
Add multi-node integration jobs

Change-Id: I4a81f292acf993c8ab25c7cc36fddf704c485c6c
changes/67/668767/23
James E. Blair 1 month ago
parent
commit
4a76106743

+ 54
- 0
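--- a/test-playbooks/multinode/multi-node-bridge.yaml
+++ b/test-playbooks/multinode/multi-node-bridge.yaml
@@ -0,0 +1,54 @@
+- name: Test the multi-node-bridge role
+  hosts:
+    - switch
+    - peers
+  roles:
+    - multi-node-bridge
+  post_tasks:
+    - become: yes
+      block:
+        - name: openvswitch should be installed
+          package:
+            name: "{{ ovs_package }}"
+            state: installed
+          register: ovs_installed
+
+        - name: openvswitch should be running
+          service:
+            name: "{{ ovs_service }}"
+            state: started
+            enabled: yes
+          register: ovs_running
+
+        - name: bridge should exist
+          openvswitch_bridge:
+            bridge: "{{ bridge_name }}"
+          register: ovs_bridge
+
+        - name: port should exist
+          command: ovs-vsctl show
+          changed_when: false
+          register: ovs_port
+
+        - name: switch should be reachable
+          command: ping -c 4 {{ bridge_address_prefix }}.{{ bridge_address_offset }}
+          changed_when: false
+          failed_when: false
+          register: ovs_ping_switch
+
+        - name: peer should be reachable
+          command: ping -c 4 {{ bridge_address_prefix }}.{{ bridge_address_offset + 1 }}
+          changed_when: false
+          failed_when: false
+          register: ovs_ping_peer
+
+        - name: assert test results
+          assert:
+            that:
+              - ovs_installed is not changed
+              - ovs_running is not changed
+              - ovs_bridge is not changed
+              - ovs_port.rc == 0
+              - "'Port \"br-infra_' in ovs_port.stdout"
+              - ovs_ping_switch.rc == 0
+              - ovs_ping_peer.rc == 0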
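Review bot: The port assertion hard-codes the bridge name (`'Port \"br-infra_' in ovs_port.stdout`) although the `bridge should exist` task takes it from `{{ bridge_name }}`, so the test silently depends on the role's default value. Assuming the role names its ports with the bridge name followed by an underscore (the role is not visible here), build the needle from the variable instead: `- "('Port \"' ~ bridge_name ~ '_') in ovs_port.stdout"`. Separately, `state: installed` is an alias that not every package backend accepts; `state: present` is the portable spelling.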

+ 43
- 0
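--- a/test-playbooks/multinode/multi-node-firewall.yaml
+++ b/test-playbooks/multinode/multi-node-firewall.yaml
@@ -0,0 +1,43 @@
+- name: Test the multi-node-firewall role
+  hosts: all
+  roles:
+    - multi-node-firewall
+  post_tasks:
+    - name: switch and peer nodes should be in the ipv4 firewall
+      become: yes
+      command: iptables-save
+      changed_when: false
+      failed_when: false
+      register: iptables_rules
+
+    - name: Validate ipv4 private firewall configuration
+      assert:
+        that:
+          - "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+      with_items: "{{ groups['all'] }}"
+      when:
+        - hostvars[item]['nodepool']['private_ipv4']
+
+    - name: Validate ipv4 public firewall configuration
+      assert:
+        that:
+          - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+      with_items: "{{ groups['all'] }}"
+      when:
+        - hostvars[item]['nodepool']['public_ipv4']
+
+    # ipv6_addresses is set by the multi-node-firewall role
+    - when: ipv6_addresses | length > 0
+      block:
+        - name: switch and peer nodes should be in the ipv6 firewall
+          become: yes
+          command: ip6tables-save
+          changed_when: false
+          failed_when: false
+          register: ip6tables_rules
+
+        - name: Validate ipv6 firewall configuration
+          assert:
+            that:
+              - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
+          with_items: "{{ groups['all'] }}"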
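Review bot: The `Validate ipv6 firewall configuration` assert loops over `groups['all']` without the per-host guard that both IPv4 asserts carry, so in a nodeset where one node has an empty `nodepool.public_ipv6` it searches for `-A INPUT -s /128 -j ACCEPT` and fails even if the role did the right thing. Adding `when: hostvars[item]['nodepool']['public_ipv6']` to that task would match the IPv4 checks; the identical task at the end of persistent-firewall.yaml has the same gap. Both `*-save` commands also set `failed_when: false` while nothing checks `rc`, so a failed rule dump only shows up as a substring miss; asserting `iptables_rules.rc == 0` (and the ip6tables equivalent) first would make that failure explicit.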

+ 25
- 0
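--- a/test-playbooks/multinode/multi-node-hosts-file.yaml
+++ b/test-playbooks/multinode/multi-node-hosts-file.yaml
@@ -0,0 +1,25 @@
+- name: Test the multi-node-hosts-file role
+  hosts: all
+  roles:
+    - multi-node-hosts-file
+  post_tasks:
+    - name: lookup hosts file
+      command: cat /etc/hosts
+      register: hosts_file
+
+    - name: Set up the list of hosts and addresses
+      set_fact:
+        host_addresses: >
+          {% set hosts = [] -%}
+          {% for host, vars in hostvars.items() -%}
+          {% set _ = hosts.append({'host': host, 'address': vars['nodepool']['private_ipv4']}) -%}
+          {% endfor -%}
+          {{- hosts -}}
+
+    - name: assert that hosts are in the hosts file
+      vars:
+        line: "{{ item.address }} {{ item.host }}"
+      assert:
+        that:
+          - "line in hosts_file.stdout"
+      with_list: "{{ host_addresses }}"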
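Review bot: `line in hosts_file.stdout` is a substring test against the whole file, so an expected entry such as `10.0.0.1 node` (constructed example) is also satisfied by a line reading `110.0.0.1 node2`, and the test can pass while a host's own entry is missing. If the role writes exactly one `address host` pair per line (not visible here), compare against the line list instead: `- "line in hosts_file.stdout_lines"`. The assert in multi-node-known-hosts.yaml (`item in known_hosts.stdout`) is loose in the same way for addresses that are prefixes of one another. The template here also appends `private_ipv4` without the empty-string check that the known-hosts playbook applies.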

+ 31
- 0
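--- a/test-playbooks/multinode/multi-node-known-hosts.yaml
+++ b/test-playbooks/multinode/multi-node-known-hosts.yaml
@@ -0,0 +1,31 @@
+- name: Test the multi-node-known-hosts role
+  hosts: all
+  roles:
+    - multi-node-known-hosts
+  post_tasks:
+    - name: lookup known_hosts file
+      command: cat ~/.ssh/known_hosts
+      register: known_hosts
+
+    - name: Set up host addresses
+      set_fact:
+        host_addresses: >
+          {% set hosts = [] -%}
+          {% for host, vars in hostvars.items() -%}
+          {% if vars['nodepool']['private_ipv4'] != '' -%}
+            {% set _ = hosts.append(vars['nodepool']['private_ipv4']) -%}
+          {% endif -%}
+          {% if vars['nodepool']['public_ipv4'] != '' -%}
+            {% set _ = hosts.append(vars['nodepool']['public_ipv4']) -%}
+          {% endif -%}
+          {% if vars['nodepool']['public_ipv6'] != '' -%}
+            {% set _ = hosts.append(vars['nodepool']['public_ipv6']) -%}
+          {% endif -%}
+          {% endfor -%}
+          {{- hosts | sort | unique -}}
+
+    - name: assert that hosts are in known_hosts
+      assert:
+        that:
+          - "item in known_hosts.stdout"
+      with_items: "{{ host_addresses }}"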
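Review bot: The `lookup known_hosts file` task runs `cat` through `command` without `changed_when: false`, so a read-only step reports a change on every run; the read-only commands in multi-node-bridge.yaml and multi-node-firewall.yaml set it, and `lookup hosts file` in multi-node-hosts-file.yaml is missing it as well. Add `changed_when: false` next to `register: known_hosts`. A short comment above `host_addresses` would also help, saying that the folded Jinja block is expected to render a de-duplicated list of every non-empty private and public address, which `with_items` then iterates.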

+ 10
- 0
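--- a/test-playbooks/multinode/multinode.yaml
+++ b/test-playbooks/multinode/multinode.yaml
@@ -0,0 +1,10 @@
+# Roles that are part of the 'multinode' job
+
+# If you add new tests, also update the files section in jobs
+# base-integration and multinode-integration in zuul.d/jobs.yaml.
+
+- include: multi-node-known-hosts.yaml
+- include: multi-node-hosts-file.yaml
+- include: multi-node-firewall.yaml
+- include: multi-node-bridge.yaml
+- include: persistent-firewall.yaml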
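Review bot: The header comment sends maintainers to jobs `base-integration` and `multinode-integration` in `zuul.d/jobs.yaml`, but this commit wires the playbook into `zuul-jobs-test-multinode-roles` in `zuul-tests.d/general-roles-jobs.yaml`, so the comment looks carried over from another repository. I would reword it along the lines of `# If you add new tests, also update the files section of zuul-jobs-test-multinode-roles in zuul-tests.d/general-roles-jobs.yaml.` Top-level `include:` of playbooks is also deprecated in favour of `import_playbook:` on Ansible 2.4 and later, if the executor's Ansible version allows the switch.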

+ 2
- 0
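--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/Debian.yaml
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/Debian.yaml
@@ -0,0 +1,2 @@
+iptables_service:
+  - netfilter-persistent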

+ 3
- 0
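--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/Gentoo.yaml
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/Gentoo.yaml
@@ -0,0 +1,3 @@
+iptables_service:
+  - iptables-restore
+  - ip6tables-restore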

+ 21
- 0
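--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/README.rst
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/README.rst
@@ -0,0 +1,21 @@
+multinode_firewall_persistence_vars
+===================================
+
+This directory is meant to contain distribution specific variables used in
+integration tests for the ``multinode_firewall_persistence`` role.
+
+The behavior of the ``with_first_found`` lookup used with the ``include_vars``
+module will make it search for the ``vars`` directory in the "usual" order of
+precedence which means if there is a ``vars`` directory inside the playbook
+directory, it will search there first.
+
+This can result in one of two issues:
+
+1. If you try to prepend ``{{ role_path }}`` to workaround this issue with the
+   variable file paths, Zuul will deny the lookup if you are running an
+   untrusted playbook because the role was prepared in a trusted location and
+   Ansible is trying to search outside the work root as a result.
+2. The variables included are the wrong ones -- the ones from
+   ``playbooks/vars`` are loaded instead of ``path/to/<role>/vars``
+
+This is why this directory is called ``multinode_firewall_persistence_vars``.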

+ 3
- 0
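--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/RedHat.yaml
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/RedHat.yaml
@@ -0,0 +1,3 @@
+iptables_service:
+  - iptables
+  - ip6tables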

+ 2
- 0
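--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
@@ -0,0 +1,2 @@
+iptables_service:
+  - SuSEfirewall2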

+ 2
- 0
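--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/Ubuntu_trusty.yaml
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/Ubuntu_trusty.yaml
@@ -0,0 +1,2 @@
+iptables_service:
+  - iptables-persistent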

+ 0
- 0
test-playbooks/multinode/multinode_firewall_persistence_vars/default.yaml View File


+ 80
- 0
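--- a/test-playbooks/multinode/persistent-firewall.yaml
+++ b/test-playbooks/multinode/persistent-firewall.yaml
@@ -0,0 +1,80 @@
+- name: Test the persistent-firewall role
+  hosts: all
+  roles:
+    # We're including multi-node-bridge a second time with the toggle for
+    # enabling firewall rules for the bridge network subnet
+    # By this time, multi-node-firewall has already ran, we don't need to run
+    # it again -- we're testing here that both are persisted properly.
+    - { role: multi-node-bridge, bridge_authorize_internal_traffic: true }
+  post_tasks:
+    # NOTE (dmsimard): Using with_first_found and include_vars can yield
+    # unexpected results, see multinode_firewall_persistence_vars/README.rst
+    - name: Include OS-specific variables
+      include_vars: "{{ item }}"
+      with_first_found:
+        - "multinode_firewall_persistence_vars/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
+        - "multinode_firewall_persistence_vars/{{ ansible_distribution }}.yaml"
+        - "multinode_firewall_persistence_vars/{{ ansible_os_family }}.yaml"
+        - "multinode_firewall_persistence_vars/default.yaml"
+
+    - name: Flush iptables rules
+      become: yes
+      command: "{{ item }}"
+      with_items:
+        - iptables --flush
+        - ip6tables --flush
+
+    # NOTE (dmsimard): We're using with_items here because RedHat and Gentoo
+    # need to restart both iptables and ip6tables.
+    - name: Restart iptables
+      become: yes
+      service:
+        name: "{{ item }}"
+        state: restarted
+      when: iptables_service is defined
+      with_items: "{{ iptables_service }}"
+
+    - name: switch and peer nodes should be in the ipv4 firewall
+      become: yes
+      command: iptables-save
+      changed_when: false
+      failed_when: false
+      register: iptables_rules
+
+    - name: Validate ipv4 private firewall configuration
+      assert:
+        that:
+          - "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+      with_items: "{{ groups['all'] }}"
+      when:
+        - hostvars[item]['nodepool']['private_ipv4']
+
+    - name: Validate ipv4 public firewall configuration
+      assert:
+        that:
+          - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+      with_items: "{{ groups['all'] }}"
+      when:
+        - hostvars[item]['nodepool']['public_ipv4']
+
+    - name: Validate ipv4 bridge firewall configuration
+      assert:
+        that:
+          - "'-A INPUT -s {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -d {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -j ACCEPT' in iptables_rules.stdout"
+      with_items: "{{ groups['all'] }}"
+
+    # ipv6_addresses is set by the multi-node-firewall role
+    - when: ipv6_addresses | length > 0
+      block:
+        - name: switch and peer nodes should be in the ipv6 firewall
+          become: yes
+          command: ip6tables-save
+          changed_when: false
+          failed_when: false
+          register: ip6tables_rules
+
+        - name: Validate ipv6 firewall configuration
+          assert:
+            that:
+              - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
+          with_items: "{{ groups['all'] }}"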
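Review bot: `Validate ipv4 bridge firewall configuration` carries `with_items: "{{ groups['all'] }}"` but its assertion never references `item`, so the identical check is repeated once per host; the loop can be dropped from that task. `Restart iptables` depends on `when: iptables_service is defined` to get past the empty `default.yaml`, and `with_items: "{{ iptables_service | default([]) }}"` would state that intent directly. On a platform that falls through to `default.yaml` the rules are flushed and nothing restores them, so the later asserts would presumably fail without any hint that the service mapping is what is missing; an explicit `fail` or assert on `iptables_service` after the include would make that visible.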

+ 178
- 0
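--- a/zuul-tests.d/general-roles-jobs.yaml
+++ b/zuul-tests.d/general-roles-jobs.yaml
@@ -83,6 +83,176 @@
     tags: auto-generated
     nodeset: ubuntu-xenial
 
+- job:
+    name: zuul-jobs-test-multinode-roles
+    description: |
+      Tests multinode setup roles
+
+      These roles are tested together in this job because they
+      interact with each other.
+    tags: all-platforms-multinode
+    abstract: true
+    run: test-playbooks/multinode/multinode.yaml
+    files:
+      - ^roles/multi-node-bridge/.*
+      - ^roles/multi-node-firewall/.*
+      - ^roles/persistent-firewall/.*
+      - ^roles/multi-node-hosts-file/.*
+      - ^roles/multi-node-known-hosts/.*
+      - ^test-playbooks/multinode/.*
+
+- job:
+    name: zuul-jobs-test-multinode-roles-centos-7
+    description: Tests multinode setup roles on centos-7
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: centos-7
+        - name: secondary
+          label: centos-7
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-debian-stable
+    description: Tests multinode setup roles on debian-stable
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: debian-stretch
+        - name: secondary
+          label: debian-stretch
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-fedora-latest
+    description: Tests multinode setup roles on fedora-latest
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: fedora-29
+        - name: secondary
+          label: fedora-29
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-opensuse-15
+    description: Tests multinode setup roles on opensuse-15
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: opensuse-15
+        - name: secondary
+          label: opensuse-15
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-opensuse-tumbleweed
+    description: Tests multinode setup roles on opensuse-tumbleweed
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: opensuse-tumbleweed
+        - name: secondary
+          label: opensuse-tumbleweed
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-ubuntu-bionic
+    description: Tests multinode setup roles on ubuntu-bionic
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: ubuntu-bionic
+        - name: secondary
+          label: ubuntu-bionic
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-ubuntu-trusty
+    description: Tests multinode setup roles on ubuntu-trusty
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: ubuntu-trusty
+        - name: secondary
+          label: ubuntu-trusty
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
+- job:
+    name: zuul-jobs-test-multinode-roles-ubuntu-xenial
+    description: Tests multinode setup roles on ubuntu-xenial
+    parent: zuul-jobs-test-multinode-roles
+    tags: auto-generated
+    nodeset:
+      nodes:
+        - name: primary
+          label: ubuntu-xenial
+        - name: secondary
+          label: ubuntu-xenial
+      groups:
+        - name: switch
+          nodes:
+            - primary
+        - name: peers
+          nodes:
+            - secondary
+
 - job:
     name: zuul-jobs-test-upload-git-mirror
     description: Test the upload-git-mirror role
@@ -102,6 +272,14 @@
         - zuul-jobs-test-base-roles-ubuntu-bionic
         - zuul-jobs-test-base-roles-ubuntu-trusty
         - zuul-jobs-test-base-roles-ubuntu-xenial
+        - zuul-jobs-test-multinode-roles-centos-7
+        - zuul-jobs-test-multinode-roles-debian-stable
+        - zuul-jobs-test-multinode-roles-fedora-latest
+        - zuul-jobs-test-multinode-roles-opensuse-15
+        - zuul-jobs-test-multinode-roles-opensuse-tumbleweed
+        - zuul-jobs-test-multinode-roles-ubuntu-bionic
+        - zuul-jobs-test-multinode-roles-ubuntu-trusty
+        - zuul-jobs-test-multinode-roles-ubuntu-xenial
         - zuul-jobs-test-upload-git-mirror
     gate:
       jobs: *id001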

+ 0
- 14
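--- a/zuul-tests.d/project.yaml
+++ b/zuul-tests.d/project.yaml
@@ -7,24 +7,10 @@
       - build-tox-docs
     check:
       jobs:
-        - openstack-infra-multinode-integration-centos-7
-        - openstack-infra-multinode-integration-debian-stable
-        - openstack-infra-multinode-integration-fedora-latest
-        - openstack-infra-multinode-integration-ubuntu-bionic
-        - openstack-infra-multinode-integration-ubuntu-trusty
-        - openstack-infra-multinode-integration-ubuntu-xenial
-        - openstack-infra-multinode-integration-opensuse423
         - tox-py27
         - tox-py35
     gate:
       jobs:
-        - openstack-infra-multinode-integration-centos-7
-        - openstack-infra-multinode-integration-debian-stable
-        - openstack-infra-multinode-integration-fedora-latest
-        - openstack-infra-multinode-integration-ubuntu-bionic
-        - openstack-infra-multinode-integration-ubuntu-trusty
-        - openstack-infra-multinode-integration-ubuntu-xenial
-        - openstack-infra-multinode-integration-opensuse423
         - tox-py27
         - tox-py35
     post: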
