#!/bin/bash
# Installs the osbuild-composer test configuration and the repository
# overrides that the tests expect under /etc/osbuild-composer.
set -o errexit -o nounset -o xtrace -o pipefail

# ID and VERSION_ID from os-release are read later in this script.
. /etc/os-release

# Test configuration files shipped under /usr/share/tests.
sudo mkdir -p /etc/osbuild-composer
sudo cp -a /usr/share/tests/osbuild-composer/composer/*.toml /etc/osbuild-composer/

# Copy rpmrepo snapshots for use in weldr tests
sudo mkdir -p /etc/osbuild-composer/repositories
# Copy all fedora repo overrides
sudo cp -a /usr/share/tests/osbuild-composer/repositories/fedora-*.json /etc/osbuild-composer/repositories/
# RHEL nightly repos need to be overridden in rhel-8.json and rhel-8-beta.json
if [[ "${ID}-${VERSION_ID}" == "rhel-8.4" ]]; then
    # The RHEL 8.4 test needs nightly repos, so the old rhel-8.json is replaced
    # and rhel-8-beta.json is pointed at the same file.
    sudo cp /usr/share/tests/osbuild-composer/repositories/rhel-84.json /etc/osbuild-composer/repositories/rhel-8.json
    # provision.sh may be called by several tests on the same host; -f lets
    # the symlink be replaced when it already exists.
    sudo ln -sf /etc/osbuild-composer/repositories/rhel-8.json /etc/osbuild-composer/repositories/rhel-8-beta.json
fi
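# Generate all X.509 certificates for the tests
# The whole generation is done in a $CADIR to better represent how osbuild-ca
# does it.
#
# Everything generated here is test-only key material: private keys are written
# unencrypted (-nodes) and the CA private key stays on this host. Do not reuse
# this CA or any of these keys outside the test environment.
CERTDIR=/etc/osbuild-composer
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
CADIR=/etc/osbuild-composer-test/ca

# The $CADIR might exist from a previous test (current Schutzbot's imperfection)
# ${CADIR:?} aborts the script instead of handing an empty path to rm -rf.
sudo rm -rf -- "${CADIR:?}" || true
sudo mkdir -p "$CADIR"

# The relative paths used below (private/, ca.cert.pem, and presumably the
# paths inside $OPENSSL_CONFIG) resolve against $CADIR.
pushd "$CADIR"
sudo mkdir certs private
sudo touch index.txt

# Generate a CA.
sudo openssl req -config "$OPENSSL_CONFIG" \
    -keyout private/ca.key.pem \
    -new -nodes -x509 -extensions osbuild_ca_ext \
    -out ca.cert.pem -subj "/CN=osbuild.org"

# Copy the CA certificate (not its private key) to the location expected by the tests
sudo cp ca.cert.pem "$CERTDIR"/ca-crt.pem

# Certificate signing requests are written into $CADIR, which was created via
# sudo above, rather than under fixed file names in world-writable /tmp where
# a root-run openssl would write to a predictable path.

# Generate a composer certificate.
sudo openssl req -config "$OPENSSL_CONFIG" \
    -keyout "$CERTDIR"/composer-key.pem \
    -new -nodes \
    -out "$CADIR"/composer-csr.pem \
    -subj "/CN=localhost/emailAddress=osbuild@example.com" \
    -addext "subjectAltName=DNS:localhost"

sudo openssl ca -batch -config "$OPENSSL_CONFIG" \
    -extensions osbuild_server_ext \
    -in "$CADIR"/composer-csr.pem \
    -out "$CERTDIR"/composer-crt.pem

# Hand the composer key and certificate to the _osbuild-composer account
# (presumably the user the service runs as).
sudo chown _osbuild-composer "$CERTDIR"/composer-*.pem

# Generate a worker certificate.
sudo openssl req -config "$OPENSSL_CONFIG" \
    -keyout "$CERTDIR"/worker-key.pem \
    -new -nodes \
    -out "$CADIR"/worker-csr.pem \
    -subj "/CN=localhost/emailAddress=osbuild@example.com" \
    -addext "subjectAltName=DNS:localhost"

sudo openssl ca -batch -config "$OPENSSL_CONFIG" \
    -extensions osbuild_client_ext \
    -in "$CADIR"/worker-csr.pem \
    -out "$CERTDIR"/worker-crt.pem

# Generate a client certificate.
sudo openssl req -config "$OPENSSL_CONFIG" \
    -keyout "$CERTDIR"/client-key.pem \
    -new -nodes \
    -out "$CADIR"/client-csr.pem \
    -subj "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
    -addext "subjectAltName=DNS:client.osbuild.org"

sudo openssl ca -batch -config "$OPENSSL_CONFIG" \
    -extensions osbuild_client_ext \
    -in "$CADIR"/client-csr.pem \
    -out "$CERTDIR"/client-crt.pem

# Client keys are used by tests to access the composer APIs. Allow all users access.
# NOTE: this makes a private key world-readable. That is acceptable only
# because the key is issued by the throwaway test CA generated above.
sudo chmod 644 "$CERTDIR"/client-key.pem

# Generate a kojihub certificate.
sudo openssl req -config "$OPENSSL_CONFIG" \
    -keyout "$CERTDIR"/kojihub-key.pem \
    -new -nodes \
    -out "$CADIR"/kojihub-csr.pem \
    -subj "/CN=localhost/emailAddress=osbuild@example.com" \
    -addext "subjectAltName=DNS:localhost"

sudo openssl ca -batch -config "$OPENSSL_CONFIG" \
    -extensions osbuild_server_ext \
    -in "$CADIR"/kojihub-csr.pem \
    -out "$CERTDIR"/kojihub-crt.pem

popd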
# Start the socket units one after another, in the same order as before.
for unit in osbuild-remote-worker.socket osbuild-composer.socket osbuild-composer-api.socket; do
    sudo systemctl start "$unit"
done

# The keys were regenerated, but osbuild-composer might already be running,
# so try to restart it. Ideally this would not be needed, because every test
# case is supposed to run on a pristine machine; that is currently not true
# on Schutzbot.
sudo systemctl try-restart osbuild-composer

# Basic verification
sudo composer-cli status show
sudo composer-cli sources list
# The unquoted $(...) is split on whitespace, so every word of the listing is
# queried as a source name.
for SOURCE in $(sudo composer-cli sources list); do
    sudo composer-cli sources info "$SOURCE"
done