* [PATCH 0/5] add initial support for testing nfs with krb5
@ 2024-03-07 13:14 Scott Mayhew
From: Scott Mayhew @ 2024-03-07 13:14 UTC
To: kdevops

These patches add support for running fstests on NFS with krb5. The
bulk of the work is in patch 5. There are a handful of new Kconfig
options (KDEVOPS_SETUP_KRB5, KRB5_REALM, KRB5_ADMIN_PW, and
FSTESTS_NFS_AUTH_FLAVOR) as well as a new Makefile target "krb5" which
should be run after "make bringup". A KDC is spun up automatically
during "make bringup". "make krb5" installs all the necessary
dependencies, generates keys, and updates the keytabs on the NFS client
and server VMs.

Right now you can only use krb5 with the fstests workflow, but it should
be straightforward to add it to the other NFS-related workflows.

I tested these patches using fedora-39, debian-12, and
opensuse-tumbleweed guestfs images.

-Scott

Scott Mayhew (5):
nfsd: make sure the appropriate fsprogs package is installed
update_etc_hosts: fix up hostnames on debian guestfs hosts
nfsd: use EXTRA_VAR_INPUTS for export options
devconfig: set /etc/hostname earlier
fstests/nfs: add krb5 support
Makefile | 5 +
kconfigs/Kconfig.bringup.goals | 12 ++
kconfigs/Kconfig.kdc | 11 ++
playbooks/kdc.yml | 4 +
playbooks/krb5.yml | 4 +
playbooks/roles/devconfig/tasks/main.yml | 21 ++--
.../fstests/tasks/install-deps/suse/main.yml | 10 ++
playbooks/roles/fstests/tasks/main.yml | 41 ++++++
.../roles/fstests/templates/nfs/nfsmount.conf | 2 +
.../roles/gen_hosts/templates/fstests.j2 | 17 +++
playbooks/roles/gen_nodes/tasks/main.yml | 19 +++
.../kdc/tasks/install-deps/debian/main.yml | 11 ++
.../roles/kdc/tasks/install-deps/main.yml | 12 ++
.../kdc/tasks/install-deps/redhat/main.yml | 16 +++
.../kdc/tasks/install-deps/suse/main.yml | 10 ++
playbooks/roles/kdc/tasks/main.yml | 119 ++++++++++++++++++
playbooks/roles/kdc/templates/kadm5.acl.j2 | 1 +
playbooks/roles/kdc/templates/kdc.conf.j2 | 15 +++
playbooks/roles/kdc/templates/krb5.conf.j2 | 29 +++++
playbooks/roles/kdc/vars/Debian.yml | 7 ++
playbooks/roles/kdc/vars/RedHat.yml | 7 ++
playbooks/roles/kdc/vars/Suse.yml | 7 ++
playbooks/roles/kdc/vars/default.yml | 1 +
playbooks/roles/kdc/vars/main.yml | 1 +
.../krb5/tasks/install-deps/debian/main.yml | 9 ++
.../roles/krb5/tasks/install-deps/main.yml | 12 ++
.../krb5/tasks/install-deps/redhat/main.yml | 15 +++
.../krb5/tasks/install-deps/suse/main.yml | 16 +++
playbooks/roles/krb5/tasks/main.yml | 70 +++++++++++
playbooks/roles/krb5/templates/krb5.conf.j2 | 31 +++++
.../nfsd/tasks/install-deps/debian/main.yml | 33 ++++-
.../nfsd/tasks/install-deps/redhat/main.yml | 31 +++--
.../nfsd/tasks/install-deps/suse/main.yml | 32 ++++-
playbooks/roles/nfsd/vars/Debian.yml | 11 ++
playbooks/roles/nfsd/vars/RedHat.yml | 12 ++
playbooks/roles/nfsd/vars/Suse.yml | 10 ++
.../roles/update_etc_hosts/tasks/main.yml | 12 ++
scripts/bringup.Makefile | 4 +
scripts/kdc.Makefile | 8 ++
scripts/krb5.Makefile | 10 ++
scripts/nfsd.Makefile | 8 +-
workflows/fstests/nfs/Kconfig | 29 +++++
workflows/fstests/nfs/Makefile | 4 +
43 files changed, 712 insertions(+), 27 deletions(-)
create mode 100644 kconfigs/Kconfig.kdc
create mode 100644 playbooks/kdc.yml
create mode 100644 playbooks/krb5.yml
create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf
create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml
create mode 100644 playbooks/roles/kdc/tasks/install-deps/main.yml
create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml
create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml
create mode 100644 playbooks/roles/kdc/tasks/main.yml
create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2
create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2
create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2
create mode 100644 playbooks/roles/kdc/vars/Debian.yml
create mode 100644 playbooks/roles/kdc/vars/RedHat.yml
create mode 100644 playbooks/roles/kdc/vars/Suse.yml
create mode 100644 playbooks/roles/kdc/vars/default.yml
create mode 100644 playbooks/roles/kdc/vars/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml
create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml
create mode 100644 playbooks/roles/krb5/tasks/main.yml
create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2
create mode 100644 playbooks/roles/nfsd/vars/Debian.yml
create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml
create mode 100644 playbooks/roles/nfsd/vars/Suse.yml
create mode 100644 scripts/kdc.Makefile
create mode 100644 scripts/krb5.Makefile
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread* [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed 2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew @ 2024-03-07 13:14 ` Scott Mayhew 2024-03-07 13:14 ` [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew ` (4 subsequent siblings) 5 siblings, 0 replies; 15+ messages in thread From: Scott Mayhew @ 2024-03-07 13:14 UTC (permalink / raw) To: kdevops The virt-builder images don't have all of the fsprogs packages installed by default, so make sure to install whatever package is needed for the filesystem being exported. Signed-off-by: Scott Mayhew <smayhew@redhat.com> --- .../nfsd/tasks/install-deps/debian/main.yml | 28 ++++++++++++++--- .../nfsd/tasks/install-deps/redhat/main.yml | 31 ++++++++++++++----- .../nfsd/tasks/install-deps/suse/main.yml | 27 +++++++++++++--- playbooks/roles/nfsd/vars/Debian.yml | 11 +++++++ playbooks/roles/nfsd/vars/RedHat.yml | 12 +++++++ playbooks/roles/nfsd/vars/Suse.yml | 10 ++++++ 6 files changed, 102 insertions(+), 17 deletions(-) create mode 100644 playbooks/roles/nfsd/vars/Debian.yml create mode 100644 playbooks/roles/nfsd/vars/RedHat.yml create mode 100644 playbooks/roles/nfsd/vars/Suse.yml diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml index fd237e76..a48d40ef 100644 --- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml +++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml 
@@ -1,13 +1,31 @@ --- +- name: Get OS-specific variables + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" + vars: + params: + files: + - '{{ansible_distribution}}.yml' + - '{{ansible_os_family}}.yml' + - default.yml + paths: + - 'vars' + +- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}" + set_fact: + fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}" + +- name: Add {{ fsprogs }} to the nfsd packages list + set_fact: + nfsd_packages: "{{ nfsd_packages + [fsprogs] }}" + when: + - fsprogs is defined + - fsprogs + - name: Install nfsd dependencies become: yes become_method: sudo apt: - name: - - lvm2 - - nfs-common - - nfs-kernel-server - - policycoreutils + name: "{{ nfsd_packages }}" state: present update_cache: yes tags: [ 'pynfs', 'deps' ] diff --git a/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml b/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml index 15e06a66..d5d25c20 100644 --- a/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml +++ b/playbooks/roles/nfsd/tasks/install-deps/redhat/main.yml 
@@ -1,18 +1,33 @@ --- +- name: Get OS-specific variables + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" + vars: + params: + files: + - '{{ansible_distribution}}.yml' + - '{{ansible_os_family}}.yml' + - default.yml + paths: + - 'vars' + +- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}" + set_fact: + fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}" + +- name: Add {{ fsprogs }} to the nfsd packages list + set_fact: + nfsd_packages: "{{ nfsd_packages + [fsprogs] }}" + when: + - fsprogs is defined + - fsprogs + - name: Install nfsd dependencies become: yes become_method: sudo yum: update_cache: yes - name: "{{ packages }}" + name: "{{ nfsd_packages }}" retries: 3 delay: 5 register: result until: result.rc == 0 - vars: - packages: - - checkpolicy - - lvm2 - - nfs-utils - - policycoreutils - - python3-policycoreutils diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml index 8d84509a..49d931cd 100644 --- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml +++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml @@ -1,10 +1,29 @@ --- +- name: Get OS-specific variables + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" + vars: + params: + files: + - '{{ansible_distribution}}.yml' + - '{{ansible_os_family}}.yml' + - default.yml + paths: + - 'vars' + +- name: Determine which fsprogs package is needed for "{{ nfsd_export_fstype }}" + set_fact: + fsprogs: "{{ fstype_userspace_progs[nfsd_export_fstype] | default() }}" + +- name: Add {{ fsprogs }} to the nfsd packages list + set_fact: + nfsd_packages: "{{ nfsd_packages + [fsprogs] }}" + when: + - fsprogs is defined + - fsprogs + - name: Install nfsd dependencies become: yes become_method: sudo zypper: - name: - - lvm2 - - nfs-utils - - policycoreutils + name: "{{ nfsd_packages }}" state: present 
diff --git a/playbooks/roles/nfsd/vars/Debian.yml b/playbooks/roles/nfsd/vars/Debian.yml new file mode 100644 index 00000000..3bb9e810 --- /dev/null +++ b/playbooks/roles/nfsd/vars/Debian.yml @@ -0,0 +1,11 @@ +--- +nfsd_packages: + - lvm2 + - nfs-common + - nfs-kernel-server + - policycoreutils + +fstype_userspace_progs: + btrfs: btrfs-progs + ext4: e2fsprogs + xfs: xfsprogs diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml new file mode 100644 index 00000000..590818ca --- /dev/null +++ b/playbooks/roles/nfsd/vars/RedHat.yml @@ -0,0 +1,12 @@ +--- +nfsd_packages: + - checkpolicy + - lvm2 + - nfs-utils + - policycoreutils + - python3-policycoreutils + +fstype_userspace_progs: + btrfs: btrfs-progs + ext4: e2fsprogs + xfs: xfsprogs diff --git a/playbooks/roles/nfsd/vars/Suse.yml b/playbooks/roles/nfsd/vars/Suse.yml new file mode 100644 index 00000000..73b06c83 --- /dev/null +++ b/playbooks/roles/nfsd/vars/Suse.yml @@ -0,0 +1,10 @@ +--- +nfsd_packages: + - lvm2 + - nfs-utils + - policycoreutils + +fstype_userspace_progs: + btrfs: btrfsprogs + ext4: e2fsprogs + xfs: xfsprogs -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
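Review bot: The three tasks that load the OS-specific vars, look up fsprogs and append it to nfsd_packages are added verbatim to the debian, redhat and suse install-deps files; consider running them once from the role's common task file before the distro-specific include, so a later change to the lookup cannot drift between distros. In the append task, "fsprogs is defined" is always true because the preceding set_fact ends in "| default()", so the bare "fsprogs" condition is the only one doing work. The templated task name "Add {{ fsprogs }} to the nfsd packages list" also renders with an empty package name when the export filesystem has no entry in fstype_userspace_progs.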
* [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts 2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew 2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew @ 2024-03-07 13:14 ` Scott Mayhew 2024-03-07 13:14 ` [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew ` (3 subsequent siblings) 5 siblings, 0 replies; 15+ messages in thread From: Scott Mayhew @ 2024-03-07 13:14 UTC (permalink / raw) To: kdevops Since we're not currently using DNS domains in our hostnames, debian guestfs hosts wind up with an entry like this in /etc/hosts: 127.0.1.1 unassigned-hostname.unassigned-domain foo which causes the ansible_fqdn variable to report "unassigned-hostname.unassigned-domain". Get rid of the "unassigned-hostname.unassigned-domain" part, so that ansible_fqdn reports the short hostname "foo" instead. Signed-off-by: Scott Mayhew <smayhew@redhat.com> --- playbooks/roles/update_etc_hosts/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/playbooks/roles/update_etc_hosts/tasks/main.yml b/playbooks/roles/update_etc_hosts/tasks/main.yml index dca61d9f..34a69f6d 100644 --- a/playbooks/roles/update_etc_hosts/tasks/main.yml +++ b/playbooks/roles/update_etc_hosts/tasks/main.yml @@ -65,3 +65,15 @@ with_items: "{{ ueh_hosts }}" when: - not terraform_private_net_enabled + +- name: Fix up hostname on Debian guestfs hosts + become: yes + become_method: sudo + lineinfile: + path: /etc/hosts + regexp: '^(127\.0\.1\.1)(\s+)unassigned-hostname\.unassigned-domain\s+({{ ansible_hostname }})$' + backrefs: yes + line: '\1\2\3' + when: + - ansible_os_family == 'Debian' + - kdevops_enable_guestfs -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
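Review bot: Nothing after the new lineinfile task in update_etc_hosts/tasks/main.yml re-gathers facts, so ansible_fqdn keeps the value collected before /etc/hosts was edited for the rest of the play; if later tasks in the same run rely on the short name, add a setup call after this task or notify a handler that does. The regexp also interpolates {{ ansible_hostname }} unescaped and anchors on "$", so a line with trailing whitespace or an extra alias is silently left alone; piping the hostname through regex_escape and loosening the tail of the pattern would make the match more robust.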
* [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options 2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew 2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew 2024-03-07 13:14 ` [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew @ 2024-03-07 13:14 ` Scott Mayhew 2024-03-07 13:14 ` [PATCH 4/5] devconfig: set /etc/hostname earlier Scott Mayhew ` (2 subsequent siblings) 5 siblings, 0 replies; 15+ messages in thread From: Scott Mayhew @ 2024-03-07 13:14 UTC (permalink / raw) To: kdevops The most_extra_vars target in Makefile.extra_vars replaces '=' with ':', which breaks any export options that use '='. So use EXTRA_VAR_INPUTS and quote the export options string instead. Signed-off-by: Scott Mayhew <smayhew@redhat.com> --- scripts/nfsd.Makefile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/nfsd.Makefile b/scripts/nfsd.Makefile index d3549a29..a337390c 100644 --- a/scripts/nfsd.Makefile +++ b/scripts/nfsd.Makefile @@ -2,10 +2,16 @@ NFSD_EXTRA_ARGS += nfsd_export_device_prefix='$(subst ",,$(CONFIG_NFSD_EXPORT_DE NFSD_EXTRA_ARGS += nfsd_export_device_count='$(subst ",,$(CONFIG_NFSD_EXPORT_DEVICE_COUNT))' NFSD_EXTRA_ARGS += nfsd_export_fstype='$(subst ",,$(CONFIG_NFSD_EXPORT_FSTYPE))' NFSD_EXTRA_ARGS += nfsd_export_path='$(subst ",,$(CONFIG_NFSD_EXPORT_PATH))' -NFSD_EXTRA_ARGS += nfsd_export_options='$(subst ",,$(CONFIG_NFSD_EXPORT_OPTIONS))' NFSD_EXTRA_ARGS += nfsd_threads=$(CONFIG_NFSD_THREADS) NFSD_EXTRA_ARGS += nfsd_lease_time=$(CONFIG_NFSD_LEASE_TIME) +EXTRA_VAR_INPUTS += extend-extra-args-nfsd + +extend-extra-args-nfsd: + $(Q)echo "nfsd_export_options: '$(CONFIG_NFSD_EXPORT_OPTIONS)'" >> $(KDEVOPS_EXTRA_VARS) ;\ + +PHONY += extend-extra-args-nfsd + ANSIBLE_EXTRA_ARGS += $(NFSD_EXTRA_ARGS) nfsd: -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
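Review bot: The new extend-extra-args-nfsd recipe in scripts/nfsd.Makefile expands $(CONFIG_NFSD_EXPORT_OPTIONS) without the $(subst ",,...) that the removed NFSD_EXTRA_ARGS line applied, so any double quotes in the value close and reopen the double-quoted echo argument and the options reach the shell unquoted. An option string containing a shell metacharacter such as a parenthesis would then fail in the shell, and one containing a single quote would produce invalid YAML in $(KDEVOPS_EXTRA_VARS). Strip the quotes the way the neighbouring lines do before echoing. The trailing " ;\" continues the recipe onto the blank line that follows and can be dropped.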
* [PATCH 4/5] devconfig: set /etc/hostname earlier 2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew ` (2 preceding siblings ...) 2024-03-07 13:14 ` [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew @ 2024-03-07 13:14 ` Scott Mayhew 2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew 2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III 5 siblings, 0 replies; 15+ messages in thread From: Scott Mayhew @ 2024-03-07 13:14 UTC (permalink / raw) To: kdevops I noticed that opensuse-tumbleweed guestfs VMs were still showing up as 'localhost.localdomain', even though /etc/hostname had the correct hostnames. Update /etc/hostname before the distro-specific install tasks, so that the reboot that occurs causes the hostname change to actually take effect. Signed-off-by: Scott Mayhew <smayhew@redhat.com> --- playbooks/roles/devconfig/tasks/main.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/playbooks/roles/devconfig/tasks/main.yml b/playbooks/roles/devconfig/tasks/main.yml index 1f18e588..1e67f91e 100644 --- a/playbooks/roles/devconfig/tasks/main.yml +++ b/playbooks/roles/devconfig/tasks/main.yml @@ -17,6 +17,18 @@ setup: tags: always +# Update /etc/hostname first so the change gets picked up by the reboot +# that occurs during the distro-specific tasks + +- name: Ensure /etc/hostname is set + become: yes + become_flags: 'su - -c' + become_method: sudo + template: + src: hostname + dest: /etc/hostname + tags: hostname + # Distro specific - name: Install dependencies import_tasks: install-deps/main.yml 
@@ -28,15 +40,6 @@ # Distro agnostic stuff goes below -- name: Ensure /etc/hostname is set - become: yes - become_flags: 'su - -c' - become_method: sudo - template: - src: hostname - dest: /etc/hostname - tags: hostname - - name: Check if the developer has a git config delegate_to: localhost stat: -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
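Review bot: The moved "Ensure /etc/hostname is set" task in devconfig/tasks/main.yml still only writes the file and depends on a reboot inside install-deps/main.yml to apply it, as the new comment says; on a distro path that does not reboot, the running hostname stays stale. Consider setting the hostname explicitly, for example with ansible.builtin.hostname, so the result does not depend on task ordering.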
* [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew ` (3 preceding siblings ...) 2024-03-07 13:14 ` [PATCH 4/5] devconfig: set /etc/hostname earlier Scott Mayhew @ 2024-03-07 13:14 ` Scott Mayhew 2024-03-08 16:57 ` Luis Chamberlain 2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III 5 siblings, 1 reply; 15+ messages in thread From: Scott Mayhew @ 2024-03-07 13:14 UTC (permalink / raw) To: kdevops This adds the ability to run fstests on NFS with sec=krb5{,i,p}. To use it, you need to: * Specify a krb5 realm and admin password via: -> Bring up goals -> Set up KRB5 -> Configure the KRB5 KDC -> KRB5 Realm -> KRB5 admin password * Add the 'sec=' export option to nfsd via: -> Bring up goals -> Set up the kernel nfs server -> Configure the kernel NFS server -> The export options to use for the exported fs * Specify the auth flavor for the clients to use via: -> Target workflows -> Enable different target workflows -> Enable selection of test workflows -> Linux subsystem tests -> Configure and run fstests -> Configure how nfs should be tested -> Authentication flavor to use A KDC will be created during 'make bringup'. After 'make bringup', it is necessary to run the new command 'make krb5', which will install the necessary packages on the clients and nfsd, create nfs principals for the clients and nfsd on the KDC, and update the keytabs on the clients and nfsd. The auth flavor gets written to /etc/nfsmount.conf on the clients during 'make fstests'. 
Signed-off-by: Scott Mayhew <smayhew@redhat.com> --- Makefile | 5 + kconfigs/Kconfig.bringup.goals | 12 ++ kconfigs/Kconfig.kdc | 11 ++ playbooks/kdc.yml | 4 + playbooks/krb5.yml | 4 + .../fstests/tasks/install-deps/suse/main.yml | 10 ++ playbooks/roles/fstests/tasks/main.yml | 41 ++++++ .../roles/fstests/templates/nfs/nfsmount.conf | 2 + .../roles/gen_hosts/templates/fstests.j2 | 17 +++ playbooks/roles/gen_nodes/tasks/main.yml | 19 +++ .../kdc/tasks/install-deps/debian/main.yml | 11 ++ .../roles/kdc/tasks/install-deps/main.yml | 12 ++ .../kdc/tasks/install-deps/redhat/main.yml | 16 +++ .../kdc/tasks/install-deps/suse/main.yml | 10 ++ playbooks/roles/kdc/tasks/main.yml | 119 ++++++++++++++++++ playbooks/roles/kdc/templates/kadm5.acl.j2 | 1 + playbooks/roles/kdc/templates/kdc.conf.j2 | 15 +++ playbooks/roles/kdc/templates/krb5.conf.j2 | 29 +++++ playbooks/roles/kdc/vars/Debian.yml | 7 ++ playbooks/roles/kdc/vars/RedHat.yml | 7 ++ playbooks/roles/kdc/vars/Suse.yml | 7 ++ playbooks/roles/kdc/vars/default.yml | 1 + playbooks/roles/kdc/vars/main.yml | 1 + .../krb5/tasks/install-deps/debian/main.yml | 9 ++ .../roles/krb5/tasks/install-deps/main.yml | 12 ++ .../krb5/tasks/install-deps/redhat/main.yml | 15 +++ .../krb5/tasks/install-deps/suse/main.yml | 16 +++ playbooks/roles/krb5/tasks/main.yml | 70 +++++++++++ playbooks/roles/krb5/templates/krb5.conf.j2 | 31 +++++ .../nfsd/tasks/install-deps/debian/main.yml | 5 + .../nfsd/tasks/install-deps/suse/main.yml | 5 + scripts/bringup.Makefile | 4 + scripts/kdc.Makefile | 8 ++ scripts/krb5.Makefile | 10 ++ workflows/fstests/nfs/Kconfig | 29 +++++ workflows/fstests/nfs/Makefile | 4 + 36 files changed, 579 insertions(+) create mode 100644 kconfigs/Kconfig.kdc create mode 100644 playbooks/kdc.yml create mode 100644 playbooks/krb5.yml create mode 100644 playbooks/roles/fstests/templates/nfs/nfsmount.conf create mode 100644 playbooks/roles/kdc/tasks/install-deps/debian/main.yml create mode 100644 
playbooks/roles/kdc/tasks/install-deps/main.yml create mode 100644 playbooks/roles/kdc/tasks/install-deps/redhat/main.yml create mode 100644 playbooks/roles/kdc/tasks/install-deps/suse/main.yml create mode 100644 playbooks/roles/kdc/tasks/main.yml create mode 100644 playbooks/roles/kdc/templates/kadm5.acl.j2 create mode 100644 playbooks/roles/kdc/templates/kdc.conf.j2 create mode 100644 playbooks/roles/kdc/templates/krb5.conf.j2 create mode 100644 playbooks/roles/kdc/vars/Debian.yml create mode 100644 playbooks/roles/kdc/vars/RedHat.yml create mode 100644 playbooks/roles/kdc/vars/Suse.yml create mode 100644 playbooks/roles/kdc/vars/default.yml create mode 100644 playbooks/roles/kdc/vars/main.yml create mode 100644 playbooks/roles/krb5/tasks/install-deps/debian/main.yml create mode 100644 playbooks/roles/krb5/tasks/install-deps/main.yml create mode 100644 playbooks/roles/krb5/tasks/install-deps/redhat/main.yml create mode 100644 playbooks/roles/krb5/tasks/install-deps/suse/main.yml create mode 100644 playbooks/roles/krb5/tasks/main.yml create mode 100644 playbooks/roles/krb5/templates/krb5.conf.j2 create mode 100644 scripts/kdc.Makefile create mode 100644 scripts/krb5.Makefile diff --git a/Makefile b/Makefile index 9ca3a5f3..df4aad7b 100644 --- a/Makefile +++ b/Makefile @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) include scripts/nfsd.Makefile endif # CONFIG_KDEVOPS_SETUP_NFSD +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) +include scripts/kdc.Makefile +include scripts/krb5.Makefile +endif # CONFIG_KDEVOPS_SETUP_KRB5 + include scripts/devconfig.Makefile include scripts/ssh.Makefile diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals index 71948e9b..26ffac98 100644 --- a/kconfigs/Kconfig.bringup.goals +++ b/kconfigs/Kconfig.bringup.goals 
@@ -109,3 +109,15 @@ menu "Configure the kernel NFS server" source "kconfigs/Kconfig.nfsd" endmenu endif + +config KDEVOPS_SETUP_KRB5 + bool "Set up KRB5" + default n + help + Configure and bring up a MIT Kerberos V5 KDC. + +if KDEVOPS_SETUP_KRB5 +menu "Configure the KRB5 KDC" +source "kconfigs/Kconfig.kdc" +endmenu +endif diff --git a/kconfigs/Kconfig.kdc b/kconfigs/Kconfig.kdc new file mode 100644 index 00000000..c0483a37 --- /dev/null +++ b/kconfigs/Kconfig.kdc @@ -0,0 +1,11 @@ +config KRB5_REALM + string "KRB5 Realm" + default "" + help + Kerberos realm to create. + +config KRB5_ADMIN_PW + string "KRB5 admin password" + default "" + help + Password to use for the 'root/admin' principal. diff --git a/playbooks/kdc.yml b/playbooks/kdc.yml new file mode 100644 index 00000000..66709db8 --- /dev/null +++ b/playbooks/kdc.yml @@ -0,0 +1,4 @@ +--- +- hosts: all + roles: + - role: kdc diff --git a/playbooks/krb5.yml b/playbooks/krb5.yml new file mode 100644 index 00000000..52ca3ef5 --- /dev/null +++ b/playbooks/krb5.yml @@ -0,0 +1,4 @@ +--- +- hosts: all + roles: + - role: krb5 diff --git a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml index 067e5c55..951dfc66 100644 --- a/playbooks/roles/fstests/tasks/install-deps/suse/main.yml +++ b/playbooks/roles/fstests/tasks/install-deps/suse/main.yml @@ -237,3 +237,13 @@ when: - repos_present|bool - fstests_fstyp == "nfs" + +- name: Ensure nfs-client.target is enabled + become: yes + become_method: sudo + ansible.builtin.systemd: + name: nfs-client.target + enabled: true + state: started + when: + - fstests_fstyp == "nfs" diff --git a/playbooks/roles/fstests/tasks/main.yml b/playbooks/roles/fstests/tasks/main.yml index 3f210a53..b76536ec 100644 --- a/playbooks/roles/fstests/tasks/main.yml +++ b/playbooks/roles/fstests/tasks/main.yml 
@@ -668,6 +668,47 @@ when: - fstests_fstyp == "nfs" +- name: Check to see if /etc/nfsmount.conf exists + become: yes + become_flags: 'su - -c' + become_method: sudo + ansible.builtin.stat: + path: /etc/nfsmount.conf + register: nfsmount_conf + when: + - fstests_fstyp == "nfs" + - fstests_nfs_auth_flavor is defined + - fstests_nfs_auth_flavor + +- name: Create /etc/nfsmount.conf + become: yes + become_flags: 'su - -c' + become_method: sudo + ansible.builtin.template: + src: "{{ fstests_fstyp }}/nfsmount.conf" + dest: /etc/nfsmount.conf + owner: root + group: root + mode: 0644 + when: + - fstests_fstyp == "nfs" + - fstests_nfs_auth_flavor is defined + - fstests_nfs_auth_flavor + - not nfsmount_conf.stat.exists + +- name: Set auth flavor for NFS + become: yes + become_flags: 'su - -c' + become_method: sudo + ansible.builtin.lineinfile: + path: /etc/nfsmount.conf + regexp: '^# Sec=' + line: 'Sec={{ fstests_nfs_auth_flavor }}' + when: + - fstests_fstyp == "nfs" + - fstests_nfs_auth_flavor is defined + - fstests_nfs_auth_flavor + - name: Reboot system before our test so we know everything is sane tags: [ 'oscheck', 'fstests', 'run_tests', 'reboot' ] become: yes diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf new file mode 100644 index 00000000..73b6a8e4 --- /dev/null +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf @@ -0,0 +1,2 @@ +[ NFSMount_Global_Options ] +# Sec=sys diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2 index 74057952..b94e89da 100644 --- a/playbooks/roles/gen_hosts/templates/fstests.j2 +++ b/playbooks/roles/gen_hosts/templates/fstests.j2 
@@ -27,3 +27,20 @@ ansible_python_interpreter = "{{ kdevops_python_interpreter }}" {% endif %} [nfsd:vars] ansible_python_interpreter = "{{ kdevops_python_interpreter }}" +[kdc] +{% if krb5_realm is defined %} +{{ kdevops_hosts_prefix }}-kdc +{% endif %} +[kdc:vars] +ansible_python_interpreter = "{{ kdevops_python_interpreter }}" +[krb5] +{% if krb5_realm is defined %} +{% for s in fstests_enabled_test_types %} +{{ kdevops_host_prefix }}-{{ s }} +{% endfor %} +{% if nfsd_threads is defined %} +{{ kdevops_hosts_prefix }}-nfsd +{% endif %} +{% endif %} +[krb5:vars] +ansible_python_interpreter = "{{ kdevops_python_interpreter }}" diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml index 2f5c48b6..1181ef10 100644 --- a/playbooks/roles/gen_nodes/tasks/main.yml +++ b/playbooks/roles/gen_nodes/tasks/main.yml @@ -55,6 +55,18 @@ when: - nfsd_threads is defined +- name: Set kdc_nodes list + set_fact: + kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}" + when: + - krb5_realm is defined + +- name: Add a KRB5 KDC if one was selected + set_fact: + generic_nodes: "{{ generic_nodes + kdc_nodes }}" + when: + - krb5_realm is defined + - name: Set fstests config file variable for {{ fstests_fstyp }} set_fact: is_fstests: True @@ -217,6 +229,13 @@ - is_fstests|bool - nfsd_threads is defined +- name: Add the KRB5 KDC if one was selected + set_fact: + fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}" + when: + - is_fstests|bool + - krb5_realm is defined + - name: Generate the fstests kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template tags: [ 'hosts' ] vars: diff --git a/playbooks/roles/kdc/tasks/install-deps/debian/main.yml b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml new file mode 100644 index 00000000..bc2a6a78 --- /dev/null +++ b/playbooks/roles/kdc/tasks/install-deps/debian/main.yml 
@@ -0,0 +1,11 @@ +--- +- name: Install kdc dependencies + become: yes + become_method: sudo + apt: + name: + - krb5-admin-server + - krb5-kdc + - krb5-user + state: present + update_cache: yes diff --git a/playbooks/roles/kdc/tasks/install-deps/main.yml b/playbooks/roles/kdc/tasks/install-deps/main.yml new file mode 100644 index 00000000..a1bd1da5 --- /dev/null +++ b/playbooks/roles/kdc/tasks/install-deps/main.yml @@ -0,0 +1,12 @@ +--- +- name: Debian-specific set up + ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/debian/main.yml + when: ansible_os_family == 'Debian' + +- name: SuSE-specific set up + ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/suse/main.yml + when: ansible_os_family == 'Suse' + +- name: Red Hat-specific set up + ansible.builtin.include_tasks: roles/tasks/kdc/install-deps/redhat/main.yml + when: ansible_os_family == 'RedHat' diff --git a/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml new file mode 100644 index 00000000..c393920d --- /dev/null +++ b/playbooks/roles/kdc/tasks/install-deps/redhat/main.yml @@ -0,0 +1,16 @@ +--- +- name: Install kdc dependencies + become: yes + become_method: sudo + yum: + update_cache: yes + name: "{{ packages }}" + retries: 3 + delay: 5 + register: result + until: result.rc == 0 + vars: + packages: + - krb5-server + - krb5-libs + - krb5-workstation diff --git a/playbooks/roles/kdc/tasks/install-deps/suse/main.yml b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml new file mode 100644 index 00000000..d0fd019f --- /dev/null +++ b/playbooks/roles/kdc/tasks/install-deps/suse/main.yml @@ -0,0 +1,10 @@ +--- +- name: Install kdc dependencies + become: yes + become_method: sudo + zypper: + name: + - krb5 + - krb5-client + - krb5-server + state: present diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml new file mode 100644 index 00000000..b67f38d0 --- /dev/null 
+++ b/playbooks/roles/kdc/tasks/main.yml 
@@ -0,0 +1,119 @@ +--- +- name: Get OS-specific variables + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" + vars: + params: + files: + - '{{ansible_distribution}}.yml' + - '{{ansible_os_family}}.yml' + - default.yml + paths: + - 'vars' + +- name: Debian-specific setup + ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/debian/main.yml + when: ansible_os_family == 'Debian' + +- name: SuSE-specific setup + ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/suse/main.yml + when: ansible_os_family == 'Suse' + +- name: Red Hat-specific setup + ansible.builtin.include_tasks: roles/kdc/tasks/install-deps/redhat/main.yml + when: ansible_os_family == 'RedHat' + +- name: Configure /etc/krb5.conf + become: yes + become_method: sudo + template: + src: krb5.conf.j2 + dest: /etc/krb5.conf + owner: root + group: root + mode: 0644 + +- name: Ensure /etc/krb5.conf.d exists + become: yes + become_method: sudo + ansible.builtin.file: + path: /etc/krb5.conf.d + state: directory + owner: root + group: root + mode: 0755 + +- name: Configure {{ kdc_conf_dir }}/kdc.conf + become: yes + become_method: sudo + template: + src: kdc.conf.j2 + dest: "{{ kdc_conf_dir }}/kdc.conf" + owner: root + group: root + mode: 0600 + +- name: Configure {{ kdc_data_dir }}/kadm5.acl + become: yes + become_method: sudo + template: + src: kadm5.acl.j2 + dest: "{{ kdc_data_dir }}/kadm5.acl" + owner: root + group: root + mode: 0600 + +- name: Check to see if Kerberos database exists + become: yes + become_method: sudo + ansible.builtin.stat: + path: "{{ kdc_data_dir }}/principal" + register: kerberos_db + +- name: Create database + become: yes + become_method: sudo + ansible.builtin.shell: + cmd: kdb5_util -P {{ krb5_admin_pw }} create -s + when: not kerberos_db.stat.exists + +- name: Create admin principal + become: yes + become_method: sudo + ansible.builtin.shell: + cmd: kadmin.local -q "addprinc -pw {{ krb5_admin_pw }} root/admin" + +- name: Allow 
access to kerberos service in firewalld + become: yes + become_method: sudo + ansible.posix.firewalld: + service: kerberos + permanent: true + immediate: true + state: enabled + when: ansible_os_family == 'RedHat' + +- name: Allow access to kadmin service in firewalld + become: yes + become_method: sudo + ansible.posix.firewalld: + service: kadmin + permanent: true + immediate: true + state: enabled + when: ansible_os_family == 'RedHat' + +- name: Start and enable {{ krb5kdc_service_name }} systemd service + become: yes + become_method: sudo + ansible.builtin.systemd: + name: "{{ krb5kdc_service_name }}" + enabled: true + state: started + +- name: Start and enable {{ kadmin_service_name }} systemd service + become: yes + become_method: sudo + ansible.builtin.systemd: + name: "{{ kadmin_service_name }}" + enabled: true + state: started diff --git a/playbooks/roles/kdc/templates/kadm5.acl.j2 b/playbooks/roles/kdc/templates/kadm5.acl.j2 new file mode 100644 index 00000000..0a303e28 --- /dev/null +++ b/playbooks/roles/kdc/templates/kadm5.acl.j2 @@ -0,0 +1 @@ +*/admin@{{ krb5_realm }} * diff --git a/playbooks/roles/kdc/templates/kdc.conf.j2 b/playbooks/roles/kdc/templates/kdc.conf.j2 new file mode 100644 index 00000000..7de816dd --- /dev/null +++ b/playbooks/roles/kdc/templates/kdc.conf.j2 @@ -0,0 +1,15 @@ +[kdcdefaults] + kdc_ports = 88 + kdc_tcp_ports = 88 + spake_preauth_kdc_challenge = edwards25519 + +[realms] +{{ krb5_realm }} = { + database_name = {{ kdc_data_dir }}/principal + master_key_type = {{ kdc_master_key_type }} + acl_file = {{ kdc_data_dir }}/kadm5.acl + dict_file = /usr/share/dict/words + default_principal_flags = +preauth + admin_keytab = {{ kdc_data_dir }}/kadm5.keytab + supported_enctypes = {{ kdc_supported_enctypes }} +} diff --git a/playbooks/roles/kdc/templates/krb5.conf.j2 b/playbooks/roles/kdc/templates/krb5.conf.j2 new file mode 100644 index 00000000..e42ffb9b --- /dev/null +++ b/playbooks/roles/kdc/templates/krb5.conf.j2 
@@ -0,0 +1,29 @@ +includedir /etc/krb5.conf.d/ + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt + spake_preauth_groups = edwards25519 + dns_canonicalize_hostname = fallback + qualify_shortname = "" + default_realm = {{ krb5_realm }} + default_ccache_name = KEYRING:persistent:%{uid} + +[realms] +{{ krb5_realm }} = { + kdc = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:88 + admin_server = {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:749 +} + +[domain_realm] + .{{ krb5_realm | lower }} = {{ krb5_realm }} + {{ krb5_realm | lower }} = {{ krb5_realm }} diff --git a/playbooks/roles/kdc/vars/Debian.yml b/playbooks/roles/kdc/vars/Debian.yml new file mode 100644 index 00000000..b1cb8f13 --- /dev/null +++ b/playbooks/roles/kdc/vars/Debian.yml @@ -0,0 +1,7 @@ +--- +kdc_conf_dir: /etc/krb5kdc +kdc_data_dir: /var/lib/krb5kdc +kdc_master_key_type: aes256-cts +kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal +krb5kdc_service_name: krb5-kdc +kadmin_service_name: krb5-admin-server diff --git a/playbooks/roles/kdc/vars/RedHat.yml b/playbooks/roles/kdc/vars/RedHat.yml new file mode 100644 index 00000000..16de574d --- /dev/null +++ b/playbooks/roles/kdc/vars/RedHat.yml @@ -0,0 +1,7 @@ +--- +kdc_conf_dir: /var/kerberos/krb5kdc +kdc_data_dir: /var/kerberos/krb5kdc +kdc_master_key_type: aes256-cts-hmac-sha384-192 +kdc_supported_enctypes: aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal +krb5kdc_service_name: krb5kdc +kadmin_service_name: kadmin 
diff --git a/playbooks/roles/kdc/vars/Suse.yml b/playbooks/roles/kdc/vars/Suse.yml new file mode 100644 index 00000000..8900d6ad --- /dev/null +++ b/playbooks/roles/kdc/vars/Suse.yml @@ -0,0 +1,7 @@ +--- +kdc_conf_dir: /var/lib/kerberos/krb5kdc +kdc_data_dir: /var/lib/kerberos/krb5kdc +kdc_master_key_type: aes256-cts +kdc_supported_enctypes: aes256-cts:normal aes128-cts:normal +krb5kdc_service_name: krb5kdc +kadmin_service_name: kadmind diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml new file mode 100644 index 00000000..ed97d539 --- /dev/null +++ b/playbooks/roles/kdc/vars/default.yml @@ -0,0 +1 @@ +--- diff --git a/playbooks/roles/kdc/vars/main.yml b/playbooks/roles/kdc/vars/main.yml new file mode 100644 index 00000000..ed97d539 --- /dev/null +++ b/playbooks/roles/kdc/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/playbooks/roles/krb5/tasks/install-deps/debian/main.yml b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml new file mode 100644 index 00000000..25bdff7c --- /dev/null +++ b/playbooks/roles/krb5/tasks/install-deps/debian/main.yml @@ -0,0 +1,9 @@ +--- +- name: Install krb5 dependencies + become: yes + become_method: sudo + apt: + name: + - krb5-user + state: present + update_cache: yes diff --git a/playbooks/roles/krb5/tasks/install-deps/main.yml b/playbooks/roles/krb5/tasks/install-deps/main.yml new file mode 100644 index 00000000..ab31e2d4 --- /dev/null +++ b/playbooks/roles/krb5/tasks/install-deps/main.yml @@ -0,0 +1,12 @@ +--- +- name: Debian-specific set up + ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/debian/main.yml + when: ansible_os_family == 'Debian' + +- name: SuSE-specific set up + ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/suse/main.yml + when: ansible_os_family == 'Suse' + +- name: Red Hat-specific set up + ansible.builtin.include_tasks: roles/tasks/krb5/install-deps/redhat/main.yml + when: ansible_os_family == 'RedHat' 
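Review bot: The three include_tasks paths in playbooks/roles/krb5/tasks/install-deps/main.yml have "tasks" and "krb5" swapped: they read roles/tasks/krb5/install-deps/<distro>/main.yml, while this patch creates the files under playbooks/roles/krb5/tasks/install-deps/<distro>/main.yml. The role's tasks/main.yml, added later in this patch, includes the per-distro files directly by roles/krb5/tasks/install-deps/..., so this dispatcher is both mis-pathed and apparently unused. Either correct the three paths and include this file from tasks/main.yml, or drop it.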
diff --git a/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml new file mode 100644 index 00000000..511f221f --- /dev/null +++ b/playbooks/roles/krb5/tasks/install-deps/redhat/main.yml @@ -0,0 +1,15 @@ +--- +- name: Install krb5 dependencies + become: yes + become_method: sudo + yum: + update_cache: yes + name: "{{ packages }}" + retries: 3 + delay: 5 + register: result + until: result.rc == 0 + vars: + packages: + - krb5-libs + - krb5-workstation diff --git a/playbooks/roles/krb5/tasks/install-deps/suse/main.yml b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml new file mode 100644 index 00000000..b01ac532 --- /dev/null +++ b/playbooks/roles/krb5/tasks/install-deps/suse/main.yml @@ -0,0 +1,16 @@ +--- +- name: Install krb5 dependencies + become: yes + become_method: sudo + zypper: + name: + - krb5 + - krb5-client + - kernel-default + state: present + force_resolution: true + +- name: Reboot system to make the new kernel and modules take effect + become: yes + become_method: sudo + ansible.builtin.reboot: diff --git a/playbooks/roles/krb5/tasks/main.yml b/playbooks/roles/krb5/tasks/main.yml new file mode 100644 index 00000000..e3731f29 --- /dev/null +++ b/playbooks/roles/krb5/tasks/main.yml 
@@ -0,0 +1,70 @@ +--- +- name: Debian-specific setup + ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/debian/main.yml + when: ansible_os_family == 'Debian' + +- name: SuSE-specific setup + ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/suse/main.yml + when: ansible_os_family == 'Suse' + +- name: Red Hat-specific setup + ansible.builtin.include_tasks: roles/krb5/tasks/install-deps/redhat/main.yml + when: ansible_os_family == 'RedHat' + +- name: Configure /etc/krb5.conf + become: yes + become_method: sudo + template: + src: krb5.conf.j2 + dest: /etc/krb5.conf + owner: root + group: root + mode: 0644 + +- name: Ensure /etc/krb5.conf.d exists + become: yes + become_method: sudo + ansible.builtin.file: + path: /etc/krb5.conf.d + state: directory + owner: root + group: root + mode: 0755 + +- name: Check to see if nfs principal exists + become: yes + become_method: sudo + ansible.builtin.shell: + cmd: kadmin -w {{ krb5_admin_pw }} -q "listprincs" | grep -q "nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}" + register: host_princ_grep + ignore_errors: yes + +- name: Add nfs principal + become: yes + become_method: sudo + ansible.builtin.shell: + cmd: kadmin -w {{ krb5_admin_pw }} -q "addprinc -randkey nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}" + when: host_princ_grep.rc != 0 + +- name: Check to see if nfs principal is in /etc/krb5.keytab + become: yes + become_method: sudo + ansible.builtin.shell: + cmd: klist -kt | grep -q "nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}" + register: keytab_grep + ignore_errors: yes + +- name: Add nfs principal to keytab + become: yes + become_method: sudo + ansible.builtin.shell: + cmd: kadmin -w {{ krb5_admin_pw }} -q "ktadd -k /etc/krb5.keytab nfs/{{ hostvars[inventory_hostname].ansible_fqdn }}" + when: keytab_grep.rc != 0 + +- name: Restart rpc.gssd + become: yes + become_method: sudo + ansible.builtin.systemd: + name: rpc-gssd + state: restarted + ignore_errors: yes 
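Review bot: All three kadmin tasks in playbooks/roles/krb5/tasks/main.yml pass the admin password as an unquoted argument (kadmin -w {{ krb5_admin_pw }}) through ansible.builtin.shell, so it shows up in the process list on every client and in verbose Ansible output, and a password containing spaces or shell metacharacters breaks the command. Add no_log: true to those tasks and pass the value through the quote filter. Separately, the two "Check to see" tasks are read-only probes that rely on ignore_errors: yes; changed_when: false with failed_when: false would keep a missing principal from being reported as a failed and changed task, and ignore_errors on "Restart rpc.gssd" hides a restart that really failed.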
diff --git a/playbooks/roles/krb5/templates/krb5.conf.j2 b/playbooks/roles/krb5/templates/krb5.conf.j2 new file mode 100644 index 00000000..1ed37d5e --- /dev/null +++ b/playbooks/roles/krb5/templates/krb5.conf.j2 @@ -0,0 +1,31 @@ +includedir /etc/krb5.conf.d/ + +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt + spake_preauth_groups = edwards25519 + dns_canonicalize_hostname = fallback + qualify_shortname = "" + default_realm = {{ krb5_realm }} + default_ccache_name = KEYRING:persistent:%{uid} + +[realms] +{{ krb5_realm }} = { + kdc = {{ kdevops_hosts_prefix }}-kdc:88 + admin_server = {{ kdevops_hosts_prefix }}-kdc:749 + auth_to_local = RULE:[2:$1;$2](^nfs;.*$)s/^.*$/root/ + auth_to_local = DEFAULT +} + +[domain_realm] + .{{ krb5_realm | lower }} = {{ krb5_realm }} + {{ krb5_realm | lower }} = {{ krb5_realm }} diff --git a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml index a48d40ef..033c2edf 100644 --- a/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml +++ b/playbooks/roles/nfsd/tasks/install-deps/debian/main.yml @@ -21,6 +21,11 @@ - fsprogs is defined - fsprogs +- name: Add gssproxy to the nfsd packages list + set_fact: + nfsd_packages: "{{ nfsd_packages + ['gssproxy'] }}" + when: krb5_realm is defined + - name: Install nfsd dependencies become: yes become_method: sudo diff --git a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml index 49d931cd..535d6d9a 100644 --- a/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml +++ b/playbooks/roles/nfsd/tasks/install-deps/suse/main.yml 
@@ -21,6 +21,11 @@ - fsprogs is defined - fsprogs +- name: Add additional packages needed for krb5 to the nfsd packages list + set_fact: + nfsd_packages: "{{ nfsd_packages + ['gssproxy', 'libverto-libev1'] }}" + when: krb5_realm is defined + - name: Install nfsd dependencies become: yes become_method: sudo diff --git a/scripts/bringup.Makefile b/scripts/bringup.Makefile index 5a477847..5c6a59c3 100644 --- a/scripts/bringup.Makefile +++ b/scripts/bringup.Makefile @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW)) KDEVOPS_BRING_UP_DEPS += siw endif # KDEVOPS_SETUP_SIW +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) +KDEVOPS_BRING_UP_DEPS += kdc +endif # KDEVOPS_SETUP_KRB5 + update_etc_hosts: $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \ -f 30 -i hosts playbooks/update_etc_hosts.yml diff --git a/scripts/kdc.Makefile b/scripts/kdc.Makefile new file mode 100644 index 00000000..6e859193 --- /dev/null +++ b/scripts/kdc.Makefile @@ -0,0 +1,8 @@ +KDC_EXTRA_ARGS += krb5_realm='$(subst ",,$(CONFIG_KRB5_REALM))' +KDC_EXTRA_ARGS += krb5_admin_pw='$(subst ",,$(CONFIG_KRB5_ADMIN_PW))' + +ANSIBLE_EXTRA_ARGS += $(KDC_EXTRA_ARGS) + +kdc: + $(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \ + -f 30 -i hosts -l kdc playbooks/kdc.yml diff --git a/scripts/krb5.Makefile b/scripts/krb5.Makefile new file mode 100644 index 00000000..0240bedf --- /dev/null +++ b/scripts/krb5.Makefile @@ -0,0 +1,10 @@ +krb5: + $(Q)ansible-playbook $(ANSIBLE_VERBOSE) --extra-vars=@./extra_vars.yaml \ + -f 30 -i hosts -l krb5 playbooks/krb5.yml + +krb5-help-menu: + @echo "krb5 options:" + @echo "krb5 - Installs krb5 packages, generates principals, and updates keytabs" + @echo "" + +HELP_TARGETS += krb5-help-menu diff --git a/workflows/fstests/nfs/Kconfig b/workflows/fstests/nfs/Kconfig index 9de5ae04..86e930a6 100644 --- a/workflows/fstests/nfs/Kconfig +++ b/workflows/fstests/nfs/Kconfig 
@@ -98,3 +98,32 @@ config FSTESTS_NFS_SECTION_V3 default n endif # !FSTESTS_NFS_MANUAL_COVERAGE + +choice + prompt "Authentication flavor to use" + default FSTESTS_NFS_AUTH_KRB5 + depends on KDEVOPS_SETUP_KRB5 + help + This is the authentication flavor you want to test. The selected + option will get written to /etc/nfsmount.conf on the NFS clients. + +config FSTESTS_NFS_AUTH_SYS + bool "sys" + +config FSTESTS_NFS_AUTH_KRB5 + bool "krb5" + +config FSTESTS_NFS_AUTH_KRB5I + bool "krb5i" + +config FSTESTS_NFS_AUTH_KRB5P + bool "krb5p" + +endchoice + +config FSTESTS_NFS_AUTH_FLAVOR + string + default "sys" if FSTESTS_NFS_AUTH_SYS + default "krb5" if FSTESTS_NFS_AUTH_KRB5 + default "krb5i" if FSTESTS_NFS_AUTH_KRB5I + default "krb5p" if FSTESTS_NFS_AUTH_KRB5P diff --git a/workflows/fstests/nfs/Makefile b/workflows/fstests/nfs/Makefile index 686e27ae..ba4387e1 100644 --- a/workflows/fstests/nfs/Makefile +++ b/workflows/fstests/nfs/Makefile @@ -24,3 +24,7 @@ endif ifeq (y,$(CONFIG_FSTESTS_NFS_SECTION_V3)) FSTESTS_ARGS += fstests_nfs_section_v3=True endif + +ifdef CONFIG_FSTESTS_NFS_AUTH_FLAVOR +FSTESTS_ARGS += fstests_nfs_auth_flavor='$(subst ",,$(CONFIG_FSTESTS_NFS_AUTH_FLAVOR))' +endif -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
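Review bot: In playbooks/roles/kdc/tasks/main.yml the "Create admin principal" task has no guard, unlike "Create database" directly above it, which is skipped when {{ kdc_data_dir }}/principal already exists, so every rerun of the kdc playbook calls addprinc for root/admin again. Gate it on the same kerberos_db.stat.exists result or on a getprinc probe. Both tasks also place {{ krb5_admin_pw }} unquoted on a shell command line, and the same value is used as the database master password (kdb5_util -P) and as the root/admin password; no_log: true and the quote filter are worth adding here, and a short comment that the reuse is intentional for a test KDC would help.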
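Review bot: The reboot task at the end of playbooks/roles/krb5/tasks/install-deps/suse/main.yml is unconditional, so each run of the krb5 playbook reboots the SUSE nodes even when zypper installed nothing. Register the zypper result and reboot only when it reports a change. A comment explaining why kernel-default belongs in a krb5 dependency list would also save the next reader a search.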
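Review bot: playbooks/roles/krb5/templates/krb5.conf.j2 names the KDC as {{ kdevops_hosts_prefix }}-kdc, while the kdc_nodes fact in gen_nodes is built from kdevops_host_prefix + '-kdc' and the fstests.j2 inventory template in this same patch uses both spellings. Please confirm both variables are defined and always equal, or settle on one, since a mismatch leaves clients pointing at a KDC host name that does not exist. In the same file, the auth_to_local RULE maps every two-component nfs/* principal in the realm to local root; that is a reasonable choice for a test rig, but it deserves a one-line comment in the template saying so.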
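Review bot: In workflows/fstests/nfs/Kconfig only the choice depends on KDEVOPS_SETUP_KRB5; FSTESTS_NFS_AUTH_FLAVOR itself has no dependency and no unconditional default, so with krb5 disabled none of its four "default ... if" lines can match and the string has nothing to fall back on. Add a plain default "sys" as the last default, or make the symbol depend on KDEVOPS_SETUP_KRB5, and check that the ifdef CONFIG_FSTESTS_NFS_AUTH_FLAVOR test in workflows/fstests/nfs/Makefile behaves as intended in that configuration.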
* Re: [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew @ 2024-03-08 16:57 ` Luis Chamberlain 2024-03-08 19:33 ` Scott Mayhew 0 siblings, 1 reply; 15+ messages in thread From: Luis Chamberlain @ 2024-03-08 16:57 UTC (permalink / raw) To: Scott Mayhew; +Cc: kdevops My review comments are not requirements, they are how to enhance this so we can scale better and long term goals to keep in mind. Whether or not you do the work is up to you. On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote: > diff --git a/Makefile b/Makefile > index 9ca3a5f3..df4aad7b 100644 > --- a/Makefile > +++ b/Makefile 
> @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) > include scripts/nfsd.Makefile > endif # CONFIG_KDEVOPS_SETUP_NFSD > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > +include scripts/kdc.Makefile > +include scripts/krb5.Makefile > +endif # CONFIG_KDEVOPS_SETUP_KRB5

This sort of clutter can be compartmentalized now, see right above:

include scripts/provision.Makefile
include scripts/systemd-timesync.Makefile
include scripts/journal-server.Makefile

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)

This lets us now split work which needs to be set up early
and this can vary depending on if the dep is a localhost (hypervisor or
command and control) setting or a target node (guest or target node on
cloud) setting.

So for example systemd-timesync has both parts:

LOCALHOST_SETUP_WORK += timesyncd-server
KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client

Then the clutter is kept on the target makefile. This lets us also keep
ordering by the Makefile include order. So we should be able to move
siw ktls nfs setup to this methodology too. That will let us scale this
and keep our top level Makefile neat and makes order explicit and clear.

It seems in this case it's all being set up on the target node so only
KDEVOPS_BRING_UP_DEPS_EARLY is needed.

BTW you may benefit from CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD as it
sets up NTP on the host/nodes. But if you're going to enable that
you could just enable systemd-remote-journal too, which we now have
support for in guestfs.

> diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals > index 71948e9b..26ffac98 100644 > --- a/kconfigs/Kconfig.bringup.goals > +++ b/kconfigs/Kconfig.bringup.goals 
> @@ -109,3 +109,15 @@ menu "Configure the kernel NFS server" > source "kconfigs/Kconfig.nfsd" > endmenu > endif > + > +config KDEVOPS_SETUP_KRB5 > + bool "Set up KRB5" > + default n > + help > + Configure and bring up a MIT Kerberos V5 KDC. > + > +if KDEVOPS_SETUP_KRB5 > +menu "Configure the KRB5 KDC" > +source "kconfigs/Kconfig.kdc" > +endmenu > +endif

I think it's cleaner if we move the config and the if to the
kconfigs/Kconfig.kdc, the similar change could be done with
KDEVOPS_SETUP_NFSD so it's easier to add things the the top level
kconfigs/Kconfig.nfsd is kept clean.

> diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf > new file mode 100644 > index 00000000..73b6a8e4 > --- /dev/null > +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf > @@ -0,0 +1,2 @@ > +[ NFSMount_Global_Options ] > +# Sec=sys > diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2 > index 74057952..b94e89da 100644 > --- a/playbooks/roles/gen_hosts/templates/fstests.j2 > +++ b/playbooks/roles/gen_hosts/templates/fstests.j2 
> @@ -27,3 +27,20 @@ ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > {% endif %} > [nfsd:vars] > ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > +[kdc] > +{% if krb5_realm is defined %} > +{{ kdevops_hosts_prefix }}-kdc > +{% endif %} > +[kdc:vars] > +ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > +[krb5] > +{% if krb5_realm is defined %} > +{% for s in fstests_enabled_test_types %} > +{{ kdevops_host_prefix }}-{{ s }} > +{% endfor %} > +{% if nfsd_threads is defined %} > +{{ kdevops_hosts_prefix }}-nfsd > +{% endif %} > +{% endif %} > +[krb5:vars] > +ansible_python_interpreter = "{{ kdevops_python_interpreter }}"

We should add a kdc_enable which defaults to False and if true then we
include the clutter below.

In retrospect the same should be done for nfsd.

Ie, if no one enabled nfsd or kdc we should hide targets for these
options too and so the user has no make targets to use them and so no
reason to clutter existing hosts file for users who don't enable these
things.

> diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml > index 2f5c48b6..1181ef10 100644 > --- a/playbooks/roles/gen_nodes/tasks/main.yml > +++ b/playbooks/roles/gen_nodes/tasks/main.yml 
> @@ -55,6 +55,18 @@ > when: > - nfsd_threads is defined > > +- name: Set kdc_nodes list > + set_fact: > + kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}" > + when: > + - krb5_realm is defined

We should have a respective krb5_enable or something like that
which defaults to False and here we should use krb5_realm_enable|bool
instead.

The respective kconfig option would be

CONFIG_KRB5_REALM_ENABLE

The rationale would be that we later extend kconfig support so
each kconfig option can have below say an extra tag to indicate
"generate yaml", so our extra_vars.yaml file is automatically generated
for us by kconfig itself. That is, we'd tell kconfig which kconfig
symbols we want it to generate respective yaml entries for. So it'd
just lowercase the symbol name and remove config prefix. Then later
we can remove tons of Makefile changes which modify something to True.

> +- name: Add a KRB5 KDC if one was selected > + set_fact: > + generic_nodes: "{{ generic_nodes + kdc_nodes }}" > + when: > + - krb5_realm is defined

Same.

> + > - name: Set fstests config file variable for {{ fstests_fstyp }} > set_fact: > is_fstests: True > @@ -217,6 +229,13 @@ > - is_fstests|bool > - nfsd_threads is defined > > +- name: Add the KRB5 KDC if one was selected > + set_fact: > + fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}" > + when: > + - is_fstests|bool > + - krb5_realm is defined

Same.

> diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml > new file mode 100644 > index 00000000..b67f38d0 > --- /dev/null > +++ b/playbooks/roles/kdc/tasks/main.yml > @@ -0,0 +1,119 @@ > +--- > +- name: Get OS-specific variables > + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" > + vars: > + params: > + files: > + - '{{ansible_distribution}}.yml' > + - '{{ansible_os_family}}.yml' > + - default.yml > + paths: > + - 'vars'

Ah.. this is a good alternative to Kconfig defaults but ...
> diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml > new file mode 100644 > index 00000000..ed97d539 > --- /dev/null > +++ b/playbooks/roles/kdc/vars/default.yml > @@ -0,0 +1 @@ > +---

This is empty, it should have all sensible defaults and .. it's a good
time to evaluate whether or not having things configurable is better,
but I understand that can be a second step. The other reason to have
things configurable is it lets you document things. But that's totally
optional.

> index 5a477847..5c6a59c3 100644 > --- a/scripts/bringup.Makefile > +++ b/scripts/bringup.Makefile > @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW)) > KDEVOPS_BRING_UP_DEPS += siw > endif # KDEVOPS_SETUP_SIW > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > +KDEVOPS_BRING_UP_DEPS += kdc > +endif # KDEVOPS_SETUP_KRB5

See same ordering thing here. Granted, I am not sure if this is
a dep which needs to be set up early, so you should decide, but as
our deps grow I thought it would be good to split them by regular
services Vs optional later things.

Luis

^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-08 16:57 ` Luis Chamberlain @ 2024-03-08 19:33 ` Scott Mayhew 2024-03-08 21:08 ` Scott Mayhew 2024-03-08 21:18 ` Luis Chamberlain 0 siblings, 2 replies; 15+ messages in thread From: Scott Mayhew @ 2024-03-08 19:33 UTC (permalink / raw) To: Luis Chamberlain; +Cc: kdevops On Fri, 08 Mar 2024, Luis Chamberlain wrote: > My review comments are not requirements, they are how to enhance this > so we can scale better and long term goals to keep in mind. Whether or > not you do the work is up to you. > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote: > > diff --git a/Makefile b/Makefile > > index 9ca3a5f3..df4aad7b 100644 > > --- a/Makefile > > +++ b/Makefile 
> > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) > > include scripts/nfsd.Makefile > > endif # CONFIG_KDEVOPS_SETUP_NFSD > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > +include scripts/kdc.Makefile > > +include scripts/krb5.Makefile > > +endif # CONFIG_KDEVOPS_SETUP_KRB5
>
> This sort of clutter can be compartmentalized now, see right above:
>
> include scripts/provision.Makefile
> include scripts/systemd-timesync.Makefile
> include scripts/journal-server.Makefile
>
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
>
> This lets us now split work which needs to be set up early
> and this can vary depending on if the dep is a localhost (hypervisor or
> command and control) setting or a target node (guest or target node on
> cloud) setting.
>
> So for example systemd-timesync has both parts:
>
> LOCALHOST_SETUP_WORK += timesyncd-server
> KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
>
> Then the clutter is kept on the target makefile. This lets us also keep
> ordering by the Makefile include order. So we should be able to move
> siw ktls nfs setup to this methodology too. That will let us scale this
> and keep our top level Makefile neat and makes order explicit and clear.
>
> It seems in this case it's all being set up on the target node so only
> KDEVOPS_BRING_UP_DEPS_EARLY is needed.

Just so I'm clear on what you're suggesting...

1. move the ifeq...endif directives inside the target makefiles
2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
   target makefiles (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
3. move the includes up above this line:
   KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)

Does that sound right?

Also, did you see my reply to Chuck about doing the krb5 client setup automatically?
In order to do that I need to have a "post" bringup
step, so that bringup target would look like this:

bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)

Is that okay? Note that the krb5 client setup has to run after update_etc_hosts,
so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.

>
> BTW you may benefit from CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD as it
> sets up NTP on the host/nodes. But if you're going to enable that
> you could just enable systemd-remote-journal too, which we now have
> support for in guestfs.
>
> > diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals > > index 71948e9b..26ffac98 100644 > > --- a/kconfigs/Kconfig.bringup.goals > > +++ b/kconfigs/Kconfig.bringup.goals > > @@ -109,3 +109,15 @@ menu "Configure the kernel NFS server" > > source "kconfigs/Kconfig.nfsd" > > endmenu > > endif > > + > > +config KDEVOPS_SETUP_KRB5 > > + bool "Set up KRB5" > > + default n > > + help > > + Configure and bring up a MIT Kerberos V5 KDC. > > + > > +if KDEVOPS_SETUP_KRB5 > > +menu "Configure the KRB5 KDC" > > +source "kconfigs/Kconfig.kdc" > > +endmenu > > +endif
>
> I think it's cleaner if we move the config and the if to the
> kconfigs/Kconfig.kdc, the similar change could be done with
> KDEVOPS_SETUP_NFSD so it's easier to add things the the top level
> kconfigs/Kconfig.nfsd is kept clean.

Will do.

>
> > diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf > > new file mode 100644 > > index 00000000..73b6a8e4 > > --- /dev/null > > +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf > > @@ -0,0 +1,2 @@ > > +[ NFSMount_Global_Options ] > > +# Sec=sys > > diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2 > > index 74057952..b94e89da 100644 > > --- a/playbooks/roles/gen_hosts/templates/fstests.j2 > > +++ b/playbooks/roles/gen_hosts/templates/fstests.j2 
> > @@ -27,3 +27,20 @@ ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > {% endif %} > > [nfsd:vars] > > ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > +[kdc] > > +{% if krb5_realm is defined %} > > +{{ kdevops_hosts_prefix }}-kdc > > +{% endif %} > > +[kdc:vars] > > +ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > +[krb5] > > +{% if krb5_realm is defined %} > > +{% for s in fstests_enabled_test_types %} > > +{{ kdevops_host_prefix }}-{{ s }} > > +{% endfor %} > > +{% if nfsd_threads is defined %} > > +{{ kdevops_hosts_prefix }}-nfsd > > +{% endif %} > > +{% endif %} > > +[krb5:vars] > > +ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
>
> We should add a kdc_enable which defaults to False and if true then we
> include the clutter below.
>
> In retrospect the same should be done for nfsd.
>
> Ie, if no one enabled nfsd or kdc we should hide targets for these
> options too and so the user has no make targets to use them and so no
> reason to clutter existing hosts file for users who don't enable these
> things.

I did notice that those stanzas were present even if those options weren't
enabled.

Do I really need a separate kdc_enable or should I just use the
krb5_enable variable that you suggested below?

>
> > diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml > > index 2f5c48b6..1181ef10 100644 > > --- a/playbooks/roles/gen_nodes/tasks/main.yml > > +++ b/playbooks/roles/gen_nodes/tasks/main.yml 
> > @@ -55,6 +55,18 @@ > > when: > > - nfsd_threads is defined > > > > +- name: Set kdc_nodes list > > + set_fact: > > + kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}" > > + when: > > + - krb5_realm is defined
>
> We should have a respective krb5_enable or something like that
> which defaults to False and here we should use krb5_realm_enable|bool
> instead.
>
> The respective kconfig option would be
>
> CONFIG_KRB5_REALM_ENABLE
>
> The rationale would be that we later extend kconfig support so
> each kconfig option can have below say an extra tag to indicate
> "generate yaml", so our extra_vars.yaml file is automatically generated
> for us by kconfig itself. That is, we'd tell kconfig which kconfig
> symbols we want it to generate respective yaml entries for. So it'd
> just lowercase the symbol name and remove config prefix. Then later
> we can remove tons of Makefile changes which modify something to True.

Will do.

>
> > +- name: Add a KRB5 KDC if one was selected > > + set_fact: > > + generic_nodes: "{{ generic_nodes + kdc_nodes }}" > > + when: > > + - krb5_realm is defined
>
> Same.
>
> > + > > - name: Set fstests config file variable for {{ fstests_fstyp }} > > set_fact: > > is_fstests: True > > @@ -217,6 +229,13 @@ > > - is_fstests|bool > > - nfsd_threads is defined > > > > +- name: Add the KRB5 KDC if one was selected > > + set_fact: > > + fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}" > > + when: > > + - is_fstests|bool > > + - krb5_realm is defined
>
> Same.
>
> > diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml > > new file mode 100644 > > index 00000000..b67f38d0 > > --- /dev/null > > +++ b/playbooks/roles/kdc/tasks/main.yml 
> > @@ -0,0 +1,119 @@ > > +--- > > +- name: Get OS-specific variables > > + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" > > + vars: > > + params: > > + files: > > + - '{{ansible_distribution}}.yml' > > + - '{{ansible_os_family}}.yml' > > + - default.yml > > + paths: > > + - 'vars'
>
> Ah.. this is a good alternative to Kconfig defaults but ...
>
> > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml > > new file mode 100644 > > index 00000000..ed97d539 > > --- /dev/null > > +++ b/playbooks/roles/kdc/vars/default.yml > > @@ -0,0 +1 @@ > > +---
>
> This is empty, it should have all sensible defaults and .. it's a good
> time to evaluate whether or not having things configurable is better,
> but I understand that can be a second step. The other reason to have
> things configurable is it lets you document things. But that's totally
> optional.

I can add defaults, but they'll be the Red Hat defaults and might not
work with other distros. Originally I didn't have those configurable at
all, and when I went and tested Debian and Suse I found that stuff
didn't work. Unfortunately the names of the systemd services and where
they look for configuration files and data differs from distro to
distro, so I had to have at least some of the stuff configurable... but
I tried to keep the number of variables to a minimum.

>
> > index 5a477847..5c6a59c3 100644 > > --- a/scripts/bringup.Makefile > > +++ b/scripts/bringup.Makefile 
> > @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW)) > > KDEVOPS_BRING_UP_DEPS += siw > > endif # KDEVOPS_SETUP_SIW > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > +KDEVOPS_BRING_UP_DEPS += kdc > > +endif # KDEVOPS_SETUP_KRB5 > > See same ordering thing here. Granted, I am not sure if this is > a dep which needs to be set up early, so you should decide, but as > our deps grow I thought it would be good to split them by regular > services Vs optional later things. > > Luis > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-08 19:33 ` Scott Mayhew @ 2024-03-08 21:08 ` Scott Mayhew 2024-03-08 21:20 ` Luis Chamberlain 2024-03-08 21:18 ` Luis Chamberlain 1 sibling, 1 reply; 15+ messages in thread From: Scott Mayhew @ 2024-03-08 21:08 UTC (permalink / raw) To: Luis Chamberlain; +Cc: kdevops On Fri, 08 Mar 2024, Scott Mayhew wrote: > On Fri, 08 Mar 2024, Luis Chamberlain wrote: > > > My review comments are not requirements, they are how to enhance this > > so we can scale better and long term goals to keep in mind. Whether or > > not you do the work is up to you. > > > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote: > > > diff --git a/Makefile b/Makefile > > > index 9ca3a5f3..df4aad7b 100644 > > > --- a/Makefile > > > +++ b/Makefile 
> > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) > > > include scripts/nfsd.Makefile > > > endif # CONFIG_KDEVOPS_SETUP_NFSD > > > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > > +include scripts/kdc.Makefile > > > +include scripts/krb5.Makefile > > > +endif # CONFIG_KDEVOPS_SETUP_KRB5
> >
> > This sort of clutter can be compartmentalized now, see right above:
> >
> > include scripts/provision.Makefile
> > include scripts/systemd-timesync.Makefile
> > include scripts/journal-server.Makefile
> >
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
> >
> > This lets us now split work which needs to be set up early
> > and this can vary depending on if the dep is a localhost (hypervisor or
> > command and control) setting or a target node (guest or target node on
> > cloud) setting.
> >
> > So for example systemd-timesync has both parts:
> >
> > LOCALHOST_SETUP_WORK += timesyncd-server
> > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client
> >
> > Then the clutter is kept on the target makefile. This lets us also keep
> > ordering by the Makefile include order. So we should be able to move
> > siw ktls nfs setup to this methodology too. That will let us scale this
> > and keep our top level Makefile neat and makes order explicit and clear.
> >
> > It seems in this case it's all being set up on the target node so only
> > KDEVOPS_BRING_UP_DEPS_EARLY is needed.
>
> Just so I'm clear on what you're suggesting...
>
> 1. move the ifeq...endif directives inside the target makefiles
> 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the
>    target makefiles (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
> 3. move the includes up above this line:
>    KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
>
> Does that sound right?

I think I'm missing something, because doing the above puts those steps
before the ssh configuration, and they fail.
-Scott > > Also, did you see my reply to Chuck about doing the krb5 client setup > automatically? In order to do that I need to have a "post" bringup > step, so that bringup target would look like this: > > bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST) > > Is that okay? Note that the krb5 client setup has to run after update_etc_hosts, > so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this. > > > > > BTW you may benefit from CONFIG_DEVCONFIG_ENABLE_SYSTEMD_TIMESYNCD as it > > sets up NTP on the host/nodes. But if you're going to enable that > > you could just enable systemd-remote-journal too, which we now have > > support for in guestfs. > > > > > diff --git a/kconfigs/Kconfig.bringup.goals b/kconfigs/Kconfig.bringup.goals > > > index 71948e9b..26ffac98 100644 > > > --- a/kconfigs/Kconfig.bringup.goals > > > +++ b/kconfigs/Kconfig.bringup.goals > > > @@ -109,3 +109,15 @@ menu "Configure the kernel NFS server" > > > source "kconfigs/Kconfig.nfsd" > > > endmenu > > > endif > > > + > > > +config KDEVOPS_SETUP_KRB5 > > > + bool "Set up KRB5" > > > + default n > > > + help > > > + Configure and bring up a MIT Kerberos V5 KDC. > > > + > > > +if KDEVOPS_SETUP_KRB5 > > > +menu "Configure the KRB5 KDC" > > > +source "kconfigs/Kconfig.kdc" > > > +endmenu > > > +endif > > > > I think its cleaner if we move the config and the if to the > > kconfigs/Kconfig.kdc, the similar change could be done with > > KDEVOPS_SETUP_NFSD so its easier to add things the the top level > > kconfigs/Kconfig.nfsd is kept clean. > > Will do. > > > > > > diff --git a/playbooks/roles/fstests/templates/nfs/nfsmount.conf b/playbooks/roles/fstests/templates/nfs/nfsmount.conf > > > new file mode 100644 > > > index 00000000..73b6a8e4 > > > --- /dev/null > > > +++ b/playbooks/roles/fstests/templates/nfs/nfsmount.conf > > > @@ -0,0 +1,2 @@ > > > +[ NFSMount_Global_Options ] > > > +# Sec=sys 
> > > diff --git a/playbooks/roles/gen_hosts/templates/fstests.j2 b/playbooks/roles/gen_hosts/templates/fstests.j2 > > > index 74057952..b94e89da 100644 > > > --- a/playbooks/roles/gen_hosts/templates/fstests.j2 > > > +++ b/playbooks/roles/gen_hosts/templates/fstests.j2 > > > @@ -27,3 +27,20 @@ ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > > {% endif %} > > > [nfsd:vars] > > > ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > > +[kdc] > > > +{% if krb5_realm is defined %} > > > +{{ kdevops_hosts_prefix }}-kdc > > > +{% endif %} > > > +[kdc:vars] > > > +ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > > +[krb5] > > > +{% if krb5_realm is defined %} > > > +{% for s in fstests_enabled_test_types %} > > > +{{ kdevops_host_prefix }}-{{ s }} > > > +{% endfor %} > > > +{% if nfsd_threads is defined %} > > > +{{ kdevops_hosts_prefix }}-nfsd > > > +{% endif %} > > > +{% endif %} > > > +[krb5:vars] > > > +ansible_python_interpreter = "{{ kdevops_python_interpreter }}" > > > > We should add an kdc_enable which defaults to False and if true then we > > include the clutter below. > > > > In retrospect the same should be done for nfsd. > > > > Ie, if no one enabled nfsd or kdc we should hide targets for these > > options too and so the user has no make targets to use them and so no > > reason to clutter exisitng hosts file for user who don't enable these > > things. > > I did notice that those stanzas were present even if those options weren't > enabled. > > Do I really need a separate kdc_enable or should I just use the > krb5_enable variable that you suggested below? > > > > > > diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml > > > index 2f5c48b6..1181ef10 100644 > > > --- a/playbooks/roles/gen_nodes/tasks/main.yml > > > +++ b/playbooks/roles/gen_nodes/tasks/main.yml 
> > > @@ -55,6 +55,18 @@ > > > when: > > > - nfsd_threads is defined > > > > > > +- name: Set kdc_nodes list > > > + set_fact: > > > + kdc_nodes: "{{ [ kdevops_host_prefix + '-kdc' ] }}" > > > + when: > > > + - krb5_realm is defined > > > > We shoudl have a respective krb5_enable or something like that > > which defaults to False and here we shiould use krb5_realm_enable|bool > > instead. > > > > The respective kconfig option would be > > > > CONFIG_KRB5_REALM_ENABLE > > > > The rationale would be that we later extend kconfig support so > > each kconfig option can have below say an extra tag to indicate > > "generate yaml", so our extra_vars.yaml file is automatically generated > > for us by kconfig itself. That is, we'd tell kconfig which kconfig > > symbols we want it to generate respective yaml entries for. So it'd > > just lowercase the symbol name and remove config prefix. Then later > > we can remove tons of Makefile changes which modify something to True. > > Will do. > > > > > > +- name: Add a KRB5 KDC if one was selected > > > + set_fact: > > > + generic_nodes: "{{ generic_nodes + kdc_nodes }}" > > > + when: > > > + - krb5_realm is defined > > > > Same. > > > > > + > > > - name: Set fstests config file variable for {{ fstests_fstyp }} > > > set_fact: > > > is_fstests: True > > > @@ -217,6 +229,13 @@ > > > - is_fstests|bool > > > - nfsd_threads is defined > > > > > > +- name: Add the KRB5 KDC if one was selected > > > + set_fact: > > > + fstests_enabled_nodes: "{{ fstests_enabled_nodes + kdc_nodes }}" > > > + when: > > > + - is_fstests|bool > > > + - krb5_realm is defined > > > > Same. > > > > > diff --git a/playbooks/roles/kdc/tasks/main.yml b/playbooks/roles/kdc/tasks/main.yml > > > new file mode 100644 > > > index 00000000..b67f38d0 > > > --- /dev/null > > > +++ b/playbooks/roles/kdc/tasks/main.yml 
> > > @@ -0,0 +1,119 @@ > > > +--- > > > +- name: Get OS-specific variables > > > + ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}" > > > + vars: > > > + params: > > > + files: > > > + - '{{ansible_distribution}}.yml' > > > + - '{{ansible_os_family}}.yml' > > > + - default.yml > > > + paths: > > > + - 'vars' > > > > Ah.. this is a good alternative to Kconfig defaults but ... > > > > > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml > > > new file mode 100644 > > > index 00000000..ed97d539 > > > --- /dev/null > > > +++ b/playbooks/roles/kdc/vars/default.yml > > > @@ -0,0 +1 @@ > > > +--- > > > > This is empty, it should have all sensible defaults and .. it's a good > > time to evaluate whether or not having things configurable is better, > > but I undersand that can be a second step. The other reason to have > > things configurable is it lets you document things. But that's totally > > optional. > > I can add defaults, but they'll be the Red Hat defaults and might not > work with other distros. Originally I didn't have those configurable at > all, and when I went and tested Debian and Suse I found that stuff > didn't work. Unfortunately the names of the systemd services and where > they look for configuration files and data differs from distro to > distro, so I had to have a least some of the stuff configurable... but I > tried to keep the number of variables to a minimum. > > > > > > index 5a477847..5c6a59c3 100644 > > > --- a/scripts/bringup.Makefile > > > +++ b/scripts/bringup.Makefile 
> > > @@ -33,6 +33,10 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_SIW)) > > > KDEVOPS_BRING_UP_DEPS += siw > > > endif # KDEVOPS_SETUP_SIW > > > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > > +KDEVOPS_BRING_UP_DEPS += kdc > > > +endif # KDEVOPS_SETUP_KRB5 > > > > See same ordering thing here. Granted, I am not sure if this is > > a dep which needs to be set up early, so you should decide, but as > > our deps grow I thought it would be good to split them by regular > > services Vs optional later things. > > > > Luis > > ^ permalink raw reply [flat|nested] 15+ messages in thread
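Review bot: In the playbooks/roles/gen_hosts/templates/fstests.j2 hunk, the loop under [krb5] builds client names from `kdevops_host_prefix`, while the [kdc] entry and the nfsd entry in the same hunk use `kdevops_hosts_prefix` (and the gen_nodes hunk builds the KDC node name from `kdevops_host_prefix`). Unless both variables are always defined with the same value, the inventory names and the generated node names can diverge, so pick one variable and use it throughout. The `[kdc]`, `[kdc:vars]`, `[krb5]` and `[krb5:vars]` headers also sit outside the `{% if krb5_realm is defined %}` blocks, so they are written to the hosts file even when krb5 is not enabled; moving the headers inside the conditional leaves the inventory untouched for users who never turn it on.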
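Review bot: In the playbooks/roles/kdc/tasks/main.yml hunk, the `first_found` list ends with `default.yml`, and the series creates playbooks/roles/kdc/vars/default.yml containing only `---`, so on a distribution without its own vars file the role carries on with none of the per-distro variables set. Since the KDC is the trust anchor for the whole test setup, it is better to stop with a clear message there: either drop `default.yml` from the list so the lookup itself fails, or follow the include with a task that asserts the expected variables are defined and names the unsupported distribution.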
* Re: [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-08 21:08 ` Scott Mayhew @ 2024-03-08 21:20 ` Luis Chamberlain 0 siblings, 0 replies; 15+ messages in thread From: Luis Chamberlain @ 2024-03-08 21:20 UTC (permalink / raw) To: Scott Mayhew; +Cc: kdevops On Fri, Mar 08, 2024 at 04:08:57PM -0500, Scott Mayhew wrote: > On Fri, 08 Mar 2024, Scott Mayhew wrote: > > > On Fri, 08 Mar 2024, Luis Chamberlain wrote: > > > > > My review comments are not requirements, they are how to enhance this > > > so we can scale better and long term goals to keep in mind. Whether or > > > not you do the work is up to you. > > > > > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote: > > > > diff --git a/Makefile b/Makefile > > > > index 9ca3a5f3..df4aad7b 100644 > > > > --- a/Makefile > > > > +++ b/Makefile 
> > > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) > > > > include scripts/nfsd.Makefile > > > > endif # CONFIG_KDEVOPS_SETUP_NFSD > > > > > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > > > +include scripts/kdc.Makefile > > > > +include scripts/krb5.Makefile > > > > +endif # CONFIG_KDEVOPS_SETUP_KRB5 > > > > > > This sort of clutter can be compartamentalized now, see right above: > > > > > > include scripts/provision.Makefile > > > include scripts/systemd-timesync.Makefile > > > include scripts/journal-server.Makefile > > > > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY) > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) > > > > > > This let's us now split work which needs to be set up early > > > and this can vary depending on if the dep is a localhost (hypervisor or > > > command and control) setting or a target node (guest or taret node on > > > cloud) setting. > > > > > > So for example systemd-timesync has both parts: > > > > > > LOCALHOST_SETUP_WORK += timesyncd-server > > > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client > > > > > > Then the clutter is kept on the target makefile. This let's us also keep > > > ordering by the Makfile include order. So we should be able to move > > > siw ktls nfs setup to this methodology too. That will let us scale this > > > and keep our top level Makefile neat and makes orer explicit and clear. > > > > > > It seems in this case it's all being set up on the target node so only > > > KDEVOPS_BRING_UP_DEPS_EARLY is needed. > > > > Just so I'm clear on what you're suggesting... > > > > 1. move the ifeq...endif directives inside the target makefiles > > 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the > > target makefiles (and use KDEVOPS_BRING_UP_DEPS_EARLY instead) > > 3. move the includes up above this line: > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY) > > > > Does that sound right? 
>
> I think I'm missing something, because doing the above puts those steps
> before the ssh configuration, and they fail.

Yeah sorry the includes need to go after journal-server.Makefile for now
given the need to have KDEVOPS_BRING_UP_DEPS_EARLY be the first
KDEVOPS_BRING_UP_DEPS for now. In the other email I noted how to
possibly solve that though but not sure if that Makefile hack works.

Luis

^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-08 19:33 ` Scott Mayhew 2024-03-08 21:08 ` Scott Mayhew @ 2024-03-08 21:18 ` Luis Chamberlain 2024-03-08 22:13 ` Scott Mayhew 1 sibling, 1 reply; 15+ messages in thread From: Luis Chamberlain @ 2024-03-08 21:18 UTC (permalink / raw) To: Scott Mayhew; +Cc: kdevops On Fri, Mar 08, 2024 at 02:33:24PM -0500, Scott Mayhew wrote: > On Fri, 08 Mar 2024, Luis Chamberlain wrote: > > > My review comments are not requirements, they are how to enhance this > > so we can scale better and long term goals to keep in mind. Whether or > > not you do the work is up to you. > > > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote: > > > diff --git a/Makefile b/Makefile > > > index 9ca3a5f3..df4aad7b 100644 > > > --- a/Makefile > > > +++ b/Makefile 
> > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) > > > include scripts/nfsd.Makefile > > > endif # CONFIG_KDEVOPS_SETUP_NFSD > > > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > > +include scripts/kdc.Makefile > > > +include scripts/krb5.Makefile > > > +endif # CONFIG_KDEVOPS_SETUP_KRB5 > > > > This sort of clutter can be compartamentalized now, see right above: > > > > include scripts/provision.Makefile > > include scripts/systemd-timesync.Makefile > > include scripts/journal-server.Makefile > > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY) > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) > > > > This let's us now split work which needs to be set up early > > and this can vary depending on if the dep is a localhost (hypervisor or > > command and control) setting or a target node (guest or taret node on > > cloud) setting. > > > > So for example systemd-timesync has both parts: > > > > LOCALHOST_SETUP_WORK += timesyncd-server > > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client > > > > Then the clutter is kept on the target makefile. This let's us also keep > > ordering by the Makfile include order. So we should be able to move > > siw ktls nfs setup to this methodology too. That will let us scale this > > and keep our top level Makefile neat and makes orer explicit and clear. > > > > It seems in this case it's all being set up on the target node so only > > KDEVOPS_BRING_UP_DEPS_EARLY is needed. > > Just so I'm clear on what you're suggesting... > > 1. move the ifeq...endif directives inside the target makefiles Yeap > 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the > target makefiles Yes in that the order of the Makefile should suffice, then its a matter of just ordering the includes. Those other KDEVOPS_BRING_UP_DEPS += for nfsd, ktls and siw could also move out from scripts/bringup.Makefile to their own Makefile too. 
> (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)

Sorry about the confusion, KDEVOPS_BRING_UP_DEPS_EARLY is for deps
which need to be run before the general devconfig playbook and
in retrospect I don't think this is needed for the things you are
adding.

> 3. move the includes up above this line:
>    KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)

Yes but I think we need to make a change to make it work properly,
so I can try do that later. But for now I think what we need is
to end up with something like this:

include scripts/provision.Makefile
include scripts/systemd-timesync.Makefile
include scripts/journal-server.Makefile

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)

include scripts/siw.Makefile
include scripts/ktls.Makefile
<I guess your new stuff here?>
include scripts/nfsd.Makefile

include workflows/Makefile

You would know best if the stuff you are adding goes before / after
siw, or ktls, nfsd, etc.

> Also, did you see my reply to Chuck about doing the krb5 client setup
> automatically? In order to do that I need to have a "post" bringup
> step, so that bringup target would look like this:
>
> bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)
>
> Is that okay? Note that the krb5 client setup has to run after update_etc_hosts,
> so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.

Ah, no, just use KDEVOPS_BRING_UP_LATE_DEPS on your Makefile we already
do this:

KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_LATE_DEPS)

ifneq (,$(KDEVOPS_BRING_UP_DEPS))
include scripts/bringup.Makefile
endif

So moving the nfs/etc out and keeping the Makefiles in order will ensure
that is setup correctly, then in terms of having each Makefile have a few
things which need to go early or not, that's where these different
targets come into play.

Technically we could move the eyesor eof having the top level Makefile do: KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY) KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) And instead doing something like this later: # Redefine KDEVOPS_BRING_UP_DEPS now with proper ordering in mind KDEVOPS_BRING_UP_DEPS := \ $(KDEVOPS_BRING_UP_DEPS_EARLY) \ $(KDEVOPS_PROVISIONED_DEVCONFIG) \ $(KDEVOPS_BRING_UP_DEPS) \ $(KDEVOPS_BRING_UP_LATE_DEPS) ifneq (,$(KDEVOPS_BRING_UP_DEPS)) include scripts/bringup.Makefile endif But I wasn't sure if this Make-foo works. > > We should add an kdc_enable which defaults to False and if true then we > > include the clutter below. > > > > In retrospect the same should be done for nfsd. > > > > Ie, if no one enabled nfsd or kdc we should hide targets for these > > options too and so the user has no make targets to use them and so no > > reason to clutter exisitng hosts file for user who don't enable these > > things. > > I did notice that those stanzas were present even if those options weren't > enabled. > > Do I really need a separate kdc_enable or should I just use the > krb5_enable variable that you suggested below? That's up to you, you know your requirements better. > > > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml > > > new file mode 100644 > > > index 00000000..ed97d539 > > > --- /dev/null > > > +++ b/playbooks/roles/kdc/vars/default.yml 
> > > @@ -0,0 +1 @@ > > > +--- > > > > This is empty, it should have all sensible defaults and .. it's a good > > time to evaluate whether or not having things configurable is better, > > but I undersand that can be a second step. The other reason to have > > things configurable is it lets you document things. But that's totally > > optional. > > I can add defaults, but they'll be the Red Hat defaults and might not > work with other distros. Originally I didn't have those configurable at > all, and when I went and tested Debian and Suse I found that stuff > didn't work. Sorry for the trouble and thanks for doing this! Using default for the first distro that added support makes sense. Best effort for the others makes sense to me. It's what we did with guestfs, we now are extending it slowly with debian stuff. > Unfortunately the names of the systemd services and where > they look for configuration files and data differs from distro to > distro, so I had to have a least some of the stuff configurable... but I > tried to keep the number of variables to a minimum. Sure, to ramp up it makse sense to minimize tunables, I figured I'd just point out the possible value in that Kconfig also serves as a way to let us document often obscure things, it serves as documentation for us too. But sure, makes sense to avoid adding knobs if you don't need them yet. Luis ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 5/5] fstests/nfs: add krb5 support 2024-03-08 21:18 ` Luis Chamberlain @ 2024-03-08 22:13 ` Scott Mayhew 2024-03-08 22:47 ` Luis Chamberlain 0 siblings, 1 reply; 15+ messages in thread From: Scott Mayhew @ 2024-03-08 22:13 UTC (permalink / raw) To: Luis Chamberlain; +Cc: kdevops On Fri, 08 Mar 2024, Luis Chamberlain wrote: > On Fri, Mar 08, 2024 at 02:33:24PM -0500, Scott Mayhew wrote: > > On Fri, 08 Mar 2024, Luis Chamberlain wrote: > > > > > My review comments are not requirements, they are how to enhance this > > > so we can scale better and long term goals to keep in mind. Whether or > > > not you do the work is up to you. > > > > > > On Thu, Mar 07, 2024 at 08:14:14AM -0500, Scott Mayhew wrote: > > > > diff --git a/Makefile b/Makefile > > > > index 9ca3a5f3..df4aad7b 100644 > > > > --- a/Makefile > > > > +++ b/Makefile 
> > > > @@ -115,6 +115,11 @@ ifeq (y,$(CONFIG_KDEVOPS_SETUP_NFSD)) > > > > include scripts/nfsd.Makefile > > > > endif # CONFIG_KDEVOPS_SETUP_NFSD > > > > > > > > +ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) > > > > +include scripts/kdc.Makefile > > > > +include scripts/krb5.Makefile > > > > +endif # CONFIG_KDEVOPS_SETUP_KRB5 > > > > > > This sort of clutter can be compartamentalized now, see right above: > > > > > > include scripts/provision.Makefile > > > include scripts/systemd-timesync.Makefile > > > include scripts/journal-server.Makefile > > > > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY) > > > KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG) > > > > > > This let's us now split work which needs to be set up early > > > and this can vary depending on if the dep is a localhost (hypervisor or > > > command and control) setting or a target node (guest or taret node on > > > cloud) setting. > > > > > > So for example systemd-timesync has both parts: > > > > > > LOCALHOST_SETUP_WORK += timesyncd-server > > > KDEVOPS_BRING_UP_DEPS_EARLY += timesyncd-client > > > > > > Then the clutter is kept on the target makefile. This let's us also keep > > > ordering by the Makfile include order. So we should be able to move > > > siw ktls nfs setup to this methodology too. That will let us scale this > > > and keep our top level Makefile neat and makes orer explicit and clear. > > > > > > It seems in this case it's all being set up on the target node so only > > > KDEVOPS_BRING_UP_DEPS_EARLY is needed. > > > > Just so I'm clear on what you're suggesting... > > > > 1. move the ifeq...endif directives inside the target makefiles > > Yeap > > > 2. move the KDEVOPS_BRING_UP_DEPS stuff out of bringup.Makefile and into the > > target makefiles > > Yes in that the order of the Makefile should suffice, then its a matter > of just ordering the includes. 
Those other KDEVOPS_BRING_UP_DEPS += for
> nfsd, ktls and siw could also move out from scripts/bringup.Makefile
> to their own Makefile too.
>
> > (and use KDEVOPS_BRING_UP_DEPS_EARLY instead)
>
> Sorry about the confusion KDEVOPS_BRING_UP_DEPS_EARLY is for deps
> which need to be run before the general devconfig playbook and
> in retrospect I don't think this is needed for the things you are
> adding.
>
> > 3. move the includes up above this line:
> >    KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
>
> Yes but I think we need to make a change to make it work properly,
> so I can try do that later. But for now I think what we need is
> to end up with something like this:
>
> include scripts/provision.Makefile
> include scripts/systemd-timesync.Makefile
> include scripts/journal-server.Makefile
>
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
>
> include scripts/siw.Makefile
> include scripts/ktls.Makefile
> <I guess your new stuff here?>
> include scripts/nfsd.Makefile
>
> include workflows/Makefile
>
> You would know best if the stuff you are adding goes before / after
> siw, or ktls, nfsd, etc.
>
> > Also, did you see my reply to Chuck about doing the krb5 client setup
> > automatically? In order to do that I need to have a "post" bringup
> > step, so that bringup target would look like this:
> >
> > bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST)
> >
> > Is that okay? Note that the krb5 client setup has to run after update_etc_hosts,
> > so KDEVOPS_BRING_UP_LATE_DEPS wouldn't be appropriate for this.
>
> Ah, no, just use KDEVOPS_BRING_UP_LATE_DEPS on your Makefile we already
> do this:
>
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_LATE_DEPS)
>
> ifneq (,$(KDEVOPS_BRING_UP_DEPS))
> include scripts/bringup.Makefile
> endif

Again, using KDEVOPS_BRING_UP_LATE_DEPS won't work for the krb5 setup
because everything in KDEVOPS_BRING_UP_LATE_DEPS still happens before
update_etc_hosts... so the clients & nfsd will all fail to contact the
KDC because they won't have the KDC's address yet.

Maybe update_etc_hosts needs to also be in its own makefile, and add it
to KDEVOPS_BRING_UP_LATE_DEPS. Then I could add krb5 to
KDEVOPS_BRING_UP_LATE_DEPS... as long as it's *after* update_etc_hosts
it should work.

>
> So moving the nfs/etc out and keeping the Makefiles in order will ensure
> that is setup correctly, then in terms of having each Makefile have a few
> things which need to go early or not, that's where these different
> targets come into play.
>
> Technically we could move the eyesore of having the top level Makefile
> do:
>
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_BRING_UP_DEPS_EARLY)
> KDEVOPS_BRING_UP_DEPS += $(KDEVOPS_PROVISIONED_DEVCONFIG)
>
> And instead doing something like this later:
>
> # Redefine KDEVOPS_BRING_UP_DEPS now with proper ordering in mind
> KDEVOPS_BRING_UP_DEPS := \
>         $(KDEVOPS_BRING_UP_DEPS_EARLY) \
>         $(KDEVOPS_PROVISIONED_DEVCONFIG) \
>         $(KDEVOPS_BRING_UP_DEPS) \
>         $(KDEVOPS_BRING_UP_LATE_DEPS)
>
> ifneq (,$(KDEVOPS_BRING_UP_DEPS))
> include scripts/bringup.Makefile
> endif
>
> But I wasn't sure if this Make-foo works.
>
> > > We should add an kdc_enable which defaults to False and if true then we
> > > include the clutter below.
> > >
> > > In retrospect the same should be done for nfsd.
> > >
> > > Ie, if no one enabled nfsd or kdc we should hide targets for these
> > > options too and so the user has no make targets to use them and so no
> > > reason to clutter existing hosts file for user who don't enable these
> > > things.
> > > > I did notice that those stanzas were present even if those options weren't > > enabled. > > > > Do I really need a separate kdc_enable or should I just use the > > krb5_enable variable that you suggested below? > > That's up to you, you know your requirements better. > > > > > diff --git a/playbooks/roles/kdc/vars/default.yml b/playbooks/roles/kdc/vars/default.yml > > > > new file mode 100644 > > > > index 00000000..ed97d539 > > > > --- /dev/null > > > > +++ b/playbooks/roles/kdc/vars/default.yml 
> > > > @@ -0,0 +1 @@ > > > > +--- > > > > > > This is empty, it should have all sensible defaults and .. it's a good > > > time to evaluate whether or not having things configurable is better, > > > but I undersand that can be a second step. The other reason to have > > > things configurable is it lets you document things. But that's totally > > > optional. > > > > I can add defaults, but they'll be the Red Hat defaults and might not > > work with other distros. Originally I didn't have those configurable at > > all, and when I went and tested Debian and Suse I found that stuff > > didn't work. > > Sorry for the trouble and thanks for doing this! > > Using default for the first distro that added support makes sense. > Best effort for the others makes sense to me. > > It's what we did with guestfs, we now are extending it slowly with > debian stuff. > > > Unfortunately the names of the systemd services and where > > they look for configuration files and data differs from distro to > > distro, so I had to have a least some of the stuff configurable... but I > > tried to keep the number of variables to a minimum. > > Sure, to ramp up it makse sense to minimize tunables, I figured I'd just > point out the possible value in that Kconfig also serves as a way to let > us document often obscure things, it serves as documentation for us > too. But sure, makes sense to avoid adding knobs if you don't need > them yet. > > Luis > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 5/5] fstests/nfs: add krb5 support
2024-03-08 22:13 ` Scott Mayhew
@ 2024-03-08 22:47 ` Luis Chamberlain
0 siblings, 0 replies; 15+ messages in thread
From: Luis Chamberlain @ 2024-03-08 22:47 UTC (permalink / raw)
To: Scott Mayhew; +Cc: kdevops

On Fri, Mar 8, 2024 at 2:13 PM Scott Mayhew <smayhew@redhat.com> wrote:
> Again, using KDEVOPS_BRING_UP_LATE_DEPS won't work for the krb5 setup
> because everything in KDEVOPS_BRING_UP_LATE_DEPS still happens before
> update_etc_hosts... so the clients & nfsd will all fail to contact the
> KDC because they won't have the KDC's address yet.

Ah, I see.

> Maybe update_etc_hosts needs to also be in its own makefile, and add it
> to KDEVOPS_BRING_UP_LATE_DEPS. Then I could add krb5 to
> KDEVOPS_BRING_UP_LATE_DEPS... as long as it's *after* update_etc_hosts
> it should work.

Yes, or rather -- why not move update_etc_hosts early right after ssh is
set up, ie an early dep? Then it would run before devconfig and all the
other regular deps.

Luis

^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 0/5] add initial support for testing nfs with krb5
2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
` (4 preceding siblings ...)
2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew
@ 2024-03-08 15:01 ` Chuck Lever III
2024-03-08 15:50 ` Scott Mayhew
5 siblings, 1 reply; 15+ messages in thread
From: Chuck Lever III @ 2024-03-08 15:01 UTC (permalink / raw)
To: Scott Mayhew; +Cc: kdevops@lists.linux.dev

> On Mar 7, 2024, at 8:14 AM, Scott Mayhew <smayhew@redhat.com> wrote:
>
> These patches add support for running fstests on NFS with krb5. The
> bulk of the work is in patch 5. There are a handful of new Kconfig
> options (KDEVOPS_SETUP_KRB5, KRB5_REALM, KRB5_ADMIN_PW, and
> FSTESTS_NFS_AUTH_FLAVOR) as well as a new Makefile target "krb5" which
> should be run after "make bringup". A KDC is spun up automatically
> during "make bringup". "make krb5" installs all the necessary
> dependencies, generates keys, and updates the keytabs on the NFS client
> and server VMs.

Would it be easy to integrate KDC bringup with the
existing make targets? nfsd and tls, for instance,
do not have a separate make target.

> Right now you can only use krb5 with the fstests workflow, but it should
> be straightforward to add it to the other NFS-related workflows.
>
> I tested these patches using fedora-39, debian-12, and
> opensuse-tumbleweed guestfs images.
> -Scott

--
Chuck Lever
* Re: [PATCH 0/5] add initial support for testing nfs with krb5 2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III @ 2024-03-08 15:50 ` Scott Mayhew 0 siblings, 0 replies; 15+ messages in thread From: Scott Mayhew @ 2024-03-08 15:50 UTC (permalink / raw) To: Chuck Lever III; +Cc: kdevops@lists.linux.dev On Fri, 08 Mar 2024, Chuck Lever III wrote: > > > > On Mar 7, 2024, at 8:14 AM, Scott Mayhew <smayhew@redhat.com> wrote: > > > > These patches add support for running fstests on NFS with krb5. The > > bulk of the work is in patch 5. There are a handful of new Kconfig > > options (KDEVOPS_SETUP_KRB5, KRB5_REALM, KRB5_ADMIN_PW, and > > FSTESTS_NFS_AUTH_FLAVOR) as well as a new Makefile target "krb5" which > > should be run after "make bringup". A KDC is spun up automatically > > during "make bringup". "make krb5" installs all the necessary > > dependencies, generates keys, and updates the keytabs on the NFS client > > and server VMs. > > Would it be easy to integrate KDC bringup with the > existing make targets? nfsd and tls, for instance, > do not have a separate make target. I'm assuming you mean the krb5 target. The KDC bringup is already automatic. I modeled it after the nfsd and tls stuff actually, which do have separate make targets - they just don't show up on the help menu and you don't run them directly. The krb5 target needs to be run after the /etc/hosts files are updated so that the clients and nfsd are able to talk to the KDC... so something like this should work ---8<--- diff --git a/scripts/bringup.Makefile b/scripts/bringup.Makefile index 5c6a59c3..62a77d8e 100644 --- a/scripts/bringup.Makefile +++ b/scripts/bringup.Makefile 
@@ -35,13 +35,14 @@ endif # KDEVOPS_SETUP_SIW ifeq (y,$(CONFIG_KDEVOPS_SETUP_KRB5)) KDEVOPS_BRING_UP_DEPS += kdc +KDEVOPS_BRING_UP_POST += krb5 endif # KDEVOPS_SETUP_KRB5 update_etc_hosts: $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \ -f 30 -i hosts playbooks/update_etc_hosts.yml -bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts +bringup: $(KDEVOPS_BRING_UP_DEPS) update_etc_hosts $(KDEVOPS_BRING_UP_POST) destroy: $(KDEVOPS_DESTROY_DEPS) ---8<--- I'll test and if it works I'll just get rid of the help text from krb5.Makefile and we should be good to go. -Scott > > > > Right now you can only use krb5 with the fstests workflow, but it should > > be straightforward to add it to the other NFS-related workflows. > > > > I tested these patches using fedora-39, debian-12, and > > opensuse-tumbleweed guestfs images. > > > > -Scott > > > > Scott Mayhew (5): > > nfsd: make sure the appropriate fsprogs package is installed > > update_etc_hosts: fix up hostnames on debian guestfs hosts > > nfsd: use EXTRA_VAR_INPUTS for export options > > devconfig: set /etc/hostname earlier > > fstests/nfs: add krb5 support > > > > Makefile | 5 + > > kconfigs/Kconfig.bringup.goals | 12 ++ > > kconfigs/Kconfig.kdc | 11 ++ > > playbooks/kdc.yml | 4 + > > playbooks/krb5.yml | 4 + > > playbooks/roles/devconfig/tasks/main.yml | 21 ++-- > > .../fstests/tasks/install-deps/suse/main.yml | 10 ++ > > playbooks/roles/fstests/tasks/main.yml | 41 ++++++ > > .../roles/fstests/templates/nfs/nfsmount.conf | 2 + > > .../roles/gen_hosts/templates/fstests.j2 | 17 +++ > > playbooks/roles/gen_nodes/tasks/main.yml | 19 +++ > > .../kdc/tasks/install-deps/debian/main.yml | 11 ++ > > .../roles/kdc/tasks/install-deps/main.yml | 12 ++ > > .../kdc/tasks/install-deps/redhat/main.yml | 16 +++ > > .../kdc/tasks/install-deps/suse/main.yml | 10 ++ > > playbooks/roles/kdc/tasks/main.yml | 119 ++++++++++++++++++ > > playbooks/roles/kdc/templates/kadm5.acl.j2 | 1 + > > playbooks/roles/kdc/templates/kdc.conf.j2 | 15 +++ > > 
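Review bot: On the new `bringup:` line, krb5 runs after `update_etc_hosts` only because of left-to-right prerequisite order, which make follows in a serial run but does not guarantee under `make -j`. The message says the krb5 target needs to run after the /etc/hosts files are updated, so that ordering is better stated explicitly, for example with a `krb5: update_etc_hosts` dependency on the krb5 target, rather than implied by position in the prerequisite list. A one-line comment beside `KDEVOPS_BRING_UP_POST += krb5` saying what belongs in the POST list as opposed to `KDEVOPS_BRING_UP_DEPS` would also help the next person who adds a post-bringup step.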
end of thread, other threads:[~2024-03-08 22:47 UTC | newest]

Thread overview: 15+ messages
2024-03-07 13:14 [PATCH 0/5] add initial support for testing nfs with krb5 Scott Mayhew
2024-03-07 13:14 ` [PATCH 1/5] nfsd: make sure the appropriate fsprogs package is installed Scott Mayhew
2024-03-07 13:14 ` [PATCH 2/5] update_etc_hosts: fix up hostnames on debian guestfs hosts Scott Mayhew
2024-03-07 13:14 ` [PATCH 3/5] nfsd: use EXTRA_VAR_INPUTS for export options Scott Mayhew
2024-03-07 13:14 ` [PATCH 4/5] devconfig: set /etc/hostname earlier Scott Mayhew
2024-03-07 13:14 ` [PATCH 5/5] fstests/nfs: add krb5 support Scott Mayhew
2024-03-08 16:57 ` Luis Chamberlain
2024-03-08 19:33 ` Scott Mayhew
2024-03-08 21:08 ` Scott Mayhew
2024-03-08 21:20 ` Luis Chamberlain
2024-03-08 21:18 ` Luis Chamberlain
2024-03-08 22:13 ` Scott Mayhew
2024-03-08 22:47 ` Luis Chamberlain
2024-03-08 15:01 ` [PATCH 0/5] add initial support for testing nfs with krb5 Chuck Lever III
2024-03-08 15:50 ` Scott Mayhew