Add test for CA container system service
A new test has been added to run a CA container as a system
service. The container is running in Podman which runs inside
a Fedora container (i.e. pki-runner). The service is owned by
the root user but running as PKI user. In the future there
will be a separate test to run a CA container as a rootless
user service.
edewata committed Jun 5, 2024
1 parent 92d6b50 commit 612b86c
Showing 2 changed files with 337 additions and 0 deletions.
332 changes: 332 additions & 0 deletions .github/workflows/ca-container-system-service-test.yml
@@ -0,0 +1,332 @@
name: CA container system service

on: workflow_call

env:
DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
test:
name: Test
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v4

- name: Retrieve PKI images
uses: actions/cache@v4
with:
key: pki-images-${{ github.sha }}
path: pki-images.tar

- name: Load PKI images
run: docker load --input pki-images.tar

- name: Create network
run: docker network create example

- name: Set up DS container
run: |
tests/bin/ds-container-create.sh \
--image=${{ env.DB_IMAGE }} \
--hostname=ds.example.com \
--network=example \
--network-alias=ds.example.com \
--password=Secret.123 \
ds
- name: Set up PKI container
run: |
tests/bin/runner-init.sh \
--hostname=ca.example.com \
--network=example \
pki
- name: Install Podman
run: |
docker exec pki dnf install -y podman
- name: Load PKI images into root user's space
run: |
docker exec pki podman load --input $SHARED/pki-images.tar
docker exec pki podman images
- name: Create shared folders in PKI user's home directory
run: |
# create folders with default owner and permissions
docker exec -u pkiuser pki mkdir /home/pkiuser/certs
docker exec -u pkiuser pki mkdir /home/pkiuser/conf
docker exec -u pkiuser pki mkdir /home/pkiuser/logs
docker exec pki ls -l /home/pkiuser
- name: Create CA system service
run: |
# create container unit file
# https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
docker exec -i pki tee /etc/containers/systemd/pki-ca.container << EOF
[Unit]
Description=PKI CA
[Container]
Image=pki-ca
Network=host
# run CA container as PKI user
User=pkiuser
Group=pkiuser
# use shared folders in PKI home directory
Volume=/home/pkiuser/certs:/certs
Volume=/home/pkiuser/conf:/conf
Volume=/home/pkiuser/logs:/logs
# connect to DS container
Environment=PKI_DS_URL=ldap://ds.example.com:3389
Environment=PKI_DS_PASSWORD=Secret.123
[Install]
WantedBy=multi-user.target
EOF
# check service unit file generated by Quadlet
docker exec pki /usr/libexec/podman/quadlet -dryrun
# reload service unit files
docker exec pki systemctl daemon-reload
- name: Run CA system service
run: |
docker exec pki systemctl start pki-ca.service
docker exec pki podman ps
# wait for CA to start
docker exec pki curl \
--retry 180 \
--retry-delay 0 \
--retry-connrefused \
-s \
-k \
-o /dev/null \
https://ca.example.com:8443
- name: Check conf dir
if: always()
run: |
docker exec pki ls -l /home/pkiuser/conf \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output
# everything should be owned by pkiuser group
# TODO: review owners/permissions
cat > expected << EOF
drwxrwxrwx pkiuser Catalina
drwxrwxrwx pkiuser alias
drwxrwxrwx pkiuser ca
-rw-rw-rw- pkiuser catalina.policy
lrwxrwxrwx pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwxrwx pkiuser certs
lrwxrwxrwx pkiuser context.xml -> /etc/tomcat/context.xml
-rw-rw-rw- pkiuser jss.conf
lrwxrwxrwx pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw-rw- pkiuser password.conf
-rw-rw-rw- pkiuser server.xml
-rw-rw-rw- pkiuser serverCertNick.conf
-rw-rw-rw- pkiuser tomcat.conf
lrwxrwxrwx pkiuser web.xml -> /etc/tomcat/web.xml
EOF
diff expected output
- name: Check conf/alias dir
if: always()
run: |
docker exec pki ls -l /home/pkiuser/conf/alias \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output
# everything should be owned by pkiuser group
# TODO: review owners/permissions
cat > expected << EOF
-rw-rw-rw- pkiuser ca.crt
-rw-rw-rw- pkiuser cert9.db
-rw-rw-rw- pkiuser key4.db
-rw-rw-rw- pkiuser pkcs11.txt
EOF
diff expected output
- name: Check conf/ca dir
if: always()
run: |
docker exec pki ls -l /home/pkiuser/conf/ca \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
-e '/^\S* *\S* *\S* *CS.cfg.bak /d' \
| tee output
# everything should be owned by pkiuser group
# TODO: review owners/permissions
cat > expected << EOF
-rw-rw-rw- pkiuser CS.cfg
-rw-rw-rw- pkiuser adminCert.profile
drwxrwxrwx pkiuser archives
-rw-rw-rw- pkiuser caAuditSigningCert.profile
-rw-rw-rw- pkiuser caCert.profile
-rw-rw-rw- pkiuser caOCSPCert.profile
drwxrwxrwx pkiuser emails
-rw-rw-rw- pkiuser flatfile.txt
drwxrwxrwx pkiuser profiles
-rw-rw-rw- pkiuser proxy.conf
-rw-rw-rw- pkiuser registry.cfg
-rw-rw-rw- pkiuser serverCert.profile
-rw-rw-rw- pkiuser subsystemCert.profile
EOF
diff expected output
- name: Check logs dir
if: always()
run: |
docker exec pki ls -l /home/pkiuser/logs \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output
DATE=$(date +'%Y-%m-%d')
# everything should be owned by pkiuser group
# TODO: review owners/permissions
cat > expected << EOF
drwxrwx--- pkiuser backup
drwxrwxrwx pkiuser ca
-rw-rw-rw- pkiuser catalina.$DATE.log
-rw-rw-rw- pkiuser host-manager.$DATE.log
-rw-rw-rw- pkiuser localhost.$DATE.log
-rw-rw-rw- pkiuser localhost_access_log.$DATE.txt
-rw-rw-rw- pkiuser manager.$DATE.log
drwxrwxrwx pkiuser pki
EOF
diff expected output
- name: Check CA info
run: |
docker exec pki pki nss-cert-import \
--cert /home/pkiuser/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
docker exec pki pki info
# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database
- name: Initialize CA database
run: |
docker exec pki podman exec systemd-pki-ca \
pki-server ca-db-init -v
docker exec pki podman exec systemd-pki-ca \
pki-server ca-db-index-add -v
docker exec pki podman exec systemd-pki-ca \
pki-server ca-db-index-rebuild -v
docker exec pki podman exec systemd-pki-ca \
pki-server ca-db-vlv-add -v
docker exec pki podman exec systemd-pki-ca \
pki-server ca-db-vlv-reindex -v
# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
- name: Add CA admin user
run: |
# create CA admin user
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-add \
--full-name Administrator \
--type adminType \
admin
# assign admin cert to CA admin user
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-cert-add \
--cert /certs/admin.crt \
admin
# add CA admin user into CA groups
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-role-add admin "Administrators"
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-role-add admin "Certificate Manager Agents"
- name: Check CA admin user
run: |
docker exec pki pki pkcs12-import \
--pkcs12 /home/pkiuser/certs/admin.p12 \
--password Secret.123
docker exec pki pki \
-n admin \
ca-user-show \
admin
- name: Check cert enrollment
run: |
docker exec pki pki \
client-cert-request \
uid=testuser | tee output
REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
echo "REQUEST_ID: $REQUEST_ID"
docker exec pki pki \
-n admin \
ca-cert-request-approve \
$REQUEST_ID \
--force
- name: Check DS server systemd journal
if: always()
run: |
docker exec ds journalctl -x --no-pager -u [email protected]
- name: Check DS container logs
if: always()
run: |
docker logs ds
- name: Check CA container systemd journal
if: always()
run: |
docker exec pki journalctl -x --no-pager -u pki-ca.service
- name: Check CA container logs
if: always()
run: |
docker exec pki podman logs systemd-pki-ca 2>&1
- name: Check CA debug logs
if: always()
run: |
docker exec pki find /home/pkiuser/logs/ca -name "debug.*" -exec cat {} \;
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh ds
tests/bin/pki-artifacts-save.sh pki
mkdir -p /tmp/artifacts/ca
docker cp pki:/home/pkiuser/certs /tmp/artifacts/ca
docker cp pki:/home/pkiuser/conf /tmp/artifacts/ca
docker cp pki:/home/pkiuser/logs /tmp/artifacts/ca
docker exec pki podman logs systemd-pki-ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: ca-container-system-service
path: /tmp/artifacts
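Review bot: The `Check conf dir`, `Check conf/alias dir`, `Check conf/ca dir` and `Check logs dir` steps drop the owner column in their sed substitution and compare only permissions, group and name, so a file created by root would still pass as long as its group is pkiuser — which undercuts the `User=pkiuser` / `Group=pkiuser` settings in the unit and the commit description's claim that the service runs as the PKI user. Capturing the third field too, `-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/'`, and adding the owner to each `expected` heredoc would make the check assert what the test is meant to prove. The expected listings also pin `-rw-rw-rw-` on `password.conf`, `cert9.db` and `key4.db`, i.e. the test codifies world-writable credential files as the correct state; the `# TODO: review owners/permissions` comments should say explicitly that they track a known laxness rather than the intended layout, so a later tightening is not read as a regression by `diff expected output`. Separately, `Environment=PKI_DS_PASSWORD=Secret.123` leaves the DS bind password in `/etc/containers/systemd/pki-ca.container` and in `podman inspect` output; that is acceptable for a throwaway CI fixture, but a `# test-only credential, not for real deployments` comment next to it (or Quadlet's `Secret=` / `EnvironmentFile=` keys) would keep the unit from being copied as-is.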
5 changes: 5 additions & 0 deletions .github/workflows/ca-container-tests.yml
Expand Up @@ -17,3 +17,8 @@ jobs:
name: CA container with existing certs
needs: build
uses: ./.github/workflows/ca-container-existing-certs-test.yml

ca-container-system-service-test:
name: CA container system service
needs: build
uses: ./.github/workflows/ca-container-system-service-test.yml
