zuul/zuul-jobs
Code Issues Proposed changes

Ombibus set of fixups for Ubuntu Noble

Browse Source 
There are a number of updates we make for Ubuntu Noble in this commit.

1. Remove python2-dev from bindep for Noble as Noble appears to have no
   python2 runtime options.
2. Add libjpeg-dev to bindep for noble because Pillow doesn't build
   python3.12 wheels for Pillow<10 which we currently depend on. This
   means we need to build from source and that depends on libjpeg-dev.
3. We remove double bracket wrappers from ansible vars in ansible
   assertion blocks. Having them results in errors like:
     Conditional is marked as unsafe, and cannot be evaluated.
4. We update rust testing to explicitly install pkg-config before
   building python cryptography. This tool is required to build
   cryptography from source and is no longer being pulled in either
   by the base images or build-essential meta pacakge.
5. Add an Ubuntu-24.04 tasks file for the ensure-skopeo roles so that
   we try to install skopeo using distro packages or build from source
   and don't use Kubic which only has packages for old Ubuntu releases.

Change-Id: I388710ce40dc757ada4de819a9c3c59fc32fb07a
This commit is contained in:
Clark Boylan 2024-05-23 08:50:55 -07:00
parent bb9c303fab
commit 298354d2e3
7 changed files with 69 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
bindep.txt
View File

@ -7,5 +7,8 @@ python3-dev [test platform:dpkg platform:apk]
# Required for subprocess32
python2-devel [test platform:fedora]
python-devel [test platform:rpm !platform:fedora !platform:centos-8 !platform:rhel-8]
python-dev [test platform:dpkg platform:apk !platform:ubuntu-jammy !platform:debian-bookworm]
python-dev [test platform:dpkg platform:apk !platform:ubuntu-jammy !platform:ubuntu-noble !platform:debian-bookworm]
python2-dev [test platform:ubuntu-jammy]
# Required for sphinx testing on Noble for Pillow wheel builds
libjpeg-dev [doc platform:ubuntu-noble]

49
roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml Normal file
View File

@ -0,0 +1,49 @@
- name: Install skopeo from packages
when: not ensure_skopeo_install_from_upstream
package:
name:
- skopeo
- uidmap
state: present
become: yes
- name: Install skopeo from upstream
when: ensure_skopeo_install_from_upstream
block:
- name: Install dependencies
become: yes
package:
name:
- libgpgme-dev
- libassuan-dev
- libbtrfs-dev
- libdevmapper-dev
- pkg-config
- build-essential
- golang
state: present
- name: Clone upstream source
git:
repo: https://github.com/containers/skopeo
dest: '{{ ansible_user_dir }}/skopeo'
version: '{{ ensure_skopeo_install_from_upstream_version }}'
- name: Build skopeo
command: 'make bin/skopeo'
args:
chdir: '{{ ansible_user_dir }}/skopeo'
- name: Install binary
become: yes
copy:
src: '{{ ansible_user_dir}}/skopeo/bin/skopeo'
dest: '/usr/local/bin/skopeo'
owner: root
group: root
mode: '0755'
remote_src: yes
- name: Test binary
command: '/usr/local/bin/skopeo --version'

4
test-playbooks/ensure-nox.yaml
View File

@ -27,7 +27,7 @@
- name: Verify nox_executable is set
assert:
that:
- nox_executable == "{{ ansible_user_dir }}/.local/nox/bin/nox"
- nox_executable == ansible_user_dir + '/.local/nox/bin/nox'
- name: Verify nox is installed
command: "{{ nox_executable }} --version"
register: result
@ -48,4 +48,4 @@
- name: Verify nox_executable is set to the virtualenv nox
assert:
that:
- nox_executable == '{{ ansible_user_dir }}/nox-venv/bin/nox'
- nox_executable == ansible_user_dir + '/nox-venv/bin/nox'

4
test-playbooks/ensure-tox.yaml
View File

@ -27,7 +27,7 @@
- name: Verify tox_executable is set
assert:
that:
- tox_executable == "{{ ansible_user_dir }}/.local/tox/bin/tox"
- tox_executable == ansible_user_dir + '/.local/tox/bin/tox'
- name: Verify tox is installed
command: "{{ tox_executable }} --version"
register: result
@ -48,4 +48,4 @@
- name: Verify tox_executable is set to the virtualenv tox
assert:
that:
- tox_executable == '{{ ansible_user_dir }}/tox-venv/bin/tox'
- tox_executable == ansible_user_dir + '/tox-venv/bin/tox'

6
test-playbooks/multinode/multi-node-firewall.yaml
View File

@ -13,7 +13,7 @@
- name: Validate ipv4 private firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
- "'-A INPUT -s ' + hostvars[item]['nodepool']['private_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
when:
- hostvars[item]['nodepool']['private_ipv4']
@ -21,7 +21,7 @@
- name: Validate ipv4 public firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
- "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
when:
- hostvars[item]['nodepool']['public_ipv4']
@ -40,5 +40,5 @@
- name: Validate ipv6 firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
- "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv6'] + '/128 -j ACCEPT' in ip6tables_rules.stdout"
with_items: "{{ groups['all'] }}"

8
test-playbooks/multinode/persistent-firewall.yaml
View File

@ -59,7 +59,7 @@
- name: Validate ipv4 private firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
- "'-A INPUT -s ' + hostvars[item]['nodepool']['private_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
when:
- hostvars[item]['nodepool']['private_ipv4']
@ -67,7 +67,7 @@
- name: Validate ipv4 public firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
- "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
when:
- hostvars[item]['nodepool']['public_ipv4']
@ -75,7 +75,7 @@
- name: Validate ipv4 bridge firewall configuration
assert:
that:
- "'-A INPUT -s {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -d {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -j ACCEPT' in iptables_rules.stdout"
- "'-A INPUT -s ' + bridge_address_prefix + '.0/' + bridge_address_subnet | string + ' -d ' + bridge_address_prefix + '.0/' + bridge_address_subnet | string + ' -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
# ipv6_addresses is set by the multi-node-firewall role
@ -92,5 +92,5 @@
- name: Validate ipv6 firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
- "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv6'] + '/128 -j ACCEPT' in ip6tables_rules.stdout"
with_items: "{{ groups['all'] }}"

5
test-playbooks/rust/ensure-rust.yaml
View File

@ -35,6 +35,8 @@
state: present
loop:
- build-essential
# pkg-config appears to be explicitly needed on Ubuntu Noble
- pkg-config
- libssl-dev
- libffi-dev
- python3-dev
@ -44,4 +46,7 @@
shell: |
python3 -m venv ./venv
./venv/bin/pip install --upgrade pip
# Python cryptography relies on a working Rust toolchain to build
# from source. We set the --no-binary flag to ensure cryptography
# is built rather than installed via an upstream wheel
./venv/bin/pip install cryptography --no-binary cryptography