Add most basic molecule test for ssh connection plugin

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/939274 Change-Id: I89b9935367e62244dac24c584954f06cf97b95ee
2025-01-22 17:58:16 +00:00
parent 7401a10fc6
commit b944baf7fc
6 changed files with 241 additions and 30 deletions
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -0,0 +1,31 @@
+# basic smoke test that the builtin and OSA connection plugins
+# can connect to the target
+
+- name: Gather facts from container hosts - builtin ssh plugin
+  hosts: osa_plugins_ssh
+  remote_user: root
+  vars:
+    ansible_connection: ansible.builtin.ssh
+  gather_facts: false
+  tasks:
+
+    - name: Ensure ssh connection is working
+      vars:
+        ansible_connection: local
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+      ansible.builtin.wait_for:
+        port: 22
+        host: '{{ (ansible_ssh_host|default(ansible_host))|default(inventory_hostname) }}'
+        search_regex: OpenSSH
+        delay: 5
+
+    - name: gather facts
+      ansible.builtin.setup:
+
+
+- name: Gather facts from container hosts - openstack-ansible ssh plugin
+  hosts: osa_plugins_ssh
+  remote_user: root
+  vars:
+    ansible_connection: openstack.osa.ssh
+  gather_facts: true
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,49 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+    force: true
+
+driver:
+  name: docker
+
+platforms:
+  - name: "osa_plugins-${MOLECULE_SCENARIO_NAME}"
+    image: "${DOCKER_REGISTRY:-quay.io/gotmax23}/${DOCKER_IMAGE_TAG:-ubuntu-systemd:jammy}"
+    command: ${DOCKER_COMMAND:-""}
+    pre_build_image: true
+    privileged: true
+    systemd: true
+    groups:
+      - osa_plugins
+    docker_networks:
+      - name: osa_plugins
+        ipam_config:
+          - subnet: '10.1.0.0/24'
+    networks:
+      - name: osa_plugins
+        ipv4_address: '10.1.0.100'
+
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+  inventory:
+    group_vars:
+      all:
+        ansible_ssh_private_key_file: '~/.ssh/molecule'
+    hosts:
+      all:
+        children:
+          osa_plugins_ssh:
+            hosts:
+              osa_plugins_ssh-${MOLECULE_SCENARIO_NAME}:
+                ansible_host: 10.1.0.100
+  config_options:
+    defaults:
+      inject_facts_as_vars: false
+      host_key_checking: false
+
+scenario:
+  name: default
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,99 @@
+# Copyright 2025, Cleura AB.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Generate an SSH key locally
+  hosts: localhost
+  tasks:
+    - name: Generate an OpenSSH keypair
+      community.crypto.openssh_keypair:
+        path: ~/.ssh/molecule
+      register: keypair
+
+- name: Prepare docker containers
+  hosts: osa_plugins
+  vars:
+    sshd_package_name:
+      debian: openssh-server
+      redhat: openssh-server
+    apparmor_package_name:
+      debian: apparmor
+      redhat: ''
+    iproute_package_name:
+      redhat: iproute
+      debian: iproute2
+    iputils_package_name:
+      redhat: iputils
+      debian: iputils-ping
+    ssh_service_name:
+      redhat: sshd
+      debian: ssh
+    install_packages:
+      - "{{ sshd_package_name[ansible_facts['os_family'] | lower] }}"
+      - "{{ apparmor_package_name[ansible_facts['os_family'] | lower] }}"
+      - "{{ iproute_package_name[ansible_facts['os_family'] | lower] }}"
+      - "{{ iputils_package_name[ansible_facts['os_family'] | lower] }}"
+  handlers:
+    - name: Restart sshd service
+      ansible.builtin.systemd:
+        name: "{{ ssh_service_name[ansible_facts['os_family'] | lower] }}"
+        state: restarted
+  tasks:
+    - name: Install required packages
+      ansible.builtin.package:
+        name: "{{ install_packages | select() }}"
+        update_cache: "{{ (ansible_facts['os_family'] | lower == 'debian') | ternary(true, omit) }}"
+
+    - name: Ensure required services are running
+      ansible.builtin.systemd:
+        name: "{{ item }}"
+        state: started
+        enabled: true
+        masked: false
+      with_items:
+        - "{{ ssh_service_name[ansible_facts['os_family'] | lower] }}"
+
+    - name: Ensure PAM is disabled for EL
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config.d/50-redhat.conf
+        regexp: "^UsePAM"
+        state: absent
+      notify:
+        - Restart sshd service
+      when:
+        - ansible_facts['os_family'] | lower == 'redhat'
+
+    - name: Ensure root user is not locked
+      ansible.builtin.user:
+        name: root
+        password: '*'
+
+    - name: Adjust apparmor
+      when: ansible_facts['os_family'] | lower == 'debian'
+      block:
+        - name: Teardown existing apparmor profiles
+          ansible.builtin.command: aa-teardown
+          failed_when: false
+          changed_when: false
+
+        - name: Restart apparmor
+          ansible.builtin.systemd:
+            name: apparmor
+            state: restarted
+            enabled: true
+            masked: false
+
+    - name: Set authorized key taken from file
+      ansible.posix.authorized_key:
+        user: root
+        state: present
+        key: "{{ lookup('file', '~/.ssh/molecule.pub') }}"
--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,44 @@
+roles:
+  - name: apt_package_pinning
+    scm: git
+    src: https://opendev.org/openstack/openstack-ansible-apt_package_pinning
+    version: master
+  - name: systemd_networkd
+    src: https://opendev.org/openstack/ansible-role-systemd_networkd
+    scm: git
+    version: master
+  - name: systemd_service
+    src: https://opendev.org/openstack/ansible-role-systemd_service
+    scm: git
+    version: master
+  - name: systemd_mount
+    src: https://opendev.org/openstack/ansible-role-systemd_mount
+    scm: git
+    version: master
+  - name: lxc_hosts
+    src: https://opendev.org/openstack/openstack-ansible-lxc_hosts
+    scm: git
+    version: master
+  - name: lxc_container_create
+    src: https://opendev.org/openstack/openstack-ansible-lxc_container_create
+    scm: git
+    version: master
+collections:
+  - name: openvswitch.openvswitch
+    source: https://github.com/ansible-collections/openvswitch.openvswitch
+    type: git
+    version: 2.1.1
+  - name:  https://opendev.org/openstack/ansible-config_template
+    type: git
+    version: master
+  - name: https://github.com/ansible-collections/ansible.utils
+    version: main
+    type: git
+  - name: community.general
+    source: https://github.com/ansible-collections/community.general
+    type: git
+    version: 10.2.0
+  - name: community.crypto
+    source: https://github.com/ansible-collections/community.crypto
+    type: git
+    version: 2.22.3
--- a/tox.ini
+++ b/tox.ini
@@ -1,7 +1,7 @@
 [tox]
-minversion = 3.1
+minversion = 4.0
 skipsdist = True
-envlist = docs,linters,functional,func_py3
+envlist = docs,functional,molecule
 ignore_basepython_conflict = True

 [testenv]
@@ -52,36 +52,23 @@ commands =
 commands =
    {posargs}

-[testenv:pep8]
-commands =
-    bash -c "{toxinidir}/tests/common/test-pep8.sh"
-
-[flake8]
-# Ignores the following rules due to how ansible modules work in general
-#     F403 'from ansible.module_utils.basic import *' used;
-#          unable to detect undefined names
-ignore=F403,F405,W503
-
-[testenv:bashate]
-commands =
-    bash -c "{toxinidir}/tests/common/test-bashate.sh"
-
-[testenv:ansible-syntax]
-commands =
-    bash -c "{toxinidir}/tests/common/test-ansible-syntax.sh"
-
-[testenv:ansible-lint]
-commands =
-    bash -c "{toxinidir}/tests/common/test-ansible-lint.sh"
-
 [testenv:functional]
 commands =
    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"

-[testenv:linters]
+[testenv:molecule]
+# You can use DOCKER_REGISTRY and DOCKER_IMAGE_TAG to switch between
+# tested distros. I.e:
+# DOCKER_IMAGE_TAG=ubuntu-systemd:jammy tox -e molecule
+deps =
+    -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
+    -r{env:OSA_TEST_REQUIREMENTS_FILE:https://opendev.org/openstack/openstack-ansible/raw/branch/{env:TEST_BRANCH:master}/test-requirements.txt}
+
 commands =
-    bash -c "{toxinidir}/tests/common/test-ansible-env-prep.sh"
-    {[testenv:pep8]commands}
-    {[testenv:bashate]commands}
-    {[testenv:ansible-lint]commands}
-    {[testenv:ansible-syntax]commands}
+    molecule test
+
+passenv =
+    {[testenv]passenv}
+    DOCKER_REGISTRY
+    DOCKER_IMAGE_TAG
+    DOCKER_COMMAND
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -19,6 +19,7 @@
      - publish-openstack-docs-pti
      - build-release-notes-jobs-python3
      - openstack-ansible-role-jobs
+      - openstack-ansible-molecule
      - openstack-ansible-upgrade-infra_lxc-jobs
      - openstack-ansible-deploy-infra_lxc-jobs
    check: