tripleo-redhat-enforce new role to enforce RHOSP constraints.
OSP, the downstream version of tripleo, has to enforce some policies
for rhel version and subscribed channel.
This module hosts those requirements, so that we prevent update to
wrong rhel release or subscription to wrong channels.
Currently it only implements a basic check to the subscribed rhel
version.
This check has some fail-safe logic to avoid crashing the update on
a temporary network issue when running subscription-manager.
We are avoiding the validation framework as this can be easily
disabled and we want this enforcement to be mandatory as this could
lead users to an unsupported combination of OSP/RHEL.
For upstream that change is transparent as the tasks are skipped if
the ansible_distribution is not Red Hat.
For Red Hat, there will be a mechanism in THT to avoid the check
altogether, for instance for CI purposes.
For this first check (RHEL/OSP version), downstream patches will add
the required values in vars/redhat.yml.
Note about the backport: there is a role naming change relative to
master; we use "-" instead of "_" in train for the role directory.
The role directory has to be renamed. Documentation is pointing
to molecule/playbook.yml and not molecule/converge.yml.
Change-Id: I2d1ac92ee6ee8407fb156a2718f94ad3e9220bbe
(cherry picked from commit e65996b878)
This commit is contained in:
parent
4daef5fbac
commit
0769f42169
66
doc/source/roles/role-tripleo-redhat-enforce.rst
Normal file
@ -0,0 +1,66 @@
|
||||
=====================================
|
||||
Role - tripleo-redhat-enforce
|
||||
=====================================
|
||||
|
||||
.. ansibleautoplugin::
|
||||
:role: tripleo_ansible/roles/tripleo-redhat-enforce
|
||||
|
||||
Description
|
||||
~~~~~~~~~~~
|
||||
|
||||
This role is for OSP, the downstream version of tripleo and shouldn't
|
||||
be used with other OS as it required the host to be subscribed.
|
||||
|
||||
It enforces policies regarding rhel version and subscribed channel
|
||||
according to the OSP version used.
|
||||
|
||||
This module hosts those requirements, so that we prevent update to
|
||||
wrong rhel release or subscription to wrong channels.
|
||||
|
||||
Currently it only implements a basic check to the subscribed rhel
|
||||
version.
|
||||
|
||||
This check has some fail-safe logic to avoid crashing the update on
|
||||
temporary network issue when running subscription-manager.
|
||||
|
||||
We are avoiding the validation framework as this can be easily
|
||||
disabled and we want this enforcement to be mandatory as this could
|
||||
lead user to unsupported combination of OSP/RHEL.
|
||||
|
||||
For upstream that change is transparent as the tasks are skipped if
|
||||
the ansible_distribution is not Red Hat.
|
||||
|
||||
Usage
|
||||
~~~~~
|
||||
|
||||
Very simple usage, just pass the right parameter for the version you
|
||||
plan to check.
|
||||
|
||||
Remember this won't have any effects on anything else than a Red Hat
|
||||
subscribed host.
|
||||
|
||||
.. code-block:: YAML
|
||||
|
||||
- name: Enforce RHOSP rules regarding subscription.
|
||||
include_role:
|
||||
name: tripleo-redhat-enforce
|
||||
vars:
|
||||
tripleo_redhat_enforce_osp: 16.0
|
||||
tripleo_redhat_enforce_os: 8.1
|
||||
|
||||
|
||||
Roles variables
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
+------------------------------------------------+-----------------------------+-------------------------------+
|
||||
| Name | Default Value | Description |
|
||||
+================================================+=============================+===============================+
|
||||
| tripleo_redhat_enforce_debug | false | No used currently |
|
||||
+------------------------------------------------+-----------------------------+-------------------------------+
|
||||
| tripleo_redhat_enforce | true on Red Hat distribution| Set to true to run validation |
|
||||
| | false everywhere else | |
|
||||
+------------------------------------------------+-----------------------------+-------------------------------+
|
||||
| tripleo_redhat_enforce_osp | OSP version (16.0, 16.1,...)| Version of OSP |
|
||||
+------------------------------------------------+-----------------------------+-------------------------------+
|
||||
| tripleo_redhat_enforce_os | RHEL version (8.1, 8.2, ...)| Version of RHEL |
|
||||
+------------------------------------------------+-----------------------------+-------------------------------+
|
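Review bot: In the Usage example, tripleo_redhat_enforce_osp: 16.0 and tripleo_redhat_enforce_os: 8.1 are unquoted, so YAML loads them as floats rather than strings. The role later evaluates "tripleo_redhat_enforce_os not in subscribed_release.stdout", a substring test that needs a string on the left, and a float also turns a value such as 8.10 into 8.1. Quote both values in the example ('16.0', '8.1'). Smaller points in the same file: "as it required the host" should read "as it requires the host", and "No used currently" in the variables table should be "Not used currently".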
@ -0,0 +1,24 @@
|
||||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# All variables intended for modification should be placed in this file.
|
||||
|
||||
# All variables within this role should have a prefix of "tripleo_redhat_enforce"
|
||||
tripleo_redhat_enforce_debug: false
|
||||
tripleo_redhat_enforce: false
|
||||
tripleo_redhat_enforce_osp: ''
|
||||
tripleo_redhat_enforce_os: ''
|
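Review bot: tripleo_redhat_enforce_debug is declared here, but none of the tasks added in this change reads it and the documentation table marks it as not used. Drop it until a task needs it, or wire it to a debug task that prints the registered subscription-manager result, so the variable has an effect.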
42
tripleo_ansible/roles/tripleo-redhat-enforce/meta/main.yml
Normal file
@ -0,0 +1,42 @@
|
||||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
galaxy_info:
|
||||
author: OpenStack
|
||||
description: TripleO OpenStack Role -- tripleo-redhat-enforce
|
||||
company: Red Hat
|
||||
license: Apache-2.0
|
||||
min_ansible_version: 2.7
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
platforms:
|
||||
- name: CentOS
|
||||
versions:
|
||||
- 7
|
||||
- 8
|
||||
|
||||
galaxy_tags:
|
||||
- tripleo
|
||||
|
||||
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
dependencies: []
|
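Review bot: platforms lists only CentOS 7 and 8, although the role does its work only when ansible_distribution is Red Hat and is skipped everywhere else. Add an entry for the Red Hat platform and the versions the role targets. The trailing comment about removing the '[]' above is template leftover that now sits above "dependencies: []" and can be deleted.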
@ -0,0 +1,37 @@
|
||||
# Molecule managed
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
{% if item.registry is defined %}
|
||||
FROM {{ item.registry.url }}/{{ item.image }}
|
||||
{% else %}
|
||||
FROM {{ item.image }}
|
||||
{% endif %}
|
||||
|
||||
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
|
||||
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
|
||||
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
|
||||
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
|
||||
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
|
||||
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
|
||||
|
||||
{% for pkg in item.easy_install | default([]) %}
|
||||
# install pip for centos where there is no python-pip rpm in default repos
|
||||
RUN easy_install {{ pkg }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
CMD ["sh", "-c", "while true; do sleep 10000; done"]
|
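Review bot: Every branch of the RUN line tests "[ $(command -v apt-get) ]" with an unquoted command substitution, which works only because the result is a single word or empty. "if command -v apt-get >/dev/null 2>&1; then" states the intent directly and does not depend on word splitting. The comment "install pip for centos where there is no python-pip rpm" sits inside the easy_install loop, so it is emitted once per package; move it above the {% for %} line.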
@ -0,0 +1,48 @@
|
||||
---
|
||||
driver:
|
||||
name: docker
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: centos7
|
||||
hostname: centos7
|
||||
image: centos:7
|
||||
dockerfile: Dockerfile
|
||||
pkg_extras: python-setuptools
|
||||
volumes:
|
||||
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
|
||||
easy_install:
|
||||
- pip
|
||||
environment: &env
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
|
||||
- name: centos8
|
||||
hostname: centos8
|
||||
image: centos:8
|
||||
dockerfile: Dockerfile
|
||||
pkg_extras: python*-setuptools
|
||||
volumes:
|
||||
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
|
||||
environment:
|
||||
<<: *env
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- check
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
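Review bot: The scenario sets "verifier: name: testinfra" and keeps verify in test_sequence, but this change adds no test file for it, so the verify step has nothing to assert. Add a test, or drop the verifier and the step. The centos7 platform is also defined while the only Zuul job added for this role is the centos-8 one; keep only the platform that CI runs.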
@ -0,0 +1,21 @@
|
||||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- role: "tripleo-redhat-enforce"
|
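Review bot: Converge applies the role with no variables on CentOS platforms, where tripleo_redhat_enforce defaults to false and this change ships no vars file other than vars/redhat.yml, so enforce_release.yml is never included and the scenario passes without exercising the check. Add a play or a second scenario that sets tripleo_redhat_enforce: true together with tripleo_redhat_enforce_os and tripleo_redhat_enforce_osp and stubs subscription-manager, covering the registered, unregistered and wrong-release paths.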
@ -0,0 +1,21 @@
|
||||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
@ -0,0 +1,45 @@
|
||||
---
|
||||
# We don't want to get false positive on subscription manager network
|
||||
# issues, hence the logic in the retries/until.
|
||||
- name: get current release settings
|
||||
command: 'subscription-manager release --show'
|
||||
register: subscribed_release
|
||||
ignore_errors: true
|
||||
retries: 5
|
||||
delay: 3
|
||||
until: ('ConnectionRefusedError' not in subscribed_release.stderr and subscribed_release is failed) or subscribed_release is success
|
||||
|
||||
- name: fails if not registered
|
||||
fail:
|
||||
msg: >-
|
||||
Your environment is not subscribed!
|
||||
If it is expected, please set SkipRhelEnforcement to true.
|
||||
For Director the documentation is there
|
||||
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/
|
||||
director_installation_and_usage/index#configuring-the-undercloud-with-environment-files,
|
||||
for the Overcloud you need to add a new parameter file to your deploy
|
||||
command with that parameter set.
|
||||
If this is unexpected, you have to subscribe this node and
|
||||
ensure that RHEL is pinned to {{ tripleo_redhat_enforce_os }} as
|
||||
this is the only version supported for {{ tripleo_redhat_enforce_osp }}.
|
||||
when:
|
||||
- subscribed_release is failed
|
||||
- ( 'This system is not yet registered' in subscribed_release.stderr )
|
||||
|
||||
- name: unknown failure during call to subscription-manager
|
||||
fail:
|
||||
msg: >-
|
||||
Unknow failure during 'subscription-manager release --show':
|
||||
{{ subscribed_release.stderr }}
|
||||
when:
|
||||
- subscribed_release is failed
|
||||
- ( 'This system is not yet registered' not in subscribed_release.stderr )
|
||||
|
||||
- name: fails if the release is not correct
|
||||
fail:
|
||||
msg: >-
|
||||
OSP{{ tripleo_redhat_enforce_osp }} is only supported with Red Hat {{ tripleo_redhat_enforce_os }}.
|
||||
Please make sure to pin rhel to {{ tripleo_redhat_enforce_os }} using:
|
||||
subscription-manager release --set={{ tripleo_redhat_enforce_os }}.
|
||||
You can then proceed with the update.
|
||||
when: tripleo_redhat_enforce_os not in subscribed_release.stdout
|
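Review bot: The final check, "when: tripleo_redhat_enforce_os not in subscribed_release.stdout", is a substring test, so it passes whenever the expected value appears anywhere in the output: 8.1 is accepted when the host reports 8.10, and an empty tripleo_redhat_enforce_os (the value shipped in this change) is contained in every string, which turns the check into a silent no-op. Extract the release value from stdout and compare it for equality, and fail when the expected version is empty. In the first task, the until clause retries only while 'ConnectionRefusedError' is in stderr; any other transient error ends the loop on the first attempt and lands in the "unknown failure" task. "Unknow failure" in that message should read "Unknown failure".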
36
tripleo_ansible/roles/tripleo-redhat-enforce/tasks/main.yml
Normal file
@ -0,0 +1,36 @@
|
||||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# "tripleo_redhat_enforce" will search for and load any operating system variable file
|
||||
|
||||
# found within the "vars/" path. If no OS files are found the task
|
||||
# will skip.
|
||||
|
||||
# Note that using "skip: true" is deprecated, but "errors: ignore"
|
||||
# fails on 2.8 with include_vars.
|
||||
- name: Gather variables for each operating system
|
||||
include_vars: "{{ include_file }}"
|
||||
when:
|
||||
- include_file is exists
|
||||
vars:
|
||||
include_file: "{{ role_path }}/vars/{{ ansible_distribution | lower }}.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- include_tasks: enforce_release.yml
|
||||
name: Enforce RHEL/OSP version pair
|
||||
when: tripleo_redhat_enforce|bool
|
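Review bot: enforce_release.yml is included as soon as tripleo_redhat_enforce is true, with no check that tripleo_redhat_enforce_os and tripleo_redhat_enforce_osp were actually set. Add an assert or fail task ahead of the include that rejects empty values, so a missing downstream vars patch stops the run instead of letting the release comparison run against ''. In the same task, put name before include_tasks to match the task above it.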
23
tripleo_ansible/roles/tripleo-redhat-enforce/vars/redhat.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# All variables intended for modification should be placed in this file.
|
||||
|
||||
# All variables within this role should have a prefix of "tripleo_redhat_enforce"
|
||||
tripleo_redhat_enforce: true
|
||||
tripleo_redhat_enforce_osp: ''
|
||||
tripleo_redhat_enforce_os: ''
|
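Review bot: This file switches tripleo_redhat_enforce to true while leaving tripleo_redhat_enforce_osp and tripleo_redhat_enforce_os as '', so on a Red Hat host the role calls subscription-manager and can fail on an unregistered system, yet it has no version to enforce and its messages render with blank versions. Either keep enforcement off here until the downstream values land, or ship the values in the same change. The header comment "All variables intended for modification should be placed in this file" repeats the one in the earlier hunk that sets tripleo_redhat_enforce: false and does not fit a per-distribution vars file.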
@ -28,6 +28,7 @@
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-kernel
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-container-image-prepare
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-firewall
|
||||
- tripleo-ansible-centos-8-molecule-tripleo-redhat-enforce
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-securetty
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-cellv2
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-clients-install
|
||||
@ -70,6 +71,7 @@
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-kernel
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-container-image-prepare
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-firewall
|
||||
- tripleo-ansible-centos-8-molecule-tripleo-redhat-enforce
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-securetty
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-cellv2
|
||||
- tripleo-ansible-centos-7-molecule-tripleo-clients-install
|
||||
@ -304,6 +306,13 @@
|
||||
parent: tripleo-ansible-centos-7-base
|
||||
vars:
|
||||
tripleo_role_name: tripleo-validations-package
|
||||
- job:
|
||||
files:
|
||||
- ^tripleo_ansible/roles/tripleo-redhat-enforce/.*
|
||||
name: tripleo-ansible-centos-8-molecule-tripleo-redhat-enforce
|
||||
parent: tripleo-ansible-centos-8-base
|
||||
vars:
|
||||
tox_envlist: tripleo-redhat-enforce
|
||||
- job:
|
||||
files:
|
||||
- ^tripleo_ansible/roles/tripleo-ovs-dpdk/.*
|
||||
|
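Review bot: The new job definition sets "tox_envlist: tripleo-redhat-enforce" under vars, while the job defined immediately above it sets tripleo_role_name. Confirm that tripleo-ansible-centos-8-base selects the Molecule scenario from tox_envlist; if it keys off tripleo_role_name like the centos-7 job above, this job will not run the tripleo-redhat-enforce scenario.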