From e65996b878a9c758d5b41e996776c68cfe686d29 Mon Sep 17 00:00:00 2001 
From: Sofer Athlan-Guyot Date: Mon, 20 Apr 2020 17:19:40 +0200 Subject: [PATCH] tripleo_redhat_enforce new role to enforce RHOSP constraints. OSP, the downstream version of tripleo have to enforce some policies for rhel version and subscribed channel. This module hosts those requirements, so that we prevent update to wrong rhel release or subscription to wrong channels. Currently it only implements a basic check to the subscribed rhel version. This check has some fail-safe logic to avoid crashing the update on temporary network issue when running subscription-manager. We are avoiding the validation framework as this can be easily disabled and we want this enforcement to be mandatory as this could lead user to unsupported combination of OSP/RHEL. For upstream that change is transparent as the tasks are skipped if the ansible_distribution is not Red Hat. For Red Hat, there will be a mechanism in THT to avoid the check altogether, for instance for CI purposes. For this first check (RHEL/OSP version), downstream patches will add the required values in vars/redhat.yml.
Change-Id: I2d1ac92ee6ee8407fb156a2718f94ad3e9220bbe
---
.../roles/role-tripleo_redhat_enforce.rst | 66 +++++++++++++++++++++
.../tripleo_redhat_enforce/defaults/main.yml | 24 +++++++
.../tripleo_redhat_enforce/meta/main.yml | 42 ++++++++++++
.../molecule/default/Dockerfile | 37 +++++++++++
.../molecule/default/converge.yml | 21 ++++++
.../molecule/default/molecule.yml | 48 ++++++++++++++
.../molecule/default/prepare.yml | 21 ++++++
.../tasks/enforce_release.yml | 45 +++++++++++++
.../tripleo_redhat_enforce/tasks/main.yml | 36 ++++++++++
.../tripleo_redhat_enforce/vars/redhat.yml | 23 +++++++
zuul.d/molecule.yaml | 9 +++
11 files changed, 372 insertions(+)
create mode 100644 doc/source/roles/role-tripleo_redhat_enforce.rst
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/defaults/main.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/meta/main.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/Dockerfile
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/converge.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/prepare.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/tasks/enforce_release.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/tasks/main.yml
create mode 100644 tripleo_ansible/roles/tripleo_redhat_enforce/vars/redhat.yml
diff --git a/doc/source/roles/role-tripleo_redhat_enforce.rst b/doc/source/roles/role-tripleo_redhat_enforce.rst
new file mode 100644
index 000000000..d340c7251
--- /dev/null
+++ b/doc/source/roles/role-tripleo_redhat_enforce.rst
@@ -0,0 +1,66 @@
+=====================================
+Role - tripleo_redhat_enforce
+=====================================
+
+.. ansibleautoplugin::
+ :role: tripleo_ansible/roles/tripleo_redhat_enforce
+
+Description
+~~~~~~~~~~~
+
+This role is for OSP, the downstream version of tripleo and shouldn't
+be used with other OS as it required the host to be subscribed.
+
+It enforces policies regarding rhel version and subscribed channel
+according to the OSP version used.
+
+This module hosts those requirements, so that we prevent update to
+wrong rhel release or subscription to wrong channels.
+
+Currently it only implements a basic check to the subscribed rhel
+version.
+
+This check has some fail-safe logic to avoid crashing the update on
+temporary network issue when running subscription-manager.
+
+We are avoiding the validation framework as this can be easily
+disabled and we want this enforcement to be mandatory as this could
+lead user to unsupported combination of OSP/RHEL.
+
+For upstream that change is transparent as the tasks are skipped if
+the ansible_distribution is not Red Hat.
+
+Usage
+~~~~~
+
+Very simple usage, just pass the right parameter for the version you
+plan to check.
+
+Remember this won't have any effects on anything else than a Red Hat
+subscribed host.
+
+.. code-block:: YAML
+
+ - name: Enforce RHOSP rules regarding subscription.
+ include_role:
+ name: tripleo_redhat_enforce
+ vars:
+ tripleo_redhat_enforce_osp: 16.0
+ tripleo_redhat_enforce_os: 8.1
+
+
+Roles variables
+~~~~~~~~~~~~~~~
+
++------------------------------------------------+-----------------------------+-------------------------------+
+| Name | Default Value | Description |
++================================================+=============================+===============================+
+| tripleo_redhat_enforce_debug | false | No used currently |
++------------------------------------------------+-----------------------------+-------------------------------+
+| tripleo_redhat_enforce | true on Red Hat distribution| Set to true to run validation |
+| | false everywhere else | |
++------------------------------------------------+-----------------------------+-------------------------------+
+| tripleo_redhat_enforce_osp | OSP version (16.0, 16.1,...)| Version of OSP |
++------------------------------------------------+-----------------------------+-------------------------------+
+| tripleo_redhat_enforce_os | RHEL version (8.1, 8.2, ...)| Version of RHEL |
++------------------------------------------------+-----------------------------+-------------------------------+
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/defaults/main.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/defaults/main.yml
new file mode 100644
index 000000000..5dd1f8e48
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+
+# All variables within this role should have a prefix of "tripleo_redhat_enforce"
+tripleo_redhat_enforce_debug: false
+tripleo_redhat_enforce: false
+tripleo_redhat_enforce_osp: ''
+tripleo_redhat_enforce_os: ''
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/meta/main.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/meta/main.yml
new file mode 100644
index 000000000..94aa0f4ea
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/meta/main.yml
@@ -0,0 +1,42 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+ author: OpenStack
+ description: TripleO OpenStack Role -- tripleo_redhat_enforce
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: 2.7
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: CentOS
+ versions:
+ - 7
+ - 8
+
+ galaxy_tags:
+ - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/Dockerfile b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/Dockerfile
new file mode 100644
index 000000000..8fc73a838
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/Dockerfile
@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/converge.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/converge.yml
new file mode 100644
index 000000000..b263d07cb
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/converge.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+ hosts: all
+ roles:
+ - role: "tripleo_redhat_enforce"
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
new file mode 100644
index 000000000..78971ff18
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
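Review bot: The Converge play applies the role with neither `tripleo_redhat_enforce_osp` nor `tripleo_redhat_enforce_os` set and on the centos:7/centos:8 platforms from molecule.yml, where `tripleo_redhat_enforce` keeps its `false` default because only vars/redhat.yml turns it on, so the scenario exercises the skip path only and enforce_release.yml never runs. A converge (or a second play) that sets `tripleo_redhat_enforce: true` together with a stub `subscription-manager` on PATH would cover the retry/`until` logic and the three failure branches, which is where regressions are most likely. If leaving that to downstream is intentional for now, a comment such as `# The role is a no-op on CentOS; the enforcement tasks are only exercised on subscribed RHEL hosts` in converge.yml would make the coverage gap explicit.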
@@ -0,0 +1,48 @@
+---
+driver:
+ name: docker
+
+log: true
+
+platforms:
+ - name: centos7
+ hostname: centos7
+ image: centos:7
+ dockerfile: Dockerfile
+ pkg_extras: python-setuptools
+ volumes:
+ - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
+ easy_install:
+ - pip
+ environment: &env
+ http_proxy: "{{ lookup('env', 'http_proxy') }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+ - name: centos8
+ hostname: centos8
+ image: centos:8
+ dockerfile: Dockerfile
+ pkg_extras: python*-setuptools
+ volumes:
+ - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
+ environment:
+ <<: *env
+
+provisioner:
+ name: ansible
+ log: true
+ env:
+ ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+ test_sequence:
+ - destroy
+ - create
+ - prepare
+ - converge
+ - check
+ - verify
+ - destroy
+
+verifier:
+ name: testinfra
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/prepare.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/prepare.yml
new file mode 100644
index 000000000..27e23e495
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/prepare.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+ hosts: all
+ roles:
+ - role: test_deps
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/tasks/enforce_release.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/tasks/enforce_release.yml
new file mode 100644
index 000000000..e97ae56ab
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/tasks/enforce_release.yml
@@ -0,0 +1,45 @@
+---
+# We don't want to get false positive on subscription manager network
+# issues, hence the logic in the retries/until.
+- name: get current release settings
+ command: 'subscription-manager release --show'
+ register: subscribed_release
+ ignore_errors: true
+ retries: 5
+ delay: 3
+ until: ('ConnectionRefusedError' not in subscribed_release.stderr and subscribed_release is failed) or subscribed_release is success
+
+- name: fails if not registered
+ fail:
+ msg: >-
+ Your environment is not subscribed!
+ If it is expected, please set SkipRhelEnforcement to true.
+ For Director the documentation is there
+ https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/
+ director_installation_and_usage/index#configuring-the-undercloud-with-environment-files,
+ for the Overcloud you need to add a new parameter file to your deploy
+ command with that parameter set.
+ If this is unexpected, you have to subscribe this node and
+ ensure that RHEL is pinned to {{ tripleo_redhat_enforce_os }} as
+ this is the only version supported for {{ tripleo_redhat_enforce_osp }}.
+ when:
+ - subscribed_release is failed
+ - ( 'This system is not yet registered' in subscribed_release.stderr )
+
+- name: unknown failure during call to subscription-manager
+ fail:
+ msg: >-
+ Unknow failure during 'subscription-manager release --show':
+ {{ subscribed_release.stderr }}
+ when:
+ - subscribed_release is failed
+ - ( 'This system is not yet registered' not in subscribed_release.stderr )
+
+- name: fails if the release is not correct
+ fail:
+ msg: >-
+ OSP{{ tripleo_redhat_enforce_osp }} is only supported with Red Hat {{ tripleo_redhat_enforce_os }}.
+ Please make sure to pin rhel to {{ tripleo_redhat_enforce_os }} using:
+ subscription-manager release --set={{ tripleo_redhat_enforce_os }}.
+ You can then proceed with the update.
+ when: tripleo_redhat_enforce_os not in subscribed_release.stdout
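Review bot: The last task's `when: tripleo_redhat_enforce_os not in subscribed_release.stdout` passes vacuously when `tripleo_redhat_enforce_os` is left at the `''` shipped in both defaults/main.yml and vars/redhat.yml, because an empty string is contained in any output, so a host whose expected version was never filled in is reported compliant instead of failing. The same substring test accepts `8.10` when `8.1` is enforced, and it is likely to raise a conditional error when the version is given as a bare YAML number as in the role documentation (`tripleo_redhat_enforce_os: 8.1` is a float), since Jinja's `in` needs a string on the left. I would assert that both versions are set before calling subscription-manager and compare the reported release exactly after `| string`, as sketched below. The `'This system is not yet registered'` match on stderr is also locale-dependent; pinning the task `environment` (for example `LC_ALL: C`) keeps that message stable across hosts.
```yaml
# '' is a substring of every output, so an unset version would make the
# release comparison below pass on every host; refuse to run instead.
- name: ensure the enforced versions are set
  assert:
    that:
      - (tripleo_redhat_enforce_os | string | trim) | length > 0
      - (tripleo_redhat_enforce_osp | string | trim) | length > 0
    msg: >-
      tripleo_redhat_enforce_os and tripleo_redhat_enforce_osp must both be
      set for the RHEL/OSP release enforcement to be meaningful.

# … unchanged: subscription-manager call, "not registered" and "unknown failure" tasks …

- name: fails if the release is not correct
  # … unchanged: fail / msg …
  # exact match on the "Release: <version>" line so that 8.10 does not satisfy 8.1;
  # assumes `release --show` prints that line — confirm against a subscribed host
  when: >-
    ('Release: ' ~ (tripleo_redhat_enforce_os | string))
    not in subscribed_release.stdout_lines
```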
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/tasks/main.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/tasks/main.yml
new file mode 100644
index 000000000..c1bfaed39
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# "tripleo_redhat_enforce" will search for and load any operating system variable file
+
+# found within the "vars/" path. If no OS files are found the task
+# will skip.
+
+# Note that using "skip: true" is deprecated, but "errors: ignore"
+# fails on 2.8 with include_vars.
+- name: Gather variables for each operating system
+ include_vars: "{{ include_file }}"
+ when:
+ - include_file is exists
+ vars:
+ include_file: "{{ role_path }}/vars/{{ ansible_distribution | lower }}.yml"
+ tags:
+ - always
+
+- include_tasks: enforce_release.yml
+ name: Enforce RHEL/OSP version pair
+ when: tripleo_redhat_enforce|bool
diff --git a/tripleo_ansible/roles/tripleo_redhat_enforce/vars/redhat.yml b/tripleo_ansible/roles/tripleo_redhat_enforce/vars/redhat.yml
new file mode 100644
index 000000000..310e84845
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/vars/redhat.yml
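Review bot: The `include_vars` task in tasks/main.yml carries `tags: - always` but the `include_tasks: enforce_release.yml` that performs the enforcement does not, so a tagged run (`ansible-playbook --tags ...`) loads the variables and then skips the check entirely, which undercuts the commit's stated goal of making the enforcement hard to bypass; giving the include the same `tags: - always`, with its `when:` still deciding whether it runs, closes that gap. Both tasks also rely on `ansible_distribution` being available, so a play with `gather_facts: false` would presumably error on the `include_file` expression rather than skip; a comment such as `# requires gathered facts: ansible_distribution selects the vars file` above the first task would document that dependency.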
@@ -0,0 +1,23 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+
+# All variables within this role should have a prefix of "tripleo_redhat_enforce"
+tripleo_redhat_enforce: true
+tripleo_redhat_enforce_osp: ''
+tripleo_redhat_enforce_os: ''
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index 39826025e..a7fc095ac 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -36,6 +36,7 @@
 - tripleo-ansible-centos-8-molecule-tripleo_podman
 - tripleo-ansible-centos-8-molecule-tripleo_ptp
 - tripleo-ansible-centos-8-molecule-tripleo_puppet_cache
+ - tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce
 - tripleo-ansible-centos-8-molecule-tripleo_securetty
 - tripleo-ansible-centos-8-molecule-tripleo_ssh_known_hosts
 - tripleo-ansible-centos-8-molecule-tripleo_sshd
@@ -80,6 +81,7 @@
 - tripleo-ansible-centos-8-molecule-tripleo_podman
 - tripleo-ansible-centos-8-molecule-tripleo_ptp
 - tripleo-ansible-centos-8-molecule-tripleo_puppet_cache
+ - tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce
 - tripleo-ansible-centos-8-molecule-tripleo_securetty
 - tripleo-ansible-centos-8-molecule-tripleo_ssh_known_hosts
 - tripleo-ansible-centos-8-molecule-tripleo_sshd
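Review bot: vars/redhat.yml defines `tripleo_redhat_enforce_osp: ''` and `tripleo_redhat_enforce_os: ''` next to `tripleo_redhat_enforce: true`, and because tasks/main.yml loads this file through `include_vars`, which ranks above inventory, play and task variables, an operator's value set in group_vars or play `vars:` is silently replaced by the empty string until the downstream patch fills these keys in; only `include_role` params and extra-vars survive. With the substring comparison in enforce_release.yml an empty version makes the release check pass, so the shadowing turns the enforcement off rather than failing loudly. Keeping only `tripleo_redhat_enforce: true` here and leaving the version keys to defaults/main.yml, where they remain overridable, avoids that; if they must stay, a comment `# intentionally empty upstream; populated by downstream patches — an empty value disables the release check` would at least explain the trap.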
@@ -371,6 +373,13 @@
 parent: tripleo-ansible-centos-8-base
 vars:
 tripleo_role_name: tripleo_puppet_cache
+- job:
+ files:
+ - ^tripleo_ansible/roles/tripleo_redhat_enforce/.*
+ name: tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce
+ parent: tripleo-ansible-centos-8-base
+ vars:
+ tox_envlist: mol-tripleo_redhat_enforce
 - job:
 files:
 - ^tripleo_ansible/roles/tripleo_securetty/.*
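Review bot: The new `tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce` job passes `tox_envlist: mol-tripleo_redhat_enforce` under `vars:`, while the neighbouring `tripleo_puppet_cache` job in the same hunk passes `tripleo_role_name: tripleo_puppet_cache`; if the parent derives the tox environment from `tripleo_role_name`, the new job should use that key too (`tripleo_role_name: tripleo_redhat_enforce`) for consistency, otherwise the deliberate difference deserves a one-line comment. The definition of `tripleo-ansible-centos-8-base` is outside this hunk, so this needs confirming against it.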