodes/defaults/main.yml
+++ b/playbooks/roles/gen_nodes/defaults/main.yml
@@ -13,6 +13,7 @@ kdevops_workflow_enable_pynfs: False
 kdevops_workflow_enable_gitr: False
 kdevops_workflow_enable_selftests: False
 kdevops_nfsd_enable: False
+kdevops_krb5_enable: False
 
 virtualbox_provider: False
 libvirt_provider: False
diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
index 288dbdca..f9537fce 100644
--- a/playbooks/roles/gen_nodes/tasks/main.yml
+++ b/playbooks/roles/gen_nodes/tasks/main.yml
@@ -55,6 +55,18 @@
   when:
     - kdevops_nfsd_enable|bool
 
+- name: Set kdc_nodes list
+  set_fact:
+    kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}"
+  when:
+    - kdevops_krb5_enable|bool
+
+- name: Add a KRB5 KDC if one was selected
+  set_fact:
+    generic_nodes: "{{ generic_nodes + kdc_nodes }}"
+  when:
+    - kdevops_krb5_enable|bool
+
 - name: Set fstests config file variable for {{ fstests_fstyp }}
   set_fact:
     is_fstests: True
@@ -217,6 +229,13 @@
     - is_fstests|bool
     - kdevops_nfsd_enable|bool
 
+- name: Add the KRB5 KDC if one was selected
+  set_fact:
+    fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}"
+  when:
+    - is_fstests|bool
+    - kdevops_krb5_enable|bool
+
 - name: Generate the fstests kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template
   tags: [ 'hosts' ]
   vars:
diff --git a/playbooks/roles/kdc/tasks/install-deps/debian/main.yml b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml
new file mode 100644
index 00000000..bc2a6a78
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Install kdc dependencies
+  become: yes
+  become_method: sudo
+  apt:
+    name:
+      - krb5-admin-server
+      - krb5-kdc
+      - krb5-user
+    state: present
+    update_cache: yes
diff --git a/playbooks/roles/kdc/tasks/install-deps/main.yml b/playbooks/roles/kdc/tasks/install-deps/main.yml
new file mode 100644
index 00000000..a1bd1da5
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Debian-specific set up
+  ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific set up
+  ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific set up
+  ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
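
Review bot: the include paths here read roles/tasks/kdc/install-deps/...,
with "tasks" and "kdc" transposed relative to where this patch creates
the files (playbooks/roles/kdc/tasks/install-deps/...).
playbooks/roles/kdc/tasks/main.yml includes the per-distribution files
directly with roles/kdc/tasks/... paths, so this file looks unused.
Suggest either dropping it or fixing the paths and including it from
tasks/main.yml.
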
diff --git a/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
new file mode 100644
index 00000000..c393920d
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install kdc dependencies
+  become: yes
+  become_method: sudo
+  yum:
+    update_cache: yes
+    name: "{{ packages }}"
+  retries: 3
+  delay: 5
+  register: result
+  until: result.rc == 0
+  vars:
+    packages:
+      - krb5-server
+      - krb5-libs
+      - krb5-workstation
diff --git a/playbooks/roles/kdc/tasks/install-deps/suse/main.yml b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml
new file mode 100644
index 00000000..d0fd019f
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Install kdc dependencies
+  become: yes
+  become_method: sudo
+  zypper:
+    name:
+      - krb5
+      - krb5-client
+      - krb5-server
+    state: present
diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml
new file mode 100644
index 00000000..b67f38d0
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/main.yml
@@ -0,0 +1,119 @@
+---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Debian-specific setup
+  ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific setup
+  ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific setup
+  ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: Configure /etc/krb5.conf
+  become: yes
+  become_method: sudo
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Ensure /etc/krb5.conf.d exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.file:
+    path: /etc/krb5.conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Configure {{ kdc_conf_dir }}/kdc.conf
+  become: yes
+  become_method: sudo
+  template:
+    src: kdc.conf.j2
+    dest: "{{ kdc_conf_dir }}/kdc.conf"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Configure {{ kdc_data_dir }}/kadm5.acl
+  become: yes
+  become_method: sudo
+  template:
+    src: kadm5.acl.j2
+    dest: "{{ kdc_data_dir }}/kadm5.acl"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Check to see if Kerberos database exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.stat:
+    path: "{{ kdc_data_dir }}/principal"
+  register: kerberos_db
+
+- name: Create database
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kdb5_util -P {{ krb5_admin_pw }} create -s
+  when: not kerberos_db.stat.exists
+
+- name: Create admin principal
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin.local -q "addprinc -pw {{ krb5_admin_pw }} root/admin"
+
+- name: Allow access to kerberos service in firewalld
+  become: yes
+  become_method: sudo
+  ansible.posix.firewalld:
+    service: kerberos
+    permanent: true
+    immediate: true
+    state: enabled
+  when: ansible_os_family == 'RedHat'
+
+- name: Allow access to kadmin service in firewalld
+  become: yes
+  become_method: sudo
+  ansible.posix.firewalld:
+    service: kadmin
+    permanent: true
+    immediate: true
+    state: enabled
+  when: ansible_os_family == 'RedHat'
+
+- name: Start and enable {{ krb5kdc_service_name }} systemd service
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: "{{ krb5kdc_service_name }}"
+    enabled: true
+    state: started
+
+- name: Start and enable {{ kadmin_service_name }} systemd service
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: "{{ kadmin_service_name }}"
+    enabled: true
+    state: started
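
Review bot: "Create database" and "Create admin principal" interpolate
krb5_admin_pw unquoted into ansible.builtin.shell commands, so the
password appears in the process list and in Ansible's task output, and a
value containing spaces or shell metacharacters changes the command that
runs. Suggest ansible.builtin.command with an argv list (or the quote
filter) plus no_log: true on both tasks. Note also that kdb5_util -P sets
the database master password to the same value as the root/admin
password, and that "Create admin principal" is not guarded the way
database creation is, so it runs again on every bringup.
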
diff --git a/playbooks/roles/kdc/templates/kadm5.acl.j2 b/playbooks/roles/kdc/templates/kadm5.acl.j2
new file mode 100644
index 00000000..0a303e28
--- /dev/null
+++ b/playbooks/roles/kdc/templates/kadm5.acl.j2
@@ -0,0 +1 @@
+*/admin@{{ krb5_realm }}	*
diff --git a/playbooks/roles/kdc/templates/kdc.conf.j2 b/playbooks/roles/kdc/templates/kdc.conf.j2
new file mode 100644
index 00000000..7de816dd
--- /dev/null
+++ b/playbooks/roles/kdc/templates/kdc.conf.j2
@@ -0,0 +1,15 @@
+[kdcdefaults]
+    kdc_ports = 88
+    kdc_tcp_ports = 88
+    spake_preauth_kdc_challenge = edwards25519
+
+[realms]
+{{ krb5_realm }} = {
+     database_name = {{ kdc_data_dir }}/principal
+     master_key_type = {{ kdc_master_key_type }}
+     acl_file = {{ kdc_data_dir }}/kadm5.acl
+     dict_file = /usr/share/dict/words
+     default_principal_flags = +preauth
+     admin_keytab = {{ kdc_data_dir }}/kadm5.keytab
+     supported_enctypes = {{ kdc_supported_enctypes }}
+}
diff --git a/playbooks/roles/kdc/templates/krb5.conf.j2 b/playbooks/roles/kdc/templates/krb5.conf.j2
new file mode 100644
index 00000000..e42ffb9b
--- /dev/null
+++ b/playbooks/roles/kdc/templates/krb5.conf.j2
@@ -0,0 +1,29 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_realm = {{ krb5_realm }}
+    default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ krb5_realm }} = {
+    kdc = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:88
+    admin_server = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:749
+}
+
+[domain_realm]
+  .{{ krb5_realm | lower }} = {{ krb5_realm }}
+  {{ krb5_realm | lower }} = {{ krb5_realm }}
diff --git a/playbooks/roles/kdc/vars/Debian.yml b/playbooks/roles/kdc/vars/Debian.yml
new file mode 100644
index 00000000..b1cb8f13
--- /dev/null
+++ b/playbooks/roles/kdc/vars/Debian.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /etc/krb5kdc
+kdc_data_dir: /var/lib/krb5kdc
+kdc_master_key_type: aes256-cts
+kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal
+krb5kdc_service_name: krb5-kdc
+kadmin_service_name: krb5-admin-server
diff --git a/playbooks/roles/kdc/vars/RedHat.yml b/playbooks/roles/kdc/vars/RedHat.yml
new file mode 100644
index 00000000..16de574d
--- /dev/null
+++ b/playbooks/roles/kdc/vars/RedHat.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/kerberos/krb5kdc
+kdc_data_dir: /var/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts-hmac-sha384-192
+kdc_supported_enctypes: aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmin
diff --git a/playbooks/roles/kdc/vars/Suse.yml b/playbooks/roles/kdc/vars/Suse.yml
new file mode 100644
index 00000000..8900d6ad
--- /dev/null
+++ b/playbooks/roles/kdc/vars/Suse.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/lib/kerberos/krb5kdc
+kdc_data_dir: /var/lib/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts
+kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmind
diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
new file mode 100644
index 00000000..16de574d
--- /dev/null
+++ b/playbooks/roles/kdc/vars/default.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/kerberos/krb5kdc
+kdc_data_dir: /var/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts-hmac-sha384-192
+kdc_supported_enctypes: aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmin
diff --git a/playbooks/roles/kdc/vars/main.yml b/playbooks/roles/kdc/vars/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/playbooks/roles/kdc/vars/main.yml
@@ -0,0 +1 @@
+---
diff --git a/playbooks/roles/krb5/tasks/install-deps/debian/main.yml b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml
new file mode 100644
index 00000000..25bdff7c
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Install krb5 dependencies
+  become: yes
+  become_method: sudo
+  apt:
+    name:
+      - krb5-user
+    state: present
+    update_cache: yes
diff --git a/playbooks/roles/krb5/tasks/install-deps/main.yml b/playbooks/roles/krb5/tasks/install-deps/main.yml
new file mode 100644
index 00000000..ab31e2d4
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Debian-specific set up
+  ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific set up
+  ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific set up
+  ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
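
Review bot: same path problem as in the kdc role: these includes point at
roles/tasks/krb5/install-deps/..., while the files are created under
playbooks/roles/krb5/tasks/install-deps/... and
playbooks/roles/krb5/tasks/main.yml already includes them directly.
Suggest dropping this file or correcting the paths.
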
diff --git a/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
new file mode 100644
index 00000000..511f221f
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Install krb5 dependencies
+  become: yes
+  become_method: sudo
+  yum:
+    update_cache: yes
+    name: "{{ packages }}"
+  retries: 3
+  delay: 5
+  register: result
+  until: result.rc == 0
+  vars:
+    packages:
+      - krb5-libs
+      - krb5-workstation
diff --git a/playbooks/roles/krb5/tasks/install-deps/suse/main.yml b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml
new file mode 100644
index 00000000..b01ac532
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install krb5 dependencies
+  become: yes
+  become_method: sudo
+  zypper:
+    name:
+      - krb5
+      - krb5-client
+      - kernel-default
+    state: present
+    force_resolution: true
+
+- name: Reboot system to make the new kernel and modules take effect
+  become: yes
+  become_method: sudo
+  ansible.builtin.reboot:
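Review bot: The reboot task at the end of this file has no condition,
so every run of the krb5 role reboots the SUSE guests even when
kernel-default was already installed and nothing changed. Register the
zypper result and guard the reboot with "when: <result> is changed".
A short comment on why kernel-default is pulled in here would also
help, since the Debian and Red Hat variants install only user-space
krb5 packages.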
diff --git a/playbooks/roles/krb5/tasks/main.yml b/playbooks/roles/krb5/tasks/main.yml
new file mode 100644
index 00000000..968b0655
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Debian-specific setup
+  ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific setup
+  ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific setup
+  ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: Configure /etc/krb5.conf
+  become: yes
+  become_method: sudo
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Ensure /etc/krb5.conf.d exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.file:
+    path: /etc/krb5.conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Add nfs principal
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin -w {{ krb5_admin_pw }} -q "addprinc -randkey nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+
+- name: Add nfs principal to keytab
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin -w {{ krb5_admin_pw }} -q "ktadd -k /etc/krb5.keytab nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+
+- name: Restart rpc.gssd on the NFS server
+  become: yes
+  become_method: sudo
+  delegate_to: "{{ kdevops_hosts_prefix }}-nfsd"
+  ansible.builtin.systemd:
+    name: rpc-gssd
+    state: restarted
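Review bot: Both kadmin tasks pass the admin password as
"-w {{ krb5_admin_pw }}" inside an ansible.builtin.shell command,
unquoted and without no_log, so the password appears in the task's
recorded cmd and in the process list on the guest, and a password
containing spaces or shell metacharacters changes the command that
runs. Add "no_log: true" to both tasks and pass the variable through
the quote filter. Separately, "mode: 0644" and "mode: 0755" are
unquoted; Ansible's documentation recommends writing file modes as
quoted strings ('0644', '0755').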
diff --git a/playbooks/roles/krb5/templates/krb5.conf.j2 b/playbooks/roles/krb5/templates/krb5.conf.j2
new file mode 100644
index 00000000..1ed37d5e
--- /dev/null
+++ b/playbooks/roles/krb5/templates/krb5.conf.j2
@@ -0,0 +1,31 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_realm = {{ krb5_realm }}
+    default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ krb5_realm }} = {
+    kdc = {{ kdevops_hosts_prefix }}-kdc:88
+    admin_server = {{ kdevops_hosts_prefix }}-kdc:749
+    auth_to_local = RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/
+    auth_to_local = DEFAULT
+}
+
+[domain_realm]
+  .{{ krb5_realm | lower }} = {{ krb5_realm }}
+  {{ krb5_realm | lower }} = {{ krb5_realm }}
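Review bot: The auth_to_local rule in [realms],
"RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/", maps every two-component
nfs/<host> principal in the realm to local root on each host that gets
this file; the template should carry a comment saying that this is
intentional for the test realm and why. Also, pkinit_anchors in
[libdefaults] points at /etc/pki/tls/certs/ca-bundle.crt, a Red Hat
style path that may not exist on the Debian and SUSE guests this
template is also installed on.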
diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
index a48d40ef..2a2b7899 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
@@ -21,6 +21,11 @@
     - fsprogs is defined
     - fsprogs
 
+- name: Add gssproxy to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + ['gssproxy'] }}"
+  when: kdevops_krb5_enable|bool
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
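Review bot: The new set_fact is guarded by
"when: kdevops_krb5_enable|bool", but scripts/krb5.Makefile passes
kdevops_krb5_enable=True only inside its
"ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))" block, so this condition
relies on a default being defined elsewhere for the non-krb5 case. If
the nfsd role does not define one, write the guard as
"kdevops_krb5_enable | default(false) | bool".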
diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
index 49d931cd..5bda13c9 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
@@ -21,6 +21,11 @@
     - fsprogs is defined
     - fsprogs
 
+- name: Add additional packages needed for krb5 to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + ['gssproxy', 'libverto-libev1'] }}"
+  when: kdevops_krb5_enable|bool
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
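Review bot: The nfsd_packages line adds libverto-libev1 next to
gssproxy with no explanation, while the Debian variant adds only
gssproxy; a one-line comment on why the SUSE guest needs the extra
package would save the next reader a search. The
"when: kdevops_krb5_enable|bool" guard has the same dependency on an
externally defined default as in the Debian file.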
diff --git a/scripts/krb5.Makefile b/scripts/krb5.Makefile
new file mode 100644
index 00000000..14f73d8c
--- /dev/null
+++ b/scripts/krb5.Makefile
@@ -0,0 +1,22 @@
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
+
+KRB5_EXTRA_ARGS += krb5_realm='$(subst ",,$(CONFIG_KRB5_REALM))'
+KRB5_EXTRA_ARGS += krb5_admin_pw='$(subst ",,$(CONFIG_KRB5_ADMIN_PW))'
+KRB5_EXTRA_ARGS += kdevops_krb5_enable=True
+
+ANSIBLE_EXTRA_ARGS += $(KRB5_EXTRA_ARGS)
+
+kdc:
+	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
+		-f 30 -i hosts -l kdc playbooks/kdc.yml
+
+krb5:
+	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
+		-f 30 -i hosts -l krb5 playbooks/krb5.yml
+
+KDEVOPS_BRING_UP_DEPS += kdc
+KDEVOPS_BRING_UP_LATE_DEPS += krb5
+
+PHONY += kdc krb5
+
+endif
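Review bot: The krb5_admin_pw and krb5_realm lines strip only double
quotes from the Kconfig value and then wrap it in single quotes, so a
CONFIG_KRB5_ADMIN_PW that contains a single quote produces a broken
argument. Either document the allowed characters in the Kconfig help
or escape the value before appending it to KRB5_EXTRA_ARGS. The
password also travels in plain text through ANSIBLE_EXTRA_ARGS, which
is worth stating next to the option so nobody reuses a real credential
there. Minor: "-f 30" is hard-coded in both the kdc and krb5 targets.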
diff --git a/workflows/fstests/nfs/Kconfig b/workflows/fstests/nfs/Kconfig
index 9de5ae04..86e930a6 100644
--- a/workflows/fstests/nfs/Kconfig
+++ b/workflows/fstests/nfs/Kconfig
@@ -98,3 +98,32 @@ config FSTESTS_NFS_SECTION_V3
 	default n
 
 endif # !FSTESTS_NFS_MANUAL_COVERAGE
+
+choice
+	prompt "Authentication flavor to use"
+	default	FSTESTS_NFS_AUTH_KRB5
+	depends on KDEVOPS_SETUP_KRB5
+	help
+	  This is the authentication flavor you want to test.  The selected
+          option will get written to /etc/nfsmount.conf on the NFS clients.
+
+config FSTESTS_NFS_AUTH_SYS
+	bool "sys"
+
+config FSTESTS_NFS_AUTH_KRB5
+	bool "krb5"
+
+config FSTESTS_NFS_AUTH_KRB5I
+	bool "krb5i"
+
+config FSTESTS_NFS_AUTH_KRB5P
+	bool "krb5p"
+
+endchoice
+
+config FSTESTS_NFS_AUTH_FLAVOR
+	string
+	default "sys" if FSTESTS_NFS_AUTH_SYS
+	default "krb5" if FSTESTS_NFS_AUTH_KRB5
+	default "krb5i" if FSTESTS_NFS_AUTH_KRB5I
+	default "krb5p" if FSTESTS_NFS_AUTH_KRB5P
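Review bot: In the choice's help text the second line ("option will
get written to /etc/nfsmount.conf ...") is indented with spaces only,
while the first line uses a tab plus two spaces, and
"default	FSTESTS_NFS_AUTH_KRB5" has a tab after "default"; please make
both match the whitespace used in the rest of the hunk. Because the
choice depends on KDEVOPS_SETUP_KRB5, FSTESTS_NFS_AUTH_FLAVOR has no
applicable default when krb5 is disabled; if "sys" is the intended
value in that case, say so with a trailing unconditional default or in
a comment.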
diff --git a/workflows/fstests/nfs/Makefile b/workflows/fstests/nfs/Makefile
index 686e27ae..ba4387e1 100644
--- a/workflows/fstests/nfs/Makefile
+++ b/workflows/fstests/nfs/Makefile
@@ -24,3 +24,7 @@ endif
 ifeq (y,$(CONFIG_FSTESTS_NFS_SECTION_V3))
 FSTESTS_ARGS += fstests_nfs_section_v3=True
 endif
+
+ifdef CONFIG_FSTESTS_NFS_AUTH_FLAVOR
+FSTESTS_ARGS += fstests_nfs_auth_flavor='$(subst ",,$(CONFIG_FSTESTS_NFS_AUTH_FLAVOR))'
+endif
-- 
2.43.0



* Re: [PATCH v2 00/10] add initial support for testing nfs with krb5
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (9 preceding siblings ...)
  2024-03-09 23:36 ` [PATCH v2 10/10] fstests/nfs: add krb5 support Scott Mayhew
@ 2024-03-11 12:57 ` Jeff Layton
  2024-03-11 22:05 ` Luis Chamberlain
  11 siblings, 0 replies; 13+ messages in thread
From: Jeff Layton @ 2024-03-11 12:57 UTC (permalink / raw)
  To: Scott Mayhew, kdevops

On Sat, 2024-03-09 at 18:35 -0500, Scott Mayhew wrote:
> These patches add support for running fstests on NFS with krb5.  There
> are numerous other fixes and cleanups, but the bulk of the work is in
> patch 10.
> 
> There are a handful of new Kconfig options (KDEVOPS_SETUP_KRB5,
> KRB5_REALM, KRB5_ADMIN_PW, and FSTESTS_NFS_AUTH_FLAVOR) as well as some
> new Makefile targets ("kdc" and "krb5", both of which get executed
> automatically).  During "make bringup", a KDC is spun up automatically,
> and all the necessary package dependencies are installed, keys are
> generated, and the keytabs are updated on the NFS client and server VMs.
> 
> Right now you can only use krb5 with the fstests workflow, but it should
> be straightforward to add it to the other NFS-related workflows.
> 
> -Scott
> 
> Changes since v1:
> 
> - Added a pipefs-directory config in nfs.conf to fix a debian issue.
> - Moved update_etc_hosts target to run as an early bringup dependency.
> - Cleaned up the top level Makefile and bringup.Makefile by moving some
>   directives into lower level makefiles for nfsd, ktls, siw, and krb5.
> - Added a kdevops_nfsd_enable variable and use that instead of checking
>   if nfsd_threads is defined in several places.
> - Cleaned up the hosts file by making sure "nfsd" and "nfsd:vars"
>   stanzas do not get created if nfsd isn't enabled.
> - Cleaned up the hosts file by making sure "krb5", "krb5:vars", "kdc",
>   and "kdc:vars" stanzas do not get created if krb5 isn't enabled.
> - Cleaned up Kconfig.bringup.goals by moving some directives into lower
>   level kconfigs for nfsd and krb5.
> - Added a kdevops_krb5_enable variable and use that instead of checking
>   if krb5_realm is defined in several places.
> - Folded the kdc.Makefile into the krb5.Makefile (there's no reason for
>   them to have two separate makefiles).
> - Added some default vars settings for the KDC.
> - Got rid of some unnecessary tasks in the krb5 role that check to see
>   if a principal existed before creating it, and also before adding it
>   to the keytab (in reality these checks were just triggering errors that
>   needed to be ignored).
> - Forced the restart rpc.gssd task in the krb5 role to only run on the
>   nfsd server (because rpc.gssd isn't installed on the clients yet at
>   the point when the krb5 role is executed).
> - Made the krb5 target to run automatically as a late bringup dependency.
> 
> Scott Mayhew (10):
>   nfsd: make sure the appropriate fsprogs package is installed
>   update_etc_hosts: fix up hostnames on debian guestfs hosts
>   nfsd: use EXTRA_VAR_INPUTS for export options
>   devconfig: set /etc/hostname earlier
>   nfsd: add a pipefs-directory config to nfs.conf
>   bringup: move the update_etc_hosts task to run early
>   bringup: clean up the nfs-related make targets
>   gen_hosts/gen_nodes: clean up nfsd-related stuff
>   kconfigs: clean up Kconfig.bringup.goals
>   fstests/nfs: add krb5 support
> 
>  Makefile                                      |  10 +-
>  kconfigs/Kconfig.bringup.goals                |  13 +-
>  kconfigs/Kconfig.krb5                         |  25 ++++
>  kconfigs/Kconfig.nfsd                         |  16 +++
>  playbooks/kdc.yml                             |   4 +
>  playbooks/krb5.yml                            |   4 +
>  playbooks/roles/devconfig/tasks/main.yml      |  21 ++--
>  .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
>  playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
>  .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
>  playbooks/roles/gen_hosts/defaults/main.yml   |   3 +
>  .../roles/gen_hosts/templates/fstests.j2      |  19 ++-
>  playbooks/roles/gen_hosts/templates/gitr.j2   |   4 +-
>  playbooks/roles/gen_hosts/templates/hosts.j2  |   6 +-
>  playbooks/roles/gen_nodes/defaults/main.yml   |   2 +
>  playbooks/roles/gen_nodes/tasks/main.yml      |  25 +++-
>  .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
>  .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
>  .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
>  .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
>  playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
>  playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
>  playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
>  playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
>  playbooks/roles/kdc/vars/Debian.yml           |   7 ++
>  playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
>  playbooks/roles/kdc/vars/Suse.yml             |   7 ++
>  playbooks/roles/kdc/vars/default.yml          |   7 ++
>  playbooks/roles/kdc/vars/main.yml             |   1 +
>  .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
>  .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
>  .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
>  .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
>  playbooks/roles/krb5/tasks/main.yml           |  52 ++++++++
>  playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
>  .../nfsd/tasks/install-deps/debian/main.yml   |  33 ++++-
>  .../nfsd/tasks/install-deps/redhat/main.yml   |  31 +++--
>  .../nfsd/tasks/install-deps/suse/main.yml     |  32 ++++-
>  playbooks/roles/nfsd/templates/nfs.conf.j2    |   3 +
>  playbooks/roles/nfsd/vars/Debian.yml          |  13 ++
>  playbooks/roles/nfsd/vars/RedHat.yml          |  14 +++
>  playbooks/roles/nfsd/vars/Suse.yml            |  12 ++
>  .../roles/update_etc_hosts/tasks/main.yml     |  26 +++-
>  playbooks/update_etc_hosts.yml                |   1 +
>  scripts/bringup.Makefile                      |  19 +--
>  scripts/krb5.Makefile                         |  22 ++++
>  scripts/ktls.Makefile                         |   7 ++
>  scripts/nfsd.Makefile                         |  17 ++-
>  scripts/siw.Makefile                          |   6 +
>  scripts/update_etc_hosts.Makefile             |   7 ++
>  workflows/fstests/nfs/Kconfig                 |  29 +++++
>  workflows/fstests/nfs/Makefile                |   4 +
>  52 files changed, 778 insertions(+), 80 deletions(-)
>  create mode 100644 kconfigs/Kconfig.krb5
>  create mode 100644 playbooks/kdc.yml
>  create mode 100644 playbooks/krb5.yml
>  create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
>  create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
>  create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
>  create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
>  create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
>  create mode 100644 playbooks/roles/kdc/tasks/main.yml
>  create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
>  create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
>  create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
>  create mode 100644 playbooks/roles/kdc/vars/Debian.yml
>  create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
>  create mode 100644 playbooks/roles/kdc/vars/Suse.yml
>  create mode 100644 playbooks/roles/kdc/vars/default.yml
>  create mode 100644 playbooks/roles/kdc/vars/main.yml
>  create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
>  create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
>  create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
>  create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
>  create mode 100644 playbooks/roles/krb5/tasks/main.yml
>  create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
>  create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
>  create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
>  create mode 100644 playbooks/roles/nfsd/vars/Suse.yml
>  create mode 100644 scripts/krb5.Makefile
>  create mode 100644 scripts/update_etc_hosts.Makefile
> 

This all looks good to me.

Reviewed-by: Jeff Layton <jlayton@kernel.org>


* Re: [PATCH v2 00/10] add initial support for testing nfs with krb5
  2024-03-09 23:35 [PATCH v2 00/10] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (10 preceding siblings ...)
  2024-03-11 12:57 ` [PATCH v2 00/10] add initial support for testing nfs with krb5 Jeff Layton
@ 2024-03-11 22:05 ` Luis Chamberlain
  11 siblings, 0 replies; 13+ messages in thread
From: Luis Chamberlain @ 2024-03-11 22:05 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: kdevops

On Sat, Mar 09, 2024 at 06:35:53PM -0500, Scott Mayhew wrote:
> These patches add support for running fstests on NFS with krb5.  There
> are numerous other fixes and cleanups, but the bulk of the work is in
> patch 10.
> 
> There are a handful of new Kconfig options (KDEVOPS_SETUP_KRB5,
> KRB5_REALM, KRB5_ADMIN_PW, and FSTESTS_NFS_AUTH_FLAVOR) as well as some
> new Makefile targets ("kdc" and "krb5", both of which get executed
> automatically).  During "make bringup", a KDC is spun up automatically,
> and all the necessary package dependencies are installed, keys are
> generated, and the keytabs are updated on the NFS client and server VMs.
> 
> Right now you can only use krb5 with the fstests workflow, but it should
> be straightforward to add it to the other NFS-related workflows.

Looks super sexy now:

Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>

  Luis
