The current `dpkg --configure -a` command does not always work if the
package that needs to be configured has a modified conffile which can
require user input to resolve. This change adds flags to make these
lines work as intended in that scenario.
Change-Id: I8f459b0c1c2fc7ecbe1ff478bdb77fd9af31dc90

While working on another change, I discovered conditions
in many test cases that echoed fail messages but did not
actually exit, so the gate could succeed even though some
tests failed. This patchset aims to fix those problems, and
then fix the problems masked by those problems:
1) fix bug in revert function of file permissions module
preventing permissions from being reverted.
2) fix various syntax and logic problems in test script
3) add wait_for_tiller_ready function to avoid race condition
with test script using helm too early
4) add install for ethtool in test script
5) ignore ethtool pod failures (see note #1 in [0])
6) make logging of test results more uniform
7) Fix error message logic in perm.sh
8) Fix case in _shcommon.tpl where error message was not
logged, causing test script to unnecessarily wait for
container timeout
[0]: https://review.opendev.org/676010
Change-Id: I22182d35250c37c96e73d9f5f49abfb2246f2a35

All Airship projects are moving to GitHub issues. This change adds a
GitHub security policy that links to the official Airship vulnerability
management process [0]. When users on GitHub click "New Issue" on this
GitHub repository, they will see an option to report a security
vulnerability, which will direct them to our official policy.
[0] https://airship-docs.readthedocs.io/en/latest/security/vulnerabilities.html
Change-Id: Iaf060dd0085c21f0c4f18f100e3e053b5ceedbed
Signed-off-by: Drew Walters <andrew.walters@att.com>

This adds a default AppArmor profile to divingbell.
Also, updates the gate script to install ethtool if it is not present.
Change-Id: I7abb13a533b596f4db5fe65fdae5eb7fc57ec00a

This change adds the --no-install-recommends flag to the apt-get
install command portion of _apt.sh.tpl. This will modify Divingbell
to only install direct dependencies of packages instead of following
the default apt behavior, which is to also install recommended packages.
Change-Id: I118a72e1e591101b0e2878e088e9fbaa96067d2c

This change adds a whitelist of packages that will be ignored when using
strict mode.
Change-Id: I9138f35a72618100e6094575271f6160336332f4
Signed-off-by: Drew Walters <andrew.walters@att.com>

This patchset makes two changes for strict mode only:
1) Removes the --autoremove flag from the apt-get purge
command line
2) Causes the install stage to call apt-get install on
all packages regardless of whether they're already
installed. This will have the effect of marking all
requested packages as manually installed if they
were previously auto-installed.
Change-Id: Ic1a39205c941973af9d82685180d28457ea2011f

Currently, divingbell-apt will only remove packages that aren't
on the current requested package list when they were previously
installed by divingbell-apt. This patchset adds a "strict" mode
which causes it to remove packages not on the requested package
list regardless of whether divingbell installed them (i.e., it
can remove unwanted packages that were part of the host's base
image).
Change-Id: Ie2ba5d47646bfaaf030cb54673e644ab0e917fd4
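The selection rules described in the three strict-mode commits above (the whitelist, the dropped `--autoremove` and the unconditional `apt-get install`, and the strict removal of packages divingbell did not install) can be illustrated as plain shell set logic. This is an added example, not the chart's own `_apt.sh.tpl` code: package lists are newline-separated names, the `DB_INSTALLED` list of packages divingbell installed earlier is an assumed tracking format, and `-y` is used only so the printed command lines are non-interactive.

```shell
#!/bin/sh
# Added illustration of divingbell-apt's default vs. strict selection rules.
# Not the chart's own code. Assumptions: package lists are newline-separated
# names; DB_INSTALLED (packages divingbell installed earlier) is a constructed
# tracking list for this example.

# set_minus LEFT RIGHT: print the lines of LEFT that do not occur in RIGHT,
# preserving LEFT's order. POSIX awk only, so it runs under sh as well as bash.
set_minus() {
  printf '%s\n' "$1" | awk -v right="$2" '
    BEGIN {
      n = split(right, r, "\n")
      for (i = 1; i <= n; i++) if (r[i] != "") seen[r[i]] = 1
    }
    $0 != "" && !($0 in seen)'
}

# purge_set MODE INSTALLED REQUESTED WHITELIST DB_INSTALLED
purge_set() {
  m=$1 inst=$2 req=$3 wl=$4 db=$5
  case $m in
    strict)
      # keep = requested + whitelist; anything else that is installed is a
      # purge candidate, including packages from the host's base image.
      set_minus "$inst" "$(printf '%s\n%s' "$req" "$wl")" ;;
    *)
      # Only packages divingbell installed earlier that are no longer
      # requested; base-image packages are never touched.
      set_minus "$db" "$req" ;;
  esac
}

# install_set MODE INSTALLED REQUESTED
install_set() {
  m=$1 inst=$2 req=$3
  case $m in
    strict) printf '%s\n' "$req" ;;      # every requested package, so previously
                                         # auto-installed ones are re-marked manual
    *)      set_minus "$req" "$inst" ;;  # only what is missing
  esac
}

# purge_cmd MODE PKG...: strict mode omits --autoremove from the purge line.
purge_cmd() {
  m=$1; shift
  case $m in
    strict) printf 'apt-get purge -y %s\n' "$*" ;;
    *)      printf 'apt-get purge -y --autoremove %s\n' "$*" ;;
  esac
}

# Constructed sample data for a stand-alone run: `sh thisfile.sh demo`.
demo() {
  INST="$(printf 'bash\ncoreutils\ncurl\nethtool\nnano\ntelnet')"
  REQ="$(printf 'ethtool\nnano\nvim')"
  WL="$(printf 'bash\ncoreutils')"
  DB="$(printf 'nano\ntelnet')"
  for mode in default strict; do
    echo "== $mode mode =="
    echo "purge:   $(purge_set "$mode" "$INST" "$REQ" "$WL" "$DB" | tr '\n' ' ')"
    echo "install: $(install_set "$mode" "$INST" "$REQ" | tr '\n' ' ')"
    purge_cmd "$mode" $(purge_set "$mode" "$INST" "$REQ" "$WL" "$DB")
  done
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

With the constructed data, default mode purges only `telnet` (divingbell installed it and it is no longer requested) while strict mode also purges `curl`, which came with the base image; `bash` and `coreutils` survive strict mode only because they are whitelisted, which is why the whitelist matters before strict mode is switched on.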
This change allows conf.apt.packages to be defined as a map of lists,
allowing for logical grouping and easier substitution when values.yaml
is being assembled from multiple sources.
The existing format (conf.apt.packages as a list) is still supported.
Change-Id: I4d4c09723b2e9ac1f0ecf847e786d991cc6e669a

During the recent Airship Working Committee meeting, the committee
addressed feedback from the Airship confirmation review [0]. One such
item was concerned with copyright footers mistakenly claiming rights to
all Airship documentation.
This change updates the footer to attribute documentation to the
Divingbell authors.
[0] https://etherpad.openstack.org/p/airship-wc-meeting-2019-12-09
Change-Id: I954141c18175a263973d4288c7d559c0419e08dc
Signed-off-by: Drew Walters <andrew.walters@att.com>

blacklistpkgs supports a list of package names only.
This updates the documentation to match the current functionality.
Change-Id: Ic6f586aa89773ea22e9bf54610ea968243583ac5

The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled, default policies allow all ingress and
egress traffic (i.e., policy set to {}); this may be
changed in future patch-sets.
Change-Id: I2adb5e652c1da0a1982ab18c498f033910a47cd8

Currently, the APT daemonset allows the installation of new packages or
upgrade of existing packages to a newer version. Sometimes, it may be
desirable to trigger an update for all packages. This change introduces
the ability to trigger a full-system upgrade using the .conf.apt.upgrade
chart value. The new option is disabled by default.
Change-Id: I611422c2093b9dbbae4e2d7cc05ebd726e895c88
Signed-off-by: Drew Walters <andrew.walters@att.com>

Gate enhancements:
1. On certain opendev hardware, it's not possible to change
ethtool tunables, or the expected tunables are unavailable.
Until we have a mechanism to schedule to the right hardware,
we will issue a warning whenever these tests fail instead of
failing the gate.
2. Add a check so that gate script will not run until there are
no other instances of the gate script running on the same node,
as this can cause spurious gate failures.
3. Print gate script tracebacks in the event of gate script failure
4. Increase check interval for two exec tests that were seen to fail
on one occasion due to insufficient wait time.
Change-Id: Ifdbb203a1b14242e3801ba10ef7e932931771878

The docs-on-readthedocs template job requires rtd_project_name
parameter, because it's different from the project name.
Change-Id: Ibb2610c9bf997e77803bf10fdb1ee1c5423c6c96

1. There is an occasional timing issue when container logs are
unavailable at certain points in the crash loop at the same
time the gate script tries to request them. The gate will now retry
this operation, instead of terminating right away with failure.
2. Re-enable uamlite security context so that useradd operations would
succeed.
3. Change apt pinning tests to use a version of the package that is
available in the apt repo. Upstream repos change, so we should not
pin to an explicit version that will be removed in the future and
break the gate.
4. Update helm version to 2.14.1 to sync with openstack-helm-infra
5. Fix divingbell build script: git --depth=1 incompatible with explicit
non-master commit checkout
6. Enhance overrides test case #7 to test for the issue identified in
[0].
7. Change hostname scheduling to match minikube hostname now configured
by OSH gate, instead of using the node's actual hostname
8. Re-enable gate voting
[0] https://storyboard.openstack.org/#!/story/2005936
Depends-On: https://review.opendev.org/671875/
Change-Id: Iad983ce363711e16ccd54e663c23d30a4a6a1177

The Divingbell Ubuntu job is currently a voting job, even though it does
not run as a gate job on merged changes. Since the OpenDev migration,
the job has failed consistently. New issues have surfaced while
attempting to correct the issue [0].
This change moves the job to non-voting in order to allow the merge of
critical work while the cause of the failures is investigated.
[0] https://review.opendev.org/663392
Change-Id: Ie44bb7f0160acc362af212028cc553ec99090acd
Signed-off-by: Drew Walters <andrew.walters@att.com>

This makes the main container within the apt daemonset run as
privileged, which is required to perform kernel upgrades through it.
It was confirmed that even with all capabilities enabled, an
unprivileged apt is unable to perform the necessary updates to
the boot partition during a kernel upgrade.
Change-Id: I4e996794f24fcfc9d8ced7a58cecd2ceec36f6c5

Previously _uamlite.sh.tpl would fail to render if any user data
had an empty user_sshkeys array. This is because the template would
check to see if the key existed, but not actually make sure that the
array contained within that key had any elements. "first" would be
called against the empty array, which would return nil, and then
the outer eq function call would fail (as it can't be used to
compare nil values).
This patch set adds a default statement after the "first" function,
so that if the array is empty and first returns nil, a default of
"Unmanaged" will be returned, which will end up making the eq
statement evaluate to false, and the code inside the if statement to
not be run.
Change-Id: I52713795284cd1d0961bd430858061f9df9c5f78

Use the common logger for consistent log output for some echo statements
that were not making use of it.
Change-Id: I7fae2a950318f5cd3245a4571dc464009726d4ae

This PS allows avoiding the use of assignments, which are not supported
in older versions of Helm (GO<1.11).
Change-Id: Ic0dad4d1b60071c4366c63834f1ad7e3a76fdcd8

This commit introduces a non-voting job to lint Helm charts against the
latest version of Helm toolkit from OpenStack-Helm Infra. This job
should serve as an indicator of when it's safe to advance the version of
Helm toolkit used by Airship.
Additionally, this commit modifies all Helm chart lint jobs to run on
each commit, regardless of the files modified by a change. This should
not introduce a noticeable difference in CI runtime, as these jobs
execute quicker than the tox jobs.
Change-Id: Iffbe718f2f8cabaac74910e0c40a13e17e3f0578

A recent change made most Divingbell Daemonsets run as unprivileged containers:
https://review.openstack.org/#/c/639435/
Change-Id: If4e04368a3de3c7de7a3cf64692e5dd1294234b6