3e2d7afa05
Due to CVE-2023-5764 conditional statements should not include jinja2 templating anymore and result in warnings/failures This patch replaces Jinja tags with slightly different format that leads to the same result/logic. Change-Id: I049ac770b32152866194190e54f5947fe7589b39
129 lines
4.5 KiB
YAML
129 lines
4.5 KiB
YAML
---
|
|
# Copyright 2018, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# This playbook is meant to run after setup-hosts.
|
|
# To succeed, it expects the setup-hosts playbook to have run successfuly.
|
|
|
|
# Test if the openstack-hosts-setup play was a success.
|
|
# TO BE IMPLEMENTED
|
|
|
|
# Test if security-hardening was a success.
|
|
# TO BE IMPLEMENTED
|
|
|
|
# Test if containers-deploy was a success.
|
|
# Ensure the lxc containers are properly setup
|
|
- name: Ensuring hosts good behavior
|
|
hosts: lxc_hosts
|
|
gather_facts: yes
|
|
tasks:
|
|
- name: Looking for dnsmasq process
|
|
command: pgrep dnsmasq
|
|
changed_when: false
|
|
|
|
- name: Ensuring containers creation, connection and good behavior
|
|
hosts: all_containers
|
|
gather_facts: yes
|
|
tasks:
|
|
- name: Gather additional facts
|
|
setup:
|
|
gather_subset: "!all,network"
|
|
filter: ansible_interfaces
|
|
delegate_to: "{{ physical_host }}"
|
|
delegate_facts: true
|
|
|
|
- name: Ensure the physical host has all the proper interfaces defined
|
|
assert:
|
|
that:
|
|
- item.value.bridge in hostvars[physical_host]['ansible_facts']['interfaces']
|
|
with_dict: "{{ container_networks }}"
|
|
|
|
- name: Check if dns resolution and external connectivity is fine
|
|
get_url:
|
|
url: https://opendev.org/openstack/openstack-ansible/raw/ansible-role-requirements.yml
|
|
dest: /tmp/osa-master-requirements
|
|
mode: "0600"
|
|
environment: "{{ deployment_environment_variables | default({}) }}"
|
|
|
|
# Test extra settings before setup-infrastructure
|
|
- name: Ensure the internal_interfaces are well in the right range
|
|
hosts: localhost
|
|
gather_facts: no
|
|
tasks:
|
|
- name: Check your internal network is using private ips
|
|
assert:
|
|
that:
|
|
- internal_lb_vip_address | ansible.utils.ipaddr('private')
|
|
|
|
# Test openstack_hosts role
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
become: true
|
|
gather_facts: true
|
|
tasks:
|
|
- name: Open modules file
|
|
slurp:
|
|
src: "{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('/etc/modules', '/etc/modules-load.d/openstack-ansible.conf') }}"
|
|
register: modules_file
|
|
|
|
- name: Open sysctl file
|
|
slurp:
|
|
src: /etc/sysctl.conf
|
|
register: sysctl_file
|
|
|
|
- name: Open hosts file
|
|
slurp:
|
|
src: /etc/hosts
|
|
register: hosts_file
|
|
|
|
- name: Open /etc/environment file
|
|
slurp:
|
|
src: /etc/environment
|
|
register: environment_file
|
|
|
|
- name: Read files
|
|
set_fact:
|
|
modules_content: "{{ modules_file.content | b64decode }}"
|
|
sysctl_content: "{{ sysctl_file.content | b64decode }}"
|
|
hosts_content: "{{ hosts_file.content | b64decode }}"
|
|
environment_content: "{{ environment_file.content | b64decode }}"
|
|
|
|
- name: Check for release file
|
|
stat:
|
|
path: /etc/openstack-release
|
|
register: release_file
|
|
|
|
- name: Check for systat file
|
|
stat:
|
|
path: "{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('/etc/default/sysstat', '/etc/sysconfig/sysstat') }}"
|
|
register: systat_file
|
|
|
|
- name: Check for ssh dir
|
|
stat:
|
|
path: "{{ ansible_facts['env']['HOME'] }}/.ssh"
|
|
register: ssh_dir
|
|
|
|
- name: Check role functions
|
|
assert:
|
|
that:
|
|
- "'dm_multipath' in modules_content"
|
|
- "'ebtables' in modules_content"
|
|
- "'vm.swappiness' in sysctl_content"
|
|
- "('172.29.236.100 ' ~ ansible_facts['fqdn'] ~ ' ' ~ ansible_facts['hostname']) in hosts_content"
|
|
- "(hostvars[groups['galera_all'][0]]['management_address'] ~ ' ' ~ hostvars[groups['galera_all'][0]]['ansible_facts']['hostname'] ~ '.openstack.local ' ~ hostvars[groups['galera_all'][0]]['ansible_facts']['hostname'] ~ ((hostvars[groups['galera_all'][0]]['ansible_facts']['hostname'] != groups['galera_all'][0]) | ternary(' ' ~ groups['galera_all'][0], ''))) in hosts_content" # noqa: yaml[line-length]
|
|
- "release_file.stat.exists"
|
|
- "systat_file.stat.exists"
|
|
- "'PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' in environment_content"
|
|
- "ssh_dir.stat.isdir"
|