From f5ad7829c3a327d367be1ce807d2867f254fab2a Mon Sep 17 00:00:00 2001
From: Matt Crees
Date: Thu, 19 Sep 2024 13:10:00 +0100
Subject: [PATCH] Prevent accidental downgrades of RabbitMQ

As version-check.yml is added to deploy.yml, we must make sure the tasks are only run when the rabbitmq container exists.

Change-Id: Iaa31bae739110094affb5e402ed9ac40b153ac3d
---
 ansible/roles/rabbitmq/tasks/deploy.yml | 2 +
 .../roles/rabbitmq/tasks/version-check.yml | 122 +++++++++++-------
 ...itmq-catch-downgrade-1005c7475a97bf19.yaml | 5 +
 3 files changed, 79 insertions(+), 50 deletions(-)
 create mode 100644 releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml
diff --git a/ansible/roles/rabbitmq/tasks/deploy.yml b/ansible/roles/rabbitmq/tasks/deploy.yml
index 7be978c440..5686a515c2 100644
--- a/ansible/roles/rabbitmq/tasks/deploy.yml
+++ b/ansible/roles/rabbitmq/tasks/deploy.yml
@@ -1,4 +1,6 @@
 ---
+- import_tasks: version-check.yml
+
 - include_tasks: remove-ha-all-policy.yml
 when:
 - not om_enable_rabbitmq_high_availability | bool
diff --git a/ansible/roles/rabbitmq/tasks/version-check.yml b/ansible/roles/rabbitmq/tasks/version-check.yml
index 25d196202f..22fe9475d5 100644
--- a/ansible/roles/rabbitmq/tasks/version-check.yml
+++ b/ansible/roles/rabbitmq/tasks/version-check.yml
@@ -1,59 +1,81 @@ --- - block: - - name: Get current RabbitMQ version - vars: - service_name: "rabbitmq" - service: "{{ rabbitmq_services[service_name] }}" + - name: Get container facts become: true - command: "{{ kolla_container_engine }} exec {{ service.container_name }} rabbitmqctl --version" - register: rabbitmq_version_current - changed_when: false + kolla_container_facts: + action: get_containers + container_engine: "{{ kolla_container_engine }}" + name: + - "{{ service.container_name }}" + register: container_facts - - name: Get new RabbitMQ version - become: true - vars: - rabbitmq_container: "{{ rabbitmq_services['rabbitmq'] }}" - kolla_container: - action: "start_container" - command: "rabbitmqctl --version" - detach: false - environment: - KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}" - image: "{{ rabbitmq_container.image }}" - name: "rabbitmq_version_check" - restart_policy: oneshot - volumes: "{{ rabbitmq_default_volumes + rabbitmq_extra_volumes }}" - register: rabbitmq_version_new - failed_when: false - check_mode: false + - block: + - name: Get current RabbitMQ version + become: true + command: "{{ kolla_container_engine }} exec {{ service.container_name }} rabbitmqctl --version" + register: rabbitmq_version_current + changed_when: false - # As an example, when the new RabbitMQ version is 3.13.6: - # new_major_version = 3 - # new_minor_version = 13 - # new_version = 3.13 - # And if the current RabbitMQ version is 3.11.28: - # upgrade_version = 3.12 - - name: Check if running RabbitMQ is at most one version behind - vars: - current_version_major: "{{ rabbitmq_version_current.stdout | regex_search('^[0-9]+') }}" - current_version_minor: "{{ rabbitmq_version_current.stdout | regex_search('(?<=.)[^.].') }}" - current_version: "{{ rabbitmq_version_current.stdout | regex_replace('.[^.]+$', '') }}" - new_version_major: "{{ rabbitmq_version_new.stdout | regex_search('^[0-9]+') }}" - new_version_minor: "{{ rabbitmq_version_new.stdout | 
regex_search('(?<=.)[^.].') }}" - new_version: "{{ rabbitmq_version_new.stdout | regex_replace('.[^.]+$', '') }}" - # Note: this assumes 3.13 will be the last release before 4.0. - upgrade_version: "{{ '4.0' if current_version == '3.13' else current_version_major + '.' + (current_version_minor | int + 1) | string }}" - assert: - that: (current_version_major == new_version_major and - new_version_minor | int - current_version_minor | int <= 1) or - (new_version | float == 4.0 and current_version | float == 3.13) - fail_msg: > - Looks like you're trying to run a skip-release upgrade! - RabbitMQ must be at most one version behind the target release version ({{ rabbitmq_version_new.stdout | trim }}) to run this upgrade. - You are running {{ rabbitmq_version_current.stdout }}. - Please first upgrade to {{ upgrade_version }} with the command ``kolla-ansible rabbitmq-upgrade {{ upgrade_version }}``. - See these docs for more details: https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#slurp + - name: Get new RabbitMQ version + become: true + vars: + rabbitmq_container: "{{ rabbitmq_services['rabbitmq'] }}" + kolla_container: + action: "start_container" + command: "rabbitmqctl --version" + container_engine: "{{ kolla_container_engine }}" + detach: false + environment: + KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}" + image: "{{ rabbitmq_container.image }}" + name: "rabbitmq_version_check" + restart_policy: oneshot + volumes: "{{ rabbitmq_default_volumes + rabbitmq_extra_volumes }}" + register: rabbitmq_version_new + failed_when: false + check_mode: false + + # As an example, when the new RabbitMQ version is 3.13.6: + # new_major_version = 3 + # new_minor_version = 13 + # new_version = 3.13 + # And if the current RabbitMQ version is 3.11.28: + # upgrade_version = 3.12 + - name: Check if running RabbitMQ is at most one version behind + vars: + current_version_major: "{{ rabbitmq_version_current.stdout | regex_search('^[0-9]+') }}" + 
current_version_minor: "{{ rabbitmq_version_current.stdout | regex_search('(?<=.)[^.].') }}" + current_version: "{{ rabbitmq_version_current.stdout | regex_replace('.[^.]+$', '') }}" + new_version_major: "{{ rabbitmq_version_new.stdout | regex_search('^[0-9]+') }}" + new_version_minor: "{{ rabbitmq_version_new.stdout | regex_search('(?<=.)[^.].') }}" + new_version: "{{ rabbitmq_version_new.stdout | regex_replace('.[^.]+$', '') }}" + # Note: this assumes 3.13 will be the last release before 4.0. + upgrade_version: "{{ '4.0' if current_version == '3.13' else current_version_major + '.' + (current_version_minor | int + 1) | string }}" + assert: + that: (current_version_major == new_version_major and + new_version_minor | int - current_version_minor | int <= 1) or + (new_version | float == 4.0 and current_version | float == 3.13) + fail_msg: > + Looks like you're trying to run a skip-release upgrade! + RabbitMQ must be at most one version behind the target release version ({{ rabbitmq_version_new.stdout | trim }}) to run this upgrade. + You are running {{ rabbitmq_version_current.stdout }}. + Please first upgrade to {{ upgrade_version }} with the command ``kolla-ansible rabbitmq-upgrade {{ upgrade_version }}``. + See these docs for more details: https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#slurp + + - name: Catch when RabbitMQ is being downgraded + assert: + that: rabbitmq_version_current.stdout is version(rabbitmq_version_new.stdout | trim, 'le', version_type='semver') + fail_msg: > + Looks like you're about to downgrade RabbitMQ from version {{ rabbitmq_version_current.stdout }} to version {{ rabbitmq_version_new.stdout | trim }}. + If you're absolutely certain you want to do this, please skip the tag `rabbitmq-version-check`. 
+ Otherwise, see these docs for how to pin the version of RabbitMQ: + https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#rabbitmq-versions + + when: container_facts[service.container_name] is defined delegate_to: "{{ groups[role_rabbitmq_groups] | first }}" run_once: true tags: rabbitmq-version-check + vars: + service_name: "rabbitmq" + service: "{{ rabbitmq_services[service_name] }}" diff --git a/releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml b/releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml new file mode 100644 index 0000000000..b5c82ef7ad --- /dev/null +++ b/releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Adds a check to stop deploying/upgrading the RabbitMQ containers if it + will result in downgrading the version of RabbitMQ running.
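Review bot: A downgrade that crosses a major version never reaches the new `Catch when RabbitMQ is being downgraded` assert in version-check.yml, because `Check if running RabbitMQ is at most one version behind` runs first and fails whenever the major versions differ and the 3.13-to-4.0 clause does not match. The operator then sees the skip-release text with an `upgrade_version` derived from the running version instead of the downgrade guidance, so the downgrade task should be placed ahead of the skip-release one. The new test also trims only one operand; `that: rabbitmq_version_current.stdout | trim is version(rabbitmq_version_new.stdout | trim, 'le', version_type='semver')` keeps stray whitespace from failing the strict semver parse. Separately, as far as this hunk shows, `when: container_facts[service.container_name] is defined` is evaluated once on `groups[role_rabbitmq_groups] | first`, so both asserts appear only as skipped tasks when that host lacks the container while other members still run RabbitMQ. A short `debug` task on the negative branch saying the version check was not performed would make that visible in the deploy log.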