Red Hat Bugzilla – Attachment 1697980 Details for
Bug 1648521
Regression: sssd sssd-2.0.0-4 slows down autofs - 'getautomntent_r: Invalid argument'
vagrant script for reproducer
Vagrantfile (text/plain), 14.99 KB, created by rob.verduijn on 2020-06-18 15:43:12 UTC
># -*- mode: ruby -*-
># vi: set ft=ruby :
>
># if your domain uri is 'qemu:///system' then you must run this vagrant script as root
># if your domain uri is 'qemu+ssh://root@localhost/system' then you must be able to login as root
># pubkey auth makes things easy (ie create a ssh keypair and do a ssh-copy-id root@localhost before running this script )
>DOMAIN_URI = 'qemu+ssh://root@localhost/system'
># this is what all passwords will be set to
>PASSWORD = 'centos82'
># if you like to see dnf install flood the screen with installation messages, set QUIET = ''
>QUIET = '-q'
>
># All Vagrant configuration is done below. The "2" in Vagrant.configure
># configures the configuration version (we support older styles for
># backwards compatibility). Please don't change it unless you know what
># you're doing.
>Vagrant.configure("2") do |config|
>  config.vm.box_check_update = true
>  config.vm.define :ipa_server do |ipa_server|
>    ipa_server.vm.network :private_network, :libvirt__network_name=>'default', :ip =>'192.168.122.2', :auto_config=>false
>    ipa_server.vm.hostname = "ipa.linux.lab"
>    ipa_server.vm.box = "centos/8"
>    ipa_server.vm.provision "shell", env: { "MYPASS" => PASSWORD, "QUIET" => QUIET }, inline: <<-SHELL
>      # default vagrant does not allow login via console using a password
>      # enable ssh access with passwords and pubkeys
>      sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
>      sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
>      systemctl restart sshd.service
>
>      # vagrant does not set a password for the root or vagrant account
>      # root password
>      echo $MYPASS | passwd --stdin root
>
>      # vagrant password
>      echo $MYPASS | passwd --stdin vagrant
>
>      # I want firewalld running (I use this for checks from the clients)
>      echo 'enable firewall'
>      systemctl enable --now firewalld.service
>
>      # enable module, update and install packages
>      echo 'enable module idm'
>      dnf module $QUIET -y enable idm:DL1
>      echo 'update system'
>      dnf update $QUIET -y
>      echo 'install packages'
>      dnf install $QUIET -y ipa-server ipa-server-dns sssd-tools vim
>
>      # start qemu-guest-agent
>      echo 'enable qemu-guest-agent'
>      systemctl enable --now qemu-guest-agent.service
>
>      # make sure the server can always resolve itself
>      echo 'configure hosts'
>      echo '192.168.122.2 ipa.linux.lab ipa' >> /etc/hosts
>
>      # set 127.0.0.1 to localhost
>      echo 'ensure 127.0.0.1 points to localhost'
>      sed -i '1d' /etc/hosts
>
>      # configure the 2nd interface with a static ip that I use for ipa
>      # because I am going to use ipa as a dns server
>      # I no longer want dns from the host
>      # so I set the 1st interface to ignore-auto-dns true
>
>      echo 'reconfigure network'
>      # delete old 2nd interface config
>      nmcli connection down 'Wired connection 1'
>      nmcli connection del 'Wired connection 1'
>      # disable auto dns
>      nmcli connection mod 'System eth0' ipv4.ignore-auto-dns true
>      nmcli connection up 'System eth0'
>      # configure the 2nd network interface
>      nmcli connection add type ethernet con-name eth1 ifname eth1
>      nmcli connection mod eth1 ipv4.addresses 192.168.122.2/24 ipv4.dns 192.168.122.2 ipv4.method manual
>      nmcli connection up eth1
>
>      # configure ipa server with dns
>      echo 'configure ipa-server'
>      ipa-server-install \
>        --unattended \
>        --setup-dns \
>        --realm=LINUX.LAB \
>        --domain=linux.lab \
>        --ds-password=$MYPASS \
>        --admin-password=$MYPASS \
>        --hostname=ipa.linux.lab \
>        --no-forwarders \
>        --auto-reverse \
>        --allow-zone-overlap
>
>      # obtain principal
>      echo 'get admin tgt'
>      echo $MYPASS | kinit admin
>
>      # Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
>      echo 'enable ptr sync'
>      ipa dnszone-mod linux.lab. --allow-sync-ptr=TRUE
>
>      # add hosts
>      echo 'add host'
>      ipa host-add fedoraclient.linux.lab --password=$MYPASS --ip-address=192.168.122.4
>
>      # add automount maps
>      # systemd does not get the fact that you first need to unmount nfs before stopping the network
>      # the workaround is to set the option _netdev in the network map
>      # async and noatime for speed
>      echo 'configure network map'
>      ipa automountkey-add default auto.direct --key='/home' \
>        --info='-_netdev,rw,noatime,acl,sec=krb5p,async ipa.linux.lab:/homes'
>      # create exports
>      echo 'create nfs exports'
>      echo '/exports *(rw,crossmnt,fsid=0,sec=krb5p)' > /etc/exports
>      echo '/exports/homes *(rw,no_subtree_check,async,sec=krb5p)' >> /etc/exports
>
>      # create test user
>      echo 'add test user'
>      echo -e "$MYPASS\n$MYPASS\n" | ipa user-add test --first=test --last=user --shell='/bin/bash' --password
>
>      # create dirs
>      echo 'create export dirs'
>      mkdir -p /exports/homes
>
>      # set context
>      echo 'set secontext on export dir'
>      chcon -t home_root_t /exports/homes/
>
>      # put content in dirs
>      echo 'create content in export dir'
>      mkdir -p /exports/homes/test
>      rsync -a /etc/skel/ /exports/homes/test/
>      chown -R test:test /exports/homes/test
>
>      # create a test file
>      echo "hello world" > /exports/homes/test/hello.txt
>      chmod 500 /exports/homes/test/hello.txt
>
>      # add nfs server principal
>      echo 'add nfs service'
>      ipa service-add nfs/ipa.linux.lab@LINUX.LAB
>
>      # install principal in keytab
>      echo 'add nfs service to keytab'
>      ipa-getkeytab -p nfs/ipa.linux.lab@LINUX.LAB -k /etc/krb5.keytab
>
>      # install crudini to manipulate ini files
>      echo 'enable epel and install crudini'
>      dnf install $QUIET -y epel-release
>      dnf install $QUIET -y crudini
>
>      # set the nfs-idmap method to sss
>      echo 'set nfs-idmap translation method to sss'
>      crudini --set /etc/idmapd.conf Translation Method sss
>
>      # disable nfs3
>      echo 'disable nfs3'
>      crudini --set /etc/nfs.conf nfsd vers3 n
>
>      # open up the firewall for nfs
>      echo 'configure firewalld'
>      firewall-cmd --add-service=nfs --permanent
>      # open up the firewall for ipa
>      firewall-cmd --add-service=dns --permanent
>      firewall-cmd --add-service=freeipa-4 --permanent
>
>      # shutdown ipa
>      echo 'shutdown ipa'
>      ipactl stop
>
>      # shutdown services and clear cache and tmp
>      echo 'cleanup and reboot'
>      systemctl stop autofs.service sssd.service gssproxy.service
>      rm -rf /tmp/.* /tmp/* /var/tmp/.* /var/tmp/* /var/lib/sss/db/* /var/lib/gssproxy/clients/krb5cc_0
>
>      # poweroff
>      reboot
>    SHELL
>    # server needs more resources than the default assignment of 1cpu/512Mb
>    # see https://github.com/vagrant-libvirt/vagrant-libvirt for all options
>    ipa_server.vm.provider :libvirt do |domain|
>      domain.uri = DOMAIN_URI
>      domain.memory = 4096
>      domain.cpus = 2
>      domain.graphics_ip = '0.0.0.0'
>      # passthrough /dev/random to make sure I got plenty entropy (requires vagrant >= 1.9)
>      domain.random :model => 'random'
>      # I like spice
>      domain.video_type = 'qxl'
>      domain.graphics_type = 'spice'
>      domain.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
>      domain.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
>    end
>  end
>
>  config.vm.define :fedoraclient do |fedoraclient|
>    fedoraclient.vm.network :private_network, :libvirt__network_name=>'default', :ip =>'192.168.122.4', :auto_config=>false
>    fedoraclient.vm.hostname = "fedoraclient.linux.lab"
>    fedoraclient.vm.box = "fedora/32-cloud-base"
>    fedoraclient.vm.provision "shell", env: { "MYPASS" => PASSWORD, "QUIET" => QUIET }, inline: <<-SHELL
>      # default vagrant does not allow login via console using a password
>      # enable ssh access with passwords and pubkeys
>      sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
>      sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
>      systemctl restart sshd.service
>
>      # vagrant does not set a password for the root or vagrant account
>      # root password
>      echo $MYPASS | passwd --stdin root
>
>      # vagrant password
>      echo $MYPASS | passwd --stdin vagrant
>
>      # update and install
>      echo 'update system'
>      dnf update $QUIET -y
>      echo 'install custom packages'
>      dnf install $QUIET -y ipa-client tuned sssd-tools vim crudini
>
>      # enable and start tuned
>      echo 'enable tuned'
>      systemctl enable --now tuned.service
>
>      # start qemu-guest-agent
>      echo 'enable qemu-guest-agent'
>      systemctl enable --now qemu-guest-agent.service
>
>      # set the nfs-idmap translation method to sss
>      # leave this to default and all files on nfs shares will be owned by nobody:nobody
>      echo 'configure nfs-idmap to use translation method sss'
>      crudini --set /etc/idmapd.conf Translation Method sss
>
>      # I am going to mount an nfs share on /home
>      # so I move the homedir of the vagrant user to a
>      # location where it will remain available after mounting /home
>      # usermod fails due to vagrant so I have to do it manually
>      echo 'move the vagrant home dir'
>      rsync -avXA /home/vagrant /var/lib
>      sed -i 's!/home/vagrant!/var/lib/vagrant!' /etc/passwd
>      rm -rf /home/vagrant
>
>      # configure the 2nd interface with a static ip that I use for ipa
>      # because I am going to use ipa as a dns server
>      # I no longer want dns from the host
>      # so I set the 1st interface to ignore-auto-dns true
>
>      echo 'reconfigure network'
>      # delete old 2nd interface config
>      nmcli connection down 'Wired connection 1'
>      nmcli connection del 'Wired connection 1'
>      # disable auto dns
>      nmcli connection mod 'System eth0' ipv4.ignore-auto-dns true
>      nmcli connection up 'System eth0'
>      # configure the 2nd network interface
>      nmcli connection add type ethernet con-name eth1 ifname eth1
>      nmcli connection mod eth1 ipv4.addresses 192.168.122.4/24 ipv4.dns 192.168.122.2 ipv4.method manual
>      nmcli connection up eth1
>
>      # now wait for the ipaserver configuration to finish
>      while ! curl -s http://192.168.122.2 2>&1 1>/dev/null ; do
>        echo 'waiting for ipa to finish configuring'
>        sleep 10
>      done
>
>      # in case of starting the ipa_server and the fedoraclient at the same time
>      # the ipa-server has just booted, before I continue
>      # wait 60 sec so that all the services are up and running
>      echo 'wait 60 sec'
>      sleep 60
>
>      # add system to ipa (no mkhome because I got automount home)
>      echo 'install ipa client'
>      ipa-client-install -U -w $MYPASS --ip-address=192.168.122.4 --no-ntp
>
>      # configure automount
>      echo 'configure automount'
>      ipa-client-automount -U --location=default
>
>      # start graphical section
>      # the reproducer only seems to work when kde is running
>      # I prefer KDE
>      echo 'the reproducer only seemt to work when kde is running'
>      echo 'install kde'
>      dnf groupinstall $QUIET -y 'KDE Plasma Workspaces'
>
>      # why is firefox not a default package for kde ?
>      echo 'install firefox'
>      dnf install $QUIET -y firefox
>
>      # gnome desktop
>      #dnf install $QUIET -y '@workstation-product-environment'
>
>      # set default target
>      echo 'set default target to graphical'
>      systemctl set-default graphical.target
>
>      # set desktop booleans
>      echo 'set desktop booleans'
>      setsebool -P allow_execheap 1
>      setsebool -P polyinstantiation_enabled 1
>      setsebool -P domain_can_mmap_files 1
>      setsebool -P use_nfs_home_dirs 1
>      setsebool -P colord_use_nfs 1
>      setsebool -P nis_enabled 1
>
>      # sddm default greeter is not really ipa domain friendly
>      # so I change a few settings here
>
>      # first gather some facts
>      echo 'configure sddm'
>      echo $MYPASS | kinit admin
>      ipabaseid=$(ipa idrange-show LINUX.LAB_id_range --raw | grep ipabaseid | awk '{print $2}')
>      ipaidrangesize=$(ipa idrange-show LINUX.LAB_id_range --raw | grep ipaidrangesize | awk '{print $2}')
>
>      # change sddm minimum user id
>      crudini --set /etc/sddm.conf Users MinimumUid $ipabaseid
>
>      # change sddm maximum user id
>      crudini --set /etc/sddm.conf Users MaximumUid $(( $ipabaseid + $ipaidrangesize ))
>
>      # sddm greeter has no change password dialog
>      # see https://bugzilla.redhat.com/show_bug.cgi?id=1430446
>      # so I reset the test user password here
>      # default history size is 0 on ipa, so I can keep the same password
>      echo 'implement "sddm greeter has no password change dialog" workarround'
>      echo 'see https://bugzilla.redhat.com/show_bug.cgi?id=1430446'
>      echo -e "$MYPASS\n$MYPASS\n$MYPASS\n" | kinit test
>
>      # end graphical section
>
>      # generate reproducer script
>      echo 'create reproducer script'
>      echo '#!/bin/bash' > /root/reproducer.sh
>      echo 'kdestroy -A' >> /root/reproducer.sh
>      echo 'systemctl stop autofs.service sssd.service gssproxy.service' >> /root/reproducer.sh
>      echo 'rm -rf /tmp/.* /tmp/* /var/tmp/.* /var/tmp/* /var/lib/sss/db/* /var/lib/gssproxy/clients/krb5cc_0' >> /root/reproducer.sh
>      echo 'reboot' >> /root/reproducer.sh
>      chmod +x /root/reproducer.sh
>
>      # shutdown services and clear cache and tmp
>      echo 'stop services, clear cache and tmp, reboot'
>      kdestroy -A
>      systemctl stop autofs.service sssd.service gssproxy.service
>      rm -rf /tmp/.* /tmp/* /var/tmp/.* /var/tmp/* /var/lib/sss/db/* /var/lib/gssproxy/clients/krb5cc_0
>
>      # poweroff
>      reboot
>    SHELL
>    # graphical fedora desktop needs more resources than the default assignment of 1cpu/512Mb
>    # see https://github.com/vagrant-libvirt/vagrant-libvirt for all options
>    fedoraclient.vm.provider :libvirt do |domain|
>      domain.uri = DOMAIN_URI
>      domain.memory = 4096
>      domain.cpus = 2
>      domain.graphics_ip = '0.0.0.0'
>      # passthrough /dev/random to make sure I got plenty entropy (requires vagrant >= 1.9)
>      domain.random :model => 'random'
>      # I like spice
>      domain.video_type = 'qxl'
>      domain.graphics_type = 'spice'
>      domain.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
>      domain.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
>      domain.input :type => "tablet", :bus => "usb"
>    end
>  end
>end