Add playbooks

Signed-off-by: Gael Chamoulaud (Strider) <gchamoul@redhat.com>
Gael Chamoulaud (Strider) 2020-03-09 16:24:30 +01:00
parent 939c865be6
commit 56453eaee8
No known key found for this signature in database
GPG Key ID: 4119D0305C651D66
21 changed files with 192 additions and 217 deletions


@ -30,6 +30,7 @@ data_files =
share/validations-common/callback_plugins = validations_common/callback_plugins/*
share/validations-common/lookup_plugins = validations_common/lookup_plugins/*
share/validations-common/library = validations_common/library/*
share/validations-common/playbooks = validations_common/playbooks/*
[build_sphinx]
source-dir = doc/source


@ -0,0 +1,12 @@
---
- hosts: all
vars:
metadata:
name: Advanced Format 512e Support
description: >
Detect whether the node disks use Advanced Format.
groups:
- prep
- pre-deployment
roles:
- advanced_format_512e_support


@ -0,0 +1,14 @@
---
- hosts: all
gather_facts: true
vars:
metadata:
name: Verify if the server fits the CPU core requirements
description: >
Make sure that the server has enough CPU cores.
groups:
- prep
- pre-introspection
minimal_cpu_count: 8
roles:
- check_cpu


@ -0,0 +1,20 @@
---
- hosts: all
vars:
metadata:
name: Verify server fits the disk space requirements
description: >
Make sure that the root partition on the server node has enough
free space.
groups:
- prep
- pre-introspection
volumes:
- {mount: /var/lib/docker, min_size: 10}
- {mount: /var/lib/config-data, min_size: 3}
- {mount: /var/log, min_size: 3}
- {mount: /usr, min_size: 5}
- {mount: /var, min_size: 20}
- {mount: /, min_size: 25}
roles:
- check_disk_space
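Review bot: The `description` in this playbook says only the root partition is checked, but `volumes` sets minimums for six mount points, including `/var/log` and `/var/lib/docker`, so the metadata understates what the validation enforces. I would reword it along the lines of `Make sure that the listed mount points on the server node have enough free space.` A comment above `volumes` should also state the unit of `min_size`; it is presumably GB, but the check_disk_space role that interprets it is not part of this section, so confirm there.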


@ -0,0 +1,12 @@
---
- hosts: all
vars:
metadata:
name: XFS ftype check
description: >
Check if there is at least 1 XFS volume
with ftype=0 in any deployed node.
groups:
- pre-upgrade
roles:
- xfs_check_ftype


@ -0,0 +1,13 @@
---
- hosts: all
gather_facts: true
vars:
metadata:
name: Check if latest version of packages is installed
description: >
Makes sure a list of packages are at its latest version
before starting an upgrade.
groups:
- pre-upgrade
roles:
- check_latest_packages_version
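Review bot: The description promises that "a list of packages" is at its latest version, but this play defines no such list under `vars`, so a reader cannot tell which packages the pre-upgrade check covers. The list presumably comes from the check_latest_packages_version role defaults, which are not visible in this section. I would add a comment above `roles:` saying where the list is defined and how to override it, so operators do not assume every installed package is checked.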


@ -0,0 +1,15 @@
---
- hosts: all
gather_facts: true
vars:
metadata:
name: Verify the server fits the RAM requirements
description: >
Verify that the server has enough RAM.
groups:
- prep
- pre-introspection
- pre-upgrade
minimal_ram_gb: 24
roles:
- check_ram


@ -0,0 +1,13 @@
---
- hosts: all
gather_facts: true
vars:
metadata:
name: SELinux Enforcing Mode Check
description: >
Check if the server is running SELinux in Enforcing mode.
groups:
- prep
- pre-introspection
roles:
- check_selinux_mode


@ -0,0 +1,12 @@
---
- hosts: all
vars:
metadata:
name: Verify DNS
description: >
Verify that the DNS resolution works
groups:
- pre-deployment
server_to_lookup: example.com
roles:
- dns
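Review bot: The default `server_to_lookup: example.com` only shows that the node can reach a resolver answering for a public name. In a disconnected deployment the validation would fail although internal DNS is healthy, and a pass says nothing about the records the deployment itself depends on. I would add a comment above the variable such as `# override with a name this deployment must be able to resolve`. The description is also the only one in this commit without a closing period.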


@ -0,0 +1,17 @@
---
- hosts: all
vars:
metadata:
name: HAProxy configuration
description: Verify the HAProxy configuration has recommended values.
groups:
- post-deployment
config_file: '/var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg'
global_maxconn_min: 20480
defaults_maxconn_min: 4096
defaults_timeout_queue: '2m'
defaults_timeout_client: '2m'
defaults_timeout_server: '2m'
defaults_timeout_check: '10s'
roles:
- haproxy
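Review bot: This play targets `hosts: all` while `config_file` points at a puppet-generated HAProxy path that will only exist on nodes that actually run HAProxy. How the haproxy role behaves when the file is missing is not visible here: it may fail on every other node or skip without reporting. I would either narrow `hosts` to the group that runs HAProxy or add a comment documenting the expected behaviour on hosts without the file. A short comment naming the source of the `maxconn` and timeout thresholds would also help whoever has to justify overriding them.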


@ -0,0 +1,12 @@
---
- hosts: all
vars:
metadata:
name: NO-OP validation
description: >
A simple validation doing nothing in order to test that
the validations framework works.
groups:
- no-op
roles:
- no_op


@ -0,0 +1,14 @@
---
- hosts: overcloud
vars:
metadata:
name: Verify all deployed servers have their clock synchronised
description: >
Each node should have their clocks synchronised.
The deployment should configure and run chronyd. This validation verifies
that it is indeed running and connected to an NTP server on all nodes.
groups:
- post-deployment
roles:
- ntp
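Review bot: This is the only new playbook that uses `hosts: overcloud` instead of `hosts: all`, which ties a playbook shipped in the common package to one deployment's inventory group name. If the inventory has no `overcloud` group, Ansible matches no hosts and skips the play, so the validation reports no failure without having checked anything. Clock drift affects token and certificate validity and log correlation, so a silently skipped check is worth avoiding. I would use `- hosts: all` like the sibling playbooks, or add a comment stating that an `overcloud` group is required.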


@ -0,0 +1,16 @@
---
- hosts: all
vars:
metadata:
name: Ensure services state
description: >
Detect services status on the target host and fails if we find
a failed service.
groups:
- prep
- pre-deployment
- pre-upgrade
- post-deployment
- post-upgrade
roles:
- service_status


@ -0,0 +1,21 @@
---
- hosts: all
vars:
metadata:
name: validate-selinux
description: >-
Ensures we don't have any SELinux denials on the system
groups:
- pre-deployment
- post-deployment
- pre-upgrade
- post-upgrade
validate_selinux_working_dir: /var/log/validations
validate_selinux_audit_source: /var/log/audit/audit.log
validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
validate_selinux_strict: false
validate_selinux_filter: "None"
validate_selinux_skip_list: {}
roles:
- validate_selinux
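Review bot: The description says the validation ensures there are no SELinux denials, but the play sets `validate_selinux_strict: false`, which presumably means denials are reported without failing the run; the role is not shown, so confirm and say so in the description or in a comment on that variable. Two defaults also read ambiguously: `validate_selinux_filter: "None"` is the literal string rather than a null, and `validate_selinux_skip_list: {}` is an empty mapping despite the name ending in "list". A one-line comment on each, stating the expected type and what the sentinel means, would prevent a wrong override. Since `validate_selinux_filtered_denials_dest` writes audit-log excerpts under `/var/log/validations`, it is also worth checking that the role creates that directory with restrictive permissions.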


@ -1,8 +0,0 @@
---
check_service_list:
- tripleo_nova_compute
- tripleo_heat_engine
- tripleo_ironic_conductor
- tripleo_swift_container_server
- tripleo_swift_object_server
- tripleo_mistral_engine


@ -1,18 +0,0 @@
---
- name: Check Services are running
command: "/usr/bin/systemctl show {{ item }} --property ActiveState"
become: true
with_items: "{{ check_service_list }}"
register: "check_services"
changed_when: false
ignore_errors: true
- name: Fail if services were not running
fail:
msg: >-
One of the undercloud services was not active.
Please check {{ item.item }} first and then confirm the status of
undercloud services in general before attempting to update or
upgrade the environment.
failed_when: "item.stdout != 'ActiveState=active'"
with_items: "{{ check_services.results }}"


@ -1,37 +0,0 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}
CMD ["sh", "-c", "while true; do sleep 10000; done"]


@ -1,46 +0,0 @@
---
driver:
name: docker
log: true
platforms:
- name: centos7
hostname: centos7
image: centos:7
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"
- name: fedora28
hostname: fedora28
image: fedora:28
pkg_extras: python*-setuptools
environment:
<<: *env
provisioner:
name: ansible
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy
lint:
enabled: false
verifier:
name: testinfra
lint:
name: flake8


@ -1,56 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
tasks:
- name: Safe run
include_role:
name: stonith_exists
- name: Fail the validation
block:
- name: Faulty pcs script
copy:
dest: /usr/bin/pcs
mode: 0755
content: |
#!/bin/sh
echo "NO stonith devices configured"
exit 0
- name: Run validation
include_role:
name: stonith_exists
rescue:
- name: Clear host errors
meta: clear_host_errors
- name: Test output
debug:
msg: The validation works! End play
- name: End play
meta: end_play
- name: Fail playbook if reached
fail:
msg: |
The stonith_exists validation didn't properly detect failed
stonith config


@ -1,30 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Populate successful stonith
copy:
dest: /usr/bin/pcs
mode: 0755
content: |
#!/bin/sh
echo "Stonith service configured"
exit 0


@ -1,22 +0,0 @@
---
- name: Check if we are in HA cluster environment
become: true
register: pcs_cluster_status
command: pcs cluster status
failed_when: false
changed_when: false
- name: Get all currently configured stonith devices
become: true
command: "pcs stonith"
register: stonith_devices
changed_when: false
when: "pcs_cluster_status.rc == 0"
- name: Verify the stonith device are configured
fail:
msg: "Stonith devices are not configured."
when: >
pcs_cluster_status.rc == 0
and
'NO stonith devices configured' in stonith_devices.stdout