systemtest: support running clients in a container

Motivation: Containers provide a convenient way of testing dCache as they allow an arbitrary client version, running on arbitrary Linux distribution. This is particularly useful when testing dCache's system-test. However, when building system-test, the 'populate' script generates (and disposes of) an X.509 certificate authority. This CA is used to generate host- and user credentials. In order to support X.509 credential testing, the container environment needs to be updated to trust the dCache disposable CA, and have the client credentials installed. Modification: Add a simple script that copies the Disposable CA related files into the container, enabling the container to trust that CA. The script also copies the X.509 client credentials into the container and creates a proxy credential. Result: It is easier to use clients running in a container to test dCache's system-test Target: master Requires-notes: no Requires-book: no Patch: https://rb.dcache.org/r/14192/ Acked-by: Marina Sahakyan
dCache · Jan 8, 2024 · 95db4a7 · 95db4a7
1 parent 7793086
commit 95db4a7
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/packages/system-test/src/main/bin/container-add-trust b/packages/system-test/src/main/bin/container-add-trust
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+#  This is a script that:
+#
+#    * adds dCache Disposable CA to a container's trust store.
+#
+#    * copies the auto-generated X.509 credential to root's home directory.
+#
+#    * generates a new X.509 proxy credential from the auto-generated X.509
+#      credential.
+#
+#  The container ID is supplied as an argument; e.g.
+#
+#      packages/system-test/src/main/bin/container-add-trust a1a201a97049
+#
+#  The DOCKER_CMD variable may be used to specify a command to run instead of 'docker'.
+#  For example, the following command uses 'podman' instead of 'docker'.
+#
+#      DOCKER_CMD=podman packages/system-test/src/main/bin/container-add-trust a1a201a97049
+#
+set -eu
+
+if [ $# -ne 1 ]; then
+  echo "Need ID of container"
+  exit 1
+fi
+
+docker=${DOCKER_CMD:-docker}
+
+# Support running this script from either
+#     packages/system-test/target/bin
+# or
+#     packages/system-test/src/main/bin
+parent=$(cd $(dirname $0)/..;pwd)
+cd $parent/..
+if [ "$(basename $parent)" = "main" ]; then
+    cd ..
+fi
+cd target/dcache
+
+hash=$(openssl x509 -in etc/grid-security/hostcert.pem -noout -issuer_hash)
+old_hash=$(openssl x509 -in etc/grid-security/hostcert.pem -noout -issuer_hash_old)
+
+for ext in 0 namespaces signing_policy; do
+    src=etc/grid-security/certificates/$hash.$ext
+    dst=/etc/grid-security/certificates/$hash.$ext
+    $docker cp $src $1:$dst
+    dst=/etc/grid-security/certificates/$old_hash.$ext
+    $docker cp $src $1:$dst
+done
+
+for filename in usercert.pem userkey.pem; do
+    $docker cp $filename $1:/root/
+done
+
+$docker exec $1 voms-proxy-init --key=/root/userkey.pem --cert=/root/usercert.pem