This adds roles that, similar to add-build-sshkey, create a per-build
WinRM certificate, install it on remote windows nodes, and then switch
to using the certificate in Ansible for authentication. A second role
is included which can clean up the cert which is useful for static
nodes.
Since winrm certificates must be acessible within the bubblewrap
container, these roles can be used to restrict the system-wide winrm
cert to trusted playbooks while untrusted playbooks will only have access
to the per-build cert (with appropriate configuration of the executor).
Change-Id: I4efe25594c2f543886a000aa02fb0a38683a43cb
The input to encrypt files may be a list of paths so our validation has
to evaluate and state each list entry separately. Without this we fail
beacuse the list of paths is treated like a single path and that does
not stat resulting in early failure.
Change-Id: Ibe3f6b162c3adad928708464ea03ddded2f4c683
Change I8e7bc38c68c224795630b90a1b989098a7661491 switched the
"Validate input file" task to use a path stat, but when a list of
files is passed into encrypt_file this fails because the list is
treated as a string. Switch back to the more naive "is undefined"
check until it can be properly redone with a loop or similar and
appropriate tests added.
Change-Id: I83e665bc890aec42462776e0079457bb4506552f
In neutron-multinode jobs where we use ovs/ovn from source,
we want to use multi-node-bridge role only for bridge
configuration but not for ovs installation. In the job
we install ovn and openvswitch before calling this role to
configure the bridges.
Adding a role var 'install_ovs' to allow skipping ovs
installation and service start, it's default to true so
no change in current behavior of the role.
It's an alternative approach to [1].
[1] https://review.opendev.org/c/zuul/zuul-jobs/+/762650
Related-Bug: #1904117
Change-Id: I64942679520681bdf7f953c0a3c7fc0d13e77856
The value of python_version is float by default.
The existing comparison will only work for strings.
This commit changes it to work in both cases.
Change-Id: Ib13c33f38b611a38525d2803474b4ae1e05413f7
Our wheel mirrors contain pluggy-1.0.0-py2.py3-none-any.whl which pip
sees as a sign to install it under py2.7 although the wheel is only
meant for >=py3.6. Add a cap to the test command to install some older
version instead.
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I32d2c29988f92124e7dcdf462b2dd07cfd68b4d2
I think this package is technically optional because you can run as
non-root without it. But since this is a generic role that is just
supposed to give you a working podman, include it.
Somehow we forgot to remove the podman centos-8 (not stream) job in
previous cleanups; remove it here.
Change-Id: I0a87545d29a5ea49a2d9d98c09467c89e7232d4b
I74b9de7092f182c942a58ac7a46b9fbd791889de hit a common ansible gotcha
where it likes to strip the trailing newline after a {% endif %}.
This has resulted in invalid lines in our sources.list.
Unfortunately we miss this because it still exits with 0. Add a
simple test looking for warning output.
Change-Id: I46d393a5e67d10a52c4dcca803176ff368a4b5bd
If a key is in our existing keyring has an expiry date (or, has
expired), always import the provided value again as it may be
refreshing the value.
Add an expiring key to test the matching; although on an ephemeral
node we're importing always anyway.
Also update the file test to a stat -- this is better than a weird
error from gpg later.
Change-Id: I8e7bc38c68c224795630b90a1b989098a7661491
This commit adds the patch package to the list of python build
dependencies for pyenv. This is not always necessary, but some python
versions (for example 3.7.12) require a patch to be applied before
installing and the process fails if the patch package is not installed.
Change-Id: I605fc1c9255e98692a6a901cfc509b7fdb873ae1
Out-of-the-box installs of centos-8 do not enable the PowerTools
or HighAvailability repositories. Debian/Ubuntu do not enable
the backports repository by default.
Having these repos enabled by default in CI has led to merging
broken code for OpenStack deployment tooling which is attempting
to also manage the presence/absence of these repositories. It
is challenging to remove these repositories on the running node
because the repo URL (rather than just the name) is required as
input to the apt_repository and yum_repository ansible modules.
This patch adds a role default variable to configure-mirrors to
allow a job to opt out of these extra repositories. The default
is set to 'True' to allow existing jobs to work as before.
Change-Id: I74b9de7092f182c942a58ac7a46b9fbd791889de
This commit introduces a conditional for RPM package name
when running on a recent CentOS/RHEL system.
Change-Id: I716cc97a8dace02c874d2e39dc90d6a42808ebf6
Change I98c3da5b02a4ac7fb9d7bd8e00170762e77b9f40 caused a regression,
because previously virtualenv would be pulling the latest pip, whereas
"pip -m venv" is using the system-vendored pip, which is older.
Upgrade pip to the latest in the sphinx environment to maintain the
status-quo.
Change-Id: I1004c2727379f73eafc8b32a3e14842200ad342c
It looks like 9-stream don't want to support virtualenv. Fail the
ensure-virtualenv role on this platform, and account for this in
testing.
People should use ensure-pip and venv which is portable everywhere.
Change-Id: Ifae93c1eeb96792aa26a624574d595d77cb58c4b
All our platforms are Python 3 now, so we can simplify this. We can
remove the virtualenv dependency as ensure-pip installs venv and sets
variables for us to use it when making a virtualenv.
Change-Id: I98c3da5b02a4ac7fb9d7bd8e00170762e77b9f40
Recent release of pip removed support for Python 3.6 [1]
Configure default url for pip, depending on supported
Python version.
[1]: https://pip.pypa.io/en/stable/news/#v22-0
Change-Id: I01faeba1dff864de31b3bbf9ddbe0a4d454fdbe9
After removing Centos 8 repositories [1], the repository has been
set to buildlogs server, which provides testing packages.
This commit is switching back repository to mirror.centos.org once we
have openvswitch in centos network and AFS mirrors.
[1] https://www.centos.org/centos-linux-eol/
Change-Id: I6e0dd26312c593a5c7fe5525a733be8e26faec9d
CentOS Linux 8 repos have been removed from centos mirrors. We were
using that repo to install OVS in multi-node from train repo.
This patch is moving multi-node rolo to install ovs from the RDO testing
repo for train until we have it pushed to the official mirrors for CS8.
Change-Id: Id57e8e90903a0d468c6d3094fbbaf4840a368e2a
on RHEL-9 there is no iptables package, we need to install
iptables-nft package here.
In CentOS Stream-9 and Fedora-34 onwards iptables-nft package
is available.[1]
But we also need to support other distros, so we are introducing
iptables_packages var and distro specific var files (having different
name) for installing iptables package.
[1]. https://pkgs.org/download/iptables-nft
Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
Change-Id: I8d5d3182996fc1e83b7f4f7eb99cf4c347d6ef1f
This commit extends the installation of Python interpreter
from system packages to also support RPM packages (assuming
the playbook is run in an environment with proper repositories).
Also the obsolete note about supporting only Debian distribution
is removed, as the `ensure-python` role already supports other
platforms (via pyenv and stow).
Change-Id: Id6ef8ec3537952348e0a7b233bd26b57613da327
CentOS 8 EOL'd at the end of 2021. OpenDev is beginning the process of
removing the image and starting with some job cleanups like the job
cleanups in this change. Users can use CentOS 8 Stream or some other
RHEL alike.
Change-Id: I9dab417b28a0503e1409e70953ed275f2c6f8c30
Older ansible-lint didn't pin the 'rich' dep and that dep updated and
broke ansible-lint. Newer ansible-lint fixed this. Update ansible-lint
to get around this problem.
Change-Id: Ic798398ab68239d4f13cb806a92038fd4946d25a
To match change I2870450ffd02f55509fcc1297d050b09deafbfb9 in Zuul.
This does not use the versioning feature due to the nature of this repo.
This also corrects a reference which is now an error.
Change-Id: Ia1d31df932b447f11bc588925de9974d4f6dfc7d
When processing subunit streams we attempt to discover where the
(s)testr commands are located. For some reason the output of our scripts
that do this very occasionally emit a newline before the command path.
When this happens we were using the blank line as the command path which
fails as that empty command results in our command arguments being
interpreted as the command path.
Attempt to address this by trimming the stdout instead of taking the
first line. This should remove the leading and trailing newlines and
give us only the command itself.
Change-Id: Id651e019cf3d0b7ab37fdf9df04be249ea7f7af6
OpenDev doesn't currently have an image built for tumblweed. Rather than
try and fix this image up and get it running again OpenDev has proposed
it simply be removed. In preparation for that and to avoid running jobs
for a system that doesn't currently have an image we remove the jobs
here.
It was hoped that tumbleweed would be a good forward looking platform
but it seems to need a lot more care than we are able to give it.
Additionally Zuul is probably the major consumer of the platform and it
doesn't see much consumption by other projects.
Change-Id: Iad351b6da1f08183bc4c49c049c303a9491af844
This reverts commit 10ee6ebf016fa00c9eb8cd15a09832982b08fe48.
Reason for revert: log url get broken
Change-Id: Ifb8db77c2534a92bbb19fde1bfbf31562ed04daf