tripleo_redhat_enforce new role to enforce RHOSP constraints.

OSP, the downstream version of tripleo, has to enforce some policies
for rhel version and subscribed channel.

This module hosts those requirements, so that we prevent updates to the
wrong rhel release or subscription to the wrong channels.

Currently it only implements a basic check on the subscribed rhel
version.

This check has some fail-safe logic to avoid crashing the update on
temporary network issues when running subscription-manager.

We are avoiding the validation framework as it can be easily
disabled, and we want this enforcement to be mandatory as this could
lead users to an unsupported combination of OSP/RHEL.

For upstream, that change is transparent as the tasks are skipped if
the ansible_distribution is not Red Hat.

For Red Hat, there will be a mechanism in THT to avoid the check
altogether, for instance for CI purposes.

For this first check (RHEL/OSP version), downstream patches will add
the required values in vars/redhat.yml.

Change-Id: I2d1ac92ee6ee8407fb156a2718f94ad3e9220bbe
Sofer Athlan-Guyot 2020-04-20 17:19:40 +02:00
parent 7b0929a899
commit e65996b878
11 changed files with 372 additions and 0 deletions


@ -0,0 +1,66 @@
=====================================
Role - tripleo_redhat_enforce
=====================================
.. ansibleautoplugin::
:role: tripleo_ansible/roles/tripleo_redhat_enforce
Description
~~~~~~~~~~~
This role is for OSP, the downstream version of tripleo and shouldn't
be used with other OS as it required the host to be subscribed.
It enforces policies regarding rhel version and subscribed channel
according to the OSP version used.
This module hosts those requirements, so that we prevent update to
wrong rhel release or subscription to wrong channels.
Currently it only implements a basic check to the subscribed rhel
version.
This check has some fail-safe logic to avoid crashing the update on
temporary network issue when running subscription-manager.
We are avoiding the validation framework as this can be easily
disabled and we want this enforcement to be mandatory as this could
lead user to unsupported combination of OSP/RHEL.
For upstream that change is transparent as the tasks are skipped if
the ansible_distribution is not Red Hat.
Usage
~~~~~
Very simple usage, just pass the right parameter for the version you
plan to check.
Remember this won't have any effects on anything else than a Red Hat
subscribed host.
.. code-block:: YAML
- name: Enforce RHOSP rules regarding subscription.
include_role:
name: tripleo_redhat_enforce
vars:
tripleo_redhat_enforce_osp: 16.0
tripleo_redhat_enforce_os: 8.1
Roles variables
~~~~~~~~~~~~~~~
+------------------------------------------------+-----------------------------+-------------------------------+
| Name | Default Value | Description |
+================================================+=============================+===============================+
| tripleo_redhat_enforce_debug | false | No used currently |
+------------------------------------------------+-----------------------------+-------------------------------+
| tripleo_redhat_enforce | true on Red Hat distribution| Set to true to run validation |
| | false everywhere else | |
+------------------------------------------------+-----------------------------+-------------------------------+
| tripleo_redhat_enforce_osp | OSP version (16.0, 16.1,...)| Version of OSP |
+------------------------------------------------+-----------------------------+-------------------------------+
| tripleo_redhat_enforce_os | RHEL version (8.1, 8.2, ...)| Version of RHEL |
+------------------------------------------------+-----------------------------+-------------------------------+
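Review bot: the Roles variables table gives "OSP version (16.0, 16.1,...)" and "RHEL version (8.1, 8.2, ...)" as the Default Value of tripleo_redhat_enforce_osp and tripleo_redhat_enforce_os, whereas defaults/main.yml in this change sets both to ''; put the real default in that column and move the accepted values into the Description. Two wording fixes in the same file: "No used currently" should read "Not used currently", and "it required the host to be subscribed" should read "it requires the host to be subscribed". In the usage example, quote the versions (`tripleo_redhat_enforce_os: "8.1"`): bare 16.0 and 8.1 are YAML floats, and a minor release such as 8.10 would be rendered as 8.1 when substituted into the comparison against subscription-manager output.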


@ -0,0 +1,24 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# All variables intended for modification should be placed in this file.
# All variables within this role should have a prefix of "tripleo_redhat_enforce"
tripleo_redhat_enforce_debug: false
tripleo_redhat_enforce: false
tripleo_redhat_enforce_osp: ''
tripleo_redhat_enforce_os: ''


@ -0,0 +1,42 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
galaxy_info:
author: OpenStack
description: TripleO OpenStack Role -- tripleo_redhat_enforce
company: Red Hat
license: Apache-2.0
min_ansible_version: 2.7
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
platforms:
- name: CentOS
versions:
- 7
- 8
galaxy_tags:
- tripleo
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies: []
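Review bot: platforms lists only CentOS 7 and 8, yet the role is a no-op on anything but a subscribed Red Hat host; add EL to the list so the Galaxy metadata reflects where the role actually acts. The comment "Be sure to remove the '[]' above" is template residue and can be dropped.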


@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]


@ -0,0 +1,21 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
roles:
- role: "tripleo_redhat_enforce"
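Review bot: Converge includes the role with neither tripleo_redhat_enforce_osp nor tripleo_redhat_enforce_os set, and the scenario runs on the CentOS images from molecule.yml, where ansible_distribution | lower is "centos", no vars/centos.yml exists and tripleo_redhat_enforce keeps its default of false; the scenario therefore only proves that the role is skipped on non-Red Hat hosts and never reaches enforce_release.yml. A second play that sets tripleo_redhat_enforce: true together with a stubbed subscription-manager on PATH would let the registered, not-registered and wrong-release branches be exercised in CI.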


@ -0,0 +1,48 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
dockerfile: Dockerfile
pkg_extras: python-setuptools
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: centos8
hostname: centos8
image: centos:8
dockerfile: Dockerfile
pkg_extras: python*-setuptools
volumes:
- /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- check
- verify
- destroy
verifier:
name: testinfra
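Review bot: test_sequence includes verify with the testinfra verifier, but this change adds no tests/ directory for the scenario (the 11 changed files contain no test module), so verify runs nothing; either add a testinfra test, for instance one asserting that the role left no trace on a CentOS host, or drop verify from the sequence.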


@ -0,0 +1,21 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
roles:
- role: test_deps


@ -0,0 +1,45 @@
---
# We don't want to get false positive on subscription manager network
# issues, hence the logic in the retries/until.
- name: get current release settings
command: 'subscription-manager release --show'
register: subscribed_release
ignore_errors: true
retries: 5
delay: 3
until: ('ConnectionRefusedError' not in subscribed_release.stderr and subscribed_release is failed) or subscribed_release is success
- name: fails if not registered
fail:
msg: >-
Your environment is not subscribed!
If it is expected, please set SkipRhelEnforcement to true.
For Director the documentation is there
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/
director_installation_and_usage/index#configuring-the-undercloud-with-environment-files,
for the Overcloud you need to add a new parameter file to your deploy
command with that parameter set.
If this is unexpected, you have to subscribe this node and
ensure that RHEL is pinned to {{ tripleo_redhat_enforce_os }} as
this is the only version supported for {{ tripleo_redhat_enforce_osp }}.
when:
- subscribed_release is failed
- ( 'This system is not yet registered' in subscribed_release.stderr )
- name: unknown failure during call to subscription-manager
fail:
msg: >-
Unknow failure during 'subscription-manager release --show':
{{ subscribed_release.stderr }}
when:
- subscribed_release is failed
- ( 'This system is not yet registered' not in subscribed_release.stderr )
- name: fails if the release is not correct
fail:
msg: >-
OSP{{ tripleo_redhat_enforce_osp }} is only supported with Red Hat {{ tripleo_redhat_enforce_os }}.
Please make sure to pin rhel to {{ tripleo_redhat_enforce_os }} using:
subscription-manager release --set={{ tripleo_redhat_enforce_os }}.
You can then proceed with the update.
when: tripleo_redhat_enforce_os not in subscribed_release.stdout
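Review bot: the last task's condition `tripleo_redhat_enforce_os not in subscribed_release.stdout` is a substring test over the whole command output (`Release: 8.1`), so a host pinned to 8.10 satisfies a check for 8.1, and any release string that merely contains the expected value gets through; extract the value after `Release:` (for instance with `regex_search('Release:\\s*(\\S+)', '\\1')`) and compare it exactly, as a string, against `tripleo_redhat_enforce_os | string`. The `until` expression only retries when stderr contains ConnectionRefusedError, so other transient subscription-manager failures (timeouts, name resolution) are not retried and land in the "unknown failure" task, which is narrower than the comment at the top promises; a broader set of markers, or a check on rc, would match the stated intent. Typo in that task's message: "Unknow failure" should read "Unknown failure". Lastly, the not-registered message tells users to set SkipRhelEnforcement, which nothing in this change defines; make sure the THT side lands with it so the pointer does not dangle.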


@ -0,0 +1,36 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# "tripleo_redhat_enforce" will search for and load any operating system variable file
# found within the "vars/" path. If no OS files are found the task
# will skip.
# Note that using "skip: true" is deprecated, but "errors: ignore"
# fails on 2.8 with include_vars.
- name: Gather variables for each operating system
include_vars: "{{ include_file }}"
when:
- include_file is exists
vars:
include_file: "{{ role_path }}/vars/{{ ansible_distribution | lower }}.yml"
tags:
- always
- include_tasks: enforce_release.yml
name: Enforce RHEL/OSP version pair
when: tripleo_redhat_enforce|bool
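Review bot: the `include_file is exists` test is evaluated on the controller, which is correct here because include_vars reads from role_path on the controller, but a one-line comment saying so would stop readers from expecting a remote check. The comment about "skip: true" and "errors: ignore" is really the reason with_first_found is not used, yet it never says so; reword it along the lines of "we avoid with_first_found because skip: true is deprecated and errors: ignore fails on 2.8 with include_vars". Style: put `name:` first on the include_tasks item to match the first task.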


@ -0,0 +1,23 @@
---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# All variables intended for modification should be placed in this file.
# All variables within this role should have a prefix of "tripleo_redhat_enforce"
tripleo_redhat_enforce: true
tripleo_redhat_enforce_osp: ''
tripleo_redhat_enforce_os: ''
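Review bot: on a Red Hat host this file turns enforcement on while leaving tripleo_redhat_enforce_osp and tripleo_redhat_enforce_os empty until the downstream patches mentioned in the commit message fill them in; with an empty tripleo_redhat_enforce_os the release check in enforce_release.yml (`'' not in subscribed_release.stdout`) can never be true, so the role silently passes on every RHEL release. Add an assert that both values are non-empty before enforce_release.yml is included, so a missing downstream value becomes a visible failure rather than a silent pass.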


@ -36,6 +36,7 @@
- tripleo-ansible-centos-8-molecule-tripleo_podman
- tripleo-ansible-centos-8-molecule-tripleo_ptp
- tripleo-ansible-centos-8-molecule-tripleo_puppet_cache
- tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce
- tripleo-ansible-centos-8-molecule-tripleo_securetty
- tripleo-ansible-centos-8-molecule-tripleo_ssh_known_hosts
- tripleo-ansible-centos-8-molecule-tripleo_sshd
@ -80,6 +81,7 @@
- tripleo-ansible-centos-8-molecule-tripleo_podman
- tripleo-ansible-centos-8-molecule-tripleo_ptp
- tripleo-ansible-centos-8-molecule-tripleo_puppet_cache
- tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce
- tripleo-ansible-centos-8-molecule-tripleo_securetty
- tripleo-ansible-centos-8-molecule-tripleo_ssh_known_hosts
- tripleo-ansible-centos-8-molecule-tripleo_sshd
@ -371,6 +373,13 @@
parent: tripleo-ansible-centos-8-base
vars:
tripleo_role_name: tripleo_puppet_cache
- job:
files:
- ^tripleo_ansible/roles/tripleo_redhat_enforce/.*
name: tripleo-ansible-centos-8-molecule-tripleo_redhat_enforce
parent: tripleo-ansible-centos-8-base
vars:
tox_envlist: mol-tripleo_redhat_enforce
- job:
files:
- ^tripleo_ansible/roles/tripleo_securetty/.*