Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test: omit setting group for certificate tests on cockpit 330 and later #188

Closed
wants to merge 1 commit into from

Conversation

richm
Copy link
Contributor

@richm richm commented Dec 12, 2024

cockpit 330 uses DynamicUser instead of the hard coded user/group in
the package, so omit setting group, but keep group for other platforms.

refactor the certificate test code to DRY it a bit

Signed-off-by: Rich Megginson [email protected]

@richm richm force-pushed the group-2 branch 3 times, most recently from 28d1fd0 to 1b6fbb6 Compare December 12, 2024 21:55
@richm
Copy link
Contributor Author

richm commented Dec 12, 2024

[citest]

@richm
Copy link
Contributor Author

richm commented Dec 12, 2024

[citest]

@richm richm mentioned this pull request Dec 12, 2024
2 tasks
cockpit 330 uses DynamicUser instead of the hard coded user/group in
the package, so omit setting group, but keep group for other platforms.

refactor the certificate test code to DRY it a bit

Signed-off-by: Rich Megginson <[email protected]>
@richm
Copy link
Contributor Author

richm commented Dec 13, 2024

[citest]

@richm
Copy link
Contributor Author

richm commented Dec 13, 2024

Not sure what's going on with the integration tests. The error is that the cockpit service/socket restarts too quickly too many times, and systemd is shutting it down. But I'm not sure why it is happening with my PR - perhaps I changed the timing? At any rate, we have seen similar issues in other tests, and have had to fix them like https://github.com/linux-system-roles/journald/blob/main/tests/tests_example.yml#L28 - I will submit another PR to address that in the tests.

@richm
Copy link
Contributor Author

richm commented Dec 13, 2024

and this version doesn't clean up /etc/cockpit/ws-certs.d/50-system-role.* - because I didn't want to remove any files installed by the package, I changed the code that removed /etc/cockpit/ws-certs.d/*

Copy link
Collaborator

@martinpitt martinpitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I really don't like the proliferation of the group: setting. #187 gets rid of that in a more thorough and forward-looking way.

However, the factorization of cert setup for the three test_certificate* is nice -- perhaps you can dedicate this PR to that, and we land both?

@@ -212,7 +212,8 @@ assuming your machines are joined to a FreeIPA domain.
- name: monger-cockpit
dns: ['localhost', 'www.example.com']
ca: ipa
group: cockpit-ws
# NOTE: omit group when using cockpit 330 and later (Fedora and EL10)
group: cockpit-ws # or cockpit-wsinstance on newer cockpit versions
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This advice is wrong and even dangerous -- files should never be owned by cockpit-wsinstance. cockpit-tls needs to read the certificates, but the actual cockpit-ws units really shouldn't. There were only two situations:

  • with cockpit < 257 the certificate needed to readable by group cockpit-ws
  • after that, the certificate ownership does not matter any more (it's copied by a tiny root helper process), so you can share it with other services; but it should not be owned by system groups.

It also keeps setting the group by default, which has been obsolete for a loooong time. It's only necessary on RHEL 7.

@richm richm closed this Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants