kolla-ansible/tests/run.yml
Mark Goddard 8c4ab41ffa Check configuration file permissions in CI
Typically, non-executable files should have 660 or 600 and executable
files and directories should have 770. All should be owned by the
'config_owner_user' and 'config_owner_group' variables.

This change adds a script to check the owner and permissions of config
files under /etc/kolla, and runs it at the end of CI jobs.

Change-Id: Icdbabf36e284b9030017a0dc07b9dc81a37758ab
Related-Bug: #1821579
2019-04-03 08:48:00 +00:00

304 lines
11 KiB
YAML

---
- hosts: all
vars:
kolla_ansible_local_src_dir: "{{ zuul.executor.work_root }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
tasks:
- name: Prepare disks for Ceph or LVM
script: "setup_disks.sh {{ disk_type }}"
when: scenario in ["ceph", "cinder-lvm"]
become: true
vars:
disk_type: "{{ ceph_storetype if scenario == 'ceph' else 'cinder-lvm' }}"
ceph_storetype: "{{ hostvars[inventory_hostname].get('ceph_osd_storetype') }}"
- hosts: primary
vars:
kolla_inventory_path: "/etc/kolla/inventory"
logs_dir: "/tmp/logs"
kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
kolla_ansible_local_src_dir: "{{ zuul.executor.work_root }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
need_build_image: false
tasks:
# FIXME: in multi node env, api_interface may be different on each node.
- name: detect api_interface_name variable
vars:
ansible_interface_name: "ansible_{{ item.replace('-', '_') }}"
api_interface_address: "{{ hostvars[inventory_hostname]['nodepool']['private_ipv4'] }}"
set_fact:
api_interface_name: "{{ item }}"
api_interface_address: "{{ api_interface_address }}"
when:
- hostvars[inventory_hostname][ansible_interface_name]['ipv4'] is defined
- hostvars[inventory_hostname][ansible_interface_name]['ipv4']['address'] == api_interface_address
with_items: "{{ ansible_interfaces }}"
- name: detect whether need build images
set_fact:
need_build_image: true
when:
- item.project.short_name == "kolla"
- item.branch == zuul.branch
with_items: "{{ zuul['items'] }}"
# NOTE(mgoddard): This only affects the remote copy of the repo, not the
# one on the executor.
- name: checkout the previous kolla-ansible branch
command:
cmd: "git checkout stable/{{ previous_release | lower }}"
chdir: "{{ kolla_ansible_src_dir }}"
when: scenario == "upgrade"
- name: ensure /etc/kolla exists
file:
path: "/etc/kolla"
state: "directory"
mode: 0777
become: true
# Use the initial repo to generate config files. For upgrade jobs, this
# repo is only available on the remote node, so use the remote-template
# role.
- name: generate configuration files
include_role:
role: remote-template
vars:
is_previous_release: "{{ scenario == 'upgrade' }}"
infra_dockerhub_mirror: "http://{{ zuul_site_mirror_fqdn }}:8082/"
# Role variables.
remote_template_src: "{{ kolla_ansible_src_dir }}/{{ item.src }}"
remote_template_dest: "{{ item.dest }}"
remote_template_become: "{{ item.become | default(false) }}"
with_items:
# Docker daemon.json
- src: "tests/templates/docker_daemon.json.j2"
dest: "/etc/docker/daemon.json"
become: true
# Ansible inventory
- src: "tests/templates/inventory.j2"
dest: "{{ kolla_inventory_path }}"
# globals.yml
- src: "tests/templates/globals-default.j2"
dest: /etc/kolla/globals.yml
# nova-compute.conf
- src: "tests/templates/nova-compute-overrides.j2"
dest: /etc/kolla/config/nova/nova-compute.conf
when: scenario != "bifrost"
# ceph.conf
- src: "tests/templates/ceph-overrides.j2"
dest: /etc/kolla/config/ceph.conf
when: scenario == "ceph"
# bifrost/dib.yml
- src: "tests/templates/bifrost-dib-overrides.j2"
dest: /etc/kolla/config/bifrost/dib.yml
when: scenario == "bifrost"
when: item.when | default(true)
- name: install kolla-ansible requirements
pip:
requirements: "{{ kolla_ansible_src_dir }}/requirements.txt"
become: true
- name: copy passwords.yml file
copy:
src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
dest: /etc/kolla/passwords.yml
remote_src: true
- name: generate passwords
shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
- name: slurp kolla passwords
slurp:
src: /etc/kolla/passwords.yml
register: passwords_yml
- name: write out kolla SSH private key
copy:
content: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.private_key }}"
dest: ~/.ssh/id_rsa_kolla
mode: 0600
- name: authorise kolla public key for zuul user
authorized_key:
user: "{{ ansible_env.USER }}"
key: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.public_key }}"
# Delegate to each host in turn. If more tasks require execution on all
# hosts in future, break out into a separate play.
with_inventory_hostnames:
- all
delegate_to: "{{ item }}"
# NOTE(mgoddard): We are using the script module here and later to ensure
# we use the local copy of these scripts, rather than the one on the remote
# host, which could be checked out to a previous release (in an upgrade
# job).
- name: Run setup_gate.sh script
script:
cmd: ../tools/setup_gate.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
environment:
BASE_DISTRO: "{{ base_distro }}"
INSTALL_TYPE: "{{ install_type }}"
BUILD_IMAGE: "{{ need_build_image }}"
TAG: "change_{{ zuul.change }}"
KOLLA_SRC_DIR: "{{ ansible_env.HOME }}/src/git.openstack.org/openstack/kolla"
ACTION: "{{ scenario }}"
# At this point we have generated all necessary configuration, and are
# ready to deploy the control plane services. Control flow now depends on
# the scenario being exercised.
# Deploy control plane. For upgrade jobs this is the previous release.
- block:
- name: Run deploy.sh script
script:
cmd: deploy.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
environment:
ACTION: "{{ scenario }}"
- name: Run test-openstack.sh script
script:
cmd: test-openstack.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
environment:
ACTION: "{{ scenario }}"
when: scenario not in ['scenario_nfv']
- name: Run test-scenario-nfv.sh script
script:
cmd: test-scenario-nfv.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
when: scenario == "scenario_nfv"
- name: Run reconfigure.sh script
script:
cmd: reconfigure.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
environment:
ACTION: "{{ scenario }}"
when: scenario != "upgrade"
when: scenario != "bifrost"
# Upgrade: update config.
- block:
- name: Run check-failure.sh script
script:
cmd: check-failure.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
# NOTE(mgoddard): This only affects the remote copy of the repo, not the
# one on the executor.
- name: checkout the current kolla-ansible branch
command:
cmd: "git checkout {{ zuul.branch }}"
chdir: "{{ kolla_ansible_src_dir }}"
# Use the new kolla-ansible repo to generate config files.
# This is the branch checked out on the executor, so we can use
# template directly rather than the remote-template role.
- name: Generate configuration files
template:
src: "{{ kolla_ansible_local_src_dir }}/{{ item.src }}"
dest: "{{ item.dest }}"
vars:
is_previous_release: false
with_items:
# Ansible inventory
- src: "tests/templates/inventory.j2"
dest: "{{ kolla_inventory_path }}"
# globals.yml
- src: "tests/templates/globals-default.j2"
dest: /etc/kolla/globals.yml
# nova-compute.conf
- src: "tests/templates/nova-compute-overrides.j2"
dest: /etc/kolla/config/nova/nova-compute.conf
# ceph.conf
- src: "tests/templates/ceph-overrides.j2"
dest: /etc/kolla/config/ceph.conf
when: "'ceph' in scenario"
when: item.when | default(true)
- name: upgrade kolla-ansible requirements
pip:
requirements: "{{ kolla_ansible_src_dir }}/requirements.txt"
become: true
# Update passwords.yml to include any new passwords added in this
# release.
- name: move passwords.yml to passwords.yml.old
command: mv /etc/kolla/passwords.yml /etc/kolla/passwords.yml.old
- name: copy passwords.yml file
copy:
src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
dest: /etc/kolla/passwords.yml
remote_src: true
- name: generate new passwords
shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
- name: merge old and new passwords
shell: >-
{{ kolla_ansible_src_dir }}/tools/merge_passwords.py
--old /etc/kolla/passwords.yml.old
--new /etc/kolla/passwords.yml
--final /etc/kolla/passwords.yml
# Perform an upgrade to the in-development code.
- name: Run upgrade.sh script
shell:
cmd: tests/upgrade.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
environment:
ACTION: "{{ scenario }}"
- name: Run test-openstack.sh script
shell:
cmd: tests/test-openstack.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
environment:
ACTION: "{{ scenario }}"
when: scenario == "upgrade"
# Bifrost testing.
- block:
- name: Run deploy-bifrost.sh script
shell:
cmd: tests/deploy-bifrost.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
- name: Run test-bifrost.sh script
shell:
cmd: tests/test-bifrost.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
- name: Run upgrade-bifrost.sh script
shell:
cmd: tests/upgrade-bifrost.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
when: scenario == "bifrost"
- name: Run check-failure.sh script
shell:
cmd: tests/check-failure.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"
- name: Run check-config.sh script
shell:
cmd: tests/check-config.sh
executable: /bin/bash
chdir: "{{ kolla_ansible_src_dir }}"