From Fedora Project Wiki

(Created page with "{{Infobox_group | name = IPA HSM Test Day | image = 300px|link=QA/Test Days | date = '''2024-12-09''' | time = all day | website = QA/Test Days | matrix = {{matrix|#test-day:fedoraproject.org}} | fedora_mailing_list = test }} {{admon/note | Can't make the date? | If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add...")
 
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Infobox_group
{{Infobox_group
| name = IPA HSM Test Day
| name = IPA MIGRATE TOOL
| image = [[File:test-days-banner.svg|300px|link=QA/Test Days]]
| image = [[File:test-days-banner.svg|300px|link=QA/Test Days]]
| date = '''2024-12-09'''
| date = '''2024-12-09'''
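Review bot: the new infobox `name` value, `IPA MIGRATE TOOL`, is set in all caps and drops the "Test Day" wording that the previous value `IPA HSM Test Day` carried, so the title no longer says what kind of page this is. Something like `IPA Migrate Tool Test Day` would stay consistent with the `link=QA/Test Days` banner on the next line.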
Line 15: Line 15:
<!-- Describe in detail what this test day is about and why would users want to participate in it. What makes this interesting for them? What's new and exciting in your software or a feature? -->
<!-- Describe in detail what this test day is about and why would users want to participate in it. What makes this interesting for them? What's new and exciting in your software or a feature? -->


This [[QA/Test Days|Test Day]] will focus on '''FreeIPA HSM'''
This [[QA/Test Days|Test Day]] will focus on '''FreeIPA ipa-migrate tool'''


== Who's available ==
== Who's available ==
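Review bot: the template comment asking for a detailed description of the test day is still in place above the focus line, and the new text `FreeIPA ipa-migrate tool` only names the tool. A sentence or two on what ipa-migrate does and why testers should care would answer the placeholder, after which the comment can be removed.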
Line 37: Line 37:
IPA to IPA migration design
IPA to IPA migration design


    IPA-to-IPA migration will be implemented as an AdminTool standalone client tool: /usr/sbin/ipa-migrate
* IPA-to-IPA migration will be implemented as an AdminTool standalone client tool: /usr/sbin/ipa-migrate


    Migration will consist of three areas:
===== Migration will consist of three areas: =====


        Schema - the LDAP schema (objectclasses and attributes)


         Config - the LDAP configuration under cn=config (dse.ldif)
       
* Schema - the LDAP schema (objectclasses and attributes)
*
*         Config - the LDAP configuration under cn=config (dse.ldif)
*
*        Database - the main LDAP database


        Database - the main LDAP database
Allow online (LDAP over the network) or offline (LDIF file) migration. You can mix and match LDIF (offline) with LDAP (online)


    Allow online (LDAP over the network) or offline (LDIF file) migration. You can mix and match LDIF (offline) with LDAP (online)
==== Online migration ====
 
Online migration


Online migration consists of contacting the remote server over the network and pulling in all the required information. With very large databases this could impact the tool’s performance
Online migration consists of contacting the remote server over the network and pulling in all the required information. With very large databases this could impact the tool’s performance
Offline migration


==== Offline migration ====
Offline migration consists of using LDIF files from the remote server
Offline migration consists of using LDIF files from the remote server
 
* Config - the DS config file: /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/dse.ldif
    Config - the DS config file: /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/dse.ldif
Schema - all the schema files found under /etc/dirsrv/schema/ and /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/schema/  
 
Database - You need to export the userroot database to an ldif file
    Schema - all the schema files found under /etc/dirsrv/schema/ and /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/schema/
 
    Database - You need to export the userroot database to an ldif file


Then copy these LDIF files to the new local server
Then copy these LDIF files to the new local server


== How to test? ==
== How to test? ==
# Install Remote IPA server on Fedora41 [remote.testrelm.test]
# Add users, groups, hbacrule, sudorules, selinuxusermaps etc on the Remote IPA server
# Install Local IPA server on Fedora 41 [local.testrelm.test]
# Ensure local and remote servers can ping each other.
#. Now Run ipa-migrate tool  with various options i.e ipa-migrate --help
  # ipa-migrate stage-mode <remote.testrelm.test> -w <password>
# Check for logs in /var/log/ipa-migrate.log
[Note: The log file gets appended for each time the command ipa-migrate is run]


=== Install freeIPA packages ===
=== Install freeIPA packages ===
# dnf -y install freeipa-server-dns
# dnf -y install freeipa-server freeipa-server-dns


=== Set up environment variables on each machine/VM ===
=== Set up environment variables on each machine/VM ===


  # export TOKEN_PASSWORD=password
   # export ADMIN_PASSWORD=password
   # export ADMIN_PASSWORD=password
   # export DM_PASSWORD=password
   # export DM_PASSWORD=password
If using a supported hardware HSM ensure that it is working properly and have the token name and PKCS#11 library path handy.


=== In between tests ===
=== In between tests ===


To re-use test machines in between installations:
To re-use test machines in between installations for correct results.


On replica (if there is one)
On local system.
   # ipa server-del $HOSTNAME
   # ipa-server-install --setup-dns --forwarder=<ip-address> -n testrelm.test -r TESTRELM.TEST --no-dnssec-validation -a <password> -p <password> -U
   # ipa-server-install –uninstall -U
   # ipa-server-install –uninstall -U


On the initial IPA server
On the remote IPA server
 
  # ipa-server-install --setup-dns --forwarder=<ip-address> -n testrelm.test -r TESTRELM.TEST --no-dnssec-validation -a <password> -p <password> -U
   # ipa-server-install –uninstall -U
   # ipa-server-install –uninstall -U


If using softhsm2 you will also need to delete and re-create the token. To delete the token:
  # softhsm2-util --delete-token --token ipa_token
This should return the machine(s) to the pre-installed state.


Visit the '''[http://testdays.fedoraproject.org/events/206 results page]''' and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ''Enter result'' button for the test.
Visit the '''[http://testdays.fedoraproject.org/events/206 results page]''' and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ''Enter result'' button for the test.
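Review bot: under "In between tests", `ipa-server-install –uninstall -U` is written with an en dash instead of `--uninstall`, so the option will not be recognised when the line is pasted; it also now follows the full `ipa-server-install --setup-dns ...` line on both the local and the remote server, where uninstalling first looks like the intended order for resetting a machine. Elsewhere in this hunk, `#. Now Run ipa-migrate tool` breaks the numbered list, so the `ipa-migrate stage-mode` command and the log check lose their step numbers, and the bullet list under "Migration will consist of three areas" contains empty `*` items and stray indentation. The introductory sentence "To re-use test machines in between installations for correct results." is a fragment and would read better ending in a colon before the commands.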

Latest revision as of 15:32, 25 November 2024

IPA MIGRATE TOOL

Date 2024-12-09
Time all day

Website QA/Test Days
Matrix #test-day:fedoraproject.org
Mailing list test


Can't make the date?
If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

This Test Day will focus on FreeIPA ipa-migrate tool

Who's available

The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion:

You can chat with me on Matrix. See the infobox on top of the page to learn where to join.

Prerequisite for Test Day

  • A virtual machine or a bare metal machine
  • An installation of Fedora 41 (ideally Server). Make sure to fully update your system. If installing a fresh system, it's recommended to use the latest nightly image.

What to test

Prerequisites

You must install IPA on the new system (local server), and the domain/suffix must be the final expected values. The remote data will be converted to match the new local server. Typically it is expected that this installation be bare. The tool was not designed to merge two different installations (although it might work).

IPA to IPA migration design

  • IPA-to-IPA migration will be implemented as an AdminTool standalone client tool: /usr/sbin/ipa-migrate

Migration will consist of three areas:
  • Schema - the LDAP schema (objectclasses and attributes)
  • Config - the LDAP configuration under cn=config (dse.ldif)
  • Database - the main LDAP database

Allow online (LDAP over the network) or offline (LDIF file) migration. You can mix and match LDIF (offline) with LDAP (online).

Online migration

Online migration consists of contacting the remote server over the network and pulling in all the required information. With very large databases this could impact the tool’s performance.

Offline migration

Offline migration consists of using LDIF files from the remote server:

  • Config - the DS config file: /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/dse.ldif
  • Schema - all the schema files found under /etc/dirsrv/schema/ and /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/schema/
  • Database - You need to export the userroot database to an ldif file

Then copy these LDIF files to the new local server
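
The userroot export is a full copy of the directory, so before it is copied between servers it is worth knowing which entries in it carry credential material and whether the file is readable by other accounts. The check below is an added example, not part of the original page or of FreeIPA; the attribute list, the function names and the sample LDIF are assumptions constructed for illustration.

```python
import base64
import os
import re
import stat
from collections import Counter

# Assumed, illustrative list of attributes that hold credential material in a
# FreeIPA userroot export; names are compared case-insensitively.
SECRET_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey", "ipanthash", "ipatokenotpkey"}

def audit_ldif(text):
    """Return (Counter: secret attribute -> number of entries, DNs of those entries)."""
    text = re.sub(r"\r?\n ", "", text)            # unfold continuation lines
    counts, holders = Counter(), []
    for block in re.split(r"\r?\n\s*\n", text):   # entries are separated by blank lines
        dn, seen = None, set()
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            name = attr.split(";")[0].lower()     # drop options such as ";binary"
            if name == "dn":
                dn = value.strip()
            elif name in SECRET_ATTRS:
                seen.add(name)
        if dn and seen:
            holders.append(dn)
            counts.update(seen)
    return counts, holders

def is_private(path):
    """True when the export grants nothing to group or other (e.g. mode 0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export; the values are placeholders, not real hashes.
SAMPLE = (
    "version: 1\n\ndn: uid=alice,cn=users,cn=accounts,\n dc=testrelm,dc=test\n"
    "userPassword:: " + b64("{PBKDF2_SHA256}constructed") + "\n"
    "krbPrincipalKey:: " + b64("constructed-key") + "\n\n"
    "dn:: " + b64("uid=bob,cn=users,cn=accounts,dc=testrelm,dc=test") + "\n"
    "ipaNTHash:: " + b64("constructed") + "\n\n"
    "dn: cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test\ncn: admins\n"
)
```

Call `audit_ldif(open(path).read())` on the exported file and `is_private(path)` on the same path before and after the copy.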

How to test?

  1. Install Remote IPA server on Fedora 41 [remote.testrelm.test]
  2. Add users, groups, hbacrule, sudorules, selinuxusermaps etc. on the Remote IPA server
  3. Install Local IPA server on Fedora 41 [local.testrelm.test]
  4. Ensure local and remote servers can ping each other.
  5. Now run the ipa-migrate tool with various options, i.e. ipa-migrate --help
      # ipa-migrate stage-mode <remote.testrelm.test> -w <password>
  6. Check for logs in /var/log/ipa-migrate.log

[Note: The log file is appended to each time the ipa-migrate command is run]

Install freeIPA packages

 # dnf -y install freeipa-server freeipa-server-dns

Set up environment variables on each machine/VM

 # export ADMIN_PASSWORD=password
 # export DM_PASSWORD=password

In between tests

To re-use test machines in between installations and get correct results:

On the local system

 # ipa-server-install --setup-dns --forwarder=<ip-address> -n testrelm.test -r TESTRELM.TEST --no-dnssec-validation -a <password> -p <password> -U
 # ipa-server-install --uninstall -U

On the remote IPA server

 # ipa-server-install --setup-dns --forwarder=<ip-address> -n testrelm.test -r TESTRELM.TEST --no-dnssec-validation -a <password> -p <password> -U
 # ipa-server-install --uninstall -U



Reporting bugs

Perhaps you've found an already-reported bug. Please look at:

All new bugs should be reported in the upstream bug tracker. A less-preferred alternative is to file them in Red Hat JIRA, in most cases against the ipa component.

We really need bug reports!
Please note that just mentioning your problem in the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you follow-up questions. Please file bug reports; it's much more useful than a short comment. Thank you!

When filing the bug, it's very helpful to include:

  • exact steps you've performed (and whether you can reproduce it again)
  • screenshots or videos, if applicable
  • system journal (log), which you can retrieve by journalctl -b > journal.txt
  • all output in a terminal, if started from a terminal
  • your system description

If you are unsure about exactly how to file the report or what other information to include, just ask us.

Please make sure to link to the bug when submitting your test result, thanks!

Test Results

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.