#!/bin/bash # # functions - puppet-openstack-integration specific functions # # Install external Puppet modules with r10k # Uses the following variables: # # - ``SCRIPT_DIR`` must be set to script path # - ``GEM_BIN_DIR`` must be set to Gem bin directory install_external() { PUPPETFILE=${SCRIPT_DIR}/Puppetfile1 r10k -v DEBUG puppetfile install } # Install Puppet OpenStack modules with zuul-cloner # Uses the following variables: # # - ``PUPPETFILE_DIR`` must be set to Puppet modules directory # - ``SCRIPT_DIR`` must be set to script path # - ``ZUUL_BRANCH`` must be set to Zuul branch. Fallback to 'master'. # - ``CEPH_VERSION`` can be set to override Ceph version. install_openstack() { # Periodic jobs run without ref on master ZUUL_BRANCH=${ZUUL_BRANCH:-master} if [ "$ZUUL_PROJECT" != "openstack/puppet-ceph" ] && [ -n "$CEPH_VERSION" ]; then if [ "$CEPH_VERSION" == "nautilus" ]; then ZUUL_BRANCH="master" else ZUUL_BRANCH="stable/$CEPH_VERSION" fi fi cat > clonemap.yaml <> ${SCRIPT_DIR}/Puppetfile1 install_external install_openstack else cat ${SCRIPT_DIR}/Puppetfile_unit >> ${SCRIPT_DIR}/Puppetfile install_all fi } # Write out basic hiera configuration # # Uses the following variables: # - ``SCRIPT_DIR`` must be set to the dir that contains a /hiera folder to use # - ``HIERA_CONFIG`` must be set to the hiera config file location # configure_hiera() { cat <$HIERA_CONFIG --- version: 5 defaults: datadir: ${SCRIPT_DIR}/hiera data_hash: yaml_data hierarchy: - name: "OS specific" path: "%{::operatingsystem}.yaml" - name: "OS family specific" path: "%{::osfamily}.yaml" - name: "Common" path: "common.yaml" EOF } is_fedora() { if [ -f /etc/os-release ]; then source /etc/os-release test "$ID" = "fedora" -o "$ID" = "centos" else return 1 fi } uses_debs() { # check if apt-get is installed, valid for debian based type "apt-get" 2>/dev/null } if type "dnf" 2>/dev/null;then export YUM=dnf else export YUM=yum fi print_header() { if [ -n "$(set | grep xtrace)" ]; then set +x local enable_xtrace='yes' fi local msg=$1 printf '%.0s-' {1..80}; echo printf '| %-76s |\n' "${msg}" printf '%.0s-' {1..80}; echo if [ -n "${enable_xtrace}" ]; then set -x fi } install_puppet() { if uses_debs; then print_header 'Setup (Debian based)' if [ "${MANAGE_REPOS}" == "true" ] ; then if [ $PUPPET_MAJ_VERSION == 4 ]; then local PUPPET_APT_POOL="PC1" else local PUPPET_APT_POOL="puppet${PUPPET_MAJ_VERSION}" fi PUPPET_CODENAME=$(lsb_release -s -c) if [ $PUPPET_CODENAME == "bionic" ]; then # For some reason this directory does not exist in Bionic $SUDO mkdir -p /etc/apt/sources.list.d fi echo "deb ${NODEPOOL_PUPPETLABS_MIRROR} ${PUPPET_CODENAME} ${PUPPET_APT_POOL}" | $SUDO tee /etc/apt/sources.list.d/puppetlabs.list $SUDO apt-key add files/GPG-KEY-puppetlabs $SUDO apt-key add files/GPG-KEY-ceph $SUDO apt-get update fi $SUDO apt-get install -y ${PUPPET_PKG} elif is_fedora; then print_header 'Setup (RedHat based)' # EPEL does not work fine with RDO, we need to make sure EPEL is really disabled if rpm --quiet -q epel-release; then $SUDO rpm -e epel-release fi if [ "${MANAGE_REPOS}" == "true" ] ; then if [ $PUPPET_MAJ_VERSION == 4 ]; then local PUPPET_YUM_SUFFIX="/el/7/PC1/x86_64/" else local PUPPET_YUM_SUFFIX="/puppet${PUPPET_MAJ_VERSION}/el/7/x86_64/" fi $SUDO rpm --import files/GPG-KEY-puppetlabs $SUDO rpm --import files/GPG-KEY-puppet $SUDO bash -c "cat << EOF > /etc/yum.repos.d/puppetlabs.repo [puppetlabs-products] name=Puppet Labs Products El 7 - x86_64 baseurl=${NODEPOOL_PUPPETLABS_MIRROR}${PUPPET_YUM_SUFFIX} gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-puppetlabs file:///etc/pki/rpm-gpg/GPG-KEY-puppet enabled=1 gpgcheck=1 EOF" fi $SUDO $YUM install -y ${PUPPET_PKG} fi } function run_puppet() { local manifest=$1 $SUDO $PUPPET_FULL_PATH apply $PUPPET_ARGS fixtures/${manifest}.pp local res=$? return $res } function catch_selinux_alerts() { if is_fedora; then $SUDO sealert -a /var/log/audit/audit.log if $SUDO grep -iq 'type=AVC' /var/log/audit/audit.log; then echo "AVC detected in /var/log/audit/audit.log" # TODO: figure why latest rabbitmq deployed with SSL tries to write in SSL pem file. # https://bugzilla.redhat.com/show_bug.cgi?id=1341738 if $SUDO grep -iqE 'denied.*system_r:rabbitmq_t' /var/log/audit/audit.log; then echo "non-critical RabbitMQ AVC, ignoring it now." # FIXME(ykarel) catch_selinux_alerts not work with non ssl scenarios(no rabbitmq alert), # currently running all scenarios without ssl in Fedora, and scenario-py3 in CentOS/Fedora, # because glance,nova,mistral py3 has issues when running with eventlet + ssl: # glance https://bugs.launchpad.net/glance/+bug/1769006 # nova https://bugs.launchpad.net/nova/+bug/1808975 # mistral https://bugs.launchpad.net/mistral/+bug/1808953 elif [ -f /etc/fedora-release -o "$SCENARIO" = "scenario-py3" ]; then echo "non ssl scenario, ignoring it now." else echo "Please file a bug on https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20OpenStack&component=openstack-selinux showing sealert output." exit 1 fi else echo 'No AVC detected in /var/log/audit/audit.log' fi fi } function timestamp_puppet_log() { $SUDO mv ${WORKSPACE}/puppet.log ${WORKSPACE}/puppet-$(date +%Y%m%d_%H%M%S).log } function catch_puppet_failures() { $SUDO grep -wiE '(Error|\(err\))' ${WORKSPACE}/puppet.log }