- bumps ansible-lint to 5.0
- updates our custom rules to make them compatible with 5.0
- replace custom module mocking with native ansible-lint ones
- remove custom call of ansible-playbook --syntax-check as now this
is done by ansible-lint
- assured molecule vars are hosted under a vars/ folder in order to
avoid confusing linter detection.
- replaced custom rule for loop var names in role as now this this an
optional core feature of the linter (see config)
- replaced custom rule no-same-owner with opt-in one (see config)
Change-Id: I233fae8c9036d295968a97ee80e07fde8846c633
This change adds a new attribute to setup zookeeper TLS.
It also adds support for Debian-derived distros.
Change-Id: Ifb5fc51f3b66be0b2dd1b8003507e21d8afe16fc
It is perfectly valid to want to add a value to a file that
does not exist yet, even the path may be missing.
This fixes last night regression when installing docker no longer
creates the /etc/docker folder, causing our MTU update to fail.
Change-Id: I0f037d1d6664de3c3b777aaf6da9cd7c3e8bb15f
Reference: https://review.rdoproject.org/zuul/builds?job_name=tox-py36-ci-config&project=rdo-infra/ci-config
This new role will be used to replace our upload-docker-image role in
the future.
Change-Id: I0e2b0cca6575255520aa6d4d48a12128ab5f46cc
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
The merge-output-to-logs role is not doing anything in this test. As
described inline, this merges files in
zuul.executor.work_root/<docs,artifacts> into the
zuul.executor.log_root directory so they are available in change
results.
Since this job doesn't publish anything there, this role is unused.
merge-output-to-logs currently can't run because it tries to run shell
scripts on the executor. Thus we can remove this unused role and
restore the job.
Change-Id: I1afc905aa8d9c420bed316e99760ad7ad1d838ce
As described inline, we should lower the MTU in the docker
configuration when we see the interface has a MTU lower than 1500 so
things "just work". This particularly affects the Linaro ARM64 cloud
in OpenDev, but it is a generic issue.
Change-Id: I338616c41a65b007d56648fdab6da2a6a6b909f4
Story: https://storyboard.openstack.org/#!/story/2008230
Verifies that installed docker can download and run containers
that need network access. This should prevent bugs where
service was installed but in a broken state.
Fixes bug which failed to run tests when tests were modified.
Change-Id: I309168719fd3cb7488bc2d0f4fec7785e1eb5d53
Story: https://storyboard.openstack.org/#!/story/2008215
Ansible doens't really have a great built-in way to modify a json file
(unlike ini files). The extant docker role does what seems to be the
usual standard, which is slurp in the file, parse it and then write it
back out.
In a follow-on change (I338616c41a65b007d56648fdab6da2a6a6b909f4) we
need to set some more values in the docker configuration .json file,
which made me think it's generic enough that we can have a role to
basically run read the file, |combine and write it back out.
This adds such a role with various options, and converts the existing
json configuration update in ensure-docker to use it.
Change-Id: I155a409945e0175249cf2dc630b839c7a97fb452
Use '{{ zuul.pipeline }}' tag prefix in *-docker-image instead of
'change_{{ zuul.change }}' one when zuul.change is not provided, that is
the case with periodic jobs. This allows to build, upload and promote images
using periodic jobs e.g:
- project:
periodic:
- project-buildset-registry
- project-build-image1:
dependencies:
- name: project-buildset-registry
- project-build-image2:
dependencies:
- name: project-buildset-registry
# pulls from buildset registry and tests both images
- project-test:
dependencies:
- name: project-build-image1
- name: project-build-image2
# pre-pulls images from buildset registry for fast build
- project-upload-image1:
dependencies:
- name: project-test
- project-upload-image2:
dependencies:
- name: project-test
- project-promote:
dependencies:
- name: project-upload-image1
- name: project-upload-image2
This fuctionality will allow to keep latest images up to date for the
case when image incorporates continuously updating code from multiple
repositories.
Using true ternary for tag evaluation because ternary filter requires
all passed to it variables be defined or defaulted [0].
[0] https://github.com/ansible/ansible/issues/51276
Change-Id: I8eb7d2baa24905e7aac51fce0b2f9b1f24f037f9
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Per the referenced link, account creation can be slow and that's just
the way it is. This should help tests that fail with
Error from server (Forbidden): error when creating "test-pod.yaml":
pods "test" is forbidden: error looking up service account
default/default: serviceaccount "default" not found
Change-Id: I405aa7e58737c7061a471da2e2807c77756c76b8
Add a role to install Rust via the rustup tool. It defaults to
installing globally, which avoids having to worry too much about
setting paths for follow-on jobs.
Packaged Rust and the upstream rustup install tool can live together,
and there's various documentation about it. Thus I've made this such
that we can expand it with packaged Rust support if there is a need,
but I have not implemented that yet.
Change-Id: I32f9b285904a7036f9a80ada8a49fa9cf31b5163
Add focal testing for automatically generated jobs.
Seems only one minor quoting change for ovs is required.
Change-Id: I5de5d5bd420092729de251d6bfcfe80b8af79f1a
The workspace setup role requires local code execution on the executor.
This is not allowed from an untrusted context so we disable it.
The previous assertions about the zuul-cloner setup depend on the
workspace setup running successfully. Disable those extra assertions.
subunit fetching role assertions grepped the html file for validity on
localhost. Disable this as well.
Change-Id: I7449749f50b6e4a34c4615b00836a7148e01c768
Setting tox_envlist to venv by default is unintuitive for
many users. Remove this behaviour and let default tox
behaviour be the same as running tox on the commandline.
Change-Id: I1b6d59ee4ebb7f6b3adcf4bd35d7148e83389008
When using docker buildx to build a container image, use a temporary
registry to receive the built image instead of requiring a buildset
registry.
A multi-arch test is also added with a publication registry
using the same task list to reduce duplication.
Change-Id: Ib20d1c97f6cb63e0ff9d8888ea792d1941cd8690
Co-Authored-By: James E. Blair <jeblair@redhat.com>
This partially reverts commit
3f961ce202d7d24e2944de09636b35cec9c13bf6.
This alternative installs wheel with the ensure-pip role instead of in
a separate role. wheel is very closely linked with pip install
operations so this isn't a large overreach of the role.
I suggest this for several reasons; firstly the python-wheel role
doesn't try to install packages, so we end up with mixed system pip
and upstream versions of wheel most of the time. This is the type of
thing that has proven problematic in the past. It also installs via
pip --user; something we've already had problems with tox when for
various reasons roles want to run this as non-zuul user. Using
ensure-pip we keep the packaged versions together.
[1] did try to install wheel with root, but during runtime which
didn't work due to sudo being revoked. This should work for the
existing build-python-release job, because it already includes
ensure-pip in pre-run via playbooks/python/pre.yaml
I believe our conclusion on the ensure-* roles was that requiring
root/become: for installation is OK, but we should have a no-op path
if the tools are found. This is consistent with that approach
(i.e. if you want wheel and can't do sudo, you should pre-install it
on your image using whatever you build that with).
This adds a check to the existing "is pip installed" check to also
check if wheel packages are available. If not we trigger the install
path.
This revealed some issues with RedHat.yaml -- we can always install
Python 3 (packages available for CentOS 7) so remove that check, and
if Ansible is running under Python 2; ensure we install the
dependencies too (not only if it is forced).
Update the documentation to describe that it will enable support for
bdist_wheel, and add a basic sanity test that wheels are produced by
pip. The existing build-python-release job is kept; although it is
modified to use the playbooks/python/pre.yaml playbook as the build
job does.
Change-Id: I2ab11bb45b6b2a49d54db39195228ab40141185c
[1] https://review.opendev.org/#/c/736001/5/roles/build-python-release/tasks/main.yaml
ansible-lint does not work when given an empty (/dev/null) config file.
Traceback (most recent call last):
File "/tmp/ansible.td6htcac/bin/ansible-lint", line 8, in <module>
sys.exit(main())
File "/tmp/ansible.td6htcac/lib/python3.6/site-packages/ansiblelint/__main__.py", line 42, in main
options = cli.get_config(sys.argv[1:])
File "/tmp/ansible.td6htcac/lib/python3.6/site-packages/ansiblelint/cli.py", line 208, in get_config
config = load_config(options.config_file)
File "/tmp/ansible.td6htcac/lib/python3.6/site-packages/ansiblelint/cli.py", line 77, in load_config
expand_to_normalized_paths(config, config_dir)
File "/tmp/ansible.td6htcac/lib/python3.6/site-packages/ansiblelint/cli.py", line 40, in expand_to_normalized_paths
if paths_var not in config:
TypeError: argument of type 'NoneType' is not iterable
Change-Id: Id2a883676c9fbb3a2c704c8cbd8f3cbc28cdc5fb
We can't do this all the time, because of rootless environments.
But sometimes people have root and want to be able to use something
from scripts from normal path.
Change-Id: I3f57a6108f8f53ebfdd12f04ecb3d8c68c5b4a60
Add a job that tests the build-container-image role as it would be
used in a tag-based release pipeline (as opposed to check or
gate+promote).
Also, correct an issue in the role where we assumed zuul.change
existed.
Change-Id: If2566764a52726ce45fff9b5e96ce9a42d513d8d
Adds terraform roles to install and execute terraform.
Supports adding an override.tf file to override configuration in CI
which is useful to let zuul handle module reposity authentication
instead of setting up credentials on the remote during the job.
Also returns the execution plan back as a comment for 'terraform plan'
to make it easy for reviewers.
Change-Id: I3b4f2bac7f055a0c0f9cb7888b4146ac9c007d25
This reverts commit 7101fe7d1c13250415f5c6f6392c2a22720bbe43.
This unfortunately has a number of problems.
Firstly, the "Fail if no wget" fails when download_artifact_recurse
isn't set, because we didn't check for wget.
Also, the download doesn't work with some providers. wget asks for
gzip downloads with it's accept headers (which can't be turned off)
but the recursive download doesn't understand the gzipped index.html
file and thus doesn't find anything to walk. The "--compression=auto"
flag is available to overcome this, but is not widely supported (and
not supported on the executor). https://review.opendev.org/733728
attempted to work-around this but the problems with this approach seem
too much for now.
Change-Id: I9bc55d771ec1828d374684d0ffe5ec1d1494773e
Avoids runtime warnings from use of Ansible shell/command module when
executed commands also have ansible modules.
Change-Id: I4e415cbd34f0f4cb15857051bf95458e0316de86
- added space around jinja variables
- use "name" argument on include_role, instead of undocumented role
Change-Id: I0984ca391667ace24705b20dd60eddd90e3a281e
- Bumps linter and make use of its auto-detection
- Temporary skips linting test-playbooks/ to match previous behavior
- Documents skips in a way that makes it easy to maintain the rules
- Keeps linter config in standard location, so it can be loaded
regardless how is called.
Change-Id: Ic379c91fa9385473f6ec2af91e61953dc10c1f54
Also adds a check that makes sure the instance the artifact
is to be uploaded to is actually defined.
Change-Id: Ie80fa9869e49566dc39e815c10146d45724f5744
