openstack/validations-common
Code Issues Proposed changes

Add common Ansible roles and libraries

Browse Source 
Signed-off-by: Gael Chamoulaud (Strider) <gchamoul@redhat.com>
This commit is contained in:
Gael Chamoulaud (Strider) 2020-03-04 16:22:45 +01:00
parent f2965bcfd1
commit eb35089c1c
No known key found for this signature in database
GPG Key ID: 4119D0305C651D66
111 changed files with 3820 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
library/haproxy_conf.py Normal file
View File

@ -0,0 +1,89 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import re
from ansible.module_utils.basic import AnsibleModule
from yaml import safe_load as yaml_safe_load
DOCUMENTATION = '''
---
module: haproxy_conf
short_description: Gather the HAProxy config
description:
- Gather the HAProxy config
options:
path:
required: true
description:
- file path to the config file
type: str
author: "Tomas Sedovic"
'''
EXAMPLES = '''
- hosts: webservers
tasks:
- name: Gather the HAProxy config
haproxy_conf: path=/etc/haproxy/haproxy.cfg
'''
# ConfigParser chokes on both mariadb and haproxy files. Luckily They have
# a syntax approaching ini config file so they are relatively easy to parse.
# This generic ini style config parser is not perfect -- it can ignore some
# valid options -- but good enough for our use case.
def generic_ini_style_conf_parser(file_path, section_regex, option_regex):
config = {}
current_section = None
with open(file_path) as config_file:
for line in config_file:
match_section = re.match(section_regex, line)
if match_section:
current_section = match_section.group(1)
config[current_section] = {}
match_option = re.match(option_regex, line)
if match_option and current_section:
option = re.sub(r'\s+', ' ', match_option.group(1))
config[current_section][option] = match_option.group(2)
return config
def parse_haproxy_conf(file_path):
section_regex = r'^(\w+)'
option_regex = r'^(?:\s+)(\w+(?:\s+\w+)*?)\s+([\w/]*)$'
return generic_ini_style_conf_parser(file_path, section_regex,
option_regex)
def main():
module = AnsibleModule(
argument_spec=yaml_safe_load(DOCUMENTATION)['options']
)
haproxy_conf_path = module.params.get('path')
try:
config = parse_haproxy_conf(haproxy_conf_path)
except IOError:
module.fail_json(msg="Could not open the haproxy conf file at: '%s'" %
haproxy_conf_path)
module.exit_json(changed=False, ansible_facts={u'haproxy_conf': config})
if __name__ == '__main__':
main()

64
library/hiera.py Normal file
View File

@ -0,0 +1,64 @@
#!/usr/bin/env python
# Copyright 2016 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import subprocess
from ansible.module_utils.basic import AnsibleModule
from yaml import safe_load as yaml_safe_load
DOCUMENTATION = '''
---
module: hiera
short_description: Get data from hiera
description:
- Get data from hiera
options:
name:
required: true
description:
- Name to lookup
type: str
author: "Martin Andre (@mandre)"
'''
EXAMPLES = '''
- hosts: webservers
tasks:
- name: Lookup foo
hiera: name=foo
'''
def main():
module = AnsibleModule(
argument_spec=yaml_safe_load(DOCUMENTATION)['options']
)
name = module.params.get('name')
cmd = ['/usr/bin/hiera', '-c', '/etc/puppet/hiera.yaml', name]
result = subprocess.check_output(cmd, universal_newlines=True).rstrip()
if result == 'nil':
module.fail_json(msg="Failed to retrieve hiera data for {}"
.format(name))
module.exit_json(changed=False,
ansible_facts={name: result})
if __name__ == '__main__':
main()

166
library/validations_read_ini.py Normal file
View File

@ -0,0 +1,166 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Ansible module to read a value from an Ini file.
# Usage:
# - validations_read_ini: path=/path/to/file.ini section=default key=something
# register: my_ini
#
# This will read the `path/to/file.ini` file and read the `Hello!` value under:
# [default]
# something = Hello!
#
# You can register the result and use it later with `{{ my_ini.value }}`
try:
import configparser as ConfigParser
except ImportError:
import ConfigParser
from enum import Enum
import os
from ansible.module_utils.basic import AnsibleModule
from yaml import safe_load as yaml_safe_load
# Possible return values
class ReturnValue(Enum):
OK = 0
INVALID_FORMAT = 1
KEY_NOT_FOUND = 2
def check_file(path, ignore_missing):
'''Validate entered path'''
if not (os.path.exists(path) and os.path.isfile(path)):
return "Could not open the ini file: '{}'".format(path)
else:
return ''
def get_result(path, section, key, default=None):
'''Get value based on section and key'''
msg = ''
value = None
config = ConfigParser.SafeConfigParser()
try:
config.read(path)
except Exception:
msg = "The file '{}' is not in a valid INI format.".format(path)
ret = ReturnValue.INVALID_FORMAT
return (ret, msg, value)
try:
value = config.get(section, key)
msg = ("The key '{}' under the section '{}' in file {} "
"has the value: '{}'").format(key, section, path, value)
ret = ReturnValue.OK
return (ret, msg, value)
except ConfigParser.Error:
if default:
msg = ("There is no key '{}' under section '{}' in file {}. Using"
" default value '{}'".format(key, section, path, default))
ret = ReturnValue.OK
value = default
else:
value = None
msg = "There is no key '{}' under the section '{}' in file {}.".format(
key, section, path)
ret = ReturnValue.KEY_NOT_FOUND
return (ret, msg, value)
DOCUMENTATION = '''
---
module: validations_read_ini
short_description: Get data from an ini file
description:
- Get data from an ini file
options:
path:
required: true
description:
- File path
type: str
section:
required: true
description:
- Section to look up
type: str
key:
required: true
description:
- Section key to look up
type: str
default:
required: false
description:
- Default value if key isn't found
ignore_missing_file:
required: false
description:
- Flag if a missing file should be ignored
type: bool
author: "Tomas Sedovic"
'''
EXAMPLES = '''
- hosts: webservers
tasks:
- name: Lookup bar value
validations_read_ini: path=config.ini section=foo key=bar ignore_missing_file=True
'''
def main():
module = AnsibleModule(
argument_spec=yaml_safe_load(DOCUMENTATION)['options']
)
ini_file_path = module.params.get('path')
ignore_missing = module.params.get('ignore_missing_file')
# Check that file exists
msg = check_file(ini_file_path, ignore_missing)
if msg != '':
# Opening file failed
if ignore_missing:
module.exit_json(msg=msg, changed=False, value=None)
else:
module.fail_json(msg=msg)
else:
# Try to parse the result from ini file
section = module.params.get('section')
key = module.params.get('key')
default = module.params.get('default')
ret, msg, value = get_result(ini_file_path, section, key, default)
if ret == ReturnValue.INVALID_FORMAT:
module.fail_json(msg=msg)
elif ret == ReturnValue.KEY_NOT_FOUND:
module.exit_json(msg=msg, changed=False, value=None)
elif ret == ReturnValue.OK:
module.exit_json(msg=msg, changed=False, value=value)
if __name__ == '__main__':
main()

55
library/warn.py Normal file
View File

@ -0,0 +1,55 @@
#!/usr/bin/env python
# Copyright 2017 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from ansible.module_utils.basic import AnsibleModule
from yaml import safe_load as yaml_safe_load
DOCUMENTATION = '''
---
module: warn
short_description: Add warning to playbook output
description:
- Add warning to playbook output
options:
msg:
required: true
description:
- The warning text
type: str
author: "Martin Andre (@mandre)"
'''
EXAMPLES = '''
- hosts: webservers
tasks:
- name: Output warning message
warn: msg="Warning!"
'''
def main():
module = AnsibleModule(
argument_spec=yaml_safe_load(DOCUMENTATION)['options']
)
msg = module.params.get('msg')
module.exit_json(changed=False,
warnings=[msg])
if __name__ == '__main__':
main()

37
roles/advanced_format_512e_support/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

47
roles/advanced_format_512e_support/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,47 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

26
roles/advanced_format_512e_support/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,26 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- name: Warn developers about the lack of molecule testing
fail:
msg: >-
This role needs molecule tests!

10
roles/advanced_format_512e_support/tasks/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: List the available drives
register: drive_list
command: "ls /sys/class/block/"
changed_when: false
- name: Detect whether the drive uses Advanced Format
advanced_format: drive={{ item }}
when: item is match("^sd.$")
with_items: "{{ drive_list.stdout_lines }}"

9
roles/advanced_format_512e_support/vars/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
metadata:
name: Advanced Format 512e Support
description: >
Detect whether the undercloud disks use Advanced Format. If they do,
the overcloud images may fail to upload to Glance.
groups:
- prep
- pre-deployment

10
roles/check_latest_packages_version/defaults/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
tripleoclient: >-
{%- if ansible_distribution == 'RedHat' and ansible_distribution_major_version == '8' -%}
python3-tripleoclient
{%- else -%}
python2-tripleoclient
{%- endif -%}
packages:
- "{{ tripleoclient }}"

37
roles/check_latest_packages_version/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

47
roles/check_latest_packages_version/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,47 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools PyYAML
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

51
roles/check_latest_packages_version/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,51 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
tasks:
- name: Validate No Available Update for patch rpm
include_role:
name: check_latest_packages_version
vars:
packages:
- patch
- name: Working Detection of Update for Pam package
block:
- include_role:
name: check_latest_packages_version
vars:
packages:
- pam
rescue:
- name: Clear host errors
meta: clear_host_errors
- debug:
msg: The validation works! End the playbook run
- name: End play
meta: end_play
- name: Fail the test
fail:
msg: |
The check_latest_packages_version role should have detected
that packages have available updates.

25
roles/check_latest_packages_version/molecule/default/prepare.yml Normal file
View File

@ -0,0 +1,25 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: install patch rpm
package:
name: patch

16
roles/check_latest_packages_version/tasks/main.yml Normal file
View File

@ -0,0 +1,16 @@
---
- name: Get available updates for packages
check_package_update:
package: "{{ item }}"
pkg_mgr: "{{ ansible_pkg_mgr }}"
with_items: "{{ packages }}"
register: updates
- name: Check if current version is the latest one
fail:
msg: >-
A newer version of the {{ item.name }} package is
available: {{ item.new_version }}-{{ item.new_release }}
(currently {{ item.current_version }}-{{ item.current_release }})
with_items: "{{ updates.results }}"
when: item.new_version

8
roles/check_latest_packages_version/vars/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
metadata:
name: Check if latest version of packages is installed
description: >
Makes sure python-tripleoclient is at its latest version
before starting an upgrade.
groups:
- pre-upgrade

2
roles/dns/defaults/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
server_to_lookup: example.com

37
roles/dns/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

46
roles/dns/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,46 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

47
roles/dns/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,47 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
tasks:
- name: Should get a success
include_role:
name: dns
vars:
server_to_lookup: www.redhat.com
- name: Should properly fail
block:
- include_role:
name: dns
vars:
server_to_lookup: role.dns.domain.do-not.exists
rescue:
- name: Clear host errors
meta: clear_host_errors
- debug:
msg: The validation works! End the playbook run
- name: End play
meta: end_play
- name: Fail the test
fail:
msg: |
The dns role should have detected a faulty DNS configuration

4
roles/dns/tasks/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Ensure DNS resolution works
command: "getent hosts {{ server_to_lookup }}"
changed_when: false

7
roles/dns/vars/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
metadata:
name: Verify DNS
description: >
Verify that the DNS resolution works
groups:
- pre-deployment

42
roles/haproxy/README.md Normal file
View File

@ -0,0 +1,42 @@
haproxy
=======
An Ansible role to check if the HAProxy configuration has recommended values.
Requirements
------------
This role requires an Up and Running Overcloud
Role Variables
--------------
- config_file: '/var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg'
- global_maxconn_min: 20480
- defaults_maxconn_min: 4096
- defaults_timeout_queue: '2m'
- defaults_timeout_client: '2m'
- defaults_timeout_server: '2m'
- defaults_timeout_check: '10s'
Dependencies
------------
No dependencies
Example Playbook
----------------
- hosts: undercloud
roles:
- { role: haproxy }
License
-------
Apache
Author Information
------------------
Red Hat TripleO Validations Team.

8
roles/haproxy/defaults/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
haproxy_config_file: '/var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg'
global_maxconn_min: 20480
defaults_maxconn_min: 4096
defaults_timeout_queue: '2m'
defaults_timeout_client: '2m'
defaults_timeout_server: '2m'
defaults_timeout_check: '10s'

36
roles/haproxy/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,36 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

47
roles/haproxy/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,47 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools haproxy PyYAML
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools haproxy PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: true
verifier:
name: testinfra
lint:
name: flake8

71
roles/haproxy/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,71 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
vars:
haproxy_config_file: /haproxy.cfg
tasks:
- name: create haproxy config file
copy:
dest: /haproxy.cfg
content: |
# This file managed by Puppet
global
daemon
group haproxy
log /dev/log local0
maxconn 100
pidfile /var/run/haproxy.pid
ssl-default-bind-ciphers !SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES
ssl-default-bind-options no-sslv3 no-tlsv10
stats socket /var/lib/haproxy/stats mode 600 level user
stats timeout 1s
user haproxy
defaults
log global
maxconn 100
mode tcp
retries 1
timeout http-request 1s
timeout queue 1s
timeout connect 1s
timeout client 1s
timeout server 1s
timeout check 1s
- block:
- include_role:
name: haproxy
rescue:
- name: Clear host errors
meta: clear_host_errors
- debug:
msg: The validation works! End the playbook run
- name: End play
meta: end_play
- name: Fail the test
fail:
msg: |
The haproxy role should have detected issues within haproxy
configuration file!

51
roles/haproxy/tasks/main.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: Gather the HAProxy config
become: true
haproxy_conf:
path: "{{ haproxy_config_file }}"
- name: Verify global maxconn
fail:
msg: >-
The 'global maxconn' value '{{ haproxy_conf.global.maxconn }}'
must be greater than {{ global_maxconn_min }}
failed_when: haproxy_conf.global.maxconn|int < global_maxconn_min
- name: Verify defaults maxconn
fail:
msg: >-
The 'defaults maxconn' value '{{ haproxy_conf.defaults.maxconn }}'
must be greater than {{ defaults_maxconn_min }}
failed_when: haproxy_conf.defaults.maxconn|int < defaults_maxconn_min
- name: Verify defaults timeout queue
fail:
msg: >-
The 'timeout queue' option in 'defaults' is
'{{ haproxy_conf.defaults['timeout queue'] }}',
but must be set to {{ defaults_timeout_queue }}
failed_when: "haproxy_conf.defaults['timeout queue'] != defaults_timeout_queue"
- name: Verify defaults timeout client
fail:
msg: >-
The 'timeout client' option in 'defaults' is
'{{ haproxy_conf.defaults['timeout client'] }}',
but must be set to {{ defaults_timeout_client }}
failed_when: "haproxy_conf.defaults['timeout client'] != defaults_timeout_client"
- name: Verify defaults timeout server
fail:
msg: >-
The 'timeout server' option in 'defaults' is
'{{ haproxy_conf.defaults['timeout server'] }}',
but must be set to {{ defaults_timeout_server }}
failed_when: "haproxy_conf.defaults['timeout server'] != defaults_timeout_server"
- name: Verify defaults timeout check
fail:
msg: >-
The 'timeout check' option in 'defaults' is
'{{ haproxy_conf.defaults['timeout check'] }}',
but must be set to {{ defaults_timeout_check }}
failed_when: "haproxy_conf.defaults['timeout check'] != defaults_timeout_check"

6
roles/haproxy/vars/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
metadata:
name: HAProxy configuration
description: Verify the HAProxy configuration has recommended values.
groups:
- post-deployment

4
roles/no_op/tasks/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Run a no-op validation everywhere
debug:
msg: "This is a no-op action for testing that the validations framework runs"

8
roles/no_op/vars/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
metadata:
name: NO-OP validation
description: >
A simple validation doing nothing in order to test that
the validations framework works.
groups:
- no-op

37
roles/ntp/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

47
roles/ntp/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,47 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

26
roles/ntp/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,26 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- name: Warn developers about the lack of molecule testing
fail:
msg: >-
This role needs molecule tests!

26
roles/ntp/tasks/main.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Get if chrony is enabled
become: true
hiera:
name: "chrony_enabled"
- when: chrony_enabled|bool
block:
- name: Populate service facts
service_facts: # needed to make yaml happy
- name: Fail if chronyd service is not running
fail:
msg: "Chronyd service is not running"
when: "ansible_facts.services['chronyd.service'].state != 'running'"
- name: Run chronyc
become: true
command: chronyc -a 'burst 4/4'
changed_when: false
# ntpstat returns 0 if synchronised and non-zero otherwise:
- name: Run ntpstat
command: ntpstat
changed_when: false
when: not chrony_enabled|bool

10
roles/ntp/vars/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
metadata:
name: Verify all deployed nodes have their clock synchronised
description: >
Each overcloud node should have their clocks synchronised.
The deployment should configure and run chronyd. This validation verifies
that it is indeed running and connected to an NTP server on all nodes.
groups:
- post-deployment

2
roles/service_status/defaults/main.yaml Normal file
View File

@ -0,0 +1,2 @@
---
service_status_podman_opt: ''

37
roles/service_status/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

49
roles/service_status/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,49 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
command: /sbin/init
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
command: /sbin/init
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

25
roles/service_status/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,25 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- name: Full check with defaults
include_role:
name: service_status

37
roles/service_status/molecule/docker/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

61
roles/service_status/molecule/docker/molecule.yml Normal file
View File

@ -0,0 +1,61 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
command: /sbin/init
capabilities:
- SYS_ADMIN
privileged: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /sys/fs/cgroup:/sys/fs/cgroup:ro
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
command: /sbin/init
capabilities:
- SYS_ADMIN
privileged: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /sys/fs/cgroup:/sys/fs/cgroup:ro
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML python*-libselinux
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

59
roles/service_status/molecule/docker/playbook.yml Normal file
View File

@ -0,0 +1,59 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
become: true
tasks:
- name: "Check containers - docker version, no service"
include_role:
name: service_status
tasks_from: containers.yaml
- name: "Check containers - docker version, with service"
block:
- name: Activate docker service
service:
name: docker
state: started
enabled: true
- name: Catch failure
block:
- name: Run check
include_role:
name: service_status
tasks_from: containers.yaml
rescue:
- name: Clear host errors
meta: clear_host_errors
- name: Test output
debug:
msg: |
Success finding broken containers
- name: End play
meta: end_play
- name: Fail if this point is reached
fail:
msg: |
Did not find broken containers

65
roles/service_status/molecule/docker/prepare.yml Normal file
View File

@ -0,0 +1,65 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: install docker
package:
name: docker
- name: fake docker exe
copy:
dest: /usr/bin/docker
mode: 0755
content: |
#!/bin/sh
echo 'thirsty_goldwasser Exited (0) 12 seconds ago'
echo 'fedora28 Exited (255) 7 hours ago'
echo 'centos7 Exited (255) 7 hours ago'
- name: docker unit override basedir
file:
path: /etc/systemd/system/docker.service.d
state: directory
- name: fake docker unit
copy:
dest: /etc/systemd/system/docker.service.d/override.conf
content: |
[Unit]
After=network.target
Wants=
Requires=
[Service]
Type=simple
ExecStart=
ExecStart=/usr/bin/fake
Restart=
- name: fake docker exec for unit
copy:
dest: /usr/bin/fake
mode: 0755
content: |
#!/bin/sh
while true; do
sleep 5;
done

37
roles/service_status/molecule/podman/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

BIN
roles/service_status/molecule/podman/bolt_state.db Normal file
View File

Binary file not shown.

49
roles/service_status/molecule/podman/molecule.yml Normal file
View File

@ -0,0 +1,49 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
command: /sbin/init
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
command: /sbin/init
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

46
roles/service_status/molecule/podman/playbook.yml Normal file
View File

@ -0,0 +1,46 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
vars:
service_status_podman_opt: '--storage-driver=vfs'
tasks:
- name: Check podman container state
block:
- name: Detect failed podman containers
include_role:
name: service_status
tasks_from: containers.yaml
rescue:
- name: Clear host errors
meta: clear_host_errors
- name: Test output
debug:
msg: |
Properly detected failed container
- name: End play now
meta: end_play
- name: Fail if we get to this point
fail:
msg: |
Did not detect failed container

39
roles/service_status/molecule/podman/prepare.yml Normal file
View File

@ -0,0 +1,39 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: install podman
package:
name: podman
- name: Create libpod arbo
file:
path: '/var/lib/containers/{{ item }}'
state: directory
loop:
- storage
- storage/libpod
- name: Insert failed container DB
copy:
src: ./bolt_state.db
dest: /var/lib/containers/storage/libpod/bolt_state.db
setype: container_var_lib_t

37
roles/service_status/molecule/systemd/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

49
roles/service_status/molecule/systemd/molecule.yml Normal file
View File

@ -0,0 +1,49 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
command: /sbin/init
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
command: /sbin/init
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

44
roles/service_status/molecule/systemd/playbook.yml Normal file
View File

@ -0,0 +1,44 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- name: Check service
block:
- name: Run validation
include_role:
name: service_status
tasks_from: systemd.yaml
rescue:
- name: Clear errors
meta: clear_host_errors
- name: Test output
debug:
msg: |
Successfully detected failed unit
- name: End play
meta: end_play
- name: Fail if this point is reached
fail:
msg: |
Did not detect failed unit

39
roles/service_status/molecule/systemd/prepare.yml Normal file
View File

@ -0,0 +1,39 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Create fake, failing unit
copy:
dest: /etc/systemd/system/tripleo_failed-unit.service
content: |
[Unit]
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/false
- name: Enable and start broken thing
ignore_errors: true
service:
name: tripleo_failed-unit
state: started
enabled: true

59
roles/service_status/tasks/containers.yaml Normal file
View File

@ -0,0 +1,59 @@
---
- name: Gather package facts
package_facts:
manager: auto
- name: Is docker running
systemd:
name: docker
register: docker_svc
when: ansible_facts.packages['docker'] is defined
- name: Do we have podman
stat:
path: /usr/bin/podman
register: podman_stat
- name: Podman related block
when: podman_stat.stat.exists
block:
- name: Get failed containers for podman
become: true
shell: |
podman {{ service_status_podman_opt }} ps -a --filter 'status=exited' --format {{ "'{{ .Names }} {{ .Status }}'" }}
register: failed_podman
- name: Fail if we detect failed podman container
fail:
msg: |
Failed container detected.
On CI, please check the following locations
/var/log/extras/failed_containers.log
/var/log/extras/podman
when: item is not match(".* Exited \(0\) .* ago")
loop: "{{ failed_podman.stdout_lines }}"
- name: Docker related block
when:
- ansible_facts.packages['docker'] is defined
- docker_svc.status['SubState'] == 'running'
block:
- name: Get failed containers from docker
become: true
shell: >
{% raw %}
docker ps -a --filter 'status=exited' --format '{{ .Names }} {{ .Status }}'
{% endraw %}
register: failed_docker
- name: Fail if we detect failed docker container
fail:
msg: |
Failed container detected.
On CI, please check the following locations
/var/log/extras/failed_containers.log
/var/log/extras/docker
when:
- failed_docker is defined
- item is not match(".* Exited \(0\) .* ago")
loop: "{{ failed_docker.stdout_lines }}"

3
roles/service_status/tasks/main.yaml Normal file
View File

@ -0,0 +1,3 @@
---
- include_tasks: containers.yaml
- include_tasks: systemd.yaml

13
roles/service_status/tasks/systemd.yaml Normal file
View File

@ -0,0 +1,13 @@
---
- name: Get failed services from Systemd
shell: >
systemctl list-units --failed --plain --no-legend --no-pager "tripleo_*"
register: systemd_state
changed_when: false
- name: Fails if we find failed systemd units
assert:
that:
- systemd_state.stdout_lines|length == 0
fail_msg: "The following services failed {{ systemd_state.stdout_lines }}"
success_msg: "All tripleo units are working fine"

37
roles/stonith_exists/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

46
roles/stonith_exists/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,46 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

56
roles/stonith_exists/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,56 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
tasks:
- name: Safe run
include_role:
name: stonith_exists
- name: Fail the validation
block:
- name: Faulty pcs script
copy:
dest: /usr/bin/pcs
mode: 0755
content: |
#!/bin/sh
echo "NO stonith devices configured"
exit 0
- name: Run validation
include_role:
name: stonith_exists
rescue:
- name: Clear host errors
meta: clear_host_errors
- name: Test output
debug:
msg: The validation works! End play
- name: End play
meta: end_play
- name: Fail playbook if reached
fail:
msg: |
The stonith_exists validation didn't properly detect failed
stonith config

30
roles/stonith_exists/molecule/default/prepare.yml Normal file
View File

@ -0,0 +1,30 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Populate successful stonith
copy:
dest: /usr/bin/pcs
mode: 0755
content: |
#!/bin/sh
echo "Stonith service configured"
exit 0

22
roles/stonith_exists/tasks/main.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Check if we are in HA cluster environment
become: true
register: pcs_cluster_status
command: pcs cluster status
failed_when: false
changed_when: false
- name: Get all currently configured stonith devices
become: true
command: "pcs stonith"
register: stonith_devices
changed_when: false
when: "pcs_cluster_status.rc == 0"
- name: Verify the stonith device are configured
fail:
msg: "Stonith devices are not configured."
when: >
pcs_cluster_status.rc == 0
and
'NO stonith devices configured' in stonith_devices.stdout

11
roles/stonith_exists/vars/main.yml Normal file
View File

@ -0,0 +1,11 @@
---
metadata:
name: Validate stonith devices
description: >
Verify that stonith devices are configured for your OpenStack Platform HA cluster.
We don't configure stonith device with TripleO Installer. Because the hardware
configuration may be differ in each environment and requires different fence agents.
How to configure fencing please read
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/director-installation-and-usage/86-fencing-the-controller-nodes
groups:
- post-deployment

36
roles/undercloud_cpu/README.md Normal file
View File

@ -0,0 +1,36 @@
Undercloud-cpu
==============
An Ansible role to check if the Undercloud fits the CPU core requirements
Requirements
------------
This role could be used before or/and after the Undercloud installation.
Role Variables
--------------
- min_undercloud_cpu_count: <8> -- Minimal number of CPU core
Dependencies
------------
No dependencies.
Example Playbook
----------------
- hosts: undercloud
roles:
- { role: undercloud-cpu, min_undercloud_cpu_count: 42 }
License
-------
Apache 2.0
Author Information
------------------
Red Hat TripleO Validations Team

3
roles/undercloud_cpu/defaults/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
min_undercloud_cpu_count: 8

37
roles/undercloud_cpu/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

46
roles/undercloud_cpu/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,46 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

42
roles/undercloud_cpu/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,42 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
vars:
min_undercloud_cpu_count: 100
tasks:
- block:
- include_role:
name: undercloud_cpu
rescue:
- name: Clear host errors
meta: clear_host_errors
- debug:
msg: The validation works! End the playbook run
- name: End play
meta: end_play
- name: Fail the test
fail:
msg: |
The undercloud_cpu role should have detected that there is not
enough CPU

7
roles/undercloud_cpu/tasks/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Verify the number of CPU cores
fail:
msg: >-
There are {{ ansible_processor_vcpus }} cores in the system,
but there should be at least {{ min_undercloud_cpu_count }}
failed_when: "ansible_processor_vcpus|int < min_undercloud_cpu_count|int"

10
roles/undercloud_cpu/vars/main.yaml Normal file
View File

@ -0,0 +1,10 @@
---
metadata:
name: Verify undercloud fits the CPU core requirements
description: >
Make sure that the undercloud has enough CPU cores.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Undercloud_Requirements.html
groups:
- prep
- pre-introspection

36
roles/undercloud_disk_space/README.md Normal file
View File

@ -0,0 +1,36 @@
Undercloud-disk-space
=====================
An Ansible role to verify if the Undercloud fits the disk space requirements.
Requirements
------------
This role could be used before or/and after the Undercloud installation.
Role Variables
--------------
- Volumes: a dictionary of mount points and their minimum sizes
Dependencies
------------
No Dependencies
Example Playbook
----------------
- hosts: servers
roles:
- { role: undercloud-disk-space}
License
-------
Apache
Author Information
------------------
Red Hat TripleO Validation Team

8
roles/undercloud_disk_space/defaults/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
volumes:
- {mount: /var/lib/docker, min_size: 10}
- {mount: /var/lib/config-data, min_size: 3}
- {mount: /var/log, min_size: 3}
- {mount: /usr, min_size: 5}
- {mount: /var, min_size: 20}
- {mount: /, min_size: 25}

37
roles/undercloud_disk_space/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

46
roles/undercloud_disk_space/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,46 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

44
roles/undercloud_disk_space/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,44 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
vars:
volumes:
- {mount: /var, min_size: 20}
- {mount: /, min_size: 150}
tasks:
- block:
- include_role:
name: undercloud_disk_space
rescue:
- name: Clear host errors
meta: clear_host_errors
- debug:
msg: The validation works! End the playbook run
- name: End play
meta: end_play
- name: Fail the test
fail:
msg: |
The validation did not detect a too small disk space

39
roles/undercloud_disk_space/tasks/main.yml Normal file
View File

@ -0,0 +1,39 @@
---
- name: Set a constant defining number of Bytes in 1 GB
set_fact:
const_bytes_in_gb: 1073741824
- name: Stat volume directories
stat:
path: "{{ item.mount }}"
with_items: "{{ volumes }}"
register: volumes_stat
- name: Initialize existing_volumes to an empty array
set_fact:
existing_volumes="{{ [] }}"
- name: Filter out non-existing volumes
set_fact:
existing_volumes: "{{ existing_volumes +[item.item] }}"
with_items: "{{ volumes_stat.results }}"
when: item.stat.exists
loop_control:
label: "{{ item.item.mount }}"
- name: Loop on volumes and gather available space
shell: df -B1 {{ item.mount }} --output=avail | sed 1d
register: volume_size
with_items: "{{ existing_volumes }}"
changed_when: false
- name: Fail if any of the volumes are too small
fail:
msg: >
Minimum free space required for {{ item.item.mount }}: {{ item.item.min_size }}G
- current free space: {{ (item.stdout|int / const_bytes_in_gb|int) |round(1) }}G
when: >
item.stdout|int / const_bytes_in_gb|int < item.item.min_size|int
with_items: "{{ volume_size.results }}"
loop_control:
label: "{{ item.item.mount }}"

11
roles/undercloud_disk_space/vars/main.yaml Normal file
View File

@ -0,0 +1,11 @@
---
metadata:
name: Verify undercloud fits the disk space requirements
description: >
Make sure that the root partition on the undercloud node has enough
free space.
http://tripleo.org/install/environments/baremetal.html#minimum-system-requirements
groups:
- prep
- pre-introspection

36
roles/undercloud_ram/README.md Normal file
View File

@ -0,0 +1,36 @@
Undercloud-ram
==============
An Ansible role to check if the Undercloud fits the RAM requirements
Requirements
------------
This role could be used before or/and after the Undercloud installation
Role Variables
--------------
- min_undercloud_ram_gb: <24> -- Minimal amount of RAM in GB
Dependencies
------------
No dependencies.
Example Playbook
----------------
- hosts: undercloud
roles:
- { role: undercloud-ram, min_undercloud_ram_gb: 24 }
License
-------
Apache
Author Information
------------------
Red Hat TripleO Validations Team

3
roles/undercloud_ram/defaults/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
min_undercloud_ram_gb: 24

37
roles/undercloud_ram/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

46
roles/undercloud_ram/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,46 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

42
roles/undercloud_ram/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,42 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
vars:
min_undercloud_ram_gb: 1000000
tasks:
- block:
- include_role:
name: undercloud_ram
rescue:
- name: Clear host errors
meta: clear_host_errors
- debug:
msg: The validation works! End the playbook run
- name: End play
meta: end_play
- name: Fail the test
fail:
msg: |
The undercloud_ram role should have detected that there is not
enough RAM

9
roles/undercloud_ram/tasks/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Verify the RAM requirements
fail:
msg: >-
The RAM on the undercloud node is {{ ansible_memtotal_mb }} MB,
the minimal recommended value is
{{ min_undercloud_ram_gb|int * 1024 }} MB.
# NOTE(shadower): converting GB to MB
failed_when: "(ansible_memtotal_mb) < min_undercloud_ram_gb|int * 1024"

11
roles/undercloud_ram/vars/main.yaml Normal file
View File

@ -0,0 +1,11 @@
---
metadata:
name: Verify the undercloud fits the RAM requirements
description: >
Verify that the undercloud has enough RAM.
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html/director_installation_and_usage/planning-your-undercloud#determining-environment-scale
groups:
- prep
- pre-introspection
- pre-upgrade

37
roles/undercloud_selinux_mode/README.md Normal file
View File

@ -0,0 +1,37 @@
Undercloud-selinux-mode
=======================
An Ansible role to check the Undercloud SELinux Enforcing mode
Requirements
------------
This role could be used before or/and after the Undercloud installation
Role Variables
--------------
None
Dependencies
------------
No dependencies.
Example Playbook
----------------
- hosts: undercloud
roles:
- { role: undercloud-selinux-mode }
License
-------
Apache
Author Information
------------------
Red Hat TripleO Validations Team

37
roles/undercloud_selinux_mode/molecule/default/Dockerfile.j2 Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

47
roles/undercloud_selinux_mode/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,47 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools python-enum34 python-netaddr ruby epel-release PyYAML
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools python*-enum python*-netaddr ruby PyYAML
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

26
roles/undercloud_selinux_mode/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,26 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
tasks:
- name: Warn developers about the lack of molecule testing
fail:
msg: >-
This role needs molecule tests!

24
roles/undercloud_selinux_mode/tasks/main.yml Normal file
View File

@ -0,0 +1,24 @@
---
- name: Get current SELinux mode
command: getenforce
become: true
register: sestatus
changed_when: false
- name: Fail if SELinux is not in Enforced mode (RHEL)
fail:
msg: >-
SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
Ensure that SELinux is enabled and running in Enforcing mode.
when:
- "sestatus.stdout != 'Enforcing'"
- "ansible_distribution == 'RedHat'"
- name: Warn if SELinux is not in Enforced mode (CentOS)
warn:
msg: >-
SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
Ensure that SELinux is enabled and running in Enforcing mode.
when:
- "sestatus.stdout != 'Enforcing'"
- "ansible_distribution == 'CentOS'"

8
roles/undercloud_selinux_mode/vars/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
metadata:
name: Undercloud SELinux Enforcing Mode Check
description: >
Check if the Undercloud is running SELinux in Enforcing mode.
groups:
- prep
- pre-introspection

38
roles/undercloud_service_status/README.md Normal file
View File

@ -0,0 +1,38 @@
Undercloud-service-status
=========================
An Ansible role to verify the Undercloud services states before running an
Update or Upgrade.
Requirements
------------
This role needs to be run against an installed Undercloud.
Role Variables
--------------
- undercloud_service_list: A list of services actually coming from the tripleo-ansible-inventory
Dependencies
------------
No dependencies.
Example Playbook
----------------
- hosts: undercloud
roles:
- { role: undercloud-service-status }
License
-------
Apache
Author Information
------------------
Red Hat TripleO Validations Team.

8
roles/undercloud_service_status/defaults/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
undercloud_service_list:
- tripleo_nova_compute
- tripleo_heat_engine
- tripleo_ironic_conductor
- tripleo_swift_container_server
- tripleo_swift_object_server
- tripleo_mistral_engine

18
roles/undercloud_service_status/tasks/main.yml Normal file
View File

@ -0,0 +1,18 @@
---
- name: Check Services are running
command: "/usr/bin/systemctl show {{ item }} --property ActiveState"
become: true
with_items: "{{ undercloud_service_list }}"
register: "check_services"
changed_when: false
ignore_errors: true
- name: Fail if services were not running
fail:
msg: >-
One of the undercloud services was not active.
Please check {{ item.item }} first and then confirm the status of
undercloud services in general before attempting to update or
upgrade the environment.
failed_when: "item.stdout != 'ActiveState=active'"
with_items: "{{ check_services.results }}"

8
roles/undercloud_service_status/vars/main.yaml Normal file
View File

@ -0,0 +1,8 @@
---
metadata:
name: Verify undercloud services state before running update or upgrade
description: >
Check undercloud status before running a stack update - especially minor update and major upgrade.
groups:
- post-upgrade
- pre-upgrade

27
roles/validate_selinux/defaults/main.yml Normal file
View File

@ -0,0 +1,27 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# All variables intended for modification should place placed in this file.
# All variables within this role should have a prefix of "validate_selinux"
validate_selinux_working_dir: /var/log/validations
validate_selinux_audit_source: /var/log/audit/audit.log
validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
validate_selinux_strict: false
validate_selinux_filter: "None"
validate_selinux_skip_list: {}

15
roles/validate_selinux/handlers/main.yml Normal file
View File

@ -0,0 +1,15 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

37
roles/validate_selinux/molecule/default/Dockerfile Normal file
View File

@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]

49
roles/validate_selinux/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,49 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
dockerfile: Dockerfile
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
dockerfile: Dockerfile
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LIBRARY: "../../../../library"
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8

63
roles/validate_selinux/molecule/default/playbook.yml Normal file
View File

@ -0,0 +1,63 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
vars:
validate_selinux_working_dir: '/tmp'
tasks:
- name: Simple run without filter against clean auditlog
include_role:
name: validate_selinux
vars:
validate_selinux_audit_source: '/var/log/audit-clean.log'
- name: Run with filter against unclean auditlog
include_role:
name: validate_selinux
vars:
validate_selinux_audit_source: '/var/log/audit-unclean.log'
validate_selinux_skip_list:
- entry: 'tcontext=system_u:system_r:init_t'
comment: 'This one is a real-life entry'
- entry: 'tcontext=system_u:system_r:system_dbusd_t'
comment: 'This one is another real-life entry'
- name: Run without filter against unclean auditlog
block:
- name: Run role
include_role:
name: validate_selinux
vars:
validate_selinux_audit_source: '/var/log/audit-unclean.log'
validate_selinux_strict: true
rescue:
- name: Clear host error
meta: clear_host_errors
- name: Status message
debug:
msg: 'Successfully detected denials issue!'
- name: End play
meta: end_play
- name: Fail if we get to this place
fail:
msg: 'Unit test failed: did not detect untracked denials!'

60
roles/validate_selinux/molecule/default/prepare.yml Normal file
View File

@ -0,0 +1,60 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Populate fake clean auditlog
copy:
dest: /var/log/audit-clean.log
owner: root
mode: 0600
group: root
# yamllint disable rule:line-length
content: |
type=SERVICE_START msg=audit(1575877870.934:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1575878320.981:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1575878471.739:288): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_CMD msg=audit(1575878471.740:289): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267202D2D696E666F20637265617465202D2D636F6D7072657373696F6E206C7A34202D2D6578636C7564652D636163686573202D2D6578636C756465202A2F2A2E6C6F636B202D2D6578636C756465202A2F2E746F78202D2D6578636C756465202A2F2E737465737472202D2D6578636C756465202A2F727562792D76656E646F72202D2D6578636C756465202A2F7A75756C2F202D2D6578636C756465202A2F73736866732F202D2D6578636C756465202A2F2E6C6F63616C2F7368617265202F6D656469612F6261636B7570732F7268656C3A3A31306130393963382D316135612D313165612D613663622D386331363435366466626265202F686F6D652F636A65616E6E6572 exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1575878554.296:294): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_CMD msg=audit(1575878554.296:295): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267206C697374202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1575878555.032:300): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_CMD msg=audit(1575878555.032:301): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267207072756E65202D70202D2D6B6565702D77697468696E203277202D2D7374617473202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1575878869.915:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1575878900.615:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
# yamllint enable rule:line-length
- name: Populate unclean auditlog
copy:
dest: /var/log/audit-unclean.log
owner: root
mode: 0600
group: root
# yamllint disable rule:line-length
content: |
type=AVC msg=audit(1575534183.234:4933): avc: denied { write } for pid=11266 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1575534183.342:4934): avc: denied { write } for pid=11284 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
type=USER_AVC msg=audit(1575535009.861:5275): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=38869 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535009.861:5276): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=38869 tpid=1 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535009.862:5277): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1198 spid=1 tpid=38869 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c313,c573 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535013.340:5290): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39132 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535013.341:5291): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39132 tpid=1 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535013.342:5292): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1209 spid=1 tpid=39132 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c192,c917 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535028.912:5307): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39430 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535028.913:5308): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39430 tpid=1 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

15
roles/validate_selinux/molecule/default/verify.yml Normal file
View File

@ -0,0 +1,15 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

Some files were not shown because too many files have changed in this diff Show More