├── .ansible-lint ├── .copr └── Makefile ├── .github ├── actions │ ├── build │ │ └── action.yml │ ├── get-build-matrix │ │ └── action.yml │ ├── install-dependencies │ │ └── action.yml │ └── publish │ │ └── action.yml └── workflows │ ├── actions.yml │ ├── build.yml │ ├── rpms.yml │ └── vagrant.yml ├── .gitignore ├── LICENSE ├── Makefile ├── actions ├── exec │ └── action.yml └── setup │ └── action.yml ├── data ├── certs │ ├── ca.crt │ ├── ca.key │ ├── dc.samba.test.crt │ ├── dc.samba.test.key │ ├── master.keycloak.test.crt │ ├── master.keycloak.test.key │ ├── master.ldap.test.crt │ └── master.ldap.test.key ├── configs │ ├── dnsmasq.conf │ ├── nm_enable_dnsmasq.conf │ ├── nm_zone_test.conf │ ├── openssl_ca.cfg │ ├── openssl_sign_ca.ext │ └── openssl_sign_service.ext └── ssh-keys │ ├── ci.id_rsa │ ├── ci.id_rsa.pub │ ├── hosts │ ├── client.test.ecdsa_key │ ├── client.test.ecdsa_key.pub │ ├── client.test.ed25519_key │ ├── client.test.ed25519_key.pub │ ├── client.test.rsa_key │ ├── client.test.rsa_key.pub │ ├── dc.samba.test.ecdsa_key │ ├── dc.samba.test.ecdsa_key.pub │ ├── dc.samba.test.ed25519_key │ ├── dc.samba.test.ed25519_key.pub │ ├── dc.samba.test.rsa_key │ ├── dc.samba.test.rsa_key.pub │ ├── dns.test.ecdsa_key │ ├── dns.test.ecdsa_key.pub │ ├── dns.test.ed25519_key │ ├── dns.test.ed25519_key.pub │ ├── dns.test.rsa_key │ ├── dns.test.rsa_key.pub │ ├── kdc.test.ecdsa_key │ ├── kdc.test.ecdsa_key.pub │ ├── kdc.test.ed25519_key │ ├── kdc.test.ed25519_key.pub │ ├── kdc.test.rsa_key │ ├── kdc.test.rsa_key.pub │ ├── master.ipa.test.ecdsa_key │ ├── master.ipa.test.ecdsa_key.pub │ ├── master.ipa.test.ed25519_key │ ├── master.ipa.test.ed25519_key.pub │ ├── master.ipa.test.rsa_key │ ├── master.ipa.test.rsa_key.pub │ ├── master.ipa2.test.ecdsa_key │ ├── master.ipa2.test.ecdsa_key.pub │ ├── master.ipa2.test.ed25519_key │ ├── master.ipa2.test.ed25519_key.pub │ ├── master.ipa2.test.rsa_key │ ├── master.ipa2.test.rsa_key.pub │ ├── master.keycloak.test.ecdsa_key │ ├── 
master.keycloak.test.ecdsa_key.pub │ ├── master.keycloak.test.ed25519_key │ ├── master.keycloak.test.ed25519_key.pub │ ├── master.keycloak.test.rsa_key │ ├── master.keycloak.test.rsa_key.pub │ ├── master.ldap.test.ecdsa_key │ ├── master.ldap.test.ecdsa_key.pub │ ├── master.ldap.test.ed25519_key │ ├── master.ldap.test.ed25519_key.pub │ ├── master.ldap.test.rsa_key │ ├── master.ldap.test.rsa_key.pub │ ├── nfs.test.ecdsa_key │ ├── nfs.test.ecdsa_key.pub │ ├── nfs.test.ed25519_key │ ├── nfs.test.ed25519_key.pub │ ├── nfs.test.rsa_key │ └── nfs.test.rsa_key.pub │ ├── root.id_rsa │ └── root.id_rsa.pub ├── docker-compose.passkey.yml ├── docker-compose.yml ├── env.containers ├── env.example ├── misc └── demo.gif ├── readme.md ├── shared └── .gitkeep └── src ├── Containerfile ├── Vagrantfile ├── ansible ├── ansible.cfg ├── filter_plugins │ └── distro.py ├── group_vars │ └── all ├── inventory.yml ├── playbook_image_base.yml ├── playbook_image_service.yml ├── playbook_vagrant.yml ├── playbook_vm.yml └── roles │ ├── ad │ ├── defaults │ │ └── main.yml │ ├── files │ │ └── sudo.schema │ └── tasks │ │ ├── dns.yml │ │ ├── install.yml │ │ ├── main.yml │ │ └── schema.yml │ ├── cleanup │ └── tasks │ │ └── main.yml │ ├── client │ ├── tasks │ │ ├── enroll_AD.yml │ │ ├── enroll_IPA.yml │ │ ├── enroll_samba.yml │ │ └── main.yml │ └── templates │ │ ├── krb5.conf │ │ └── sssd.conf │ ├── common │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── sudoers │ ├── dns │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── etc.dnsmasq.conf.j2 │ ├── facts │ └── tasks │ │ ├── CentOS10.yml │ │ ├── CentOS8.yml │ │ ├── CentOS9.yml │ │ ├── Debian.yml │ │ ├── Fedora.yml │ │ ├── RedHat.yml │ │ ├── Ubuntu.yml │ │ └── main.yml │ ├── firewall │ └── tasks │ │ └── main.yml │ ├── ipa │ └── tasks │ │ └── main.yml │ ├── ipasmartcard │ ├── defaults │ │ └── main.yml │ └── tasks │ │ └── main.yml │ ├── kdc │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── krb5.conf │ ├── keycloak │ ├── defaults │ │ └── main.yml │ 
└── tasks │ │ └── main.yml │ ├── ldap │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── instance.inf │ ├── nfs │ └── tasks │ │ └── main.yml │ ├── no_nscd │ └── tasks │ │ └── main.yml │ ├── packages │ ├── tasks │ │ ├── CentOS10.yml │ │ ├── CentOS8.yml │ │ ├── CentOS9.yml │ │ ├── Debian.yml │ │ ├── Fedora.yml │ │ ├── RedHat-rpm-ostree.yml │ │ ├── RedHat8.yml │ │ ├── Ubuntu.yml │ │ └── main.yml │ └── templates │ │ └── repo │ ├── passkey │ ├── files │ │ └── random.c │ └── tasks │ │ └── main.yml │ ├── samba │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── samba-sysvolreset.service │ │ ├── sudo.attrs.ldif.j2 │ │ └── sudo.class.ldif.j2 │ ├── ssh_server │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── sshd.conf │ └── virtsmartcard │ ├── tasks │ └── main.yml │ └── templates │ ├── softhsm2.conf.j2 │ └── virt_cacard.service.j2 ├── build.sh ├── docker-compose.build.yml ├── push.sh ├── rpms ├── Makefile ├── ci-sssd.spec └── random.c └── tools ├── gen-certs.sh ├── gen-ssh-keys.sh ├── get-build-matrix.py ├── get-container-engine.sh ├── setup-dns-files.sh ├── setup-dns.sh └── trust-ca.sh /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | skip_list: 3 | - no-changed-when 4 | -------------------------------------------------------------------------------- /.copr/Makefile: -------------------------------------------------------------------------------- 1 | srpm: 2 | make -C ./src/rpms srpm 3 | [ -n "$(outdir)" ] && cp ./rpmbuild/SRPMS/* "$(outdir)" || : 4 | -------------------------------------------------------------------------------- /.github/actions/build/action.yml: -------------------------------------------------------------------------------- 1 | name: 'Build images' 2 | inputs: 3 | base_image: 4 | description: Base image. 5 | required: true 6 | tag: 7 | description: Output tag. 8 | required: true 9 | unavailable: 10 | description: Space separated list of unavailable services. 
11 |     required: false
12 |     default: ""
13 | runs:
14 |   using: "composite"
15 |   steps:
       # NOTE(review): nick-fields/retry is a third-party action referenced by the
       # mutable tag v2; pinning it to a full commit SHA would keep a re-tagged
       # release from changing what runs in this job.
       # NOTE(review): the inputs.* expressions below are substituted into the
       # command text before the shell parses it, so base_image, tag and
       # unavailable must only ever come from trusted workflow configuration.
16 |   - name: Build containers
17 |     uses: nick-fields/retry@v2
18 |     with:
19 |       shell: bash
20 |       max_attempts: 3
21 |       timeout_minutes: 120
22 |       retry_on: error
23 |       command: |
24 |         sudo --preserve-env=ANSIBLE_FORCE_COLOR,DOCKER_HOST \
25 |           make build \
26 |           BASE_IMAGE="${{ inputs.base_image }}" \
27 |           TAG="${{ inputs.tag }}" \
28 |           UNAVAILABLE="${{ inputs.unavailable }}" \
29 |           XDG_RUNTIME_DIR=
30 |
--------------------------------------------------------------------------------
/.github/actions/get-build-matrix/action.yml:
--------------------------------------------------------------------------------
     # Composite action that runs src/tools/get-build-matrix.py and exposes the
     # output of the step with id "matrix" as this action's "matrix" output.
1 | name: 'Get build matrix'
2 | description: 'Get build matrix for the CI containers'
3 | outputs:
4 |   matrix:
5 |     description: Build matrix in JSON format.
6 |     value: ${{ steps.matrix.outputs.matrix }}
7 | runs:
8 |   using: "composite"
9 |   steps:
10 |   - name: Get build matrix
11 |     id: matrix
12 |     shell: bash
13 |     run: |
14 |       ./src/tools/get-build-matrix.py action
15 |
--------------------------------------------------------------------------------
/.github/actions/install-dependencies/action.yml:
--------------------------------------------------------------------------------
     # Composite action that prepares the runner for building and publishing:
     # ansible/passlib via pip, podman and docker-compose via apt, two pinned
     # workaround downloads, and the podman socket.
1 | name: 'Install dependencies'
2 | description: 'Install dependencies for building and publishing containers'
3 |
4 | inputs:
5 |   tag:
6 |     description: Built container tag.
7 |     required: false
8 |     default: ""
9 |
10 | runs:
11 |   using: "composite"
12 |   steps:
       # NOTE(review): both pip steps install system-wide as root. passlib is
       # unpinned in both, and ansible is unpinned in the second, so each run
       # installs whatever PyPI serves at that moment.
13 |   - name: Install python packages with older ansible for Centos 8
14 |     if: ${{ inputs.tag == 'centos-8' }}
15 |     shell: bash
16 |     run: |
17 |       sudo pip3 install ansible==9.8 passlib
18 |
19 |   - name: Install python packages
20 |     if: ${{ inputs.tag != 'centos-8' }}
21 |     shell: bash
22 |     run: |
23 |       sudo pip3 install ansible passlib
24 |
25 |   - name: Install deb packages
26 |     shell: bash
27 |     run: |
28 |       sudo apt-get update
29 |       sudo apt-get install -y podman docker-compose
30 |
31 |   - name: Print package versions
32 |     shell: bash
33 |     run: |
34 |       podman --version
35 |       crun --version
36 |       ansible --version
37 |       ansible-config dump --only-changed -t all
38 |
       # NOTE(review): the .deb is fetched over plain http:// and passed straight
       # to `sudo dpkg -i`. dpkg -i does not perform the archive signature check
       # that apt does, so nothing here authenticates the file that is installed
       # as root. Compare it against a recorded SHA-256 before installing.
39 |   - name: Workaround https://github.com/actions/runner-images/issues/7753
40 |     shell: bash
41 |     run: |
42 |       curl -O http://archive.ubuntu.com/ubuntu/pool/universe/g/golang-github-containernetworking-plugins/containernetworking-plugins_1.1.1+ds1-3ubuntu0.24.04.2_amd64.deb
43 |       sudo dpkg -i containernetworking-plugins_1.1.1+ds1-3ubuntu0.24.04.2_amd64.deb
44 |       rm --force containernetworking-plugins_1.1.1+ds1-3ubuntu0.24.04.2_amd64.deb
45 |
       # NOTE(review): this overwrites /usr/bin/crun with a release binary
       # downloaded as root. The version is pinned through CRUN_VER, but the
       # file's digest is never checked; verify a recorded SHA-256 for that
       # version before the chmod +x.
46 |   - name: Workaround https://github.com/containers/crun/issues/1308
47 |     shell: bash
48 |     run: |
49 |       CRUN_VER='1.11.2'
50 |       sudo curl -L "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "/usr/bin/crun"
51 |       sudo chmod +x "/usr/bin/crun"
52 |       crun --version
53 |
54 |   - name: Enable podman socket
55 |     shell: bash
56 |     run: |
57 |       sudo systemctl enable podman.socket
58 |       sudo systemctl restart podman.socket
59 |
--------------------------------------------------------------------------------
/.github/actions/publish/action.yml:
--------------------------------------------------------------------------------
1 | name: 'Publish images'
2 | inputs:
3 |   credentials:
4 |     description: Registry credentials.
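5 |     required: true
6 |   tag:
7 |     description: Output tag.
8 |     required: true
9 |   registry:
10 |     description: Target image registry.
11 |     required: false
12 |     default: "quay.io/sssd"
13 |   extra_tags:
14 |     description: Space separated list of extra tags.
15 |     required: false
16 |     default: ""
17 | runs:
18 |   using: "composite"
19 |   steps:
       # Writes the registry credentials to a temporary auth file, removed by the
       # EXIT trap, and runs `make push` with REGISTRY_AUTH_FILE pointing at it.
       # The file is written with the shell builtin echo. The redirection was
       # always performed by the calling shell, so a `sudo` in front of echo only
       # added a root process carrying the secret in its argument list.
       # NOTE(review): CREDENTIALS reaches the script through env:, but registry,
       # tag and extra_tags are expanded into the script text before bash parses
       # it. Passing them through env: as well would keep input values out of the
       # script source in the one step that holds the registry secret.
20 |   - name: Build containers
21 |     shell: bash
22 |     env:
23 |       CREDENTIALS: ${{ inputs.credentials }}
24 |     run: |
25 |       authfile=`mktemp`
26 |       trap "rm -f '$authfile' || :" EXIT
27 |       echo -e "$CREDENTIALS" > "$authfile"
28 |       sudo make push \
29 |         REGISTRY="${{ inputs.registry }}" \
30 |         TAG="${{ inputs.tag }}" \
31 |         EXTRA_TAGS="${{ inputs.extra_tags }}" \
32 |         REGISTRY_AUTH_FILE="$authfile"
33 |
--------------------------------------------------------------------------------
/.github/workflows/actions.yml:
--------------------------------------------------------------------------------
     # Smoke test for the reusable actions in actions/: start the containers,
     # then run `ls` in the default container and in client and ipa.
1 | name: Actions
2 | on:
3 |   push:
4 |     branches:
5 |     - master
6 |     paths:
7 |     - 'actions/**'
8 |   pull_request:
9 |     paths:
10 |     - 'actions/**'
11 | concurrency:
12 |   group: ${{ github.workflow }}-${{ github.ref }}
13 |   cancel-in-progress: true
14 | jobs:
15 |   check:
16 |     runs-on: ubuntu-latest
17 |     permissions:
18 |       contents: read
19 |     steps:
20 |     - name: Checkout repository
21 |       uses: actions/checkout@v3
22 |
23 |     - name: Setup containers
24 |       uses: ./actions/setup
25 |       with:
26 |         path: sssd-ci-containers
27 |
28 |     - name: Exec in containers
29 |       uses: ./actions/exec
30 |       with:
31 |         working-directory: /
32 |         script: ls
33 |
34 |     - name: Exec in containers
35 |       uses: ./actions/exec
36 |       with:
37 |         working-directory: /
38 |         script: ls
39 |         where: |
40 |           client
41 |           ipa
42 |
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
     # Builds the container images on push to master, on pull requests, on
     # manual dispatch and nightly. Images are published only when the event is
     # not a pull request.
1 | name: Build
2 | on:
3 |   push:
4 |     branches:
5 |     - master
6 |     paths:
7 |     - '.github/workflows/build.yml'
8 |     - 'src/**'
9 |     - 'data/**'
10 |     - 'docker-compose.yml'
11 |   pull_request:
12 |     paths:
13 |     - '.github/workflows/build.yml'
14 |     - 'src/**'
15 |     - 'data/**'
16 |     - 'docker-compose.yml'
17 |   workflow_dispatch:
18 |   schedule:
19 |   - cron: '0 1 * * *'
20 | concurrency:
21 |   group: ${{ github.workflow }}-${{ github.ref }}
22 |   cancel-in-progress: true
23 | env:
24 |   ANSIBLE_FORCE_COLOR: 1
25 |   DOCKER_HOST: unix:///run/podman/podman.sock
26 | jobs:
27 |   get-matrix:
28 |     runs-on: ubuntu-latest
29 |     permissions:
30 |       contents: read
31 |     outputs:
32 |       matrix: ${{ steps.matrix.outputs.matrix }}
33 |     steps:
34 |     - uses: actions/checkout@v3
35 |     - name: Get build matrix
36 |       id: matrix
37 |       uses: ./.github/actions/get-build-matrix
38 |
39 |   fedora:
40 |     runs-on: ubuntu-latest
41 |     needs: 'get-matrix'
42 |     permissions:
43 |       contents: read
44 |     strategy:
45 |       fail-fast: false
46 |       matrix:
47 |         image: ${{ fromJson(needs.get-matrix.outputs.matrix) }}
48 |     steps:
49 |     - name: Checkout sources
50 |       uses: actions/checkout@v3
51 |
52 |     - name: Install dependencies
53 |       uses: ./.github/actions/install-dependencies
54 |       with:
55 |         tag: ${{ matrix.image.tag }}
56 |
57 |     - name: Build images
58 |       uses: ./.github/actions/build
59 |       with:
60 |         base_image: ${{ matrix.image.base }}
61 |         tag: ${{ matrix.image.tag }}
62 |
         # The publish step is the only one given QUAY_IO_CREDENTIALS and it is
         # skipped for pull_request events, so a pull-request build never runs
         # the step that holds the registry secret.
63 |     - name: Publish images
64 |       if: github.event_name != 'pull_request'
65 |       uses: ./.github/actions/publish
66 |       with:
67 |         credentials: ${{ secrets.QUAY_IO_CREDENTIALS }}
68 |         tag: ${{ matrix.image.tag }}
69 |         extra_tags: ${{ matrix.image.extra }}
70 |
71 |   other:
72 |     runs-on: ubuntu-latest
73 |     needs: 'fedora'
74 |     if: ${{ !cancelled() }}
75 |     permissions:
76 |       contents: read
77 |     strategy:
78 |       fail-fast: false
79 |       matrix:
           # NOTE(review): the base images are referenced by mutable tags
           # (stream8, 12, latest, rolling, ...), so each published image
           # reflects whatever those tags pointed to when the job ran.
80 |         image: [
81 |           { base: 'quay.io/centos/centos:stream8', tag: 'centos-8', extra: '', unavailable: 'samba' },
82 |           { base: 'quay.io/centos/centos:stream9', tag: 'centos-9', extra: 'centos-latest', unavailable: 'samba' },
83 |           { base: 'quay.io/centos/centos:stream10-development', tag: 'centos-10', extra: '', unavailable: 'samba' },
84 |           { base: 'docker.io/debian:12', tag: 'debian-12', extra: 'debian-latest', unavailable: 'ipa ldap samba' },
85 |           { base: 'docker.io/ubuntu:latest', tag: 'ubuntu-latest', extra: '', unavailable: 'ipa ldap samba' },
86 |           { base: 'docker.io/ubuntu:rolling', tag: 'ubuntu-rolling', extra: '', unavailable: 'ipa ldap samba' },
87 |         ]
88 |     steps:
89 |     - name: Checkout sources
90 |       uses: actions/checkout@v3
91 |
92 |     - name: Install dependencies
93 |       uses: ./.github/actions/install-dependencies
94 |       with:
95 |         tag: ${{ matrix.image.tag }}
96 |
97 |     - name: Build images
98 |       uses: ./.github/actions/build
99 |       with:
100 |         base_image: ${{ matrix.image.base }}
101 |         tag: ${{ matrix.image.tag }}
102 |         unavailable: ${{ matrix.image.unavailable }}
103 |
104 |     - name: Publish images
105 |       if: github.event_name != 'pull_request'
106 |       uses: ./.github/actions/publish
107 |       with:
108 |         credentials: ${{ secrets.QUAY_IO_CREDENTIALS }}
109 |         tag: ${{ matrix.image.tag }}
110 |         extra_tags: ${{ matrix.image.extra }}
111 |
--------------------------------------------------------------------------------
/.github/workflows/rpms.yml:
--------------------------------------------------------------------------------
     # Builds the source and binary RPMs from src/rpms inside a fedora:38
     # container on push to master and on pull requests.
1 | name: Build RPMs
2 | on:
3 |   push:
4 |     branches:
5 |     - master
6 |   pull_request:
7 | concurrency:
8 |   group: ${{ github.workflow }}-${{ github.ref }}
9 |   cancel-in-progress: true
10 | jobs:
11 |   rpms:
12 |     runs-on: ubuntu-latest
13 |     container:
14 |       image: fedora:38
15 |     permissions:
16 |       contents: read
17 |     steps:
18 |     - uses: actions/checkout@v3
19 |
20 |     - name: Install dependencies
21 |       shell: bash
22 |       working-directory: ./src/rpms
23 |       run: |
24 |         dnf install -y rpm-build dnf-plugins-core
25 |         dnf build-dep -y ./ci-sssd.spec
26 |
27 |     - name: Build srpm
28 |       shell: bash
29 |       working-directory: ./src/rpms
30 |       run: make srpm
31 |
32 |     - name: Build rpms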
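33 |       shell: bash
34 |       working-directory: ./src/rpms
35 |       run: make rpms
36 |
--------------------------------------------------------------------------------
/.github/workflows/vagrant.yml:
--------------------------------------------------------------------------------
     # Builds the "vagrant" target of src/Containerfile with podman and, outside
     # pull requests, pushes it to quay.io/sssd/vagrant:latest.
1 | name: Build vagrant images
2 | on:
3 |   push:
4 |     branches:
5 |     - master
6 |     paths:
7 |     - 'src/Containerfile'
8 |   pull_request:
9 |     paths:
10 |     - 'src/Containerfile'
11 |   workflow_dispatch:
12 |   schedule:
13 |   - cron: '0 1 * * 0'
14 | jobs:
15 |   vagrant:
16 |     runs-on: ubuntu-latest
17 |     permissions:
18 |       contents: read
19 |     steps:
20 |     - name: Checkout sources
21 |       uses: actions/checkout@v3
22 |
23 |     - name: Install dependencies
24 |       uses: ./.github/actions/install-dependencies
25 |
26 |     - name: Build image
27 |       run: |
28 |         sudo -E XDG_RUNTIME_DIR= podman build --file "src/Containerfile" --target=vagrant --tag "localhost/vagrant:latest" ./src
29 |
         # The registry secret is only mapped into this step, which is skipped
         # for pull_request events. The auth file is written with the shell
         # builtin echo: the redirection is done by the calling shell either
         # way, and a `sudo echo` would put the secret into the argument list of
         # an extra root process.
30 |     - name: Publish image
31 |       if: github.event_name != 'pull_request'
32 |       env:
33 |         CREDENTIALS: ${{ secrets.QUAY_IO_CREDENTIALS }}
34 |       run: |
35 |         authfile=`mktemp`
36 |         trap "rm -f '$authfile' || :" EXIT
37 |         echo -e "$CREDENTIALS" > "$authfile"
38 |         sudo REGISTRY_AUTH_FILE="$authfile" podman push "localhost/vagrant:latest" "quay.io/sssd/vagrant:latest"
39 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .vscode
2 | __pycache__
3 | /.env
4 | /docker-compose.override*
5 | .vagrant
6 |
7 | shared/**/*
8 | !shared/.gitkeep
9 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | # make build BASE_IMAGE=fedora:latest TAG=latest
2 | build:
3 | 	/bin/bash -c "src/build.sh"
4 |
5 | # make push REGISTRY=quay.io/account TAG=latest
6 | push:
7 | 	/bin/bash -c "src/push.sh"
8 |
9 | up:
10 | 	docker-compose up --no-recreate --detach ${LIMIT}
11 |
12 | up-passkey:
13 | 	export HIDRAW=$(shell fido2-token -L|cut -f1 -d:) \
14 | 	&& docker-compose -f docker-compose.yml -f docker-compose.passkey.yml up \
15 | 	--no-recreate --detach ${LIMIT}
16 |
17 | # deprecated
18 | up-keycloak:
19 | 	docker-compose -f docker-compose.yml up \
20 | 	--no-recreate --detach ${LIMIT}
21 |
22 | stop:
23 | 	docker-compose stop
24 |
25 | down:
26 | 	docker-compose -f docker-compose.yml \
27 | 	-f docker-compose.passkey.yml down
28 |
29 | update:
30 | 	docker-compose pull
31 |
32 | trust-ca:
33 | 	/bin/bash -c "src/tools/trust-ca.sh"
34 |
35 | setup-dns:
36 | 	/bin/bash -c "src/tools/setup-dns.sh"
37 |
38 | setup-dns-files:
39 | 	/bin/bash -c "src/tools/setup-dns-files.sh"
40 |
--------------------------------------------------------------------------------
/actions/exec/action.yml:
--------------------------------------------------------------------------------
     # Composite action: writes the caller's script to a temporary file on the
     # runner, copies it to the same path in each listed container, and runs it
     # there with `podman exec` as the requested user. Every input reaches the
     # shell through env:, so input values are not expanded into the script text.
1 | name: 'Execute script inside a container'
2 | inputs:
3 |   script:
4 |     description: Script to run.
5 |     required: true
6 |   where:
7 |     description: Which container(s) will run the script.
8 |     required: false
9 |     default: client
10 |   user:
11 |     description: User that will be used to run the script.
12 |     required: false
13 |     default: ci
14 |   log-file:
15 |     description: Path to the log file where the output will be stored.
16 |     required: false
17 |   working-directory:
18 |     description: Working directory.
19 |     required: false
20 |     default: /
21 | runs:
22 |   using: "composite"
23 |   steps:
       # NOTE(review): `echo -e` interprets backslash escapes, so sequences such
       # as \n or \t inside the caller's script are rewritten before the file is
       # saved. Confirm this is intended.
24 |   - name: Create temporary script
25 |     shell: bash
26 |     id: script
27 |     env:
28 |       script: ${{ inputs.script }}
29 |     run: |
30 |       file=`mktemp`
31 |       echo -e "$script" > "$file"
32 |       echo "path=$file" >> $GITHUB_OUTPUT
33 |
       # The script is made readable and executable for every user in the
       # container (a=rx) so that the non-root user of the next step can run it.
34 |   - name: Copy file to the container
35 |     shell: bash
36 |     env:
37 |       path: ${{ steps.script.outputs.path }}
38 |       where: ${{ inputs.where }}
39 |     run: |
40 |       for container in $where; do
41 |         echo -e ::group::Preparing container: $container
42 |         sudo podman cp "$path" "$container:$path"
43 |         sudo podman exec "$container" chmod a=rx "$path"
44 |         echo ::endgroup::
45 |       done
46 |
       # NOTE(review): the escaped quotes assigned to log are literal characters;
       # they are not re-parsed when $log is expanded unquoted in the tee
       # argument, so the log file name appears to contain the quote characters
       # and a value with spaces is still split. When log-file is empty, tee
       # writes to ".<container>" in the current directory. Verify against how
       # callers collect the log.
47 |   - name: Execute command
48 |     shell: bash
49 |     env:
50 |       path: ${{ steps.script.outputs.path }}
51 |       user: ${{ inputs.user }}
52 |       where: ${{ inputs.where }}
53 |       log: ${{ inputs.log-file }}
54 |       workdir: ${{ inputs.working-directory }}
55 |     run: |
56 |       set -ex -o pipefail
57 |       [[ ! -z $log ]] && log=\"$log\"
58 |
59 |       for container in $where; do
60 |         echo -e ::group::Executing on: $container
61 |         sudo podman exec \
62 |           --user "$user" \
63 |           --env "USER=$user" \
64 |           --workdir "$workdir" \
65 |           "$container" /bin/bash -c "$path" |& tee $log.$container
66 |         echo ::endgroup::
67 |       done
68 |
--------------------------------------------------------------------------------
/actions/setup/action.yml:
--------------------------------------------------------------------------------
1 | name: 'Setup and start sssd-ci-containers'
2 | inputs:
3 |   path:
4 |     description: Where to checkout sssd-ci-containers sources.
5 |     required: false
6 |     default: sssd-ci-containers
7 |   tag:
8 |     description: Image tag to pull.
9 |     required: false
10 |     default: latest
11 |   registry:
12 |     description: Image registry.
13 |     required: false
14 |     default: quay.io/sssd
15 |   limit:
16 |     description: Comma separated list of services to run (empty = all).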
17 |     required: false
18 |   override:
19 |     description: Override docker-compose.
20 |     required: false
21 | runs:
22 |   using: "composite"
23 |   steps:
24 |   - name: Install dependencies
25 |     shell: bash
26 |     run: |
27 |       set -ex
28 |       sudo apt-get update
29 |       sudo apt-get install -y podman docker-compose
30 |
       # NOTE(review): the .deb is fetched over plain http:// and passed straight
       # to `sudo dpkg -i`. dpkg -i does not perform the archive signature check
       # that apt does, so nothing here authenticates the file that is installed
       # as root on the caller's runner. Compare it against a recorded SHA-256
       # before installing.
31 |   - name: Workaround https://github.com/actions/runner-images/issues/7753
32 |     shell: bash
33 |     run: |
34 |       curl -O http://archive.ubuntu.com/ubuntu/pool/universe/g/golang-github-containernetworking-plugins/containernetworking-plugins_1.1.1+ds1-3ubuntu0.24.04.2_amd64.deb
35 |       sudo dpkg -i containernetworking-plugins_1.1.1+ds1-3ubuntu0.24.04.2_amd64.deb
36 |       rm --force containernetworking-plugins_1.1.1+ds1-3ubuntu0.24.04.2_amd64.deb
37 |
       # NOTE(review): this overwrites /usr/bin/crun with a release binary
       # downloaded as root. The version is pinned through CRUN_VER, but the
       # file's digest is never checked; verify a recorded SHA-256 for that
       # version before the chmod +x.
38 |   - name: Workaround https://github.com/containers/crun/issues/1308
39 |     shell: bash
40 |     run: |
41 |       CRUN_VER='1.11.2'
42 |       sudo curl -L "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "/usr/bin/crun"
43 |       sudo chmod +x "/usr/bin/crun"
44 |       crun --version
45 |
46 |   - name: Start podman socket
47 |     shell: bash
48 |     run: |
49 |       sudo systemctl enable podman.socket
50 |       sudo systemctl restart podman.socket
51 |
52 |   - name: Checkout sssd-ci-containers repository
53 |     uses: actions/checkout@v3
54 |     with:
55 |       repository: SSSD/sssd-ci-containers
56 |       path: ${{ inputs.path }}
57 |
       # NOTE(review): OVERRIDE is passed through env:, but inputs.path is
       # expanded into the script text here and in the following steps, so it
       # must be a trusted value. The override content is also printed to the
       # job log by the cat below; callers should keep secrets out of `override`.
58 |   - name: Add override
59 |     shell: bash
60 |     env:
61 |       OVERRIDE: ${{ inputs.override }}
62 |     run: |
63 |       if [[ ! -z $OVERRIDE ]]; then
64 |         echo "$OVERRIDE" > "${{ inputs.path }}/docker-compose.override.yml"
65 |         cat "${{ inputs.path }}/docker-compose.override.yml"
66 |       fi
67 |
68 |   - name: Setup DNS
69 |     shell: bash
70 |     run: |
71 |       sudo make -C "${{ inputs.path }}" setup-dns-files
72 |
       # NOTE(review): data/certs/ca.key, the private key of this CA, is
       # committed to the same repository as ca.crt, so anyone can issue
       # certificates that chain to it. Adding ca.crt to the system trust store
       # is only appropriate on a disposable CI runner or test host.
73 |   - name: Trust container CA
74 |     shell: bash
75 |     run: |
76 |       sudo cp "${{ inputs.path }}/data/certs/ca.crt" /usr/local/share/ca-certificates
77 |       sudo update-ca-certificates
78 |
79 |   - name: Print docker-compose config
80 |     shell: bash
81 |     run: |
82 |       export REGISTRY="${{ inputs.registry }}"
83 |       export TAG="${{ inputs.tag }}"
84 |       docker-compose --project-directory "${{ inputs.path }}" config
85 |
       # NOTE(review): nick-fields/retry is a third-party action referenced by
       # the mutable tag v2; pinning it to a full commit SHA would keep a
       # re-tagged release from changing what runs with sudo on the caller's
       # runner.
86 |   - name: Start containers
87 |     uses: nick-fields/retry@v2
88 |     with:
89 |       shell: bash
90 |       max_attempts: 3
91 |       timeout_minutes: 5
92 |       retry_on: error
93 |       command: |
94 |         # Put it down first to allow smooth retry and avoid "network need to be recreated" issue
95 |         # This is a workaround for older podman
96 |         sudo make -C "${{ inputs.path }}" down \
97 |           DOCKER_HOST=unix:///run/podman/podman.sock
98 |
99 |         sudo make -C "${{ inputs.path }}" up \
100 |           DOCKER_HOST=unix:///run/podman/podman.sock \
101 |           LIMIT="${{ inputs.limit }}" \
102 |           REGISTRY="${{ inputs.registry }}" \
103 |           TAG="${{ inputs.tag }}"
104 |
       # NOTE(review): the podman exec calls below are started in the background
       # and this step contains no `wait`, so their exit status is not checked
       # here and they may still be running when the step ends.
105 |   - name: Workaround failing sudo
106 |     shell: bash
107 |     run: |
108 |       # 'sudo' calls 'unix_chkpwd' and this fails with
109 |       # openat(AT_FDCWD, "/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES
110 |       # for unclear reason (CAP_DAC_* are granted)
111 |       for svc in `sudo podman container ls --format "{{ .Names }}"`; do
112 |         if [ $svc != "dns" ]; then
113 |           sudo podman exec "$svc" chmod u+r /etc/shadow &
114 |         fi
115 |       done
116 |
117 |   - name: Change regular user uid to 1001
118 |     shell: bash
119 |     run: |
120 |       # GitHub-hosted runner user has uid 1001, so lets propagate this to the
121 |       # containers to simplify permission management of shared folders.
122 | 123 | for svc in `sudo podman container ls --format "{{ .Names }}"`; do 124 | if [ $svc != "dns" ]; then 125 | sudo podman exec "$svc" usermod -u 1001 ci & 126 | sudo podman exec "$svc" groupmod -g 1001 ci & 127 | fi 128 | done 129 | 130 | wait 131 | -------------------------------------------------------------------------------- /data/certs/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFdDCCA1ygAwIBAgIUf1SV4l+9pBSZnQQpf4RhHwJnJF0wDQYJKoZIhvcNAQEL 3 | BQAwKzENMAsGA1UECgwEdGVzdDENMAsGA1UECwwEc3NzZDELMAkGA1UEAwwCY2Ew 4 | HhcNMjIwMzA3MTA0NDIwWhcNNDExMTIyMTA0NDIwWjArMQ0wCwYDVQQKDAR0ZXN0 5 | MQ0wCwYDVQQLDARzc3NkMQswCQYDVQQDDAJjYTCCAiIwDQYJKoZIhvcNAQEBBQAD 6 | ggIPADCCAgoCggIBAMW6CcPCYgUK2oM11mR1TwlBdGKodTOG+Doc6Yee/8ty+rwB 7 | 6+rIaiPHSlh9iLeJcNaz8tpVPwskguhOQWIab0PRuPpy+2OkMAfgFqWabzAac0tq 8 | qE7vDuV2xuUvWgm0TuVXEicJ+LrkjeaEfSpj1t7Y63fY4QgWTPow3IEppgXayZpG 9 | 3/f+W4VW1CM8tqhCeeNhd//jrpM7Fb20Iy/j364HiC5WmhNcOaMo7otUs++6LgqH 10 | Gky/cftaLBsS5DdD1JzsYgvcaNVT5JSNL2MNc3BSWmsLLqqdQlGTM/5sQ7aPRIwA 11 | jcNoMvZIF42A1a0m5lnfbwvQcqSJE2X5v5QTgfy88Vqh1nBfPUw6rxUpZ9iDgw6x 12 | i3K4spq15O5LTpg4gjY5KY3xnbX3WQ9A1+AsUllI7C3pvGf33gNgMaXU93xlE4tN 13 | VW/q7VDASTHoFeeJru5GLLGyR13JUxTA6p50MQOAzcZQwpVFEYxSyHkpa6LF1tu3 14 | vg63U/1/kXI4jNWLUzWjKvFMO+7WK7dnGP1msnZKZjreisVSw5m1id95TQLNbvtK 15 | 11mxq1m4iKv43LhR2baWdQMolJpcFL82gkA0qHz2837aBbKfcRMuyfXazZtOXNwq 16 | PXD494vtHQoxoOjCJLT+g11csobUMbolzYtJ477xegCGyczpjjy0gj7DpjnVAgMB 17 | AAGjgY8wgYwwUAYDVR0jBEkwR6EvpC0wKzENMAsGA1UECgwEdGVzdDENMAsGA1UE 18 | CwwEc3NzZDELMAkGA1UEAwwCY2GCFH9UleJfvaQUmZ0EKX+EYR8CZyRdMAwGA1Ud 19 | EwQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQSPLfFtWcRm7Fu08Z57mHR 20 | 9MIGfTANBgkqhkiG9w0BAQsFAAOCAgEAb7S917zOxxW3vAnKIFETZ5hzwJKTV+GM 21 | 85aeAMhyr+CA77ZdjYTmgo6Za1yf9hYr6Xnx8IdRQ1C9gf+uo/4W9QmML15e2NkQ 22 | 2J/wf9BZpowY2Ddui16N/ew3Ov1EQRf2bKWY05wZdQ/jd+/TfaBJFbwQQr2P33cS 23 | 
zDO+85cSAZBbLAV7GZ9XIbPb0c2CgJ6/5DC+v66eN/B4PaTOWpm3CuYhQOUykIXe 24 | y1mq85pZo3wb/iOnzHy+d8zXS0co+0WagVMiqaa+focwjGPZhzm3cD29t0J6tknU 25 | rUAaGyttAIQ4mQbfed15J21cYbNecqjPfBhtxEUZa6LeTjsD232beXQz6bcxw3QO 26 | n7udpnLXCQlzd3aR7Vio13cabY/V865MjCinatDmsDKaNJH6qNZ1kTv4QLoVBuh9 27 | /rw9j4bL0bshR9EUgZ5RLuTIpFt7aG+LPC7w6YC23znvtMXGcI9HDjUpD5GWUACt 28 | 8hdGk/+WHOvMC32b62WZ2XZZLYdtHkQWMlMuXB77gWP7KNeGX8Eibo5NesomeY0X 29 | /yyOZZnZ3ld+Tn8SmgJOA0nnGSJ8K+6SbvIYNn6z+2MoS0aJKz1Ue1biN9ik98Md 30 | ZXMsKYYW4KgBHvewiKhu3aCAwZJ2lFmUETNdr44i8XziQV+VsLswtNTIWTzPBSl4 31 | tqwzOLXK3Cc= 32 | -----END CERTIFICATE----- 33 | -------------------------------------------------------------------------------- /data/certs/ca.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDFugnDwmIFCtqD 3 | NdZkdU8JQXRiqHUzhvg6HOmHnv/Lcvq8AevqyGojx0pYfYi3iXDWs/LaVT8LJILo 4 | TkFiGm9D0bj6cvtjpDAH4Balmm8wGnNLaqhO7w7ldsblL1oJtE7lVxInCfi65I3m 5 | hH0qY9be2Ot32OEIFkz6MNyBKaYF2smaRt/3/luFVtQjPLaoQnnjYXf/466TOxW9 6 | tCMv49+uB4guVpoTXDmjKO6LVLPvui4KhxpMv3H7WiwbEuQ3Q9Sc7GIL3GjVU+SU 7 | jS9jDXNwUlprCy6qnUJRkzP+bEO2j0SMAI3DaDL2SBeNgNWtJuZZ328L0HKkiRNl 8 | +b+UE4H8vPFaodZwXz1MOq8VKWfYg4MOsYtyuLKateTuS06YOII2OSmN8Z2191kP 9 | QNfgLFJZSOwt6bxn994DYDGl1Pd8ZROLTVVv6u1QwEkx6BXnia7uRiyxskddyVMU 10 | wOqedDEDgM3GUMKVRRGMUsh5KWuixdbbt74Ot1P9f5FyOIzVi1M1oyrxTDvu1iu3 11 | Zxj9ZrJ2SmY63orFUsOZtYnfeU0CzW77StdZsatZuIir+Ny4Udm2lnUDKJSaXBS/ 12 | NoJANKh89vN+2gWyn3ETLsn12s2bTlzcKj1w+PeL7R0KMaDowiS0/oNdXLKG1DG6 13 | Jc2LSeO+8XoAhsnM6Y48tII+w6Y51QIDAQABAoICACUoXQVo1jrUW1QlHfErCntW 14 | zaRsu/m+948UN97AxplZNj12rvskRq4KmbIfhT3Ymlf+4TiepIZXijJV4nupNBeu 15 | pfCLAysqg8w3FIpyh0qm7dvSY2bSDh6ZP696QpVoSRtYTZUAjrmwkeosI8l/kbW3 16 | VijjnQaECltKK2YqiYS4JQLVJunX5yMbuioVEs50D6vneUGhbAFHLULFQ4eQb0yp 17 | JbJvm+zffAVpf8q3VElM17IqyYp6v9TYkUlVN4YbPS1wTsyj0x+j8GTqU2lt8a++ 18 | 
Cjfrlg2CGCB0ZWT+u4rnSZ51zC5YupsF2UdCWuV7Vfa1woyZ07GQARE86f/N2rNr 19 | ilAu5LjggmTKZUsEdjV8wRnbTxCY/XtZE0KUBd75dg17AI9SZsc9SnQf5u3Beg04 20 | hQnTOzykoPt5Nmiw5zIWLEfdueAGwWzGKTi5N/D7cwgmAQuOS2sW/qmF5wW8vSoO 21 | jjvdXn7CrAHmt5EzzZ07XPEJ/jQTnCtZ+u5ZjclIqjpY6H2pMZ2cC5gIlYRjVQId 22 | IOGXQaiZ24JqeHz58HJ5Q7ONDKrmQNf4xtK3XyDZSX0qoD/gBL00Eeye8sPqcWBT 23 | ZrejUsttcO7YZNQkkCghRL4fFoCtBP5+7BF2aDzgaqSQ5X6W9z3AZLhzftyP6eAr 24 | a46lEz3cQJN2fIKxICcBAoIBAQDzmjyF1FmWX8ZIkqqFwIO8w4ghXbevoQ+CjQM4 25 | tFY+G2w5eJGDkYGKMMrKqzVVQqwCTrxrRbMM6wr5FeBxueh1KaeK+LzthInHttNM 26 | jxPpwq5Yu+1+PFtVhSmy4nGLh//HjcQ4NvToLqGCW67BqVhD8qK3njfwOGxYcfeV 27 | m26eScdNhg4YlY6b05lOVS3/aBqsVl9ZeTZIlkGuzAsUXlJ+RmGHOZDg6BPgwVKw 28 | S03EUmWm4W/kX/b1Lqqb3tzhBeervBkYHcenLXifLXzL6gG79DC/gmeDrobsAK+b 29 | 5xEQTZEH5TRafKsIGMyXMzfaU634iEe8WlXOZootGPpInXgRAoIBAQDPyhyBLOmx 30 | 7spGCwKW/YLGxwmW5OYFCM5+c4d7MC/d3KA9F57U2l4UfaBz8wOhGthfwrnoHhP0 31 | Ojj1vob1/ekhlZ9fjQ1v843cGFZooPii6m3NJ+Zjn2SDEQEoyv0wb6uY0WBjqI7L 32 | k5YIrs79xm09wGEZFVHgS5AG+2NDUx7KCx1Jh3v8NT3wJ6SerWycY++m+q6zz6Ds 33 | /celvELs19DIa5kADrHj5CbL6gfBwOMFCndYjsi47UaDb2t4pShaQn6UUdtyXqxb 34 | h8aZgxpUDvyRD3gJmwgN/F73vs8Z463GzXmxu1q4F1RyVXBrx6NczgG67LC2cREu 35 | pKsmDN7C+kmFAoIBABqrbSrdt70t2SCC5iZkkEevRI0anIye3nrVg1/G5pZAHFYi 36 | bBPybzM46krL+bfO59QM2LYJ2HN2nCnvCjaJOvjwyYX+e3iphQgXbQS5uV1jUgEm 37 | +fZTF1DClnEeN34mMoufarcY1TFCQa5q6TQMnTw7KTNfIBKtqrb4Kzn23WJ5A1fq 38 | cEqivQ00WlloG/QVaq4peqDqE1ZZFPHVJvVg6jkm7XCHjeQBpIN7xtjENcxjlPtz 39 | PPPMydXH+Se9e4MrSVTU8A5i3EPiR41txnbwtKXmMxwUY87X4a+e15sC7ixRwaoS 40 | nuu1MGhfhq6bDedaN/a4vNnTLge91Czhyiz/CHECggEATUKpNp6shixzqXeOjvXU 41 | GnUHa8PQgy6zGPF7/qH8KlJOgmi19g77zEKp1nMVdmG08mZFGbmVUcoUQ8uEAxNW 42 | C9bGW5Dm3imBJcUm2+B+kpT4HsAnOgOaK+G2vKQ9YDUlaLzxShzye190+eWFsXaG 43 | R9+wOtNijjOKag4u6mmNmTJowV5PC4gAb7tNynJRYBUIlt2+97zL6VKzWTyW5dmZ 44 | F+xqB0tveXzrsAZku/Ysc0Ng/NyaZahT/6r+Gu3OA0GWLzAAmJX7IE1r2siUkYzA 45 | /G70Ax5R8GFWLmgUOVwe0Ty1cxBmuuxxydFa67hfVbKDki1Px4ZjDSTNPmiqq3TE 46 | 
wQKCAQBZRa499/50rXEM62ECM5/b1OE2A/REoR+tx41je81dJ0SZtsoDXJRhZuir 47 | /ElOd9x7isa8Fj2vsXhutE7PFYD82jUFHBgnjBVBx3Uqph7E+HYeLZE9PnUv7QQG 48 | Sz5oZFXcX4zW7NMZzKRBlJWnAzFAwb4R+goJe+fWiFwCFyq5iXSekjDEmCN/3xRy 49 | lR0kNCtUZwN07yAJ8PN2vfms4+Up6/rKuPdhgkFq9jUgyHHjTdDkkQnetUf4c1oO 50 | r5JayiRDqbzGMfc7lm42enEIEW5iR+2wlbCkcCmWELCT00M573iFKh69xPb4ako4 51 | Q8IRGYHg0dt3SVRoKCyiF1If0swi 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /data/certs/dc.samba.test.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFSTCCAzGgAwIBAgIUX5BFcLnQi8PTz0LyuRMmfu1wa3kwDQYJKoZIhvcNAQEL 3 | BQAwKzENMAsGA1UECgwEdGVzdDENMAsGA1UECwwEc3NzZDELMAkGA1UEAwwCY2Ew 4 | HhcNMjIwMzA3MTA0NDIyWhcNNDExMTIyMTA0NDIyWjA2MQ0wCwYDVQQKDAR0ZXN0 5 | MQ0wCwYDVQQLDARzc3NkMRYwFAYDVQQDDA1kYy5zYW1iYS50ZXN0MIICIjANBgkq 6 | hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvvg9BzBgSYQgIqb/5CbNsOLDIVdocUS5 7 | lLRasB96zThR3+7WFa9WAWlLwcFzS6yCLZZJthk/MXxKjBgOaIAWbO/NjjWy3zDC 8 | UQZKA8tYX08REEMk5GwVnWiTxXpy4fu6Si/eUWEuMd2HqHD4IH072XFY1JOT78mb 9 | IHq37j1A2DKKznUvjgsLLd7Ym/49s9q9h8m1WSyc/6onJ1HPg/wbtQsEl0X76hc+ 10 | TkaKMxCZP1/A4dsSW3lPdT1R+0+ELtgPfKnY4wg5kb71tjdDxoIgTUcw3gUMQUEQ 11 | mEfnV2uULwUT6FLwoecILeOXrR/0CY6+rb2Mh+EvjEnBpfyLbIi2m5mJI+pr7F/7 12 | D3e7W/Wf5WlOjDoDEy62uf3Hwt56SyuMwAuOw+IzcM537A+pw/K8H6g4JbK2ykAm 13 | oZUl/1aN4xu6YXbbRFMWY5xADkPUM2L+9jz8ogI/ARLGxrXRH5rE1LSMF/B0CsUH 14 | J+nnk/Ucj+gJpd8XINftQS5EEhR9OWDcI25ibvc+xMtqjTnJ1v7zGGkJs29uuk+b 15 | kPrsk1KWsZvCsUSSwD7eKiXpzyadjf/zPPQleS1cqNAzHNvNg5A2NII9IKXlOysO 16 | vuIU4oRHeP/aDLGIXCn/u9l9butLYWtjdYbeMkEh9uVgagaKfuUr/kGtczbgJmZq 17 | DZqjye2ueJECAwEAAaNaMFgwHwYDVR0jBBgwFoAUEjy3xbVnEZuxbtPGee5h0fTC 18 | Bn0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFLjH9E+zQxkVsSlH 19 | vrCUtt9pXiVeMA0GCSqGSIb3DQEBCwUAA4ICAQAoV179Y3iuN5CYyYxrPBn4DeD4 20 | 77wd6sGsNVouqlIKVNKp7j68NsciF4tdMmhINnwKfSm6jji5+EsFvG5xWCX0tON7 21 | 
EE6DUZNoF/IV/GuSWmmWlbs8PpWAjexuq9Zyot9qulchnJhpRTxvBwpvj8MX/lqH 22 | XbPavHfuviVkQUxYOEZ1XY3/vPzwUU8pjiJNA2Q3IWwDPf4eZbZx2chZ2FG3wgEb 23 | s2DZiQJIvpL13KCoX7b6jDB1+4ldRSAeDrmNcf7xGXe2e7H6Brlu8EzO4XtIlrk8 24 | nMyhKppU444Vzn8hrFfwYO2qRUOiI5pRby6JoIv7qJHUWNnPVDOCVFR4H1jcbgkA 25 | N92w2diNtc65MBOYH/DsqXHkvaGw4GLN2TZT0x+2UXVupDgwjOFn5IpkWrO/Fswb 26 | 2+cpUe2gD3Y6cfcv8O6EwLAAhA7VqOwL4OYkL6lb/LNl3Qkd6nRseMCZgZ5N9lr0 27 | gTv6mj+J9GzVZW0x5yViJtYpMkpApnZkznxuF8mVRTiweQ/D5QC+pTzx5HdC/bRU 28 | oSfDm5Jn8lJjVHb8HkBhHwhGLjaEWVe0RK6Cb4xjSy95HUWEeHetEZ6S/1I0X3/g 29 | kuS5iX45dpAiv/uuiM3lPwpToyKgekAy5ai5wsuCFy9t5jbK1Ru+ciWldfVOya0B 30 | FpM8P9xxPqQO9mXwbA== 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /data/certs/dc.samba.test.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC++D0HMGBJhCAi 3 | pv/kJs2w4sMhV2hxRLmUtFqwH3rNOFHf7tYVr1YBaUvBwXNLrIItlkm2GT8xfEqM 4 | GA5ogBZs782ONbLfMMJRBkoDy1hfTxEQQyTkbBWdaJPFenLh+7pKL95RYS4x3Yeo 5 | cPggfTvZcVjUk5PvyZsgerfuPUDYMorOdS+OCwst3tib/j2z2r2HybVZLJz/qicn 6 | Uc+D/Bu1CwSXRfvqFz5ORoozEJk/X8Dh2xJbeU91PVH7T4Qu2A98qdjjCDmRvvW2 7 | N0PGgiBNRzDeBQxBQRCYR+dXa5QvBRPoUvCh5wgt45etH/QJjr6tvYyH4S+MScGl 8 | /ItsiLabmYkj6mvsX/sPd7tb9Z/laU6MOgMTLra5/cfC3npLK4zAC47D4jNwznfs 9 | D6nD8rwfqDglsrbKQCahlSX/Vo3jG7phdttEUxZjnEAOQ9QzYv72PPyiAj8BEsbG 10 | tdEfmsTUtIwX8HQKxQcn6eeT9RyP6Aml3xcg1+1BLkQSFH05YNwjbmJu9z7Ey2qN 11 | OcnW/vMYaQmzb266T5uQ+uyTUpaxm8KxRJLAPt4qJenPJp2N//M89CV5LVyo0DMc 12 | 282DkDY0gj0gpeU7Kw6+4hTihEd4/9oMsYhcKf+72X1u60tha2N1ht4yQSH25WBq 13 | Bop+5Sv+Qa1zNuAmZmoNmqPJ7a54kQIDAQABAoICAFZfHfMHbTUy3fnuQCQnbLaJ 14 | CSomR2WbaLgaDj5ELp1s0JMQiaFLKQIAZrQeU5AxWLtXksUajBtMlMbiBno7HGlu 15 | 2DBulxUdD3Xn+0fWC4Un1JbfV2s8e1YzO0qAxD7zRGFTXyC9bFA/WqDTX1YKbiw9 16 | eKjEio9URqYc+t10tMRTr7YLCFQdKJQ5iwyao7uZvkkQ8MWBSQzVH1pIRSvztXBf 17 | 
qFbm3zYUBykN/Gl2I2mnXCyKkbXvmwFyl4argyRQskh25VJhoPALR0R/oFbC+esZ 18 | vL9d1xoYXHITa019qYrOqB9Wi+EeBfQDUNGLdytvdUxNQ6cdMQ0pOr1hCIoxFy1m 19 | MQ9F9Ruz1nAfhVocRrVaaCCngbqhKyvPLQUpzDj6Io2RyM1zgnDaYpPGZaALf0b/ 20 | t4t0mvN9bhBktVbZVmEpKTNF3FFcFSs6EndIgCVKsT+pXFSrhGtimUL2AvBRcQbo 21 | IkOhvMZ/V8s/xn/l/Wa3lEWEgszihYqQ8icE7IpxqIUhXRqqOJJVxXX4TIDj3RXp 22 | yZkm7Ug+oM5Erx0AEIkpGA/inX+fqhYKQ9oYoZbTwOsRnpszSeMOyM3XFFcUzee+ 23 | qtGlPIUw5c+x3pmsNS5Rto3l8x8Y5F5Xwr+Ldcpa7K/3Lj095wr+cmOKMNrlPl2z 24 | GZXi/jD/MkMELOEFBnhBAoIBAQDxUEy5Pj4Zuj3853XdSnxHb9WLonOQ9rvMtQtG 25 | DJ7NOaSLZTNr77Ula/fbBXJ/YxVWiyx/6Wx7dyQInczKgsimDliHrn3dBrfAVtjU 26 | CWOZxtiT9RXuyolSmnRUcOXrFfFL6zZKiNO+6gYX+vVeQgJaCdCLgq8JT1EYtu8+ 27 | w2bCmQk/zBmm//nAxrJaddYP+LcT2OcmuVwpL6uB8PHyxQFAMlff8HcnHbK/NvV1 28 | 59YKGgxyrYZVdR7BvIAieCNfAPAhez3RL8CzOKmGsPTmqNf7OlxeoKCBIN2Es6Du 29 | RQWW6xHVNmA+hwuhTliTxSnGUANiAjnMVDWExEj4w9SjtIopAoIBAQDKl5KHwgcE 30 | T5ZcrnzlEV2MrPuoKhKxOjgxUzaHxgdPRmNdE7G15FirC/PaDFfd2BB8VhHSAeKY 31 | 5InZfLkeN6E6//iaDiXMT6zVOF6Zc6/DOH4pTTXdrGz7BsyYg2q/fD1iYfThyx51 32 | ytHC/CjiYQLrNOEFvkkvnKQ9wex9/4sjp/IvvhZxuBLEKp2Lm9DpDbGabS+ro1DM 33 | bUDTxLrMlbsoHzEHLEw1jz1nHTd2lnDyUXT0mS8jEZsHydI/GwZgyaY1moamrIbv 34 | lXnUj3yofGFFh5HiQboWcLAxYr/DD6dD5oIUNzP1JZCKu435xq3YKDmh6gEkqGzB 35 | CrQFK/WVXJgpAoIBAQDT0P5no8Dy6E29Dpag1d7c/cdeOAxk9I7IEyqAJFfIII7U 36 | ZNKMLe69mFYJhHCKbLiwLJ208XntrhiND6ZRJBdn2zPOdVW5i0oDpLfS9yLcOnSk 37 | +v5zioibX0Q5UpgekDYrw5z2M8BZ1iXfKsPyJtLVocPSkbV+4IZ4wSqj1vT+X0KF 38 | I2xo8EuT8VVgngp2HoTlAQF1NkM1S8ip2Isn49FDPm1v/i04wpLB0UYIZqW0XEUM 39 | 7E/790A2InX+y6GQpMwjN4B9fAMTzerQdceiKBbdSM8HqMr6TZTkBKCARUmwvUn7 40 | 8yzr9bI5twF9RBV1I4q0nuuI9Wm8zmaXJZ4izDhxAoIBADdrj2Ij6dd8Dh38fZ4M 41 | ShMZnx45pDNnQcf8g4ZQ3d8J2lSz9oFTng3sjyCvD7pYSOo6gVV5voskubENNXbW 42 | sPx62X8LL7vcb+NEMFy6EPLOmXSi8oFZkdZ53a47BRCs4/3t3heGgSan/QniAS0s 43 | bKf7JzNzAoJLz4I1coRlS6LNZqs4zNr/B+Mx5TczwMqAPH2KMOg7HPdPS9SilJcy 44 | vqgTIE5eB9r+/EUg8PM35F3leqEO5p4pSseuph0tP2lqwFUZmIwv1hnkQheryOYu 45 | 
YE2s8HN8l3NcEFbyNJMfzRn+DMeK8mO1ivzoocYaW6QuHNX2NanZiSalzuk7RUs+ 46 | sUECggEBAL42D4jgeZjS+q4PVOdbjFrWBZY9f0ChgbIWSKCsLI+pQ+B0BEH1kD2x 47 | 9NOyRCc3MnCwlKozLYhlrfpiRreRzx3F7EIpnmzHJ3SeQCdFmRRDeBBFV0V6mF/3 48 | kvsv99QnkKR9KSovPFX4w6e4cPdEJWaVch/t4lYDey8m5NbzA0xv21cBRnfi9Wqa 49 | ZkVMZGxQWrUnCTwz8bUNTqXnngDA2Qj/1UsNiXRDwd+qu/15F7qIknYQdRldFt9x 50 | xtXINmuriOGAa06lsTnTi626Sal/6TjJaI8JeYS4dzEGV4js8wWXJwp9vskeXZsj 51 | vK4+nn52E/1RjOZDPM92bJUWBVwlEno= 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /data/certs/master.keycloak.test.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFTzCCAzegAwIBAgITPJ2nsJjf6JgZjc5YZi1LZL1I4DANBgkqhkiG9w0BAQsF 3 | ADArMQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQLDARzc3NkMQswCQYDVQQDDAJjYTAe 4 | Fw0yMzAzMzAyMDE3MjFaFw00MjEyMTUyMDE3MjFaMD0xDTALBgNVBAoMBHRlc3Qx 5 | DTALBgNVBAsMBHNzc2QxHTAbBgNVBAMMFG1hc3Rlci5rZXljbG9hay50ZXN0MIIC 6 | IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo3v/0s0OAKNG8508BGXHb6pW 7 | 5NMatadps42KYSY+PKNd96ANMfOrSstFCDgxMM33abOZl4FyLCfsZv5++XCYiQ6x 8 | KCgO/RYqH0YXUOw560RKOismA3fWbIsgwb8LecOR73LpOot/pIo5HAgKYjMu72Gy 9 | GBpBeKeMhIdKwaAYdCkjy1VsDIdaCC0RrcR+ZP3PI4ksCzx6icICReM9UJmzvRvT 10 | YPz/E99OvfVd+d2WQiSysePLygV0xYMI70YkTTDrZvAs4R3Qfe1DGYqLGu8dvLsd 11 | awWNdJcASgu1ODV0hKRZLHd+8OkpmROG7SxWv5F+XzIplmMjy0N6hxXzQeUwx0Uh 12 | /LE4QgW1Za0qS/SFkdaWBoP86SpjvXYvrAgiSQs3X+HLp6SlZCgk0fmhWzeLluYk 13 | XyiGmTLnoV6+YoeXR79P2pPaoAMmyyeitDtLzAadnFmXaxV9ZqGETu1VSOZtjNRz 14 | sBz8EpboPxputeDV3h5MlWMNR1mqjt8WCPH3vAP0IaXC26OpWumDjLV6x4UmcuBM 15 | x7GWSnx4f94AMtapECahWbqlY/Zs8zRjUP3GoC8g4SA/Ck2DaIEcjABYH3YyXL/4 16 | MA6fSqyTJ8zwCsg0CIUckud8qmpAoy9laLGWcQY2/jbh8bE2cWh91jksc+SRQe1x 17 | ppub9iP6mtksihb88XkCAwEAAaNaMFgwHwYDVR0jBBgwFoAUEjy3xbVnEZuxbtPG 18 | ee5h0fTCBn0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFCR8rEJ+ 19 | +3dGG+WhrodO9w2q3jAbMA0GCSqGSIb3DQEBCwUAA4ICAQAdTHDnLLtbdG9SVVpJ 20 | 
zvajm4TeEqrB07BvTsY4N9eboTK/A3mj68E8gj1NsehYsbqyBDg7dUXOacFSFXBj 21 | GB0+eaHPmerjokB0pJBxc0TCrlLL5sV1wd0LFziqPBUUEG2Q9Y85YZqOCfY9Ta3n 22 | DJb1PIl5/AH76b+MT3+v/7OftyGmkDGL3H4l+S27ki87AeP4CuroNLfJ8L5tIKHk 23 | nkCXF3MWcbhWQ3qnGx6K8jGby8lwGler91QCQSSOVswtAOcixXU24dVqZQDiE/nr 24 | 6lT97EE9rvWOc61BnL7Po8cADlH9uWBsAMjl3NHt9XdLGSlrjsfLSmqVHLbL8GUm 25 | g5fp87K+ishQiWOXBz0KhLjbouFJZQgqmojF3d3SKP25F/gwpl2s2OTl3TiBShaa 26 | a7qB4pOI4n7TEso05PvPUlvNe/52iBz4dfd8Alic4G+4ApExrjiPBK2VdgVun0bQ 27 | qN6M4RW7cudTORnOENDGp9aO+AB4G1xcH4kiZa/FWvgPRT3FmMzeV8cYQg23vM9q 28 | 066Vu3gp+lRLHncoBxdJuXtaY6gT3cgptnQLvXhiZfwaPaNQLDi+UWZ9+rPMGkD6 29 | yBthELFTGw93h0RojVj+VKCUY6NnrNvbxhcQntwhNHt0ot7B280iR1eZnmlwbMCI 30 | qpEVBfEoqIYxBQG/ksqYrICzsA== 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /data/certs/master.keycloak.test.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCje//SzQ4Ao0bz 3 | nTwEZcdvqlbk0xq1p2mzjYphJj48o133oA0x86tKy0UIODEwzfdps5mXgXIsJ+xm 4 | /n75cJiJDrEoKA79FiofRhdQ7DnrREo6KyYDd9ZsiyDBvwt5w5Hvcuk6i3+kijkc 5 | CApiMy7vYbIYGkF4p4yEh0rBoBh0KSPLVWwMh1oILRGtxH5k/c8jiSwLPHqJwgJF 6 | 4z1QmbO9G9Ng/P8T30699V353ZZCJLKx48vKBXTFgwjvRiRNMOtm8CzhHdB97UMZ 7 | iosa7x28ux1rBY10lwBKC7U4NXSEpFksd37w6SmZE4btLFa/kX5fMimWYyPLQ3qH 8 | FfNB5TDHRSH8sThCBbVlrSpL9IWR1pYGg/zpKmO9di+sCCJJCzdf4cunpKVkKCTR 9 | +aFbN4uW5iRfKIaZMuehXr5ih5dHv0/ak9qgAybLJ6K0O0vMBp2cWZdrFX1moYRO 10 | 7VVI5m2M1HOwHPwSlug/Gm614NXeHkyVYw1HWaqO3xYI8fe8A/QhpcLbo6la6YOM 11 | tXrHhSZy4EzHsZZKfHh/3gAy1qkQJqFZuqVj9mzzNGNQ/cagLyDhID8KTYNogRyM 12 | AFgfdjJcv/gwDp9KrJMnzPAKyDQIhRyS53yqakCjL2VosZZxBjb+NuHxsTZxaH3W 13 | OSxz5JFB7XGmm5v2I/qa2SyKFvzxeQIDAQABAoICAAm1RpkKR7tWdtNnIiYBtEDn 14 | jN7sQVEJtr9sl4vS1U3NBrq6dKYjeefIX9pP2e3zwS4z9do3G+RO350zHi+qVciH 15 | yJHhpRg23Xv7cc2CpaLYrI69OrXogyFxdpnCwkfyCuO8/2gUWhlXgvIs8Q7pSq94 16 | 
7fY78ujbDD9feFs8qk8VlVRRB4hL7lb/dCYNPdM59je+QNEO/5jYHkHvr1eutOt1 17 | ME15YJ1ZvKePn0vD8pUNcFYbeKHPxqIm+Jwa3nN+BPCZMRUSK+wab4pf/Yg1LF8l 18 | fmb5Tq/eeqwq+1Ex7XAmAUygcPeV5Pw72l6RrDoWhfpZtHoDe5/pqyhD76zZUxbd 19 | 8gtHv7fJ+MPy0eNbYJgLqRuHvX+ro36wqLt3zP6rrBXibiwolgissNqUQUgwGjqE 20 | 5yw+ENn60W2QqIzZrIOpSxOodJ9yhhnTPNgFPVUzzVPQvpodgXUOAqxzi8qNwIkU 21 | NSrnvduh1jBNvg3vHMg6Ux0n19rAeJdM7NwJoPdcX3Z7CS/AQPMHwMUksMJUpZWR 22 | i8j3H0Edd9cSInxPHDZaksNLH8K51vt/9OtGdois0bUYwihKrQK3xoDgUdMQ8ZNk 23 | rgBo/+jxIM+XZMJBULIK/Uj/a1lDe5a/gAA1XQHR1K3ay9WUyXhgauW7JSUJ7cX3 24 | 4/lHthOHMvxrLjjMHmftAoIBAQDKsNUEjPfRjfyROJFY3nyLXagU9+TijQyx7elg 25 | MMTabmQPGiF1TSn3ecJxFucg3mtzjyootIwFqj+TlqJ5Ui3NedmTqk/IK2UGncJW 26 | jNZH2f2ldJS+U0+PGqXTC+uI8Ny5Z6VUYs+pnclChDAsP2jwCtwVp4aRoqZq9TeW 27 | gz1hbH1//lV2U7UTUqxS/HdZTO4XwzacfVhAdzD0Z3qg5WR4FyLt7qadK1hZzZXC 28 | SGKyWDRvTTEijs/h1NwtIzHNm5P5VhfQzTfzHfrfM6SFJEXoBIgQoCdrPsqH7ksa 29 | Fz3N4uAZmRi1dcJSu/x+k/4b4//qhsJ1AkBi9JM5W9DVPVMNAoIBAQDOe2betiQe 30 | +Bp605LTka1DHoE1YLhce5Rr87yaIc0H99T2W+fJJHlbcJ0aAaJr/7MLdbSIB1SW 31 | HarNy5uqIOZzklop5C3iLPUx7h5fNJQmwrljpJ1E46K1e7QKZrIzywKkzrHWm+ak 32 | Ftzs7P5vF9ucHrrme9UecYh6shiEBlR6+YQtruV/GkMz02B2GjHBD6h15OsPMhdv 33 | VUH0mDamUBSuWfCveJIf3aVh90Bttl/eA8RkB+5C5WAEFwyBJjN7ptyf7a/IUO8e 34 | UKL5Y421cKnq37PU4bJA+l11X68jrTvyUnX/koeKIWclMpJOJg5nz7eMv0z1llKv 35 | +BfUAK3J5m0dAoIBAQDBQspZhG/mhxODBATST5FA8RQKqjK7MPIh1U7oQJfyDb+q 36 | BqhQSDrzlE0pt0S5ulmJ3b+9ACliXWoxNzfDpe+2M7CZc5KOsZGqNVHPZIoMCHYp 37 | BHeu4ZDCSg5CpOL3t3E99u1VAMIwYBo+KfwktHFCL5iZrRpKUmOLKDTQdmJYOjGP 38 | kNm78SR+QB2/IqpJo2iBj8jKfVlgXkV3RBNQxmh9eNH9O8fxpBqhxbw9evdgRWn5 39 | lgh7guAD3Anzn9Mk0GrPGp+qn4HxdWx21a7QpD1jdK6n64yqXTyPT06cmfx8Cw7S 40 | WX+NxbJ7YHLn3gQ0Y7jnzYYsOvFZaQnXbww3xjkhAoIBAQCFS9zJAcSnyXsut88d 41 | jfnQTq0TDHF4Ir9aQWsMBa4a6r8sm4Aytb0ybqy80TlNhzDKwR3egvz0PAq7+Clx 42 | 1vNuwJg8WvXUATn5FcO9qm/J5gNQdECi7GFpz4YXAN0h2njGdDkSVmq6m5fby9Ml 43 | XL2FN8FocaDPmnOE4dw5vuxixxmxdCrrtsSTfG3VUGu2OqmCElo84RWH5f5CLNF6 44 | 
5E+1jpJ2dNvAfpH5gGizavzQkpYCDayeuv0VJtwHs+WgecQL6qGEK9tyMpRDcyVU 45 | cHsBCZFKaLlugTI8R50E5xy//sP2TV36qj2wIcmZca/zDIFt90Fzeau/teWMEzQe 46 | FwdxAoIBAEZdO6/WwuXH7v5uKdInGmkxxswdnAaPCulSM6ruUHh2XvGFTa557OkT 47 | p9zYDlMWrt7IZ55CaeLMbTqliY5/Ic+srBDw1111JJv1ARHg1+TrZ8AjgSzQSHX+ 48 | lO1UnQlu6eQ5PkE4Ns6yoD9gJzxRgHxHkifhWzJfwqHJ7bAk7CA/6Jbpvuwe7y4j 49 | X2xf4k7HRrVzAP/jwL1d9Nnzk2xEJ6WjNcmWNeYOJt5Wog9t1pyqnI5iwZDhRHKi 50 | H25jt3nPjG1LQU+Bix2qeuKoqjP3bsAakrsrQKckopA70egSPpUpwD5246TcItty 51 | wpmmCXuBcDn5+o3D4ZI7fZ9QVn9bi28= 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /data/certs/master.ldap.test.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFTDCCAzSgAwIBAgIUX5BFcLnQi8PTz0LyuRMmfu1wa3gwDQYJKoZIhvcNAQEL 3 | BQAwKzENMAsGA1UECgwEdGVzdDENMAsGA1UECwwEc3NzZDELMAkGA1UEAwwCY2Ew 4 | HhcNMjIwMzA3MTA0NDIwWhcNNDExMTIyMTA0NDIwWjA5MQ0wCwYDVQQKDAR0ZXN0 5 | MQ0wCwYDVQQLDARzc3NkMRkwFwYDVQQDDBBtYXN0ZXIubGRhcC50ZXN0MIICIjAN 6 | BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtTVnGwHnMPbOoviCl/uSfl/FUpAA 7 | 5Z/2LwZ9d3Jn1qdVJR+aiVdS0L/eZqTyovNnXdMhpaxCqCsytjwKuZvql9h1HeoH 8 | CZ5P3sSWntOf3UMhMg4MR9VngovKb0gYJQUXzTev0M9ve2qBFf8OiTCsJeMlACcK 9 | u7FYOkpLZNvP1Rh9zPlJMyx7m9r7a4d5YvUR02RrynRBOnTcL8+1dOhDCqGcguZ0 10 | W5dJUNceF7Qks4DWSEtM4tmyPPQXyuAwCNEore6b12mNeHAMXd72W/E5+5ohfD9Q 11 | P4aLjRAUnE1JvWtaQBKtgnr3+tUgGCwOmXHn0gAec9UyjGRuW9qidsQLVWnqQycT 12 | 0iwRplU1WP11I75EfbIjxQqsnatpVBL5cA2T/6GS4SjSb+PnRyOaBjIxMeQnPLKI 13 | DXA8Zii+GsON3WJ1kfSiXtfv3WpHbNjvQ+8pOMfP3hwW3gmkWJqybuda0rZy+Y2f 14 | lB+hUtleEBg5+0hkAU0xm+dqblTvOdg5Y7Q6C+P4/YIwBOOUIC7lBtV67Emepd0A 15 | xUH3nQ30Wvzc2HNbjtE6s/Q+RvGGB/6Zpcj2K/KNXdzt9LE2qM40Rm7UNdYvafEt 16 | kCqRGZQ040ySNdirViQl4hQX4zzBnjKUFj8XbLeh0v/PZw99PRMB3Zu3Rnm3Qi2u 17 | +N2HL5EutqLc0TMCAwEAAaNaMFgwHwYDVR0jBBgwFoAUEjy3xbVnEZuxbtPGee5h 18 | 0fTCBn0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFBLHpP7EbMLK 19 | 
XYOLEXMxjOaFbfKkMA0GCSqGSIb3DQEBCwUAA4ICAQC5heiNDU7iHo7H+tgvSbD7 20 | TTW/Gcgk120v6qdbDEDNESUeNggGvethd0IGjhJUu1GeX/2AIuPX3YOgS+wNHgvI 21 | Vyi2BAbdwDwS9DQsH8uqm9UhKUbriXFQfumcluNzAQmTMjWhGeYIUC385xyFkvHl 22 | kncE40zpglYvcBum+9iMlH5mma07SQElIks//kn1SU3Po1IL1DKIVZRD+E6CyU4/ 23 | e1e3xRHC2mt1l18A1KLvE+giP4hFpYfrxGWHSvZNdV6A8EyMHaZCzlsv07wr1LWG 24 | LHxZF7P/76M4vEY5crP4/si9kOlX3WS6F3NVEYRFIxrz/irgK4uBLzooJnBcpJ1n 25 | FFuGOvHe79/2L0BOdTOwJKzV6oj0VUln+Bc2iTt8eAHsDDiutTLkRxqBO/Qsv0RT 26 | 0BlOD8UHkD+WKG9jC41DCQAs4Uirr9h+g2mcnvBpuXRV+NBQhm64zn87WV9zy/+f 27 | DCvCGbl3+JGhrlk/cEve/glF3zP7VSntCIF/RzQzP/NSxYLaUfIg8CwkmfugflwV 28 | mYoGSac3hIHE7IVd53RCClSGaQ0Ahp3Lm7i7XxLZZcEhArAxWcNIFe6MwNgJ80oD 29 | h1o8azLw6+3Zv3wReCZQhKjCjMYkZMcSQhBvFG80B2KskOoeSQGfD9byW/HaRE4k 30 | asZaEzeO/9Yg3s/QK0E/ng== 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /data/certs/master.ldap.test.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC1NWcbAecw9s6i 3 | +IKX+5J+X8VSkADln/YvBn13cmfWp1UlH5qJV1LQv95mpPKi82dd0yGlrEKoKzK2 4 | PAq5m+qX2HUd6gcJnk/exJae05/dQyEyDgxH1WeCi8pvSBglBRfNN6/Qz297aoEV 5 | /w6JMKwl4yUAJwq7sVg6Sktk28/VGH3M+UkzLHub2vtrh3li9RHTZGvKdEE6dNwv 6 | z7V06EMKoZyC5nRbl0lQ1x4XtCSzgNZIS0zi2bI89BfK4DAI0Sit7pvXaY14cAxd 7 | 3vZb8Tn7miF8P1A/houNEBScTUm9a1pAEq2Cevf61SAYLA6ZcefSAB5z1TKMZG5b 8 | 2qJ2xAtVaepDJxPSLBGmVTVY/XUjvkR9siPFCqydq2lUEvlwDZP/oZLhKNJv4+dH 9 | I5oGMjEx5Cc8sogNcDxmKL4aw43dYnWR9KJe1+/dakds2O9D7yk4x8/eHBbeCaRY 10 | mrJu51rStnL5jZ+UH6FS2V4QGDn7SGQBTTGb52puVO852DljtDoL4/j9gjAE45Qg 11 | LuUG1XrsSZ6l3QDFQfedDfRa/NzYc1uO0Tqz9D5G8YYH/pmlyPYr8o1d3O30sTao 12 | zjRGbtQ11i9p8S2QKpEZlDTjTJI12KtWJCXiFBfjPMGeMpQWPxdst6HS/89nD309 13 | EwHdm7dGebdCLa743YcvkS62otzRMwIDAQABAoICADj+m/hlp9bBugqOSV0ONmxj 14 | KQgn3PBcWK0/yFS6eiiMpv4vK4cJHTYlMwlr1hkkn51mG84lGS4VsDSbO/BXNvkd 15 | 
jvCivCXtUkfJ42n/O+f3BkjdHEW3vH/WAgzwSw/Rw0O7wSPXKsRRolpNx7+kvHCK 16 | OggLP5f7Vrm2xnHppTvsIR1IRxq+Yf6KaMvQZ4CVfk7T5gdee2msedjb5sHnj7aX 17 | UEfnvi9UrS2tC3z/HxAKdNt2O6+aMzJyv80CqHkNeFMEmqWtQF7iNzGLQEd43vjg 18 | 6KlQrKfeZKQwq5rhwFDApDlE5qgEj1yojhisOsdOiVCG0w0xwF1h9UgUw0bBsKJc 19 | KDOA4BeShUVnktqubVH83fbczwfOj19eN9OvtqmMQUkmb8FmPjTdIAkx+Dlh4F6m 20 | 8BA9qjZl51u7YTYiMfERFfL3+5mo7pYd+eilmv4oUaWq6iB0q+7NSdSVbTSwcBNe 21 | HoNlDosTt2yvlQaHNjvSJkNngGm7yekj8EBQ64C7AbZCI6vUl+aFEKxmjHsR2+Ux 22 | HSQMCpdAhlRkEsxdZu+XOWxVTZDVMs5bXvrwLbTdedtfJ+PvGhP6Pkifvq1DHqr1 23 | Nuj0UuptVtRKVxuXz4O1Pcrjnc0UYRhIFDu1Xt/BJLhbhc3AvP8Cgsrq5q3LC1+B 24 | B6CbAEAffFFDBB17W3nBAoIBAQDjO11bH158qUnBS5tDVc7OsbvQFXcRRAydoryE 25 | +VeUyqVXDuov9mtjdbwe7NtJcz414N4VAKga45iCCsxq85Rt6rwxasZ6RG06QCcE 26 | +4wPAowT+hYXFjqECRhdDZU4PwwGl6v1ZPxdR/60BF6Ca/OUtIHoRGUQNcjB2ZAn 27 | Pm8kldyYPQX9Z9CCorCZViXjbPHUqe0KUWfQJ/eCFiuHXXrujkmjgJ0tX8oAANPx 28 | T3z10yikwDq8xwPbeoQBnmiizLIugjzggtlkOGVd3D5hx0fR7UKSJOMB7mWCpi91 29 | Ey9QatpUD+gtvU+2pY0SUoBtnOHgvvBvn87qzYBYh5DPgGYTAoIBAQDMJmnJ35tO 30 | xlCesJi2wbjVsSNwmBPB53fo40tXxe67PplF5YurQX6ngO03zTrhEeZs7YT1Dgh/ 31 | UJxvwgdtNJeU8CBkKjL6657tUuLtIWl3587ccusxkhnGs2h9HAM00W+zDMaAmHs9 32 | upq8xUf31WtQDnYlDmIk97S3MfnOcPS0LG8iFKQxqabPnAjfmo7ABHoXItU/pPqS 33 | naW9dL1cJVmXnfISXku/jv9RzadpyxvoB5FrGGW33eBzJZxJDGJWur/UA+LFCN49 34 | hPVslsqcY1VlRbgMDXtJecYkXFa2tx+W04ARQKdwW721109CgAmjee2dfS+eYRe+ 35 | ohQTHfHuhcxhAoIBAC8fhYm7JKYnmVMLseQx7FRzCWbqvKmI+jDKqdvNtbr2l3lJ 36 | b4mIydZzeRLUvdkqnBEiVAv4+eOxpVP6l0/qubJdxq9c3FJI1HoLCcx/uhj2x0Px 37 | Thl1k6cEF9hcU8C5Wm4XkCKw0aEqqAh/C3Zymq4RDQu0+1x0OvDwhHOPAA+PQJMV 38 | vKNDnzsoMAVslyjl0/TtVGoaXbQORcblgBtvaGoGegD9UBszzTlY8psNh/WW18vq 39 | zYOOph8i9jM7valdV+pLOgK5QAoHpAXmAc3XPO6tDGwwWB9zZ/vDKP5Xfy1nK2XZ 40 | cqXhp6FSDcJp95ZDvZgVINmVQ5zwBxjU7FQL5Z8CggEBAINS2o5f5xoffFD4rOQz 41 | beEY2AFf8qWzbnFDdX36930/4X0TEmuR8BV0XCSfQpbx2taLXBH/evvbMSa7G+fm 42 | AvRuG4gTlUPQOiXUQeHksmHNnkY1LpJut2IYmsiQMofRihcVysOCUxT8avmvtoH4 43 | 
qdWP1/QycnPxXDDUVyuzgdY9FyhHOvAvf/zhFNwyIk3nE1q6r48HY6DZBHsBE6ao 44 | 6B8eHVAvlG6fYCKRNnZZj5QM+kB4K0bB1dZ8hTKAYuoDq86IyWGSONQ+KVo3DhLX 45 | 22EQHjqymXJEgW92btmOpyVw3Fs8yfj/KuREotnWX1zn3DCJDQ7Gym14+YzqoGyd 46 | aUECggEAc7zhfOGa7aHq7PHPOZdVyp5NJpheF2zEX1ZZn97XUqSd0QOeaqXBT4+D 47 | FBQPUT78RpiBVzk99yWc1UqUCi/okk6r4J1jO8qZYGnSAg1A1Ug1NdD+LqpjkMw5 48 | vUj1JgIKoKxtAwhly+iISzXSIpXb1QR7hdRiU4FeqRyYF95xJ6JkeRr7Gfwtt1N7 49 | ZKBTPHAxVcqBemTdHx2aZ773aD4GPgTaX3Ga3SadYi9ib3V/ecjcwsKX62C61lL+ 50 | JWV3Rx20+HPviqo1joDZysHyN7Q660WnLATJM85Zp/Xfh0MAFybDAaozW1Qi8c3Z 51 | zYxUyJuiTvN3gLPG77xq94hPlYiHrQ== 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /data/configs/dnsmasq.conf: -------------------------------------------------------------------------------- 1 | # dnsmasq configuration for sssd containers 2 | # 3 | # This makes sure that all machines are accessible through DNS including 4 | # SRV and PTR records. 5 | 6 | log-queries 7 | log-facility=- 8 | local=/test/ 9 | 10 | # Disable caching so we always query AD and IPA DNS 11 | cache-size=0 12 | 13 | # These zones have their own DNS server 14 | server=/ipa.test/172.16.100.10 15 | server=/ipa2.test/172.16.100.11 16 | server=/samba.test/172.16.100.30 17 | server=/ad.test/172.16.200.10 18 | 19 | # Add reverse zones for artificial hosts in IPA domain 20 | server=/251.255.10.in-addr.arpa/172.16.100.10 21 | 22 | # Add A records for LDAP, client and other machines without own DNS server 23 | address=/master.ldap.test/172.16.100.20 24 | address=/client.test/172.16.100.40 25 | address=/nfs.test/172.16.100.50 26 | address=/kdc.test/172.16.100.60 27 | address=/master.keycloak.test/172.16.100.70 28 | 29 | # Add SRV record for LDAP 30 | srv-host=_ldap._tcp.ldap.test,master.ldap.test,389 31 | 32 | # Add PTR records for all machines 33 | ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test 34 | ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test 35 | 
ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test 36 | ptr-record=40.100.16.172.in-addr.arpa,client.test 37 | ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test 38 | ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test 39 | ptr-record=80.100.16.172.in-addr.arpa,master.ipa2.test 40 | -------------------------------------------------------------------------------- /data/configs/nm_enable_dnsmasq.conf: -------------------------------------------------------------------------------- 1 | [main] 2 | dns=dnsmasq 3 | -------------------------------------------------------------------------------- /data/configs/nm_zone_test.conf: -------------------------------------------------------------------------------- 1 | # dnsmasq configuration for sssd-ci 2 | # 3 | # Queries for the test zone are sent to the DNS server at 172.16.100.2. This 4 | # makes sure that all machines are accessible through DNS including SRV and PTR records. 5 | 6 | server=/test/172.16.100.2 7 | -------------------------------------------------------------------------------- /data/configs/openssl_ca.cfg: -------------------------------------------------------------------------------- 1 | [req] 2 | default_bits = 4096 3 | default_md = sha256 4 | encrypt_key = no 5 | prompt = no 6 | utf8 = yes 7 | distinguished_name = distinguished_name 8 | x509_extensions = ca_extensions 9 | 10 | [ distinguished_name ] 11 | 12 | [ ca_extensions ] 13 | authorityKeyIdentifier=keyid,issuer 14 | basicConstraints=CA:TRUE 15 | keyUsage = keyCertSign,cRLSign 16 | subjectKeyIdentifier=hash 17 | -------------------------------------------------------------------------------- /data/configs/openssl_sign_ca.ext: -------------------------------------------------------------------------------- 1 | authorityKeyIdentifier=keyid,issuer 2 | basicConstraints=CA:TRUE 3 | keyUsage = keyCertSign,cRLSign 4 | subjectKeyIdentifier=hash 5 | -------------------------------------------------------------------------------- /data/configs/openssl_sign_service.ext: 
-------------------------------------------------------------------------------- 1 | authorityKeyIdentifier=keyid,issuer 2 | basicConstraints=CA:FALSE 3 | keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment 4 | subjectKeyIdentifier=hash 5 | -------------------------------------------------------------------------------- /data/ssh-keys/ci.id_rsa: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAgEAx5c2rpN3KKIOIejy0NF3w++uBxxWq69+amMdqftQM8xy7tY/9ZHf 4 | sEnTFP0JrDuRfCi6fH9IgFM2m/7+21vCCYbCpg8skZyHU2bWxJPSEE7bqbXRQzx+S9HPsA 5 | dRKNyIdFdVPWlvUKZlCkO4a8GlfePmFwXZSfZHNdIZboNhOrh5nd8qGNx07a3ynJJvc+zJ 6 | ZvWsF5mMYUA+PnNI4S6sB0yTFJfOs0waNgXUwt5BPmD7BUwjuYCQFUwye+upkkFwYzZ/7D 7 | eEdwSzkdARMxmgY6HLIilIxNlta1yIwlJ6PwuX1SdmXrzTq8p/2svv8C3ZHch5S7W6u2Vc 8 | +VJIWf1VLf4at4QDj+zrqbfdIlajHukAk4IsXUY6fopy7arENU2CgZe5ZK1xy3WMFQmBXh 9 | j219bHyUCHEjG6cHaoaU2Q1I46CpNl9vTLZ+fvw2o60bSaOaBClXjtNJ6Jqbw9AaWVoVkL 10 | vnrXOUUNsuslVv/KT2KN9ha9EhPIkX9c6wPpRWmD9JEi/pApKPrIizWSpfVFkbA64P9r1n 11 | PcGFqtDPZG4TqwuRg8TPAA4QPD5eK11O7uttgpulIf4KMyDDNyIjZP28Lex39T8QJ8crmM 12 | 6ZZeeehGVY/bCG0kvBmMnyn///q48VNli/WpYXVNyHdJAkc8v4lUMKLSlPLNBaeENf0RSV 13 | UAAAdgQfGh7kHxoe4AAAAHc3NoLXJzYQAAAgEAx5c2rpN3KKIOIejy0NF3w++uBxxWq69+ 14 | amMdqftQM8xy7tY/9ZHfsEnTFP0JrDuRfCi6fH9IgFM2m/7+21vCCYbCpg8skZyHU2bWxJ 15 | PSEE7bqbXRQzx+S9HPsAdRKNyIdFdVPWlvUKZlCkO4a8GlfePmFwXZSfZHNdIZboNhOrh5 16 | nd8qGNx07a3ynJJvc+zJZvWsF5mMYUA+PnNI4S6sB0yTFJfOs0waNgXUwt5BPmD7BUwjuY 17 | CQFUwye+upkkFwYzZ/7DeEdwSzkdARMxmgY6HLIilIxNlta1yIwlJ6PwuX1SdmXrzTq8p/ 18 | 2svv8C3ZHch5S7W6u2Vc+VJIWf1VLf4at4QDj+zrqbfdIlajHukAk4IsXUY6fopy7arENU 19 | 2CgZe5ZK1xy3WMFQmBXhj219bHyUCHEjG6cHaoaU2Q1I46CpNl9vTLZ+fvw2o60bSaOaBC 20 | lXjtNJ6Jqbw9AaWVoVkLvnrXOUUNsuslVv/KT2KN9ha9EhPIkX9c6wPpRWmD9JEi/pApKP 21 | 
rIizWSpfVFkbA64P9r1nPcGFqtDPZG4TqwuRg8TPAA4QPD5eK11O7uttgpulIf4KMyDDNy 22 | IjZP28Lex39T8QJ8crmM6ZZeeehGVY/bCG0kvBmMnyn///q48VNli/WpYXVNyHdJAkc8v4 23 | lUMKLSlPLNBaeENf0RSVUAAAADAQABAAACAQCX3kR6Y7TYky6juMgCAlDaIybNPE/qhTdw 24 | pghtTc/CCkAt4ZJ7PcryLcpSfxN8HTtfOPJlRsiY9DhqTIYJzXEApKy5hHRKO8twt6CVpV 25 | DCne5g3Prk6UPEV1pru7WSnPOrasRuXSqZOHNLcyoBvDA7cUyjmgyzTZTzq/Ez+P3jm3jW 26 | mndCwYSrUZ94aagqkjLRh/+xWWHKogJ6rGf5B/VX/Hkxwy1BmpebIaa5vDnyyAJZDo1kWi 27 | HIQtlrF29I3UgyBcciqz+8/DPSsHpV4pr7FKInVTiMqFCsz5U0H2PrUtvuEfPABHgfkI7m 28 | oiTpIUnCcsdwx0/VxZQQFf79kljbtShbduFaVXQbcq1eBvGfFW1JGsMxjziW4qWmfdHAkM 29 | vkJt4MPJnDGFE2buEbK/fM5dPYbYAs9AwahdI20i9r82HCnSJAMgLcFZuJdNcKMv9TjLiX 30 | Mb20LjGzWNBXPqTvk2ETixfcl1hjBNPfAvBRZN2B66Cs2KNg5M8C7cWd6hTO3OH/82KcdF 31 | zjrkl+kEogMMY5YvYI2elP2LvmJQlCKOadD5PLcjNr5Ja8Yh3gyDsfQu5ZYoLi//hbWcRO 32 | NEphMf1X0kQsJFcKzUhDFKB022p0P2/VKoXSdrjGcg10aElpP0+j79ZMmgEItQK3Qmtv9z 33 | ON6sCpXTqc/dVPvtNRBQAAAQBL+Gn8Xx46jLvbGAWCoU473aAL4XI2KvZW1zQpABFpSXwT 34 | 6nPDFV82dj7xTnDPAVB0DbezhvcoorNYaqyen99eiDi0Udq6QA/+OYiFYe4GxeUzFPwRW3 35 | mnKtfNRQD7ACdH0KZNuhAqVuT0ILIWGZGUEsy+bLzOlN8sEPyTHFrUm13AM4IHMxaVi8xT 36 | LQ4OqdrpJuCSwGAFw57oX2KwHJ1LA3l4B7FyvXsDLzAQN6YxXz/JXqrcLUkDKXLMZizQ9w 37 | q+gwY6DSoEuCyZeb/1vs5NpFPuTbUA5rs94xaN6J/4EkwDc/NtXz02FRdccSGSNr9lyFyW 38 | LMHgpr7FgQZduPEEAAABAQDkoOGVrm1hdVix62XjK03RVmHgUD/FpMCc1VpSBBDUJw32cr 39 | x2txsMnwAlnHtsCLBxtqtG51gVTI14RKBQ3KbOqDbCXmD3mX3makEl7IeZq6OXG0m1C4rZ 40 | woFEXf7P+TOHGQlOjKU14usjIOlnVYayyDKpns+GKzTNM+1CiKocAD1menV54nhiUr3UhO 41 | gtUWnDBGSbQuNFy3L7VfHR4UTUhiTCvudOTCCnjy62D55cKnsEbRIeZhMP8eoxsXMIpCMt 42 | XQOj/8aAF+H42P9M4+o6319Qb5YU6KuGe7Dc8nH87O8T+EWGeD4EkoWKnR9ob5uF9HbrrZ 43 | CNKZpoj+eeXoCHAAABAQDffF5WDHoqwIoVvIG8X3UaKwvAMr0oJt1a7xjpZnswXqUj4/zZ 44 | WmtSGvzvpGqvqqrj4TaxHkOeuJv4UBlwkbXst2vTGWSSNZWLbckxBCDkW8gAWouxYAyNDY 45 | B02qmd38AoPdGQ/wSIDKYrkIgSHfOaYD3GpWapZZpMgQOlEU21igkKLawtv9w99QopIxKL 46 | QUbChjyFwfBfQo/PktOS/9xiV8leZxDDGJXKtwNSmy502RwYf8aAaTO3E5OBlmyXgiQclg 47 | 
SvwmyzN9R9WqJIbxHTkb9dSCJgOlBx0xHH0ygum8+wFJMWb1nYZGLUds2GHSWPbXpYD6pr 48 | hYo4WIMaJKpDAAAAI1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpIGNpIHVzZXIuAQIDBA 49 | UGBw== 50 | -----END OPENSSH PRIVATE KEY----- 51 | -------------------------------------------------------------------------------- /data/ssh-keys/ci.id_rsa.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci ci user. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/client.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQiOemhrbFiG48/F4Tg0U/DQIqPkyBz 4 | F3YiqBuknQrVZQkesTT+oF4JgoVVifQ15Thd1s7TgX/aJuUrDxl+9/7aAAAAuMU/IV3FPy 5 | FdAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCI56aGtsWIbjz8X 6 | hODRT8NAio+TIHMXdiKoG6SdCtVlCR6xNP6gXgmChVWJ9DXlOF3WztOBf9om5SsPGX73/t 7 | oAAAAgLrfhU0/2fN8M733ZZ3RbX2z6SVp9zaIJsJ17lfCjL5MAAAAbV2VsbCBrbm93biBr 8 | ZXkgZm9yIHNzc2QtY2kuAQIDBAU= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/client.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCI56aGtsWIbjz8XhODRT8NAio+TIHMXdiKoG6SdCtVlCR6xNP6gXgmChVWJ9DXlOF3WztOBf9om5SsPGX73/to= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/client.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACD3koEb+Fcqunoa3APIXOixXfXFEdR973bR/ljCV739YQAAAKA5gckOOYHJ 4 | DgAAAAtzc2gtZWQyNTUxOQAAACD3koEb+Fcqunoa3APIXOixXfXFEdR973bR/ljCV739YQ 5 | AAAEBDYa4BRWMsB01zqKrhNEvaH9/5GKHUZJrLUlEeoruva/eSgRv4Vyq6ehrcA8hc6LFd 6 | 9cUR1H3vdtH+WMJXvf1hAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/client.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeSgRv4Vyq6ehrcA8hc6LFd9cUR1H3vdtH+WMJXvf1h Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/client.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAuDvtnV1ouIkyUd75bKmRPe9OytLCk3hJ1h8jKFlGNDf6ek2YMaC1 4 | n1FvFz24+GLeAWiOjOPP41mYx41zyYy34KJ9wU+S78mR65Zzd+AD3Ge/q+95jLeKSDyO1p 5 | 86iZbkRoHHRELiYWklG0xgVKB8ApqeSQERKljGqaZMMEqPUEBM3gMU+fHS0xMhDU8QdQwj 6 | +7CUoWXfaft+/uVydZtX5KZ6Q2/yTJ01/Y0gKZOq9gzmYHKV9mjRTG8UkOcwEn4ZsyQn8e 7 | dnPexg/OWcfizFwSeCszSgG707K7hY95OY4e6WL6mbHlLkXgQwo0hkOEODAwZvlwD2wjX0 8 | HICz6Ou/JJCBSvG2Xyiw3iR+IOuBDtcRxsQYZnGIl5HNIMqqRAinpIlG95bZMlAP0fkPCa 9 | Pma+9CBxDNnxb8oiKss9jcdzx/xUyw0gYLkLhLcwR3DH2/f7DvJW6HyZ3gH7AJNwt02Mai 10 | de+sWKpOAtuKQfFKzgH5Z4vj9EaktWcLXtrt2Q9BAAAFkAruE2gK7hNoAAAAB3NzaC1yc2 11 | EAAAGBALg77Z1daLiJMlHe+WypkT3vTsrSwpN4SdYfIyhZRjQ3+npNmDGgtZ9Rbxc9uPhi 12 | 
3gFojozjz+NZmMeNc8mMt+CifcFPku/JkeuWc3fgA9xnv6vveYy3ikg8jtafOomW5EaBx0 13 | RC4mFpJRtMYFSgfAKankkBESpYxqmmTDBKj1BATN4DFPnx0tMTIQ1PEHUMI/uwlKFl32n7 14 | fv7lcnWbV+SmekNv8kydNf2NICmTqvYM5mBylfZo0UxvFJDnMBJ+GbMkJ/HnZz3sYPzlnH 15 | 4sxcEngrM0oBu9Oyu4WPeTmOHuli+pmx5S5F4EMKNIZDhDgwMGb5cA9sI19ByAs+jrvySQ 16 | gUrxtl8osN4kfiDrgQ7XEcbEGGZxiJeRzSDKqkQIp6SJRveW2TJQD9H5Dwmj5mvvQgcQzZ 17 | 8W/KIirLPY3Hc8f8VMsNIGC5C4S3MEdwx9v3+w7yVuh8md4B+wCTcLdNjGonXvrFiqTgLb 18 | ikHxSs4B+WeL4/RGpLVnC17a7dkPQQAAAAMBAAEAAAF/BpVgBM3M+a6+ASV7ZXmgRUp3Vu 19 | 4LNV/LMLWzQBMy/UJrIsRNvvOD+8Uvkedp2qXTuuPSNEAosl9uTxuGB7dB91M/dwfJOGmT 20 | SJWJisiS++6AScEMG6Xbs3bCYZOt4qUZcDwpg/GdjaSvf10x2ymoFWZBqg5WOVyT9bTopU 21 | LoYOLO5d27EZJG0HOJNhZ3RzK/kbC0NrF2vCNmgtHDKOKAqdp4hANfpTdOTk9w4ERdI3c/ 22 | lN1m8EFTX0tpejXlLIscF4O8ma0d7j1ZLtB6eVLqrUApiJO11BIaWRGlmkoC/293BhDWzW 23 | 3Dx9IbQmlKSSHnBBkpltK2jj0W8BX5GPZuwbP3+IgVsUn9TWqsTeKfxhTH6RgS60H53rGa 24 | pQdrSx6UJR+lL84razWnyJcOKyl5KosRsx/ScyaxYC+79qg/Y/9ef/m0PHnN7xJLzShQ6/ 25 | EzY2Z3GijYy0aw2UgpZ0lIfXoQ9wLSYOnr6nqUVcPccvMFlwTqqCooS63MSuGvTMEAAADB 26 | ANs59unjsCLhFIN/Gdi5w+JwpUziLkqH1tDKkZzOamzIzn7LIjMXTvI3L/0LfhGu4ie9X4 27 | UVQRxDvdbMacszCxdcQpjyjbf4Zgi+9AD3GHCk4su8kgOtWGMZ8+HuXsHHA5hyKELNTod8 28 | A6OvEi4+4PHUGzEajOdQP4HnCOzyf02dAOkvhmxFWPDLq5G091quLjDYH9+YoCH30CPSdn 29 | tt36as+pERJwTAioDG2iJ1SsAsbDTUqiWmCTvqVro+568JBQAAAMEA7u1mmZ0MjmoPRLY4 30 | wrxz9PVo/uxK3wZCxVA/KB8FTFno8uk68QNMnSPNfnJCn+O+its5+Pjv6WZVCn6lr8hq2/ 31 | JYRyCR+2IkYe2yKcL918IyWRF0q2EzC6+USfG1CgFSPir002+0uSYXGjY9U3A4A9WoTNFQ 32 | lMQFvUbxB8MPsI+jh9rJVnFf+yf+Tr5BaXqmBPTzId/wDKpxoTox1veIXrcdGUEdGsQ3sW 33 | U9JaqKuuVygoWhsZ6Wgko4+KFvqRnpAAAAwQDFZgvczJE3qzl1cd9K0S2BCQCm2d4abDIg 34 | TUx1AOvxv7ICXqUo7M4CXuJ0qbstMhVNp8UZxYchrPuOp0U0uEAnzTt4aPrhFvY7/XFQNv 35 | RmtpUJjcN+/5ROpUg+ZSpj9i7n9lPSGg+w4nQ+4kZT4Gw39f638aofzWq9vbVnFyWbiiAy 36 | xEtG3zE4pdmCVZPPmyPsgeWphaeL5++pt+E3jrOC2Zoq18SZQCZ8JyS3bdP+gVvSQau2iP 37 | oQTw9QGPaFG5kAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku 38 | -----END OPENSSH PRIVATE KEY----- 39 | 
-------------------------------------------------------------------------------- /data/ssh-keys/hosts/client.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dc.samba.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTMZ7cFlXBab8c1L399YGsQn0wzvcGT 4 | 9om8SKjMRdOk5ouInmSFiyiMXYda4MmKqprUJURm0tTPHagUa4usaGY9AAAAuL4oqu++KK 5 | rvAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMxntwWVcFpvxzUv 6 | f31gaxCfTDO9wZP2ibxIqMxF06Tmi4ieZIWLKIxdh1rgyYqqmtQlRGbS1M8dqBRri6xoZj 7 | 0AAAAhAPM1gL7eKOoS1JaypA9mR/irIRZH539NW6lZbigVd67CAAAAG1dlbGwga25vd24g 8 | a2V5IGZvciBzc3NkLWNpLgECAwQ= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dc.samba.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMxntwWVcFpvxzUvf31gaxCfTDO9wZP2ibxIqMxF06Tmi4ieZIWLKIxdh1rgyYqqmtQlRGbS1M8dqBRri6xoZj0= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dc.samba.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACCG0bRfdOp+AoxLLIafkkcgy+xXhJKKBuHs3N4ODRMafgAAAKCU64x6lOuM 4 | egAAAAtzc2gtZWQyNTUxOQAAACCG0bRfdOp+AoxLLIafkkcgy+xXhJKKBuHs3N4ODRMafg 5 | AAAEC8YmVMdhUqpdKKN+Zu7n7AVBjCvoh/4X+TwzhqfobjEYbRtF906n4CjEsshp+SRyDL 6 | 7FeEkooG4ezc3g4NExp+AAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dc.samba.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbRtF906n4CjEsshp+SRyDL7FeEkooG4ezc3g4NExp+ Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dc.samba.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAwfHn3G0T4KCT3K0O7rI2kceqVlv2OP5GAznSOG55uwgUO5bqv9Z5 4 | tg+CvLva23aM2OzRA+xWKFmlbF9kXXheMqUGgAzOa/Eu3h/u9C//ayu6suoPIKvGlhNwZ+ 5 | 5sWkwQNLGSvDaljpwGTk2A+kmQCzx+/g9H6UnYM9nuPLUwNU4L8FvKVI/afIRLogOcLRat 6 | Gu3mjQkNo7q4LGgFk7SzsJ6FNLIEGteakZdHwIWoxKdzDjodDZ/C4diMZRwBGKY8DruLz0 7 | CqBAI27oxPanyQFg3Pw9PdMykBfmxeReYMGppeplV+Sf9eAaAInVExDSx+Gpfg8uTxhWzT 8 | uUjSdfqRMQfKl5V89HbIGCLS4XRqRxSHe8HZHzp3Jxa0QWIHrAyhfBbBvfgvg/eDbXAYWx 9 | LXyUOIewTB9mt+LAYOHp43IgRRRX2voCoZ1LUpPpKxXS5/se8DyesY1OJXUA9I23ODTOCb 10 | w06Fwo3WyYB1r9MEi0Bl7Kkfx24HqD30UQiitoITAAAFmJ5nYmueZ2JrAAAAB3NzaC1yc2 11 | EAAAGBAMHx59xtE+Cgk9ytDu6yNpHHqlZb9jj+RgM50jhuebsIFDuW6r/WebYPgry72tt2 12 | 
jNjs0QPsVihZpWxfZF14XjKlBoAMzmvxLt4f7vQv/2srurLqDyCrxpYTcGfubFpMEDSxkr 13 | w2pY6cBk5NgPpJkAs8fv4PR+lJ2DPZ7jy1MDVOC/BbylSP2nyES6IDnC0WrRrt5o0JDaO6 14 | uCxoBZO0s7CehTSyBBrXmpGXR8CFqMSncw46HQ2fwuHYjGUcARimPA67i89AqgQCNu6MT2 15 | p8kBYNz8PT3TMpAX5sXkXmDBqaXqZVfkn/XgGgCJ1RMQ0sfhqX4PLk8YVs07lI0nX6kTEH 16 | ypeVfPR2yBgi0uF0akcUh3vB2R86dycWtEFiB6wMoXwWwb34L4P3g21wGFsS18lDiHsEwf 17 | ZrfiwGDh6eNyIEUUV9r6AqGdS1KT6SsV0uf7HvA8nrGNTiV1APSNtzg0zgm8NOhcKN1smA 18 | da/TBItAZeypH8duB6g99FEIoraCEwAAAAMBAAEAAAGAAIKu/g0JcttpWDjaY7VzYFHauG 19 | x4ivDcZVDHJV/hESV1zCxbBNM/McP7r5x8+Hvo5f9Fk5GRLn0B6vWbUYWqFc8KY9bkyjLx 20 | 0SLbYagor3MHhEYKcScSmD2H27YscdZmaoUXIkiwid4ORDF/B+mep/DqUqfepBYOLCDEOE 21 | Ov00wXyvOq5isUw6QjgNMqm5HGNd5vb2qZLxekOXWyog9lM69PIXLggOOVZBG2XiLb7VyV 22 | eHGdtvX3MNn9kJyQwixZ1fEz+9ptmFPbKRnTeKjo9q5wAfxfiSXGBgkRZ7zE6i5GZU2kt5 23 | 6cTUIplcvf8Svi2PjqKO9HyitJ9SO+xqYU9kB8+9DFRud1OIRBmitLohFJPHHiEHqQmclI 24 | 8NXdq+sWV+pEuDLJ6TK6VJY0G2u5ib2MYqGUW35A7uO8FYc/3NdWSpwOgengC+SjDLTRgQ 25 | P0dHsWkUodYVrpGU/VTtKwO5vKzwTkSjF+oWmWeojgbkCSOFc5g8HkbHmAOhUJ9C4BAAAA 26 | wQDocordM2G6OPgCqDZ8O47aKR9pIcC0hLXkZdS+OjzrENii1RAQ8t1Wtf//G0/jQoGGpA 27 | 72J7BVizp/Xqf9zY3Xywx7eJwRjO/bvFFVOM6F4jxrRv16jWPnO7pqbZW7EkDk9bVTNkMe 28 | GEScBn3CPE44mftgcUew6saPrJ0BAauFIGXBP6bWgJjhfqrF28n4bl4y1wIRR8q5dCINXi 29 | MIAcopOX+GyxdIXOqzErAZJ5Lrjy4YaZaw/7jozH9e8sgaKagAAADBAO1dAQ4sdJqM+zvC 30 | Ab8Alg2tAdLNPva833chFrBoo0RqBpO+ajRf/wj3ejeGCiau9+uS6BFUxS2536vjhPGq24 31 | YuRZAhPW4LrUKVJxNxTCXfrvePwAYvZZkU1faBxCf4BKq7T3OsrUSVpy1R/POddxh5OTms 32 | bFFDKQjXoRcw1610ucMmremy5VEcQzEvDdY3SUL/05t22nr4vVNpBMIuxgCm1OVycIbP4o 33 | CuKOh8a0m/Pdz33fIoaYFCMcAF/MlYEwAAAMEA0SwxoI92VMDwE0YddX4FBwpyySIKip5W 34 | QQlTvsje5L9xL3if8AjbFaaP8VrAboleUv1bDW5y6QUhbBMQFfXCh05pH5BO2S1UwBGTbb 35 | NFqR4iYGbEtilfsE9xxxTv/KWpbcJjf7V06RnXVNgRkr7mTrbUjdOHQNGf3qpiQBGF6AVg 36 | rZpbitwuLf3mSPKJzYT76JAjAalq6usnYmh/+J/tFsMszfrKKYLac4kAKvwfXy7VFbXshs 37 | FEkHajRyeyN24BAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgECAwQFBgc= 38 | -----END OPENSSH PRIVATE 
KEY----- 39 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dc.samba.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dns.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQTeoDWHkeAxJwxiCAJ5kjCE/xpA3T7L 4 | ZndAyO7/ygQ6CdWArKEFab+X4/adnwttHIA9mMGqUZZGryK9733xGoHhAAAAuIfIVTaHyF 5 | U2AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN6gNYeR4DEnDGII 6 | AnmSMIT/GkDdPstmd0DI7v/KBDoJ1YCsoQVpv5fj9p2fC20cgD2YwapRlkavIr3vffEage 7 | EAAAAhAKVUVVC5MY9wzbClODWatvgCoUAhdyYWbXXrkv5n+eqKAAAAG1dlbGwga25vd24g 8 | a2V5IGZvciBzc3NkLWNpLgECAwQ= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dns.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN6gNYeR4DEnDGIIAnmSMIT/GkDdPstmd0DI7v/KBDoJ1YCsoQVpv5fj9p2fC20cgD2YwapRlkavIr3vffEageE= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dns.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACDOpKV+VKY6RDCZrQBa0DkirIN9xrb9f84iGC9Ya1KxIAAAAKC4GE7SuBhO 4 | 0gAAAAtzc2gtZWQyNTUxOQAAACDOpKV+VKY6RDCZrQBa0DkirIN9xrb9f84iGC9Ya1KxIA 5 | AAAEAcDAzaB7EteuqWaCY7U7shGM7XJQPswBUE5J6DD3A+CM6kpX5UpjpEMJmtAFrQOSKs 6 | g33Gtv1/ziIYL1hrUrEgAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dns.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6kpX5UpjpEMJmtAFrQOSKsg33Gtv1/ziIYL1hrUrEg Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/dns.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAwgVLOKRQrgbu/XRKflkhchk8CkJkXbu+qlG5Q6lX85ORtgH1T4c/ 4 | Bz+xGZdCbmSaeLU1ac5cGxwGZNUfvLu1XR28E2FA7mlCNbWb9c2EAFxf12KeLr98S4NGRx 5 | wJpnEbrYYtR25UqjqCQC+kPeOBkeWqgu1gIivMKFI/PvHXhPHCs/RINGYlh7XS7cBUV32I 6 | a+8KH6IeUgzjWxT63I8SV6XjtsSBn+Zylq0dCimQnJ+qNNOyCM+789cZ6OG8WIYGZpNfwH 7 | 7NiB8ksOCB1QzZKHY8BnXkVc/EQ9Pd0pHRZ/luTOa7TLOBWMgZH2NwojrMeQqe6r2mcr45 8 | ItedantMxX48cOrtrdL6W6DfmbS4jxMkgm4MBFEEqaeKi748o9OwSZdyFkzKVxLhfe/53Y 9 | 7QwfP6uKpEc2MP3JP0xhf8F01VL5FHLt4pxKvDbHldRHxZaHNtYtunoZShi8yV5qThVXiY 10 | xb9mB1ad8pezO1RyckVQn6RaHOGx9I7Dho20ytfBAAAFkM0i6CDNIuggAAAAB3NzaC1yc2 11 | EAAAGBAMIFSzikUK4G7v10Sn5ZIXIZPApCZF27vqpRuUOpV/OTkbYB9U+HPwc/sRmXQm5k 12 | 
mni1NWnOXBscBmTVH7y7tV0dvBNhQO5pQjW1m/XNhABcX9dini6/fEuDRkccCaZxG62GLU 13 | duVKo6gkAvpD3jgZHlqoLtYCIrzChSPz7x14TxwrP0SDRmJYe10u3AVFd9iGvvCh+iHlIM 14 | 41sU+tyPElel47bEgZ/mcpatHQopkJyfqjTTsgjPu/PXGejhvFiGBmaTX8B+zYgfJLDggd 15 | UM2Sh2PAZ15FXPxEPT3dKR0Wf5bkzmu0yzgVjIGR9jcKI6zHkKnuq9pnK+OSLXnWp7TMV+ 16 | PHDq7a3S+lug35m0uI8TJIJuDARRBKmniou+PKPTsEmXchZMylcS4X3v+d2O0MHz+riqRH 17 | NjD9yT9MYX/BdNVS+RRy7eKcSrw2x5XUR8WWhzbWLbp6GUoYvMleak4VV4mMW/ZgdWnfKX 18 | sztUcnJFUJ+kWhzhsfSOw4aNtMrXwQAAAAMBAAEAAAGAHmgDe58+uKNECYsT0JzJ0c6UGv 19 | yAK7NsZFdV7D1qF/V4yLgiWIIW1d08tUjAA7p2/fNSKWCKjUIVW3COHn8hY3QxQS1E5ogu 20 | 9OlfBYTdisvvRjtBlIx0X4Y1eZfyiDfiMU3dozvuf1YXixUcTYmtyO5gDFBEuF46Sthm6o 21 | eusbpMu/SM609V0uCjK5jwbtywyE+IO+BllZDJAcF2NiIi6wMHvqEpumQ8cZI0Qp80d2NL 22 | YqeJl3ls2IBNonJcGNh5+vcHhtjQs7VJaCMBc9Lyopt2rX2t1zF/PQc/mPkP/l1DiIUi0H 23 | RxZpXfDkuVKcqnzmPksT1IukoAAQFMPnCb1sMuubq0XJ+1WgjkYtOLNkt/UnA0PfEMlUTV 24 | MmC2xxfsXbcOoHPM4ilnkHN1fk2OSFYNmbrv2PmdJCYul15iJr17vVJgrsYUMBWvMSNDru 25 | w62V/p76URZ3aWorWg85+qB6Xyw1JUta8oqEqjW16ts80eEjIbSUjAmr8wxaUToQKlAAAA 26 | wBmtAJHgvUH0EXwGh0JbH6tfrEjo7IZyR+ucATNEOEVjZcPTeM6cHCzjeWBx8Od+uhZsdo 27 | NnSj1DO1y5irJU9lZXRxWAVWqj47DnVJyNIoztwkNMGOCPsZUT1J0HstBP/OQCUtZGitb9 28 | +NNV2fXeD5TFgca7/rpiOAqnCJU0sBU/7V/SF68zqeJUPZTv8o6+OhiLCQfwOVc/puhfvF 29 | xqcAtfdYMXvEB6bbPEnKnNQNO20Fr5cM7MnfPrjLg06hUAMQAAAMEA3x3q6sKOqT0nNDXt 30 | 0n8Kw9x47xPu1Hnt51tcI5vFTJcAcMPvtvwWMWTQGPDjwPCP5uvq/UfkXUCsWEdRpF4+Vw 31 | SkVq5rD4FGIqNFO89ilxvnq6vHcwxBn9+rAsR2iSoBkJfvB4Ie0LKA527Ovot3iakNo6K0 32 | MqJPuaO3EcrF9pYY7FUgh56NV6ewpzFXVBrVmLj3oo4D/bPCPOTirL7gob/YVTixvzZ8vk 33 | H+g3wxM/t7hb2+NatX3L3DtKopXQ0dAAAAwQDenZeiLOTCZ/QquIi17iYwwPy2k7Hy4sjY 34 | TJkIZRIr/Z2dm2GLdA/byg+DMcO/6drWjzaB09n13gDEkvggGNMZtdHhlU9e0HlTHMLruM 35 | GX3JPJIWCytf1vpuXniA4hU0Y1QhQY1QSe7ULWTMbz8PIFHoRtRRbbcHt/nuxHX4Mhh1k0 36 | odOpR5NZWM/bdac0zxENrfPHC6FFf9+kvZ9Xkab2tWUwJf5tbeTWQojn3+ezQRF0st7979 37 | XQtcY6ao6vh/UAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku 38 | -----END OPENSSH PRIVATE KEY----- 39 | 
-------------------------------------------------------------------------------- /data/ssh-keys/hosts/dns.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/kdc.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRGhH99OVfpvHR46Xp38Zp5DnobrEYo 4 | rZov2S+b9NhBHfTZVHFbp2Ws2uwmCyC9QOEqisGshpqLrcstVrHmZnJZAAAAuDf3v8o397 5 | /KAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEaEf305V+m8dHjp 6 | enfxmnkOehusRiitmi/ZL5v02EEd9NlUcVunZaza7CYLIL1A4SqKwayGmoutyy1WseZmcl 7 | kAAAAgD2oZCMrVuGyEHXejErS0hqPhb4GXvDHvz3hn0ecIjI4AAAAbV2VsbCBrbm93biBr 8 | ZXkgZm9yIHNzc2QtY2kuAQIDBAU= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/kdc.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEaEf305V+m8dHjpenfxmnkOehusRiitmi/ZL5v02EEd9NlUcVunZaza7CYLIL1A4SqKwayGmoutyy1WseZmclk= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/kdc.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACBc8KOLHsQHaAiCMSqVi58Ox4UGf5seDkowh9NJsJZr9wAAAKBbAEIGWwBC 4 | BgAAAAtzc2gtZWQyNTUxOQAAACBc8KOLHsQHaAiCMSqVi58Ox4UGf5seDkowh9NJsJZr9w 5 | AAAECPSBc7jVUzi5AY7OhbcWwP3sSJL4AvfJkbFN64E/vna1zwo4sexAdoCIIxKpWLnw7H 6 | hQZ/mx4OSjCH00mwlmv3AAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/kdc.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzwo4sexAdoCIIxKpWLnw7HhQZ/mx4OSjCH00mwlmv3 Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/kdc.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAy8VLlWq4OYTl0v/HO5oM/d6fnomgm6ikDh5CFEUOzeFDOdmqi6sn 4 | 31+XpFotIQbB+ij3sVip/EiIXQpMGOtJMv/hCQIclAyVjJ3ByzgZIxxvSx9zc0fyuEVO4Q 5 | yYT54U3iv3NK4rVogXdQSrNZpaFSPCStZMs+Lol1O0s+KmUm4TYxVeQyT1r6tnNDSCVWfZ 6 | lDTm5f1bdbXoBC+NAbjl5MhFKvB6FPUH4vT1/rtTta8zTZjE/O8dTTgG0iffRQYa1iY5pU 7 | Q0q0QBbpSmOG5ynyk8g1Q5iAYwwT8uxUrHbBgD1p676RWBmZE5H/54TbHmNV+hYX3drwCY 8 | SHMJ4J12g4dCUj56R5+qBa5sXf47qRsasHNRMB1LSckN83Tn21g6S59moNBZ9XtgfPqgry 9 | fMAbz8UTLcBHSimAtcfZ+1nLGBbFHc34KyH6khVQI/pVPAa0Tbk6zNXZXpsJSCuod8zAE9 10 | /Kdc5mhzoMD4qpEjR47QjaxukxtX4OnJHakwPiLTAAAFmMvoERbL6BEWAAAAB3NzaC1yc2 11 | EAAAGBAMvFS5VquDmE5dL/xzuaDP3en56JoJuopA4eQhRFDs3hQznZqourJ99fl6RaLSEG 12 | 
wfoo97FYqfxIiF0KTBjrSTL/4QkCHJQMlYydwcs4GSMcb0sfc3NH8rhFTuEMmE+eFN4r9z 13 | SuK1aIF3UEqzWaWhUjwkrWTLPi6JdTtLPiplJuE2MVXkMk9a+rZzQ0glVn2ZQ05uX9W3W1 14 | 6AQvjQG45eTIRSrwehT1B+L09f67U7WvM02YxPzvHU04BtIn30UGGtYmOaVENKtEAW6Upj 15 | hucp8pPINUOYgGMME/LsVKx2wYA9aeu+kVgZmROR/+eE2x5jVfoWF93a8AmEhzCeCddoOH 16 | QlI+ekefqgWubF3+O6kbGrBzUTAdS0nJDfN059tYOkufZqDQWfV7YHz6oK8nzAG8/FEy3A 17 | R0opgLXH2ftZyxgWxR3N+Csh+pIVUCP6VTwGtE25OszV2V6bCUgrqHfMwBPfynXOZoc6DA 18 | +KqRI0eO0I2sbpMbV+DpyR2pMD4i0wAAAAMBAAEAAAGABRScN9N7WGPJ3yLlcsT6gfHlBO 19 | zlhjwEKx3yA9Nc9SEirfSRXf4cdmNJwp1E9sfWWkhfNJrDUjj0vW0eTJjBMHZUxAa7c62E 20 | pQbh6BEz/z4cQEE+fadTk+iWeOH5gjKszoVGGpglGHk4LIC7TBDXIiPMGlWRgAKuTeeWX8 21 | 3M281Gynej7ASl44Vgg1qzzTFTqXBQOXfBqgOpD0GoQFy9zqB3qQRp5s/dLHlzELDW+3as 22 | zsh6UNwdXOmCsgaweGYYhcyOvl4OqpE4wRh2IVXG5TLqMDC57aW3CWgKjeX/E0gBuJodHs 23 | +JcS3lv7ri5rOh8QRoBUlOnnmLQuOS3TplRDb7ZAH315BqJAXJliGpHGKak1L7Xk1b2/rL 24 | aiXovzzXUlG47KvhYL0XuhuixC+U7lOp8YwSvhrz92i5ZpoBZuaXBdmnfrWAJd5mKJWl2D 25 | F1H2YwyIV0JueIL3oXC5bJGWcj/osgcZ5sVz1c+IvYAIdD21CTh6Ad1fVaLQl9pNHhAAAA 26 | wQCc+Ev+pugdQ3ffwAsBZTCfRYdZY1zOC55pnAW1k1KTRIpzpAoeoIZNvyWF7K11ZYca8G 27 | mIpYOrZehvh3erJWyQOEOHGb3hzb096uCW2YD55FiA99L7SltcCQQhvjGrv4vUwR4wM/W1 28 | qNYqHLfKi9XxKyVSSv/wgEEYBTi8jAj3NNB75EL9AtzpxWpblL/2vo+QoKo1ZZxWB9OgQV 29 | 3wVHVCoX45lvkicxF7ujuFiYA6XuRevryCfu4PdNL2oUIc/4kAAADBAO1cwyi6VX12ERY4 30 | Vlitym8W4rnrb93r+rVrrptl2V3mwgSxnTgkGHzKZpvFOWvGeWuwz8ik7jdzLF65LtI98G 31 | rLHnwRjV278hNxyOMaI0slxfzn259az4WypvbPE7821+c5pWGS5EtVaJtHSuLbZGU4RNBP 32 | cyX6S7HmTUZyL4sfW3HXOzpTNpouCIgg72CM4SIC1WdVolqGqIvHYO/x5pMrI72iLBqvwu 33 | fdkfHCGjKuAOq8Xt9s/CdQgl63/FyQmQAAAMEA28VN66Y5UsvaDFdret8D2A1u67vN/iJA 34 | NfVZAWMN0OvaAjTrKIlXc/0yxUyS7C0gOw7aGv1MQBDAwr2niuK8hb0kTumUn+aVuThQJN 35 | cNtMxyKq8SWS8wCnylgeyA5Qv9UH5QYeUW8ENZdMHs20jIcsA1lyIIVPf6aBLCPTluHNo6 36 | lwsvN/yWQRYyVxgUwjkJI8O4CiYuZxCmgiJHcU76Jf+O29Qnl5In2ETRRa9NVOomp5HtM+ 37 | SmmhQVzbixy7ZLAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgECAwQFBgc= 38 | -----END OPENSSH PRIVATE 
KEY----- 39 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/kdc.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLxUuVarg5hOXS/8c7mgz93p+eiaCbqKQOHkIURQ7N4UM52aqLqyffX5ekWi0hBsH6KPexWKn8SIhdCkwY60ky/+EJAhyUDJWMncHLOBkjHG9LH3NzR/K4RU7hDJhPnhTeK/c0ritWiBd1BKs1mloVI8JK1kyz4uiXU7Sz4qZSbhNjFV5DJPWvq2c0NIJVZ9mUNObl/Vt1tegEL40BuOXkyEUq8HoU9Qfi9PX+u1O1rzNNmMT87x1NOAbSJ99FBhrWJjmlRDSrRAFulKY4bnKfKTyDVDmIBjDBPy7FSsdsGAPWnrvpFYGZkTkf/nhNseY1X6Fhfd2vAJhIcwngnXaDh0JSPnpHn6oFrmxd/jupGxqwc1EwHUtJyQ3zdOfbWDpLn2ag0Fn1e2B8+qCvJ8wBvPxRMtwEdKKYC1x9n7WcsYFsUdzfgrIfqSFVAj+lU8BrRNuTrM1dlemwlIK6h3zMAT38p1zmaHOgwPiqkSNHjtCNrG6TG1fg6ckdqTA+ItM= Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSUrSHTYJ9psItv0piw34CBrzXq4JVx 4 | F4npr/a8tqIlAKcRoAtTLvVOi5UT+0QZzJU8oj1FAG/nG4lIsaK+ob25AAAAuFIUSsJSFE 5 | rCAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJStIdNgn2mwi2/S 6 | mLDfgIGvNerglXEXiemv9ry2oiUApxGgC1Mu9U6LlRP7RBnMlTyiPUUAb+cbiUixor6hvb 7 | kAAAAhAJOAkxatlAvcjFYv3czUsGT18FkqbUumjO1GekhzWtB+AAAAG1dlbGwga25vd24g 8 | a2V5IGZvciBzc3NkLWNpLgECAwQ= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJStIdNgn2mwi2/SmLDfgIGvNerglXEXiemv9ry2oiUApxGgC1Mu9U6LlRP7RBnMlTyiPUUAb+cbiUixor6hvbk= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACCOF1oWIiGHuIotwjXHCp1yZprxKaRlAxVCBSlnqwrfgwAAAKCRs6idkbOo 4 | nQAAAAtzc2gtZWQyNTUxOQAAACCOF1oWIiGHuIotwjXHCp1yZprxKaRlAxVCBSlnqwrfgw 5 | AAAEBHF6ssYwECYvqJySd4wWbGHPt4Ea51C3rkqANgK3ghw44XWhYiIYe4ii3CNccKnXJm 6 | mvEppGUDFUIFKWerCt+DAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4XWhYiIYe4ii3CNccKnXJmmvEppGUDFUIFKWerCt+D Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAvSvY6UsaIKTL0WdVqjl4JfJ+RO+x40uYGkYjNGCNds0WdQGDkXuQ 4 | vrf8HYA9a1X23GJ3yqltbf8gyulQUMax0URUn2brRCZDQgdzs11ztC3fHVJabBeFsx2wkA 5 | U7mQSrJ/33Dq07OWbGwOFDHQQ8mEuGOG+JvQVilqrB3vxtz9RpJrdcSA+Q8aUfv3Aur33D 6 | 6dp17iGu8rXHjhkGL8brhQ106rb7gXB4B5X/32AujFW4Tbh19MXP/na8R+4g9MheZuxiUs 7 | PSTV9IXMkzG0GKm4xY0wu/HkiU/wkQHFa4aK7f2W1TIXuOqbhClGTdp9ArJe0ZRCcIQ3bc 8 | lf5jPPKkNFhLHjq4p6tyfQMsmWYQe79acHB2DTkoPr571UvI18L+lh6o8/W/n6tFPxXeA+ 9 | O57YhRRziVRN+I40GMI+bbiS4yXkluD6UAREKv4cwxxIX0WyKHs6OGdXX+KwneHW1o0uTO 10 | DVlTcImgp5s2Vcl+mM/koYld5kwA72r4wdywxWuvAAAFmMqPh+3Kj4ftAAAAB3NzaC1yc2 11 | EAAAGBAL0r2OlLGiCky9FnVao5eCXyfkTvseNLmBpGIzRgjXbNFnUBg5F7kL63/B2APWtV 
12 | 9txid8qpbW3/IMrpUFDGsdFEVJ9m60QmQ0IHc7Ndc7Qt3x1SWmwXhbMdsJAFO5kEqyf99w 13 | 6tOzlmxsDhQx0EPJhLhjhvib0FYpaqwd78bc/UaSa3XEgPkPGlH79wLq99w+nade4hrvK1 14 | x44ZBi/G64UNdOq2+4FweAeV/99gLoxVuE24dfTFz/52vEfuIPTIXmbsYlLD0k1fSFzJMx 15 | tBipuMWNMLvx5IlP8JEBxWuGiu39ltUyF7jqm4QpRk3afQKyXtGUQnCEN23JX+YzzypDRY 16 | Sx46uKercn0DLJlmEHu/WnBwdg05KD6+e9VLyNfC/pYeqPP1v5+rRT8V3gPjue2IUUc4lU 17 | TfiONBjCPm24kuMl5Jbg+lAERCr+HMMcSF9Fsih7OjhnV1/isJ3h1taNLkzg1ZU3CJoKeb 18 | NlXJfpjP5KGJXeZMAO9q+MHcsMVrrwAAAAMBAAEAAAGABIfKGNMn0zthQ9N0DQYxlhm8Be 19 | NKnLy7mKxsI4zI8kNa/odNFjWZb39TT8pbtrxtcYpmKk8V6m00oLZaZf5wd5/QCwIMll2R 20 | 0qeZ1Uq3/pfy6TsPV7fEfzXce8aBG1r6zQtBrgyi1IihhUH1J9jPqVy5aOnL/fE6NQSY9c 21 | HU8uPaZeUJnqwvKd2PPdG7Gl07b0+3vD6UiOQvVI1FASCVLrg6Yh8M8THISMjkQroew0Qp 22 | e1WwU12j0gkpQ3RF6R0/1jAUijirB2HPOUrtwcgIvTBrnsasbIQvFKR0ElY2d6PHi5NnHm 23 | 6ARN22G3gwpW3+tOkF/WHAKcfHK8GnM9gbPefocscSsHhlYqn7Gnly65ewqeflNCd/vYOc 24 | S/UjNz9kBPP9UA4yEHkh32uZSGwItyiB6z3tLcjTTPtpfYdamzzGXy2083CehHj3mVAc9F 25 | 6SsxfVDkpLG8nt4rRyCvdKgnV2evC6cGByE6KV88RRNXVxTsxF65qpDDkDZkZuMZlpAAAA 26 | wQDQQTFKI0NNWvB6Mv1a+oz7yIM8SrhlpCdurqdMJ8E9oByf/wUdMSS+/dwJksJO4Hc3H/ 27 | VT0RqayW9QbPM2nSIvX7zFo9VfAvz/KJxduT65vVB7VYIc7ADuoeOQ2Vl7zuF+QxPvGpt/ 28 | BUluTzlEvL+DmPgQG6E0uVH2ReI8NPKXDP18AKitbAlvUe29m/HFJkCNi5SQ4coYPo49xC 29 | mpWYmiU5T5ePByDvc3K0Z7C64sQgBMuwuo1rzXL/UcQCSEQ/kAAADBAN0NxkUsB8/ZvPUc 30 | 1JJT2XvglkHgnZEdtrAb7SI2VJ2x57TrGpdhlfRMxp2yAdFDZexytKh+7fCudseIkK5PW9 31 | VDS5zLTIrhhhLROn13s5Xgtb/LwRZ3Vmqf6N4sH2u3xbsgdfKCWSkJb41uZJwjyBLAvsNt 32 | 1GrrkPALy5DkYZrD+sHg2zFZogJ988kEjT/n9CULBr9n2/OjhgYY6ydr7VcVDLSMBO6Tkk 33 | UHhtk8lXbQm/dRaguS+a3FphTthlcktQAAAMEA2xPC4KD4mPuAcD/ii65VNFDddVaVG61a 34 | gO83dvnGzOqCGAuEzVdesBK8vdXBYQ14pT+BoQ9K4sKs2CUR72KiodVGT+sUBdeX8ueu/M 35 | vqcfyc7UVkSJ6VkHXVfC4Hw834aoOFpkSRwFh9TGAlxahsmTJJCdjBWu+2wsgiIc6Y9Jgf 36 | 5GEzswhh1IzHHtybZzzBuyHMcPDxKXpWKIpwrlkOzxkN184+xGLDT4QVcj3fohIDi4Dfym 37 | eLCEmvvXqqEpFTAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgECAwQFBgc= 38 | -----END OPENSSH 
PRIVATE KEY----- 39 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9K9jpSxogpMvRZ1WqOXgl8n5E77HjS5gaRiM0YI12zRZ1AYORe5C+t/wdgD1rVfbcYnfKqW1t/yDK6VBQxrHRRFSfZutEJkNCB3OzXXO0Ld8dUlpsF4WzHbCQBTuZBKsn/fcOrTs5ZsbA4UMdBDyYS4Y4b4m9BWKWqsHe/G3P1Gkmt1xID5DxpR+/cC6vfcPp2nXuIa7ytceOGQYvxuuFDXTqtvuBcHgHlf/fYC6MVbhNuHX0xc/+drxH7iD0yF5m7GJSw9JNX0hcyTMbQYqbjFjTC78eSJT/CRAcVrhort/ZbVMhe46puEKUZN2n0Csl7RlEJwhDdtyV/mM88qQ0WEseOrinq3J9AyyZZhB7v1pwcHYNOSg+vnvVS8jXwv6WHqjz9b+fq0U/Fd4D47ntiFFHOJVE34jjQYwj5tuJLjJeSW4PpQBEQq/hzDHEhfRbIoezo4Z1df4rCd4dbWjS5M4NWVNwiaCnmzZVyX6Yz+ShiV3mTADvavjB3LDFa68= Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa2.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQS8NdlhWjczTrSSmXrPIm5dxUPF9l1r 4 | n6/iWMQOvSied2nz1L7KlcL10FY8fV/CSfHdLav4ZUqcVA5IlnHcboZYAAAAuIaESlSGhE 5 | pUAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLw12WFaNzNOtJKZ 6 | es8ibl3FQ8X2XWufr+JYxA69KJ53afPUvsqVwvXQVjx9X8JJ8d0tq/hlSpxUDkiWcdxuhl 7 | gAAAAhANtStHx78vkgxkGy20Ad7KyCGgDsRsCbV0vyPQEHnAL8AAAAG1dlbGwga25vd24g 8 | a2V5IGZvciBzc3NkLWNpLgECAwQ= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa2.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLw12WFaNzNOtJKZes8ibl3FQ8X2XWufr+JYxA69KJ53afPUvsqVwvXQVjx9X8JJ8d0tq/hlSpxUDkiWcdxuhlg= Well known key for 
sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa2.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACCjsyIr5pg77lSpJ3be3Bws6peMckoZPcaoxzV9nOd6dgAAAKDuA//H7gP/ 4 | xwAAAAtzc2gtZWQyNTUxOQAAACCjsyIr5pg77lSpJ3be3Bws6peMckoZPcaoxzV9nOd6dg 5 | AAAEA9qGHT87bpptMonGNLVVli2ey6arjyf3Yy7fi8FC02JqOzIivmmDvuVKkndt7cHCzq 6 | l4xyShk9xqjHNX2c53p2AAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa2.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOzIivmmDvuVKkndt7cHCzql4xyShk9xqjHNX2c53p2 Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa2.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAjZ1FeLKLYYNBDJkA8BfMTKVRD2jZOn3YPWN3uezc7Rx5w1x/0rqW 4 | tLRZdz2QV+K7BmqhhcuotNr2g1uf3eZSZL1p7OZ10INuET2ZyoLANM1ME22S+Qedan8uU7 5 | bN/KH/VW1QF1NHvI/C2uMUcGIzoKWrfyGSNp6vWvhIG6qjm8IcK4IcLeGh+wVNCEoH7EVv 6 | EqxSVbiPkqvEAZ0X4UbXpEXrFi9BL25KbyD+yevHFPfhb2PP2pVQfz2Ip6CJ8XhvNrE1s1 7 | 3EiDYugbMjDmzJNwyZNPiarIXqqgfI3R/nj/jLgBl6r0uOAMPpFNJambmDxXoW6bjadfeE 8 | +Lgb/OtrrLNaqdzg3d8C0EKFwdA7rXS+iZTc4skldnoZGyw4wojTxTPkG7khSH1D1N47gW 9 | VAzPnZySAcyCMvQHRbYpHu5va+Ye6vCYvzp+7k3mm1S2zzS5qB/Mzg9thP16s7JKtvS29l 10 | 38MqhsMedvJAoBvTpQck7aoL9vIl0Ylie7AGkszBAAAFkNCDdlfQg3ZXAAAAB3NzaC1yc2 11 | EAAAGBAI2dRXiyi2GDQQyZAPAXzEylUQ9o2Tp92D1jd7ns3O0cecNcf9K6lrS0WXc9kFfi 12 | uwZqoYXLqLTa9oNbn93mUmS9aezmddCDbhE9mcqCwDTNTBNtkvkHnWp/LlO2zfyh/1VtUB 13 | dTR7yPwtrjFHBiM6Clq38hkjaer1r4SBuqo5vCHCuCHC3hofsFTQhKB+xFbxKsUlW4j5Kr 14 | xAGdF+FG16RF6xYvQS9uSm8g/snrxxT34W9jz9qVUH89iKegifF4bzaxNbNdxIg2LoGzIw 15 | 5syTcMmTT4mqyF6qoHyN0f54/4y4AZeq9LjgDD6RTSWpm5g8V6Fum42nX3hPi4G/zra6yz 16 | Wqnc4N3fAtBChcHQO610vomU3OLJJXZ6GRssOMKI08Uz5Bu5IUh9Q9TeO4FlQMz52ckgHM 17 | gjL0B0W2KR7ub2vmHurwmL86fu5N5ptUts80uagfzM4PbYT9erOySrb0tvZd/DKobDHnby 18 | QKAb06UHJO2qC/byJdGJYnuwBpLMwQAAAAMBAAEAAAGAMVA6YGjgM3E25jGji3fmCyyoOR 19 | L8TiuDcQEhsItkdWcsmZSs6E9UapHA885q5MfN89KO853zXiM/o4d0+JsbRvxUlgu8rAMQ 20 | gY1vb/8u+lQhMUS/YNu/e9XU5o7qVRZ+aRubP7we53EyW/GmbOotazw1p5wjo8SHcMizp3 21 | q45WTnVVlGAc4oD1cNt5y7/JFDN//s3e/agyswIpW3OpnmPsygLAYBj4g7AE6/msXxegJF 22 | rPnXaBkFwoFFhIXZc05J+0uQzUYoFPSCHg5MV9oMlQ4QNv01TEUnpBTbWd2ujhfKUlImAA 23 | RHOf0xQx1/ktSQE5SsmRnEFGmAjkSUooEvCt/AXHjN87SoUWgEklr63viymWNAfdcRcsOa 24 | /cj1sCsYBxJUMpivPQ05N6tbP7ikOvxX/mpfPsg7P7NrpoNVp8gwsCG8eNJEPrOTOO5C2j 25 | 
iAFtDbp+uZ7QxgMfFSIxdwQU4A38rCaMe2opnvEHYEkrOyRi43X2QH2YW/9Au9LxLPAAAA 26 | wH3G2wy2i2BpzWG8Tvww9x6dyigivn1JTY2HOh8pihcvGbs72HYQAHVXCoALIlMXnevpw8 27 | +RI5Tta058yoGmoVwi48ZBzMnkvoFmaU6lZf2Gy7LODZX3JGIo+qSayYUH8tX37ZU96QC7 28 | TJOyDuwQu0vQf/G7OvCLWKekgS7TAzK6Rk0lsVkCXc7HF6LpYdYt6b6na/vaLx5TT1ywbs 29 | pGSUrh7jvgCkFviNgMNKmd1R9wRzQFaNoYjCQaCBFSmh9MqQAAAMEAxnKJ+RRL6AbBpxye 30 | fnW/ciGLo4l/EbJC6imT0AFgYw6Gu1epiCVBTD6oERAgxs+3fu6DnxWVLojWpTT9RESkYJ 31 | PVUzAnp4cgdf4vyyj80dAsJ3RbGU+Y1hZWKdb5COLvMiXg8orMgCvNhADD6Az8cG+ncVPz 32 | busx+kStztT8Uy4VwwxQutglQYqvp0o6M4Kb5r8s6kAQu55ENhOSKUIKfU1//VPN5dQ/wV 33 | 71jNvU5ym07UgcZNhkyNw97WOyFfVzAAAAwQC2rzy87d7qskmkNN11lSkh1L52NcQyxhsE 34 | jX+FjMTRbr4YgdnsU9tTtAigYrfQqDL4WGNPrnsA0qse32Ed3nNM1QdI/Mzni3eyK0ayqd 35 | tPE2CdrqxYW2Brlp5luHwaFlW2UvrmZ5H+Yw80tVfXZrRZkmzHD0kCFkwZqYBtbMY19mMa 36 | K8NmGXEMYPHGk/uHPruS57jr/h4Of8x2QlJ2aSBTRom1Ah42zZJgVqZO6MdY40EJBSfE5m 37 | z7ClUXMywXB/sAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku 38 | -----END OPENSSH PRIVATE KEY----- 39 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ipa2.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCNnUV4sothg0EMmQDwF8xMpVEPaNk6fdg9Y3e57NztHHnDXH/Supa0tFl3PZBX4rsGaqGFy6i02vaDW5/d5lJkvWns5nXQg24RPZnKgsA0zUwTbZL5B51qfy5Tts38of9VbVAXU0e8j8La4xRwYjOgpat/IZI2nq9a+EgbqqObwhwrghwt4aH7BU0ISgfsRW8SrFJVuI+Sq8QBnRfhRtekResWL0EvbkpvIP7J68cU9+FvY8/alVB/PYinoInxeG82sTWzXcSINi6BsyMObMk3DJk0+JqsheqqB8jdH+eP+MuAGXqvS44Aw+kU0lqZuYPFehbpuNp194T4uBv862uss1qp3ODd3wLQQoXB0DutdL6JlNziySV2ehkbLDjCiNPFM+QbuSFIfUPU3juBZUDM+dnJIBzIIy9AdFtike7m9r5h7q8Ji/On7uTeabVLbPNLmoH8zOD22E/Xqzskq29Lb2XfwyqGwx528kCgG9OlByTtqgv28iXRiWJ7sAaSzME= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.keycloak.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQo6x4yFjX+7NouHZzMyXid7gRR5C0W 4 | UtZ8wzOyE8jMAmserl+FLtj5rh03iXnYNQyoM6e28YjFTW40S6QgGeEOAAAAuD0IGAs9CB 5 | gLAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCjrHjIWNf7s2i4d 6 | nMzJeJ3uBFHkLRZS1nzDM7ITyMwCax6uX4Uu2PmuHTeJedg1DKgzp7bxiMVNbjRLpCAZ4Q 7 | 4AAAAhAJEZoIsYYJM1zgrQBNpJ/nBQkUB0KX/edjVHvxTtLcj8AAAAG1dlbGwga25vd24g 8 | a2V5IGZvciBzc3NkLWNpLgECAwQ= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.keycloak.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCjrHjIWNf7s2i4dnMzJeJ3uBFHkLRZS1nzDM7ITyMwCax6uX4Uu2PmuHTeJedg1DKgzp7bxiMVNbjRLpCAZ4Q4= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.keycloak.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACCov1JiaIYfzQaYxgKY1dKCsEYp9p3nyxEBU6Za7rLc7AAAAKAed+L4Hnfi 4 | +AAAAAtzc2gtZWQyNTUxOQAAACCov1JiaIYfzQaYxgKY1dKCsEYp9p3nyxEBU6Za7rLc7A 5 | AAAEACGVdj+XCsdSk+I4aqGl9E8CH9ts3cRda1AxiAMCSRMqi/UmJohh/NBpjGApjV0oKw 6 | Rin2nefLEQFTplrustzsAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.keycloak.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKi/UmJohh/NBpjGApjV0oKwRin2nefLEQFTplrustzs Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.keycloak.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAxt78uW0Mfdug1K8LY96ibWhDwzeN11s/r7LWrkrg/QbjkJPAi54m 4 | dBZ80z8UfzCisZmIMs/n4Y+B+vM3bi98utnTa0xYTQizSoIfDdH5RN4b21xbKrwaPVFBTI 5 | uHFjBrhZTGI8UaqMKKjv2SaD68LGipnMugGEgRUXQC/NZVdswGjeyytNAxFI2rGoGx9OhD 6 | +UNjqYtjdRb+ZdIFs01a2L9N1WY9cjckK+AskPWImOnXupI/uchSOsSiMjdDazQyCy013l 7 | MWvUGQrD1W0JD5+KwvfZ1HIVgHrPciASUg+Hn1XZluO9pyJkpQBiXjjS/PwBFUcTeRb49x 8 | uEsZqFskeWpnWemRg8KqrvSU6K8+iDZCUCVWINObN3Z4mKx2vOtB+rBsjfmg+cmgzEA6cL 9 | ePjYMnHjBeEcQ4kIJvK8jTmFWd1d8/32unQ6lm1egA6L+tPJUE3N2CSCNL2PFFzfkY1xme 10 | Bbn7OU7My/mKQgUoRrD/J3vl6RkWKqD712mRxkblAAAFmIk3jJ+JN4yfAAAAB3NzaC1yc2 11 | EAAAGBAMbe/LltDH3boNSvC2Peom1oQ8M3jddbP6+y1q5K4P0G45CTwIueJnQWfNM/FH8w 12 | orGZiDLP5+GPgfrzN24vfLrZ02tMWE0Is0qCHw3R+UTeG9tcWyq8Gj1RQUyLhxYwa4WUxi 13 | PFGqjCio79kmg+vCxoqZzLoBhIEVF0AvzWVXbMBo3ssrTQMRSNqxqBsfToQ/lDY6mLY3UW 14 | /mXSBbNNWti/TdVmPXI3JCvgLJD1iJjp17qSP7nIUjrEojI3Q2s0MgstNd5TFr1BkKw9Vt 15 | CQ+fisL32dRyFYB6z3IgElIPh59V2ZbjvaciZKUAYl440vz8ARVHE3kW+PcbhLGahbJHlq 16 | Z1npkYPCqq70lOivPog2QlAlViDTmzd2eJisdrzrQfqwbI35oPnJoMxAOnC3j42DJx4wXh 17 | HEOJCCbyvI05hVndXfP99rp0OpZtXoAOi/rTyVBNzdgkgjS9jxRc35GNcZngW5+zlOzMv5 18 | ikIFKEaw/yd75ekZFiqg+9dpkcZG5QAAAAMBAAEAAAGACmr7BUGxAlTY5Ntd9uIzqGnqXC 19 | soWzbqAVZr3Z80OxJl0G3qYRtXUK8u5H1s9vQWycP3uRBgHtZUN6UPFc7CCM3Jaq5fVSXB 20 | XVlaBBt9pJMYFX04lLwG3zMcVG9eE8D/Q5+quOFQnLTtlOu0BDxTwjsiC4Hf8KBcho5TwR 21 | Kp+8+uAOL8l5vtE50Pm2izkwH/MZXLU5c8OLw2y8xdRRUmea1H3V0o7IyhRfUikIjJmkJs 22 | bSx6ec0vKun1xI4APPjzwIhjEJ46LogAU9daOQzw8xDQ6tVvCCaDWBSgCPf4Lbz7zK4rzp 23 | Xz4zRtQTt+uICCmCtzcp+YfMJbaT/KhKg9wzM+z5pdXcnOmIobx11BxsoTm5qn+C1Ec86y 24 | UDPVc3pEBDk6VW8+9tAe9vCuA8KdKZpbCPcx0bc2YZ0uyeimY3g0BlnP7fsVjEjMEGHL/C 25 
| VWGZg00nXkmdKdAjGK4kNzDA04Ov5QRgunhc8M0QST3uNxgFp6nsYWR3dpWLw3M97/AAAA 26 | wQDe3X7B1d1RcXxQYGIAF50q+4UJ/zim1gGKx90K4lGmhBgxKv9o2+XrXvt4JCLpvNeYHX 27 | Z5ULU6ZrctQqT/nHpTWoDWQ0o4nExcKcRARAP69KuoQ7BCi1iRkJOXrWZ6xtk2bwzObVrv 28 | /lRohRuMQFAg1gp47wTteH91CZVHKW9W4RvUl6tHKX7E+xx8mT6cUq2e/nHdt/EW8lhBed 29 | Kt2TtI+4wsBYYMQLyjWc9nSg2QessWwWigOq3CyUDASfHhJ0AAAADBAON1t2egLvBQjnlz 30 | 1Ciad//kopHGtXKB2cZFONJLfpmCjXEwdRxsNWVoqa5lILwtXvdbpB1XyRQLnbC/WZo0G4 31 | hG35qKySj4Z7iurhQMMbWR4uKA1H6THSEBwDY0wz9iDmyOGs3Hi9FKMqOmNOOGcDCXmh+B 32 | Ii4QFMHVvFpoB4sr0pGfGqKd61Hok5MHLbrRJGGig2C8YA+KeYIb1P6jlP28ZFziJUegRu 33 | 0V8AujsJgbgf9zsK8A5KvUjo3ym08bJwAAAMEA39L27QOzddV3eo5/mymZLIiqyVZZZCeb 34 | SJdILIz3+6GmwjHucMnVBPZYVYjdQ1P1rGInIbmL6Di25AyrJ9Vz1nSro0uSUdRDHDMpZV 35 | fp4oX4OhW7ACBOrrwla9CSvqqO2b0qUVV1rjCHyuXVpZpXiGdSPLgl9gtzRWeoL2+p1CzN 36 | TPytzzoQpkdEltz4RKnA2PxXpyacGMQO3U+f+bNL/HC6bs1TpjNiIY8IzV+y2msOY+XvHY 37 | hM62Dafc5PVIUTAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgECAwQFBgc= 38 | -----END OPENSSH PRIVATE KEY----- 39 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.keycloak.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ldap.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQhhFWEqsGG3s2wTyn9alNzKCc8Akpi 4 | XyTR5/ePn80tqw7bZObuEvu/r4NaupddvBWe9VcWsPko58D2DOM//qw6AAAAuCzqhAQs6o 5 | QEAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGEVYSqwYbezbBP 6 | Kf1qU3MoJzwCSmJfJNHn94+fzS2rDttk5u4S+7+vg1q6l128FZ71Vxaw+SjnwPYM4z/+rD 7 | oAAAAgLMD2JxUYuwiY8Xpr2oAQH+dkATJBCujRQlkS3Gqyb4gAAAAbV2VsbCBrbm93biBr 8 | ZXkgZm9yIHNzc2QtY2kuAQIDBAU= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ldap.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGEVYSqwYbezbBPKf1qU3MoJzwCSmJfJNHn94+fzS2rDttk5u4S+7+vg1q6l128FZ71Vxaw+SjnwPYM4z/+rDo= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ldap.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACDKtVh7W73FZYkxupdXx3+xuIbngdS8OAyac7GxGtYZHwAAAKD0D0L/9A9C 4 | /wAAAAtzc2gtZWQyNTUxOQAAACDKtVh7W73FZYkxupdXx3+xuIbngdS8OAyac7GxGtYZHw 5 | AAAECDes6+zVb0mNFpH3eLtakE0jFHGtr81UY/RV54oZ0dHsq1WHtbvcVliTG6l1fHf7G4 6 | hueB1Lw4DJpzsbEa1hkfAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ldap.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMq1WHtbvcVliTG6l1fHf7G4hueB1Lw4DJpzsbEa1hkf Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ldap.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEA8zxhDrvp/oPr4gsz69CzSoL9XKfXEyEnHAug4dApGgvjTeDkr+23 4 | 0JWEM3So1VUQM1DQwkCi+/1ds2HVQZD/5YchYqDFUw0sKcGJ7be6bOpxR/asOliK4UhVkL 5 | ddl3XtjIv7zRU1JOle6D3RhlaeJ2YKduWZm9aHVD3mKzneNb22sVz/MnhU5fGJHrO1fL/u 6 | Sy67FARuD+z14dx8TVYi/YLmGKCjRStmm/M00taeUQCBqaVsVFgCD8PSe9n6ZBi47lsVx0 7 | IgmlVcNIXu9a1tVhGJsBH2DkaJ42DiqZwEg0TbD6thtvMHzI4ZsYxhvKRa4hCgNwdSVgHd 8 | S3brGNiA52Gks1/popWzDhYop5ewfxFRt5kVnLSpI+FxBhUlsfF8JdwZhPsYPXSRLQWBL4 9 | D9IT1WkawMXB8oRsDygcbeW9v9ecr35Ih/nh0LykOuzkpxDziZCwIBqcE1mpCo8TFeYbTh 10 | TlakrvFZvW9M8nwEGYlzlpVgWLcqEitZy+RDT/H9AAAFmP4CRLv+AkS7AAAAB3NzaC1yc2 11 | 
EAAAGBAPM8YQ676f6D6+ILM+vQs0qC/Vyn1xMhJxwLoOHQKRoL403g5K/tt9CVhDN0qNVV 12 | EDNQ0MJAovv9XbNh1UGQ/+WHIWKgxVMNLCnBie23umzqcUf2rDpYiuFIVZC3XZd17YyL+8 13 | 0VNSTpXug90YZWnidmCnblmZvWh1Q95is53jW9trFc/zJ4VOXxiR6ztXy/7ksuuxQEbg/s 14 | 9eHcfE1WIv2C5higo0UrZpvzNNLWnlEAgamlbFRYAg/D0nvZ+mQYuO5bFcdCIJpVXDSF7v 15 | WtbVYRibAR9g5GieNg4qmcBINE2w+rYbbzB8yOGbGMYbykWuIQoDcHUlYB3Ut26xjYgOdh 16 | pLNf6aKVsw4WKKeXsH8RUbeZFZy0qSPhcQYVJbHxfCXcGYT7GD10kS0FgS+A/SE9VpGsDF 17 | wfKEbA8oHG3lvb/XnK9+SIf54dC8pDrs5KcQ84mQsCAanBNZqQqPExXmG04U5WpK7xWb1v 18 | TPJ8BBmJc5aVYFi3KhIrWcvkQ0/x/QAAAAMBAAEAAAGASUAnOJE1zDy9VlMqXTt6Kxfcpk 19 | Ezf6LNzN/hoO+X2Sy4VPVD2Yl9AFduuzJIQArAeLu/Sqi9jKbGR6XQW9EHh3+U+cdR9Ytz 20 | f9W1rH3WqkNGPzZVsrKEjIjEn/LgwCK3Gcr0V1QqL4YKW2V2in7eXR4ZS6okgu5tzdxgSy 21 | c/uK577NkFT5U2eBMvyKu1Ha8NW93kYAhffvNNLyo/0uh8XB1GHyeNU+DYo2FwSIhyoBFH 22 | eygCwjnI0SeXZU4FXoyk2nB5w80OVexMk5EEAubbJc71dhMLRcO0LuQmFSm6tT4zcvsvSh 23 | sCcj6fnSdV7f4EyLJOJdbdSqtor1gu+MnYf0EhJ+NuYM0cYpczfJrpztEjUl+TTvXG8M+u 24 | cw7L7QGA+IPPwpXt6EQOGEbr/+HU55U80AIOknc9rI2DAAsF7sGp0Olb2ZRT7Qr117wDHK 25 | wZyehYpZrSkWybSXZGqzwWs9DzE934jci7/f2eAqIKd57OBQEc6dZcoID8nAMKfBl/AAAA 26 | wQCqPBp87NQGEJHgZNv4uRRplKlgnZAByFXblrJ5oBnP3kmglw+/8knVLug0JVoS4dYg/K 27 | Wg1sF7d3gJyEd3TDzhUOkrv+UOlFY++XAcTZWUMzfkDnOUAZMFyjy7a2wn+OnOrPbKTT3M 28 | W+LMdUiCGmziQ4hTAwyRwsLYc7H3xPEN3IAnGurM3o6SqZIjREJFbJM7GgtWlKZc6rhNDN 29 | XAuTOeUCsxbVwo2ZLNdIWOzZVQfQ2hzFAOeM5PqRb4FrtaoLIAAADBAPxo4jXX0udPsq8h 30 | V7fKfrTF8/rQ2So6DPGal2/OF6smn2uoFclyNCG2r8NvMVRn2ryF5T9QENTse08NFF/rpj 31 | nY56yWjskpPkQZvi524WNyEnnGPZ/zSW/KYiYxvFW8uydheBHJtQwiHq82iECvUVmA3JuH 32 | j8WGuBloDl2Z4lZeFUMffzesV2Ly0Y8CNFexpx4d/n3ajBN9p0QBlJKCNzr97y8XcHhalC 33 | neiDttnlsEswH9iIQhwHaKTaSlEf8ITwAAAMEA9rIXFJKfK3SBRISQIoAI8iQ1SdlLuy8t 34 | 7K3gYWnX7CpxTIQYEqXiTTxyJmvbQWicafZTbp6uSmibG0QzGfZ7PJugCvZIV+PWfwGzVv 35 | N/D8EgDYcfrvfDF39VjmvkORhDfMraIKtuQRoE6LbgGJ6yu9Vmve9TDh/pLcQxM17t34Fc 36 | 5hKqFrGUg4fxko7o/GA3gBY4Bm6vzbmj6GcdU3yqIEQg+1Ya51o++yZNpunOJRNsfHPc5x 37 | 
VCtcBBBCVKMUHzAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgECAwQFBgc= 38 | -----END OPENSSH PRIVATE KEY----- 39 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/master.ldap.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/nfs.test.ecdsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 3 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQT8GNn6qqtLCyQjtlq77sSDWBjINyLJ 4 | 24KcbRA4sHe+3H19UXwinUUCUcVFDg68hY1hbEWo8WvIbIUPRVqGZ8llAAAAuGkbpMxpG6 5 | TMAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPwY2fqqq0sLJCO2 6 | WrvuxINYGMg3IsnbgpxtEDiwd77cfX1RfCKdRQJRxUUODryFjWFsRajxa8hshQ9FWoZnyW 7 | UAAAAhAJLb6d8MznT101H4rxWAmMwmYSMBUQtCEqIg1lQzhGgNAAAAG1dlbGwga25vd24g 8 | a2V5IGZvciBzc3NkLWNpLgECAwQ= 9 | -----END OPENSSH PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/nfs.test.ecdsa_key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPwY2fqqq0sLJCO2WrvuxINYGMg3IsnbgpxtEDiwd77cfX1RfCKdRQJRxUUODryFjWFsRajxa8hshQ9FWoZnyWU= Well known key for sssd-ci. 
2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/nfs.test.ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACDjrh5OWGGpTPN3IMlSA9uq0FOQfvn1Bjkvhqfdw903iwAAAKCo3yd7qN8n 4 | ewAAAAtzc2gtZWQyNTUxOQAAACDjrh5OWGGpTPN3IMlSA9uq0FOQfvn1Bjkvhqfdw903iw 5 | AAAECzfbc5Rr1tPeNudlz5bbEujgye5xQHsNYB4cbj8MEcEuOuHk5YYalM83cgyVID26rQ 6 | U5B++fUGOS+Gp93D3TeLAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/nfs.test.ed25519_key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOuHk5YYalM83cgyVID26rQU5B++fUGOS+Gp93D3TeL Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/hosts/nfs.test.rsa_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAYEAvxjksZNP5f/amq1JgXgJxuaGaoal5XUNNFn1/m/RgT7kTB1RqAob 4 | ekJWpnlAgQCoLuIc5YPFefL2XS1z+cnyyLOPv24XkBG3ZTUwWnleDI5F8ZnpS3EcoKhP9P 5 | qMHAaxFwFr4NAWI2Vfx48T09JT1cwSbFSD6E/MbvreRlic/Mkgq/vC0W3W56azmxDV+IZF 6 | lveUERe+yG6Mttf4GZaLwDeLO4O27vxG4MbjTtITS9xQqWoZgnYEDkNygSD+3bWujrQ8H5 7 | vIiPPsN2UBYXzKn/91oOeMIA4ld4d6ZGDNv2M598Vxtk+knUSJyWw5gozgB2+fiVvRgzEG 8 | 0Y14oHKopSHFM06q0FZeWsgydGhZB2rDMEB/CVB+kBwsC7ggcO+RZJ1a1JLnhgykf1ONsQ 9 | krKyu4pCGMi7kl2dl+UCUIXfQ2GgT7oTA7vOxWeenfzUDQFHtwhDpJRgcB56ZRTRHHEkxZ 10 | yGj1ZTEZW0TVUpSiG4qhwGAJRhn4mFzMZFBEz/9FAAAFkP4q6zH+KusxAAAAB3NzaC1yc2 11 | EAAAGBAL8Y5LGTT+X/2pqtSYF4CcbmhmqGpeV1DTRZ9f5v0YE+5EwdUagKG3pCVqZ5QIEA 12 | 
qC7iHOWDxXny9l0tc/nJ8sizj79uF5ARt2U1MFp5XgyORfGZ6UtxHKCoT/T6jBwGsRcBa+ 13 | DQFiNlX8ePE9PSU9XMEmxUg+hPzG763kZYnPzJIKv7wtFt1uems5sQ1fiGRZb3lBEXvshu 14 | jLbX+BmWi8A3izuDtu78RuDG407SE0vcUKlqGYJ2BA5DcoEg/t21ro60PB+byIjz7DdlAW 15 | F8yp//daDnjCAOJXeHemRgzb9jOffFcbZPpJ1EiclsOYKM4Advn4lb0YMxBtGNeKByqKUh 16 | xTNOqtBWXlrIMnRoWQdqwzBAfwlQfpAcLAu4IHDvkWSdWtSS54YMpH9TjbEJKysruKQhjI 17 | u5JdnZflAlCF30NhoE+6EwO7zsVnnp381A0BR7cIQ6SUYHAeemUU0RxxJMWcho9WUxGVtE 18 | 1VKUohuKocBgCUYZ+JhczGRQRM//RQAAAAMBAAEAAAGAGOWq4hHhzoL7nbxm/8W+bFobeC 19 | SL163c5w2zdY9m+dJSVzJYsa6DbvXWqUDR7RzDTLxr7GEzKNTFUVV7Lzem+Iwgdd3nlv8f 20 | 6EE6SAdZAATHSxd05D3b73iOVkoQWBRtHSSzw+oIgFsUVAEpoabdAlVgrxmByBIhffIUZJ 21 | Dl/y9LIO0fsD6BydOXweO7JPKFfYpLEcEIu79fePEBY4AQPB5gdwQNoOxgZaez9NB88BzH 22 | q5LluPAcTilucTF10zf4yOscLhZvCxCFQ2gXCTvpCyF0jiAPN9acMVftGk+vGSdcrQ6IyZ 23 | ab69Z2pWBeilXpLQjMaacrR55HuDJlcu/EPbfqC0UWwRMgGik9G605XWp4a5RdjCZwgIaw 24 | Yo4um+50MoHudau4En+ncEVTFGEMeqqTwsbx10Zg+m+c3Rmz7SGGx8JIIT0gn2O0js7nad 25 | sezU6Mfgot00k11g2Od3EyyC3O2s33yAimBMcMRYcgN/jo8DFW3JTJ2nx1zMGBRJOvAAAA 26 | wHTwmY5OUYYUWErLdkLeU38YVmaHYg/uModGG6OGz+s/9Jy5tdECHpqvftSkng+Q5ghxYZ 27 | gprVSgmDgN1jZq2aRllatBfxgltpgMorbpMzy7ZYlvq3EWuEjRuKLqMi9qIrvwVYWmehCS 28 | ZQl41WNhpKb0nfY6NnQKQEu8o8MFyr7aQm1sn11sp9hhPVzM88PhlAH4x3EtzVybGLd/1M 29 | y6mPU62oIydVI0xMNt34LlMYVVwcfOz4TaDTsjMYIkV8DRbQAAAMEA6SVDHMyb9NTrlWNo 30 | Ql4gaTxzi3aeou1jzjLV6E//zC9Pvh9TvIr+nIutZB2RDrYFAfVddm1bFHvoNKBjLiv20/ 31 | Q083xZBNa5mxpMIviQfJI86Ndp7AmSSwqtdAevTSd74WYd49JUujA2RwDtwNb5QmI7ZjkP 32 | oqzfUk39NE9HnSAWD4zXCJIm9I+jUK37Kcs1n2OkceoWAgHDg8YZYxk6vVsMlJHipj8rR8 33 | 38jcJLn8TSXyybyLLm73HZmlSaAE9zAAAAwQDR1HAMR7ZUiu1i/SHvGv+w4LrE/xOJ73NO 34 | JvtVvYCtOfJHGrx0veb5nq/v/OKQ8CjuTWgnAHvV5zlfWtuhpBkD244lIjxDVvPv7MN3fR 35 | gUe37qul/bz+PzbArXHSLeZtWEeJ1MjSHc+VHnh14INSrbba/e3Aq7nm3uYUQTBLBQLFly 36 | lFRIG8jDYBMK6JEhm2QHDI9bC0qAsAvwEv35XJNtGvICY/C7Po/gEsfm2qaAiTRXKeRPb5 37 | nMljYL+p392GcAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku 38 | -----END OPENSSH PRIVATE KEY----- 39 | 
-------------------------------------------------------------------------------- /data/ssh-keys/hosts/nfs.test.rsa_key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 Well known key for sssd-ci. 2 | -------------------------------------------------------------------------------- /data/ssh-keys/root.id_rsa: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAgEAwPAQq6bzibpfTfKzluMuMCB4mvZ1Iya3pnQ5CBt3+2WcHAE2VzSQ 4 | lvPuvz1LRVu1j6T97N0Ws8YPKyX95I6hs5uwWzv+loWbMVUEKXPfVuDQ1zmBc0TrJsvj0w 5 | if+e8jLlF+vsdS2Ld+oIllDUJaL3CyIm7yQ/PTKBmtcRH+09O2XEuxEXGVh/korcf7DKMM 6 | 9a6yTvotK5FdM7/fG647IzNEVEgpsta84y2H4WjLHoioBRnU1whNKbjTfzXhXvS1xivwPs 7 | GIdclMsImgQRndTWofxlbPrlXIeiIJJf9nuKkvNwX0PnTWIx1wLuCxuFCpFcUUh4FRrSx8 8 | 84eRNqR+aA1TECR1/V1f9fpcjHyGT1N8WotfIZVKsk4D+miRKGo7cciFaZvndiwJkMsIUt 9 | XpnNgtNiPHq26/w+D0D3A4I8a+2gzGl4g+kmvYCx+CYWLFKOEZOimOFg79Kn1JaqeMTz4u 10 | X0ZzjUZb95r89YCbKaj6gfzAcBhw1FnyAoTf46FJ+KyB84ydc19mq7OmnrgAMBdWpJlQ95 11 | L2D3cXWu3QqKMU0TphGLTZU6ds/5K3XnjgInOOnRlQnROXZ2+cI/EOlTcqhMCgmv5RvkoR 12 | C9RfYEjnTW/x9/4PkXoBovZ7hnqqlW5InKK9Hk7EHdV42aEoRAXXPR+pi9SncqI+7tDkXl 13 | kAAAdg0fATzNHwE8wAAAAHc3NoLXJzYQAAAgEAwPAQq6bzibpfTfKzluMuMCB4mvZ1Iya3 14 | pnQ5CBt3+2WcHAE2VzSQlvPuvz1LRVu1j6T97N0Ws8YPKyX95I6hs5uwWzv+loWbMVUEKX 15 | PfVuDQ1zmBc0TrJsvj0wif+e8jLlF+vsdS2Ld+oIllDUJaL3CyIm7yQ/PTKBmtcRH+09O2 16 | XEuxEXGVh/korcf7DKMM9a6yTvotK5FdM7/fG647IzNEVEgpsta84y2H4WjLHoioBRnU1w 17 | hNKbjTfzXhXvS1xivwPsGIdclMsImgQRndTWofxlbPrlXIeiIJJf9nuKkvNwX0PnTWIx1w 18 | LuCxuFCpFcUUh4FRrSx884eRNqR+aA1TECR1/V1f9fpcjHyGT1N8WotfIZVKsk4D+miRKG 19 | o7cciFaZvndiwJkMsIUtXpnNgtNiPHq26/w+D0D3A4I8a+2gzGl4g+kmvYCx+CYWLFKOEZ 20 | OimOFg79Kn1JaqeMTz4uX0ZzjUZb95r89YCbKaj6gfzAcBhw1FnyAoTf46FJ+KyB84ydc1 21 | 
9mq7OmnrgAMBdWpJlQ95L2D3cXWu3QqKMU0TphGLTZU6ds/5K3XnjgInOOnRlQnROXZ2+c 22 | I/EOlTcqhMCgmv5RvkoRC9RfYEjnTW/x9/4PkXoBovZ7hnqqlW5InKK9Hk7EHdV42aEoRA 23 | XXPR+pi9SncqI+7tDkXlkAAAADAQABAAACAGqLZ7lS7cRN/llOQKx/cj8zf0ab+V3bAKnU 24 | HraCbMSQfR/d74NCzOH/fQVwtMNtfJsBkxQdl27ZXgEG7ukrdtJ3lHEddV7sEyKv/ydhDK 25 | GubsWbxQfBtFXtXDdq2OUtkPEAIgz6h56T3kKK/RnQXXs7MbPgLrslx6KqY2RAesfBb0AS 26 | sIqgfeHjzvoAqHt3Ay4dNex1LUKU+LIeL/faRGAQ7JfabeSLvy15NENfGmQXNSnz9Nx2gh 27 | 4bKfhi6b0FR+hS1U3ilBfvfQE0TyIERXh9tWRTBkcQqi//4atxGncYPrGVAScIYERt+kh4 28 | 3suZB3a1KbwWxuLp4Wqen6tcNU0Lu++nh52VClIAoVIxFSBZTPfR/CFEWor80GP4cT3Gto 29 | tB1uoYsCCsltq9XD9PutTFYtnDLfpZbE6zcJ0J1UMIinEAtQlrhxfgKWDCopXP/gV7nhRZ 30 | imJff9sLtw4ON8mMgjkfkjt83bxZpg0Qv/IqOLgHzd3YPZY3jDGZedQUcNWU4EMSelm+Vi 31 | TDoCpy9qmSROIONcVFcmccgVXRas4ygJb+2S6Q/Cg2CYhWmiphLOkFkKq189tUZS6hkB51 32 | cLkwyCz0nd3yzrU+wqm3N3tvMO8Pf3iWSJnesPpsMDNcZrmF4cClLkp5xtBcVjzAe1DriX 33 | OTHAkz38L7yTSAZIKBAAABAQCPA4KQROodwVLiok/q0YKNPMTzvWVipcPfpkN5h/NAQMFY 34 | RVLVuN3fqY2gO50VTbykObYoTD662B0xsZiVYtvurFwiEzeq2ZclsL5WBmr/jbN9Hpat/K 35 | pVWtErofjhvWVlrtgVkshk/NK52iXDiMyF60S0xZgLzW8CUn6mMZzARXk0pP8jbnO8GYZS 36 | 6WZaBeLR1B+rHGSfGXI/P0pfMtQjMQqeaDQqDyxvf2g/7V2xWSeJezJDQ50jANmevcbcXo 37 | rx6yqw1dchfatYaTv4meKuTqLLHRABVXeRFkTE8KwhnQnwc3dbKf56CBVK30nlLnGHcekf 38 | bS0bLzF6/Uo28S0wAAABAQD30dWqsUqucna9U/E4bn1novSudUPUGUFKPW1uArd+NfBiQT 39 | Vr/oNOUgtra127yHR9e3Nwmi3ilyC+HnJRB+0TYo2Kf7Wxcljw5kGj6G3TB9r3W3odjrAW 40 | PQz15O5GMRg0LnJp0LuHkjeFV3RGL5R/yMmEw2YwQ1yf1QPwTDPNCEyQUs+iaZgYwri0X4 41 | ZAMQYjBTreILZnDrppq7sw5n3ibWOD98DJ91fOuvyU0bv6FuRIy6mEiXoqzercyLLiSjv4 42 | iQbftxIaW12qcyi0R4D4oxNIISt++p18rrESSzhCXX3EXA3Ai8McZlfS8q66UkRVsdHeeO 43 | 7tTj8KsdyB6oRxAAABAQDHTnVlMkuWmjSOTomFyHyakk67j9w1jg2vW1aDaiGABuDBdwOL 44 | gRIR1M90HpjnuOAWymkymmCdHAYwcRhDPYGBUZQbTKVw2YNP/7yYO5f/OGU8uXiMvuxZbj 45 | h7dWvweinffwTV71AHe1Eh+REpsO7CwzN+7af48i5GI5Qz/44WE6pi3U5vnUlmURTcLAnh 46 | oRUxorxV+U2370AtzqM/icONy+V8hSHx5QYmu6EMzfd3wL7+rJGX8V0YRoThNcdGC7Wi3j 47 | 
L050gFXcWIKyEOMEkkyigWJ/y4AGraGUB/t9wayiAnpBB42K1bHXsQbwA//3m1WYWtdf0G 48 | +YSoj8r1ysxpAAAAJVdlbGwga25vd24ga2V5IGZvciBzc3NkLWNpIHJvb3QgdXNlci4BAg 49 | MEBQ== 50 | -----END OPENSSH PRIVATE KEY----- 51 |
--------------------------------------------------------------------------------
/data/ssh-keys/root.id_rsa.pub:
--------------------------------------------------------------------------------
ssh-rsa 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 Well known key for sssd-ci root user.
--------------------------------------------------------------------------------
/docker-compose.passkey.yml:
--------------------------------------------------------------------------------
# Override file for the client service: adds SYS_RAWIO and maps one host
# device node, named by $HIDRAW, to the same path inside the container.
# NOTE(review): $HIDRAW comes from the caller's environment; presumably it
# points at a hidraw node of a passkey token (going by the file name) --
# confirm, and use a dedicated test token only.
services:
  client:
    cap_add:
      - SYS_RAWIO
    devices:
      - "$HIDRAW:$HIDRAW"
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
# One container per service on the "sssd-ci" bridge network
# (172.16.100.0/24) with fixed addresses; every service other than dns uses
# the dns container at 172.16.100.2 as its resolver.
#
# NOTE(review): every service sets apparmor=unconfined, label=disable and
# seccomp=unconfined, and most add SYS_ADMIN, so the containers run without
# the runtime's default syscall filter and mandatory-access-control
# confinement. Presumably the service stacks need this to start -- TODO
# confirm per service. Treat these containers as not isolated from the host
# kernel and run the stack only on disposable CI or lab machines.
services:
  dns:
    restart: always
    # NOTE(review): fixed to the mutable "latest" tag, while the other
    # services follow ${TAG}.
    image: ${REGISTRY}/ci-dns:latest
    container_name: dns
    env_file: ./env.containers
    volumes:
      - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
    cap_add:
      - NET_RAW
      - NET_ADMIN
      - SYS_CHROOT
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.2
  ipa:
    image: ${REGISTRY}/ci-ipa:${TAG}
    container_name: ipa
    hostname: master.ipa.test
    dns: 172.16.100.2
    env_file: ./env.containers
    # ./shared is mounted read-write into every service except dns and
    # keycloak, so any one of those containers can change files the others
    # read.
    volumes:
      - ./shared:/shared:rw
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - NET_ADMIN
      - CAP_CHOWN
      - CAP_DAC_OVERRIDE
      - CAP_SETGID
      - CAP_SETUID
      - CAP_DAC_READ_SEARCH
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.10
  ipa2:
    image: ${REGISTRY}/ci-ipa2:${TAG}
    container_name: ipa2
    hostname: master.ipa2.test
    dns: 172.16.100.2
    env_file: ./env.containers
    volumes:
      - ./shared:/shared:rw
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - NET_ADMIN
      - CAP_CHOWN
      - CAP_DAC_OVERRIDE
      - CAP_SETGID
      - CAP_SETUID
      - CAP_DAC_READ_SEARCH
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.11
  ldap:
    image: ${REGISTRY}/ci-ldap:${TAG}
    container_name: ldap
    hostname: master.ldap.test
    dns: 172.16.100.2
    env_file: ./env.containers
    volumes:
      - ./shared:/shared:rw
    cap_add:
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - NET_ADMIN
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.20
  samba:
    image: ${REGISTRY}/ci-samba:${TAG}
    container_name: samba
    hostname: dc.samba.test
    dns: 172.16.100.2
    env_file: ./env.containers
    volumes:
      - ./shared:/shared:rw
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - NET_ADMIN
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.30
  client:
    image: ${REGISTRY}/ci-client:${TAG}
    container_name: client
    hostname: client.test
    dns: 172.16.100.2
    env_file: ./env.containers
    volumes:
      - ./shared:/shared:rw
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - NET_RAW
      - NET_ADMIN
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - CAP_CHOWN
      - CAP_DAC_OVERRIDE
      - CAP_SETGID
      - CAP_SETUID
      - CAP_DAC_READ_SEARCH
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.40
  nfs:
    image: ${REGISTRY}/ci-nfs:${TAG}
    container_name: nfs
    hostname: nfs.test
    dns: 172.16.100.2
    env_file: ./env.containers
    volumes:
      - ./shared:/shared:rw
      - ./exports:/exports:rw
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - NET_ADMIN
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.50
  kdc:
    image: ${REGISTRY}/ci-kdc:${TAG}
    container_name: kdc
    hostname: kdc.test
    dns: 172.16.100.2
    env_file: ./env.containers
    volumes:
      - ./shared:/shared:rw
      - ./exports:/exports:rw
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - SYS_CHROOT
      - NET_ADMIN
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.60
  keycloak:
    image: ${REGISTRY}/ci-keycloak:${TAG}
    container_name: keycloak
    hostname: master.keycloak.test
    dns: 172.16.100.2
    env_file: ./env.containers
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - AUDIT_WRITE
      - AUDIT_CONTROL
      - NET_ADMIN
      - SYS_CHROOT
    security_opt:
      - apparmor=unconfined
      - label=disable
      - seccomp=unconfined
    networks:
      sssd:
        ipv4_address: 172.16.100.70
networks:
  sssd:
    name: sssd-ci
    driver: bridge
    ipam:
      config:
        - subnet: 172.16.100.0/24
          gateway: 172.16.100.1
      options:
        driver: host-local
--------------------------------------------------------------------------------
/env.containers:
--------------------------------------------------------------------------------
# Environment variables set in all started containers
CONTAINER=yes
--------------------------------------------------------------------------------
/env.example:
--------------------------------------------------------------------------------
# This is the docker-compose environment file.
# Copy it to .env or use --env-file=env.example on docker-compose command.
REGISTRY=quay.io/sssd
TAG=latest
--------------------------------------------------------------------------------
/misc/demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SSSD/sssd-ci-containers/e696a76846af2f4fb001adec7d328f14ec275c6a/misc/demo.gif
--------------------------------------------------------------------------------
/shared/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SSSD/sssd-ci-containers/e696a76846af2f4fb001adec7d328f14ec275c6a/shared/.gitkeep
--------------------------------------------------------------------------------
/src/Containerfile:
--------------------------------------------------------------------------------
# dns server
# NOTE(review): this stage and the debian stage below build on the mutable
# ":latest" tag, so image contents change between builds; pin a release tag
# or digest where reproducible images matter.
FROM docker.io/alpine:latest AS dns
RUN apk --no-cache add dnsmasq
ENTRYPOINT ["dnsmasq", "-k"]

# vagrant with preinstalled plugins and ansible
FROM debian:latest as vagrant-base
ENV VAGRANT_HOME /vagrant
ENV VAGRANT_DEFAULT_PROVIDER=libvirt
RUN mkdir /vagrant
RUN set -e \
    && apt update \
    && apt install -y --no-install-recommends \
        ca-certificates \
        curl \
        jq \
        kmod \
        libvirt-clients \
        openssh-client \
        openssh-server \
        python3-pip \
        rsync \
    && rm -rf /var/lib/apt/lists
# Look up the newest vagrant tag through the GitHub API and install the
# matching amd64 .deb from releases.hashicorp.com.
# NOTE(review): the .deb is installed exactly as downloaded -- no checksum or
# signature is checked, and curl runs without --fail, so an HTTP error body
# would be saved as vagrant.deb. Verifying the file against the vendor's
# published checksums before "apt install" would close that gap.
RUN set -e \
    && VERSION=`curl -s https://api.github.com/repos/hashicorp/vagrant/tags | jq -r '.[0].name' | sed 's/^v//'` \
    && curl https://releases.hashicorp.com/vagrant/${VERSION}/vagrant_${VERSION}-1_amd64.deb -o vagrant.deb \
    && apt update && apt install -y ./vagrant.deb && rm -rf /var/lib/apt/lists/* \
    && rm -f vagrant.deb

# Build stage for the vagrant plugins: enables deb-src, installs the build
# dependencies and compiles the plugins. Only /vagrant is copied out of it
# into the final stage.
FROM vagrant-base as vagrant-plugins
WORKDIR /build
RUN sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources
RUN set -e \
    && apt update && apt build-dep -y vagrant ruby-libvirt \
    && apt install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev \
    && rm -rf /var/lib/apt/lists
RUN vagrant plugin install vagrant-libvirt
RUN vagrant plugin install vagrant-sshfs

# Final image: vagrant-base plus the plugin directory built above.
FROM vagrant-base as vagrant
ENTRYPOINT ["/usr/bin/bash"]
COPY --from=vagrant-plugins /vagrant /vagrant
# NOTE(review): ansible and pywinrm are installed unpinned from the package
# index; --break-system-packages makes pip install into the system Python
# environment that the distribution otherwise manages.
RUN pip3 install ansible pywinrm --break-system-packages
--------------------------------------------------------------------------------
/src/Vagrantfile:
--------------------------------------------------------------------------------
# Defines a single Windows guest named "ad" (hostname "dc") on a routed
# private network, 172.16.200.0/24, and provisions it with
# ./ansible/playbook_vagrant.yml.
Vagrant.configure("2") do |config|
  config.vm.define "ad" do |this|
    # NOTE(review): no box_version is set for this box, so the guest image
    # is not pinned to a particular build.
    this.vm.box = "peru/windows-server-2022-standard-x64-eval"
    this.vm.hostname = "dc"
    this.vm.guest = :windows
    # The guest is managed over WinRM as Administrator; the Ansible inventory
    # on this page reaches the same address on port 5985 (the HTTP WinRM
    # listener), so keep this network private to the lab host.
    this.vm.communicator = "winrm"
    this.winrm.username = "Administrator"
    this.vm.network "private_network",
      :ip => "172.16.200.10",
      :libvirt__dhcp_enabled => false,
      :libvirt__network_address => '172.16.200.0/24',
      :libvirt__forward_mode => 'route'

    this.vm.provider :libvirt do |libvirt|
      libvirt.memory = 4092

      # Set only when the installed provider plugin defines the option.
      if defined?(libvirt.qemu_use_session)
        libvirt.qemu_use_session = false
      end
    end

    this.vm.provision "ansible" do |ansible|
      ansible.inventory_path = "./ansible/inventory.yml"
      ansible.playbook = "./ansible/playbook_vagrant.yml"
      ansible.config_file = "./ansible/ansible.cfg"
    end
  end
end
--------------------------------------------------------------------------------
/src/ansible/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
inventory = ./inventory.yml
stdout_callback = yaml
--------------------------------------------------------------------------------
/src/ansible/filter_plugins/distro.py:
--------------------------------------------------------------------------------
class FilterModule(object):
    """Filter plugin that provides the ``distro_includes`` filter."""

    def filters(self):
        """Return the mapping of filter names to the methods implementing them."""
        return {
            'distro_includes': self.distro_includes
        }

    def distro_includes(self, distro, version, extra=""):
        """
        Create list of distribution specific include files.

        The result holds ``{distro}{N}{extra}.yml`` for every N from the
        distribution's minimum version up to ``int(version)``, highest N
        first, followed by the unversioned ``{distro}{extra}.yml`` as the
        last element.

        :param distro: Distribution name; used verbatim in the file names and
            compared case-insensitively to pick the minimum version.
        :param version: Highest version to include; converted with ``int()``,
            so a value that is not an integer string raises ``ValueError``.
        :param extra: Optional text placed between the version and ``.yml``.
        :return: List of file names, versioned entries in descending order.
        """
        # Lowest version that gets its own include file: 34 for fedora,
        # 8 for centos, 1 for any other distribution.
        min_version = 1
        if distro.lower() == 'fedora':
            min_version = 34
        elif distro.lower() == 'centos':
            min_version = 8

        # Built as [unversioned, min .. version] and then reversed, so the
        # highest version comes first and the unversioned file last. When
        # version is below min_version only the unversioned file remains.
        out = [f'{distro}{extra}.yml']
        out.extend([ f'{distro}{x}{extra}.yml' for x in range(min_version, int(version) + 1) ])
        out.reverse()

        return out
--------------------------------------------------------------------------------
/src/ansible/group_vars/all:
--------------------------------------------------------------------------------
1 | service: { 2 | ipa: { 3 | domain: 'ipa.test', 4 | hostname: 'master', 5 | fqn: 'master.ipa.test', 6 | netbios: 'IPA', 7 | password: 'Secret123' 8 | }, 9 | ipa2: { 10 | domain: 'ipa2.test', 11 | hostname: 'master', 12 | fqn: 'master.ipa2.test', 13 | netbios: 'IPA2', 14 | password: 'Secret123' 15 | }, 16 | ldap: { 17 | domain: 'ldap.test', 18 | hostname: 'master', 19 | fqn: 'master.ldap.test', 20 | suffix: 'dc=ldap,dc=test', 21 | bind: { 22 | dn: 'cn=Directory Manager', 23 | password: 'Secret123' 24 | } 25 | }, 26 | samba: { 27 | netbios: SAMBA, 28 | domain: samba.test, 29 | password: Secret123 30 | }, 31 | client: { 32 | domain: 'client.test', 33 | fqn: 'client.test' 34 | }, 35 | kdc: { 36 | realm: TEST, 37 | domain: test, 38 | fqn: kdc.test, 39 | master_password:
Secret123 40 | }, 41 | keycloak: { 42 | domain: keycloak.test, 43 | fqn: master.keycloak.test, 44 | admin_password: Secret123 45 | }, 46 | ad: { 47 | domain: ad.test, 48 | hostname: 'dc', 49 | netbios: AD, 50 | safe_password: Secret123, 51 | suffix: 'dc=ad,dc=test' 52 | } 53 | } 54 | 55 | user_regular_uid: 1000 56 | user: { 57 | root: { 58 | password: Secret123 59 | }, 60 | regular: { 61 | uid: "{{ user_regular_uid | int }}", 62 | name: ci, 63 | password: Secret123 64 | } 65 | } 66 | 67 | freeipa_packages: { 68 | server: [ freeipa-server, freeipa-server-dns, freeipa-server-trust-ad ], 69 | client: [ freeipa-client, ] 70 | } 71 | 72 | ipa_packages: { 73 | server: [ ipa-server-dns, ipa-server, ipa-server-trust-ad ], 74 | client: [ ipa-client, ] 75 | } 76 | 77 | join_samba: yes 78 | join_ipa: yes 79 | join_ldap: yes 80 | join_ad: no 81 | trust_ipa_samba: yes 82 | trust_ipa_ad: no 83 | trust_ipa_ad_two_way: no 84 | extended_packageset: yes 85 | virt_smartcard: no 86 | virt_smartcard_dir: /opt/test_ca 87 | virt_smartcard_sopin: 12345678 88 | virt_smartcard_pin: 123456 89 | virt_smartcard_libsofthsm: /usr/lib64/pkcs11/libsofthsm2.so 90 | -------------------------------------------------------------------------------- /src/ansible/inventory.yml: -------------------------------------------------------------------------------- 1 | all: 2 | children: 3 | local: 4 | hosts: 5 | localhost: 6 | vars: 7 | ansible_connection: local 8 | ansible_python_interpreter: /usr/bin/python3 9 | base: 10 | children: 11 | base_client: 12 | hosts: 13 | base-client 14 | base_ipa: 15 | hosts: 16 | base-ipa 17 | base_ldap: 18 | hosts: 19 | base-ldap 20 | base_samba: 21 | hosts: 22 | base-samba 23 | base_nfs: 24 | hosts: 25 | base-nfs 26 | base_kdc: 27 | hosts: 28 | base-kdc 29 | base_keycloak: 30 | hosts: 31 | base-keycloak 32 | base_ground: 33 | hosts: 34 | base-ground 35 | client_devel: 36 | hosts: 37 | client-devel 38 | ipa_devel: 39 | hosts: 40 | ipa-devel 41 | vars: 42 | ansible_connection: 
podman 43 | ansible_host: sssd-wip-base 44 | ansible_python_interpreter: /usr/bin/python3 45 | extended_packageset: yes 46 | services: 47 | children: 48 | client: 49 | hosts: 50 | client.test: 51 | ansible_host: sssd-wip-client 52 | ipa: 53 | hosts: 54 | master.ipa.test: 55 | ansible_host: sssd-wip-ipa 56 | master.ipa2.test: 57 | ansible_host: sssd-wip-ipa2 58 | ldap: 59 | hosts: 60 | master.ldap.test: 61 | ansible_host: sssd-wip-ldap 62 | samba: 63 | hosts: 64 | dc.samba.test: 65 | ansible_host: sssd-wip-samba 66 | nfs: 67 | hosts: 68 | nfs.test: 69 | ansible_host: sssd-wip-nfs 70 | kdc: 71 | hosts: 72 | kdc.test: 73 | ansible_host: sssd-wip-kdc 74 | keycloak: 75 | hosts: 76 | master.keycloak.test: 77 | ansible_host: sssd-wip-keycloak 78 | vars: 79 | ansible_connection: podman 80 | ansible_python_interpreter: /usr/bin/python3 81 | windows: 82 | children: 83 | ad: 84 | hosts: 85 | dc.ad.test: 86 | ansible_host: 172.16.200.10 87 | vars: 88 | ansible_connection: winrm 89 | ansible_port: 5985 90 | ansible_user: Administrator 91 | ansible_password: vagrant 92 | -------------------------------------------------------------------------------- /src/ansible/playbook_image_base.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: base 3 | gather_facts: yes 4 | roles: 5 | - facts 6 | - packages 7 | 8 | - hosts: base_ground 9 | roles: 10 | - common 11 | 12 | - hosts: base 13 | roles: 14 | - cleanup 15 | -------------------------------------------------------------------------------- /src/ansible/playbook_image_service.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: services 3 | gather_facts: yes 4 | roles: 5 | - facts 6 | - firewall 7 | - no_nscd 8 | 9 | - hosts: ldap 10 | gather_facts: no 11 | roles: 12 | - ldap 13 | 14 | - hosts: samba 15 | gather_facts: no 16 | roles: 17 | - samba 18 | 19 | - hosts: ipa 20 | gather_facts: no 21 | roles: 22 | - ipa 23 | - { role: 
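passkey, when: ansible_distribution == "Ubuntu" or ansible_distribution == "Debian" } 24 | - { role: ipasmartcard, when: ansible_os_family == 'RedHat' and virt_smartcard } 25 | 26 | - hosts: client 27 | gather_facts: no 28 | roles: 29 | - client 30 | - { role: passkey, when: ansible_distribution == "Ubuntu" or ansible_distribution == "Debian" } 31 | - { role: virtsmartcard, when: ansible_distribution != "Ubuntu" and ansible_distribution != "Debian" and virt_smartcard } 32 | - { role: ipasmartcard, when: ansible_os_family == 'RedHat' and virt_smartcard } 33 | 34 | - hosts: nfs 35 | gather_facts: no 36 | roles: 37 | - nfs 38 | 39 | - hosts: kdc 40 | gather_facts: no 41 | roles: 42 | - kdc 43 | 44 | - hosts: keycloak 45 | gather_facts: no 46 | roles: 47 | - keycloak 48 | 49 | - hosts: services 50 | gather_facts: no 51 | roles: 52 | - ssh_server 53 | 54 | - hosts: services 55 | gather_facts: no 56 | roles: 57 | - role: cleanup 58 | when: skip_cleanup is undefined or not skip_cleanup 59 |
--------------------------------------------------------------------------------
/src/ansible/playbook_vagrant.yml:
--------------------------------------------------------------------------------
---
# Applies the ad role to the Vagrant-managed host dc.ad.test.
# NOTE(review): the role is passed enable_firewall, while the ad role defaults
# (roles/ad/defaults/main.yml) declare open_firewall; confirm which name the
# role's tasks read, so the firewall ends up in the intended state.
- hosts: dc.ad.test
  gather_facts: yes
  roles:
    - { role: ad, enable_firewall: yes }
--------------------------------------------------------------------------------
/src/ansible/playbook_vm.yml:
--------------------------------------------------------------------------------
---
# Runs the dns role on all hosts, then imports the base and service image
# playbooks with become enabled. The boolean switches passed to the imports
# default to "no" unless the caller supplies the matching override_* variable.
- hosts: all
  gather_facts: yes
  roles:
    - dns

- name: Include base
  ansible.builtin.import_playbook: playbook_image_base.yml
  vars:
    passkey_support: "{{ override_passkey_support | default('no') | bool }}"
    user_regular_uid: 1024
    ansible_become: yes
    extended_packageset: "{{ override_extended_packageset | default('no') | bool }}"
    # The key is virt_smartcard, the name group_vars/all defines and the role
    # conditions in playbook_image_service.yml test. It was spelled
    # virt_smarcard here, which set a variable nothing on this page reads.
    # The override variable keeps its existing spelling so current callers
    # continue to work.
    virt_smartcard: "{{ override_virt_smarcard | default('no') | bool }}"

- name: Include services
  ansible.builtin.import_playbook: playbook_image_service.yml
  vars:
    passkey_support: "{{ override_passkey_support | default('no') | bool }}"
    user_regular_uid: 1024
    ansible_become: yes
    join_ad: "{{ override_join_ad | default('no') | bool }}"
    join_ldap: "{{ override_join_ldap | default('no') | bool }}"
    join_samba: "{{ override_join_samba | default('no') | bool }}"
    join_ipa: "{{ override_join_ipa | default('no') | bool }}"
    trust_ipa_samba: "{{ override_trust_ipa_samba | default('no') | bool }}"
    trust_ipa_ad: "{{ override_trust_ipa_ad | default('no') | bool }}"
    trust_ipa_ad_two_way: "{{ override_trust_ipa_ad_two_way | default('no') | bool }}"
    extended_packageset: "{{ override_extended_packageset | default('no') | bool }}"
    skip_cleanup: true
    # Same key correction as in the base import above; the override variable
    # name is unchanged.
    virt_smartcard: "{{ override_virt_smarcard | default('no') | bool }}"

- hosts: ad
  gather_facts: yes
  roles:
    - { role: ad, skip_addc_install: yes, skip_dns: yes, ad_permanent_users: ['Administrator'] }
--------------------------------------------------------------------------------
/src/ansible/roles/ad/defaults/main.yml:
--------------------------------------------------------------------------------
1 | --- 2 | # Users to be configured that their password never expires 3 | ad_permanent_users: 4 | - Administrator 5 | - vagrant 6 | # Skip vagrant-specific configuration of dns 7 | skip_dns: no 8 | # Skip installation of AD server 9 | skip_addc_install: no 10 | # Skip addition of sudo schema and possibly other ones 11 | skip_schema: no 12 | # Open firewall for all incoming traffic.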
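open_firewall: yes
--------------------------------------------------------------------------------
/src/ansible/roles/ad/tasks/dns.yml:
--------------------------------------------------------------------------------
# Stops the domain controller from registering its own addresses dynamically,
# then pins the address the DNS server publishes.
- name: Disable automatic DNS updates
  win_regedit:
    path: '{{ item.path }}'
    name: '{{ item.name }}'
    data: '{{ item.value }}'
    type: dword
    state: present
  with_items:
  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', name: 'DisableDynamicUpdate', value: 1}
  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', name: 'RegisterDnsARecords', value: 0}
  - {path: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters', name: 'UseDynamicDns', value: 0}

- name: Allow only specific IP address for the DNS server
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    name: PublishAddresses
    data: "172.16.200.10"
    type: string
    state: present

# Deletes every A record in the zone whose address is not 172.16.200.10.
- name: Remove vagrant IP address from DNS
  win_shell: |
    Get-DnsServerResourceRecord -ZoneName "{{ ad_domain }}" -RRType A \
    | Where-Object {$_.RecordData.ipv4address -ne "172.16.200.10"} \
    | Remove-DnsServerResourceRecord -ZoneName "{{ ad_domain }}" -Force
--------------------------------------------------------------------------------
/src/ansible/roles/ad/tasks/install.yml:
--------------------------------------------------------------------------------
- name: Install Active Directory Services
  win_feature:
    name: '{{ item }}'
    include_management_tools: yes
    include_sub_features: yes
    state: present
  with_items:
  - AD-Domain-Services
  - DNS

# The safe-mode administrator password is rendered into the script text, so
# the task is marked no_log to keep it out of Ansible's output and logs.
# NOTE(review): a single quote inside ad_password would end the PowerShell
# string early; confirm the value can never contain one.
- name: 'Create new AD forest {{ ad_domain }}'
  win_shell: |
    Import-Module ADDSDeployment

    Install-ADDSForest \
      -DomainName "{{ ad_domain }}" \
      -CreateDnsDelegation:$false \
      -ForestMode "WinThreshold" \
      -DomainMode "WinThreshold" \
      -Force:$true \
      -InstallDns:$true \
      -NoRebootOnCompletion:$true \
      -SafeModeAdministratorPassword \
        (ConvertTo-SecureString '{{ ad_password }}' -AsPlainText -Force)
  register: installation
  args:
    # Skip the task once the NTDS directory exists.
    creates: 'C:\Windows\NTDS'
  no_log: true

- name: Reboot machine
  win_reboot:
  when: installation.changed
--------------------------------------------------------------------------------
/src/ansible/roles/ad/tasks/main.yml:
--------------------------------------------------------------------------------
# The rule names no remote address, port or protocol, so as written it is not
# limited to one network; that matches the role default described as opening
# the firewall for all incoming traffic. Suitable for an isolated test network
# only.
# NOTE(review): playbook_vagrant.yml passes enable_firewall, but this task is
# gated on open_firewall. Confirm which name is intended.
- name: Allow access from our network
  win_firewall_rule:
    name: Allow access from our network
    direction: in
    action: allow
    enabled: yes
    state: present
  when: open_firewall

- name: Set the default SSH shell to PowerShell
  win_regedit:
    path: HKLM:\SOFTWARE\OpenSSH
    name: DefaultShell
    data: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    type: string
    state: present

- name: Detect cygwin
  win_stat:
    path: 'C:\cygwin64\etc'
  register: cygwin

- name: Configure shell for cygwin
  win_lineinfile:
    path: 'C:\cygwin64\etc\nsswitch.conf'
    line: "db_shell: /cygdrive/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe"
  when: cygwin.stat.exists
  register: configured_cygwin

# When the forest installation is skipped, nothing else reboots the host.
- name: Reboot machine to apply changes in cygwin config
  win_reboot:
  when: configured_cygwin.changed and skip_addc_install

# Derives the domain, NetBIOS name and LDAP suffix from the inventory hostname:
# the first label becomes the NetBIOS name, the remaining labels the domain.
- name: Prepare AD facts
  set_fact:
    ad_domain: "{{ '.'.join(inventory_hostname.split('.')[1:]) }}"
    ad_netbios: "{{ inventory_hostname.split('.')[0].upper() }}"
    ad_suffix: "{{ inventory_hostname.split('.')[1:] | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
    ad_password: "{{ service.ad.safe_password }}"

# Prints only the non-secret facts; ad_password is deliberately not shown.
- name: Debug AD facts
  debug:
    msg: 'AD domain: "{{ ad_domain }}", AD netbios: "{{ ad_netbios }}", AD suffix: "{{ ad_suffix }}"'

- name: 'Install AD server'
  include_tasks: 'install.yml'
  when: not skip_addc_install

- name: Install management tools
  win_feature:
    name:
    - RSAT-AD-Tools
    include_sub_features: yes
    include_management_tools: yes

# Marks PSGallery as a trusted repository on the host and installs a pinned
# PSIni version from it.
# NOTE(review): the pin fixes the version, not the content; confirm that
# trusting the whole gallery is acceptable for this host.
- name: Install powershell modules
  win_shell: |
    Get-PackageProvider NuGet -ForceBootstrap
    Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
    Install-Module PSIni -RequiredVersion 3.1.4 -Confirm:$False

- name: Make sure Active Directory Web Services is running
  win_service:
    name: adws
    start_mode: auto
    state: started

- name: 'Add sudo schema and possibly other'
  include_tasks: 'schema.yml'
  when: not skip_schema

# Exit code 255 means "already set" (no change), 0 means the flag was just
# set; any other code is a failure and is retried.
- name: Set Password Never Expires for system users
  win_shell: |
    Import-Module ActiveDirectory

    $user = Get-ADUser -Server {{ ad_domain }} -Identity {{ item }} \
      -Properties PasswordNeverExpires
    if ($user.PasswordNeverExpires -eq $true) {
      exit 255
    }

    Set-ADUser -Server {{ ad_domain }} -Identity {{ item }} \
      -PasswordNeverExpires $true
  register: result
  failed_when: "result.rc != 255 and result.rc != 0"
  changed_when: "result.rc == 0"
  until: "result.rc == 255 or result.rc == 0"
  # The AD is sometimes not ready to process requests so we retry
  # to make it stable.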
90 | retries: 5 91 | delay: 60 92 | with_items: 93 | - "{{ ad_permanent_users }}" 94 | 95 | - name: 'Configure DNS on vagrant AD' 96 | include_tasks: 'dns.yml' 97 | when: not skip_dns 98 | -------------------------------------------------------------------------------- /src/ansible/roles/ad/tasks/schema.yml: -------------------------------------------------------------------------------- 1 | - name: Copy sudo schema to guest 2 | win_copy: 3 | src: '{{ item }}.schema' 4 | dest: 'C:\{{ item }}.schema' 5 | with_items: 6 | - sudo 7 | 8 | - name: Install additional schemas 9 | win_shell: | 10 | ldifde -i -f C:\{{ item }}.schema -c dc=X {{ ad_suffix }} -b "Administrator" "{{ ad_domain }}" "{{ ansible_password }}" 11 | register: schema 12 | failed_when: schema.rc != 0 and schema.stdout is not search('ENTRY_EXISTS') 13 | changed_when: schema.rc == 0 14 | with_items: 15 | - sudo 16 | -------------------------------------------------------------------------------- /src/ansible/roles/cleanup/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Minimize IPA service container 2 | block: 3 | - name: Stop IPA service 4 | service: 5 | name: ipa.service 6 | state: stopped 7 | 8 | - name: Remove 389ds database to make image smaller 9 | shell: rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.* 10 | when: inventory_hostname in groups["ipa"] or inventory_hostname == 'ipa-devel' 11 | 12 | - name: Minimize LDAP service container 13 | block: 14 | - name: Stop directory service 15 | service: 16 | name: dirsrv@localhost.service 17 | state: stopped 18 | 19 | - name: Remove 389ds database to make image smaller 20 | shell: rm -f /var/lib/dirsrv/slapd-localhost/db/__db.* 21 | when: inventory_hostname == 'master.ldap.test' 22 | 23 | - name: Minimize client service container 24 | block: 25 | - name: Stop SSSD service 26 | service: 27 | name: sssd.service 28 | state: stopped 29 | 30 | - name: Remove SSSD's database and logs 31 | shell: rm -f 
/var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/* 32 | when: inventory_hostname in groups["client"] or inventory_hostname in groups["ipa"] 33 | -------------------------------------------------------------------------------- /src/ansible/roles/client/tasks/enroll_AD.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Set AD facts 3 | set_fact: 4 | ad_domain: "{{ '.'.join(groups.ad.0.split('.')[1:]) }}" 5 | safe_password: "{{ service.ad.safe_password }}" 6 | ad_keytab: /var/enrollment/{{ '.'.join(groups.ad.0.split('.')[1:]) }}.keytab 7 | 8 | - name: Stat {{ ad_keytab }} to detect that we are already joined to AD 9 | stat: 10 | path: "{{ ad_keytab }}" 11 | register: enrollment_ad_1 12 | 13 | - name: Create /etc/krb5.conf for AD join 14 | template: 15 | src: krb5.conf 16 | dest: /etc/krb5.conf 17 | owner: root 18 | group: root 19 | mode: 0644 20 | 21 | - name: Join AD domain 22 | command: realm join {{ ad_domain | quote }} --verbose 23 | args: 24 | stdin: '{{ safe_password }}' 25 | when: not enrollment_ad_1.stat.exists 26 | 27 | - name: Stat {{ ad_keytab }} 28 | stat: 29 | path: "{{ ad_keytab }}" 30 | register: enrollment_ad 31 | 32 | - name: Copy AD keytab to "{{ ad_keytab }}" 33 | copy: 34 | src: /etc/krb5.keytab 35 | dest: "{{ ad_keytab }}" 36 | mode: 0600 37 | remote_src: yes 38 | when: not enrollment_ad.stat.exists 39 | 40 | - name: Cleanup after joining the AD domain 41 | file: 42 | path: '{{ item }}' 43 | state: absent 44 | with_items: 45 | - /etc/krb5.conf 46 | - /etc/krb5.keytab 47 | - /etc/sssd/sssd.conf 48 | -------------------------------------------------------------------------------- /src/ansible/roles/client/tasks/enroll_IPA.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Set ipa facts 3 | set_fact: 4 | ipa_domain: "{{ hostvars[groups.ipa.0]['ipa_domain'] }}" 5 | ipa_password: "{{ hostvars[groups.ipa.0].ansible_password | 
default(service.ipa.password) }}" 6 | ipa_keytab: /var/enrollment/{{ hostvars[groups.ipa.0]['ipa_domain'] }}.keytab 7 | 8 | - name: Run ipa-client-install 9 | shell: | 10 | /usr/sbin/ipa-client-install --unattended --no-ntp \ 11 | --domain {{ ipa_domain | quote }} \ 12 | --principal admin \ 13 | --password {{ ipa_password | quote }} 14 | # Retry to workaround "Unable to find IPA Server to join" failure (fedora-42) 15 | # in PRCI fedora build workflow 16 | retries: 2 17 | delay: 10 18 | args: 19 | creates: /etc/ipa/ca.crt 20 | 21 | - name: Stat {{ ipa_keytab }} 22 | stat: 23 | path: "{{ ipa_keytab }}" 24 | register: enrollment_ipa 25 | 26 | - name: Copy IPA keytab to {{ ipa_keytab }} 27 | copy: 28 | src: /etc/krb5.keytab 29 | dest: "{{ ipa_keytab }}" 30 | mode: 0600 31 | remote_src: yes 32 | when: not enrollment_ipa.stat.exists 33 | 34 | - name: Cleanup after joining the IPA domain 35 | file: 36 | path: '{{ item }}' 37 | state: absent 38 | with_items: 39 | - /etc/krb5.conf 40 | - /etc/krb5.keytab 41 | - /etc/sssd/sssd.conf 42 | 43 | - name: Add ipa to domains 44 | set_fact: 45 | domains: "{{ domains + [ipa_domain] }}" 46 | -------------------------------------------------------------------------------- /src/ansible/roles/client/tasks/enroll_samba.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Set Samba facts 3 | set_fact: 4 | samba_domain: "{{ hostvars[groups.samba.0]['samba_domain'] }}" 5 | samba_password: "{{ hostvars[groups.samba.0].ansible_password | default(service.samba.password) }}" 6 | samba_keytab: /var/enrollment/{{ hostvars[groups.samba.0]['samba_domain'] }}.keytab 7 | 8 | - name: Stat {{ samba_keytab }} to detect that we are already joined 9 | stat: 10 | path: "{{ samba_keytab }}" 11 | register: enrollment_samba_1 12 | 13 | - name: Create /etc/krb5.conf for samba join 14 | template: 15 | src: krb5.conf 16 | dest: /etc/krb5.conf 17 | owner: root 18 | group: root 19 | mode: 0644 20 | 21 | - name: 
Realm join Samba domain 22 | command: realm join {{ samba_domain | quote }} --verbose 23 | args: 24 | stdin: '{{ samba_password }}' 25 | when: not enrollment_samba_1.stat.exists 26 | 27 | - name: Stat {{ samba_keytab }} 28 | stat: 29 | path: "{{ samba_keytab }}" 30 | register: enrollment_samba 31 | 32 | - name: Copy Samba keytab to {{ samba_keytab }} 33 | copy: 34 | src: /etc/krb5.keytab 35 | dest: "{{ samba_keytab }}" 36 | mode: 0600 37 | remote_src: yes 38 | when: not enrollment_samba.stat.exists 39 | 40 | - name: Cleanup after joining the Samba domain 41 | file: 42 | path: '{{ item }}' 43 | state: absent 44 | with_items: 45 | - /etc/krb5.conf 46 | - /etc/krb5.keytab 47 | - /etc/sssd/sssd.conf 48 | 49 | - name: Add samba to domains 50 | set_fact: 51 | domains: "{{ domains + [samba_domain] }}" 52 | -------------------------------------------------------------------------------- /src/ansible/roles/client/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Set facts for client 2 | set_fact: 3 | domains: [] 4 | client_fqdn: "{{ inventory_hostname }}" 5 | 6 | - name: Check if we are running in image mode 7 | stat: 8 | path: /usr/bin/rpm-ostree 9 | register: rpm_ostree 10 | 11 | - name: Create /var/enrollment directory 12 | file: 13 | path: /var/enrollment 14 | state: directory 15 | owner: root 16 | group: root 17 | mode: '0700' 18 | 19 | # Backward compatibility symlink 20 | - name: Create symlink /enrollment to /var/enrollment 21 | ansible.builtin.file: 22 | src: '/var/enrollment' 23 | dest: '/enrollment' 24 | state: link 25 | owner: root 26 | group: root 27 | when: 28 | - not rpm_ostree.stat.exists 29 | 30 | - name: Join IPA domain 31 | ansible.builtin.include_tasks: 32 | file: enroll_IPA.yml 33 | when: 34 | - '"ipa" in groups and groups["ipa"]' 35 | - join_ipa 36 | 37 | - name: Join Samba domain 38 | ansible.builtin.include_tasks: 39 | file: enroll_samba.yml 40 | when: 41 | - '"samba" in groups and 
groups["samba"]' 42 | - join_samba 43 | 44 | - name: Join ldap domain 45 | block: 46 | - name: Add ldap to domains 47 | set_fact: 48 | domains: "{{ domains + [service.ldap.domain] }}" 49 | when: 50 | - '"ldap" in groups and groups["ldap"]' 51 | - join_ldap 52 | 53 | - name: Join AD 54 | ansible.builtin.include_tasks: 55 | file: enroll_AD.yml 56 | when: 57 | - '"ad" in groups and groups["ad"]' 58 | - join_ad 59 | 60 | - name: Stop SSSD 61 | service: 62 | name: sssd.service 63 | enabled: yes 64 | state: stopped 65 | 66 | - name: Create /etc/sssd/sssd.conf 67 | template: 68 | src: sssd.conf 69 | dest: /etc/sssd/sssd.conf 70 | owner: root 71 | group: root 72 | mode: 0600 73 | 74 | - name: Create /etc/krb5.conf 75 | template: 76 | src: krb5.conf 77 | dest: /etc/krb5.conf 78 | owner: root 79 | group: root 80 | mode: 0644 81 | 82 | - name: Set SELinux label for /var/enrollment 83 | shell: | 84 | if selinuxenabled; then 85 | semanage fcontext -a -t etc_t "/var/enrollment(/.*)*" 86 | restorecon -R -v /var/enrollment 87 | else 88 | exit 0 89 | fi 90 | 91 | - name: Show configured domains 92 | debug: 93 | msg: "domains = {{ ', '.join(domains) }}" 94 | -------------------------------------------------------------------------------- /src/ansible/roles/client/templates/krb5.conf: -------------------------------------------------------------------------------- 1 | includedir /etc/krb5.conf.d/ 2 | includedir /var/lib/sss/pubconf/krb5.include.d/ 3 | 4 | [libdefaults] 5 | ticket_lifetime = 24h 6 | forwardable = true 7 | rdns = false 8 | 9 | {% if join_ipa %} 10 | [realms] 11 | {{ ipa_domain | upper }} = { 12 | pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem 13 | pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem 14 | } 15 | {% endif %} 16 | -------------------------------------------------------------------------------- /src/ansible/roles/client/templates/sssd.conf: -------------------------------------------------------------------------------- 1 | [sssd] 2 | 
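services = nss, pam
domains = {{ ", ".join(domains) }}

{% if join_ldap %}
[domain/{{ service.ldap.domain }}]
id_provider = ldap
ldap_uri = _srv_
ldap_tls_reqcert = demand
ldap_tls_cacert = /var/data/certs/ca.crt
dns_discovery_domain = {{ service.ldap.domain }}
use_fully_qualified_names = true
{% endif %}

{% if join_ipa %}
[domain/{{ ipa_domain }}]
id_provider = ipa
access_provider = ipa
ipa_server = _srv_
ipa_domain = {{ ipa_domain }}
ipa_hostname = {{ client_fqdn }}
krb5_keytab = {{ ipa_keytab }}
ldap_krb5_keytab = {{ ipa_keytab }}
use_fully_qualified_names = true
{% endif %}

{% if join_samba %}
[domain/{{ samba_domain }}]
id_provider = ad
access_provider = ad
ad_server = _srv_
ad_domain = {{ samba_domain }}
ad_hostname = {{ client_fqdn }}
krb5_keytab = {{ samba_keytab }}
ldap_krb5_keytab = {{ samba_keytab }}
use_fully_qualified_names = true
{% endif %}

{% if join_ad %}
[domain/{{ ad_domain }}]
id_provider = ad
access_provider = ad
ad_server = _srv_
ad_domain = {{ ad_domain }}
ad_hostname = {{ client_fqdn }}
krb5_keytab = {{ ad_keytab }}
use_fully_qualified_names = true
{% endif %}
--------------------------------------------------------------------------------
/src/ansible/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
# Base setup shared by every host: sudoers, the shared /var/data tree, root
# and regular-user accounts, SSH keys and the test CA.
# The keys and certificates copied here come from the repository's data/
# directory, so every image built from this role carries the same credentials.
# Treat them as public test material, suitable for disposable hosts only.
- name: Set data path
  set_fact:
    data_path: '{{ role_path }}/../../../../data'

- name: Check if we are running in image mode
  stat:
    path: /usr/bin/rpm-ostree
  register: rpm_ostree

- name: Set /usr/bin/python to python3
  alternatives:
    name: python
    link: /usr/bin/python
    path: /usr/bin/python3
  when:
  - not rpm_ostree.stat.exists

# NOTE(review): the file is installed without a syntax check. The template
# module's validate option with visudo could guard against a broken sudoers,
# provided sudo is already installed at this point. Confirm before adding.
- name: Create /etc/sudoers
  template:
    src: sudoers
    dest: /etc/sudoers
    owner: root
    group: root
    mode: 0600

- name: Create /var/data
  file:
    path: '/var/data'
    state: directory
    mode: 0700

# Backward compatibility symlink
- name: Create symlink /data /var/data
  ansible.builtin.file:
    src: '/var/data'
    dest: '/data'
    state: link
    owner: root
    group: root
  when:
  - not rpm_ostree.stat.exists

- name: Copy common data
  synchronize:
    src: '{{ data_path }}/'
    dest: /var/data/

# synchronize rsync option --chown was ignored for some reason
# Order matters: everything becomes 0755 first, then regular files are
# tightened to 0600 (this covers the private keys), then the public
# certificates are reopened to 0644.
# find -exec replaces the original chmod $(find ...) so that file names with
# whitespace and an empty tree are handled correctly.
- name: Set correct permissions on /var/data
  shell: |
    chown -R root:root /var/data
    chmod -R 0755 /var/data
    find /var/data -type f -exec chmod 0600 {} +
    chmod 0644 /var/data/certs/*.crt

- name: Set SELinux label for /var/data
  shell: |
    if selinuxenabled; then
      semanage fcontext -a -t etc_t "/var/data(/.*)*"
      restorecon -R -v /var/data
    else
      exit 0
    fi

# password_hash is called without a salt, so a fresh hash is generated on
# every run and the task always reports a change.
- name: 'Change root password'
  user:
    name: root
    update_password: always
    password: '{{ user.root.password | password_hash("sha512") }}'

- name: 'Create /root/.ssh directory'
  file:
    path: '/root/.ssh'
    state: directory
    mode: 0700

- name: Copy root user ssh keys
  copy:
    src: '{{ data_path }}/ssh-keys/{{ item.src }}'
    dest: '/root/.ssh/{{ item.dest }}'
    owner: 'root'
    group: 'root'
    mode: '0600'
  with_items:
  - { src: 'root.id_rsa', dest: 'id_rsa' }
  - { src: 'root.id_rsa.pub', dest: 'id_rsa.pub' }

# The path is built with ~ instead of nesting {{ }} inside the lookup argument.
- name: Append or create authorized_keys
  lineinfile:
    dest: "/root/.ssh/authorized_keys"
    line: "{{ lookup('file', data_path ~ '/ssh-keys/root.id_rsa.pub') }}"
    create: yes
    state: present
    owner: 'root'
    group: 'root'
    mode: '0600'

- name: 'Create wheel group'
  group:
    name: wheel
    system: yes
    state: present

# Read-only lookup, so it never reports a change.
- name: 'Check if user with uid {{ user.regular.uid }} already exists'
  shell: |
    getent passwd {{ user.regular.uid }} | cut -d ':' -f 1
  register: regular_user_check
  changed_when: false

# Deletes a different account (and its home directory) that already holds the
# wanted uid.
- name: 'Remove regular user with uid {{ user.regular.uid }} to avoid conflicts'
  user:
    name: '{{ regular_user_check.stdout }}'
    state: absent
    remove: yes
    force: yes
  when: regular_user_check.stdout | length > 0 and regular_user_check.stdout != user.regular.name

# The user joins wheel, which the sudoers template grants passwordless sudo.
- name: 'Create {{ user.regular.name }} user'
  user:
    name: '{{ user.regular.name }}'
    uid: '{{ user.regular.uid }}'
    groups: wheel
    append: yes
    shell: /usr/bin/bash
    password: '{{ user.regular.password | password_hash("sha512") }}'

- name: 'Create /home/{{ user.regular.name }}/.ssh directory'
  file:
    path: '/home/{{ user.regular.name }}/.ssh'
    state: directory
    mode: 0700

- name: Copy ci user ssh keys
  copy:
    src: '{{ data_path }}/ssh-keys/{{ item.src }}'
    dest: '/home/{{ user.regular.name }}/.ssh/{{ item.dest }}'
    owner: '{{ user.regular.name }}'
    group: '{{ user.regular.name }}'
    mode: '0600'
  with_items:
  - { src: 'ci.id_rsa', dest: 'id_rsa' }
  - { src: 'ci.id_rsa.pub', dest: 'authorized_keys' }
  - { src: 'ci.id_rsa.pub', dest: 'id_rsa.pub' }

# Adds the test CA to the system trust store. Its private key (ca.key) is part
# of the same data/ tree, so the CA only suits test hosts.
- name: Copy CA certificate to local pki anchors
  copy:
    src: /var/data/certs/ca.crt
    dest: "{{ ca_trust_dir }}"
    remote_src: yes

- name: Update system CA trusts to pick up new certificate
  command: "{{ ca_trust_update }}"
--------------------------------------------------------------------------------
/src/ansible/roles/common/templates/sudoers:
--------------------------------------------------------------------------------
Defaults !visiblepw
Defaults always_set_home
Defaults match_group_by_gid

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Members of wheel may run any command as any user without a password.
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
--------------------------------------------------------------------------------
/src/ansible/roles/dns/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Gather facts
  ansible.builtin.setup:

- name: Add fqdn and short hostname to /etc/hosts
  ansible.builtin.lineinfile:
    line: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} \
           {{ inventory_hostname }} {{ inventory_hostname.split('.')[0] }}"
    path: /etc/hosts
  when: ansible_os_family != "Windows"
  become: true

- name: Setup dns (on dns machine)
  block:
    - name: Install dnsmasq package
      ansible.builtin.package:
        name:
          - dnsmasq
        state: present

    - name: Place dnsmasq config
      ansible.builtin.template:
        src: etc.dnsmasq.conf.j2
        dest: /etc/dnsmasq.conf
        owner: root
        group: root
        mode: 0600
      register: config

    # Prints the rendered configuration into the play output.
    - name: Show dnsmasq templating results
      ansible.builtin.debug:
        msg: "{{ lookup('ansible.builtin.template', 'etc.dnsmasq.conf.j2') }}"

    - name: Gather the package facts
      ansible.builtin.package_facts:

    - name: Create dnsmasq.service.d if needed
      ansible.builtin.file:
        path: /etc/systemd/system/dnsmasq.service.d/
        state: directory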
        recurse: yes
        owner: root
        group: root

    # Drop-in for dnsmasq.service: systemd-resolved is stopped before dnsmasq
    # starts and started again afterwards.
    - name: Force dnsmasq before systemd-resolved
      copy:
        content: |
          [Unit]
          After=systemd-resolved.service
          [Service]
          ExecStartPre=/usr/bin/systemctl stop systemd-resolved.service
          ExecStartPost=/usr/bin/systemctl start systemd-resolved.service
        dest: /etc/systemd/system/dnsmasq.service.d/resolved-fix.conf
        owner: root
        group: root
        mode: '0644'
      when: "'systemd-resolved' in ansible_facts.packages"

    - name: Restart systemd-resolved (if present)
      ansible.builtin.systemd_service:
        name: systemd-resolved
        daemon_reload: true
        state: restarted
      when: "'systemd-resolved' in ansible_facts.packages"

    - name: Restart dnsmasq service
      ansible.builtin.systemd_service:
        name: dnsmasq
        enabled: true
        daemon_reload: true
        state: restarted

  # The whole block runs only on hosts in the dns group.
  when: "'dns' in group_names"
  become: true
--------------------------------------------------------------------------------
/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2:
--------------------------------------------------------------------------------
# This config is specific to downstream ci and does not
# handle multiple AD DCs and other setups yet.
# TODO: Add group DNS_SERVER that will contain all machines running dns to add them
# as servers here like master.ipa.test dc.samba.test and ad.
# dnsmasq config
listen-address=::1,127.0.0.53,127.0.0.1,{{ hostvars['dns.test']['ansible_facts']['default_ipv4']['address'] }}
log-queries
log-facility=-
local=/test/
domain=test

# Disable caching so we always query AD and IPA DNS
cache-size=0

# These zones have their own DNS server
{% for host in groups['ipa'] %}
server=/{{ '.'.join(hostvars[host].inventory_hostname.split('.')[1:]) }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
{% endfor %}
{% if 'dc.samba.test' in hostvars %}
server=/samba.test/{{ hostvars['dc.samba.test']['ansible_facts']['default_ipv4']['address'] }}
{% endif %}
{% if 'dc.ad.test' in hostvars %}
server=/ad.test/{{ hostvars['dc.ad.test']['ansible_facts']['ip_addresses'][0] }}
{% elif 'ad' in groups and groups['ad'] %}
{% for ad in groups['ad'] %}
server=/{{ hostvars[ad]['ansible_facts']['windows_domain'] }}/{{ hostvars[ad]['ansible_facts']['ip_addresses'][0] }}
{% endfor %}
{% endif %}

{% if 'master.ipa.test' in hostvars %}
# Add reverse zones for artificial hosts in IPA domain
server=/251.255.10.in-addr.arpa/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
{% endif %}

# Add SRV record for LDAP
{% if 'master.ldap.test' in hostvars %}
srv-host=_ldap._tcp.ldap.test,master.ldap.test,389
{% endif %}

# All hosts A record
{% for host in groups['all'] %}
{% if hostvars[host].ansible_system == 'Linux' %}
address=/{{ host }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
{% elif hostvars[host].ansible_system == 'Win32NT' %}
address=/{{ host }}/{{ hostvars[host]['ansible_facts']['ip_addresses'][0] }}
{% endif %}
{% endfor %}

# All hosts PTR records
{% for host in groups['all'] %}
{% if hostvars[host].ansible_system == 'Linux' %}
ptr-record={{ hostvars[host]['ansible_facts']['default_ipv4']['address'].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
{% elif hostvars[host].ansible_system == 'Win32NT' %}
ptr-record={{ hostvars[host]['ansible_facts']['ip_addresses'][0].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/CentOS10.yml:
--------------------------------------------------------------------------------
# Starts from the Fedora facts, then overrides the values that differ.
- name: 'Facts are the same as in Fedora'
  include_tasks: 'Fedora.yml'

- name: Set distribution specific facts
  set_fact:
    buildroot: Yes
    passkey_support: Yes
    virt_smartcard: No
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/CentOS8.yml:
--------------------------------------------------------------------------------
- name: 'Facts are the same as in Fedora'
  include_tasks: 'Fedora.yml'

- name: Set distribution specific facts
  set_fact:
    passkey_support: No
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/CentOS9.yml:
--------------------------------------------------------------------------------
- name: 'Facts are the same as in Fedora'
  include_tasks: 'Fedora.yml'

- name: Set distribution specific facts
  set_fact:
    passkey_support: Yes
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/Debian.yml:
--------------------------------------------------------------------------------
# ca_trust_dir and ca_trust_update are used by the common role to install the
# test CA certificate.
# NOTE(review): update-ca-certificates normally builds the bundle from
# /usr/share/ca-certificates and /usr/local/share/ca-certificates; confirm
# that a certificate copied straight into /etc/ssl/certs ends up trusted as
# intended. The same values are set in Ubuntu.yml.
- name: Set distribution specific facts
  set_fact:
    systemd:
      services:
        kadmin: krb5-admin-server.service
        krb5kdc: krb5-kdc.service
        sshd: ssh.service
    passkey_support: No
    ca_trust_dir: /etc/ssl/certs
    ca_trust_update: update-ca-certificates
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/Fedora.yml:
--------------------------------------------------------------------------------
# Service unit names, feature switches and CA trust locations for Fedora.
- name: Set distribution specific facts
  set_fact:
    systemd:
      services:
        kadmin: kadmin.service
        krb5kdc: krb5kdc.service
        sshd: sshd.service
    buildroot: yes
    debuginfo: yes
    passkey_support: Yes
    ipa: '{{ freeipa_packages }}'
    ca_trust_dir: /etc/pki/ca-trust/source/anchors/
    ca_trust_update: update-ca-trust
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/RedHat.yml:
--------------------------------------------------------------------------------
# Includes the first CentOS facts file that distro_includes finds for this
# major version, then applies the RHEL-specific overrides.
- name: 'Facts are the same as in CentOS {{ ansible_distribution_major_version }}'
  include_tasks: '{{ include_centos }}'
  loop_control:
    loop_var: include_centos
  with_first_found:
  - files: '{{ "CentOS" | distro_includes(ansible_distribution_major_version) }}'

- name: Set distribution specific facts
  set_fact:
    buildroot: no
    debuginfo: no
    ipa: '{{ ipa_packages }}'

- name: Set distribution specific facts for RHEL 7
  set_fact:
    passkey_support: No
  when: ansible_distribution_major_version == '7'
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
# Same unit names and CA trust settings as Debian.yml, with passkey support on.
- name: Set distribution specific facts
  set_fact:
    systemd:
      services:
        kadmin: krb5-admin-server.service
        krb5kdc: krb5-kdc.service
        sshd: ssh.service
    passkey_support: Yes
    ca_trust_dir: /etc/ssl/certs
    ca_trust_update: update-ca-certificates
--------------------------------------------------------------------------------
/src/ansible/roles/facts/tasks/main.yml:
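--------------------------------------------------------------------------------
# Includes the first facts file that distro_includes finds for this
# distribution and major version.
- name: 'Include distribution specific tasks [{{ ansible_distribution }} {{ ansible_distribution_major_version }}]'
  include_tasks: '{{ include_file }}'
  loop_control:
    loop_var: include_file
  with_first_found:
  - files: '{{ ansible_distribution | distro_includes(ansible_distribution_major_version) }}'
--------------------------------------------------------------------------------
/src/ansible/roles/firewall/tasks/main.yml:
--------------------------------------------------------------------------------
# Workaround for image mode where firewalld goes haywire after installation
- name: Reload dbus service
  ansible.builtin.systemd_service:
    name: dbus
    state: reloaded

- name: Start firewalld
  ansible.builtin.systemd_service:
    name: firewalld
    enabled: yes
    state: restarted

# firewalld's trusted zone accepts all incoming connections, so after this
# task the firewall is running but filters nothing by default. Acceptable only
# on an isolated test network.
- name: Set default firewalld zone to trusted
  command: firewall-cmd --set-default-zone=trusted
--------------------------------------------------------------------------------
/src/ansible/roles/ipasmartcard/defaults/main.yml:
--------------------------------------------------------------------------------
ipa_ca_path: /root/ipa.crt
sssd_ca_path: /etc/pki/ca-trust/source/anchors/ca.crt
ipa_password: "{{ hostvars[groups.ipa.0].ansible_password | default(service.ipa.password) }}"
ipa_domain: "{{ hostvars[groups.ipa.0].ipa_domain | default(service.ipa.domain) }}"
--------------------------------------------------------------------------------
/src/ansible/roles/ipasmartcard/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Make sure virtual smartcard dir exists
  file:
    path: "{{ virt_smartcard_dir }}"
    state: directory

# Server side: runs only on the first host of the ipa group.
- block:
  # kinit reads the admin password from stdin, so it is not placed on the
  # command line. The generated script is then executed as-is with sh -x.
  - name: Run IPA advise script for server setup for smart cards
    shell: |
      kinit admin@{{ ipa_domain.upper() }}
      ipa-advise config-server-for-smart-card-auth > {{ virt_smartcard_dir }}/sc_server.sh
      sh -x {{ virt_smartcard_dir }}/sc_server.sh {{ sssd_ca_path }} {{ ipa_ca_path }}
    args:
      stdin: '{{ ipa_password }}'
    register: ipa_advise_sc_server

  # Rewrites a line ending in "SSLOCSPEnable on" so that it carries the
  # no_ocsp_for_cert_ok flag.
  # NOTE(review): this relaxes OCSP validation in the web server; confirm the
  # exact effect against the mod_ssl documentation and keep it to test setups.
  - name: Workaround to disable IPA WebUI OCSP checking
    lineinfile:
      path: /etc/httpd/conf.d/ssl.conf
      regexp: 'SSLOCSPEnable on\s*$'
      line: 'SSLOCSPEnable on no_ocsp_for_cert_ok'

  - name: Restart httpd service
    ansible.builtin.systemd_service:
      name: httpd
      state: restarted
  when: inventory_hostname == groups.ipa.0

# Client side: runs only on the first client host, when IPA and the virtual
# smart card are both enabled.
- block:
  # Read-only query on the IPA server, so it never reports a change.
  - name: Get IPA advise script for client setup for smart cards from IPA server
    command: ipa-advise config-client-for-smart-card-auth
    delegate_to: "{{ groups.ipa.0 }}"
    register: ipa_advise_sc_client_script
    changed_when: false

  - name: Write advise script to sc_client.sh
    copy:
      content: "{{ ipa_advise_sc_client_script.stdout }}"
      dest: "{{ virt_smartcard_dir }}/sc_client.sh"

  # Read-only; the path duplicates the ipa_ca_path default.
  # NOTE(review): confirm the two are meant to stay in sync.
  - name: Get IPA CA certificate from IPA server
    command: cat /root/ipa.crt
    delegate_to: "{{ groups.ipa.0 }}"
    register: ipa_ca_cert
    changed_when: false

  - name: Write IPA CA certificate to /root/ipa.crt
    copy:
      content: "{{ ipa_ca_cert.stdout }}"
      dest: /root/ipa.crt

  # Temporarily exposes the saved IPA keytab at the default location; the link
  # is removed again at the end of this block.
  - name: Add krb5.keytab link for IPA client
    file:
      src: /var/enrollment/{{ ipa_domain }}.keytab
      dest: /etc/krb5.keytab
      state: link

  - name: Run IPA advise script on client
    shell: |
      kinit admin@{{ ipa_domain.upper() }}
      sh -x {{ virt_smartcard_dir }}/sc_client.sh {{ sssd_ca_path }} {{ ipa_ca_path }}
    args:
      stdin: "{{ ipa_password }}"
    register: ipa_advise_sc_client

  - name: Remove krb5.keytab link from IPA client
    file:
      path: /etc/krb5.keytab
      state: absent
  when:
  - inventory_hostname == groups.client.0
  - join_ipa
  - virt_smartcard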
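--------------------------------------------------------------------------------
/src/ansible/roles/kdc/tasks/main.yml:
--------------------------------------------------------------------------------
- name: 'Create /etc/krb5.conf.d directory'
  file:
    path: '/etc/krb5.conf.d'
    state: directory
    mode: '0755'

- name: Create krb5.conf
  template:
    src: krb5.conf
    dest: /etc/krb5.conf
    owner: root
    group: root
    mode: '0644'

# kdb5_util takes the master password with -P, so it sits on the command
# line while the process runs and is visible in local process listings.
# no_log keeps it out of Ansible's own output and logs; lift it temporarily
# when debugging. "creates" makes the task a no-op once the database exists.
- name: Create Kerberos database
  shell: |
    /usr/sbin/kdb5_util -P "{{ service.kdc.master_password }}" create -s
  args:
    creates: "/var/kerberos/krb5kdc/principal"
  no_log: true

- name: Start Kerberos services
  service:
    name: '{{ item }}'
    enabled: yes
    state: started
  with_items:
  - '{{ systemd.services.kadmin }}'
  - '{{ systemd.services.krb5kdc }}'

--------------------------------------------------------------------------------
/src/ansible/roles/kdc/templates/krb5.conf:
--------------------------------------------------------------------------------
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = {{ service.kdc.realm }}
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[realms]
{{ service.kdc.realm }} = {
  kdc = {{ service.kdc.fqn }}:88
  admin_server = {{ service.kdc.fqn }}:749
  max_renewable_life = 14d
}

[domain_realm]
.{{ service.kdc.domain }} = {{ service.kdc.realm }}
{{ service.kdc.domain }} = {{ service.kdc.realm }}

--------------------------------------------------------------------------------
/src/ansible/roles/keycloak/defaults/main.yml:
--------------------------------------------------------------------------------
# Release download prefix; the tag and archive name are appended by the tasks.
base_url: https://github.com/keycloak/keycloak/releases/download

--------------------------------------------------------------------------------
/src/ansible/roles/keycloak/tasks/main.yml:
--------------------------------------------------------------------------------
# NOTE(review): the image always installs whatever GitHub reports as the
# latest release, and the archive is not checked against a known digest.
# Pinning a version and verifying a checksum recorded in this repository
# would make builds reproducible and catch a tampered or truncated download.
#
# The lookup fails the play when the API answers with an error document
# (jq then prints "null") or with nothing at all, instead of building a
# ".../null/keycloak-null.tar.gz" URL.
- name: Get Keycloak latest version info
  shell: curl -fL https://api.github.com/repos/keycloak/keycloak/releases/latest | jq -r '.tag_name'
  register: result
  changed_when: false
  failed_when: result.rc != 0 or (result.stdout | trim) in ['', 'null']

- name: Set keycloak_url fact
  set_fact:
    keycloak_url: "{{ base_url }}/{{ result.stdout }}/keycloak-{{ result.stdout }}.tar.gz"

- name: Print keycloak_url
  debug:
    msg: "keycloak_url={{ keycloak_url }}"

- name: Create Keycloak user/group
  user:
    name: keycloak
    home: /opt/keycloak
    system: yes
    create_home: yes

# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page as the archive.
- name: Download software zipfile
  command: curl -fL {{ keycloak_url }} -o /tmp/keycloak.tgz

- name: Unzip software
  unarchive:
    remote_src: yes
    src: /tmp/keycloak.tgz
    dest: /opt/keycloak
    owner: keycloak
    group: keycloak
    extra_opts:
    - --strip-components=1

# NOTE(review): despite its name this task changes the mode, not the owner,
# and 0644 leaves the TLS private key readable by every local user.
# Presumably this is so the keycloak account can read it; owner keycloak
# with mode 0600 would be tighter if the certs volume allows a chown
# (confirm against how /var/data is mounted).
- name: Change ownership of files in /var/data/certs
  file:
    path: /var/data/certs/master.keycloak.test.key
    mode: '0644'

# The store password is passed on the command line (visible in process
# listings while keytool runs); it is shell-quoted so special characters
# cannot break or extend the command, and no_log keeps it out of Ansible
# output.
- name: Add CA certificate to keystore
  shell: |
    keytool -noprompt -import \
      -keystore /var/data/certs/master.keycloak.test.keystore \
      -file /var/data/certs/ca.crt \
      -alias ca.crt \
      -trustcacerts -storepass {{ service.keycloak.admin_password | quote }}
  args:
    creates: /var/data/certs/master.keycloak.test.keystore
  no_log: true

# Import only when the alias is not in the store yet, so a second run of
# the role does not fail on "alias already exists".
- name: Add Keycloak certificate to keystore
  shell: |
    keytool -list \
      -keystore /var/data/certs/master.keycloak.test.keystore \
      -alias master.keycloak.test.crt \
      -storepass {{ service.keycloak.admin_password | quote }} >/dev/null 2>&1 \
    || keytool -noprompt -import \
      -keystore /var/data/certs/master.keycloak.test.keystore \
      -file /var/data/certs/master.keycloak.test.crt \
      -alias master.keycloak.test.crt \
      -trustcacerts -storepass {{ service.keycloak.admin_password | quote }}
  no_log: true

# The admin password doubles as the trust store password and is exported
# inside the su command string, so the task output is suppressed.
- name: Run build step for Keycloak
  shell: |
    su - keycloak -c '''
    export KEYCLOAK_ADMIN=admin
    export KEYCLOAK_ADMIN_PASSWORD={{ service.keycloak.admin_password }}
    export KC_HOSTNAME=$(hostname):8443
    export KC_HTTPS_CERTIFICATE_FILE=/var/data/certs/master.keycloak.test.crt
    export KC_HTTPS_CERTIFICATE_KEY_FILE=/var/data/certs/master.keycloak.test.key
    export KC_HTTPS_TRUST_STORE_FILE=/var/data/certs/master.keycloak.test.keystore
    export KC_HTTPS_TRUST_STORE_PASSWORD={{ service.keycloak.admin_password }}
    export KC_HTTPS_TRUST_STORE_TYPE=JKS
    export KC_HTTP_RELATIVE_PATH=/auth
    /opt/keycloak/bin/kc.sh build
    '''
  no_log: true

# The env file holds the admin and trust store passwords in clear text, so
# it is written root-only. systemd reads EnvironmentFile itself before the
# service drops to the keycloak user, so the service does not need read
# access to it.
- name: Create Keycloak service env file
  copy:
    content: |
      KEYCLOAK_ADMIN=admin
      KEYCLOAK_ADMIN_PASSWORD={{ service.keycloak.admin_password }}
      KC_HOSTNAME={{ inventory_hostname }}
      KC_HTTPS_CERTIFICATE_FILE=/var/data/certs/master.keycloak.test.crt
      KC_HTTPS_CERTIFICATE_KEY_FILE=/var/data/certs/master.keycloak.test.key
      KC_HTTPS_TRUST_STORE_FILE=/var/data/certs/master.keycloak.test.keystore
      KC_HTTPS_TRUST_STORE_PASSWORD={{ service.keycloak.admin_password }}
      KC_HTTPS_TRUST_STORE_TYPE=JKS
      KC_HTTP_RELATIVE_PATH=/auth
    dest: /etc/keycloak.env
    owner: root
    group: root
    mode: '0600'
  no_log: true

- name: Create systemd Keycloak service file
  copy:
    content: |
      [Unit]
      Description=Keycloak Server
      After=network.target

      [Service]
      Type=idle
      EnvironmentFile=/etc/keycloak.env

      User=keycloak
      Group=keycloak
      ExecStart=/opt/keycloak/bin/kc.sh start
      TimeoutStartSec=600
      TimeoutStopSec=600

      [Install]
      WantedBy=multi-user.target
    dest: /etc/systemd/system/keycloak.service

- name: Reload systemd to pickup changes added for Keycloak
  systemd:
    daemon_reload: yes

- name: Enable Keycloak service
  systemd:
    name: keycloak
    enabled: yes
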
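--------------------------------------------------------------------------------
/src/ansible/roles/ldap/tasks/main.yml:
--------------------------------------------------------------------------------
# The rendered answer file contains the directory manager password, hence
# root-only permissions. NOTE(review): it is left on disk after the
# instance has been created.
- name: Create /root/localhost.inf
  template:
    src: instance.inf
    dest: /root/localhost.inf
    owner: root
    group: root
    mode: '0600'

- name: Create directory server instance
  shell: |
    dscreate from-file /root/localhost.inf
  args:
    creates: '/etc/dirsrv/slapd-localhost'

- name: Install ldap certificate
  shell: |
    dsconf localhost security ca-certificate add --file /var/data/certs/ca.crt --name "sssd-ca"
    dsconf localhost security ca-certificate set-trust-flags "sssd-ca" --flags "CT,,"
    dsctl localhost tls import-server-key-cert /var/data/certs/master.ldap.test.crt /var/data/certs/master.ldap.test.key

# NOTE(review): targetattr=* combined with userdn "anyone" makes every
# attribute under the suffix readable without authentication, which appears
# to include password hashes. Fine for a throwaway lab directory; anywhere
# else the ACI should list the attributes it exposes.
# The bind password is given with -w on the command line (visible in
# process listings); no_log keeps it out of Ansible output.
- name: Grant read-only anonymous access
  shell: |
    ldapmodify -D "{{ service.ldap.bind.dn }}" -w "{{ service.ldap.bind.password }}" -H ldap://localhost -x
  args:
    stdin: |
      dn: {{ service.ldap.suffix }}
      changetype: modify
      add: aci
      aci: (targetattr=*)(version 3.0; acl "Enable anyone read"; allow (read, search, compare)(userdn="ldap:///anyone");)
  register: ldapmod
  failed_when:
  - 'ldapmod.rc != 0 and "ldap_modify: Type or value exists" not in ldapmod.stderr'
  no_log: true

# Same tolerance as the ACI task above: a re-run where the schema elements
# are already present is not treated as a failure.
- name: 'Install additional schema: passkey'
  shell: |
    ldapmodify -D "{{ service.ldap.bind.dn }}" -w "{{ service.ldap.bind.password }}" -H ldap://localhost -x
  args:
    stdin: |
      dn: cn=schema
      changetype: modify
      add: attributeTypes
      attributeTypes: ( 2.16.840.1.113730.3.8.24.27 NAME 'passkey' DESC 'Passkey mapping' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
      -
      add: objectclasses
      objectclasses: ( 2.16.840.1.113730.3.8.24.9 NAME 'passkeyUser' DESC 'IPA passkey user' AUXILIARY MAY passkey)
  register: ldapschema
  failed_when:
  - 'ldapschema.rc != 0 and "ldap_modify: Type or value exists" not in ldapschema.stderr'
  no_log: true

- name: Restart LDAP service
  service:
    name: dirsrv@localhost.service
    enabled: yes
    state: restarted

--------------------------------------------------------------------------------
/src/ansible/roles/ldap/templates/instance.inf:
--------------------------------------------------------------------------------
[general]
config_version = 2
full_machine_name = {{ service.ldap.fqn }}

[slapd]
instance_name = localhost
root_dn = {{ service.ldap.bind.dn }}
root_password = {{ service.ldap.bind.password }}

[backend-userroot]
suffix = {{ service.ldap.suffix }}
create_suffix_entry = True

--------------------------------------------------------------------------------
/src/ansible/roles/nfs/tasks/main.yml:
--------------------------------------------------------------------------------
- name: Start NFS services
  service:
    name: '{{ item }}.service'
    enabled: yes
    state: started
  with_items:
  - nfs-server
  - rpcbind

--------------------------------------------------------------------------------
/src/ansible/roles/no_nscd/tasks/main.yml:
--------------------------------------------------------------------------------
# nscd is stopped and disabled wherever its units exist.
- name: Populate service facts
  service_facts:

- name: Disable nscd.service
  service:
    name: nscd.service
    enabled: no
    state: stopped
  when: "ansible_facts.services['nscd.service'] is defined"

- name: Disable nscd.socket
  service:
    name: nscd.socket
    enabled: no
    state: stopped
  when: "ansible_facts.services['nscd.socket'] is defined"


--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/CentOS10.yml:
--------------------------------------------------------------------------------
# NOTE(review): the "repo" template used here writes gpgcheck=0, so packages
# from the buildroot repository are installed without signature
# verification; transport security (https) is the only protection.
- name: Install buildroot repository
  block:
  - name: Install dnf plugins
    dnf:
      state: present
      name:
      - dnf-plugins-core

  - name: Install buildroot
    template:
      src: repo
      dest: '/etc/yum.repos.d/{{ item.name }}.repo'
      owner: root
      group: root
      mode: '0644'
    with_items:
    - {name: 'buildroot', url: 'https://kojihub.stream.centos.org/kojifiles/repos/c10s-build/latest/$basearch'}
  when: buildroot

- name: 'Packages are the same as in Fedora'
  include_tasks: 'Fedora.yml'
--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/CentOS8.yml:
--------------------------------------------------------------------------------
# The "repo" template writes gpgcheck=0, so these repositories are not
# signature-checked. The crb repository is therefore fetched over https
# rather than plain http: without signatures an on-path attacker could
# otherwise substitute packages.
- name: Install buildroot repository
  block:
  - name: Install dnf plugins
    dnf:
      state: present
      name:
      - dnf-plugins-core

  - name: Install additional repos
    template:
      src: repo
      dest: '/etc/yum.repos.d/{{ item.name }}.repo'
      owner: root
      group: root
      mode: '0644'
    with_items:
    - {name: 'buildroot', url: 'https://kojihub.stream.centos.org/kojifiles/repos/c8s-build/latest/$basearch'}
    - {name: 'crb', url: 'https://vault.centos.org/centos/8-stream/PowerTools/$basearch/os/'}
  when: buildroot

- name: Install EPEL repository
  dnf:
    state: present
    name:
    - epel-release

- name: Enable IdM module
  shell: |
    dnf module enable -y idm:DL1
  when: "'base_ground' in group_names"

- name: 'Packages are the same as in Fedora'
  include_tasks: 'Fedora.yml'
--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/CentOS9.yml:
--------------------------------------------------------------------------------
# NOTE(review): the "repo" template writes gpgcheck=0 for the buildroot
# repository; see the EPEL task below for the signed alternative.
- name: Install buildroot repository
  block:
  - name: Install dnf plugins
    dnf:
      state: present
      name:
      - dnf-plugins-core

  - name: Install buildroot
    template:
      src: repo
      dest: '/etc/yum.repos.d/{{ item.name }}.repo'
      owner: root
      group: root
      mode: '0644'
    with_items:
    - {name: 'buildroot', url: 'https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/$basearch'}
  when: buildroot

# The EPEL signing key is imported first, so the epel-release package is
# installed with signature verification.
- name: Install EPEL and @sssd/ci-deps repositories
  shell: |
    set -ex
    rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
    dnf install --setopt=install_weak_deps=False -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
  when: "'base_ground' in group_names"

- name: 'Packages are the same as in Fedora'
  include_tasks: 'Fedora.yml'
--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/Debian.yml:
--------------------------------------------------------------------------------
- name: Install packages for ground base image
  block:
  - name: Install systemd and common tools
    apt:
      state: present
      update_cache: yes
      name:
      - bash-completion
      - bind9utils
      - dbus
      - e2fsprogs
      - expect
      - findutils
      - firewalld
      - gdb
      - gdbserver
      - git
      - iproute2
      - iputils-*
      - ldap-utils
      - ldb-tools
      - less
      - man
      - mc
      - net-tools
      - openssh-client
      - openssh-server
      - passwd
      - python3-pip
      - rsync
      - sudo
      - systemd
      - tcpdump
      - tig
      - tmux
      - tshark
      - vim
      - wget
  when: "'base_ground' in group_names"

# This block carries no "when", so the backports source is written on every
# Debian host. NOTE(review): the suite name is fixed to bullseye regardless
# of the release actually installed — confirm that is intended. The http
# transport is acceptable here because apt verifies the signed release
# metadata.
- name: Enable backports repo to install freeipa
  block:
  - name: Enable backports repo
    copy:
      dest: /etc/apt/sources.list.d/backports.list
      content: "deb http://deb.debian.org/debian bullseye-backports main"
      owner: root
      group: root
      mode: '0644'

- name: Install packages for client base image
  block:
  - name: Install SSSD and its dependencies
    apt:
      state: present
      update_cache: yes
      name:
      - adcli
      - freeipa-client
      - nfs-common
      - nslcd
      - packagekit
      - realmd
      - slapd
      - sssd
      - sssd-*
  - name: Install test dependencies on client
    apt:
      state: present
      update_cache: yes
      name:
      - augeas-tools
      - binutils
  when: "'base_client' in group_names or 'client' in group_names"

- name: Install packages for NFS base image
  block:
  - name: Install NFS
    apt:
      state: present
      update_cache: yes
      name:
      - nfs-kernel-server
  when: "'base_nfs' in group_names or 'nfs' in group_names"

- name: Install packages for KDC base image
  block:
  - name: Install KDC
    apt:
      state: present
      update_cache: yes
      name:
      - krb5-admin-server
      - krb5-config
      - krb5-kdc
  when: "'base_kdc' in group_names or 'kdc' in group_names"

- name: Install packages for Keycloak base image
  block:
  - name: Install ca-certificates-java first to avoid dep issues
    apt:
      state: present
      update_cache: yes
      name:
      - ca-certificates-java
  - name: Install Keycloak dependencies
    apt:
      state: present
      update_cache: yes
      name:
      - openssl
      - unzip
      - ca-certificates
      - openjdk-17-jre-headless
      - curl
      - jq
  when: "'base_keycloak' in group_names"

- name: Install additional packages for client development image
  block:
  - name: Install SSSD build and integration tests dependencies
    apt:
      state: present
      update_cache: yes
      name:
      - adcli
      - autoconf
      - automake
      - autopoint
      - check
      - cifs-utils
      - clang
      - dh-apparmor
      - dnsutils
      - docbook-xml
      - docbook-xsl
      - fakeroot
      - faketime
      - gettext
      - gnutls-bin
      - krb5-admin-server
      - krb5-config
      - krb5-kdc
      - krb5-user
      - lcov
      - libc-ares-dev
      - libcmocka-dev
      - libcollection-dev
      - libcurl4-openssl-dev
      - libdbus-1-dev
      - libdhash-dev
      - libglib2.0-dev
      - libini-config-dev
      - libjansson-dev
      - libkeyutils-dev
      - libkrad-dev
      - libkrb5-dev
      - libldap2-dev
      - libldb-dev
      - libltdl-dev
      - libnfsidmap-dev
      - libnl-3-dev
      - libnl-route-3-dev
      - libnspr4-dev
      - libnss-wrapper
      - libnss3-dev
      - libp11-kit-dev
      - libpam-wrapper
      - libpam0g-dev
      - libpcre2-dev
      - libpcre3-dev
      - libpopt-dev
      - libsasl2-dev
      - libselinux1-dev
      - libsemanage-dev
      - libsmbclient-dev
      - libssl-dev
      - libssl-dev
      - libsystemd-dev
      - libtalloc-dev
      - libtdb-dev
      - libtevent-dev
      - libtool
      - libtool-bin
      - libuid-wrapper
      - libunistring-dev
      - libxml2-utils
      - lsb-release
      - make
      - packagekit
      - python3-dbus
      - python3-dev
      - python3-ldap
      - python3-ldb
      - python3-psutil
      - python3-pycodestyle
      - python3-pytest
      - python3-requests
      - samba-dev
      - softhsm2
      - uuid-dev
      - valgrind
      - xml-core
      - xsltproc

  - name: Install additional python packages
    apt:
      state: present
      update_cache: yes
      name:
      - python3-flaky
  when: "'client_devel' in group_names"

--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/RedHat-rpm-ostree.yml:
--------------------------------------------------------------------------------
# NOTE(review): ignore_errors lets the play continue past any rpm-ostree
# failure, so the failed_when filter below only changes how the result is
# reported. If only "is already requested" is meant to be tolerated,
# ignore_errors should go; the check task further down is what actually
# catches a missing sssd package.
- name: Install minimal set of client packages on rpm-ostree
  command: rpm-ostree install --idempotent --apply-live {{ item }} -y
  with_items:
  - bind-utils
  - expect
  - firewalld
  - iproute
  - iproute-tc
  - net-tools
  - openldap-clients
  - openssh-clients
  - openssh-server
  - policycoreutils
  - policycoreutils-python-utils
  - python3-pip
  - sudo
  - rsync
  - autofs
  - augeas
  - krb5-workstation
  - '{{ ipa.client }}'
  - oddjob
  - oddjob-mkhomedir
  - ldb-tools
  - net-tools
  - tcpdump
  - wireshark-cli
  - binutils
  ignore_errors: yes
  register: inst
  failed_when:
  - 'inst.rc != 0 and "is already requested" not in inst.stderr'
  when:
  - "'base_client' in group_names or 'client' in group_names"

# The ansible.posix.rhel_rpm_ostree can only check
# for presence but can not install anything
- name: Check sssd packages that should be present and fail when they are missing
  ansible.posix.rhel_rpm_ostree:
    name:
    - adcli
    - authselect
    - realmd
    - sssd-idp
    - sssd-client
    - sssd-nfs-idmap
    - sssd-client
    - sssd-common
    - sssd-krb5-common
    - sssd-common-pac
    - sssd-ad
    - sssd-ipa
    - sssd-krb5
    - sssd-ldap
    - sssd-dbus
    - python3-sssdconfig
    - sssd-proxy
    - python3-sss
    - sssd-tools
    - sssd
    - sssd-kcm
    - sssd-idp
    - sssd-passkey
    state: present

# If realmd was installed after polkit it needs to be restarted
- name: Restart polkit
  ansible.builtin.systemd_service:
    name: polkit
    enabled: yes
    state: restarted

- name: Restart realmd
  ansible.builtin.systemd_service:
    name: realmd
    enabled: yes
    state: restarted

--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/RedHat8.yml:
--------------------------------------------------------------------------------
- name: Enable idm module
  command: yum module enable idm:DL1 -y
  when: ansible_distribution_major_version == '8'

# The EPEL signing key is imported before epel-release is installed, the
# same way CentOS9.yml does it, so the package signature is verified
# instead of being skipped with disable_gpg_check.
- name: Import EPEL signing key
  ansible.builtin.rpm_key:
    key: 'https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}'
    state: present
  when: extended_packageset

- name: Install EPEL repository
  dnf:
    state: present
    name: 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm'
  when: extended_packageset

- name: 'Packages are the same as in Fedora'
  include_tasks: 'Fedora.yml'

--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
- name: Install packages for ground base image
  block:
  - name: Install systemd and common tools
    apt:
      state: present
      update_cache: yes
      name:
      - bash-completion
      - bind9utils
      - dbus
      - e2fsprogs
      - expect
      - findutils
      - firewalld
      - gdb
      - gdbserver
      - git
      - iproute2
      - iputils-*
      - ldap-utils
      - ldb-tools
      - less
      - man
      - mc
      - net-tools
      - openssh-client
      - openssh-server
      - passwd
      - python3-pip
      - rsync
      - sudo
      - systemd
      - tcpdump
      - tig
      - tmux
      - tshark
      - vim
      - wget
  when: "'base_ground' in group_names"

# Unlike Debian.yml, this block also applies to the IPA groups and adds the
# passkey test toolchain when passkey_support is set.
- name: Install packages for client base image
  block:
  - name: Install SSSD and its dependencies
    apt:
      state: present
      update_cache: yes
      name:
      - adcli
      - freeipa-client
      - nfs-common
      - nslcd
      - packagekit
      - realmd
      - slapd
      - sssd
      - sssd-*
  - name: Install test dependencies on client
    apt:
      state: present
      update_cache: yes
      name:
      - augeas-tools
      - binutils
  - name: Install packages required for passkey testing
    apt:
      state: present
      name:
      - gcc
      - libssl-dev
      - umockdev
    when: passkey_support
  when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'ipa' in group_names"

- name: Install packages for NFS base image
  block:
  - name: Install NFS
    apt:
      state: present
      update_cache: yes
      name:
      - nfs-kernel-server
  when: "'base_nfs' in group_names or 'nfs' in group_names"

- name: Install packages for KDC base image
  block:
  - name: Install KDC
    apt:
      state: present
      update_cache: yes
      name:
      - krb5-admin-server
      - krb5-config
      - krb5-kdc
  when: "'base_kdc' in group_names or 'kdc' in group_names"

- name: Install packages for Keycloak base image
  block:
  - name: Install Keycloak dependencies
    apt:
      state: present
      update_cache: yes
      name:
      - openjdk-17-jre-headless
      - openssl
      - unzip
      - ca-certificates
      - curl
      - jq
  when: "'base_keycloak' in group_names"

- name: Install additional packages for client development image
  block:
  - name: Install SSSD build and integration tests dependencies
    apt:
      state: present
      update_cache: yes
      name:
      - adcli
      - autoconf
      - automake
      - autopoint
      - check
      - cifs-utils
      - clang
      - dh-apparmor
      - dnsutils
      - docbook-xml
      - docbook-xsl
      - fakeroot
      - faketime
      - gettext
      - gnutls-bin
      - krb5-admin-server
      - krb5-config
      - krb5-kdc
      - krb5-user
      - lcov
      - libc-ares-dev
      - libcmocka-dev
      - libcollection-dev
      - libcurl4-openssl-dev
      - libdbus-1-dev
      - libdhash-dev
      - libglib2.0-dev
      - libini-config-dev
      - libjansson-dev
      - libkeyutils-dev
      - libkrad-dev
      - libkrb5-dev
      - libldap2-dev
      - libldb-dev
      - libltdl-dev
      - libnfsidmap-dev
      - libnl-3-dev
      - libnl-route-3-dev
      - libnspr4-dev
      - libnss-wrapper
      - libnss3-dev
      - libp11-kit-dev
      - libpam-wrapper
      - libpam0g-dev
      - libpcre2-dev
      - libpcre3-dev
      - libpopt-dev
      - libsasl2-dev
      - libselinux1-dev
      - libsemanage-dev
      - libsmbclient-dev
      - libssl-dev
      - libsystemd-dev
      - libtalloc-dev
      - libtdb-dev
      - libtevent-dev
      - libtool
      - libtool-bin
      - libuid-wrapper
      - libunistring-dev
      - libxml2-utils
      - lsb-release
      - make
      - packagekit
      - pycodestyle
      - python3-dbus
      - python3-dev
      - python3-dev
      - python3-ldap
      - python3-ldb
      - python3-psutil
      - python3-pytest
      - python3-requests
      - samba-dev
      - softhsm2
      - uuid-dev
      - valgrind
      - xml-core
      - xsltproc

  - name: Install additional python packages
    apt:
      state: present
      update_cache: yes
      name:
      - python3-flaky
  when: "'client_devel' in group_names"

--------------------------------------------------------------------------------
/src/ansible/roles/packages/tasks/main.yml:
--------------------------------------------------------------------------------
# Regular (package mode) hosts: run the distribution's package tasks, then
# drop the package manager caches to keep the image small.
- name: Package mode installations
  block:
  - name: 'Include distribution specific package tasks [{{ ansible_distribution }} {{ ansible_distribution_major_version }}]'
    include_tasks: '{{ include_file }}'
    loop_control:
      loop_var: include_file
    with_first_found:
    - files: '{{ ansible_distribution | distro_includes(ansible_distribution_major_version) }}'

  - name: 'Clear package manager cache'
    shell: |
      if [ -f /usr/bin/apt ]; then
        rm -rf /var/lib/apt/lists/*
      fi
      if [ -f /usr/bin/dnf ]; then
        dnf clean all
      fi
  when: ansible_facts['pkg_mgr'] != "atomic_container"


# This is bandaid to run tests in image mode until dnf can take over and install test dependencies.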
22 | - name: Image mode rpm-ostree installations 23 | block: 24 | - name: 'Include distribution specific tasks (rpm-ostree) [{{ ansible_distribution }} {{ ansible_distribution_major_version }}]' 25 | include_tasks: '{{ include_file }}' 26 | loop_control: 27 | loop_var: include_file 28 | with_first_found: 29 | - files: '{{ ansible_distribution | distro_includes(ansible_distribution_major_version, "-rpm-ostree") }}' 30 | skip: True 31 | when: ansible_facts['pkg_mgr'] == "atomic_container" 32 | -------------------------------------------------------------------------------- /src/ansible/roles/packages/templates/repo: -------------------------------------------------------------------------------- 1 | [{{ item.name }}] 2 | name={{ item.name }} 3 | baseurl={{ item.url }} 4 | enabled=1 5 | gpgcheck=0 6 | skip_if_unavailable=True 7 | -------------------------------------------------------------------------------- /src/ansible/roles/passkey/files/random.c: -------------------------------------------------------------------------------- 1 | ../../../../rpms/random.c -------------------------------------------------------------------------------- /src/ansible/roles/passkey/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Build random.so for passkey testing 2 | block: 3 | - name: Copy random.c to /opt 4 | copy: 5 | src: random.c 6 | dest: /opt/random.c 7 | owner: root 8 | group: root 9 | mode: 0644 10 | 11 | - name: Build random.so 12 | shell: | 13 | cd /opt 14 | gcc -fPIC -shared -o random.so random.c -lcrypto 15 | 16 | - name: Remove random.c 17 | file: 18 | path: /opt/random.c 19 | state: absent 20 | when: passkey_support 21 | -------------------------------------------------------------------------------- /src/ansible/roles/samba/templates/samba-sysvolreset.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Restore sysvol permission after Samba DC 
is started 3 | 4 | [Service] 5 | Restart=on-failure 6 | Type=oneshot 7 | ExecStart=samba-tool ntacl sysvolreset 8 | 9 | [Install] 10 | WantedBy=multi-user.target 11 | -------------------------------------------------------------------------------- /src/ansible/roles/samba/templates/sudo.attrs.ldif.j2: -------------------------------------------------------------------------------- 1 | dn: CN=sudoUser,CN=Schema,CN=Configuration,{{ samba_suffix }} 2 | objectClass: top 3 | objectClass: attributeSchema 4 | attributeID: 1.3.6.1.4.1.15953.9.1.1 5 | schemaIdGuid:: //ytX3k5E8mkc6LWgoND+Q== 6 | cn: sudoUser 7 | name: sudoUser 8 | lDAPDisplayName: sudoUser 9 | description: User(s) who may run sudo 10 | attributeSyntax: 2.5.5.5 11 | oMSyntax: 22 12 | isSingleValued: FALSE 13 | 14 | dn: CN=sudoHost,CN=Schema,CN=Configuration,{{ samba_suffix }} 15 | objectClass: top 16 | objectClass: attributeSchema 17 | attributeID: 1.3.6.1.4.1.15953.9.1.2 18 | schemaIdGuid:: 82e1Hf487BDUcBI1WfDraA== 19 | cn: sudoHost 20 | name: sudoHost 21 | lDAPDisplayName: sudoHost 22 | description: Host(s) who may run sudo 23 | attributeSyntax: 2.5.5.5 24 | oMSyntax: 22 25 | isSingleValued: FALSE 26 | 27 | dn: CN=sudoCommand,CN=Schema,CN=Configuration,{{ samba_suffix }} 28 | objectClass: top 29 | objectClass: attributeSchema 30 | attributeID: 1.3.6.1.4.1.15953.9.1.3 31 | schemaIdGuid:: ghdg+gPkvRd8V9BOtwrG8g== 32 | cn: sudoCommand 33 | name: sudoCommand 34 | lDAPDisplayName: sudoCommand 35 | description: Command(s) to be executed by sudo 36 | attributeSyntax: 2.5.5.5 37 | oMSyntax: 22 38 | isSingleValued: FALSE 39 | 40 | dn: CN=sudoRunAs,CN=Schema,CN=Configuration,{{ samba_suffix }} 41 | objectClass: top 42 | objectClass: attributeSchema 43 | attributeID: 1.3.6.1.4.1.15953.9.1.4 44 | schemaIdGuid:: d4cy8I6W8Al6aEYyUbHb1A== 45 | cn: sudoRunAs 46 | name: sudoRunAs 47 | lDAPDisplayName: sudoRunAs 48 | description: User(s) impersonated by sudo (deprecated) 49 | attributeSyntax: 2.5.5.5 50 | oMSyntax: 22 51 | 
isSingleValued: FALSE 52 | 53 | dn: CN=sudoOption,CN=Schema,CN=Configuration,{{ samba_suffix }} 54 | objectClass: top 55 | objectClass: attributeSchema 56 | attributeID: 1.3.6.1.4.1.15953.9.1.5 57 | schemaIdGuid:: BenwRQeqlB9xi0+XvVQKzg== 58 | cn: sudoOption 59 | name: sudoOption 60 | lDAPDisplayName: sudoOption 61 | description: Options(s) followed by sudo 62 | attributeSyntax: 2.5.5.5 63 | oMSyntax: 22 64 | isSingleValued: FALSE 65 | 66 | dn: CN=sudoRunAsUser,CN=Schema,CN=Configuration,{{ samba_suffix }} 67 | objectClass: top 68 | objectClass: attributeSchema 69 | attributeID: 1.3.6.1.4.1.15953.9.1.6 70 | schemaIdGuid:: KdyHPmGCzCHuh9Dpf3RSHw== 71 | cn: sudoRunAsUser 72 | name: sudoRunAsUser 73 | lDAPDisplayName: sudoRunAsUser 74 | description: User(s) impersonated by sudo 75 | attributeSyntax: 2.5.5.5 76 | oMSyntax: 22 77 | isSingleValued: FALSE 78 | 79 | dn: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,{{ samba_suffix }} 80 | objectClass: top 81 | objectClass: attributeSchema 82 | attributeID: 1.3.6.1.4.1.15953.9.1.7 83 | schemaIdGuid:: P8xh3i8n3z601NmgS5k3LQ== 84 | cn: sudoRunAsGroup 85 | name: sudoRunAsGroup 86 | lDAPDisplayName: sudoRunAsGroup 87 | description: Group(s) impersonated by sudo 88 | attributeSyntax: 2.5.5.5 89 | oMSyntax: 22 90 | isSingleValued: FALSE 91 | 92 | dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,{{ samba_suffix }} 93 | objectClass: top 94 | objectClass: attributeSchema 95 | attributeID: 1.3.6.1.4.1.15953.9.1.8 96 | schemaIdGuid:: 8Ahfnub8lt8bbfKnBEHNOA== 97 | cn: sudoNotBefore 98 | name: sudoNotBefore 99 | lDAPDisplayName: sudoNotBefore 100 | description: Start of time interval for which the entry is valid 101 | attributeSyntax: 2.5.5.11 102 | oMSyntax: 24 103 | isSingleValued: FALSE 104 | 105 | dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,{{ samba_suffix }} 106 | objectClass: top 107 | objectClass: attributeSchema 108 | attributeID: 1.3.6.1.4.1.15953.9.1.9 109 | schemaIdGuid:: OfqkhVrfOFetpb8xEDYmCg== 110 | cn: sudoNotAfter 111 | 
name: sudoNotAfter 112 | lDAPDisplayName: sudoNotAfter 113 | description: End of time interval for which the entry is valid 114 | attributeSyntax: 2.5.5.11 115 | oMSyntax: 24 116 | isSingleValued: FALSE 117 | 118 | dn: CN=sudoOrder,CN=Schema,CN=Configuration,{{ samba_suffix }} 119 | objectClass: top 120 | objectClass: attributeSchema 121 | attributeID: 1.3.6.1.4.1.15953.9.1.10 122 | schemaIdGuid:: MGwmF4dyOUDTGr0KFZd+ag== 123 | cn: sudoOrder 124 | name: sudoOrder 125 | lDAPDisplayName: sudoOrder 126 | description: an integer to order the sudoRole entries 127 | attributeSyntax: 2.5.5.9 128 | oMSyntax: 2 129 | isSingleValued: FALSE 130 | 131 | -------------------------------------------------------------------------------- /src/ansible/roles/samba/templates/sudo.class.ldif.j2: -------------------------------------------------------------------------------- 1 | dn: CN=sudoRole,CN=Schema,CN=Configuration,{{ samba_suffix }} 2 | objectClass: top 3 | objectClass: classSchema 4 | governsID: 1.3.6.1.4.1.15953.9.2.1 5 | schemaIdGuid:: eDVFrChLa4I/yFpeegWnFQ== 6 | cn: sudoRole 7 | name: sudoRole 8 | lDAPDisplayName: sudoRole 9 | subClassOf: top 10 | objectClassCategory: 1 11 | description: Sudoer Entries 12 | mustContain: cn 13 | mayContain: sudoUser 14 | mayContain: sudoHost 15 | mayContain: sudoCommand 16 | mayContain: sudoRunAs 17 | mayContain: sudoRunAsUser 18 | mayContain: sudoRunAsGroup 19 | mayContain: sudoOption 20 | mayContain: sudoOrder 21 | mayContain: sudoNotBefore 22 | mayContain: sudoNotAfter 23 | mayContain: description 24 | possSuperiors: top 25 | defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,{{ samba_suffix }} 26 | defaultSecurityDescriptor: 
D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO) 27 | -------------------------------------------------------------------------------- /src/ansible/roles/ssh_server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Check if we have pre-generated key 2 | ansible.builtin.stat: 3 | path: "/var/data/ssh-keys/hosts/{{ inventory_hostname }}.ecdsa_key" 4 | register: stat_ecdsa_key 5 | 6 | - name: Configure SSH daemon with pre-generated hostkey 7 | template: 8 | src: sshd.conf 9 | dest: /etc/ssh/sshd_config.d 10 | owner: root 11 | group: root 12 | mode: 0600 13 | when: stat_ecdsa_key.stat.exists 14 | 15 | - name: Configure SSH daemon without pre-generated hostkey 16 | ansible.builtin.copy: 17 | dest: /etc/ssh/sshd_config.d/sshd.conf 18 | owner: root 19 | group: root 20 | mode: 0600 21 | content: | 22 | PermitRootLogin yes 23 | when: not stat_ecdsa_key.stat.exists 24 | 25 | - name: Start SSH daemon 26 | service: 27 | name: '{{ systemd.services.sshd }}' 28 | enabled: yes 29 | state: restarted 30 | register: restart_res 31 | until: "restart_res is not failed" 32 | # The ssh service restart sometimes gets stuck on VMs in openstack, 33 | # so we retry to make it more robust. 
34 | retries: 5 35 | delay: 30 36 | -------------------------------------------------------------------------------- /src/ansible/roles/ssh_server/templates/sshd.conf: -------------------------------------------------------------------------------- 1 | HostKey /var/data/ssh-keys/hosts/{{ inventory_hostname }}.ecdsa_key 2 | HostKey /var/data/ssh-keys/hosts/{{ inventory_hostname }}.ed25519_key 3 | HostKey /var/data/ssh-keys/hosts/{{ inventory_hostname }}.rsa_key 4 | 5 | PermitRootLogin yes 6 | -------------------------------------------------------------------------------- /src/ansible/roles/virtsmartcard/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Check if we are running in image mode 2 | stat: 3 | path: /usr/bin/rpm-ostree 4 | register: rpm_ostree 5 | 6 | - name: End play for host on rpm-ostree with ro /opt 7 | meta: end_host 8 | when: rpm_ostree.stat.exists 9 | 10 | - name: Create virtual card dirs 11 | file: 12 | path: "{{ item }}" 13 | state: directory 14 | with_items: 15 | - "{{ virt_smartcard_dir }}" 16 | - "{{ virt_smartcard_dir }}/db" 17 | - "{{ virt_smartcard_dir }}/tokens" 18 | 19 | - name: Create softhsm2 config 20 | template: 21 | dest: "{{ virt_smartcard_dir }}/softhsm2.conf" 22 | src: softhsm2.conf.j2 23 | owner: root 24 | group: root 25 | mode: 0644 26 | 27 | - name: Initialize softhsm2 token 28 | shell: | 29 | softhsm2-util --init-token --slot 0 --label "SC test" \ 30 | --so-pin={{ virt_smartcard_sopin }} --pin={{ virt_smartcard_pin }} 31 | environment: 32 | SOFTHSM2_CONF: "{{ virt_smartcard_dir }}/softhsm2.conf" 33 | args: 34 | chdir: "{{ virt_smartcard_dir }}" 35 | 36 | - name: Create NSSDB with modutil 37 | command: 38 | cmd: "modutil -create -dbdir sql:{{ virt_smartcard_dir }}/db -force" 39 | args: 40 | creates: "{{ virt_smartcard_dir }}/db/pkcs11.txt" 41 | 42 | - name: Check if p11-kit-proxy is configured 43 | shell: | 44 | modutil -list -dbdir sql:{{ virt_smartcard_dir }}/db 
-libfile \ 45 | {{ virt_smartcard_libsofthsm }} | grep 'library name: p11-kit-proxy.so' 46 | ignore_errors: true 47 | register: check_p11_kit_proxy 48 | 49 | - name: Add SoftHSM if p11-kit-proxy is configured 50 | shell: | 51 | modutil -force -add 'SoftHSM PKCS#11' -dbdir \ 52 | sql:{{ virt_smartcard_dir }}/db -libfile {{ virt_smartcard_libsofthsm }} 53 | when: check_p11_kit_proxy.rc == 1 54 | 55 | - name: Create custom pcscd semodule file 56 | copy: 57 | dest: "{{ virt_smartcard_dir }}/virtcacard.te" 58 | content: | 59 | policy_module(virtcacard, 1.0) 60 | gen_require(` 61 | type pcscd_t; 62 | type node_t; 63 | ') 64 | allow pcscd_t node_t:tcp_socket node_bind; 65 | 66 | - name: Install custom semodule 67 | shell: | 68 | set -e 69 | make -f /usr/share/selinux/devel/Makefile virtcacard.pp 70 | semodule -i {{ virt_smartcard_dir }}/virtcacard.pp 71 | touch {{ virt_smartcard_dir }}/virtcacard.cil.done 72 | args: 73 | chdir: "{{ virt_smartcard_dir }}" 74 | creates: "{{ virt_smartcard_dir }}/virtcacard.cil.done" 75 | 76 | - name: Copy pcscd service config file 77 | copy: 78 | src: /usr/lib/systemd/system/pcscd.service 79 | dest: /etc/systemd/system/pcscd.service 80 | remote_src: true 81 | 82 | - name: Remove --auto-exit from pcscd service 83 | replace: 84 | path: /etc/systemd/system/pcscd.service 85 | regexp: ' --auto-exit' 86 | 87 | - name: Copy virt_cacard.service template 88 | template: 89 | dest: /etc/systemd/system/virt_cacard.service 90 | src: virt_cacard.service.j2 91 | owner: root 92 | group: root 93 | mode: 0644 94 | 95 | - name: Disable virt_cacard in p11-kit opensc module 96 | lineinfile: 97 | path: /usr/share/p11-kit/modules/opensc.module 98 | line: "disable-in: virt_cacard" 99 | 100 | - name: Restart pcscd 101 | systemd_service: 102 | name: pcscd 103 | daemon_reload: true 104 | state: restarted 105 | 106 | - name: Start and enable virt_cacard service 107 | systemd_service: 108 | name: virt_cacard 109 | daemon_reload: true 110 | state: started 111 | enabled: 
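true 112 |
--------------------------------------------------------------------------------
/src/ansible/roles/virtsmartcard/templates/softhsm2.conf.j2:
--------------------------------------------------------------------------------
directories.tokendir = {{ virt_smartcard_dir }}/tokens/
slots.removable = true
objectstore.backend = file
log.level = INFO
--------------------------------------------------------------------------------
/src/ansible/roles/virtsmartcard/templates/virt_cacard.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=virt_cacard Service
Requires=pcscd.service

[Service]
Environment=SOFTHSM2_CONF="{{ virt_smartcard_dir }}/softhsm2.conf"
WorkingDirectory={{ virt_smartcard_dir }}
# NOTE(review): systemd starts ExecStart= without a shell, so ">> ... 2>&1" is
# handed to virt_cacard as arguments instead of redirecting its output;
# StandardOutput=/StandardError= are the unit-file way to capture it.
ExecStart=/usr/bin/virt_cacard >> /var/log/virt_cacard.debug 2>&1
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/src/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# ==============
#  IMAGE LAYERS
# ==============
#
# original image
# |------------------------------------------------------------------------------------------------|
# |                                          base-ground                                           |
# |------------------------------------------------------------------------------------------------|
# | base-ldap           | base-client   | base-samba   | base-nfs   | base-keycloak   | base-kdc   |
# |------------------------------------ |--------------|------------|-----------------|------------|
# | base-ipa   |        |               |              |            |                 |            |
# |------------|        |               |              |            |                 |            |
# | ipa        | ldap   | client        | samba        | nfs        | keycloak        | kdc        |
# |            |        |---------------|              |            |                 |            |
# |            |        | client-dev    |              |            |                 |            |
# |------------|--------|---------------|--------------|------------|-----------------|------------|
#
# Inputs read from the environment (defaults are set below): BASE_IMAGE, TAG,
# UNAVAILABLE, ANSIBLE_OPTS, ANSIBLE_DEBUG, CLEANUP, SKIP_BASE and DOCKER
# (the last one through tools/get-container-engine.sh).

# cleanup() is defined further down; the trap only runs it when the script exits.
trap "cleanup &> /dev/null || :" EXIT
# Quoted so that a checkout path containing spaces still resolves.
pushd "$(realpath "$(dirname "$0")")" &> /dev/null
source ./tools/get-container-engine.sh

export REGISTRY="localhost/sssd"
# The default base image is referenced by a mutable tag, so two runs can build
# on different content; set BASE_IMAGE explicitly for a reproducible build.
export BASE_IMAGE="${BASE_IMAGE:-registry.fedoraproject.org/fedora:latest}"
export TAG="${TAG:-latest}"
export UNAVAILABLE="${UNAVAILABLE:-}"
export ANSIBLE_CONFIG=./ansible/ansible.cfg
export ANSIBLE_OPTS=${ANSIBLE_OPTS:-}
export ANSIBLE_DEBUG=${ANSIBLE_DEBUG:-0}

# Debugging options
export CLEANUP=${CLEANUP:-yes}
export SKIP_BASE=${SKIP_BASE:-no}

echo "Building from: $BASE_IMAGE"
echo "Building with tag: $TAG"
# NOTE(review): PRIVILEDGED is never assigned in this script; the line prints
# whatever the caller's environment holds (empty when unset).
echo "Building in priviledged mode: $PRIVILEDGED"
echo "Storing in: $REGISTRY"

# CLEANUP=no leaves the work-in-progress containers in place for inspection.
if [ "$CLEANUP" == "no" ]; then
    trap - EXIT
fi

set -xe

# Remove the work-in-progress base container and tear down the compose services.
function cleanup {
    ${DOCKER} rm sssd-wip-base --force || :
    compose down
}

# Run docker-compose against the project file plus the build override.
# Always invokes the docker-compose binary, independent of ${DOCKER}.
function compose {
    docker-compose -f "../docker-compose.yml" -f "./docker-compose.build.yml" "$@"
}

# Run one shell command line inside the work-in-progress base container.
function base_exec {
    ${DOCKER} exec sssd-wip-base /bin/bash -c "$1"
}

# On CentOS Stream 8 only, point the yum repositories at vault.centos.org.
# The rewritten baseurl uses plain http://.
function c8s_repo {
    # Update repos to working ones
    base_exec 'grep -q "CentOS Stream 8" /etc/os-release && sed -i "s/mirrorlist/#mirrorlist/g" /etc/yum.repos.d/CentOS-* || true'
    base_exec 'grep -q "CentOS Stream 8" /etc/os-release && sed -i "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-* || true'
}

# Make sure that Ansible dependencies are installed so we can run playbooks
function base_install_python {
    # Install python3 if not available
    if base_exec '[ ! -f /usr/bin/python3 ]'; then
        if base_exec '[ -f /usr/bin/apt ]'; then
            base_exec 'apt update && apt install -y python3 python3-apt && rm -rf /var/lib/apt/lists/*'
        else
            base_exec 'dnf install -y python3 && dnf clean all'
        fi
    fi

    # Add python3-dnf5 to enable ansible to use it
    if base_exec '[ -f /usr/bin/dnf5 ]'; then
        base_exec 'dnf install -y python3-libdnf5 dnf5-plugins'
    fi
}

# We use commit instead of build so we can provision the images with Ansible.
#
#   $1  image to start from
#   $2  name of the image to produce (stored as ${REGISTRY}/ci-$2:${TAG})
function build_base_image {
    local from=$1
    local name=$2

    # Services listed in UNAVAILABLE are not built; the published image is
    # re-tagged instead. It is pulled by the mutable :latest tag, not by digest,
    # so its content is whatever the registry serves at build time.
    for svc in $UNAVAILABLE; do
        if [ "base-$svc" != "$name" ]; then
            continue
        fi

        echo "Service $svc is not available in $BASE_IMAGE."
        echo "Using quay.io/sssd/ci-base-$svc:latest instead."
        ${DOCKER} pull "quay.io/sssd/ci-base-$svc:latest"
        ${DOCKER} tag "quay.io/sssd/ci-base-$svc:latest" "${REGISTRY}/ci-$name:${TAG}"
        return 0
    done

    echo "Building $name from $from"
    # NOTE(review): seccomp filtering is switched off for the provisioning
    # container; the script does not say which step needs it.
    ${DOCKER} run --security-opt seccomp=unconfined --name sssd-wip-base --detach -i "$from"
    if [ "$name" == 'base-ground' ]; then
        c8s_repo
        base_install_python
    fi
    # The --limit pattern is the image name with dashes replaced by underscores.
    # ANSIBLE_OPTS is left unquoted on purpose so it can carry several options.
    ansible-playbook $ANSIBLE_OPTS --limit "${name//-/_}" ./ansible/playbook_image_base.yml
    ${DOCKER} stop sssd-wip-base
    ${DOCKER} commit                     \
        --change 'CMD ["/sbin/init"]'    \
        --change 'STOPSIGNAL SIGRTMIN+3' \
        sssd-wip-base "${REGISTRY}/ci-$name:${TAG}"
    ${DOCKER} rm sssd-wip-base --force
}

# We have to use commit because the services require functional systemd.
#
#   $1  container to commit
#   $2  name of the image to produce (stored as ${REGISTRY}/ci-$2:${TAG})
function build_service_image {
    local from=$1
    local name=$2

    echo "Commiting $from as $name"
    ${DOCKER} commit "$from" "${REGISTRY}/ci-$name:${TAG}"
}

if [ "$SKIP_BASE" == 'no' ]; then
    # Create base images
    ${DOCKER} build --file "Containerfile" --target dns --tag "${REGISTRY}/ci-dns:latest" .
    build_base_image "$BASE_IMAGE" base-ground
    build_base_image "ci-base-ground:${TAG}" base-client
    build_base_image "ci-base-ground:${TAG}" base-ldap
    build_base_image "ci-base-ground:${TAG}" base-samba
    build_base_image "ci-base-ldap:${TAG}" base-ipa
    build_base_image "ci-base-ground:${TAG}" base-nfs
    build_base_image "ci-base-ground:${TAG}" base-kdc
    build_base_image "ci-base-ground:${TAG}" base-keycloak
fi

# Create services
compose up --detach
ansible-playbook $ANSIBLE_OPTS ./ansible/playbook_image_service.yml
compose stop
build_service_image sssd-wip-client client
build_service_image sssd-wip-ipa ipa
build_service_image sssd-wip-ipa2 ipa2
build_service_image sssd-wip-ldap ldap
build_service_image sssd-wip-samba samba
build_service_image sssd-wip-nfs nfs
build_service_image sssd-wip-kdc kdc
build_service_image sssd-wip-keycloak keycloak
compose down

# Create development images with additional packages
build_base_image "ci-client:${TAG}" client-devel
build_base_image "ci-ipa:${TAG}" ipa-devel
--------------------------------------------------------------------------------
/src/docker-compose.build.yml:
--------------------------------------------------------------------------------
1 | services: 2 | dns: 3 | image: localhost/sssd/ci-dns:latest 4 | container_name: sssd-wip-dns 5 | ipa: 6 | image: localhost/sssd/ci-base-ipa:${TAG} 7 | container_name: sssd-wip-ipa 8 | ipa2: 9 | image: localhost/sssd/ci-base-ipa:${TAG} 10 | container_name: sssd-wip-ipa2 11 |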
ldap: 12 | image: localhost/sssd/ci-base-ldap:${TAG} 13 | container_name: sssd-wip-ldap 14 | samba: 15 | image: localhost/sssd/ci-base-samba:${TAG} 16 | container_name: sssd-wip-samba 17 | client: 18 | image: localhost/sssd/ci-base-client:${TAG} 19 | container_name: sssd-wip-client 20 | nfs: 21 | image: localhost/sssd/ci-base-nfs:${TAG} 22 | container_name: sssd-wip-nfs 23 | kdc: 24 | image: localhost/sssd/ci-base-kdc:${TAG} 25 | container_name: sssd-wip-kdc 26 | keycloak: 27 | image: localhost/sssd/ci-base-keycloak:${TAG} 28 | container_name: sssd-wip-keycloak 29 | -------------------------------------------------------------------------------- /src/push.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ============== 4 | # IMAGE LAYERS 5 | # ============== 6 | # 7 | # original image 8 | # |------------------------------------------------------------------------------------------------| 9 | # | base-ground | 10 | # |------------------------------------------------------------------------------------------------| 11 | # | base-ldap | base-client | base-samba | base-nfs | base-keycloak | base-kdc | 12 | # |------------------------------------ |--------------|------------|-----------------|------------| 13 | # | base-ipa | | | | | | | 14 | # |------------| | | | | | | 15 | # | ipa | ldap | client | samba | nfs | keycloak | kdc | 16 | # | | |---------------| | | | | 17 | # | | | client-dev | | | | | 18 | # |------------|--------|---------------|--------------|------------|-----------------|------------| 19 | 20 | trap "cleanup &> /dev/null || :" EXIT 21 | pushd $(realpath `dirname "$0"`) &> /dev/null 22 | source ./tools/get-container-engine.sh 23 | 24 | # Additional tags of the image 25 | EXTRA_TAGS="${EXTRA_TAGS:-}" 26 | 27 | # REGISTRY is required 28 | if [ -z "$REGISTRY" ]; then 29 | echo "REGISTRY environment variable have to be set." 
30 | exit 1 31 | fi 32 | 33 | # TAG is required 34 | if [ -z "$TAG" ]; then 35 | echo "TAG environment variable have to be set." 36 | exit 1 37 | fi 38 | 39 | echo "Pushing to $REGISTRY with tag $TAG." 40 | 41 | set -xe 42 | 43 | function push { 44 | local name=$1 45 | local tag=$2 46 | local extra_tags=$3 47 | 48 | ${DOCKER} push "localhost/sssd/$name:$tag" "${REGISTRY}/$name:$tag" 49 | 50 | for extra in $extra_tags; do 51 | ${DOCKER} push "localhost/sssd/$name:$tag" "${REGISTRY}/$name:$extra" 52 | done 53 | } 54 | 55 | # Push base images 56 | push ci-base-client "$TAG" "$EXTRA_TAGS" 57 | push ci-base-ipa "$TAG" "$EXTRA_TAGS" 58 | push ci-base-ldap "$TAG" "$EXTRA_TAGS" 59 | push ci-base-samba "$TAG" "$EXTRA_TAGS" 60 | push ci-base-nfs "$TAG" "$EXTRA_TAGS" 61 | push ci-base-kdc "$TAG" "$EXTRA_TAGS" 62 | push ci-base-keycloak "$TAG" "$EXTRA_TAGS" 63 | 64 | # Push service images 65 | push ci-dns latest "" 66 | push ci-client "$TAG" "$EXTRA_TAGS" 67 | push ci-client-devel "$TAG" "$EXTRA_TAGS" 68 | push ci-ipa "$TAG" "$EXTRA_TAGS" 69 | push ci-ipa2 "$TAG" "$EXTRA_TAGS" 70 | push ci-ipa-devel "$TAG" "$EXTRA_TAGS" 71 | push ci-ldap "$TAG" "$EXTRA_TAGS" 72 | push ci-samba "$TAG" "$EXTRA_TAGS" 73 | push ci-nfs "$TAG" "$EXTRA_TAGS" 74 | push ci-kdc "$TAG" "$EXTRA_TAGS" 75 | push ci-keycloak "$TAG" "$EXTRA_TAGS" 76 | -------------------------------------------------------------------------------- /src/rpms/Makefile: -------------------------------------------------------------------------------- 1 | prep: 2 | mkdir -p $(PWD)/rpmbuild/BUILD 3 | mkdir -p $(PWD)/rpmbuild/RPMS 4 | mkdir -p $(PWD)/rpmbuild/SOURCES 5 | mkdir -p $(PWD)/rpmbuild/SPECS 6 | mkdir -p $(PWD)/rpmbuild/SRPMS 7 | cp random.c $(PWD)/rpmbuild/SOURCES 8 | cp ci-sssd.spec $(PWD)/rpmbuild/SPECS 9 | 10 | srpm: prep 11 | rpmbuild --define "_topdir $(PWD)/rpmbuild" -bs ci-sssd.spec 12 | 13 | rpms: prep 14 | rpmbuild --define "_topdir $(PWD)/rpmbuild" -ba ci-sssd.spec 15 | 16 | clean: 17 | rm -fr $(PWD)/rpmbuild 18 
| -------------------------------------------------------------------------------- /src/rpms/ci-sssd.spec: -------------------------------------------------------------------------------- 1 | %define build_timestamp %(date +"%%Y_%%m_%%d_%%H_%%M_%%S") 2 | 3 | Name: ci-sssd 4 | Version: 1 5 | Release: 1%{?dist}.%{build_timestamp} 6 | Summary: SSSD CI Packages 7 | URL: https://github.com/SSSD/sssd-ci-containers 8 | 9 | License: GPLv3+ 10 | Source0: random.c 11 | 12 | BuildRequires: gcc 13 | BuildRequires: openssl-devel 14 | 15 | %description 16 | SSSD CI Packages. For testing purpose only. 17 | 18 | %prep 19 | 20 | %build 21 | gcc -fPIC -shared -o random.so %{SOURCE0} -lcrypto 22 | 23 | %install 24 | mkdir -p %{buildroot}/opt 25 | cp random.so %{buildroot}/opt/random.so 26 | 27 | %package random 28 | Summary: random.so for passkey testing. 29 | 30 | %description random 31 | random.so for passkey testing. 32 | 33 | %files random 34 | /opt/random.so 35 | 36 | %changelog 37 | * Thu Jul 20 2023 SSSD Team - 1.0.0-1 38 | - Test package release. 
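39 |
--------------------------------------------------------------------------------
/src/rpms/random.c:
--------------------------------------------------------------------------------
/*
 * random.so: replaces the process's randomness sources with predictable ones.
 *
 * ci-sssd.spec builds this file with "gcc -fPIC -shared ... -lcrypto" and
 * ships the result as /opt/random.so in its "random" subpackage, described
 * there as "random.so for passkey testing". How the object gets loaded into
 * a process is not shown in this file.
 *
 * Once loaded, two things are in effect:
 *   - getrandom(), RAND_bytes() and arc4random_buf() as defined here fill the
 *     caller's buffer with the constant byte 0x01;
 *   - an OpenSSL provider named "mock" is registered and selected as the DRBG
 *     type for the default library context, and its generate callback returns
 *     bytes from rand() seeded with a fixed value.
 *
 * Every key, nonce or challenge derived from these sources is therefore
 * reproducible from run to run. The object belongs in test images only.
 */

/* Keep assert() active in every build: the constructor's setup calls live
 * inside assert() and would disappear if NDEBUG were defined. */
#undef NDEBUG

/* NOTE(review): the header names after each #include were lost when this page
 * was extracted (eight bare "#include" directives remain). The list below is
 * reconstructed from the identifiers the file uses; confirm it against the
 * repository copy. */
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/crypto.h>
#include <openssl/params.h>
#include <openssl/provider.h>
#include <openssl/rand.h>

static OSSL_FUNC_rand_newctx_fn mock_rand_newctx;
static OSSL_FUNC_rand_freectx_fn mock_rand_freectx;
static OSSL_FUNC_rand_instantiate_fn mock_rand_instantiate;
static OSSL_FUNC_rand_uninstantiate_fn mock_rand_uninstantiate;
static OSSL_FUNC_rand_generate_fn mock_rand_generate;
static OSSL_FUNC_rand_enable_locking_fn mock_rand_enable_locking;
static OSSL_FUNC_rand_gettable_ctx_params_fn mock_rand_gettable_ctx_params;
static OSSL_FUNC_rand_get_ctx_params_fn mock_rand_get_ctx_params;

/* Allocate the RAND context: a zeroed int used only as a placeholder, since
 * no callback below reads it. Aborts through assert() on allocation failure. */
static void *
mock_rand_newctx(void *provctx, void *parent,
                 const OSSL_DISPATCH *parent_calls)
{
    int *ctx = OPENSSL_zalloc(sizeof(*ctx));
    assert(ctx);
    return ctx;
}

/* Release the placeholder context allocated by mock_rand_newctx(). */
static void
mock_rand_freectx(void *vctx)
{
    int *ctx = vctx;
    OPENSSL_clear_free(ctx, sizeof(*ctx));
}

/* Instantiation is a no-op that always reports success; strength,
 * prediction resistance and the personalisation string are ignored. */
static int
mock_rand_instantiate(void *ctx, unsigned int strength,
                      int prediction_resistance,
                      const unsigned char *pstr, size_t pstr_len,
                      const OSSL_PARAM params[])
{
    return 1;
}

/* Nothing to tear down; always reports success. */
static int
mock_rand_uninstantiate(void *ctx)
{
    return 1;
}

/* Fill out[0..outlen) with the low byte of successive rand() values.
 * The sequence is fixed by the srand() call in install_mock_provider();
 * strength, prediction resistance and additional input are ignored. */
static int
mock_rand_generate(void *ctx, unsigned char *out, size_t outlen,
                   unsigned int strength, int prediction_resistance,
                   const unsigned char *adin, size_t adinlen)
{
    for (size_t i = 0; i < outlen; i++)
        out[i] = (unsigned char)rand();
    return 1;
}

/* Reports success without setting up any lock. */
static int
mock_rand_enable_locking(void *ctx)
{
    return 1;
}

/* Advertise the single context parameter this implementation answers. */
static const OSSL_PARAM *
mock_rand_gettable_ctx_params(void *ctx, void *provctx)
{
    static const OSSL_PARAM known_gettable_ctx_params[] = {
        OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL),
        OSSL_PARAM_END
    };
    return known_gettable_ctx_params;
}

/* Report SIZE_MAX as the maximum request size when the caller asks for it.
 * Returns 0 only if storing that value fails. */
static int
mock_rand_get_ctx_params(void *ctx, OSSL_PARAM params[])
{
    OSSL_PARAM *p;
    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, SIZE_MAX))
        return 0;
    return 1;
}

/* Dispatch table binding the RAND operation's function ids to the mocks. */
static const OSSL_DISPATCH mock_rand_functions[] = {
    { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))mock_rand_newctx },
    { OSSL_FUNC_RAND_FREECTX, (void(*)(void))mock_rand_freectx },
    { OSSL_FUNC_RAND_INSTANTIATE, (void(*)(void))mock_rand_instantiate },
    { OSSL_FUNC_RAND_UNINSTANTIATE, (void(*)(void))mock_rand_uninstantiate },
    { OSSL_FUNC_RAND_GENERATE, (void(*)(void))mock_rand_generate },
    { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))mock_rand_enable_locking },
    { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, (void(*)(void))mock_rand_gettable_ctx_params },
    { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))mock_rand_get_ctx_params },
    { 0, NULL }
};


/* The one algorithm the provider offers: "MOCK", property "provider=mock". */
static const OSSL_ALGORITHM mock_rand[] = {
    { "MOCK", "provider=mock", mock_rand_functions },
    { NULL, NULL, NULL }
};

/* Answer operation queries: only OSSL_OP_RAND yields an algorithm table. */
static const OSSL_ALGORITHM *
mock_provider_query(void *provctx, int id, int *no_cache)
{
    *no_cache = 0;
    return id == OSSL_OP_RAND ? mock_rand : NULL;
}

/* Provider-level dispatch table. Teardown frees the library context that
 * mock_provider_init() stored as the provider context. */
static const OSSL_DISPATCH mock_provider[] = {
    { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OSSL_LIB_CTX_free },
    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))mock_provider_query },
    { 0, NULL }
};

/* Provider entry point handed to OSSL_PROVIDER_add_builtin(): creates a
 * library context as the provider context and publishes the dispatch table.
 * Returns 0 when the context cannot be created. */
static int
mock_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
                   const OSSL_DISPATCH **out, void **provctx)
{
    if ((*provctx = OSSL_LIB_CTX_new()) == NULL)
        return 0;
    *out = mock_provider;
    return 1;
}

/* Exported replacement for getrandom(): flags are ignored and the buffer is
 * filled through this file's RAND_bytes(), i.e. with 0x01 bytes. Requests
 * above INT_MAX are rejected because RAND_bytes() takes an int length.
 * "protected" visibility keeps the symbol exported while references from
 * inside this object bind to the definitions here. */
ssize_t __attribute__((visibility("protected")))
getrandom(void *buf, size_t buflen, unsigned int flags)
{
    if (buflen > INT_MAX || RAND_bytes(buf, buflen) != 1)
        return -1;
    return (ssize_t)buflen;
}

/* Exported replacement for RAND_bytes(): writes num bytes of 0x01.
 * A negative length is refused; passed on to memset() it would convert to a
 * huge size_t and write far past the buffer. */
int __attribute__ ((visibility ("protected")))
RAND_bytes (unsigned char *buf, int num)
{
    if (num < 0)
        return 0;
    memset (buf, 0x1, num);
    return 1;
}

/* Exported replacement for arc4random_buf(): writes nbytes bytes of 0x01. */
void __attribute__ ((visibility ("protected")))
arc4random_buf(void *buf, size_t nbytes)
{
    memset (buf, 0x1, nbytes);
}

/* Runs when the shared object is loaded: fixes the rand() seed, registers
 * the "mock" provider, selects it as DRBG type for the default library
 * context and loads it. Any failure aborts the process through assert(). */
static void __attribute__((constructor))
install_mock_provider(void)
{
    srand(0x12345678);
    assert(OSSL_PROVIDER_add_builtin(NULL, "mock", mock_provider_init));
    assert(RAND_set_DRBG_type(NULL, "mock", NULL, NULL, NULL));
    assert(OSSL_PROVIDER_try_load(NULL, "mock", 1));
}
--------------------------------------------------------------------------------
/src/tools/gen-certs.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash 2 | # 3 | # Generate CA and service certificates.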
4 | # 5 | # Usage: 6 | # gen-certs.sh [output=data/certs] 7 | # 8 | 9 | # Output directory 10 | OUT="${1:-$(realpath `dirname "$0"`/../../data/certs)}" 11 | CONFIG_DIR="$(realpath `dirname "$0"`/../../data/configs)" 12 | SUBJECT="/O=test/OU=sssd" 13 | REQ_CONFIG="$CONFIG_DIR/openssl_ca.cfg" 14 | X509_CONFIG="$CONFIG_DIR/openssl_sign_service.ext" 15 | 16 | echo "Creating CA and service certificates" 17 | echo "Output directory: $OUT" 18 | 19 | set -xe 20 | mkdir -p $OUT 21 | 22 | # Create non-encrypted self-signed root certificate authority 23 | openssl req -new -x509 -days 7200 -config "$REQ_CONFIG" -subj "$SUBJECT/CN=ca" -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 24 | 25 | # Create certificates 26 | for service in master.ldap.test dc.samba.test master.keycloak.test; do 27 | openssl req -new -config "$REQ_CONFIG" -subj "$SUBJECT/CN=$service" -keyout "$OUT/$service.key" -out "$OUT/$service.csr" 28 | openssl x509 -req -days 7200 -extfile "$X509_CONFIG" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial -in "$OUT/$service.csr" -out "$OUT/$service.crt" 29 | rm -f "$OUT/$service.csr" 30 | done 31 | 32 | rm -f "$OUT/ca.srl" 33 | -------------------------------------------------------------------------------- /src/tools/gen-ssh-keys.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Generate service and user SSH keys. 4 | # 5 | # Usage: 6 | # gen-certs.sh [output=data/ssh-keys] 7 | # 8 | 9 | # Output directory 10 | OUT="${1:-$(realpath `dirname "$0"`/../../data/ssh-keys)}" 11 | 12 | echo "Creating service and user SSH keys" 13 | echo "Output directory: $OUT" 14 | 15 | set -xe 16 | mkdir -p $OUT 17 | mkdir -p $OUT/hosts 18 | 19 | for name in client.test dc.samba.test dns.test kdc.test \ 20 | master.ipa.test master.ipa2.test master.keycloak.test master.ldap.test nfs.test; do 21 | for type in ecdsa ed25519 rsa; do 22 | ssh-keygen -C "Well known key for sssd-ci." 
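-t $type -f "$OUT/hosts/$name.${type}_key" -N "" <<< y 23 | done 24 | done 25 | 26 | ssh-keygen -C "Well known key for sssd-ci ci user." -t rsa -b 4096 -f "$OUT/ci.id_rsa" -N "" <<< y 27 | ssh-keygen -C "Well known key for sssd-ci root user." -t rsa -b 4096 -f "$OUT/root.id_rsa" -N "" <<< y 28 |
--------------------------------------------------------------------------------
/src/tools/get-build-matrix.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

import json
import requests
import sys
import os


def get_matrix(image, image_tags, ci_tag, ci_tag_extra):
    """Build one matrix entry per tag of a base image.

    :param image: image repository, without a tag
    :param image_tags: tags of the base image, in the order to emit them
    :param ci_tag: format string with a ``{tag}`` placeholder for the CI tag
    :param ci_tag_extra: extra CI tags, attached only to the last entry
    :return: list of dicts with the keys ``base``, ``tag`` and ``extra``
    """
    def is_last(tag):
        """ Return true if this is the last tag in the set. """
        return tag == image_tags[-1]

    return [
        {
            'base': f'{image}:{tag}-x86_64',
            'tag': ci_tag.format(tag=tag),
            'extra': ci_tag_extra if is_last(tag) else ''
        }
        for tag in image_tags
    ]


def get_fedora_releases(type, exclude=(), extra=''):
    """Return the sorted Fedora versions Bodhi reports in the given state.

    :param type: value of the ``state`` query parameter
    :param exclude: versions to leave out of the result
    :param extra: accepted but not used
    :return: sorted list of version strings
    :raises requests.HTTPError: when Bodhi answers with an error status
    """
    # The timeout keeps a stalled connection from hanging the CI job; the
    # state goes through params= so that it is URL-encoded.
    r = requests.get(
        'https://bodhi.fedoraproject.org/releases',
        params={'state': type},
        timeout=30,
    )
    r.raise_for_status()

    versions = {x['version'] for x in r.json()['releases'] if x['id_prefix'] == 'FEDORA'}

    # NOTE(review): versions are strings, so this is a lexicographic sort
    # ('9' sorts after '10'); get_matrix() gives the extra tags to the last one.
    return sorted(versions - set(exclude))


fedora_stable = get_fedora_releases('current')
fedora_devel = get_fedora_releases('pending', exclude=['eln'])

# The version strings come from the Bodhi response and end up in the image
# references the build pulls from.
matrix = []
matrix.extend(get_matrix('registry.fedoraproject.org/fedora', fedora_stable, 'fedora-{tag}', 'latest fedora-latest'))
matrix.extend(get_matrix('registry.fedoraproject.org/fedora', fedora_devel, 'fedora-{tag}', 'rawhide'))

if 'action' in sys.argv[1:]:
    # json.dumps() emits a single line, so a value from the API cannot add
    # further key=value lines to the output file. The trailing newline keeps
    # a later writer from continuing on the same line.
    with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
        f.write(f'matrix={json.dumps(matrix)}\n')

print(json.dumps(matrix, indent=2))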
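--------------------------------------------------------------------------------
/src/tools/get-container-engine.sh:
--------------------------------------------------------------------------------
# Sourced by the build scripts: exports DOCKER, the container engine to call.
# A DOCKER value already present in the environment wins; otherwise podman is
# used when it is on PATH, and docker when it is not.
default=docker
# "command -v" is a shell builtin, so the check does not depend on "which".
if command -v podman &> /dev/null; then
    default=podman
fi

export DOCKER="${DOCKER:-$default}"
--------------------------------------------------------------------------------
/src/tools/setup-dns-files.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Setup /etc/hosts to resolve hostnames of our containers.
#
# Usage:
#   setup-dns-files.sh
#
# Edits /etc/hosts in place, so it needs write access to that file.
#

# Quoted so that a checkout path containing spaces still resolves.
pushd "$(realpath "$(dirname "$0")")" &> /dev/null
set -xe

# Address and name of every container, in the order the lines are appended.
entries=(
    "172.16.100.10 master.ipa.test"
    "172.16.100.20 master.ldap.test"
    "172.16.100.30 dc.samba.test"
    "172.16.100.40 client.test"
    "172.16.100.50 nfs.test"
    "172.16.100.60 kdc.test"
    "172.16.100.70 master.keycloak.test"
    "172.16.200.10 dc.ad.test"
    "172.16.100.11 master.ipa2.test"
)

# First remove lines if they exist
for entry in "${entries[@]}"; do
    name="${entry#* }"
    # Dots are escaped so that they match only a literal dot. The pattern is
    # still unanchored: any line containing the name is deleted.
    sed -i "/${name//./\\.}/d" /etc/hosts
done

# Append the lines
for entry in "${entries[@]}"; do
    echo "$entry" >> /etc/hosts
done
--------------------------------------------------------------------------------
/src/tools/setup-dns.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Setup host DNS to forward all *.test queries to sssd-ci DNS server.
#
# Usage:
#   setup-dns.sh
#
# Changes the host's resolver setup: systemd-resolved is disabled and stopped,
# /etc/resolv.conf is removed, and NetworkManager is reloaded with the two
# configuration files copied below.
#

pushd "$(realpath "$(dirname "$0")")" &> /dev/null
set -xe

cp ../../data/configs/nm_enable_dnsmasq.conf /etc/NetworkManager/conf.d/
cp ../../data/configs/nm_zone_test.conf /etc/NetworkManager/dnsmasq.d/
systemctl disable --now systemd-resolved
rm -f /etc/resolv.conf
systemctl reload NetworkManager
--------------------------------------------------------------------------------
/src/tools/trust-ca.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Trust sssd-ci CA.
#
# Usage:
#   trust-ca.sh
#
# An optional first argument overrides the path of the CA certificate.
#
# The matching private key (data/certs/ca.key) is listed in the repository
# tree, so after this step the host trusts certificates that anyone holding a
# copy of the repository can issue. That fits a disposable test host only.
#

CA="${1:-$(realpath "$(dirname "$0")/../../data/certs/ca.crt")}"

set -xe
cp "$CA" /etc/pki/ca-trust/source/anchors/sssd-ci-ca.crt
update-ca-trust
--------------------------------------------------------------------------------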