[RHEL-79582] Test gssproxy with Image Mode

Type: Task
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: gssproxy
Labels:

Epic Link:
RHELMISC-8885
sprint_count:
3

Pool Team:

rhel-sst-idm-ipa
Sub-System Group:

ssg_idm

Sprint:
2025-Q1-Alpha-S4, 2025-Q1-Alpha-S5, 2025-Q1-Alpha-S6
Story Points:
8
Blocked:
False
Blocked Reason:

Hide

None

Show
None

This component was present in a list of critical components for Image Mode testing as of Feb 14, 2024. Therefore the Image Mode program is proactively filing this dedicated ticket for it so the SST may have an actionable tracker. Refer to the instructions in the epic on how to proceed with this ticket. Should your team identify more critical components, please create a ticket for it like this. If, however, you intend to track this on a more aggregated matter (e.g. by performing changes in your team's CI) and don't need this component-level ticket, feel free to close it as "Won't Do".

Sudhir Menon added a comment - 2025/03/25 6:24 AM - edited

Currently the tests from https://github.com/gssapi/gssproxy/tree/main/tests have been run manually on to the container image pulled from quay.io/centos-bootc/centos-bootc and all the tests have passed. Attaching the tests result for reference.

[testuser@master ~]$ podman-bootc images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/centos-bootc/centos-bootc stream10 ecf1898f8c12 3 days ago 1.37 GB
images.paas.redhat.com/idmops/gssproxy-bootc-rhel10 latest cc946c884cfb 6 days ago 1.37 GB

[testuser@master ~]$ podman-bootc ssh ecf1898f8c12

[root@ibm-p8-kvm-03-guest-02 driver]# sh -x runtest.sh
+ cd /var/tmp/source/gssproxy-0.9.2/
+ autoreconf -fi
Copying file mkinstalldirs
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
...........

Waiting for LDAP server to start...
krb5kdc: starting...
Tests to be run: t_acquire.py, t_basic.py, t_cred_store.py, t_impersonate.py, t_interpose.py, t_multi_key.py, t_names.py, t_program.py, t_reloading.py, t_setcredopt.py
Testing basic acquire creds...
[PASS] (0) Acquire test returned 0
Testing basic init/accept context
[PASS] (1) Init test returned 0
[PASS] (2) Accept test returned 0
Testing cred store extensions...
[PASS] (3) Cred store test returned 0
Testing impersonate creds...
[PASS] (4) Impersonate test returned 0
[PASS] (5) Impersonate fail self test returned 255
[PASS] (6) Impersonate fail proxy test returned 255
[PASS] (7) s4u2self delegation test returned 0
[PASS] (8) Impersonate to self test returned 0
[PASS] (9) s4u2proxy fail test returned 255
[PASS] (10) s4u2proxy test returned 0
Testing interposer...
[PASS] (11) Interpose test returned 0
Testing multiple keys Keytab with first principal
Testing basic init/accept context
[PASS] (12) Init test returned 0
[PASS] (13) Accept test returned 0
Testing multiple keys Keytab with second principal
Testing basic init/accept context
[PASS] (14) Init test returned 0
[PASS] (15) Accept test returned 0
Testing name options...
[PASS] (16) Check Names test returned 0
Testing positive program name matching...
Testing basic acquire creds...
[PASS] (17) Acquire test returned 0
Testing negative program name matching...
Testing basic acquire creds...
[PASS] (18) Acquire test returned 255
[PASS] (19) Program test returned 0
Testing basic SIGHUP with no change
Testing basic init/accept context
[PASS] (20) Init test returned 0
[PASS] (21) Accept test returned 0
Testing SIGHUP with dropped service
Testing basic init/accept context
[PASS] (22) Init test returned -13
[PASS] (23) Accept test returned None
Testing SIGHUP with new service
Testing basic init/accept context
[PASS] (24) Init test returned 0
[PASS] (25) Accept test returned 0
Testing SIGHUP with change of socket
Testing basic init/accept context
[PASS] (26) Init test returned 0
[PASS] (27) Accept test returned 0
Testing setting credential options...
[PASS] (28) Set cred options test returned 0
Killing LDAP(31012)
Killing KDC(31020)
Killing GSS-Proxy(31035)

2. The same tests need to be run on images.paas.redhat.com/idmops/gssproxy-bootc-rhel10 but since the booted container image is read-only and doesn't allow to install packages even with --transient option, the tests couldn't be the run. The same is being investigated and the packages need to be part of the image which is being built

[root@ibm-p8-kvm-03-guest-02 ~]# dnf install ~~y openldap~~servers --transient

*** Error: system is configured to be read-only; for more
*** information run `bootc --help`.

Sudhir Menon added a comment - 2025/03/25 6:24 AM - edited Currently the tests from https://github.com/gssapi/gssproxy/tree/main/tests have been run manually on to the container image pulled from quay.io/centos-bootc/centos-bootc and all the tests have passed. Attaching the tests result for reference. [testuser@master ~] $ podman-bootc images REPOSITORY TAG IMAGE ID CREATED SIZE quay.io/centos-bootc/centos-bootc stream10 ecf1898f8c12 3 days ago 1.37 GB images.paas.redhat.com/idmops/gssproxy-bootc-rhel10 latest cc946c884cfb 6 days ago 1.37 GB [testuser@master ~] $ podman-bootc ssh ecf1898f8c12 [root@ibm-p8-kvm-03-guest-02 driver] # sh -x runtest.sh + cd /var/tmp/source/gssproxy-0.9.2/ + autoreconf -fi Copying file mkinstalldirs libtoolize: putting auxiliary files in '.'. libtoolize: copying file './ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'. libtoolize: copying file 'm4/libtool.m4' libtoolize: copying file 'm4/ltoptions.m4' libtoolize: copying file 'm4/ltsugar.m4' libtoolize: copying file 'm4/ltversion.m4' libtoolize: copying file 'm4/lt~obsolete.m4' ........... Waiting for LDAP server to start... krb5kdc: starting... Tests to be run: t_acquire.py, t_basic.py, t_cred_store.py, t_impersonate.py, t_interpose.py, t_multi_key.py, t_names.py, t_program.py, t_reloading.py, t_setcredopt.py Testing basic acquire creds... [PASS] (0) Acquire test returned 0 Testing basic init/accept context [PASS] (1) Init test returned 0 [PASS] (2) Accept test returned 0 Testing cred store extensions... [PASS] (3) Cred store test returned 0 Testing impersonate creds... [PASS] (4) Impersonate test returned 0 [PASS] (5) Impersonate fail self test returned 255 [PASS] (6) Impersonate fail proxy test returned 255 [PASS] (7) s4u2self delegation test returned 0 [PASS] (8) Impersonate to self test returned 0 [PASS] (9) s4u2proxy fail test returned 255 [PASS] (10) s4u2proxy test returned 0 Testing interposer... [PASS] (11) Interpose test returned 0 Testing multiple keys Keytab with first principal Testing basic init/accept context [PASS] (12) Init test returned 0 [PASS] (13) Accept test returned 0 Testing multiple keys Keytab with second principal Testing basic init/accept context [PASS] (14) Init test returned 0 [PASS] (15) Accept test returned 0 Testing name options... [PASS] (16) Check Names test returned 0 Testing positive program name matching... Testing basic acquire creds... [PASS] (17) Acquire test returned 0 Testing negative program name matching... Testing basic acquire creds... [PASS] (18) Acquire test returned 255 [PASS] (19) Program test returned 0 Testing basic SIGHUP with no change Testing basic init/accept context [PASS] (20) Init test returned 0 [PASS] (21) Accept test returned 0 Testing SIGHUP with dropped service Testing basic init/accept context [PASS] (22) Init test returned -13 [PASS] (23) Accept test returned None Testing SIGHUP with new service Testing basic init/accept context [PASS] (24) Init test returned 0 [PASS] (25) Accept test returned 0 Testing SIGHUP with change of socket Testing basic init/accept context [PASS] (26) Init test returned 0 [PASS] (27) Accept test returned 0 Testing setting credential options... [PASS] (28) Set cred options test returned 0 Killing LDAP(31012) Killing KDC(31020) Killing GSS-Proxy(31035) 2. The same tests need to be run on images.paas.redhat.com/idmops/gssproxy-bootc-rhel10 but since the booted container image is read-only and doesn't allow to install packages even with --transient option, the tests couldn't be the run. The same is being investigated and the packages need to be part of the image which is being built [root@ibm-p8-kvm-03-guest-02 ~] # dnf install y openldap servers --transient *** Error: system is configured to be read-only; for more *** information run `bootc --help`.

Florence Renaud added a comment - 2025/02/24 1:40 PM

We have 2 scenarios to test:

boot the image generated with gssproxy package and launch the gssproxy tests:
```
podman-bootc run --filesystem=xfs <image with gssproxy>
```

boot a centos 10 bootc image, then switch to the image generated with gssproxy package and launch the gssproxy tests:
```
podman-bootc run --filesystem=xfs quay.io/centos-bootc/centos-bootc:stream10
```
then inside the booted vm:
```
podman pull <image with gssproxy>
bootc switch <image with gssproxy> --transport=containers-storage
reboot
```
Reconnect to the booted v with:
```
podman-bootc ssh <id>
```
Inside the booted vm, run gssproxy tests

Florence Renaud added a comment - 2025/02/24 1:40 PM We have 2 scenarios to test: boot the image generated with gssproxy package and launch the gssproxy tests: podman-bootc run --filesystem=xfs <image with gssproxy> boot a centos 10 bootc image, then switch to the image generated with gssproxy package and launch the gssproxy tests: podman-bootc run --filesystem=xfs quay.io/centos-bootc/centos-bootc:stream10 then inside the booted vm: podman pull <image with gssproxy> bootc switch <image with gssproxy> --transport=containers-storage reboot Reconnect to the booted v with: podman-bootc ssh <id> Inside the booted vm, run gssproxy tests

Francisco Trivino Garcia added a comment - 2025/02/17 4:17 PM

gssproxy image available in openstack.

We can test in idm-ci using https://gitlab.cee.redhat.com/-/snippets/9372/raw/main/snippet101.yaml

Francisco Trivino Garcia added a comment - 2025/02/17 4:17 PM gssproxy image available in openstack. We can test in idm-ci using https://gitlab.cee.redhat.com/-/snippets/9372/raw/main/snippet101.yaml

Details

Description

Attachments

Easy Agile Planning Poker

Activity

Collapse comment: Sudhir Menon added a comment - 2025/03/25 6:24 AM, Edited by Sudhir Menon - 2025/03/25 6:42 AM

Expand comment: Sudhir Menon added a comment - 2025/03/25 6:24 AM, Edited by Sudhir Menon - 2025/03/25 6:42 AM

Collapse comment: Florence Renaud added a comment - 2025/02/24 1:40 PM

Expand comment: Florence Renaud added a comment - 2025/02/24 1:40 PM

Collapse comment: Francisco Trivino Garcia added a comment - 2025/02/17 4:17 PM

Expand comment: Francisco Trivino Garcia added a comment - 2025/02/17 4:17 PM

People

Dates