From 60d4e1a75192f32ff5db46b6743a797ac98a8a55 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Wed, 29 Apr 2026 11:59:03 +0200
Subject: [PATCH 1/5] tests: add TMT plan for passkey testing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add comprehensive TMT plan for testing SSSD passkey functionality across IPA, LDAP, and Samba identity providers using containerized environments.
Signed-off-by: Iker Pedrosa
Co-authored-by: Claude Sonnet 4
Reviewed-by: Jakub Vávra
Reviewed-by: Justin Stephenson
(cherry picked from commit d54cf526c92143653108b455fa4e477c24b6263f)
---
.fmf/version | 1 +
plans/passkey.fmf | 234 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 235 insertions(+)
create mode 100644 .fmf/version
create mode 100644 plans/passkey.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000000..d00491fd7e
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/plans/passkey.fmf b/plans/passkey.fmf
new file mode 100644
index 0000000000..4625b8c4ed
--- /dev/null
+++ b/plans/passkey.fmf
@@ -0,0 +1,234 @@
+summary: SSSD passkey tests
+description: |
+ Test passkey functionality with SSSD across different identity providers
+ (IPA, LDAP, Samba).
+tag: passkey
+
+provision:
+ how: virtual
+ # Testing Farm provides a maximum of 4GB RAM,
+ # but 16GB allows smoother operation by avoiding memory swap
+ # when running locally or if memory limits increase
+ memory: 16384
+
+prepare:
+ - name: Install general dependencies
+ how: install
+ package:
+ - expect
+ - gcc
+ - git
+ - openldap-devel
+ - podman
+ - podman-compose
+ - podman-docker
+ - python3-devel
+ - python3-pip
+ - yq
+
+ - name: Setup docker-compose compatibility
+ how: shell
+ script: |
+ if ! command -v docker-compose >/dev/null 2>&1; then
+ ln -sf $(command -v podman-compose) /usr/local/bin/docker-compose
+ fi
+
+ - name: Install and load kernel module for passkey testing
+ how: shell
+ script: |
+ dnf install -y kernel-modules-extra-$(uname -r)
+ modprobe vhci_hcd
+
+ - name: Clone sssd
+ how: shell
+ script: |
+ if [ -n "$PACKIT_SOURCE_BRANCH" ] && [ -n "$PACKIT_SOURCE_URL" ]; then
+ echo "Direct PR branch clone: url $PACKIT_SOURCE_URL branch $PACKIT_SOURCE_BRANCH"
+ git clone --branch "$PACKIT_SOURCE_BRANCH" "$PACKIT_SOURCE_URL" /tmp/sssd
+ elif [ -n "$PACKIT_PR_ID" ]; then
+ echo "PR ID fetch: PR ID $PACKIT_PR_ID"
+ git clone https://github.com/SSSD/sssd.git /tmp/sssd
+ cd /tmp/sssd
+ git fetch origin "pull/$PACKIT_PR_ID/head:pr-$PACKIT_PR_ID"
+ git checkout "pr-$PACKIT_PR_ID"
+ else
+ echo "No PR context found, master branch fallback"
+ git clone https://github.com/SSSD/sssd.git /tmp/sssd
+ fi
+
+ cd /tmp/sssd
+ echo "Current branch: $(git branch --show-current)"
+ echo "Current commit: $(git rev-parse HEAD)"
+
+ - name: Clone sssd-ci-containers
+ how: shell
+ script:
+ - git clone https://github.com/SSSD/sssd-ci-containers.git /tmp/sssd-ci-containers
+
+ - name: Install test dependencies
+ how: shell
+ script:
+ - pip3 install --break-system-packages -r
/tmp/sssd/src/tests/system/requirements.txt
+
+ - name: Setup containers
+ how: shell
+ script: |
+ cd /tmp/sssd-ci-containers
+ systemctl enable --now podman.socket
+ setsebool container_manage_cgroup true
+ cp env.example .env
+
+ # Use CONTAINER_TARGET from packit if provided, otherwise use Fedora
+ if [ -n "$CONTAINER_TARGET" ]; then
+ CONTAINER_TAG="$CONTAINER_TARGET"
+ else
+ . /tmp/sssd/contrib/ci/distro.sh
+ CONTAINER_TAG="fedora-$DISTRO_RELEASE"
+ fi
+ echo "Using container tag: $CONTAINER_TAG"
+ sed -i "s/TAG=latest/TAG=$CONTAINER_TAG/g" .env
+
+ make setup-dns-files
+ make up
+
+ - name: Fix SSH key permissions
+ how: shell
+ script:
+ - chmod 600 /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa
+
+ - name: Wait for client and IPA containers to be ready
+ how: shell
+ script: |
+ # Wait for client container
+ for i in $(seq 1 60); do
+ if ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ -o ConnectTimeout=5 \
+ root@client.test "echo 'ready'" >/dev/null 2>&1; then
+ echo "Client container ready"
+ break
+ fi
+ if [ $i -eq 60 ]; then
+ echo "ERROR: Client container not ready after 60 attempts"
+ exit 1
+ fi
+ sleep 1
+ done
+
+ # Wait for IPA container
+ for i in $(seq 1 60); do
+ if ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ -o ConnectTimeout=5 \
+ root@master.ipa.test "echo 'ready'" >/dev/null 2>&1; then
+ echo "IPA container ready"
+ break
+ fi
+ if [ $i -eq 60 ]; then
+ echo "ERROR: IPA container not ready after 60 attempts"
+ exit 1
+ fi
+ sleep 1
+ done
+
+ - name: Install SSSD from PR build into containers
+ how: shell
+ script: |
+ # Get COPR repo name from environment
+ if [ -n "$PACKIT_COPR_PROJECT" ]; then
+ COPR_REPO="$PACKIT_COPR_PROJECT"
+ else
+ echo "WARNING: No PACKIT_COPR_PROJECT found, using latest master build"
+ COPR_REPO="packit/SSSD-sssd-master"
+ fi
+
+ echo "Using COPR repo: $COPR_REPO"
+
+ if [[ "$CONTAINER_TARGET" == "centos-10" ]];
then
+ COPR_ENABLE_CMD="dnf copr enable -y $COPR_REPO centos-stream-10-x86_64"
+ else
+ COPR_ENABLE_CMD="dnf copr enable -y $COPR_REPO"
+ fi
+
+ # Install on client container
+ ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ root@client.test "
+ $COPR_ENABLE_CMD
+ dnf upgrade -y --refresh sssd*
+ "
+
+ # Install on IPA container
+ ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ root@master.ipa.test "
+ $COPR_ENABLE_CMD
+ dnf upgrade -y --refresh sssd*
+ "
+
+ - name: Restart SSSD services in containers
+ how: shell
+ script: |
+ # Restart SSSD on client container
+ ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ root@client.test "systemctl restart sssd"
+
+ # Restart SSSD on IPA container
+ ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ root@master.ipa.test "systemctl restart sssd"
+
+ - name: Remove ad from mhc.yaml
+ how: shell
+ script: |
+ cd /tmp/sssd/src/tests/system
+ yq -i 'del(.domains[0].hosts[] | select(.role == "ad"))' mhc.yaml
+
+ - name: Wait for samba domain connectivity
+ how: shell
+ script: |
+ echo "Wait for samba domain connectivity..."
+
+ for i in $(seq 1 90); do
+ # Check if we can resolve users from samba.test domain
+ if ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
+ -o StrictHostKeyChecking=no \
+ -o ConnectTimeout=5 \
+ root@client.test "
+ timeout 10s getent passwd Administrator@samba.test >/dev/null 2>&1
+ " 2>/dev/null; then
+ echo "Domain connectivity ready (${i}s)"
+ break
+ else
+ if [ $i -eq 90 ]; then
+ echo "User resolution not ready after 90 attempts, proceeding with tests anyway"
+ fi
+ sleep 1
+ fi
+ done
+
+execute:
+ how: tmt
+ duration: 45m
+ script: |
+ mkdir -p /tmp/artifacts
+ cd /tmp/sssd/src/tests/system
+ pytest --durations=0 \
+ --color=yes \
+ --show-capture=no \
+ --mh-config=mhc.yaml \
+ --mh-artifacts-dir=/tmp/artifacts \
+ -vvv tests/test_passkey.py
+
+finish:
+ - name: Copy artifacts
+ how: shell
+ script: |
+ if [ -d "/tmp/artifacts" ] && [ "$(ls -A /tmp/artifacts 2>/dev/null)" ]; then
+ mkdir -p $TMT_PLAN_DATA/artifacts
+ cp -r /tmp/artifacts/* $TMT_PLAN_DATA/artifacts/
+ echo "Artifacts copied to: $TMT_PLAN_DATA/artifacts"
+ else
+ echo "No artifacts to copy"
+ fi
From 394c8cd696f120515172d1d6d6dd8470459e608c Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Tue, 5 May 2026 12:05:51 +0200
Subject: [PATCH 2/5] ci: add TMT passkey tests to packit workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enable automated passkey testing on pull requests after COPR builds complete. Tests run on centos-stream-10 target using the TMT plan.
Signed-off-by: Iker Pedrosa
Co-Authored-By: Claude Sonnet 4
Reviewed-by: Jakub Vávra
Reviewed-by: Justin Stephenson
(cherry picked from commit 210f50f507c8443d1522fd7504b001e95af29950)
---
.packit.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/.packit.yaml b/.packit.yaml
index 38ad3cedbb..34ea0ca02d 100644
--- a/.packit.yaml
+++ b/.packit.yaml
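Review bot: The `Clone sssd` step of plans/passkey.fmf checks out whatever the PR branch tip is when the VM runs, not the commit the COPR RPMs were built from, so the test code and the installed SSSD can disagree if the branch moved in between. The two fallbacks (cloning master when no PR variables are set, and `COPR_REPO="packit/SSSD-sssd-master"` in the install step) go further and let the plan report a result for code that is not the PR at all. I would pin the checkout, e.g. `git -C /tmp/sssd checkout "$PACKIT_COMMIT_SHA"` if Packit exports that variable in this environment, and make the fallbacks fail when the plan runs under Packit. `sssd-ci-containers` is likewise cloned at its default-branch tip and then driven with `make up` as root, so pinning it to a tag or commit would keep the container setup reproducible.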
@@ -42,3 +42,17 @@ jobs: - upstream targets: - centos-stream-10 + + # Use fedora-latest as host for centos-10 tests due to memory constraints + # that cause swapping issues with centos-10 containers on centos hosts + - job: tests + trigger: pull_request + identifier: "centos-stream-10" + packages: + - upstream + targets: + - fedora-latest + tf_extra_params: + environments: + - variables: + CONTAINER_TARGET: "centos-10" From a626172eea6e244a3bf5389d9e54fbbe2a728bd3 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Mon, 25 May 2026 15:02:57 +0200 Subject: [PATCH 3/5] ci: fix error handling in passkey TMT plan SSH commands MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If COPR_ENABLE_CMD fails, the script will now fail immediately instead of proceeding to dnf upgrade with packages from default repositories, ensuring tests run against the correct SSSD version. Signed-off-by: Iker Pedrosa Reviewed-by: Jakub Vávra Reviewed-by: Justin Stephenson (cherry picked from commit 334449b9df7386052d1a09bcf01597b0ebb21ebc) --- plans/passkey.fmf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plans/passkey.fmf b/plans/passkey.fmf index 4625b8c4ed..61f44f38c9 100644 --- a/plans/passkey.fmf +++ b/plans/passkey.fmf @@ -154,7 +154,7 @@ prepare: ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \ -o StrictHostKeyChecking=no \ root@client.test " - $COPR_ENABLE_CMD + $COPR_ENABLE_CMD && \ dnf upgrade -y --refresh sssd* " @@ -162,7 +162,7 @@ prepare: ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \ -o StrictHostKeyChecking=no \ root@master.ipa.test " - $COPR_ENABLE_CMD + $COPR_ENABLE_CMD && \ dnf upgrade -y --refresh sssd* " From 41d599855e5fd922ca2a9d302d6758aed4f866d4 Mon Sep 17 00:00:00 2001 
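Review bot: Chaining with `&&` stops the run when `dnf copr enable` fails, but `dnf upgrade -y --refresh sssd*` still exits 0 when it finds nothing newer, so a green prepare step does not show that the PR build is what got installed. The pattern is also unquoted inside the double-quoted ssh argument, so the remote shell can expand `sssd*` against root's working directory before dnf sees it; `dnf upgrade -y --refresh 'sssd*'` avoids that. Appending `&& rpm -q sssd` as the last remote command would leave the installed version in the log. Both points apply to the `root@client.test` hunk at `@@ -154,7` and to the `root@master.ipa.test` hunk at `@@ -162,7`; the enclosing `script:` block starts and ends outside both hunks.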
From: Iker Pedrosa Date: Wed, 27 May 2026 10:02:53 +0200 Subject: [PATCH 4/5] ci: use hardware.memory syntax for TMT passkey tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update passkey.fmf to use the `hardware.memory` specification. Changed from fixed 16GB to ">= 16 GB" requirement as per Testing Farm documentation at https://docs.testing-farm.io/Testing%20Farm/0.1/test-request.html#ram Signed-off-by: Iker Pedrosa Reviewed-by: Jakub Vávra Reviewed-by: Justin Stephenson (cherry picked from commit 167b5a9c9aa596af29bbdd964be839e0d17b0301) --- plans/passkey.fmf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/plans/passkey.fmf b/plans/passkey.fmf index 61f44f38c9..a17b0f0f04 100644 --- a/plans/passkey.fmf +++ b/plans/passkey.fmf @@ -6,10 +6,8 @@ tag: passkey provision: how: virtual - # Testing Farm provides a maximum of 4GB RAM, - # but 16GB allows smoother operation by avoiding memory swap - # when running locally or if memory limits increase - memory: 16384 + hardware: + memory: ">= 16 GB" prepare: - name: Install general dependencies From df797a959dda0b8237248d928a9813bd604e89de Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Thu, 28 May 2026 10:09:54 +0200 Subject: [PATCH 5/5] ci: update passkey TMT plan for native CentOS Stream 10 execution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With 16GB RAM allocation, CentOS Stream 10 tests can now run directly on matching VM and containers. Thus, update the plan to take this into account and detect the distribution accordingly. Signed-off-by: Iker Pedrosa Reviewed-by: Jakub Vávra Reviewed-by: Justin Stephenson (cherry picked from commit 943ecbb369820a01fba2372995eaf7473aab0505) --- .packit.yaml | 10 ++-------- plans/passkey.fmf | 27 +++++++++++++++++++-------- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/.packit.yaml b/.packit.yaml index 34ea0ca02d..def5e9cba0 100644 
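Review bot: The `provision` hunk in plans/passkey.fmf drops the comment that explained the 16 GB figure, and the new `hardware.memory` line carries no reason of its own. A one-line comment above it, such as `# 16 GB avoids memory swap while the test containers are running`, would keep that rationale next to the value. The Testing Farm documentation link for the syntax appears only in the commit message, so a reader of the file does not see it.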
--- a/.packit.yaml +++ b/.packit.yaml @@ -43,16 +43,10 @@ jobs: targets: - centos-stream-10 - # Use fedora-latest as host for centos-10 tests due to memory constraints - # that cause swapping issues with centos-10 containers on centos hosts + # Run TMT tests after COPR builds complete - job: tests trigger: pull_request - identifier: "centos-stream-10" packages: - upstream targets: - - fedora-latest - tf_extra_params: - environments: - - variables: - CONTAINER_TARGET: "centos-10" + - centos-stream-10 diff --git a/plans/passkey.fmf b/plans/passkey.fmf index a17b0f0f04..615ac04e57 100644 --- a/plans/passkey.fmf +++ b/plans/passkey.fmf @@ -10,6 +10,13 @@ provision: memory: ">= 16 GB" prepare: + - name: Enable EPEL repository for CentOS Stream + how: shell + script: | + if grep -q "CentOS Stream" /etc/os-release 2>/dev/null; then + dnf install -y epel-release + fi + - name: Install general dependencies how: install package: @@ -31,11 +38,13 @@ prepare: ln -sf $(command -v podman-compose) /usr/local/bin/docker-compose fi - - name: Install and load kernel module for passkey testing + - name: Install and load kernel module for passkey testing on Fedora how: shell script: | - dnf install -y kernel-modules-extra-$(uname -r) - modprobe vhci_hcd + if grep -q "^ID=fedora" /etc/os-release 2>/dev/null; then + dnf install -y kernel-modules-extra-$(uname -r) + modprobe vhci_hcd + fi - name: Clone sssd how: shell @@ -76,11 +85,11 @@ prepare: setsebool container_manage_cgroup true cp env.example .env - # Use CONTAINER_TARGET from packit if provided, otherwise use Fedora - if [ -n "$CONTAINER_TARGET" ]; then - CONTAINER_TAG="$CONTAINER_TARGET" + # Detect system distribution and set appropriate container tag + . /tmp/sssd/contrib/ci/distro.sh + if [ "$DISTRO_ID" = "centos" ]; then + CONTAINER_TAG="centos-$DISTRO_RELEASE" else - . /tmp/sssd/contrib/ci/distro.sh CONTAINER_TAG="fedora-$DISTRO_RELEASE" fi echo "Using container tag: $CONTAINER_TAG" 
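Review bot: In the `@@ -31,11 +38,13` hunk the `vhci_hcd` module is now installed and loaded only when `/etc/os-release` says `ID=fedora`, while the same commit points the `tests` job in `.packit.yaml` at `centos-stream-10`, so on that CI path this step silently does nothing. Whether `tests/test_passkey.py` needs the module on CentOS is not visible here; if it does, the failure will surface much later and without a hint. An `else` branch that states why the module is skipped, or a final `lsmod | grep -q vhci_hcd` check where the module is required, would make that explicit.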
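Review bot: In the `@@ -76,11 +85,11` hunk `CONTAINER_TAG` is built from `DISTRO_ID` and `DISTRO_RELEASE` without checking them, and every non-CentOS host falls into the Fedora branch. If `distro.sh` leaves `DISTRO_RELEASE` empty, the tag becomes `centos-` or `fedora-` and is written into `.env` by the `sed` call before `make up` runs. A guard such as `[ -n "$DISTRO_RELEASE" ] || { echo "cannot detect distro release"; exit 1; }` right after sourcing the file would stop the step early. The `@@ -142,7 +151,9` hunk sources the same file again and has the same dependency; the file comes from the PR checkout in /tmp/sssd and its contents are not visible here.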
@@ -142,7 +151,9 @@ prepare: echo "Using COPR repo: $COPR_REPO" - if [[ "$CONTAINER_TARGET" == "centos-10" ]]; then + # Detect system distribution and set appropriate COPR command + . /tmp/sssd/contrib/ci/distro.sh + if [ "$DISTRO_ID" = "centos" ] && [ "$DISTRO_RELEASE" = "10" ]; then COPR_ENABLE_CMD="dnf copr enable -y $COPR_REPO centos-stream-10-x86_64" else COPR_ENABLE_CMD="dnf copr enable -y $COPR_REPO"