public inbox for kdevops@lists.linux.dev
* [PATCH 0/5] add initial support for testing nfs with krb5
@ 2024-03-07 13:14 Scott Mayhew
  2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
                   ` (5 more replies)
  0 siblings, 6 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-07 13:14 UTC
  To: kdevops

These patches add support for running fstests on NFS with krb5.  The
bulk of the work is in patch 5.  There are a handful of new Kconfig
options (KDEVOPS_SETUP_KRB5, KRB5_REALM, KRB5_ADMIN_PW, and
FSTESTS_NFS_AUTH_FLAVOR) as well as a new Makefile target "krb5" which
should be run after "make bringup".  A KDC is spun up automatically
during "make bringup".  "make krb5" installs all the necessary
dependencies, generates keys, and updates the keytabs on the NFS client
and server VMs.

Right now you can only use krb5 with the fstests workflow, but it should
be straightforward to add it to the other NFS-related workflows.

I tested these patches using fedora-39, debian-12, and
opensuse-tumbleweed guestfs images.

-Scott

Scott Mayhew (5):
  nfsd: make sure the appropriate fsprogs package is installed
  update_etc_hosts: fix up hostnames on debian guestfs hosts
  nfsd: use EXTRA_VAR_INPUTS for export options
  devconfig: set /etc/hostname earlier
  fstests/nfs: add krb5 support

 Makefile                                      |   5 +
 kconfigs/Kconfig.bringup.goals                |  12 ++
 kconfigs/Kconfig.kdc                          |  11 ++
 playbooks/kdc.yml                             |   4 +
 playbooks/krb5.yml                            |   4 +
 playbooks/roles/devconfig/tasks/main.yml      |  21 ++--
 .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
 playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
 .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
 .../roles/gen_hosts/templates/fstests.j2      |  17 +++
 playbooks/roles/gen_nodes/tasks/main.yml      |  19 +++
 .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
 .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
 .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
 .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
 playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
 playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
 playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
 playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
 playbooks/roles/kdc/vars/Debian.yml           |   7 ++
 playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
 playbooks/roles/kdc/vars/Suse.yml             |   7 ++
 playbooks/roles/kdc/vars/default.yml          |   1 +
 playbooks/roles/kdc/vars/main.yml             |   1 +
 .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
 .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
 .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
 .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
 playbooks/roles/krb5/tasks/main.yml           |  70 +++++++++++
 playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
 .../nfsd/tasks/install-deps/debian/main.yml   |  33 ++++-
 .../nfsd/tasks/install-deps/redhat/main.yml   |  31 +++--
 .../nfsd/tasks/install-deps/suse/main.yml     |  32 ++++-
 playbooks/roles/nfsd/vars/Debian.yml          |  11 ++
 playbooks/roles/nfsd/vars/RedHat.yml          |  12 ++
 playbooks/roles/nfsd/vars/Suse.yml            |  10 ++
 .../roles/update_etc_hosts/tasks/main.yml     |  12 ++
 scripts/bringup.Makefile                      |   4 +
 scripts/kdc.Makefile                          |   8 ++
 scripts/krb5.Makefile                         |  10 ++
 scripts/nfsd.Makefile                         |   8 +-
 workflows/fstests/nfs/Kconfig                 |  29 +++++
 workflows/fstests/nfs/Makefile                |   4 +
 43 files changed, 712 insertions(+), 27 deletions(-)
 create mode 100644 kconfigs/Kconfig.kdc
 create mode 100644 playbooks/kdc.yml
 create mode 100644 playbooks/krb5.yml
 create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/main.yml
 create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
 create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
 create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
 create mode 100644 playbooks/roles/kdc/vars/Debian.yml
 create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
 create mode 100644 playbooks/roles/kdc/vars/Suse.yml
 create mode 100644 playbooks/roles/kdc/vars/default.yml
 create mode 100644 playbooks/roles/kdc/vars/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/main.yml
 create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
 create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
 create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
 create mode 100644 playbooks/roles/nfsd/vars/Suse.yml
 create mode 100644 scripts/kdc.Makefile
 create mode 100644 scripts/krb5.Makefile

-- 
2.43.0



* [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed
  2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
@ 2024-03-07 13:14 ` Scott Mayhew
  2024-03-07 13:14 ` [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-07 13:14 UTC
  To: kdevops

The virt-builder images don't have all of the fsprogs packages installed
by default, so make sure to install whatever package is needed for the
filesystem being exported.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 .../nfsd/tasks/install-deps/debian/main.yml   | 28 ++++++++++++++---
 .../nfsd/tasks/install-deps/redhat/main.yml   | 31 ++++++++++++++-----
 .../nfsd/tasks/install-deps/suse/main.yml     | 27 +++++++++++++---
 playbooks/roles/nfsd/vars/Debian.yml          | 11 +++++++
 playbooks/roles/nfsd/vars/RedHat.yml          | 12 +++++++
 playbooks/roles/nfsd/vars/Suse.yml            | 10 ++++++
 6 files changed, 102 insertions(+), 17 deletions(-)
 create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
 create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
 create mode 100644 playbooks/roles/nfsd/vars/Suse.yml

diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
index fd237e76..a48d40ef 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
@@ -1,13 +1,31 @@
 ---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}"
+  set_fact:
+    fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}"
+
+- name: Add {{ fsprogs }} to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + [fsprogs] }}"
+  when:
+    - fsprogs is defined
+    - fsprogs
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
   apt:
-    name:
-      - lvm2
-      - nfs-common
-      - nfs-kernel-server
-      - policycoreutils
+    name: "{{ nfsd_packages }}"
     state: present
     update_cache: yes
   tags: [ 'pynfs', 'deps' ]
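
Review bot: The three new tasks ahead of "Install nfsd dependencies" carry no tags, while the install task keeps `tags: [ 'pynfs', 'deps' ]`. A run limited to `--tags deps` or `--tags pynfs` would skip the `include_vars` and `set_fact` tasks and then reach `name: "{{ nfsd_packages }}"` with the variable undefined. Give the new tasks the same tags as the install task.
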
diff --git a/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml b/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml
index 15e06a66..d5d25c20 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml
@@ -1,18 +1,33 @@
 ---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}"
+  set_fact:
+    fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}"
+
+- name: Add {{ fsprogs }} to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + [fsprogs] }}"
+  when:
+    - fsprogs is defined
+    - fsprogs
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
   yum:
     update_cache: yes
-    name: "{{ packages }}"
+    name: "{{ nfsd_packages }}"
   retries: 3
   delay: 5
   register: result
   until: result.rc == 0
-  vars:
-    packages:
-      - checkpolicy
-      - lvm2
-      - nfs-utils
-      - policycoreutils
-      - python3-policycoreutils
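
Review bot: The "Get OS-specific variables", "Determine which fsprogs package is needed" and "Add {{ fsprogs }} to the nfsd packages list" tasks at the top of this file are the same three tasks added to the debian and suse files. Now that the per-distro data lives in vars/*.yml, they could sit once in a common task file that runs before the distro-specific include, leaving each install-deps file with only its package-manager task.
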
diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
index 8d84509a..49d931cd 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
@@ -1,10 +1,29 @@
 ---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}"
+  set_fact:
+    fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}"
+
+- name: Add {{ fsprogs }} to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + [fsprogs] }}"
+  when:
+    - fsprogs is defined
+    - fsprogs
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
   zypper:
-    name:
-      - lvm2
-      - nfs-utils
-      - policycoreutils
+    name: "{{ nfsd_packages }}"
     state: present
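
Review bot: In "Add {{ fsprogs }} to the nfsd packages list", the `fsprogs is defined` condition is always true because the preceding `set_fact` sets it unconditionally; the bare `- fsprogs` test is the one doing the work. Note also that `| default()` turns an fstype missing from `fstype_userspace_progs` into an empty string, so the play continues without installing any userspace tools. If that is intended, a short comment saying so would help; otherwise fail with a clear message.
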
diff --git a/playbooks/roles/nfsd/vars/Debian.yml b/playbooks/roles/nfsd/vars/Debian.yml
new file mode 100644
index 00000000..3bb9e810
--- /dev/null
+++ b/playbooks/roles/nfsd/vars/Debian.yml
@@ -0,0 +1,11 @@
+---
+nfsd_packages:
+  - lvm2
+  - nfs-common
+  - nfs-kernel-server
+  - policycoreutils
+
+fstype_userspace_progs:
+  btrfs: btrfs-progs
+  ext4: e2fsprogs
+  xfs: xfsprogs
diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
new file mode 100644
index 00000000..590818ca
--- /dev/null
+++ b/playbooks/roles/nfsd/vars/RedHat.yml
@@ -0,0 +1,12 @@
+---
+nfsd_packages:
+  - checkpolicy
+  - lvm2
+  - nfs-utils
+  - policycoreutils
+  - python3-policycoreutils
+
+fstype_userspace_progs:
+  btrfs: btrfs-progs
+  ext4: e2fsprogs
+  xfs: xfsprogs
diff --git a/playbooks/roles/nfsd/vars/Suse.yml b/playbooks/roles/nfsd/vars/Suse.yml
new file mode 100644
index 00000000..73b06c83
--- /dev/null
+++ b/playbooks/roles/nfsd/vars/Suse.yml
@@ -0,0 +1,10 @@
+---
+nfsd_packages:
+  - lvm2
+  - nfs-utils
+  - policycoreutils
+
+fstype_userspace_progs:
+  btrfs: btrfsprogs
+  ext4: e2fsprogs
+  xfs: xfsprogs
-- 
2.43.0



* [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts
  2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
  2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
@ 2024-03-07 13:14 ` Scott Mayhew
  2024-03-07 13:14 ` [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-07 13:14 UTC
  To: kdevops

Since we're not currently using DNS domains in our hostnames, debian
guestfs hosts wind up with an entry like this in /etc/hosts:

127.0.1.1       unassigned-hostname.unassigned-domain   foo

which causes the ansible_fqdn variable to report
"unassigned-hostname.unassigned-domain".  Get rid of the
"unassigned-hostname.unassigned-domain" part, so that ansible_fqdn
reports the short hostname "foo" instead.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 playbooks/roles/update_etc_hosts/tasks/main.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/playbooks/roles/update_etc_hosts/tasks/main.yml b/playbooks/roles/update_etc_hosts/tasks/main.yml
index dca61d9f..34a69f6d 100644
--- a/playbooks/roles/update_etc_hosts/tasks/main.yml
+++ b/playbooks/roles/update_etc_hosts/tasks/main.yml
@@ -65,3 +65,15 @@
   with_items: "{{ ueh_hosts }}"
   when:
     - not terraform_private_net_enabled
+
+- name: Fix up hostname on Debian guestfs hosts
+  become: yes
+  become_method: sudo
+  lineinfile:
+    path: /etc/hosts
+    regexp: '^(127\.0\.1\.1)(\s+)unassigned-hostname\.unassigned-domain\s+({{ ansible_hostname }})$'
+    backrefs: yes
+    line: '\1\2\3'
+  when:
+    - ansible_os_family == 'Debian'
+    - kdevops_enable_guestfs
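
Review bot: Nothing after the new lineinfile task refreshes facts, so within the same play `ansible_fqdn` keeps the value gathered before /etc/hosts was edited. If later tasks in the run depend on the short name, add a `setup` task conditioned on this task reporting a change. In the `regexp`, `{{ ansible_hostname }}` is inserted unescaped; piping it through `regex_escape` keeps it literal.
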
-- 
2.43.0



* [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options
  2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
  2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
  2024-03-07 13:14 ` [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
@ 2024-03-07 13:14 ` Scott Mayhew
  2024-03-07 13:14 ` [PATCH 4/5] devconfig: set /etc/hostname earlier Scott Mayhew
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-07 13:14 UTC
  To: kdevops

The most_extra_vars target in Makefile.extra_vars replaces '=' with ':',
which breaks any export options that use '='.  So use EXTRA_VAR_INPUTS
and quote the export options string instead.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 scripts/nfsd.Makefile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/nfsd.Makefile b/scripts/nfsd.Makefile
index d3549a29..a337390c 100644
--- a/scripts/nfsd.Makefile
+++ b/scripts/nfsd.Makefile
@@ -2,10 +2,16 @@ NFSD_EXTRA_ARGS += nfsd_export_device_prefix='$(subst ",,$(CONFIG_NFSD_EXPORT_DE
 NFSD_EXTRA_ARGS += nfsd_export_device_count='$(subst ",,$(CONFIG_NFSD_EXPORT_DEVICE_COUNT))'
 NFSD_EXTRA_ARGS += nfsd_export_fstype='$(subst ",,$(CONFIG_NFSD_EXPORT_FSTYPE))'
 NFSD_EXTRA_ARGS += nfsd_export_path='$(subst ",,$(CONFIG_NFSD_EXPORT_PATH))'
-NFSD_EXTRA_ARGS += nfsd_export_options='$(subst ",,$(CONFIG_NFSD_EXPORT_OPTIONS))'
 NFSD_EXTRA_ARGS += nfsd_threads=$(CONFIG_NFSD_THREADS)
 NFSD_EXTRA_ARGS += nfsd_lease_time=$(CONFIG_NFSD_LEASE_TIME)
 
+EXTRA_VAR_INPUTS += extend-extra-args-nfsd
+
+extend-extra-args-nfsd:
+	$(Q)echo "nfsd_export_options: '$(CONFIG_NFSD_EXPORT_OPTIONS)'" >> $(KDEVOPS_EXTRA_VARS) ;\
+
+PHONY += extend-extra-args-nfsd
+
 ANSIBLE_EXTRA_ARGS += $(NFSD_EXTRA_ARGS)
 
 nfsd:
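
Review bot: In the `extend-extra-args-nfsd` recipe, `$(CONFIG_NFSD_EXPORT_OPTIONS)` is expanded inside a double-quoted `echo` argument without the `$(subst ",,...)` that the removed line and the neighbouring NFSD_EXTRA_ARGS lines apply. If the value carries its Kconfig double quotes, they close and reopen the shell string and leave the options unquoted to the shell; an option containing a single quote would also break the YAML scalar written to $(KDEVOPS_EXTRA_VARS). Strip the quotes as the other lines do. The trailing `;\` continues the recipe onto an empty line and can be dropped.
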
-- 
2.43.0



* [PATCH 4/5] devconfig: set /etc/hostname earlier
  2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (2 preceding siblings ...)
  2024-03-07 13:14 ` [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
@ 2024-03-07 13:14 ` Scott Mayhew
  2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew
  2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III
  5 siblings, 0 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-07 13:14 UTC
  To: kdevops

I noticed that opensuse-tumbleweed guestfs VMs were still showing up
as 'localhost.localdomain', even though /etc/hostname had the correct
hostnames.

Update /etc/hostname before the distro-specific install tasks, so that
the reboot that occurs causes the hostname change to actually take
effect.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 playbooks/roles/devconfig/tasks/main.yml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/playbooks/roles/devconfig/tasks/main.yml b/playbooks/roles/devconfig/tasks/main.yml
index 1f18e588..1e67f91e 100644
--- a/playbooks/roles/devconfig/tasks/main.yml
+++ b/playbooks/roles/devconfig/tasks/main.yml
@@ -17,6 +17,18 @@
   setup:
   tags: always
 
+# Update /etc/hostname first so the change gets picked up by the reboot
+# that occurs during the distro-specific tasks
+
+- name: Ensure /etc/hostname is set
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  template:
+    src: hostname
+    dest: /etc/hostname
+  tags: hostname
+
 # Distro specific
 - name: Install dependencies
   import_tasks: install-deps/main.yml
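
Review bot: The moved "Ensure /etc/hostname is set" task only writes the file and, per the comment added above it, depends on a reboot inside install-deps/main.yml to apply the change. If a distro's install tasks do not reboot, the running hostname stays stale. Setting it at runtime as well (ansible.builtin.hostname) would remove that implicit dependency.
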
@@ -28,15 +40,6 @@
 
 # Distro agnostic stuff goes below
 
-- name: Ensure /etc/hostname is set
-  become: yes
-  become_flags: 'su - -c'
-  become_method: sudo
-  template:
-    src: hostname
-    dest: /etc/hostname
-  tags: hostname
-
 - name: Check if the developer has a git config
   delegate_to: localhost
   stat:
-- 
2.43.0



* [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (3 preceding siblings ...)
  2024-03-07 13:14 ` [PATCH 4/5] devconfig: set /etc/hostname earlier Scott Mayhew
@ 2024-03-07 13:14 ` Scott Mayhew
  2024-03-08 16:57   ` Luis Chamberlain
  2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III
  5 siblings, 1 reply; 15+ messages in thread
From: Scott Mayhew @ 2024-03-07 13:14 UTC
  To: kdevops

This adds the ability to run fstests on NFS with sec=krb5{,i,p}.

To use it, you need to:

* Specify a krb5 realm and admin password via:
  -> Bring up goals
    -> Set up KRB5
      -> Configure the KRB5 KDC
        -> KRB5 Realm
        -> KRB5 admin password

* Add the 'sec=' export option to nfsd via:
  -> Bring up goals
    -> Set up the kernel nfs server
      -> Configure the kernel NFS server
        -> The export options to use for the exported fs

* Specify the auth flavor for the clients to use via:
  -> Target workflows
    -> Enable different target workflows
      -> Enable selection of test workflows
        -> Linux subsystem tests
          -> Configure and run fstests
            -> Configure how nfs should be tested
              -> Authentication flavor to use

A KDC will be created during 'make bringup'.

After 'make bringup', it is necessary to run the new command 'make krb5',
which will install the necessary packages on the clients and nfsd, create
nfs principals for the clients and nfsd on the KDC, and update the
keytabs on the clients and nfsd.

The auth flavor gets written to /etc/nfsmount.conf on the clients during
'make fstests'.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 Makefile                                      |   5 +
 kconfigs/Kconfig.bringup.goals                |  12 ++
 kconfigs/Kconfig.kdc                          |  11 ++
 playbooks/kdc.yml                             |   4 +
 playbooks/krb5.yml                            |   4 +
 .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
 playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
 .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
 .../roles/gen_hosts/templates/fstests.j2      |  17 +++
 playbooks/roles/gen_nodes/tasks/main.yml      |  19 +++
 .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
 .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
 .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
 .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
 playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
 playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
 playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
 playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
 playbooks/roles/kdc/vars/Debian.yml           |   7 ++
 playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
 playbooks/roles/kdc/vars/Suse.yml             |   7 ++
 playbooks/roles/kdc/vars/default.yml          |   1 +
 playbooks/roles/kdc/vars/main.yml             |   1 +
 .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
 .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
 .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
 .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
 playbooks/roles/krb5/tasks/main.yml           |  70 +++++++++++
 playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
 .../nfsd/tasks/install-deps/debian/main.yml   |   5 +
 .../nfsd/tasks/install-deps/suse/main.yml     |   5 +
 scripts/bringup.Makefile                      |   4 +
 scripts/kdc.Makefile                          |   8 ++
 scripts/krb5.Makefile                         |  10 ++
 workflows/fstests/nfs/Kconfig                 |  29 +++++
 workflows/fstests/nfs/Makefile                |   4 +
 36 files changed, 579 insertions(+)
 create mode 100644 kconfigs/Kconfig.kdc
 create mode 100644 playbooks/kdc.yml
 create mode 100644 playbooks/krb5.yml
 create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/kdc/tasks/main.yml
 create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
 create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
 create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
 create mode 100644 playbooks/roles/kdc/vars/Debian.yml
 create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
 create mode 100644 playbooks/roles/kdc/vars/Suse.yml
 create mode 100644 playbooks/roles/kdc/vars/default.yml
 create mode 100644 playbooks/roles/kdc/vars/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
 create mode 100644 playbooks/roles/krb5/tasks/main.yml
 create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
 create mode 100644 scripts/kdc.Makefile
 create mode 100644 scripts/krb5.Makefile

diff --git a/Makefile b/Makefile
index 9ca3a5f3..df4aad7b 100644
--- a/Makefile
+++ b/Makefile
@@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
 include scripts/nfsd.Makefile
 endif # CONFIG_KDEVOPS_SETUP_NFSD
 
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
+include scripts/kdc.Makefile
+include scripts/krb5.Makefile
+endif # CONFIG_KDEVOPS_SETUP_KRB5
+
 include scripts/devconfig.Makefile
 include scripts/ssh.Makefile
 
diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
index 71948e9b..26ffac98 100644
--- a/kconfigs/Kconfig.bringup.goals
+++ b/kconfigs/Kconfig.bringup.goals
@@ -109,3 +109,15 @@ menu "Configure the kernel NFS server"
 source "kconfigs/Kconfig.nfsd"
 endmenu
 endif
+
+config KDEVOPS_SETUP_KRB5
+	bool "Set up KRB5"
+	default n
+	help
+	  Configure and bring up a MIT Kerberos V5 KDC.
+
+if KDEVOPS_SETUP_KRB5
+menu "Configure the KRB5 KDC"
+source "kconfigs/Kconfig.kdc"
+endmenu
+endif
diff --git a/kconfigs/Kconfig.kdc b/kconfigs/Kconfig.kdc
new file mode 100644
index 00000000..c0483a37
--- /dev/null
+++ b/kconfigs/Kconfig.kdc
@@ -0,0 +1,11 @@
+config KRB5_REALM
+	string "KRB5 Realm"
+	default ""
+	help
+	  Kerberos realm to create.
+
+config KRB5_ADMIN_PW
+	string "KRB5 admin password"
+	default ""
+	help
+	  Password to use for the 'root/admin' principal.
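
Review bot: Both KRB5_REALM and KRB5_ADMIN_PW default to "", so enabling KDEVOPS_SETUP_KRB5 without filling them in leaves both empty, and the kdc role interpolates the password unquoted into `kdb5_util -P {{ krb5_admin_pw }} create -s`. Consider a non-empty default realm, and have the KRB5_ADMIN_PW help text say that the value is kept in plain text in the generated config and should be a throwaway test password.
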
diff --git a/playbooks/kdc.yml b/playbooks/kdc.yml
new file mode 100644
index 00000000..66709db8
--- /dev/null
+++ b/playbooks/kdc.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - role: kdc
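
Review bot: `hosts: all` applies the kdc role to every host in the inventory unless the caller always limits the run. This patch adds a `[kdc]` group in fstests.j2, so `hosts: kdc` would scope the play by itself; the same applies to playbooks/krb5.yml and the `[krb5]` group.
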
diff --git a/playbooks/krb5.yml b/playbooks/krb5.yml
new file mode 100644
index 00000000..52ca3ef5
--- /dev/null
+++ b/playbooks/krb5.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - role: krb5
diff --git a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
index 067e5c55..951dfc66 100644
--- a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml
@@ -237,3 +237,13 @@
   when:
     - repos_present|bool
     - fstests_fstyp == "nfs"
+
+- name: Ensure nfs-client.target is enabled
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: nfs-client.target
+    enabled: true
+    state: started
+  when:
+    - fstests_fstyp == "nfs"
diff --git a/playbooks/roles/fstests/tasks/main.yml b/playbooks/roles/fstests/tasks/main.yml
index 3f210a53..b76536ec 100644
--- a/playbooks/roles/fstests/tasks/main.yml
+++ b/playbooks/roles/fstests/tasks/main.yml
@@ -668,6 +668,47 @@
   when:
     - fstests_fstyp == "nfs"
 
+- name: Check to see if /etc/nfsmount.conf exists
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  ansible.builtin.stat:
+    path: /etc/nfsmount.conf
+  register: nfsmount_conf
+  when:
+    - fstests_fstyp == "nfs"
+    - fstests_nfs_auth_flavor is defined
+    - fstests_nfs_auth_flavor
+
+- name: Create /etc/nfsmount.conf
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  ansible.builtin.template:
+    src: "{{ fstests_fstyp }}/nfsmount.conf"
+    dest: /etc/nfsmount.conf
+    owner: root
+    group: root
+    mode: 0644
+  when:
+    - fstests_fstyp == "nfs"
+    - fstests_nfs_auth_flavor is defined
+    - fstests_nfs_auth_flavor
+    - not nfsmount_conf.stat.exists
+
+- name: Set auth flavor for NFS
+  become: yes
+  become_flags: 'su - -c'
+  become_method: sudo
+  ansible.builtin.lineinfile:
+    path: /etc/nfsmount.conf
+    regexp: '^# Sec='
+    line: 'Sec={{ fstests_nfs_auth_flavor }}'
+  when:
+    - fstests_fstyp == "nfs"
+    - fstests_nfs_auth_flavor is defined
+    - fstests_nfs_auth_flavor
+
 - name: Reboot system before our test so we know everything is sane
   tags: [ 'oscheck', 'fstests', 'run_tests', 'reboot' ]
   become: yes
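
Review bot: In "Set auth flavor for NFS", `regexp: '^# Sec='` matches only the commented-out line. Once the line reads `Sec=krb5`, a later run with a different flavor finds no match and lineinfile appends a second `Sec=` line at the end of the file, which may fall outside `[ NFSMount_Global_Options ]`. Matching both forms (for example `'^#?\s*Sec='`) keeps the task idempotent. In "Create /etc/nfsmount.conf", quote the mode (`mode: '0644'`).
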
diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
new file mode 100644
index 00000000..73b6a8e4
--- /dev/null
+++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
@@ -0,0 +1,2 @@
+[ NFSMount_Global_Options ]
+# Sec=sys
diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
index 74057952..b94e89da 100644
--- a/playbooks/roles/gen_hosts/templates/fstests.j2
+++ b/playbooks/roles/gen_hosts/templates/fstests.j2
@@ -27,3 +27,20 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
 {% endif %}
 [nfsd:vars]
 ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+[kdc]
+{% if krb5_realm is defined %}
+{{ kdevops_hosts_prefix }}-kdc
+{% endif %}
+[kdc:vars]
+ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
+[krb5]
+{% if krb5_realm is defined %}
+{% for s in fstests_enabled_test_types %}
+{{ kdevops_host_prefix }}-{{ s }}
+{% endfor %}
+{% if nfsd_threads is defined %}
+{{ kdevops_hosts_prefix }}-nfsd
+{% endif %}
+{% endif %}
+[krb5:vars]
+ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
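
Review bot: The `[krb5]` loop uses `{{ kdevops_host_prefix }}-{{ s }}` while the `-kdc` and `-nfsd` lines added in the same hunk use `{{ kdevops_hosts_prefix }}`. One of the two spellings is presumably wrong for this template; use the same variable on all three lines so the generated host names agree with the ones gen_nodes creates.
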
diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
index 2f5c48b6..1181ef10 100644
--- a/playbooks/roles/gen_nodes/tasks/main.yml
+++ b/playbooks/roles/gen_nodes/tasks/main.yml
@@ -55,6 +55,18 @@
   when:
     - nfsd_threads is defined
 
+- name: Set kdc_nodes list
+  set_fact:
+    kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}"
+  when:
+    - krb5_realm is defined
+
+- name: Add a KRB5 KDC if one was selected
+  set_fact:
+    generic_nodes: "{{ generic_nodes + kdc_nodes }}"
+  when:
+    - krb5_realm is defined
+
 - name: Set fstests config file variable for {{ fstests_fstyp }}
   set_fact:
     is_fstests: True
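
Review bot: Both new tasks are gated only on `krb5_realm is defined`, which does not check that the realm is non-empty, and Kconfig.kdc gives KRB5_REALM a default of "". Add a `- krb5_realm` truthiness condition, as the fstests tasks in this patch do for `fstests_nfs_auth_flavor`, so an empty realm does not create a KDC node.
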
@@ -217,6 +229,13 @@
     - is_fstests|bool
     - nfsd_threads is defined
 
+- name: Add the KRB5 KDC if one was selected
+  set_fact:
+    fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}"
+  when:
+    - is_fstests|bool
+    - krb5_realm is defined
+
 - name: Generate the fstests kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template
   tags: [ 'hosts' ]
   vars:
diff --git a/playbooks/roles/kdc/tasks/install-deps/debian/main.yml b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml
new file mode 100644
index 00000000..bc2a6a78
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Install kdc dependencies
+  become: yes
+  become_method: sudo
+  apt:
+    name:
+      - krb5-admin-server
+      - krb5-kdc
+      - krb5-user
+    state: present
+    update_cache: yes
diff --git a/playbooks/roles/kdc/tasks/install-deps/main.yml b/playbooks/roles/kdc/tasks/install-deps/main.yml
new file mode 100644
index 00000000..a1bd1da5
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Debian-specific set up
+  ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific set up
+  ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific set up
+  ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
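
Review bot: All three `include_tasks` paths here read `roles/tasks/kdc/install-deps/...`, whereas the files are created under `roles/kdc/tasks/install-deps/...` and kdc/tasks/main.yml includes them by that path directly. As written this file points at paths that do not exist, and nothing in the patch appears to include it. Either fix the paths and have main.yml include this file, or drop it.
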
diff --git a/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
new file mode 100644
index 00000000..c393920d
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install kdc dependencies
+  become: yes
+  become_method: sudo
+  yum:
+    update_cache: yes
+    name: "{{ packages }}"
+  retries: 3
+  delay: 5
+  register: result
+  until: result.rc == 0
+  vars:
+    packages:
+      - krb5-server
+      - krb5-libs
+      - krb5-workstation
diff --git a/playbooks/roles/kdc/tasks/install-deps/suse/main.yml b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml
new file mode 100644
index 00000000..d0fd019f
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Install kdc dependencies
+  become: yes
+  become_method: sudo
+  zypper:
+    name:
+      - krb5
+      - krb5-client
+      - krb5-server
+    state: present
diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml
new file mode 100644
index 00000000..b67f38d0
--- /dev/null
+++ b/playbooks/roles/kdc/tasks/main.yml
@@ -0,0 +1,119 @@
+---
+- name: Get OS-specific variables
+  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
+  vars:
+    params:
+      files:
+        - '{{ansible_distribution}}.yml'
+        - '{{ansible_os_family}}.yml'
+        - default.yml
+      paths:
+        - 'vars'
+
+- name: Debian-specific setup
+  ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific setup
+  ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific setup
+  ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: Configure /etc/krb5.conf
+  become: yes
+  become_method: sudo
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Ensure /etc/krb5.conf.d exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.file:
+    path: /etc/krb5.conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Configure {{ kdc_conf_dir }}/kdc.conf
+  become: yes
+  become_method: sudo
+  template:
+    src: kdc.conf.j2
+    dest: "{{ kdc_conf_dir }}/kdc.conf"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Configure {{ kdc_data_dir }}/kadm5.acl
+  become: yes
+  become_method: sudo
+  template:
+    src: kadm5.acl.j2
+    dest: "{{ kdc_data_dir }}/kadm5.acl"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Check to see if Kerberos database exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.stat:
+    path: "{{ kdc_data_dir }}/principal"
+  register: kerberos_db
+
+- name: Create database
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kdb5_util -P {{ krb5_admin_pw }} create -s
+  when: not kerberos_db.stat.exists
+
+- name: Create admin principal
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin.local -q "addprinc -pw {{ krb5_admin_pw }} root/admin"
+
+- name: Allow access to kerberos service in firewalld
+  become: yes
+  become_method: sudo
+  ansible.posix.firewalld:
+    service: kerberos
+    permanent: true
+    immediate: true
+    state: enabled
+  when: ansible_os_family == 'RedHat'
+
+- name: Allow access to kadmin service in firewalld
+  become: yes
+  become_method: sudo
+  ansible.posix.firewalld:
+    service: kadmin
+    permanent: true
+    immediate: true
+    state: enabled
+  when: ansible_os_family == 'RedHat'
+
+- name: Start and enable {{ krb5kdc_service_name }} systemd service
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: "{{ krb5kdc_service_name }}"
+    enabled: true
+    state: started
+
+- name: Start and enable {{ kadmin_service_name }} systemd service
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: "{{ kadmin_service_name }}"
+    enabled: true
+    state: started
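Review bot: `krb5_admin_pw` is interpolated unquoted into shell command lines in "Create database" (`kdb5_util -P {{ krb5_admin_pw }} create -s`) and "Create admin principal", so the secret shows up in the process argument list and in Ansible's task output, and a password containing whitespace or shell metacharacters changes the command that runs. Suggest `no_log: true` on both tasks, passing the value through the `quote` filter, and using a separate value for the database master key instead of reusing the admin password. "Create admin principal" also has no guard comparable to the `kerberos_db.stat.exists` check on the task above it, so `addprinc` is attempted on every run.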
diff --git a/playbooks/roles/kdc/templates/kadm5.acl.j2 b/playbooks/roles/kdc/templates/kadm5.acl.j2
new file mode 100644
index 00000000..0a303e28
--- /dev/null
+++ b/playbooks/roles/kdc/templates/kadm5.acl.j2
@@ -0,0 +1 @@
+*/admin@{{ krb5_realm }}	*
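Review bot: `*/admin@{{ krb5_realm }} *` grants every kadmin privilege to any principal that has an `admin` instance, while the only admin principal this series creates is `root/admin`. Naming that principal explicitly in the ACL would keep a later-added `*/admin` principal from inheriting full control of the realm.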
diff --git a/playbooks/roles/kdc/templates/kdc.conf.j2 b/playbooks/roles/kdc/templates/kdc.conf.j2
new file mode 100644
index 00000000..7de816dd
--- /dev/null
+++ b/playbooks/roles/kdc/templates/kdc.conf.j2
@@ -0,0 +1,15 @@
+[kdcdefaults]
+    kdc_ports = 88
+    kdc_tcp_ports = 88
+    spake_preauth_kdc_challenge = edwards25519
+
+[realms]
+{{ krb5_realm }} = {
+     database_name = {{ kdc_data_dir }}/principal
+     master_key_type = {{ kdc_master_key_type }}
+     acl_file = {{ kdc_data_dir }}/kadm5.acl
+     dict_file = /usr/share/dict/words
+     default_principal_flags = +preauth
+     admin_keytab = {{ kdc_data_dir }}/kadm5.keytab
+     supported_enctypes = {{ kdc_supported_enctypes }}
+}
diff --git a/playbooks/roles/kdc/templates/krb5.conf.j2 b/playbooks/roles/kdc/templates/krb5.conf.j2
new file mode 100644
index 00000000..e42ffb9b
--- /dev/null
+++ b/playbooks/roles/kdc/templates/krb5.conf.j2
@@ -0,0 +1,29 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_realm = {{ krb5_realm }}
+    default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ krb5_realm }} = {
+    kdc = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:88
+    admin_server = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:749
+}
+
+[domain_realm]
+  .{{ krb5_realm | lower }} = {{ krb5_realm }}
+  {{ krb5_realm | lower }} = {{ krb5_realm }}
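Review bot: `pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt` in `[libdefaults]` is the Red Hat location for the CA bundle, but this template is rendered unchanged on the Debian and SUSE guests too. Nothing else in the series configures PKINIT, so either drop the line or move the path into the per-distro vars files next to `kdc_conf_dir` and `kdc_data_dir`.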
diff --git a/playbooks/roles/kdc/vars/Debian.yml b/playbooks/roles/kdc/vars/Debian.yml
new file mode 100644
index 00000000..b1cb8f13
--- /dev/null
+++ b/playbooks/roles/kdc/vars/Debian.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /etc/krb5kdc
+kdc_data_dir: /var/lib/krb5kdc
+kdc_master_key_type: aes256-cts
+kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal
+krb5kdc_service_name: krb5-kdc
+kadmin_service_name: krb5-admin-server
diff --git a/playbooks/roles/kdc/vars/RedHat.yml b/playbooks/roles/kdc/vars/RedHat.yml
new file mode 100644
index 00000000..16de574d
--- /dev/null
+++ b/playbooks/roles/kdc/vars/RedHat.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/kerberos/krb5kdc
+kdc_data_dir: /var/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts-hmac-sha384-192
+kdc_supported_enctypes: aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmin
diff --git a/playbooks/roles/kdc/vars/Suse.yml b/playbooks/roles/kdc/vars/Suse.yml
new file mode 100644
index 00000000..8900d6ad
--- /dev/null
+++ b/playbooks/roles/kdc/vars/Suse.yml
@@ -0,0 +1,7 @@
+---
+kdc_conf_dir: /var/lib/kerberos/krb5kdc
+kdc_data_dir: /var/lib/kerberos/krb5kdc
+kdc_master_key_type: aes256-cts
+kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal
+krb5kdc_service_name: krb5kdc
+kadmin_service_name: kadmind
diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/playbooks/roles/kdc/vars/default.yml
@@ -0,0 +1 @@
+---
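Review bot: `default.yml` is empty, so on a distribution that matches none of Debian.yml, RedHat.yml or Suse.yml the `first_found` lookup in `tasks/main.yml` still succeeds, but `kdc_conf_dir`, `kdc_data_dir`, `kdc_master_key_type`, `kdc_supported_enctypes` and the two service names stay undefined and the failure only surfaces later in a template or systemd task. Either provide defaults here or fail early with a message naming the unsupported distribution.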
diff --git a/playbooks/roles/kdc/vars/main.yml b/playbooks/roles/kdc/vars/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/playbooks/roles/kdc/vars/main.yml
@@ -0,0 +1 @@
+---
diff --git a/playbooks/roles/krb5/tasks/install-deps/debian/main.yml b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml
new file mode 100644
index 00000000..25bdff7c
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Install krb5 dependencies
+  become: yes
+  become_method: sudo
+  apt:
+    name:
+      - krb5-user
+    state: present
+    update_cache: yes
diff --git a/playbooks/roles/krb5/tasks/install-deps/main.yml b/playbooks/roles/krb5/tasks/install-deps/main.yml
new file mode 100644
index 00000000..ab31e2d4
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Debian-specific set up
+  ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific set up
+  ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific set up
+  ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
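Review bot: the `include_tasks` paths here (`roles/tasks/krb5/install-deps/<distro>/main.yml`) have `tasks` and `krb5` transposed; the files added by this patch live under `roles/krb5/tasks/install-deps/`, which is also what `roles/krb5/tasks/main.yml` uses. Correct the paths, or remove this file if it is not referenced.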
diff --git a/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
new file mode 100644
index 00000000..511f221f
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
@@ -0,0 +1,15 @@
+---
+- name: Install krb5 dependencies
+  become: yes
+  become_method: sudo
+  yum:
+    update_cache: yes
+    name: "{{ packages }}"
+  retries: 3
+  delay: 5
+  register: result
+  until: result.rc == 0
+  vars:
+    packages:
+      - krb5-libs
+      - krb5-workstation
diff --git a/playbooks/roles/krb5/tasks/install-deps/suse/main.yml b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml
new file mode 100644
index 00000000..b01ac532
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install krb5 dependencies
+  become: yes
+  become_method: sudo
+  zypper:
+    name:
+      - krb5
+      - krb5-client
+      - kernel-default
+    state: present
+    force_resolution: true
+
+- name: Reboot system to make the new kernel and modules take effect
+  become: yes
+  become_method: sudo
+  ansible.builtin.reboot:
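Review bot: the "Reboot system to make the new kernel and modules take effect" task has no condition, so every run of the krb5 role reboots the SUSE guests even when zypper changed nothing. Register the zypper result and reboot only when it reports a change. A short comment on why `kernel-default` and `force_resolution: true` are needed for krb5 would also help the next reader.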
diff --git a/playbooks/roles/krb5/tasks/main.yml b/playbooks/roles/krb5/tasks/main.yml
new file mode 100644
index 00000000..e3731f29
--- /dev/null
+++ b/playbooks/roles/krb5/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+- name: Debian-specific setup
+  ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/debian/main.yml
+  when: ansible_os_family == 'Debian'
+
+- name: SuSE-specific setup
+  ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Red Hat-specific setup
+  ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: Configure /etc/krb5.conf
+  become: yes
+  become_method: sudo
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Ensure /etc/krb5.conf.d exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.file:
+    path: /etc/krb5.conf.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Check to see if nfs principal exists
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin -w {{ krb5_admin_pw }} -q "listprincs" | grep -q "nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+  register: host_princ_grep
+  ignore_errors: yes
+
+- name: Add nfs principal
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin -w {{ krb5_admin_pw }} -q "addprinc -randkey nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+  when: host_princ_grep.rc != 0
+
+- name: Check to see if nfs principal is in /etc/krb5.keytab
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: klist -kt | grep -q "nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+  register: keytab_grep
+  ignore_errors: yes
+
+- name: Add nfs principal to keytab
+  become: yes
+  become_method: sudo
+  ansible.builtin.shell:
+    cmd: kadmin -w {{ krb5_admin_pw }} -q "ktadd -k /etc/krb5.keytab nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}"
+  when: keytab_grep.rc != 0
+
+- name: Restart rpc.gssd
+  become: yes
+  become_method: sudo
+  ansible.builtin.systemd:
+    name: rpc-gssd
+    state: restarted
+  ignore_errors: yes
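Review bot: the two check tasks ("Check to see if nfs principal exists" and "Check to see if nfs principal is in /etc/krb5.keytab") combine a `| grep -q` pipeline with `ignore_errors: yes`, so a kadmin authentication failure or an unreachable KDC is indistinguishable from "principal missing" and the play proceeds to `addprinc` and `ktadd` anyway. Querying the exact principal with `getprinc`, and using `failed_when: false` plus `changed_when: false` on the checks, would keep real errors visible. The `kadmin -w {{ krb5_admin_pw }}` invocations also put the admin password in the argument list and task output; add `no_log: true` and quote the value. `ignore_errors: yes` on "Restart rpc.gssd" hides a failed restart on the hosts that need the service.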
diff --git a/playbooks/roles/krb5/templates/krb5.conf.j2 b/playbooks/roles/krb5/templates/krb5.conf.j2
new file mode 100644
index 00000000..1ed37d5e
--- /dev/null
+++ b/playbooks/roles/krb5/templates/krb5.conf.j2
@@ -0,0 +1,31 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+    spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
+    default_realm = {{ krb5_realm }}
+    default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+{{ krb5_realm }} = {
+    kdc = {{ kdevops_hosts_prefix }}-kdc:88
+    admin_server = {{ kdevops_hosts_prefix }}-kdc:749
+    auth_to_local = RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/
+    auth_to_local = DEFAULT
+}
+
+[domain_realm]
+  .{{ krb5_realm | lower }} = {{ krb5_realm }}
+  {{ krb5_realm | lower }} = {{ krb5_realm }}
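Review bot: `auth_to_local = RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/` maps every two-component `nfs/<anything>` principal in the realm to local root, so the holder of any host's nfs key is treated as root on each machine that renders this template. That may be what the test setup wants, but it should be stated in a comment in the template, or the second component should be restricted to the kdevops host names.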
diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
index a48d40ef..033c2edf 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml
@@ -21,6 +21,11 @@
     - fsprogs is defined
     - fsprogs
 
+- name: Add gssproxy to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + ['gssproxy'] }}"
+  when: krb5_realm is defined
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
index 49d931cd..535d6d9a 100644
--- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
+++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml
@@ -21,6 +21,11 @@
     - fsprogs is defined
     - fsprogs
 
+- name: Add additional packages needed for krb5 to the nfsd packages list
+  set_fact:
+    nfsd_packages: "{{ nfsd_packages + ['gssproxy', 'libverto-libev1'] }}"
+  when: krb5_realm is defined
+
 - name: Install nfsd dependencies
   become: yes
   become_method: sudo
diff --git a/scripts/bringup.Makefile b/scripts/bringup.Makefile
index 5a477847..5c6a59c3 100644
--- a/scripts/bringup.Makefile
+++ b/scripts/bringup.Makefile
@@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
 KDEVOPS_BRING_UP_DEPS += siw
 endif # KDEVOPS_SETUP_SIW
 
+ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
+KDEVOPS_BRING_UP_DEPS += kdc
+endif # KDEVOPS_SETUP_KRB5
+
 update_etc_hosts:
 	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
 		-f 30 -i hosts playbooks/update_etc_hosts.yml
diff --git a/scripts/kdc.Makefile b/scripts/kdc.Makefile
new file mode 100644
index 00000000..6e859193
--- /dev/null
+++ b/scripts/kdc.Makefile
@@ -0,0 +1,8 @@
+KDC_EXTRA_ARGS += krb5_realm='$(subst ",,$(CONFIG_KRB5_REALM))'
+KDC_EXTRA_ARGS += krb5_admin_pw='$(subst ",,$(CONFIG_KRB5_ADMIN_PW))'
+
+ANSIBLE_EXTRA_ARGS += $(KDC_EXTRA_ARGS)
+
+kdc:
+	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
+		-f 30 -i hosts -l kdc playbooks/kdc.yml
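Review bot: `krb5_admin_pw='$(subst ",,$(CONFIG_KRB5_ADMIN_PW))'` strips double quotes but wraps the value in single quotes, so a password containing `'` breaks the argument. The secret is also appended to ANSIBLE_EXTRA_ARGS like any ordinary setting; the Kconfig help for KRB5_ADMIN_PW should say that the value is kept in plain text in the generated configuration and is meant for throwaway test realms only.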
diff --git a/scripts/krb5.Makefile b/scripts/krb5.Makefile
new file mode 100644
index 00000000..0240bedf
--- /dev/null
+++ b/scripts/krb5.Makefile
@@ -0,0 +1,10 @@
+krb5:
+	$(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \
+		-f 30 -i hosts -l krb5 playbooks/krb5.yml
+
+krb5-help-menu:
+	@echo "krb5 options:"
+	@echo "krb5                  - Installs krb5 packages, generates principals, and updates keytabs"
+	@echo ""
+
+HELP_TARGETS += krb5-help-menu
diff --git a/workflows/fstests/nfs/Kconfig b/workflows/fstests/nfs/Kconfig
index 9de5ae04..86e930a6 100644
--- a/workflows/fstests/nfs/Kconfig
+++ b/workflows/fstests/nfs/Kconfig
@@ -98,3 +98,32 @@ config FSTESTS_NFS_SECTION_V3
 	default n
 
 endif # !FSTESTS_NFS_MANUAL_COVERAGE
+
+choice
+	prompt "Authentication flavor to use"
+	default	FSTESTS_NFS_AUTH_KRB5
+	depends on KDEVOPS_SETUP_KRB5
+	help
+	  This is the authentication flavor you want to test.  The selected
+          option will get written to /etc/nfsmount.conf on the NFS clients.
+
+config FSTESTS_NFS_AUTH_SYS
+	bool "sys"
+
+config FSTESTS_NFS_AUTH_KRB5
+	bool "krb5"
+
+config FSTESTS_NFS_AUTH_KRB5I
+	bool "krb5i"
+
+config FSTESTS_NFS_AUTH_KRB5P
+	bool "krb5p"
+
+endchoice
+
+config FSTESTS_NFS_AUTH_FLAVOR
+	string
+	default "sys" if FSTESTS_NFS_AUTH_SYS
+	default "krb5" if FSTESTS_NFS_AUTH_KRB5
+	default "krb5i" if FSTESTS_NFS_AUTH_KRB5I
+	default "krb5p" if FSTESTS_NFS_AUTH_KRB5P
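Review bot: in the `choice` help text the second line ("option will get written to /etc/nfsmount.conf on the NFS clients.") is indented with spaces while the first line uses a tab plus two spaces; make them consistent. The help could also say what the flavors mean (sys is AUTH_SYS, krb5 is authentication only, krb5i adds integrity, krb5p adds privacy) so the choice is clear to someone who does not know the NFS `sec=` values.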
diff --git a/workflows/fstests/nfs/Makefile b/workflows/fstests/nfs/Makefile
index 686e27ae..ba4387e1 100644
--- a/workflows/fstests/nfs/Makefile
+++ b/workflows/fstests/nfs/Makefile
@@ -24,3 +24,7 @@ endif
 ifeq (y,$(CONFIG_FSTESTS_NFS_SECTION_V3))
 FSTESTS_ARGS += fstests_nfs_section_v3=True
 endif
+
+ifdef CONFIG_FSTESTS_NFS_AUTH_FLAVOR
+FSTESTS_ARGS += fstests_nfs_auth_flavor='$(subst ",,$(CONFIG_FSTESTS_NFS_AUTH_FLAVOR))'
+endif
-- 
2.43.0



* Re: [PATCH 0/5] add initial support for testing nfs with krb5
  2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
                   ` (4 preceding siblings ...)
  2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew
@ 2024-03-08 15:01 ` Chuck Lever III
  2024-03-08 15:50   ` Scott Mayhew
  5 siblings, 1 reply; 15+ messages in thread
From: Chuck Lever III @ 2024-03-08 15:01 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: kdevops@lists.linux.dev



> On Mar 7, 2024, at 8:14 AM, Scott Mayhew <smayhew@redhat.com> wrote:
> 
> These patches add support for running fstests on NFS with krb5.  The
> bulk of the work is in patch 5.  There are a handful of new Kconfig
> options (KDEVOPS_SETUP_KRB5, KRB5_REALM, KRB5_ADMIN_PW, and
> FSTESTS_NFS_AUTH_FLAVOR) as well as a new Makefile target "krb5" which
> should be run after "make bringup".  A KDC is spun up automatically
> during "make bringup".  "make krb5" installs all the necessary
> dependencies, generates keys, and updates the keytabs on the NFS client
> and server VMs.

Would it be easy to integrate KDC bringup with the
existing make targets? nfsd and tls, for instance,
do not have a separate make target.


> Right now you can only use krb5 with the fstests workflow, but it should
> be straightforward to add it to the other NFS-related workflows.
> 
> I tested these patches using fedora-39, debian-12, and
> opensuse-tumbleweed guestfs images.
> 
> -Scott
> 
> Scott Mayhew (5):
>  nfsd: make sure the appropriate fsprogs package is installed
>  update_etc_hosts: fix up hostnames on debian guestfs hosts
>  nfsd: use EXTRA_VAR_INPUTS for export options
>  devconfig: set /etc/hostname earlier
>  fstests/nfs: add krb5 support
> 
> Makefile                                      |   5 +
> kconfigs/Kconfig.bringup.goals                |  12 ++
> kconfigs/Kconfig.kdc                          |  11 ++
> playbooks/kdc.yml                             |   4 +
> playbooks/krb5.yml                            |   4 +
> playbooks/roles/devconfig/tasks/main.yml      |  21 ++--
> .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
> playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
> .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
> .../roles/gen_hosts/templates/fstests.j2      |  17 +++
> playbooks/roles/gen_nodes/tasks/main.yml      |  19 +++
> .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
> .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
> .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
> .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
> playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
> playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
> playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
> playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
> playbooks/roles/kdc/vars/Debian.yml           |   7 ++
> playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
> playbooks/roles/kdc/vars/Suse.yml             |   7 ++
> playbooks/roles/kdc/vars/default.yml          |   1 +
> playbooks/roles/kdc/vars/main.yml             |   1 +
> .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
> .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
> .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
> .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
> playbooks/roles/krb5/tasks/main.yml           |  70 +++++++++++
> playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
> .../nfsd/tasks/install-deps/debian/main.yml   |  33 ++++-
> .../nfsd/tasks/install-deps/redhat/main.yml   |  31 +++--
> .../nfsd/tasks/install-deps/suse/main.yml     |  32 ++++-
> playbooks/roles/nfsd/vars/Debian.yml          |  11 ++
> playbooks/roles/nfsd/vars/RedHat.yml          |  12 ++
> playbooks/roles/nfsd/vars/Suse.yml            |  10 ++
> .../roles/update_etc_hosts/tasks/main.yml     |  12 ++
> scripts/bringup.Makefile                      |   4 +
> scripts/kdc.Makefile                          |   8 ++
> scripts/krb5.Makefile                         |  10 ++
> scripts/nfsd.Makefile                         |   8 +-
> workflows/fstests/nfs/Kconfig                 |  29 +++++
> workflows/fstests/nfs/Makefile                |   4 +
> 43 files changed, 712 insertions(+), 27 deletions(-)
> create mode 100644 kconfigs/Kconfig.kdc
> create mode 100644 playbooks/kdc.yml
> create mode 100644 playbooks/krb5.yml
> create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
> create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
> create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
> create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
> create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
> create mode 100644 playbooks/roles/kdc/tasks/main.yml
> create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
> create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
> create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
> create mode 100644 playbooks/roles/kdc/vars/Debian.yml
> create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
> create mode 100644 playbooks/roles/kdc/vars/Suse.yml
> create mode 100644 playbooks/roles/kdc/vars/default.yml
> create mode 100644 playbooks/roles/kdc/vars/main.yml
> create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
> create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
> create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
> create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
> create mode 100644 playbooks/roles/krb5/tasks/main.yml
> create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
> create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
> create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
> create mode 100644 playbooks/roles/nfsd/vars/Suse.yml
> create mode 100644 scripts/kdc.Makefile
> create mode 100644 scripts/krb5.Makefile
> 
> -- 
> 2.43.0
> 
> 

--
Chuck Lever




* Re: [PATCH 0/5] add initial support for testing nfs with krb5
  2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III
@ 2024-03-08 15:50   ` Scott Mayhew
  0 siblings, 0 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-08 15:50 UTC (permalink / raw)
  To: Chuck Lever III; +Cc: kdevops@lists.linux.dev

On Fri, 08 Mar 2024, Chuck Lever III wrote:

> 
> 
> > On Mar 7, 2024, at 8:14 AM, Scott Mayhew <smayhew@redhat.com> wrote:
> > 
> > These patches add support for running fstests on NFS with krb5.  The
> > bulk of the work is in patch 5.  There are a handful of new Kconfig
> > options (KDEVOPS_SETUP_KRB5, KRB5_REALM, KRB5_ADMIN_PW, and
> > FSTESTS_NFS_AUTH_FLAVOR) as well as a new Makefile target "krb5" which
> > should be run after "make bringup".  A KDC is spun up automatically
> > during "make bringup".  "make krb5" installs all the necessary
> > dependencies, generates keys, and updates the keytabs on the NFS client
> > and server VMs.
> 
> Would it be easy to integrate KDC bringup with the
> existing make targets? nfsd and tls, for instance,
> do not have a separate make target.

I'm assuming you mean the krb5 target.  The KDC bringup is already automatic.
I modeled it after the nfsd and tls stuff actually, which do have
separate make targets - they just don't show up on the help menu and
you don't run them directly.  The krb5 target needs to be run after the
/etc/hosts files are updated so that the clients and nfsd are able to
talk to the KDC... so something like this should work

---8<---
diff --git a/scripts/bringup.Makefile b/scripts/bringup.Makefile
index 5c6a59c3..62a77d8e 100644
--- a/scripts/bringup.Makefile
+++ b/scripts/bringup.Makefile
@@ -35,13 +35,14 @@ endif # KDEVOPS_SETUP_SIW
 
 ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
 KDEVOPS_BRING_UP_DEPS += kdc
+KDEVOPS_BRING_UP_POST += krb5
 endif # KDEVOPS_SETUP_KRB5
 
 update_etc_hosts:
        $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
                -f 30 -i hosts playbooks/update_etc_hosts.yml
 
-bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts
+bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)
 
 destroy: $(KDEVOPS_DESTROY_DEPS)
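Review bot: on the changed `bringup:` line, placing `$(KDEVOPS_BRING_UP_POST)` after `update_etc_hosts` in the prerequisite list only orders the two in a serial make; under `make -j` prerequisites of the same target can run in parallel. Since the krb5 target has to run after /etc/hosts is updated, state that as a dependency of its own, for example `krb5: update_etc_hosts` in krb5.Makefile, rather than relying on list position.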
---8<---

I'll test and if it works I'll just get rid of the help text from
krb5.Makefile and we should be good to go.

-Scott
> 
> 
> > Right now you can only use krb5 with the fstests workflow, but it should
> > be straightforward to add it to the other NFS-related workflows.
> > 
> > I tested these patches using fedora-39, debian-12, and
> > opensuse-tumbleweed guestfs images.
> > 
> > -Scott
> > 
> > Scott Mayhew (5):
> >  nfsd: make sure the appropriate fsprogs package is installed
> >  update_etc_hosts: fix up hostnames on debian guestfs hosts
> >  nfsd: use EXTRA_VAR_INPUTS for export options
> >  devconfig: set /etc/hostname earlier
> >  fstests/nfs: add krb5 support
> > 
> > Makefile                                      |   5 +
> > kconfigs/Kconfig.bringup.goals                |  12 ++
> > kconfigs/Kconfig.kdc                          |  11 ++
> > playbooks/kdc.yml                             |   4 +
> > playbooks/krb5.yml                            |   4 +
> > playbooks/roles/devconfig/tasks/main.yml      |  21 ++--
> > .../fstests/tasks/install-deps/suse/main.yml  |  10 ++
> > playbooks/roles/fstests/tasks/main.yml        |  41 ++++++
> > .../roles/fstests/templates/nfs/nfsmount.conf |   2 +
> > .../roles/gen_hosts/templates/fstests.j2      |  17 +++
> > playbooks/roles/gen_nodes/tasks/main.yml      |  19 +++
> > .../kdc/tasks/install-deps/debian/main.yml    |  11 ++
> > .../roles/kdc/tasks/install-deps/main.yml     |  12 ++
> > .../kdc/tasks/install-deps/redhat/main.yml    |  16 +++
> > .../kdc/tasks/install-deps/suse/main.yml      |  10 ++
> > playbooks/roles/kdc/tasks/main.yml            | 119 ++++++++++++++++++
> > playbooks/roles/kdc/templates/kadm5.acl.j2    |   1 +
> > playbooks/roles/kdc/templates/kdc.conf.j2     |  15 +++
> > playbooks/roles/kdc/templates/krb5.conf.j2    |  29 +++++
> > playbooks/roles/kdc/vars/Debian.yml           |   7 ++
> > playbooks/roles/kdc/vars/RedHat.yml           |   7 ++
> > playbooks/roles/kdc/vars/Suse.yml             |   7 ++
> > playbooks/roles/kdc/vars/default.yml          |   1 +
> > playbooks/roles/kdc/vars/main.yml             |   1 +
> > .../krb5/tasks/install-deps/debian/main.yml   |   9 ++
> > .../roles/krb5/tasks/install-deps/main.yml    |  12 ++
> > .../krb5/tasks/install-deps/redhat/main.yml   |  15 +++
> > .../krb5/tasks/install-deps/suse/main.yml     |  16 +++
> > playbooks/roles/krb5/tasks/main.yml           |  70 +++++++++++
> > playbooks/roles/krb5/templates/krb5.conf.j2   |  31 +++++
> > .../nfsd/tasks/install-deps/debian/main.yml   |  33 ++++-
> > .../nfsd/tasks/install-deps/redhat/main.yml   |  31 +++--
> > .../nfsd/tasks/install-deps/suse/main.yml     |  32 ++++-
> > playbooks/roles/nfsd/vars/Debian.yml          |  11 ++
> > playbooks/roles/nfsd/vars/RedHat.yml          |  12 ++
> > playbooks/roles/nfsd/vars/Suse.yml            |  10 ++
> > .../roles/update_etc_hosts/tasks/main.yml     |  12 ++
> > scripts/bringup.Makefile                      |   4 +
> > scripts/kdc.Makefile                          |   8 ++
> > scripts/krb5.Makefile                         |  10 ++
> > scripts/nfsd.Makefile                         |   8 +-
> > workflows/fstests/nfs/Kconfig                 |  29 +++++
> > workflows/fstests/nfs/Makefile                |   4 +
> > 43 files changed, 712 insertions(+), 27 deletions(-)
> > create mode 100644 kconfigs/Kconfig.kdc
> > create mode 100644 playbooks/kdc.yml
> > create mode 100644 playbooks/krb5.yml
> > create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
> > create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
> > create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
> > create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
> > create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
> > create mode 100644 playbooks/roles/kdc/tasks/main.yml
> > create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
> > create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
> > create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
> > create mode 100644 playbooks/roles/kdc/vars/Debian.yml
> > create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
> > create mode 100644 playbooks/roles/kdc/vars/Suse.yml
> > create mode 100644 playbooks/roles/kdc/vars/default.yml
> > create mode 100644 playbooks/roles/kdc/vars/main.yml
> > create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
> > create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
> > create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
> > create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
> > create mode 100644 playbooks/roles/krb5/tasks/main.yml
> > create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
> > create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
> > create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
> > create mode 100644 playbooks/roles/nfsd/vars/Suse.yml
> > create mode 100644 scripts/kdc.Makefile
> > create mode 100644 scripts/krb5.Makefile
> > 
> > -- 
> > 2.43.0
> > 
> > 
> 
> --
> Chuck Lever
> 
> 



* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew
@ 2024-03-08 16:57   ` Luis Chamberlain
  2024-03-08 19:33     ` Scott Mayhew
  0 siblings, 1 reply; 15+ messages in thread
From: Luis Chamberlain @ 2024-03-08 16:57 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: kdevops

My review comments are not requirements, they are how to enhance this
so we can scale better and long term goals to keep in mind. Whether or
not you do the work is up to you.

On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote:
> diff --git a/Makefile b/Makefile
> index 9ca3a5f3..df4aad7b 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
>  include scripts/nfsd.Makefile
>  endif # CONFIG_KDEVOPS_SETUP_NFSD
>  
> +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> +include scripts/kdc.Makefile
> +include scripts/krb5.Makefile
> +endif # CONFIG_KDEVOPS_SETUP_KRB5

This sort of clutter can be compartmentalized now, see right above:

include scripts/provision.Makefile
include scripts/systemd-timesync.Makefile
include scripts/journal-server.Makefile

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)

This lets us now split work which needs to be set up early
and this can vary depending on if the dep is a localhost (hypervisor or
command and control) setting or a target node (guest or target node on
cloud) setting.

So for example systemd-timesync has both parts:

LOCALHOST_SETUP_WORK += timesyncd-server
KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client

Then the clutter is kept on the target makefile. This lets us also keep
ordering by the Makefile include order. So we should be able to move
siw ktls nfs setup to this methodology too. That will let us scale this
and keep our top level Makefile neat and makes order explicit and clear.

It seems in this case it's all being set up on the target node so only
KDEVOPS_BRING_UP_DEPS_EARLY is needed.

BTW you may benefit from CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD as it
sets up NTP on the host/nodes. But if you're going to enable that
you could just enable systemd-remote-journal too, which we now have
support for in guestfs.

> diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
> index 71948e9b..26ffac98 100644
> --- a/kconfigs/Kconfig.bringup.goals
> +++ b/kconfigs/Kconfig.bringup.goals
> @@ -109,3 +109,15 @@ menu "Configure the kernel NFS server"
>  source "kconfigs/Kconfig.nfsd"
>  endmenu
>  endif
> +
> +config KDEVOPS_SETUP_KRB5
> +	bool "Set up KRB5"
> +	default n
> +	help
> +	  Configure and bring up a MIT Kerberos V5 KDC.
> +
> +if KDEVOPS_SETUP_KRB5
> +menu "Configure the KRB5 KDC"
> +source "kconfigs/Kconfig.kdc"
> +endmenu
> +endif
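
Review bot: the new KDEVOPS_SETUP_KRB5 entry brings up a KDC but declares
no dependency on time synchronization. Kerberos rejects requests once the
client, server and KDC clocks drift past the allowed skew (five minutes by
default in MIT krb5), so on freshly provisioned guests it would be safer
for this symbol to pull in the timesyncd option mentioned earlier in this
reply (CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD), or at least for the help
text to state that synchronized clocks are required. Minor: "default n" is
redundant for a bool symbol.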

I think it's cleaner if we move the config and the if to the
kconfigs/Kconfig.kdc, the similar change could be done with
KDEVOPS_SETUP_NFSD so it's easier to add things the top level
kconfigs/Kconfig.nfsd is kept clean.

> diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
> new file mode 100644
> index 00000000..73b6a8e4
> --- /dev/null
> +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
> @@ -0,0 +1,2 @@
> +[ NFSMount_Global_Options ]
> +# Sec=sys
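
Review bot: the new nfsmount.conf carries only a commented-out "# Sec=sys"
under [ NFSMount_Global_Options ], so as rendered it sets no security
flavor at all and the mount uses whatever the client and server negotiate.
If a later task is meant to rewrite this line, a run where that step is
skipped or fails to match would still pass while never exercising krb5.
Since the file lives under templates/, consider rendering the Sec= line
directly from the FSTESTS_NFS_AUTH_FLAVOR setting, and failing the play
when krb5 is requested but the resulting flavor is not a krb5 one.
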
> diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
> index 74057952..b94e89da 100644
> --- a/playbooks/roles/gen_hosts/templates/fstests.j2
> +++ b/playbooks/roles/gen_hosts/templates/fstests.j2
> @@ -27,3 +27,20 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
>  {% endif %}
>  [nfsd:vars]
>  ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> +[kdc]
> +{% if krb5_realm is defined %}
> +{{ kdevops_hosts_prefix }}-kdc
> +{% endif %}
> +[kdc:vars]
> +ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> +[krb5]
> +{% if krb5_realm is defined %}
> +{% for s in fstests_enabled_test_types %}
> +{{ kdevops_host_prefix }}-{{ s }}
> +{% endfor %}
> +{% if nfsd_threads is defined %}
> +{{ kdevops_hosts_prefix }}-nfsd
> +{% endif %}
> +{% endif %}
> +[krb5:vars]
> +ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
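
Review bot: the added stanzas mix two variable names. The [kdc] entry and
the nfsd line under [krb5] use kdevops_hosts_prefix, while the loop over
fstests_enabled_test_types uses kdevops_host_prefix, which is also what the
gen_nodes change uses to build the '-kdc' node name. Unless both are
guaranteed to hold the same value, the inventory host and the generated
node can end up with different names; using one variable throughout the
hunk would rule that out.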

We should add a kdc_enable which defaults to False and if true then we
include the clutter below.

In retrospect the same should be done for nfsd.

Ie, if no one enabled nfsd or kdc we should hide targets for these
options too and so the user has no make targets to use them and so no
reason to clutter existing hosts file for users who don't enable these
things.

> diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
> index 2f5c48b6..1181ef10 100644
> --- a/playbooks/roles/gen_nodes/tasks/main.yml
> +++ b/playbooks/roles/gen_nodes/tasks/main.yml
> @@ -55,6 +55,18 @@
>    when:
>      - nfsd_threads is defined
>  
> +- name: Set kdc_nodes list
> +  set_fact:
> +    kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}"
> +  when:
> +    - krb5_realm is defined

We should have a respective krb5_enable or something like that
which defaults to False and here we should use krb5_realm_enable|bool
instead.

The respective kconfig option would be

CONFIG_KRB5_REALM_ENABLE

The rationale would be that we later extend kconfig support so
each kconfig option can have below say an extra tag to indicate
"generate yaml", so our extra_vars.yaml file is automatically generated
for us by kconfig itself. That is, we'd tell kconfig which kconfig
symbols we want it to generate respective yaml entries for. So it'd
just lowercase the symbol name and remove config prefix. Then later
we can remove tons of Makefile changes which modify something to True.

> +- name: Add a KRB5 KDC if one was selected
> +  set_fact:
> +    generic_nodes: "{{ generic_nodes + kdc_nodes }}"
> +  when:
> +    - krb5_realm is defined

Same.

> +
>  - name: Set fstests config file variable for {{ fstests_fstyp }}
>    set_fact:
>      is_fstests: True
> @@ -217,6 +229,13 @@
>      - is_fstests|bool
>      - nfsd_threads is defined
>  
> +- name: Add the KRB5 KDC if one was selected
> +  set_fact:
> +    fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}"
> +  when:
> +    - is_fstests|bool
> +    - krb5_realm is defined

Same.

> diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml
> new file mode 100644
> index 00000000..b67f38d0
> --- /dev/null
> +++ b/playbooks/roles/kdc/tasks/main.yml
> @@ -0,0 +1,119 @@
> +---
> +- name: Get OS-specific variables
> +  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
> +  vars:
> +    params:
> +      files:
> +        - '{{ansible_distribution}}.yml'
> +        - '{{ansible_os_family}}.yml'
> +        - default.yml
> +      paths:
> +        - 'vars'

Ah.. this is a good alternative to Kconfig defaults but ...

> diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
> new file mode 100644
> index 00000000..ed97d539
> --- /dev/null
> +++ b/playbooks/roles/kdc/vars/default.yml
> @@ -0,0 +1 @@
> +---
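
Review bot: with default.yml containing only "---", the first_found lookup
in tasks/main.yml always succeeds, so on a distribution without its own
vars file the role carries on with none of its OS-specific variables set
and fails later at first use, far from the cause. If distro-neutral
defaults are not possible, either drop default.yml from the files list so
the lookup errors out immediately, or add an early assert that the required
variables are defined, with a message naming the unsupported distribution.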

This is empty, it should have all sensible defaults and .. it's a good
time to evaluate whether or not having things configurable is better,
but I understand that can be a second step. The other reason to have
things configurable is it lets you document things. But that's totally
optional.

> index 5a477847..5c6a59c3 100644
> --- a/scripts/bringup.Makefile
> +++ b/scripts/bringup.Makefile
> @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
>  KDEVOPS_BRING_UP_DEPS += siw
>  endif # KDEVOPS_SETUP_SIW
>  
> +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> +KDEVOPS_BRING_UP_DEPS += kdc
> +endif # KDEVOPS_SETUP_KRB5

See same ordering thing here. Granted, I am not sure if this is
a dep which needs to be set up early, so you should decide, but as
our deps grow I thought it would be good to split them by regular
services Vs optional later things.

  Luis


* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-08 16:57   ` Luis Chamberlain
@ 2024-03-08 19:33     ` Scott Mayhew
  2024-03-08 21:08       ` Scott Mayhew
  2024-03-08 21:18       ` Luis Chamberlain
  0 siblings, 2 replies; 15+ messages in thread
From: Scott Mayhew @ 2024-03-08 19:33 UTC (permalink / raw)
  To: Luis Chamberlain; +Cc: kdevops

On Fri, 08 Mar 2024, Luis Chamberlain wrote:

> My review comments are not requirements, they are how to enhance this
> so we can scale better and long term goals to keep in mind. Whether or
> not you do the work is up to you.
> 
> On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote:
> > diff --git a/Makefile b/Makefile
> > index 9ca3a5f3..df4aad7b 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
> >  include scripts/nfsd.Makefile
> >  endif # CONFIG_KDEVOPS_SETUP_NFSD
> >  
> > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > +include scripts/kdc.Makefile
> > +include scripts/krb5.Makefile
> > +endif # CONFIG_KDEVOPS_SETUP_KRB5
> 
> This sort of clutter can be compartmentalized now, see right above:
> 
> include scripts/provision.Makefile                                               
> include scripts/systemd-timesync.Makefile                                        
> include scripts/journal-server.Makefile                                          
>                                                                                  
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)                          
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) 
> 
> This lets us now split work which needs to be set up early
> and this can vary depending on if the dep is a localhost (hypervisor or
> command and control) setting or a target node (guest or target node on
> cloud) setting.
> 
> So for example systemd-timesync has both parts:
> 
> LOCALHOST_SETUP_WORK += timesyncd-server
> KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
> 
> Then the clutter is kept on the target makefile. This lets us also keep
> ordering by the Makefile include order. So we should be able to move
> siw ktls nfs setup to this methodology too. That will let us scale this
> and keep our top level Makefile neat and makes order explicit and clear.
> 
> It seems in this case it's all being set up on the target node so only
> KDEVOPS_BRING_UP_DEPS_EARLY is needed.

Just so I'm clear on what you're suggesting...

1. move the ifeq...endif directives inside the target makefiles
2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
   target makefiles (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
3. move the includes up above this line:
KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)

Does that sound right?

Also, did you see my reply to Chuck about doing the krb5 client setup
automatically?  In order to do that I need to have a "post" bringup
step, so that bringup target would look like this:

bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)

Is that okay?  Note that the krb5 client setup has to run after update_etc_hosts,
so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.

> 
> BTW you may benefit from CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD as it
> sets up NTP on the host/nodes. But if you're going to enable that
> you could just enable systemd-remote-journal too, which we now have
> support for in guestfs.
> 
> > diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
> > index 71948e9b..26ffac98 100644
> > --- a/kconfigs/Kconfig.bringup.goals
> > +++ b/kconfigs/Kconfig.bringup.goals
> > @@ -109,3 +109,15 @@ menu "Configure the kernel NFS server"
> >  source "kconfigs/Kconfig.nfsd"
> >  endmenu
> >  endif
> > +
> > +config KDEVOPS_SETUP_KRB5
> > +	bool "Set up KRB5"
> > +	default n
> > +	help
> > +	  Configure and bring up a MIT Kerberos V5 KDC.
> > +
> > +if KDEVOPS_SETUP_KRB5
> > +menu "Configure the KRB5 KDC"
> > +source "kconfigs/Kconfig.kdc"
> > +endmenu
> > +endif
> 
> I think it's cleaner if we move the config and the if to the
> kconfigs/Kconfig.kdc, the similar change could be done with
> KDEVOPS_SETUP_NFSD so it's easier to add things the top level
> kconfigs/Kconfig.nfsd is kept clean.

Will do.

> 
> > diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
> > new file mode 100644
> > index 00000000..73b6a8e4
> > --- /dev/null
> > +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
> > @@ -0,0 +1,2 @@
> > +[ NFSMount_Global_Options ]
> > +# Sec=sys
> > diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
> > index 74057952..b94e89da 100644
> > --- a/playbooks/roles/gen_hosts/templates/fstests.j2
> > +++ b/playbooks/roles/gen_hosts/templates/fstests.j2
> > @@ -27,3 +27,20 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> >  {% endif %}
> >  [nfsd:vars]
> >  ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> > +[kdc]
> > +{% if krb5_realm is defined %}
> > +{{ kdevops_hosts_prefix }}-kdc
> > +{% endif %}
> > +[kdc:vars]
> > +ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> > +[krb5]
> > +{% if krb5_realm is defined %}
> > +{% for s in fstests_enabled_test_types %}
> > +{{ kdevops_host_prefix }}-{{ s }}
> > +{% endfor %}
> > +{% if nfsd_threads is defined %}
> > +{{ kdevops_hosts_prefix }}-nfsd
> > +{% endif %}
> > +{% endif %}
> > +[krb5:vars]
> > +ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> 
> We should add a kdc_enable which defaults to False and if true then we
> include the clutter below.
> 
> In retrospect the same should be done for nfsd.
> 
> Ie, if no one enabled nfsd or kdc we should hide targets for these
> options too and so the user has no make targets to use them and so no
> reason to clutter existing hosts file for users who don't enable these
> things.

I did notice that those stanzas were present even if those options weren't
enabled.

Do I really need a separate kdc_enable or should I just use the
krb5_enable variable that you suggested below?  

> 
> > diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
> > index 2f5c48b6..1181ef10 100644
> > --- a/playbooks/roles/gen_nodes/tasks/main.yml
> > +++ b/playbooks/roles/gen_nodes/tasks/main.yml
> > @@ -55,6 +55,18 @@
> >    when:
> >      - nfsd_threads is defined
> >  
> > +- name: Set kdc_nodes list
> > +  set_fact:
> > +    kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}"
> > +  when:
> > +    - krb5_realm is defined
> 
> We should have a respective krb5_enable or something like that
> which defaults to False and here we should use krb5_realm_enable|bool
> instead.
> 
> The respective kconfig option would be
> 
> CONFIG_KRB5_REALM_ENABLE
> 
> The rationale would be that we later extend kconfig support so
> each kconfig option can have below say an extra tag to indicate
> "generate yaml", so our extra_vars.yaml file is automatically generated
> for us by kconfig itself. That is, we'd tell kconfig which kconfig
> symbols we want it to generate respective yaml entries for. So it'd
> just lowercase the symbol name and remove config prefix. Then later
> we can remove tons of Makefile changes which modify something to True.

Will do.

> 
> > +- name: Add a KRB5 KDC if one was selected
> > +  set_fact:
> > +    generic_nodes: "{{ generic_nodes + kdc_nodes }}"
> > +  when:
> > +    - krb5_realm is defined
> 
> Same.
> 
> > +
> >  - name: Set fstests config file variable for {{ fstests_fstyp }}
> >    set_fact:
> >      is_fstests: True
> > @@ -217,6 +229,13 @@
> >      - is_fstests|bool
> >      - nfsd_threads is defined
> >  
> > +- name: Add the KRB5 KDC if one was selected
> > +  set_fact:
> > +    fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}"
> > +  when:
> > +    - is_fstests|bool
> > +    - krb5_realm is defined
> 
> Same.
> 
> > diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml
> > new file mode 100644
> > index 00000000..b67f38d0
> > --- /dev/null
> > +++ b/playbooks/roles/kdc/tasks/main.yml
> > @@ -0,0 +1,119 @@
> > +---
> > +- name: Get OS-specific variables
> > +  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
> > +  vars:
> > +    params:
> > +      files:
> > +        - '{{ansible_distribution}}.yml'
> > +        - '{{ansible_os_family}}.yml'
> > +        - default.yml
> > +      paths:
> > +        - 'vars'
> 
> Ah.. this is a good alternative to Kconfig defaults but ...
> 
> > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
> > new file mode 100644
> > index 00000000..ed97d539
> > --- /dev/null
> > +++ b/playbooks/roles/kdc/vars/default.yml
> > @@ -0,0 +1 @@
> > +---
> 
> This is empty, it should have all sensible defaults and .. it's a good
> time to evaluate whether or not having things configurable is better,
> but I understand that can be a second step. The other reason to have
> things configurable is it lets you document things. But that's totally
> optional.

I can add defaults, but they'll be the Red Hat defaults and might not
work with other distros.  Originally I didn't have those configurable at
all, and when I went and tested Debian and Suse I found that stuff
didn't work.  Unfortunately the names of the systemd services and where
they look for configuration files and data differ from distro to
distro, so I had to have at least some of the stuff configurable... but I
tried to keep the number of variables to a minimum.

> 
> > index 5a477847..5c6a59c3 100644
> > --- a/scripts/bringup.Makefile
> > +++ b/scripts/bringup.Makefile
> > @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
> >  KDEVOPS_BRING_UP_DEPS += siw
> >  endif # KDEVOPS_SETUP_SIW
> >  
> > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > +KDEVOPS_BRING_UP_DEPS += kdc
> > +endif # KDEVOPS_SETUP_KRB5
> 
> See same ordering thing here. Granted, I am not sure if this is
> a dep which needs to be set up early, so you should decide, but as
> our deps grow I thought it would be good to split them by regular
> services Vs optional later things.
> 
>   Luis
> 



* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-08 19:33     ` Scott Mayhew
@ 2024-03-08 21:08       ` Scott Mayhew
  2024-03-08 21:20         ` Luis Chamberlain
  2024-03-08 21:18       ` Luis Chamberlain
  1 sibling, 1 reply; 15+ messages in thread
From: Scott Mayhew @ 2024-03-08 21:08 UTC (permalink / raw)
  To: Luis Chamberlain; +Cc: kdevops

On Fri, 08 Mar 2024, Scott Mayhew wrote:

> On Fri, 08 Mar 2024, Luis Chamberlain wrote:
> 
> > My review comments are not requirements, they are how to enhance this
> > so we can scale better and long term goals to keep in mind. Whether or
> > not you do the work is up to you.
> > 
> > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote:
> > > diff --git a/Makefile b/Makefile
> > > index 9ca3a5f3..df4aad7b 100644
> > > --- a/Makefile
> > > +++ b/Makefile
> > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
> > >  include scripts/nfsd.Makefile
> > >  endif # CONFIG_KDEVOPS_SETUP_NFSD
> > >  
> > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > > +include scripts/kdc.Makefile
> > > +include scripts/krb5.Makefile
> > > +endif # CONFIG_KDEVOPS_SETUP_KRB5
> > 
> > > This sort of clutter can be compartmentalized now, see right above:
> > 
> > include scripts/provision.Makefile                                               
> > include scripts/systemd-timesync.Makefile                                        
> > include scripts/journal-server.Makefile                                          
> >                                                                                  
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)                          
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) 
> > 
> > > This lets us now split work which needs to be set up early
> > > and this can vary depending on if the dep is a localhost (hypervisor or
> > > command and control) setting or a target node (guest or target node on
> > > cloud) setting.
> > 
> > So for example systemd-timesync has both parts:
> > 
> > LOCALHOST_SETUP_WORK += timesyncd-server
> > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
> > 
> > > Then the clutter is kept on the target makefile. This lets us also keep
> > > ordering by the Makefile include order. So we should be able to move
> > > siw ktls nfs setup to this methodology too. That will let us scale this
> > > and keep our top level Makefile neat and makes order explicit and clear.
> > 
> > It seems in this case it's all being set up on the target node so only
> > KDEVOPS_BRING_UP_DEPS_EARLY is needed.
> 
> Just so I'm clear on what you're suggesting...
> 
> 1. move the ifeq...endif directives inside the target makefiles
> 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
>    target makefiles (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
> 3. move the includes up above this line:
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> 
> Does that sound right?

I think I'm missing something, because doing the above puts those steps
before the ssh configuration, and they fail.

-Scott

> 
> Also, did you see my reply to Chuck about doing the krb5 client setup
> automatically?  In order to do that I need to have a "post" bringup
> step, so that bringup target would look like this:
> 
> bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)
> 
> Is that okay?  Note that the krb5 client setup has to run after update_etc_hosts,
> so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.
> 
> > 
> > BTW you may benefit from CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD as it
> > sets up NTP on the host/nodes. But if you're going to enable that
> > you could just enable systemd-remote-journal too, which we now have
> > support for in guestfs.
> > 
> > > diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals
> > > index 71948e9b..26ffac98 100644
> > > --- a/kconfigs/Kconfig.bringup.goals
> > > +++ b/kconfigs/Kconfig.bringup.goals
> > > @@ -109,3 +109,15 @@ menu "Configure the kernel NFS server"
> > >  source "kconfigs/Kconfig.nfsd"
> > >  endmenu
> > >  endif
> > > +
> > > +config KDEVOPS_SETUP_KRB5
> > > +	bool "Set up KRB5"
> > > +	default n
> > > +	help
> > > +	  Configure and bring up a MIT Kerberos V5 KDC.
> > > +
> > > +if KDEVOPS_SETUP_KRB5
> > > +menu "Configure the KRB5 KDC"
> > > +source "kconfigs/Kconfig.kdc"
> > > +endmenu
> > > +endif
> > 
> > > I think it's cleaner if we move the config and the if to the
> > > kconfigs/Kconfig.kdc, the similar change could be done with
> > > KDEVOPS_SETUP_NFSD so it's easier to add things the top level
> > > kconfigs/Kconfig.nfsd is kept clean.
> 
> Will do.
> 
> > 
> > > diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
> > > new file mode 100644
> > > index 00000000..73b6a8e4
> > > --- /dev/null
> > > +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf
> > > @@ -0,0 +1,2 @@
> > > +[ NFSMount_Global_Options ]
> > > +# Sec=sys
> > > diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2
> > > index 74057952..b94e89da 100644
> > > --- a/playbooks/roles/gen_hosts/templates/fstests.j2
> > > +++ b/playbooks/roles/gen_hosts/templates/fstests.j2
> > > @@ -27,3 +27,20 @@ ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> > >  {% endif %}
> > >  [nfsd:vars]
> > >  ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> > > +[kdc]
> > > +{% if krb5_realm is defined %}
> > > +{{ kdevops_hosts_prefix }}-kdc
> > > +{% endif %}
> > > +[kdc:vars]
> > > +ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> > > +[krb5]
> > > +{% if krb5_realm is defined %}
> > > +{% for s in fstests_enabled_test_types %}
> > > +{{ kdevops_host_prefix }}-{{ s }}
> > > +{% endfor %}
> > > +{% if nfsd_threads is defined %}
> > > +{{ kdevops_hosts_prefix }}-nfsd
> > > +{% endif %}
> > > +{% endif %}
> > > +[krb5:vars]
> > > +ansible_python_interpreter =  "{{ kdevops_python_interpreter }}"
> > 
> > > We should add a kdc_enable which defaults to False and if true then we
> > include the clutter below.
> > 
> > In retrospect the same should be done for nfsd.
> > 
> > > Ie, if no one enabled nfsd or kdc we should hide targets for these
> > > options too and so the user has no make targets to use them and so no
> > > reason to clutter existing hosts file for users who don't enable these
> > > things.
> 
> I did notice that those stanzas were present even if those options weren't
> enabled.
> 
> Do I really need a separate kdc_enable or should I just use the
> krb5_enable variable that you suggested below?  
> 
> > 
> > > diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
> > > index 2f5c48b6..1181ef10 100644
> > > --- a/playbooks/roles/gen_nodes/tasks/main.yml
> > > +++ b/playbooks/roles/gen_nodes/tasks/main.yml
> > > @@ -55,6 +55,18 @@
> > >    when:
> > >      - nfsd_threads is defined
> > >  
> > > +- name: Set kdc_nodes list
> > > +  set_fact:
> > > +    kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}"
> > > +  when:
> > > +    - krb5_realm is defined
> > 
> > > We should have a respective krb5_enable or something like that
> > > which defaults to False and here we should use krb5_realm_enable|bool
> > > instead.
> > 
> > The respective kconfig option would be
> > 
> > CONFIG_KRB5_REALM_ENABLE
> > 
> > The rationale would be that we later extend kconfig support so
> > each kconfig option can have below say an extra tag to indicate
> > "generate yaml", so our extra_vars.yaml file is automatically generated
> > for us by kconfig itself. That is, we'd tell kconfig which kconfig
> > symbols we want it to generate respective yaml entries for. So it'd
> > just lowercase the symbol name and remove config prefix. Then later
> > we can remove tons of Makefile changes which modify something to True.
> 
> Will do.
> 
> > 
> > > +- name: Add a KRB5 KDC if one was selected
> > > +  set_fact:
> > > +    generic_nodes: "{{ generic_nodes + kdc_nodes }}"
> > > +  when:
> > > +    - krb5_realm is defined
> > 
> > Same.
> > 
> > > +
> > >  - name: Set fstests config file variable for {{ fstests_fstyp }}
> > >    set_fact:
> > >      is_fstests: True
> > > @@ -217,6 +229,13 @@
> > >      - is_fstests|bool
> > >      - nfsd_threads is defined
> > >  
> > > +- name: Add the KRB5 KDC if one was selected
> > > +  set_fact:
> > > +    fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}"
> > > +  when:
> > > +    - is_fstests|bool
> > > +    - krb5_realm is defined
> > 
> > Same.
> > 
> > > diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml
> > > new file mode 100644
> > > index 00000000..b67f38d0
> > > --- /dev/null
> > > +++ b/playbooks/roles/kdc/tasks/main.yml
> > > @@ -0,0 +1,119 @@
> > > +---
> > > +- name: Get OS-specific variables
> > > +  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
> > > +  vars:
> > > +    params:
> > > +      files:
> > > +        - '{{ansible_distribution}}.yml'
> > > +        - '{{ansible_os_family}}.yml'
> > > +        - default.yml
> > > +      paths:
> > > +        - 'vars'
> > 
> > Ah.. this is a good alternative to Kconfig defaults but ...
> > 
> > > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
> > > new file mode 100644
> > > index 00000000..ed97d539
> > > --- /dev/null
> > > +++ b/playbooks/roles/kdc/vars/default.yml
> > > @@ -0,0 +1 @@
> > > +---
> > 
> > This is empty, it should have all sensible defaults and .. it's a good
> > time to evaluate whether or not having things configurable is better,
> > > but I understand that can be a second step. The other reason to have
> > things configurable is it lets you document things. But that's totally
> > optional.
> 
> I can add defaults, but they'll be the Red Hat defaults and might not
> work with other distros.  Originally I didn't have those configurable at
> all, and when I went and tested Debian and Suse I found that stuff
> didn't work.  Unfortunately the names of the systemd services and where
> they look for configuration files and data differ from distro to
> distro, so I had to have at least some of the stuff configurable... but I
> tried to keep the number of variables to a minimum.
> 
> > 
> > > index 5a477847..5c6a59c3 100644
> > > --- a/scripts/bringup.Makefile
> > > +++ b/scripts/bringup.Makefile
> > > @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW))
> > >  KDEVOPS_BRING_UP_DEPS += siw
> > >  endif # KDEVOPS_SETUP_SIW
> > >  
> > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > > +KDEVOPS_BRING_UP_DEPS += kdc
> > > +endif # KDEVOPS_SETUP_KRB5
> > 
> > See same ordering thing here. Granted, I am not sure if this is
> > a dep which needs to be set up early, so you should decide, but as
> > our deps grow I thought it would be good to split them by regular
> > services Vs optional later things.
> > 
> >   Luis
> > 



* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-08 19:33     ` Scott Mayhew
  2024-03-08 21:08       ` Scott Mayhew
@ 2024-03-08 21:18       ` Luis Chamberlain
  2024-03-08 22:13         ` Scott Mayhew
  1 sibling, 1 reply; 15+ messages in thread
From: Luis Chamberlain @ 2024-03-08 21:18 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: kdevops

On Fri, Mar 08, 2024 at 02:33:24PM -0500, Scott Mayhew wrote:
> On Fri, 08 Mar 2024, Luis Chamberlain wrote:
> 
> > My review comments are not requirements, they are how to enhance this
> > so we can scale better and long term goals to keep in mind. Whether or
> > not you do the work is up to you.
> > 
> > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote:
> > > diff --git a/Makefile b/Makefile
> > > index 9ca3a5f3..df4aad7b 100644
> > > --- a/Makefile
> > > +++ b/Makefile
> > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
> > >  include scripts/nfsd.Makefile
> > >  endif # CONFIG_KDEVOPS_SETUP_NFSD
> > >  
> > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > > +include scripts/kdc.Makefile
> > > +include scripts/krb5.Makefile
> > > +endif # CONFIG_KDEVOPS_SETUP_KRB5
> > 
> > This sort of clutter can be compartmentalized now, see right above:
> > 
> > include scripts/provision.Makefile                                               
> > include scripts/systemd-timesync.Makefile                                        
> > include scripts/journal-server.Makefile                                          
> >                                                                                  
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)                          
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) 
> > 
> > This lets us now split work which needs to be set up early
> > and this can vary depending on if the dep is a localhost (hypervisor or
> > command and control) setting or a target node (guest or target node on
> > cloud) setting.
> > 
> > So for example systemd-timesync has both parts:
> > 
> > LOCALHOST_SETUP_WORK += timesyncd-server
> > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
> > 
> > Then the clutter is kept on the target makefile. This lets us also keep
> > ordering by the Makefile include order. So we should be able to move
> > siw ktls nfs setup to this methodology too. That will let us scale this
> > and keep our top level Makefile neat and makes order explicit and clear.
> > 
> > It seems in this case it's all being set up on the target node so only
> > KDEVOPS_BRING_UP_DEPS_EARLY is needed.
> 
> Just so I'm clear on what you're suggesting...
> 
> 1. move the ifeq...endif directives inside the target makefiles

Yeap

> 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
>    target makefiles

Yes in that the order of the Makefile should suffice, then it's a matter
of just ordering the includes. Those other KDEVOPS_BRING_UP_DEPS += for
nfsd, ktls and siw could also move out from scripts/bringup.Makefile
to their own Makefile too.

> (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)

Sorry about the confusion, KDEVOPS_BRING_UP_DEPS_EARLY is for deps
which need to be run before the general devconfig playbook and
in retrospect I don't think this is needed for the things you are
adding.

> 3. move the includes up above this line:
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)

Yes but I think we need to make a change to make it work properly,
so I can try to do that later. But for now I think what we need is
to end up with something like this:

include scripts/provision.Makefile
include scripts/systemd-timesync.Makefile
include scripts/journal-server.Makefile

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)

include scripts/siw.Makefile
include scripts/ktls.Makefile
<I guess your new stuff here?>
include scripts/nfsd.Makefile

include workflows/Makefile                                                       

You would know best if the stuff you are adding goes before / after
siw, or ktls, nfsd, etc.

> Also, did you see my reply to Chuck about doing the krb5 client setup
> automatically?  In order to do that I need to have a "post" bringup
> step, so that bringup target would look like this:
> 
> bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)
> 
> Is that okay?  Note that the krb5 client setup has to run after update_etc_hosts,
> so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.

Ah, no, just use KDEVOPS_BRING_UP_LATE_DEPS on your Makefile we already
do this:

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_LATE_DEPS)

ifneq (,$(KDEVOPS_BRING_UP_DEPS))
include scripts/bringup.Makefile
endif

So moving the nfs/etc out and keeping the Makefiles in order will ensure
that is setup correctly, then in terms of having each Makefile have a few
things which need to go early or not, that's where these different
targets come into play.

Technically we could move the eyesore of having the top level Makefile
do:

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)

And instead doing something like this later:

# Redefine KDEVOPS_BRING_UP_DEPS now with proper ordering in mind
KDEVOPS_BRING_UP_DEPS := \
	$(KDEVOPS_BRING_UP_DEPS_EARLY) \
	$(KDEVOPS_PROVISIONED_DEVCONFIG) \
	$(KDEVOPS_BRING_UP_DEPS) \
	$(KDEVOPS_BRING_UP_LATE_DEPS)

ifneq (,$(KDEVOPS_BRING_UP_DEPS))
include scripts/bringup.Makefile
endif

But I wasn't sure if this Make-foo works.

> > We should add a kdc_enable which defaults to False and if true then we
> > include the clutter below.
> > 
> > In retrospect the same should be done for nfsd.
> > 
> > Ie, if no one enabled nfsd or kdc we should hide targets for these
> > options too and so the user has no make targets to use them and so no
> > reason to clutter existing hosts file for users who don't enable these
> > things.
> 
> I did notice that those stanzas were present even if those options weren't
> enabled.
> 
> Do I really need a separate kdc_enable or should I just use the
> krb5_enable variable that you suggested below?  

That's up to you, you know your requirements better.

> > > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
> > > new file mode 100644
> > > index 00000000..ed97d539
> > > --- /dev/null
> > > +++ b/playbooks/roles/kdc/vars/default.yml
> > > @@ -0,0 +1 @@
> > > +---
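Review bot: the new playbooks/roles/kdc/vars/default.yml consists of the YAML document marker `---` alone, so it defines no variables and documents nothing. Either populate it with the defaults the kdc role falls back to, each with a one-line comment, or add a comment in the file saying why it is intentionally empty.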
> > 
> > This is empty, it should have all sensible defaults and .. it's a good
> > time to evaluate whether or not having things configurable is better,
> > but I understand that can be a second step. The other reason to have
> > things configurable is it lets you document things. But that's totally
> > optional.
> 
> I can add defaults, but they'll be the Red Hat defaults and might not
> work with other distros.  Originally I didn't have those configurable at
> all, and when I went and tested Debian and Suse I found that stuff
> didn't work.

Sorry for the trouble and thanks for doing this!

Using default for the first distro that added support makes sense.
Best effort for the others makes sense to me.

It's what we did with guestfs, we now are extending it slowly with
debian stuff.

> Unfortunately the names of the systemd services and where
> they look for configuration files and data differs from distro to
> distro, so I had to have at least some of the stuff configurable... but I
> tried to keep the number of variables to a minimum.

Sure, to ramp up it makes sense to minimize tunables, I figured I'd just
point out the possible value in that Kconfig also serves as a way to let
us document often obscure things, it serves as documentation for us
too. But sure, makes sense to avoid adding knobs if you don't need
them yet.

  Luis
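
The redefinition floated in the message above, written out for GNU make as an added sketch (not kdevops code). The targets ssh_config, late_step and krb5_client are hypothetical stand-ins, and the explicit `krb5_client: update_etc_hosts` edge is an assumption about how the ordering requirement could be pinned.

```make
# Constructed stand-in values; in kdevops each would be set by its own makefile.
KDEVOPS_BRING_UP_DEPS_EARLY   := ssh_config
KDEVOPS_PROVISIONED_DEVCONFIG := devconfig
KDEVOPS_BRING_UP_LATE_DEPS    := late_step

# Feature makefiles, included in any order, only append to the middle group.
KDEVOPS_BRING_UP_DEPS += nfsd
KDEVOPS_BRING_UP_DEPS += kdc

# ':=' expands its right-hand side once, at this point, so the old value of
# KDEVOPS_BRING_UP_DEPS may appear in its own redefinition. The same line
# written with '=' fails with "Recursive variable ... references itself".
KDEVOPS_BRING_UP_DEPS := \
	$(KDEVOPS_BRING_UP_DEPS_EARLY) \
	$(KDEVOPS_PROVISIONED_DEVCONFIG) \
	$(KDEVOPS_BRING_UP_DEPS) \
	$(KDEVOPS_BRING_UP_LATE_DEPS)

# Prerequisite lists are expanded when the rule is read, so this rule (or
# the include that carries it) must come after the redefinition above.
bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts krb5_client
	@echo "bringup done"

# List position only orders prerequisites in a serial build; under 'make -j'
# siblings may run concurrently. A real dependency edge holds either way:
# the krb5 client step needs the KDC's address from update_etc_hosts.
krb5_client: update_etc_hosts

ssh_config devconfig nfsd kdc late_step update_etc_hosts krb5_client:
	@echo "run $@"

.PHONY: bringup ssh_config devconfig nfsd kdc late_step update_etc_hosts krb5_client
```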


* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-08 21:08       ` Scott Mayhew
@ 2024-03-08 21:20         ` Luis Chamberlain
  0 siblings, 0 replies; 15+ messages in thread
From: Luis Chamberlain @ 2024-03-08 21:20 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: kdevops

On Fri, Mar 08, 2024 at 04:08:57PM -0500, Scott Mayhew wrote:
> On Fri, 08 Mar 2024, Scott Mayhew wrote:
> 
> > On Fri, 08 Mar 2024, Luis Chamberlain wrote:
> > 
> > > My review comments are not requirements, they are how to enhance this
> > > so we can scale better and long term goals to keep in mind. Whether or
> > > not you do the work is up to you.
> > > 
> > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote:
> > > > diff --git a/Makefile b/Makefile
> > > > index 9ca3a5f3..df4aad7b 100644
> > > > --- a/Makefile
> > > > +++ b/Makefile
> > > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
> > > >  include scripts/nfsd.Makefile
> > > >  endif # CONFIG_KDEVOPS_SETUP_NFSD
> > > >  
> > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > > > +include scripts/kdc.Makefile
> > > > +include scripts/krb5.Makefile
> > > > +endif # CONFIG_KDEVOPS_SETUP_KRB5
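Review bot: the two includes added after `endif # CONFIG_KDEVOPS_SETUP_NFSD` carry no comment on why they sit after scripts/nfsd.Makefile. If the kdc and krb5 targets rely on include order relative to nfsd, say so next to the `ifeq`, and consider moving the `ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))` guard into scripts/kdc.Makefile and scripts/krb5.Makefile so the top-level Makefile needs no per-feature conditional.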
> > > 
> > > This sort of clutter can be compartmentalized now, see right above:
> > > 
> > > include scripts/provision.Makefile
> > > include scripts/systemd-timesync.Makefile
> > > include scripts/journal-server.Makefile
> > >
> > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
> > > 
> > > This lets us now split work which needs to be set up early
> > > and this can vary depending on if the dep is a localhost (hypervisor or
> > > command and control) setting or a target node (guest or target node on
> > > cloud) setting.
> > > 
> > > So for example systemd-timesync has both parts:
> > > 
> > > LOCALHOST_SETUP_WORK += timesyncd-server
> > > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
> > > 
> > > Then the clutter is kept on the target makefile. This lets us also keep
> > > ordering by the Makefile include order. So we should be able to move
> > > siw ktls nfs setup to this methodology too. That will let us scale this
> > > and keep our top level Makefile neat and makes order explicit and clear.
> > > 
> > > It seems in this case it's all being set up on the target node so only
> > > KDEVOPS_BRING_UP_DEPS_EARLY is needed.
> > 
> > Just so I'm clear on what you're suggesting...
> > 
> > 1. move the ifeq...endif directives inside the target makefiles
> > 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
> >    target makefiles (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
> > 3. move the includes up above this line:
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> > 
> > Does that sound right?
> 
> I think I'm missing something, because doing the above puts those steps
> before the ssh configuration, and they fail.

Yeah sorry the includes need to go after journal-server.Makefile for now
given the need to have KDEVOPS_BRING_UP_DEPS_EARLY be the first
KDEVOPS_BRING_UP_DEPS for now. In the other email I noted how to
possibly solve that though but not sure if that Makefile hack works.

  Luis


* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-08 21:18       ` Luis Chamberlain
@ 2024-03-08 22:13         ` Scott Mayhew
  2024-03-08 22:47           ` Luis Chamberlain
  0 siblings, 1 reply; 15+ messages in thread
From: Scott Mayhew @ 2024-03-08 22:13 UTC (permalink / raw)
  To: Luis Chamberlain; +Cc: kdevops

On Fri, 08 Mar 2024, Luis Chamberlain wrote:

> On Fri, Mar 08, 2024 at 02:33:24PM -0500, Scott Mayhew wrote:
> > On Fri, 08 Mar 2024, Luis Chamberlain wrote:
> > 
> > > My review comments are not requirements, they are how to enhance this
> > > so we can scale better and long term goals to keep in mind. Whether or
> > > not you do the work is up to you.
> > > 
> > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote:
> > > > diff --git a/Makefile b/Makefile
> > > > index 9ca3a5f3..df4aad7b 100644
> > > > --- a/Makefile
> > > > +++ b/Makefile
> > > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD))
> > > >  include scripts/nfsd.Makefile
> > > >  endif # CONFIG_KDEVOPS_SETUP_NFSD
> > > >  
> > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5))
> > > > +include scripts/kdc.Makefile
> > > > +include scripts/krb5.Makefile
> > > > +endif # CONFIG_KDEVOPS_SETUP_KRB5
> > > 
> > > > This sort of clutter can be compartmentalized now, see right above:
> > > > 
> > > > include scripts/provision.Makefile
> > > > include scripts/systemd-timesync.Makefile
> > > > include scripts/journal-server.Makefile
> > > >
> > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
> > > > 
> > > > This lets us now split work which needs to be set up early
> > > > and this can vary depending on if the dep is a localhost (hypervisor or
> > > > command and control) setting or a target node (guest or target node on
> > > > cloud) setting.
> > > 
> > > So for example systemd-timesync has both parts:
> > > 
> > > LOCALHOST_SETUP_WORK += timesyncd-server
> > > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
> > > 
> > > > Then the clutter is kept on the target makefile. This lets us also keep
> > > > ordering by the Makefile include order. So we should be able to move
> > > > siw ktls nfs setup to this methodology too. That will let us scale this
> > > > and keep our top level Makefile neat and makes order explicit and clear.
> > > 
> > > It seems in this case it's all being set up on the target node so only
> > > KDEVOPS_BRING_UP_DEPS_EARLY is needed.
> > 
> > Just so I'm clear on what you're suggesting...
> > 
> > 1. move the ifeq...endif directives inside the target makefiles
> 
> Yeap
> 
> > 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
> >    target makefiles
> 
> Yes in that the order of the Makefile should suffice, then it's a matter
> of just ordering the includes. Those other KDEVOPS_BRING_UP_DEPS += for
> nfsd, ktls and siw could also move out from scripts/bringup.Makefile
> to their own Makefile too.
> 
> > (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
> 
> Sorry about the confusion KDEVOPS_BRING_UP_DEPS_EARLY is for deps
> which need to be run before the general devconfig playbook and
> in retrospect I don't think this is needed for the things you are
> adding.
> 
> > 3. move the includes up above this line:
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> 
> Yes but I think we need to make a change to make it work properly,
> so I can try do that later. But for now I think what we need is
> to end up with something like this:
> 
> include scripts/provision.Makefile
> include scripts/systemd-timesync.Makefile
> include scripts/journal-server.Makefile
> 
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
> 
> include scripts/siw.Makefile
> include scripts/ktls.Makefile
> <I guess your new stuff here?>
> include scripts/nfsd.Makefile
> 
> include workflows/Makefile
> 
> You would know best if the stuff you are adding goes before / after
> siw, or ktls, nfsd, etc.
> 
> > Also, did you see my reply to Chuck about doing the krb5 client setup
> > automatically?  In order to do that I need to have a "post" bringup
> > step, so that bringup target would look like this:
> > 
> > bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)
> > 
> > Is that okay?  Note that the krb5 client setup has to run after update_etc_hosts,
> > so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.
> 
> Ah, no, just use KDEVOPS_BRING_UP_LATE_DEPS on your Makefile we already
> do this:
> 
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_LATE_DEPS)
>
> ifneq (,$(KDEVOPS_BRING_UP_DEPS))
> include scripts/bringup.Makefile
> endif

Again, using KDEVOPS_BRING_UP_LATE_DEPS won't work for the krb5 setup
because everything in KDEVOPS_BRING_UP_LATE_DEPS still happens before
update_etc_hosts... so the clients & nfsd will all fail to contact the
KDC because they won't have the KDC's address yet.

Maybe update_etc_hosts needs to also be in its own makefile, and add it
to KDEVOPS_BRING_UP_LATE_DEPS.  Then I could add krb5 to
KDEVOPS_BRING_UP_LATE_DEPS... as long as it's *after* update_etc_hosts
it should work.

> 
> So moving the nfs/etc out and keeping the Makefiles in order will ensure
> that is setup correctly, then in terms of having each Makefile have a few
> things which need to go early or not, that's where these different
> targets come into play.
> 
> Technically we could move the eyesore of having the top level Makefile
> do:
> 
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
> 
> And instead doing something like this later:
> 
> # Redefine KDEVOPS_BRING_UP_DEPS now with proper ordering in mind
> KDEVOPS_BRING_UP_DEPS := \
> 	$(KDEVOPS_BRING_UP_DEPS_EARLY) \
> 	$(KDEVOPS_PROVISIONED_DEVCONFIG) \
> 	$(KDEVOPS_BRING_UP_DEPS) \
> 	$(KDEVOPS_BRING_UP_LATE_DEPS)
> 
> ifneq (,$(KDEVOPS_BRING_UP_DEPS))
> include scripts/bringup.Makefile
> endif
> 
> But I wasn't sure if this Make-foo works.
> 
> > > We should add a kdc_enable which defaults to False and if true then we
> > > include the clutter below.
> > > 
> > > In retrospect the same should be done for nfsd.
> > > 
> > > Ie, if no one enabled nfsd or kdc we should hide targets for these
> > > options too and so the user has no make targets to use them and so no
> > > reason to clutter existing hosts file for users who don't enable these
> > > things.
> > 
> > I did notice that those stanzas were present even if those options weren't
> > enabled.
> > 
> > Do I really need a separate kdc_enable or should I just use the
> > krb5_enable variable that you suggested below?  
> 
> That's up to you, you know your requirements better.
> 
> > > > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml
> > > > new file mode 100644
> > > > index 00000000..ed97d539
> > > > --- /dev/null
> > > > +++ b/playbooks/roles/kdc/vars/default.yml
> > > > @@ -0,0 +1 @@
> > > > +---
> > > 
> > > This is empty, it should have all sensible defaults and .. it's a good
> > > time to evaluate whether or not having things configurable is better,
> > > but I understand that can be a second step. The other reason to have
> > > things configurable is it lets you document things. But that's totally
> > > optional.
> > 
> > I can add defaults, but they'll be the Red Hat defaults and might not
> > work with other distros.  Originally I didn't have those configurable at
> > all, and when I went and tested Debian and Suse I found that stuff
> > didn't work.
> 
> Sorry for the trouble and thanks for doing this!
> 
> Using default for the first distro that added support makes sense.
> Best effort for the others makes sense to me.
> 
> It's what we did with guestfs, we now are extending it slowly with
> debian stuff.
> 
> > Unfortunately the names of the systemd services and where
> > they look for configuration files and data differs from distro to
> > distro, so I had to have at least some of the stuff configurable... but I
> > tried to keep the number of variables to a minimum.
> 
> Sure, to ramp up it makes sense to minimize tunables, I figured I'd just
> point out the possible value in that Kconfig also serves as a way to let
> us document often obscure things, it serves as documentation for us
> too. But sure, makes sense to avoid adding knobs if you don't need
> them yet.
> 
>   Luis
> 



* Re: [PATCH 5/5] fstests/nfs: add krb5 support
  2024-03-08 22:13         ` Scott Mayhew
@ 2024-03-08 22:47           ` Luis Chamberlain
  0 siblings, 0 replies; 15+ messages in thread
From: Luis Chamberlain @ 2024-03-08 22:47 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: kdevops

On Fri, Mar 8, 2024 at 2:13 PM Scott Mayhew <smayhew@redhat.com> wrote:
> Again, using KDEVOPS_BRING_UP_LATE_DEPS won't work for the krb5 setup
> because everything in KDEVOPS_BRING_UP_LATE_DEPS still happens before
> update_etc_hosts... so the clients & nfsd will all fail to contact the
> KDC because they won't have the KDC's address yet.

Ah, I see.

> Maybe update_etc_hosts needs to also be in its own makefile, and add it
> to KDEVOPS_BRING_UP_LATE_DEPS.  Then I could add krb5 to
> KDEVOPS_BRING_UP_LATE_DEPS... as long as it's *after* update_etc_hosts
> it should work.

Yes, or rather -- why not move update_etc_hosts early right after ssh
is set up, ie an early dep? Then it would run before devconfig and all
the other regular deps.

  Luis


end of thread, other threads:[~2024-03-08 22:47 UTC | newest]

Thread overview: 15+ messages
2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
2024-03-07 13:14 ` [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
2024-03-07 13:14 ` [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
2024-03-07 13:14 ` [PATCH 4/5] devconfig: set /etc/hostname earlier Scott Mayhew
2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew
2024-03-08 16:57   ` Luis Chamberlain
2024-03-08 19:33     ` Scott Mayhew
2024-03-08 21:08       ` Scott Mayhew
2024-03-08 21:20         ` Luis Chamberlain
2024-03-08 21:18       ` Luis Chamberlain
2024-03-08 22:13         ` Scott Mayhew
2024-03-08 22:47           ` Luis Chamberlain
2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III
2024-03-08 15:50   ` Scott Mayhew
