diff --git a/.gitignore b/.gitignore index 38075bbf..c86a33c3 100644 --- a/.gitignore +++ b/.gitignore @@ -75,3 +75,6 @@ tmp/ # Developer symlinks helm-toolkit + +# VScode IDE +.vscode diff --git a/charts/etcdctl-utility/Chart.yaml b/charts/etcdctl-utility/Chart.yaml index bdcbf4f9..5eb8d502 100644 --- a/charts/etcdctl-utility/Chart.yaml +++ b/charts/etcdctl-utility/Chart.yaml @@ -13,4 +13,4 @@ apiVersion: v1 description: etcdctl Client name: etcdctl-utility -version: 0.1.0 +version: 0.1.1 diff --git a/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml b/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml index 6eaaf508..153d3737 100644 --- a/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml +++ b/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml @@ -131,6 +131,7 @@ spec: command: - /tmp/bootstrap.sh volumeMounts: +{{- if .Values.manifests.secret_certificates }} - name: etcdctl-etcd-secrets mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }} subPath: tls.ca @@ -143,6 +144,7 @@ spec: mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }} subPath: tls.key readOnly: true +{{- end }} - name: etcdctl-utility-bin-utilscli mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh @@ -203,10 +205,12 @@ spec: configMap: name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }} defaultMode: 0755 +{{- if .Values.manifests.secret_certificates }} - name: etcdctl-etcd-secrets secret: secretName: etcdctl-etcd-secrets defaultMode: 0444 +{{- end }} {{- if .Values.pod.mounts.etcd.container.etcdctl_utility.volumes }} {{ .Values.pod.mounts.etcd.container.etcdctl_utility.volumes | toYaml | indent 8 }} {{- end }} diff --git a/charts/etcdctl-utility/values.yaml b/charts/etcdctl-utility/values.yaml index 719d009a..0441a08e 100644 --- a/charts/etcdctl-utility/values.yaml +++ b/charts/etcdctl-utility/values.yaml 
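Review bot: The `etcdctl-etcd-secrets` volume wrapped by the new `secret_certificates` guard (hunk at -203,10) is still projected with `defaultMode: 0444`, which leaves `tls.key` readable by every UID in the container. Since this block is being touched anyway, a tighter mode such as `defaultMode: 0440`, paired with an `fsGroup` that matches the etcdctl user, would keep the client key away from other processes. Whether the pod already sets a suitable `fsGroup` is not visible in these hunks, so confirm that before changing the mode.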
@@ -246,4 +246,4 @@ manifests: configmap_etc_sudoers: true deployment_etcdctl_utility: true job_image_repo_sync: false - secret_certificates: true + secret_certificates: false diff --git a/charts/mysqlclient-utility/Chart.yaml b/charts/mysqlclient-utility/Chart.yaml index 6ce50bea..59cf868a 100644 --- a/charts/mysqlclient-utility/Chart.yaml +++ b/charts/mysqlclient-utility/Chart.yaml @@ -13,4 +13,4 @@ apiVersion: v1 description: Porthole MySql Client name: mysqlclient-utility -version: 0.1.0 +version: 0.1.1 diff --git a/charts/mysqlclient-utility/templates/bin/utility/_dbutils.tpl b/charts/mysqlclient-utility/templates/bin/utility/_dbutils.tpl index 61791a74..b915841c 100755 --- a/charts/mysqlclient-utility/templates/bin/utility/_dbutils.tpl +++ b/charts/mysqlclient-utility/templates/bin/utility/_dbutils.tpl @@ -110,7 +110,7 @@ function ensure_ondemand_pod_exists() { CONTAINERS=$(echo "$POD_LISTING" | awk '{print $2}') # There should only ever be one ondemand pod existing at any time, so if # we find any which are not ready remove them, even if completed. - if [[ $STATUS != "Running" || $CONTAINERS != "1/1" ]]; then + if [[ $STATUS != "Running" || $CONTAINERS != "2/2" ]]; then echo "Found an old on-demand pod; removing it." remove_job "$NAMESPACE" "$ONDEMAND_JOB" if [[ $? -ne 0 ]]; then diff --git a/charts/mysqlclient-utility/templates/bin/utility/_mariadb_ondemand_job.sh.tpl b/charts/mysqlclient-utility/templates/bin/utility/_mariadb_ondemand_job.sh.tpl index d2c916c9..bf2cf9db 100644 --- a/charts/mysqlclient-utility/templates/bin/utility/_mariadb_ondemand_job.sh.tpl +++ b/charts/mysqlclient-utility/templates/bin/utility/_mariadb_ondemand_job.sh.tpl 
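Review bot: Flipping the default of `manifests.secret_certificates` to `false` means an upgrade from chart 0.1.0 to 0.1.1 with unchanged overrides stops mounting the etcd client CA, certificate and key into the utility pod, because the deployment template in this commit gates those mounts on the same flag. That is a behaviour change for anyone relying on the old default, and nothing in the hunk documents it. A comment above the key, for example `# Set to true to mount the etcd client TLS secret (etcdctl-etcd-secrets) into the pod`, plus a release-note line would make the opt-in explicit.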
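Review bot: The readiness test in `_dbutils.tpl` now hard-codes `"2/2"`, so it silently depends on the on-demand pod having exactly two containers; if the pod template gains or loses one, a healthy pod is treated as stale and removed. At minimum add a comment naming the two expected containers, e.g. `# 2/2 = mariadb-ondemand + mariadb-verify-server; keep in sync with _mariadb_ondemand_job.sh.tpl`. `ensure_ondemand_pod_exists` starts and ends outside this hunk, so how `POD_LISTING` is produced is not visible here.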
@@ -9,7 +9,8 @@ if [[ $MARIADB_POD_NAMESPACE == "" ]]; then fi export MARIADB_CONF_SECRET={{ $envAll.Values.conf.mariadb_backup_restore.secrets.conf_secret }} -export MARIADB_IMAGE_NAME=$(kubectl get cronjob -n ${MARIADB_POD_NAMESPACE} mariadb-backup -o yaml -o jsonpath="{range .spec.jobTemplate.spec.template.spec.containers[*]}{.image}{'\n'}{end}" | grep mysqlclient-utility) +export MARIADB_IMAGE_NAME=$(kubectl get cronjob -n ${MARIADB_POD_NAMESPACE} mariadb-backup -o yaml -o jsonpath="{range .spec.jobTemplate.spec.template.spec.containers[*]}{.image}{'\n'}{end}" | grep mariadb) +export MYSQLCLIENT_UTILTIY_IMAGE_NAME=$(kubectl get cronjob -n ${MARIADB_POD_NAMESPACE} mariadb-backup -o yaml -o jsonpath="{range .spec.jobTemplate.spec.template.spec.containers[*]}{.image}{'\n'}{end}" | grep mysqlclient-utility) export MARIADB_BACKUP_BASE_PATH=$(kubectl get secret -n ${MARIADB_POD_NAMESPACE} ${MARIADB_CONF_SECRET} -o json | jq -r .data.BACKUP_BASE_PATH | base64 -d) MARIADB_REMOTE_BACKUP_ENABLED=$(kubectl get secret -n ${MARIADB_POD_NAMESPACE} ${MARIADB_CONF_SECRET} -o json | jq -r .data.REMOTE_BACKUP_ENABLED | base64 -d) export MARIADB_REMOTE_BACKUP_ENABLED=$(echo $MARIADB_REMOTE_BACKUP_ENABLED | sed 's/"//g') @@ -19,6 +20,11 @@ if [[ $MARIADB_IMAGE_NAME == "" ]]; then exit 1 fi +if [[ $MYSQLCLIENT_UTILTIY_IMAGE_NAME == "" ]]; then + echo "Cannot find the utility image for populating MYSQLCLIENT_UTILTIY_IMAGE_NAME variable." + exit 1 +fi + export TMP_FILE=$(mktemp -p /tmp) if ! kubectl -n ${MARIADB_POD_NAMESPACE} --no-headers=true get secret {{ $envAll.Values.conf.mariadb_backup_restore.secrets.tls_secret }} > /dev/null 2>&1 ; then 
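Review bot: Both image variables are picked with an unanchored `grep` over the cronjob's container images, so the result depends on substrings of the image reference: if a mirror or registry path makes both references contain `mariadb`, `MARIADB_IMAGE_NAME` ends up holding two lines. The values are later substituted into `image:` fields, including the `ondemand-perms` and `verify-perms` init containers that run as UID 0, so it is safer to select by container name in the jsonpath filter and to check that exactly one line came back, not only that the result is non-empty. The cronjob is also fetched twice with a redundant `-o yaml -o jsonpath=...`; one call stored in a variable would do. `MYSQLCLIENT_UTILTIY_IMAGE_NAME` is misspelled (UTILTIY); it is used consistently here, but renaming it to `MYSQLCLIENT_UTILITY_IMAGE_NAME` now avoids a silent empty expansion when someone later types it correctly.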
@@ -44,7 +50,7 @@ spec: metadata: annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} -{{ dict "envAll" $envAll "podName" "mariadb-ondemand" "containerNames" (list "ondemand-perms" "mariadb-ondemand" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} +{{ dict "envAll" $envAll "podName" "mariadb-ondemand" "containerNames" (list "ondemand-perms" "mariadb-verify-server" "mariadb-ondemand" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} labels: {{ tuple $envAll "mariadb-ondemand" "ondemand" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: @@ -54,7 +60,7 @@ spec: {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }} initContainers: - name: ondemand-perms - image: ${MARIADB_IMAGE_NAME} + image: ${MYSQLCLIENT_UTILTIY_IMAGE_NAME} {{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_ondemand | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "ondemand_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: 
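Review bot: The `containerNames` list passed to the mandatory-access-control snippet gains `mariadb-verify-server` but not the `verify-perms` init container that this commit adds to the same pod, so that container presumably gets no AppArmor annotation even though values.yaml runs it as UID 0. Adding it to the list, `(list "ondemand-perms" "verify-perms" "mariadb-verify-server" "mariadb-ondemand")`, together with a matching profile entry under the `mariadb-ondemand` pod key in values.yaml, would keep every container in the pod covered. How the helm-toolkit snippet treats a name without a profile is not visible here, so confirm against the rendered annotations.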
@@ -67,14 +73,30 @@ spec: name: pod-tmp - mountPath: ${MARIADB_BACKUP_BASE_PATH} name: mariadb-backup-dir + - name: verify-perms + image: ${MYSQLCLIENT_UTILTIY_IMAGE_NAME} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_ondemand | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "verify_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - chown + - -R + - "65534:65534" + - /var/lib/mysql + volumeMounts: + - mountPath: /tmp + name: pod-tmp + - mountPath: /var/lib/mysql + name: mysql-data containers: - name: mariadb-ondemand - image: ${MARIADB_IMAGE_NAME} + image: ${MYSQLCLIENT_UTILTIY_IMAGE_NAME} {{ tuple $envAll $envAll.Values.pod.resources.jobs.mariadb_ondemand | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_ondemand" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} - command: - - /bin/sleep - - "1000000" + command: ["/bin/sh"] + args: + - -c + - >- + /bin/sleep "1000000" env: - name: MARIADB_BACKUP_BASE_DIR valueFrom: 
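Review bot: The new `verify-perms` init container runs `chown -R` as root (its security context in values.yaml sets `runAsUser: 0`) and mounts `pod-tmp` at `/tmp` in addition to `mysql-data`, although the command only touches `/var/lib/mysql`. Dropping the `/tmp` mount limits the root container's writable surface to the one volume it needs; `pod-tmp` is otherwise shared with the containers that run as 65534. Separately, replacing the exec-form `/bin/sleep` with `/bin/sh -c` puts a shell between the runtime and `sleep` without a visible reason; if the wrapper is intentional, a one-line comment saying why would help.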
@@ -216,9 +238,49 @@ if $TLS_ENABLED; then {{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }} {{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }} {{- end }} + - name: mariadb-verify-server + image: ${MARIADB_IMAGE_NAME} +{{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_verify_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.mariadb_verify_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: MYSQL_HISTFILE + value: /dev/null + command: + - /tmp/start_verification_server.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: var-run + mountPath: /var/run/mysqld + - name: mycnfd + mountPath: /etc/mysql/conf.d + - name: mariadb-etc + mountPath: /etc/mysql/my.cnf + subPath: my.cnf + readOnly: true + - name: mariadb-secrets + mountPath: /etc/mysql/admin_user.cnf + subPath: admin_user.cnf + readOnly: true + - name: mysql-data + mountPath: /var/lib/mysql + - name: mariadb-bin + mountPath: /tmp/start_verification_server.sh + subPath: start_verification_server.sh + readOnly: true volumes: - name: pod-tmp emptyDir: {} + - name: mycnfd + emptyDir: {} + - name: var-run + emptyDir: {} + - name: mariadb-etc + configMap: + name: mariadb-etc + defaultMode: 0444 + - name: mysql-data + emptyDir: {} - name: mariadb-secrets secret: secretName: mariadb-secrets 
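Review bot: The `mariadb-verify-server` container reads its resources from `$envAll.Values.pod.resources.mariadb_verify_server`, but the values.yaml hunk in this commit adds the new requests/limits under the key `server`, so the lookup appears to resolve to nothing and those limits would not be applied. Either point the template at the key that exists or rename the values key to `mariadb_verify_server:`. The container also mounts a `mariadb-bin` volume that is not among the volumes added here; the `volumes:` list continues outside the hunk, so confirm it is declared. The same block is duplicated in the non-TLS branch (hunk at -268,9), where both points apply as well.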
@@ -268,9 +330,49 @@ else {{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }} {{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }} {{- end }} + - name: mariadb-verify-server + image: ${MARIADB_IMAGE_NAME} +{{ dict "envAll" $envAll "application" "mariadb_ondemand" "container" "mariadb_verify_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.mariadb_verify_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: MYSQL_HISTFILE + value: /dev/null + command: + - /tmp/start_verification_server.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: var-run + mountPath: /var/run/mysqld + - name: mycnfd + mountPath: /etc/mysql/conf.d + - name: mariadb-etc + mountPath: /etc/mysql/my.cnf + subPath: my.cnf + readOnly: true + - name: mariadb-secrets + mountPath: /etc/mysql/admin_user.cnf + subPath: admin_user.cnf + readOnly: true + - name: mysql-data + mountPath: /var/lib/mysql + - name: mariadb-bin + mountPath: /tmp/start_verification_server.sh + subPath: start_verification_server.sh + readOnly: true volumes: - name: pod-tmp emptyDir: {} + - name: mycnfd + emptyDir: {} + - name: var-run + emptyDir: {} + - name: mariadb-etc + configMap: + name: mariadb-etc + defaultMode: 0444 + - name: mysql-data + emptyDir: {} - name: mariadb-secrets secret: secretName: mariadb-secrets diff --git a/charts/mysqlclient-utility/values.yaml b/charts/mysqlclient-utility/values.yaml index 1a678563..83189dbb 100644 --- a/charts/mysqlclient-utility/values.yaml +++ b/charts/mysqlclient-utility/values.yaml @@ -19,6 +19,7 @@ release_group: null images: tags: + mariadb: docker.io/openstackhelm/mariadb:latest-ubuntu_focal mysqlclient_utility: 'quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic' image_repo_sync: docker.io/docker:18.09.02 pull_policy: IfNotPresent 
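Review bot: The new `mariadb` entry in values.yaml, `docker.io/openstackhelm/mariadb:latest-ubuntu_focal`, is a floating tag, so the image behind it can change without any change to this chart, and with `pull_policy: IfNotPresent` different nodes can end up running different builds under the same name. Pinning to a dated tag or a digest (`<image>@sha256:<digest>`) would make the deployment reproducible; the neighbouring `mysqlclient_utility` entry follows the same pattern. The on-demand job script in this commit derives the server image from the `mariadb-backup` cronjob rather than from this key, so a comment saying what consumes `images.tags.mariadb` would help. The value is also unquoted while the next entry is single-quoted.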
@@ -49,10 +50,17 @@ pod: ondemand_perms: runAsUser: 0 readOnlyRootFilesystem: true + verify_perms: + runAsUser: 0 + readOnlyRootFilesystem: true mariadb_ondemand: runAsUser: 65534 readOnlyRootFilesystem: true allowPrivilegeEscalation: false + mariadb_verify_server: + runAsUser: 65534 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false mounts: mysqlclient: container: @@ -83,6 +91,8 @@ pod: default: kubernetes.io/hostname mandatory_access_control: type: apparmor + mariadb-verify-server: + mariadb-verify-server: runtime/default mysqlclient-utility: mysqlclient-utility: runtime/default mariadb-ondemand: @@ -97,6 +107,13 @@ pod: limits: memory: "250Mi" cpu: "500m" + server: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" jobs: bootstrap: limits: diff --git a/docs/source/conf.py b/docs/source/conf.py index f15273c2..b6dfc108 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -41,7 +41,7 @@ release = u'0.1.0' # # This is also used if you do content translation via gettext catalogs. # Usually you set "language" from the command line for these cases. -language = None +language = "en" # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. diff --git a/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py b/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py index 053fb1fc..1b5f551f 100644 --- a/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py +++ b/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py @@ -16,6 +16,8 @@ import unittest from kube_utility_container.tests.utility.base import TestBase +import warnings + class TestPostgresqlUtilityContainer(TestBase): @classmethod def setUpClass(cls): 
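Review bot: `verify_perms` is given `runAsUser: 0` but, unlike the two non-root entries next to it, does not set `allowPrivilegeEscalation: false`, and no capabilities are dropped. A recursive `chown` on a fresh volume should need little beyond `CHOWN`, so adding `allowPrivilegeEscalation: false` and a `capabilities` block that drops `ALL` and adds back only what the command needs would bound what the root init container can do. The existing `ondemand_perms` entry has the same gap. Confirm that the helm-toolkit security-context snippet passes a `capabilities` map through, which is not visible here.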
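Review bot: In the `mandatory_access_control` hunk, the AppArmor profile for the new container is added under its own top-level key, `mariadb-verify-server: mariadb-verify-server: runtime/default`, while the job template asks the annotation snippet for pod name `mariadb-ondemand`. If the snippet looks profiles up by pod name first, which the existing `mariadb-ondemand:` entry suggests, the new container gets no profile. The entry probably belongs inside the `mariadb-ondemand:` map, alongside one for `verify-perms`. That map continues outside the hunk.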
@@ -39,6 +41,7 @@ class TestPostgresqlUtilityContainer(TestBase): def test_verify_postgresql_utility_pod_logs(self): """To verify postgresql-utility pod logs""" + warnings.filterwarnings(action="ignore", message="unclosed", category=ResourceWarning) date_1 = (self.client.exec_cmd( self.deployment_name, ['date', '+%Y-%m-%d %H'])).replace('\n','') diff --git a/requirements-frozen.txt b/requirements-frozen.txt index a4dc7d30..5cb800a6 100644 --- a/requirements-frozen.txt +++ b/requirements-frozen.txt @@ -16,8 +16,8 @@ idna==2.10 importlib-metadata==3.3.0 importlib-resources==3.3.0 iso8601==0.1.13 -kubeconfig==1.0.1 -kubernetes==10.0.1 +kubeconfig==1.1.1 +kubernetes==23.6.0 linecache2==1.0.0 monotonic==1.5 msgpack==1.0.1 @@ -42,13 +42,13 @@ python-dateutil==2.8.1 python-mimeparse==1.6.0 python-subunit==1.4.0 pytz==2020.4 -PyYAML==5.3.1 +PyYAML==5.4.1 requests==2.25.0 requests-oauthlib==1.3.0 rfc3986==1.4.0 rsa==4.6 six==1.15.0 -stestr==3.1.0 +stestr==3.2.1 stevedore==3.3.0 testtools==2.4.0 traceback2==1.4.0 diff --git a/requirements.txt b/requirements.txt index 15cbd6e7..64ca04a6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,9 +4,9 @@ # When modifying this file `tox -e freeze-req` must be run to regenerate the requirements-frozen.txt. coverage==4.5.1 -kubeconfig==1.0.1 -kubernetes==10.0.1 +kubeconfig==1.1.1 +kubernetes==23.6.0 oslo.config==6.7.0 # Apache-2.0 oslo.log==3.40.1 # Apache-2.0 pbr==3.1.1 -stestr==3.1.0 # Apache-2.0 +stestr==3.2.1 # Apache-2.0 diff --git a/tools/deployment/000-install-packages.sh b/tools/deployment/000-install-packages.sh index 76f6aab9..19efffd1 100755 --- a/tools/deployment/000-install-packages.sh +++ b/tools/deployment/000-install-packages.sh 
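Review bot: Calling `warnings.filterwarnings(...)` inside the test body changes the process-wide warning filters, so `ResourceWarning`s about unclosed resources stay hidden for whatever runs afterwards and the underlying unclosed socket or file is left in place. Scoping the filter with `with warnings.catch_warnings():` around the calls that trigger it, or closing the client in a class-level teardown, keeps the suppression local. The `import warnings` added in the earlier hunk also sits after the project import; standard-library imports normally go in the first group with `unittest`. The test method continues outside this hunk.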
@@ -4,7 +4,9 @@ set -xe cd ${INSTALL_PATH} # Clone dependencies +rm -rf openstack-helm-infra +rm -rf openstack-helm git clone https://opendev.org/openstack/openstack-helm-infra.git git clone https://opendev.org/openstack/openstack-helm.git # Install Packages -bash -c "./openstack-helm-infra/tools/deployment/common/000-install-packages.sh" \ No newline at end of file +bash -c "./openstack-helm-infra/tools/deployment/common/000-install-packages.sh" diff --git a/tools/deployment/002-build-helm-toolkit.sh b/tools/deployment/002-build-helm-toolkit.sh new file mode 100755 index 00000000..5a7d2446 --- /dev/null +++ b/tools/deployment/002-build-helm-toolkit.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +CURRENT_DIR="$(pwd)" +: "${PORTHOLE_PATH:="../porthole"}" + +cd "${PORTHOLE_PATH}" || exit +sudo echo 127.0.0.1 localhost /etc/hosts + +BUILD_DIR=$(mktemp -d) +HELM=${BUILD_DIR}/helm +HELM_PIDFILE=${CURRENT_DIR}/.helm-pid + +rm -rf build +rm -f charts/*.tgz +rm -f charts/*/requirements.lock +rm -rf charts/*/charts + +./tools/helm_install.sh ${HELM} +./tools/helm_tk.sh ${HELM} ${HELM_PIDFILE} + + diff --git a/tools/deployment/002-deploy-k8s.sh b/tools/deployment/002-deploy-k8s.sh deleted file mode 100755 index f968ffac..00000000 --- a/tools/deployment/002-deploy-k8s.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -CURRENT_DIR="$(pwd)" -: "${OSH_INFRA_PATH:="../openstack-helm-infra"}" - -cd "${OSH_INFRA_PATH}" -bash -c "./tools/deployment/common/005-deploy-k8s.sh" \ No newline at end of file diff --git a/tools/deployment/003-deploy-k8s.sh b/tools/deployment/003-deploy-k8s.sh new file mode 100755 index 00000000..1a6591cd --- /dev/null +++ b/tools/deployment/003-deploy-k8s.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +CURRENT_DIR="$(pwd)" +: "${OSH_INFRA_PATH:="../openstack-helm-infra"}" + +./helm serve +curl -i http://localhost:8879/charts/ + +cd "${OSH_INFRA_PATH}" +bash -c "./tools/deployment/common/005-deploy-k8s.sh" + +kubectl create namespace utility + + +curl -i http://localhost:8879/charts/ 
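Review bot: The added `rm -rf openstack-helm-infra` and `rm -rf openstack-helm` run relative to wherever `cd ${INSTALL_PATH}` lands, and with the variable unset or empty that `cd` still succeeds and leaves the script in an unintended directory. A guard such as `: "${INSTALL_PATH:?INSTALL_PATH must be set}"` followed by `cd "${INSTALL_PATH}"` makes the deletion target explicit. The two clones also track the default branch and the script then executes `000-install-packages.sh` from the fresh checkout, so pinning a ref (`git clone --branch <ref>`) would keep the gate reproducible.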
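Review bot: In 002-build-helm-toolkit.sh, `sudo echo 127.0.0.1 localhost /etc/hosts` only prints the three words; nothing is written to `/etc/hosts` because there is no redirection, and a plain `>>` would not run under sudo anyway. If the intent is to append the entry, `echo "127.0.0.1 localhost" | sudo tee -a /etc/hosts` does that, ideally behind a `grep -q` so reruns do not duplicate it. The script also has no `set -e`, so a failing `helm_install.sh` is followed by `helm_tk.sh` regardless, and `${HELM}` and `${HELM_PIDFILE}` are expanded unquoted. `BUILD_DIR` from `mktemp -d` is never removed.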
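Review bot: In 003-deploy-k8s.sh, `./helm serve` is started in the foreground, so unless `./helm` is a wrapper that daemonizes, the script blocks there and never reaches the `curl` or the Kubernetes deployment. It also assumes a `helm` binary in the current directory, whereas 002-build-helm-toolkit.sh installs it under a `mktemp -d` directory. If a local chart repository is needed, start it in the background and wait for the port, or rely on the one `helm_tk.sh` may already manage through the pidfile it is given. The script lacks `set -e`, so a failed `kubectl create namespace utility` goes unnoticed.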
diff --git a/tools/gate/deploy.sh b/tools/gate/deploy.sh
new file mode 100755
index 00000000..29bf4c24
--- /dev/null
+++ b/tools/gate/deploy.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -ex
+
+./tools/deployment/000-install-packages.sh
+./tools/deployment/002-build-helm-toolkit.sh
+./tools/deployment/003-deploy-k8s.sh
+./tools/deployment/005-calicoctl-utility.sh
+./tools/deployment/010-ceph-utility.sh
+./tools/deployment/020-compute-utility.sh
+./tools/deployment/030-etcdctl-utility.sh
+./tools/deployment/040-mysqlclient-utility.sh
+./tools/deployment/050-openstack-utility.sh
+./tools/deployment/060-postgresql-utility.sh
+sleep 30
diff --git a/tools/gate/playbooks/osh-infra-upgrade-host.yaml b/tools/gate/playbooks/osh-infra-upgrade-host.yaml
new file mode 100644
index 00000000..076d0ffc
--- /dev/null
+++ b/tools/gate/playbooks/osh-infra-upgrade-host.yaml
@@ -0,0 +1,55 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ gather_facts: False
+ become: yes
+ roles:
+ - deploy-python
+ tags:
+ - deploy-python
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ gather_facts: True
+ become: yes
+ roles:
+ - upgrade-host
+ - start-zuul-console
+ - disable-local-nameserver
+ - setup-firewall
+ tags:
+ - upgrade-host
+ - start-zuul-console
+ - disable-local-nameserver
+ - setup-firewall
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}/{{ zuul_osh_infra_relative_path | default('') }}"
+ gather_facts: False
+ become: yes
+ roles:
+ - deploy-apparmor
+ tags:
+ - deploy-apparmor
+...
diff --git a/tools/gate/playbooks/roles/deploy-apparmor/tasks/main.yaml b/tools/gate/playbooks/roles/deploy-apparmor/tasks/main.yaml
new file mode 100644
index 00000000..d00e7c8a
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-apparmor/tasks/main.yaml
@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- block:
+ - name: ensuring AppArmor is deployed on host
+ when: ansible_distribution == 'Ubuntu'
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - apparmor
+
+ - name: "Enable AppArmor"
+ when: ansible_distribution == 'Ubuntu'
+ become: true
+ become_user: root
+ shell: |-
+ set -xe
+ systemctl enable apparmor
+ systemctl start apparmor
+ systemctl status apparmor.service
+ args:
+ executable: /bin/bash
+ ignore_errors: True
+...
diff --git a/tools/gate/playbooks/roles/deploy-docker/defaults/main.yml b/tools/gate/playbooks/roles/deploy-docker/defaults/main.yml
new file mode 100644
index 00000000..b1a6fabd
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-docker/defaults/main.yml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+proxy:
+ http: null
+ https: null
+ noproxy: null
+...
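Review bot: The `Enable AppArmor` task in deploy-apparmor/tasks/main.yaml ends with `ignore_errors: True`, so a host where `systemctl enable` or `systemctl start apparmor` fails still passes this role, and the charts' `runtime/default` AppArmor annotations are then exercised on a node where the module may not be active. For a gate that is meant to check those profiles it is safer to let the task fail, or to register the result and fail explicitly on Ubuntu. The `block:` wrapper has no `rescue` or `always` and adds nothing, so the two tasks can sit at the top level. Booleans are better written `true`/`false` than `True`.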
diff --git a/tools/gate/playbooks/roles/deploy-docker/tasks/deploy-ansible-docker-support.yaml b/tools/gate/playbooks/roles/deploy-docker/tasks/deploy-ansible-docker-support.yaml
new file mode 100644
index 00000000..3bba2153
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-docker/tasks/deploy-ansible-docker-support.yaml
@@ -0,0 +1,70 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: ensuring SELinux is disabled on centos & fedora + when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Fedora' + become: true + become_user: root + command: setenforce 0 + ignore_errors: True + +# NOTE(portdirect): See https://ask.openstack.org/en/question/110437/importerror-cannot-import-name-unrewindablebodyerror/ +- name: fix docker removal issue with ansible's docker_container on centos + when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' + block: + - name: remove requests and urllib3 distro packages to fix docker removal issue with ansible's docker_container on centos + include_role: + name: deploy-package + tasks_from: dist + vars: + state: absent + packages: + rpm: + - python-urllib3 + - python-requests + - name: restore requests and urllib3 distro packages to fix docker removal issue with ansible's docker_container on centos + include_role: + name: deploy-package + tasks_from: dist + vars: + state: present + packages: + rpm: + - python-urllib3 + - python-requests + +- name: install additional packages + include_role: + name: deploy-package + tasks_from: dist + vars: + state: present + packages: + deb: + - conntrack + - bc + - nmap + - ethtool + rpm: + - conntrack-tools + - bc + - nmap + +- name: Ensure docker python packages deployed + include_role: + name: deploy-package + 
tasks_from: pip + vars: + packages: + - docker +... diff --git a/tools/gate/playbooks/roles/deploy-docker/tasks/main.yaml b/tools/gate/playbooks/roles/deploy-docker/tasks/main.yaml new file mode 100644 index 00000000..d0ad154d --- /dev/null +++ b/tools/gate/playbooks/roles/deploy-docker/tasks/main.yaml 
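Review bot: The first task of deploy-ansible-docker-support.yaml runs `setenforce 0` with `ignore_errors: True`, which switches SELinux to permissive on the host for the rest of the job without recording whether it worked. If the role is only ever applied to throwaway CI nodes, say so above the task, e.g. `# CI-only: gate nodes are disposable; do not reuse this role on long-lived hosts`; otherwise prefer fixing the labels Docker needs. `ansible_distribution` reports RHEL as `RedHat`, so the `'Red Hat Enterprise Linux'` comparisons here never match; the same string is used in deploy-docker/tasks/main.yaml, deploy-jq/tasks/main.yaml and deploy-package/tasks/dist.yaml. The `install additional packages` task also puts `nmap` on every node; if nothing in the gate uses it, leave it out.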
@@ -0,0 +1,80 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: setting default limit memlock + shell: | + set -xe; + echo "DefaultLimitMEMLOCK=16777216" | sudo tee -a /etc/systemd/system.conf + sudo systemctl daemon-reexec + sudo systemctl daemon-reload + +- name: check if docker deploy is needed + raw: which docker + register: need_docker + ignore_errors: True + +- name: centos | moving systemd unit into place + when: ( ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' ) and ( need_docker is failed ) + template: + src: centos-docker.service.j2 + dest: /etc/systemd/system/docker.service + mode: 416 + +- name: fedora | moving systemd unit into place + when: ( ansible_distribution == 'Fedora' ) and ( need_docker is failed ) + template: + src: fedora-docker.service.j2 + dest: /etc/systemd/system/docker.service + mode: 416 + +- name: ubuntu | moving systemd unit into place + when: ( ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' ) and ( need_docker is failed ) + template: + src: ubuntu-docker.service.j2 + dest: /etc/systemd/system/docker.service + mode: 416 + +# NOTE: (lamt) Setting up the proxy before installing docker +- name: ensure docker.service.d directory exists + when: proxy.http + file: + path: /etc/systemd/system/docker.service.d + state: directory + +- name: proxy | moving proxy systemd unit into place + when: proxy.http + template: + src: http-proxy.conf.j2 + dest: 
/etc/systemd/system/docker.service.d/http-proxy.conf + mode: 416 + +- name: deploy docker packages + when: need_docker is failed + include_role: + name: deploy-package + tasks_from: dist + vars: + packages: + deb: + - docker.io + rpm: + - docker + +- name: restarting docker + systemd: + state: restarted + daemon_reload: yes + name: docker + +- include: deploy-ansible-docker-support.yaml +... diff --git a/tools/gate/playbooks/roles/deploy-docker/templates/centos-docker.service.j2 b/tools/gate/playbooks/roles/deploy-docker/templates/centos-docker.service.j2 new file mode 100644 index 00000000..bbaea27b --- /dev/null +++ b/tools/gate/playbooks/roles/deploy-docker/templates/centos-docker.service.j2 @@ -0,0 +1,35 @@ +[Unit] +Description=Docker Application Container Engine +Documentation=http://docs.docker.com +After=network.target + +[Service] +Type=notify +NotifyAccess=all +Environment=GOTRACEBACK=crash +Environment=DOCKER_HTTP_HOST_COMPAT=1 +Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin +ExecStart=/usr/bin/dockerd-current \ + --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \ + --default-runtime=docker-runc \ + --exec-opt native.cgroupdriver=systemd \ + --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \ + --seccomp-profile=/etc/docker/seccomp.json \ + --graph=/var/lib/docker \ + --storage-driver=overlay2 \ + --log-driver=json-file \ + --iptables=false +# NOTE(portdirect): fix mount propagation for CentOS, this is done post start, +# as docker seems to reset this. +ExecStartPost=/usr/bin/mount --make-rshared / +ExecReload=/bin/kill -s HUP $MAINPID +LimitNOFILE=1048576 +LimitNPROC=1048576 +LimitCORE=infinity +TimeoutStartSec=0 +Restart=on-abnormal +MountFlags=share +KillMode=process + +[Install] +WantedBy=multi-user.target 
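Review bot: The four `template` tasks in deploy-docker/tasks/main.yaml set `mode: 416`, a bare decimal that happens to equal octal 0640; Ansible accepts it, but a reader cannot tell the intended permissions, and the same habit with a value like 644 yields the wrong bits. Writing `mode: "0640"` states the intent. The first task appends `DefaultLimitMEMLOCK=16777216` to `/etc/systemd/system.conf` with `tee -a` on every run, so reruns accumulate duplicate lines; the `lineinfile` module would make it idempotent. The `docker.service.d` directory task sets no `mode` or owner, and `- include:` is deprecated in favour of `import_tasks`/`include_tasks`.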
diff --git a/tools/gate/playbooks/roles/deploy-docker/templates/fedora-docker.service.j2 b/tools/gate/playbooks/roles/deploy-docker/templates/fedora-docker.service.j2
new file mode 100644
index 00000000..2c796c6b
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-docker/templates/fedora-docker.service.j2
@@ -0,0 +1,34 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target docker-containerd.service
+Requires=docker-containerd.service
+
+[Service]
+Type=notify
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/dockerd-current \
+ --add-runtime oci=/usr/libexec/docker/docker-runc-current \
+ --default-runtime=oci \
+ --containerd /run/containerd.sock \
+ --exec-opt native.cgroupdriver=systemd \
+ --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
+ --init-path=/usr/libexec/docker/docker-init-current \
+ --seccomp-profile=/etc/docker/seccomp.json \
+ --graph=/var/lib/docker \
+ --storage-driver=overlay2 \
+ --log-driver=json-file \
+ --iptables=false
+# NOTE(portdirect): fix mount propagation for Fedora, this is done post start,
+# as docker seems to reset this.
+ExecStartPost=/usr/bin/mount --make-rshared /
+ExecReload=/bin/kill -s HUP $MAINPID
+TasksMax=8192
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/gate/playbooks/roles/deploy-docker/templates/http-proxy.conf.j2 b/tools/gate/playbooks/roles/deploy-docker/templates/http-proxy.conf.j2
new file mode 100644
index 00000000..90d8e1d5
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-docker/templates/http-proxy.conf.j2
@@ -0,0 +1,4 @@
+[Service]
+Environment="HTTP_PROXY={{ proxy.http }}"
+Environment="HTTPS_PROXY={{ proxy.https }}"
+Environment="NO_PROXY={{ proxy.noproxy }}"
diff --git a/tools/gate/playbooks/roles/deploy-docker/templates/ubuntu-docker.service.j2 b/tools/gate/playbooks/roles/deploy-docker/templates/ubuntu-docker.service.j2
new file mode 100644
index 00000000..2451b198
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-docker/templates/ubuntu-docker.service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network.target docker.socket firewalld.service
+Requires=docker.socket
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+EnvironmentFile=-/etc/default/docker
+ExecStart=/usr/bin/dockerd --iptables=false -H fd:// $DOCKER_OPTS
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/gate/playbooks/roles/deploy-jq/tasks/main.yaml b/tools/gate/playbooks/roles/deploy-jq/tasks/main.yaml
new file mode 100644
index 00000000..ed78c625
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-jq/tasks/main.yaml
@@ -0,0 +1,36 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- block:
+ - name: ensuring jq is deployed on host
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Fedora'
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - jq
+ rpm:
+ - jq
+
+ - name: installing jq 1.5 binary for centos
+ become: true
+ become_user: root
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ get_url:
+ url: https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
+ dest: /usr/bin/jq
+ mode: 365
+ force: yes
+...
diff --git a/tools/gate/playbooks/roles/deploy-package/defaults/main.yml b/tools/gate/playbooks/roles/deploy-package/defaults/main.yml
new file mode 100644
index 00000000..b1a6fabd
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-package/defaults/main.yml
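Review bot: The CentOS branch of deploy-jq downloads `jq-linux64` from a GitHub release straight to `/usr/bin/jq` as root with `force: yes` and no integrity check, so whatever the URL serves at run time becomes an executable on the host. `get_url` takes a `checksum` argument; adding `checksum: "sha256:<published digest of the jq-1.5 linux64 binary>"` pins the download. `mode: 365` is decimal for octal 0555; writing `mode: "0555"` makes the permissions readable.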
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+proxy:
+ http: null
+ https: null
+ noproxy: null
+...
diff --git a/tools/gate/playbooks/roles/deploy-package/tasks/dist.yaml b/tools/gate/playbooks/roles/deploy-package/tasks/dist.yaml
new file mode 100644
index 00000000..73939ffd
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-package/tasks/dist.yaml
@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: managing distro packages for ubuntu
+ become: true
+ become_user: root
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ vars:
+ state: present
+ apt:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages.deb }}"
+
+- name: managing distro packages for centos
+ become: true
+ become_user: root
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ vars:
+ state: present
+ yum:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages.rpm }}"
+
+- name: managing distro packages for fedora
+ become: true
+ become_user: root
+ when: ansible_distribution == 'Fedora'
+ vars:
+ state: present
+ dnf:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages.rpm }}"
+...
diff --git a/tools/gate/playbooks/roles/deploy-package/tasks/pip.yaml b/tools/gate/playbooks/roles/deploy-package/tasks/pip.yaml
new file mode 100644
index 00000000..0b2a4836
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-package/tasks/pip.yaml
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: managing pip packages
+ become: true
+ become_user: root
+ environment:
+ http_proxy: "{{ proxy.http }}"
+ https_proxy: "{{ proxy.https }}"
+ no_proxy: "{{ proxy.noproxy }}"
+ vars:
+ state: present
+ pip:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages }}"
+...
diff --git a/tools/gate/playbooks/roles/deploy-python-pip/defaults/main.yml b/tools/gate/playbooks/roles/deploy-python-pip/defaults/main.yml
new file mode 100644
index 00000000..b1a6fabd
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-python-pip/defaults/main.yml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+proxy:
+ http: null
+ https: null
+ noproxy: null
+...
diff --git a/tools/gate/playbooks/roles/deploy-python-pip/tasks/main.yaml b/tools/gate/playbooks/roles/deploy-python-pip/tasks/main.yaml
new file mode 100644
index 00000000..0be60307
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-python-pip/tasks/main.yaml
@@ -0,0 +1,55 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: check if pip installed
+ command: pip3 --version
+ register: pip_version_output
+ ignore_errors: yes
+ changed_when: false
+
+- name: ensuring python pip package is present for ubuntu
+ when: ( pip_version_output is failed ) and ( ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' )
+ apt:
+ name: python3-pip
+ state: present
+
+- name: ensuring python pip package is present for centos
+ when: ( pip_version_output is failed ) and ( ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' )
+ block:
+ - name: ensuring epel-release package is present for centos as python3-pip is in the epel repo
+ yum:
+ name: epel-release
+ state: present
+ - name: ensuring python pip package is present for centos
+ yum:
+ name: python3-pip
+ state: present
+
+- name: ensuring python pip package is present for fedora via the python3-pip rpm
+ when: ( pip_version_output is failed ) and ( ansible_distribution == 'Fedora' )
+ dnf:
+ name: python3-pip
+ state: present
+
+- name: ensuring pip is the latest version
+ become: true
+ become_user: root
+ environment:
+ http_proxy: "{{ proxy.http }}"
+ https_proxy: "{{ proxy.https }}"
+ no_proxy: "{{ proxy.noproxy }}"
+ pip:
+ name: pip
+ state: latest
+ executable: pip3
+...
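Review bot: The `apt`, `yum` and `dnf` tasks that install `python3-pip` carry no `become`, while the final `pip` task in the same file sets `become: true` and `become_user: root`; unless the calling play escalates (not visible in this hunk), the package installs will fail for an unprivileged connection user. Adding `become: true` to those tasks (on the `block` for the CentOS case) keeps the file self-contained. Separately, `state: latest` upgrades pip as root to whatever the index serves at run time; a pin such as `name: "pip==<PINNED_VERSION>"` with `state: present` would keep gate runs reproducible.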
diff --git a/tools/gate/playbooks/roles/deploy-python/tasks/main.yaml b/tools/gate/playbooks/roles/deploy-python/tasks/main.yaml
new file mode 100644
index 00000000..babce86d
--- /dev/null
+++ b/tools/gate/playbooks/roles/deploy-python/tasks/main.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: ensuring python3 is present on all hosts
+ raw: test -e /usr/bin/python3 || (sudo apt -y update && sudo apt install -y python3-minimal) || (sudo yum install -y python3) || (sudo dnf install -y python3)
+...
diff --git a/tools/gate/playbooks/roles/disable-local-nameserver/tasks/main.yaml b/tools/gate/playbooks/roles/disable-local-nameserver/tasks/main.yaml
new file mode 100644
index 00000000..f2ea4e91
--- /dev/null
+++ b/tools/gate/playbooks/roles/disable-local-nameserver/tasks/main.yaml
@@ -0,0 +1,59 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# NOTE(portdirect): We disable the local nameserver as it interferes with the
+# k8s dns-service and other local resolvers used for development use.
+# See the following for the original config:
+# * https://github.com/openstack/project-config/blob/0332c33dd134033e0620645c252f82b77e4c16f5/nodepool/elements/nodepool-base/finalise.d/89-unbound
+
+---
+- name: Disable local nameserver and systemd-resolved service
+ when: ansible_distribution == 'Ubuntu'
+ block:
+ - name: update rc.local
+ blockinfile:
+ path: /etc/rc.local
+ mode: 365
+ block: |
+ #!/bin/bash
+ set -o xtrace
+ # Some providers inject dynamic network config statically. Work around this
+ # for DNS nameservers. This is expected to fail on some nodes so remove -e.
+ set +e
+ sed -i -e 's/^\(DNS[0-9]*=[.0-9]\+\)/#\1/g' /etc/sysconfig/network-scripts/ifcfg-*
+ sed -i -e 's/^NETCONFIG_DNS_POLICY=.*/NETCONFIG_DNS_POLICY=""/g' /etc/sysconfig/network/config
+ set -e
+ echo 'nameserver 208.67.222.222' > /etc/resolv.conf
+ echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
+ exit 0
+ - name: write resolv.conf
+ blockinfile:
+ path: /etc/resolv.conf
+ mode: 644
+ block: |
+ nameserver 208.67.222.222
+ nameserver 8.8.8.8
+ - name: stop unbound service
+ systemd:
+ state: stopped
+ enabled: no
+ masked: yes
+ daemon_reload: yes
+ name: unbound
+ - name: stop systemd-resolved service
+ systemd:
+ state: stopped
+ enabled: no
+ masked: yes
+ daemon_reload: yes
+ name: systemd-resolved
+...
diff --git a/tools/gate/playbooks/roles/setup-firewall/tasks/main.yaml b/tools/gate/playbooks/roles/setup-firewall/tasks/main.yaml
new file mode 100644
index 00000000..64e75ddc
--- /dev/null
+++ b/tools/gate/playbooks/roles/setup-firewall/tasks/main.yaml
@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# NOTE(portdirect): This needs refinement but drops the firewall on zuul nodes
+---
+- name: deploy iptables packages
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - iptables
+ rpm:
+ - iptables
+- command: iptables -S
+- command: iptables -F
+- command: iptables -P INPUT ACCEPT
+- command: iptables -S
+...
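Review bot: `mode: 644` in the "write resolv.conf" task of disable-local-nameserver is an unquoted decimal integer, which Ansible applies as given, i.e. octal 1204 (sticky bit, owner write-only, world-readable) rather than 0644; it should be `mode: '0644'`. The `mode: 365` on `/etc/rc.local` has the same form but happens to equal octal 0555, so it works only by coincidence of the conversion; `mode: '0555'` is clearer. Also worth checking: `blockinfile` wraps the block in marker comment lines, so the `#!/bin/bash` line is probably not the first line of `/etc/rc.local` unless the file already starts with a shebang.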
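Review bot: The `command: iptables -F` and `command: iptables -P INPUT ACCEPT` tasks in setup-firewall remove all filtering unconditionally, and nothing in the role restricts it to throwaway CI nodes even though the NOTE above says it is meant for zuul nodes. A guard such as `when: zuul is defined` on those two tasks would stop the role from stripping the firewall if it is ever applied to a longer-lived host. The four `command` tasks also have no `name` and no `become: true`, so the run log shows only bare command entries and success depends on the play already running as root (not visible here).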
diff --git a/tools/gate/playbooks/roles/upgrade-host/defaults/main.yml b/tools/gate/playbooks/roles/upgrade-host/defaults/main.yml
new file mode 100644
index 00000000..93b068cd
--- /dev/null
+++ b/tools/gate/playbooks/roles/upgrade-host/defaults/main.yml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+ubuntu_kernel_hwe: false
+...
diff --git a/tools/gate/playbooks/roles/upgrade-host/tasks/main.yaml b/tools/gate/playbooks/roles/upgrade-host/tasks/main.yaml
new file mode 100644
index 00000000..0afb3738
--- /dev/null
+++ b/tools/gate/playbooks/roles/upgrade-host/tasks/main.yaml
@@ -0,0 +1,44 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: Upgrade to HWE kernel on Ubuntu Hosts + when: + - ansible_distribution == 'Ubuntu' + - ubuntu_kernel_hwe == true + block: + - name: Deploy HWE kernel on Ubuntu Hosts + include_role: + name: deploy-package + tasks_from: dist + vars: + packages: + deb: + - linux-generic-hwe-16.04 + - name: Reboot Host following kernel upgrade + shell: sleep 2 && reboot + become: yes + async: 30 + poll: 0 + ignore_errors: true + args: + executable: /bin/bash + - name: Wait for hosts to come up following reboot + wait_for: + host: '{{ hostvars[item].ansible_host }}' + port: 22 + state: started + delay: 60 + timeout: 240 + with_items: '{{ play_hosts }}' + connection: local +... diff --git a/tools/gate/playbooks/vars.yaml b/tools/gate/playbooks/vars.yaml index 75aee365..4e2e9829 100644 --- a/tools/gate/playbooks/vars.yaml +++ b/tools/gate/playbooks/vars.yaml @@ -15,3 +15,5 @@ docker_daemon: registry-mirrors: - "http://{{ zuul_site_mirror_fqdn }}:8082/" storage-driver: overlay2 +ansible_python_interpreter: python3 +... \ No newline at end of file diff --git a/tools/helm_install.sh b/tools/helm_install.sh index 3b9061c0..b3036e16 100755 --- a/tools/helm_install.sh +++ b/tools/helm_install.sh 
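Review bot: `linux-generic-hwe-16.04` is hard-coded in the "Deploy HWE kernel on Ubuntu Hosts" task of upgrade-host, while this same commit adds an `ubuntu-focal` nodeset for the gate job in zuul.d/base.yaml, so enabling `ubuntu_kernel_hwe` on those nodes would request the 16.04 metapackage. Deriving the name from the host, e.g. `- "linux-generic-hwe-{{ ansible_distribution_version }}"`, keeps the role usable across releases. The condition `ubuntu_kernel_hwe == true` is better written `ubuntu_kernel_hwe | bool`, which also accepts the value when it arrives as a string from extra vars.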
@@ -24,19 +24,19 @@ function install_helm_binary { if [[ -z "${HELM}" ]] then echo "No Helm binary target location." - exit -1 + exit 1 fi if [[ -w "$(dirname ${HELM})" ]] then TMP_DIR=${BUILD_DIR:-$(mktemp -d)} curl -o "${TMP_DIR}/helm.tar.gz" "${HELM_ARTIFACT_URL}" - cd ${TMP_DIR} + cd ${TMP_DIR} || exit tar -xvzf helm.tar.gz cp "${TMP_DIR}/linux-amd64/helm" "${HELM}" else echo "Cannot write to ${HELM}" - exit -1 + exit 1 fi } diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh index bddc7102..b1536383 100755 --- a/tools/helm_tk.sh +++ b/tools/helm_tk.sh @@ -22,7 +22,7 @@ HELM=${1} HELM_PIDFILE=${2} SERVE_DIR=$(mktemp -d) -HTK_STABLE_COMMIT=${HTK_COMMIT:-"b1a247e7f54ab12d830ab74f7634457b4e43f3ef"} +HTK_STABLE_COMMIT=${HTK_COMMIT:-"5c4056ad341afcc577e63902b6ddbfb222d757e1"} ${HELM} init --client-only --skip-refresh --stable-repo-url "https://charts.helm.sh/stable" @@ -69,11 +69,11 @@ fi { cd "${SERVE_DIR}" + rm -rf openstack-helm-infra git clone https://git.openstack.org/openstack/openstack-helm-infra.git || true cd openstack-helm-infra git reset --hard "${HTK_STABLE_COMMIT}" - make helm-toolkit } -rm -rf "${SERVE_DIR}" +# rm -rf "${SERVE_DIR}" diff --git a/tools/run_avt.sh b/tools/run_avt.sh index 4d04f40b..28f08efe 100755 --- a/tools/run_avt.sh +++ b/tools/run_avt.sh @@ -20,7 +20,7 @@ PLUGINS=kube_utility_container export KUBECONFIG=${KUBECONFIG:-~/.kube/config} function setup_venv() { - sudo apt-get install libffi-dev libssl-dev -y + sudo apt-get install libffi-dev libssl-dev python3-dev python3-setuptools python3-venv gcc make build-essential automake autoconf -y python3 -m venv ${VENV} if [[ -f ${VENV}/bin/activate ]] ;then source $VENV/bin/activate diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml index 35dd934b..ebf09622 100644 --- a/zuul.d/base.yaml +++ b/zuul.d/base.yaml 
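Review bot: The tarball fetched with `curl -o "${TMP_DIR}/helm.tar.gz" "${HELM_ARTIFACT_URL}"` in install_helm_binary is unpacked and copied to `${HELM}` with no integrity check, and this commit edits the lines around it without adding one. I would fetch with `curl -fsSL -o ...` so an HTTP error body is not saved as the archive, and verify before `tar` with `echo "${HELM_SHA256}  ${TMP_DIR}/helm.tar.gz" | sha256sum -c - || exit 1`, where `HELM_SHA256` is a new variable holding the published digest of the pinned release. The new `cd ${TMP_DIR} || exit` should also quote the path and give an explicit status: `cd "${TMP_DIR}" || exit 1`.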
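Review bot: Commenting out `rm -rf "${SERVE_DIR}"` at the end of the second helm_tk.sh hunk leaves a fresh `mktemp -d` directory holding a full clone of openstack-helm-infra behind on every run. If the directory is kept because something later reads the built chart, say so in a comment on that line; otherwise restore the cleanup, ideally as `trap 'rm -rf "${SERVE_DIR}"' EXIT` right after `SERVE_DIR=$(mktemp -d)`. The added `rm -rf openstack-helm-infra` has no effect as long as `SERVE_DIR` is a newly created temporary directory.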
@@ -55,6 +55,12 @@ - name: primary label: ubuntu-bionic +- nodeset: + name: airship-porthole-focal-single-node + nodes: + - name: primary + label: ubuntu-focal + - job: name: airship-porthole-images abstract: true @@ -85,23 +91,16 @@ description: | Deploys all UC's and Executes unit and feature tests. run: tools/gate/playbooks/airship-porthole-gate-runner.yaml - nodeset: airship-porthole-single-node + nodeset: airship-porthole-focal-single-node timeout: 7200 + pre-run: + - tools/gate/playbooks/osh-infra-upgrade-host.yaml post-run: - tools/gate/playbooks/make-unit-tests.yaml - tools/gate/playbooks/make-feature-tests.yaml vars: gate_scripts: - - ./tools/deployment/000-install-packages.sh - - ./tools/deployment/001-setup-apparmor-profiles.sh - - ./tools/deployment/002-deploy-k8s.sh - - ./tools/deployment/005-calicoctl-utility.sh - - ./tools/deployment/010-ceph-utility.sh - - ./tools/deployment/020-compute-utility.sh - - ./tools/deployment/030-etcdctl-utility.sh - - ./tools/deployment/040-mysqlclient-utility.sh - - ./tools/deployment/050-openstack-utility.sh - - ./tools/deployment/060-postgresql-utility.sh + - ./tools/gate/deploy.sh args: chdir: "{{ zuul.project.src_dir }}" @@ -129,4 +128,4 @@ Vlpomy02Nj4PkZZDKY7Eo3uf/+3aa8/hhvJursqv6VvqwYl75euT8Immo1EUw/Hw4PBpJ JXcwlGoK6kvXmYaG2c7yEiH2xNtTzVTai10fsalubQWR4FTmJA5LU9+HatHBa46XLy4gS vMHs2uJudmxhqLIhs5Er248FVjfxw7le5dPun3ir4J7Mjgypu5y8eLCMZAFIwpeqlJrVU - uih8ByaTlSEh6FBzle7Hb330RjSztC4pX6xiNAmtkpxhF2rEEFS66B/ixwCphQ= + uih8ByaTlSEh6FBzle7Hb330RjSztC4pX6xiNAmtkpxhF2rEEFS66B/ixwCphQ= \ No newline at end of file