m (add remote authentication criterion) |
(add a criterion requiring kickstart user creation to work) |
||
| (8 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{anchor|scripted-user-creation}} | |||
==== Scripted user creation ==== | |||
The scripted installation mechanism must provide a working function for creating local user accounts, including the ability to specify a hashed password, and for specifying a hashed password for the root account. | |||
{{hidden|header=References|content= | |||
* Part of Server release criteria drafts, added after initial proposal | |||
* Test case: TODO | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|remote-authentication}} | {{anchor|remote-authentication}} | ||
==== Remote authentication ==== | ==== Remote authentication ==== | ||
| Line 11: | Line 19: | ||
{{anchor|post-install-requirements}} | {{anchor|post-install-requirements}} | ||
=== <span style="text-decoration:underline">Post-install requirements</span> === | === <span style="text-decoration:underline">Post-install requirements</span> === | ||
{{anchor|expected-installed-system-boot-behavior}} | |||
==== Expected installed system boot behavior ==== | |||
* A working mechanism to create a user account must be clearly presented during installation and/or first boot of the installed system. | |||
* Assuming no graphical desktop is installed, the installed system must boot to a state where it is possible to log in through at least one of the default virtual consoles. | |||
{{hidden|header=Encrypted partitions|content=In all of the above cases, if any system partitions were encrypted as part of the installation, the boot process must prompt for the passphrase(s) and correctly unlock the partition(s) when provided with the correct passphrase(s).|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{hidden|header=User intervention|content=In all of the above cases, the boot should proceed without any unexpected user intervention being required.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{hidden|header=System-specific bugs|content=System-specific bugs don't necessarily constitute an infringement of this criterion - for instance, if the system fails to boot because of a bug in the support some specific system's hardware, that is unlikely to constitute a violation unless the system is an extremely popular one. See [[Blocker_Bug_FAQ]] for more discussion of this.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{hidden|header=Use for severe issues in applying updates|content=These criteria can be used to cover known severe issues in applying post-release updates. For instance, if there was a bug that meant the system would install and boot fine but would break as soon as the user ran 'yum update', that may well be covered by these criteria.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{hidden|header=First boot utilities|content=On the first boot after installation, a utility for creating user accounts and other configuration may (''may'', not ''must'') run prior to a log in screen appearing.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{hidden|header=References|content= | |||
* Requirement for graphical installs to boot to desktop was in original Fedora 13 criteria revision. | |||
* Changes to cover non-graphical installs were proposed [https://lists.fedoraproject.org/pipermail/test/2010-August/092615.html 2010-08-12], implemented [https://lists.fedoraproject.org/pipermail/test/2010-August/092784.html 2010-08-16]. | |||
* Changes to cover firstboot were proposed [https://lists.fedoraproject.org/pipermail/test/2011-March/097859.html 2011-03-17], implemented [https://lists.fedoraproject.org/pipermail/test/2011-March/098365.html 2011-03-29]. | |||
* Change to stop requiring text mode firstboot to work was proposed [https://lists.fedoraproject.org/pipermail/test/2011-August/101727.html 2011-08-08], implemented [https://lists.fedoraproject.org/pipermail/test/2011-August/101916.html 2011-08-17]. | |||
* Wording was simplified and clarified as part of the major Fedora 19 criteria revision. | |||
* Change to reflect F19 firstboot->initial-setup/gnome-initial-setup migration and anaconda user creation [https://lists.fedoraproject.org/pipermail/test/2013-July/117053.html proposed 2013-07-18], [https://lists.fedoraproject.org/pipermail/test/2013-July/117132.html implemented 2013-07-24]. | |||
* Separated into per-Product variations as part of the [[Fedora.next]] Product split between Fedora 20 and Fedora 21, with only parts relevant to each Product included in each Product's criteria. | |||
* Test cases: | |||
** [[QA:Testcase_Anaconda_user_creation]] | |||
** [[QA:Testcase_base_initial_setup]] | |||
** [[QA:Testcase_base_startup]] | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|system-log-forwarding}} | {{anchor|system-log-forwarding}} | ||
==== System log forwarding ==== | ==== System log forwarding ==== | ||
| Line 22: | Line 54: | ||
{{anchor|firewall-configuration}} | {{anchor|firewall-configuration}} | ||
==== Firewall configuration ==== | ==== Firewall configuration ==== | ||
After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces. The only ports which may be open to incoming traffic are port 22 and any ports associated with server Roles selected during installation. Supported install-time firewall configuration options must work correctly. | After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces. The only ports which may be open to incoming traffic are port 22 (ssh), port XX (Cockpit web interface), and any ports associated with server Roles selected during installation. Supported install-time firewall configuration options must work correctly. | ||
{{hidden|header=Install time configuration|content=To explain the last part of this criterion - it is possible to include firewall configuration options in a kickstart-driven installation, and the criterion requires that those options work as expected. The options considered to be 'supported' are those documented at [[Anaconda/Kickstart#firewall]]. The case of a conflict between role-specified and manually-specified firewall configuration is not considered to be covered by these criteria.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | {{hidden|header=Install time configuration|content=To explain the last part of this criterion - it is possible to include firewall configuration options in a kickstart-driven installation, and the criterion requires that those options work as expected. The options considered to be 'supported' are those documented at [[Anaconda/Kickstart#firewall]]. The case of a conflict between role-specified and manually-specified firewall configuration is not considered to be covered by these criteria.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | ||
{{hidden|header=References|content= | {{hidden|header=References|content= | ||
| Line 32: | Line 64: | ||
==== SELinux configuration ==== | ==== SELinux configuration ==== | ||
Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode. | Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode. | ||
{{hidden|header=References|content= | |||
* Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | |||
* Test case: TODO | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|cockpit-management-interface}} | |||
==== Cockpit management interface ==== | |||
Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (XX). | |||
{{hidden|header=References|content= | |||
* Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | |||
* Test case: TODO | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|server-role-requirements}} | |||
=== <span style="text-decoration:underline">Server Role requirements</span> === | |||
The requirements in this section are understood to cover the behaviour of both supported roles themselves and the server role framework they use. ''Supported roles'' are defined as the roles promoted as supported in the Fedora Server release under test. | |||
{{anchor|role-deployment}} | |||
==== Role deployment ==== | |||
It must be possible to deploy supported roles successfully both at initial deployment time (during installation, or via a tool running on first boot after install, or both) and post-install. | |||
{{hidden|header=Successful deployment|content="Successful" deployment consists of installing the correct set of default packages for the role, and performing initial configuration of the role, including appropriate firewall configuration for network-accessible roles.|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{hidden|header=References|content= | |||
* Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | |||
* Test case: TODO | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|role-service-query}} | |||
==== Role service query ==== | |||
It must be possible to query supported roles for a list of services provided by the role, including information as to which are running and/or enabled. | |||
{{hidden|header=References|content= | |||
* Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | |||
* Test case: TODO | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|role-firewall-configuration}} | |||
==== Role firewall configuration ==== | |||
It must be possible to query supported roles for a list of network ports the role operates on, and whether those ports are firewalled. It must be possible to open and close these ports using the server role interface. | |||
{{hidden|header=References|content= | |||
* Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | |||
* Test case: TODO | |||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |||
{{anchor|role-functional-requirements}} | |||
==== Role functional requirements ==== | |||
Supported roles must meet their functional requirements, as defined in their role specification documents. | |||
{{hidden|header=References|content= | {{hidden|header=References|content= | ||
* Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | * Part of [https://lists.fedoraproject.org/pipermail/server/2014-June/001198.html initial Server release criteria proposal], 2014-06-06 | ||
* Test case: TODO | * Test case: TODO | ||
|headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | |headerstyle=background:#e5e5e5|fw1=normal|ta1=left}} | ||
Latest revision as of 21:33, 26 June 2014
Scripted user creation
The scripted installation mechanism must provide a working function for creating local user accounts, including the ability to specify a hashed password, and for specifying a hashed password for the root account.
- Part of Server release criteria drafts, added after initial proposal
- Test case: TODO
Remote authentication
It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain.
The install-time capability is not required to be interactive (i.e. it is acceptable for it to be possible by kickstart only).
This criterion is understood to mandate that there must be no requirement for a local user account to be created during install or first boot of a Server system.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Post-install requirements
Expected installed system boot behavior
- A working mechanism to create a user account must be clearly presented during installation and/or first boot of the installed system.
- Assuming no graphical desktop is installed, the installed system must boot to a state where it is possible to log in through at least one of the default virtual consoles.
In all of the above cases, if any system partitions were encrypted as part of the installation, the boot process must prompt for the passphrase(s) and correctly unlock the partition(s) when provided with the correct passphrase(s).
In all of the above cases, the boot should proceed without any unexpected user intervention being required.
System-specific bugs don't necessarily constitute an infringement of this criterion - for instance, if the system fails to boot because of a bug in the support some specific system's hardware, that is unlikely to constitute a violation unless the system is an extremely popular one. See Blocker_Bug_FAQ for more discussion of this.
These criteria can be used to cover known severe issues in applying post-release updates. For instance, if there was a bug that meant the system would install and boot fine but would break as soon as the user ran 'yum update', that may well be covered by these criteria.
On the first boot after installation, a utility for creating user accounts and other configuration may (may, not must) run prior to a log in screen appearing.
- Requirement for graphical installs to boot to desktop was in original Fedora 13 criteria revision.
- Changes to cover non-graphical installs were proposed 2010-08-12, implemented 2010-08-16.
- Changes to cover firstboot were proposed 2011-03-17, implemented 2011-03-29.
- Change to stop requiring text mode firstboot to work was proposed 2011-08-08, implemented 2011-08-17.
- Wording was simplified and clarified as part of the major Fedora 19 criteria revision.
- Change to reflect F19 firstboot->initial-setup/gnome-initial-setup migration and anaconda user creation proposed 2013-07-18, implemented 2013-07-24.
- Separated into per-Product variations as part of the Fedora.next Product split between Fedora 20 and Fedora 21, with only parts relevant to each Product included in each Product's criteria.
- Test cases:
System log forwarding
It must be possible to forward system logs between two systems running the release, using rsyslog.
This criterion assumes a working network connection between the machines, appropriate firewall configuration, and a fairly straightforward rsyslog configuration. A more exotic configuration failing is unlikely to be considered a violation of this criterion.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Firewall configuration
After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces. The only ports which may be open to incoming traffic are port 22 (ssh), port XX (Cockpit web interface), and any ports associated with server Roles selected during installation. Supported install-time firewall configuration options must work correctly.
To explain the last part of this criterion - it is possible to include firewall configuration options in a kickstart-driven installation, and the criterion requires that those options work as expected. The options considered to be 'supported' are those documented at Anaconda/Kickstart#firewall. The case of a conflict between role-specified and manually-specified firewall configuration is not considered to be covered by these criteria.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
SELinux configuration
Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Cockpit management interface
Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (XX).
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Server Role requirements
The requirements in this section are understood to cover the behaviour of both supported roles themselves and the server role framework they use. Supported roles are defined as the roles promoted as supported in the Fedora Server release under test.
Role deployment
It must be possible to deploy supported roles successfully both at initial deployment time (during installation, or via a tool running on first boot after install, or both) and post-install.
"Successful" deployment consists of installing the correct set of default packages for the role, and performing initial configuration of the role, including appropriate firewall configuration for network-accessible roles.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Role service query
It must be possible to query supported roles for a list of services provided by the role, including information as to which are running and/or enabled.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Role firewall configuration
It must be possible to query supported roles for a list of network ports the role operates on, and whether those ports are firewalled. It must be possible to open and close these ports using the server role interface.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO
Role functional requirements
Supported roles must meet their functional requirements, as defined in their role specification documents.
- Part of initial Server release criteria proposal, 2014-06-06
- Test case: TODO