Add system-config-run-eavesdrop

Add a job which runs testinfra for the eavesdrop server.  When we
have a per-hostgroup playbook, we will add it to this job too.

The puppet group is removed from the run-base job because the
groups.yaml file is now used to construct groups (as it does
in production) and will construct the group correctly.

The testinfra iptables module may throw an error if it's run
multiple times simultaneously on the same host.  To avoid this,
stop using parallel execution.

Change-Id: I1a7bab5c14b0da22393ab568000d0921c28675aa

.zuul.yaml

@@ -131,14 +131,6 @@
           label: ubuntu-bionic
         - name: centos7
           label: centos-7
-      groups:
-        # We test puppet installation on this group.  Note bionic not
-        # in here as we have no bionic puppeted nodes (yet?)
-        - name: puppet
-          nodes:
-            - trusty
-            - xenial
-            - centos7
     host-vars:
       trusty:
         ansible_python_interpreter: python2
@@ -153,6 +145,21 @@
       - roles/.*
       - testinfra/.*
 
+- job:
+    name: system-config-run-eavesdrop
+    nodeset:
+      nodes:
+        - name: bridge.openstack.org
+          label: ubuntu-bionic
+        - name: eavesdrop01.openstack.org
+          label: ubuntu-xenial
+    pre-run: playbooks/zuul/run-base-pre.yaml
+    run: playbooks/zuul/run-base.yaml
+    files:
+      - .zuul.yaml
+      - playbooks/group_vars/eavesdrop.yaml
+      - testinfra/test_eavesdrop.py
+
 - project:
     templates:
       - system-config-zuul-role-integration
@@ -163,6 +170,7 @@
         - puppet-beaker-rspec-puppet-4-infra-system-config
         - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
         - system-config-run-base
+        - system-config-run-eavesdrop
     gate:
       jobs:
         - puppet-beaker-rspec-infra-system-config
@@ -170,3 +178,4 @@
         - puppet-beaker-rspec-puppet-4-infra-system-config
         - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
         - system-config-run-base
+        - system-config-run-eavesdrop

inventory/groups.yaml

@@ -32,7 +32,7 @@ groups:
   ns: inventory_hostname.startswith('ns')
   paste: inventory_hostname.startswith('paste')
   pbx: inventory_hostname.startswith('pbx')
-  puppet: not inventory_hostname.startswith('bridge')
+  puppet: not (inventory_hostname.startswith('bridge') or inventory_hostname.startswith('bionic'))
   refstack: inventory_hostname.startswith('refstack')
   review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
   review: inventory_hostname is match('review\d+\.openstack\.org')

playbooks/zuul/run-base.yaml

@@ -12,17 +12,17 @@
         write_inventory_dest: /etc/ansible/hosts/inventory.yaml
         write_inventory_exclude_hostvars:
           - ansible_user
-    - name: Update ansible.cfg to use job inventory
-      ini_file:
-        path: /etc/ansible/ansible.cfg
-        section: defaults
-        option: inventory
-        value: /etc/ansible/hosts/inventory.yaml
     - name: Set up /opt/system-config repo
       git:
         repo: /home/zuul/src/git.openstack.org/openstack-infra/system-config
         dest: /opt/system-config
         force: yes
+    - name: Update ansible.cfg to use job inventory
+      ini_file:
+        path: /etc/ansible/ansible.cfg
+        section: defaults
+        option: inventory
+        value: /etc/ansible/hosts/inventory.yaml,/opt/system-config/inventory/groups.yaml
     - name: Make host_vars directory
       file:
         path: "/etc/ansible/hosts/host_vars"
@@ -41,6 +41,8 @@
         dest: "/etc/ansible/hosts/{{ item }}"
       loop:
         - group_vars/all.yaml
+    - name: Display group membership
+      command: ansible localhost -m debug -a 'var=groups'
     - name: Run base.yaml
       command: ansible-playbook /home/zuul/src/git.openstack.org/openstack-infra/system-config/playbooks/base.yaml
     - name: Run testinfra to validate configuration
@@ -48,4 +50,3 @@
         name: tox
       vars:
         tox_envlist: testinfra
-        tox_extra_args: testinfra/test_base.py

test-requirements.txt

@@ -8,6 +8,3 @@ ansible-lint
 openstacksdk
 zuul-sphinx>=0.2.3
 testinfra
-# pytest-xdist is a plugin for pytest which allows parallel execution,
-# used by testinfra
-pytest-xdist

testinfra/test_base.py

@@ -15,6 +15,9 @@
 import socket
 
 
+testinfra_hosts = ['all']
+
+
 def get_ips(value, family=None):
     ret = set()
     try:

testinfra/test_eavesdrop.py

@@ -0,0 +1,25 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['eavesdrop01.openstack.org']
+
+
+def test_eavesdrop(host):
+    rules = host.iptables.rules()
+    rules = [x.strip() for x in rules]
+
+    web = ('-A openstack-INPUT -p tcp -m state --state NEW'
+           ' -m tcp --dport 80 -j ACCEPT')
+    assert web in rules

tox.ini

@@ -32,7 +32,7 @@ deps = -r{toxinidir}/doc/requirements.txt
 commands = sphinx-build -W -E -b html doc/source doc/build/html
 
 [testenv:testinfra]
-commands = py.test -n 5 --junit-xml junit.xml --connection=ansible --ansible-inventory=/etc/ansible/hosts/inventory.yaml --hosts=all -v {posargs}
+commands = py.test --junit-xml junit.xml --connection=ansible --ansible-inventory=/etc/ansible/hosts/inventory.yaml -v testinfra {posargs}
 
 [flake8]
 show-source = True