diff --git a/setup.cfg b/setup.cfg
index 51a85e0..89f4176 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -30,6 +30,7 @@ data_files =
 share/validations-common/callback_plugins = validations_common/callback_plugins/*
 share/validations-common/lookup_plugins = validations_common/lookup_plugins/*
 share/validations-common/library = validations_common/library/*
+ share/validations-common/playbooks = validations_common/playbooks/*
 [build_sphinx]
 source-dir = doc/source
diff --git a/validations_common/playbooks/512e.yaml b/validations_common/playbooks/512e.yaml
new file mode 100644
index 0000000..6e8b0f8
--- /dev/null
+++ b/validations_common/playbooks/512e.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: Advanced Format 512e Support
+ description: >
+ Detect whether the node disks use Advanced Format.
+ groups:
+ - prep
+ - pre-deployment
+ roles:
+ - advanced_format_512e_support
diff --git a/validations_common/playbooks/check-cpu.yaml b/validations_common/playbooks/check-cpu.yaml
new file mode 100644
index 0000000..ea2d40f
--- /dev/null
+++ b/validations_common/playbooks/check-cpu.yaml
@@ -0,0 +1,14 @@
+---
+- hosts: all
+ gather_facts: true
+ vars:
+ metadata:
+ name: Verify if the server fits the CPU core requirements
+ description: >
+ Make sure that the server has enough CPU cores.
+ groups:
+ - prep
+ - pre-introspection
+ minimal_cpu_count: 8
+ roles:
+ - check_cpu
diff --git a/validations_common/playbooks/check-disk-space.yaml b/validations_common/playbooks/check-disk-space.yaml
new file mode 100644
index 0000000..af2f980
--- /dev/null
+++ b/validations_common/playbooks/check-disk-space.yaml
@@ -0,0 +1,20 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: Verify server fits the disk space requirements
+ description: >
+ Make sure that the root partition on the server node has enough
+ free space.
+ groups:
+ - prep
+ - pre-introspection
+ volumes:
+ - {mount: /var/lib/docker, min_size: 10}
+ - {mount: /var/lib/config-data, min_size: 3}
+ - {mount: /var/log, min_size: 3}
+ - {mount: /usr, min_size: 5}
+ - {mount: /var, min_size: 20}
+ - {mount: /, min_size: 25}
+ roles:
+ - check_disk_space
diff --git a/validations_common/playbooks/check-ftype.yaml b/validations_common/playbooks/check-ftype.yaml
new file mode 100644
index 0000000..d758d30
--- /dev/null
+++ b/validations_common/playbooks/check-ftype.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: XFS ftype check
+ description: >
+ Check if there is at least 1 XFS volume
+ with ftype=0 in any deployed node.
+ groups:
+ - pre-upgrade
+ roles:
+ - xfs_check_ftype
diff --git a/validations_common/playbooks/check-latest-packages-version.yaml b/validations_common/playbooks/check-latest-packages-version.yaml
new file mode 100644
index 0000000..881628b
--- /dev/null
+++ b/validations_common/playbooks/check-latest-packages-version.yaml
@@ -0,0 +1,13 @@
+---
+- hosts: all
+ gather_facts: true
+ vars:
+ metadata:
+ name: Check if latest version of packages is installed
+ description: >
+ Makes sure a list of packages are at its latest version
+ before starting an upgrade.
+ groups:
+ - pre-upgrade
+ roles:
+ - check_latest_packages_version
diff --git a/validations_common/playbooks/check-ram.yaml b/validations_common/playbooks/check-ram.yaml
new file mode 100644
index 0000000..fe32cdd
--- /dev/null
+++ b/validations_common/playbooks/check-ram.yaml
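Review bot: In check-disk-space.yaml the `description` says only the root partition is checked, but `volumes` lists six mount points, including `/var/log` and `/var/lib/docker`, so the metadata an operator reads understates what the play enforces. I would reword it to `Make sure that the listed mount points on the server node have enough free space.` The unit of `min_size` is not stated anywhere in the playbook; a comment above `volumes` such as `# min_size is in GB (confirm against the check_disk_space role)` would remove the guesswork.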
@@ -0,0 +1,15 @@
+---
+- hosts: all
+ gather_facts: true
+ vars:
+ metadata:
+ name: Verify the server fits the RAM requirements
+ description: >
+ Verify that the server has enough RAM.
+ groups:
+ - prep
+ - pre-introspection
+ - pre-upgrade
+ minimal_ram_gb: 24
+ roles:
+ - check_ram
diff --git a/validations_common/playbooks/check-selinux-mode.yaml b/validations_common/playbooks/check-selinux-mode.yaml
new file mode 100644
index 0000000..0bfcda4
--- /dev/null
+++ b/validations_common/playbooks/check-selinux-mode.yaml
@@ -0,0 +1,13 @@
+---
+- hosts: all
+ gather_facts: true
+ vars:
+ metadata:
+ name: SELinux Enforcing Mode Check
+ description: >
+ Check if the server is running SELinux in Enforcing mode.
+ groups:
+ - prep
+ - pre-introspection
+ roles:
+ - check_selinux_mode
diff --git a/validations_common/playbooks/dns.yaml b/validations_common/playbooks/dns.yaml
new file mode 100644
index 0000000..6c361e6
--- /dev/null
+++ b/validations_common/playbooks/dns.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: Verify DNS
+ description: >
+ Verify that the DNS resolution works
+ groups:
+ - pre-deployment
+ server_to_lookup: example.com
+ roles:
+ - dns
diff --git a/validations_common/playbooks/haproxy.yaml b/validations_common/playbooks/haproxy.yaml
new file mode 100644
index 0000000..e194dfd
--- /dev/null
+++ b/validations_common/playbooks/haproxy.yaml
@@ -0,0 +1,17 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: HAProxy configuration
+ description: Verify the HAProxy configuration has recommended values.
+ groups:
+ - post-deployment
+ config_file: '/var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg'
+ global_maxconn_min: 20480
+ defaults_maxconn_min: 4096
+ defaults_timeout_queue: '2m'
+ defaults_timeout_client: '2m'
+ defaults_timeout_server: '2m'
+ defaults_timeout_check: '10s'
+ roles:
+ - haproxy
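Review bot: In dns.yaml the default `server_to_lookup: example.com` ties the result to resolving a public name, so on nodes with internal-only or split-horizon resolvers the validation can fail, or pass, for reasons unrelated to the deployment's own DNS. The variable has no comment saying it is meant to be overridden; I would add `# override with a name the deployment's resolvers are expected to answer` above it. The description sentence is also missing its closing period, unlike the sibling playbooks.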
diff --git a/validations_common/playbooks/no-op.yaml b/validations_common/playbooks/no-op.yaml
new file mode 100644
index 0000000..ca1dcd3
--- /dev/null
+++ b/validations_common/playbooks/no-op.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: NO-OP validation
+ description: >
+ A simple validation doing nothing in order to test that
+ the validations framework works.
+ groups:
+ - no-op
+ roles:
+ - no_op
diff --git a/validations_common/playbooks/ntp.yaml b/validations_common/playbooks/ntp.yaml
new file mode 100644
index 0000000..1932185
--- /dev/null
+++ b/validations_common/playbooks/ntp.yaml
@@ -0,0 +1,14 @@
+---
+- hosts: overcloud
+ vars:
+ metadata:
+ name: Verify all deployed servers have their clock synchronised
+ description: >
+ Each node should have their clocks synchronised.
+
+ The deployment should configure and run chronyd. This validation verifies
+ that it is indeed running and connected to an NTP server on all nodes.
+ groups:
+ - post-deployment
+ roles:
+ - ntp
diff --git a/validations_common/playbooks/service-status.yaml b/validations_common/playbooks/service-status.yaml
new file mode 100644
index 0000000..738b726
--- /dev/null
+++ b/validations_common/playbooks/service-status.yaml
@@ -0,0 +1,16 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: Ensure services state
+ description: >
+ Detect services status on the target host and fails if we find
+ a failed service.
+ groups:
+ - prep
+ - pre-deployment
+ - pre-upgrade
+ - post-deployment
+ - post-upgrade
+ roles:
+ - service_status
diff --git a/validations_common/playbooks/validate-selinux.yaml b/validations_common/playbooks/validate-selinux.yaml
new file mode 100644
index 0000000..cf29390
--- /dev/null
+++ b/validations_common/playbooks/validate-selinux.yaml
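Review bot: ntp.yaml targets `hosts: overcloud` while every other playbook added in this commit uses `hosts: all`. With an inventory that has no `overcloud` group, Ansible matches no hosts and the play finishes without running the `ntp` role, which is easy to read as a pass. Clock synchronisation underpins log correlation and time-bound credentials, so a silently skipped check is worth avoiding. Either use `hosts: all` like the sibling playbooks, or add a comment such as `# requires an 'overcloud' inventory group; no hosts matched means the check did not run` above the `hosts` line.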
@@ -0,0 +1,21 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: validate-selinux
+ description: >-
+ Ensures we don't have any SELinux denials on the system
+ groups:
+ - pre-deployment
+ - post-deployment
+ - pre-upgrade
+ - post-upgrade
+ validate_selinux_working_dir: /var/log/validations
+ validate_selinux_audit_source: /var/log/audit/audit.log
+ validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+ validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+ validate_selinux_strict: false
+ validate_selinux_filter: "None"
+ validate_selinux_skip_list: {}
+ roles:
+ - validate_selinux
diff --git a/validations_common/roles/check_service_status/defaults/main.yml b/validations_common/roles/check_service_status/defaults/main.yml
deleted file mode 100644
index 837e33c..0000000
--- a/validations_common/roles/check_service_status/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-check_service_list:
- - tripleo_nova_compute
- - tripleo_heat_engine
- - tripleo_ironic_conductor
- - tripleo_swift_container_server
- - tripleo_swift_object_server
- - tripleo_mistral_engine
diff --git a/validations_common/roles/check_service_status/tasks/main.yml b/validations_common/roles/check_service_status/tasks/main.yml
deleted file mode 100644
index cb48cd4..0000000
--- a/validations_common/roles/check_service_status/tasks/main.yml
+++ /dev/null
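Review bot: In validate-selinux.yaml the defaults `validate_selinux_strict: false` and `validate_selinux_filter: "None"` carry no explanation, and the second is the quoted string `"None"` rather than YAML `null`. The role is outside this diff, so this is inferred: if non-strict mode only reports denials, a validation described as "Ensures we don't have any SELinux denials" can pass while denials are present in `/var/log/audit/audit.log`. I would add a comment above each variable, for example `# strict: fail the validation on any denial (confirm against the role)` and `# "None" is a string sentinel meaning no filter, not YAML null`, so operators know which default to change for an enforcing gate.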
@@ -1,18 +0,0 @@
----
-- name: Check Services are running
- command: "/usr/bin/systemctl show {{ item }} --property ActiveState"
- become: true
- with_items: "{{ check_service_list }}"
- register: "check_services"
- changed_when: false
- ignore_errors: true
-
-- name: Fail if services were not running
- fail:
- msg: >-
- One of the undercloud services was not active.
- Please check {{ item.item }} first and then confirm the status of
- undercloud services in general before attempting to update or
- upgrade the environment.
- failed_when: "item.stdout != 'ActiveState=active'"
- with_items: "{{ check_services.results }}"
diff --git a/validations_common/roles/stonith_exists/molecule/default/Dockerfile.j2 b/validations_common/roles/stonith_exists/molecule/default/Dockerfile.j2
deleted file mode 100644
index 1b91a0e..0000000
--- a/validations_common/roles/stonith_exists/molecule/default/Dockerfile.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-# Molecule managed
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-{% if item.registry is defined %}
-FROM {{ item.registry.url }}/{{ item.image }}
-{% else %}
-FROM {{ item.image }}
-{% endif %}
-
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
- elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
- elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
- elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
- elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
- elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
-
-{% for pkg in item.easy_install | default([]) %}
-# install pip for centos where there is no python-pip rpm in default repos
-RUN easy_install {{ pkg }}
-{% endfor %}
-
-
-CMD ["sh", "-c", "while true; do
sleep 10000; done"]
diff --git a/validations_common/roles/stonith_exists/molecule/default/molecule.yml b/validations_common/roles/stonith_exists/molecule/default/molecule.yml
deleted file mode 100644
index 5eb59c2..0000000
--- a/validations_common/roles/stonith_exists/molecule/default/molecule.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-driver:
- name: docker
-
-log: true
-
-platforms:
- - name: centos7
- hostname: centos7
- image: centos:7
- pkg_extras: python-setuptools
- easy_install:
- - pip
- environment: &env
- http_proxy: "{{ lookup('env', 'http_proxy') }}"
- https_proxy: "{{ lookup('env', 'https_proxy') }}"
-
- - name: fedora28
- hostname: fedora28
- image: fedora:28
- pkg_extras: python*-setuptools
- environment:
- <<: *env
-
-provisioner:
- name: ansible
- log: true
- env:
- ANSIBLE_STDOUT_CALLBACK: yaml
-
-scenario:
- test_sequence:
- - destroy
- - create
- - prepare
- - converge
- - verify
- - destroy
-
-lint:
- enabled: false
-
-verifier:
- name: testinfra
- lint:
- name: flake8
diff --git a/validations_common/roles/stonith_exists/molecule/default/playbook.yml b/validations_common/roles/stonith_exists/molecule/default/playbook.yml
deleted file mode 100644
index aefd9ff..0000000
--- a/validations_common/roles/stonith_exists/molecule/default/playbook.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- name: Converge
- hosts: all
-
- tasks:
- - name: Safe run
- include_role:
- name: stonith_exists
-
- - name: Fail the validation
- block:
- - name: Faulty pcs script
- copy:
- dest: /usr/bin/pcs
- mode: 0755
- content: |
- #!/bin/sh
- echo "NO stonith devices configured"
- exit 0
-
- - name: Run validation
- include_role:
- name: stonith_exists
-
- rescue:
- - name: Clear host errors
- meta: clear_host_errors
-
- - name: Test output
- debug:
- msg: The validation works! End play
-
- - name: End play
- meta: end_play
-
- - name: Fail playbook if reached
- fail:
- msg: |
- The stonith_exists validation didn't properly detect failed
- stonith config
diff --git a/validations_common/roles/stonith_exists/molecule/default/prepare.yml b/validations_common/roles/stonith_exists/molecule/default/prepare.yml
deleted file mode 100644
index eba0c86..0000000
--- a/validations_common/roles/stonith_exists/molecule/default/prepare.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- name: Prepare
- hosts: all
- gather_facts: false
-
- tasks:
- - name: Populate successful stonith
- copy:
- dest: /usr/bin/pcs
- mode: 0755
- content: |
- #!/bin/sh
- echo "Stonith service configured"
- exit 0
diff --git a/validations_common/roles/stonith_exists/tasks/main.yml b/validations_common/roles/stonith_exists/tasks/main.yml
deleted file mode 100644
index 4277134..0000000
--- a/validations_common/roles/stonith_exists/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: Check if we are in HA cluster environment
- become: true
- register: pcs_cluster_status
- command: pcs cluster status
- failed_when: false
- changed_when: false
-
-- name: Get all currently configured stonith devices
- become: true
- command: "pcs stonith"
- register: stonith_devices
- changed_when: false
- when: "pcs_cluster_status.rc == 0"
-
-- name: Verify the stonith device are configured
- fail:
- msg: "Stonith devices are not configured."
- when: >
- pcs_cluster_status.rc == 0
- and
- 'NO stonith devices configured' in stonith_devices.stdout