Merged
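--- a/.fmf/version
+++ b/.fmf/version
@@ -0,0 +1 @@
+1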
14 changes: 14 additions & 0 deletions .packit.yaml
@@ -45,6 +45,20 @@ jobs:
- fedora-all
- centos-stream-10

# Use fedora-latest as host for centos-10 tests due to memory constraints
# that cause swapping issues with centos-10 containers on centos hosts
- job: tests
trigger: pull_request
identifier: "centos-stream-10"
packages:
- upstream
targets:
- fedora-latest
tf_extra_params:
environments:
- variables:
CONTAINER_TARGET: "centos-10"

# Create Fedora pull request on release
- job: propose_downstream
trigger: release
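Review bot: `CONTAINER_TARGET: "centos-10"` is a magic string with two consumers in plans/passkey.fmf: it becomes the container image tag in the "Setup containers" step, and it is compared literally against `centos-10` to select the `centos-stream-10-x86_64` COPR chroot. A comment on the variable would keep the two in step, e.g. `# must match an sssd-ci-containers tag; plans/passkey.fmf selects the COPR chroot on this exact value`. The identifier `centos-stream-10` also names the container under test rather than the `fedora-latest` target the job runs on; the comment above the job explains this, but the status check name will not.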
234 changes: 234 additions & 0 deletions plans/passkey.fmf
@@ -0,0 +1,234 @@
summary: SSSD passkey tests
description: |
Test passkey functionality with SSSD across different identity providers
(IPA, LDAP, Samba).
tag: passkey

provision:
how: virtual
# Testing Farm provides a maximum of 4GB RAM,
# but 16GB allows smoother operation by avoiding memory swap
# when running locally or if memory limits increase
memory: 16384

prepare:
- name: Install general dependencies
how: install
package:
- expect
- gcc
- git
- openldap-devel
- podman
- podman-compose
- podman-docker
- python3-devel
- python3-pip
- yq

- name: Setup docker-compose compatibility
how: shell
script: |
if ! command -v docker-compose >/dev/null 2>&1; then
ln -sf $(command -v podman-compose) /usr/local/bin/docker-compose
fi

- name: Install and load kernel module for passkey testing
how: shell
script: |
dnf install -y kernel-modules-extra-$(uname -r)
modprobe vhci_hcd

- name: Clone sssd
how: shell
script: |
if [ -n "$PACKIT_SOURCE_BRANCH" ] && [ -n "$PACKIT_SOURCE_URL" ]; then
echo "Direct PR branch clone: url $PACKIT_SOURCE_URL branch $PACKIT_SOURCE_BRANCH"
git clone --branch "$PACKIT_SOURCE_BRANCH" "$PACKIT_SOURCE_URL" /tmp/sssd
elif [ -n "$PACKIT_PR_ID" ]; then
echo "PR ID fetch: PR ID $PACKIT_PR_ID"
git clone https://github.com/SSSD/sssd.git /tmp/sssd
cd /tmp/sssd
git fetch origin "pull/$PACKIT_PR_ID/head:pr-$PACKIT_PR_ID"
git checkout "pr-$PACKIT_PR_ID"
else
echo "No PR context found, master branch fallback"
git clone https://github.com/SSSD/sssd.git /tmp/sssd
fi

cd /tmp/sssd
echo "Current branch: $(git branch --show-current)"
echo "Current commit: $(git rev-parse HEAD)"

- name: Clone sssd-ci-containers
how: shell
script:
- git clone https://github.com/SSSD/sssd-ci-containers.git /tmp/sssd-ci-containers

- name: Install test dependencies
how: shell
script:
- pip3 install --break-system-packages -r /tmp/sssd/src/tests/system/requirements.txt

- name: Setup containers
how: shell
script: |
cd /tmp/sssd-ci-containers
systemctl enable --now podman.socket
setsebool container_manage_cgroup true
cp env.example .env

# Use CONTAINER_TARGET from packit if provided, otherwise use Fedora
if [ -n "$CONTAINER_TARGET" ]; then
CONTAINER_TAG="$CONTAINER_TARGET"
else
. /tmp/sssd/contrib/ci/distro.sh
CONTAINER_TAG="fedora-$DISTRO_RELEASE"
fi
echo "Using container tag: $CONTAINER_TAG"
sed -i "s/TAG=latest/TAG=$CONTAINER_TAG/g" .env

make setup-dns-files
make up

- name: Fix SSH key permissions
how: shell
script:
- chmod 600 /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa

- name: Wait for client and IPA containers to be ready
how: shell
script: |
# Wait for client container
for i in $(seq 1 60); do
if ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
-o ConnectTimeout=5 \
Comment thread
ikerexxe marked this conversation as resolved.
root@client.test "echo 'ready'" >/dev/null 2>&1; then
echo "Client container ready"
break
fi
if [ $i -eq 60 ]; then
echo "ERROR: Client container not ready after 60 attempts"
exit 1
fi
sleep 1
done

# Wait for IPA container
for i in $(seq 1 60); do
if ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
-o ConnectTimeout=5 \
root@master.ipa.test "echo 'ready'" >/dev/null 2>&1; then
echo "IPA container ready"
break
fi
if [ $i -eq 60 ]; then
echo "ERROR: IPA container not ready after 60 attempts"
exit 1
fi
sleep 1
done

- name: Install SSSD from PR build into containers
how: shell
script: |
# Get COPR repo name from environment
if [ -n "$PACKIT_COPR_PROJECT" ]; then
COPR_REPO="$PACKIT_COPR_PROJECT"
else
echo "WARNING: No PACKIT_COPR_PROJECT found, using latest master build"
COPR_REPO="packit/SSSD-sssd-master"
Comment thread
ikerexxe marked this conversation as resolved.
fi

echo "Using COPR repo: $COPR_REPO"

if [[ "$CONTAINER_TARGET" == "centos-10" ]]; then
COPR_ENABLE_CMD="dnf copr enable -y $COPR_REPO centos-stream-10-x86_64"
else
COPR_ENABLE_CMD="dnf copr enable -y $COPR_REPO"
fi

# Install on client container
ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
root@client.test "
$COPR_ENABLE_CMD
dnf upgrade -y --refresh sssd*
"

# Install on IPA container
ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
root@master.ipa.test "
$COPR_ENABLE_CMD
dnf upgrade -y --refresh sssd*
"

- name: Restart SSSD services in containers
how: shell
script: |
# Restart SSSD on client container
ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
root@client.test "systemctl restart sssd"

# Restart SSSD on IPA container
ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
root@master.ipa.test "systemctl restart sssd"

- name: Remove ad from mhc.yaml
how: shell
script: |
cd /tmp/sssd/src/tests/system
yq -i 'del(.domains[0].hosts[] | select(.role == "ad"))' mhc.yaml

- name: Wait for samba domain connectivity
how: shell
script: |
echo "Wait for samba domain connectivity..."

for i in $(seq 1 90); do
# Check if we can resolve users from samba.test domain
if ssh -i /tmp/sssd-ci-containers/data/ssh-keys/root.id_rsa \
-o StrictHostKeyChecking=no \
-o ConnectTimeout=5 \
root@client.test "
timeout 10s getent passwd Administrator@samba.test >/dev/null 2>&1
" 2>/dev/null; then
echo "Domain connectivity ready (${i}s)"
break
else
if [ $i -eq 90 ]; then
echo "User resolution not ready after 90 attempts, proceeding with tests anyway"
Comment thread
ikerexxe marked this conversation as resolved.
fi
sleep 1
fi
done

execute:
how: tmt
duration: 45m
script: |
mkdir -p /tmp/artifacts
cd /tmp/sssd/src/tests/system
pytest --durations=0 \
--color=yes \
--show-capture=no \
--mh-config=mhc.yaml \
--mh-artifacts-dir=/tmp/artifacts \
-vvv tests/test_passkey.py

finish:
- name: Copy artifacts
how: shell
script: |
if [ -d "/tmp/artifacts" ] && [ "$(ls -A /tmp/artifacts 2>/dev/null)" ]; then
mkdir -p $TMT_PLAN_DATA/artifacts
cp -r /tmp/artifacts/* $TMT_PLAN_DATA/artifacts/
echo "Artifacts copied to: $TMT_PLAN_DATA/artifacts"
else
echo "No artifacts to copy"
fi
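Review bot: Nothing in the "Install SSSD from PR build into containers" step confirms that the PR build ended up installed. `dnf upgrade -y --refresh sssd*` exits 0 when there is nothing newer to install, so the passkey tests can pass against the sssd already present in the container image. Log or assert the installed build right after the upgrade on both hosts, e.g. `dnf upgrade -y --refresh 'sssd*' && rpm -q sssd`, so a green run can be tied to the COPR build; quoting the glob also stops the remote shell from expanding `sssd*` against files in root's working directory. Separately, `$COPR_REPO` (presumably supplied by Packit through `PACKIT_COPR_PROJECT`) is expanded locally into a command string that runs as root over ssh, so it is worth rejecting values that are not a plain `owner/project` name before building `COPR_ENABLE_CMD`.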