298354d2e3
There are a number of updates we make for Ubuntu Noble in this commit.
1. Remove python2-dev from bindep for Noble as Noble appears to have no
python2 runtime options.
2. Add libjpeg-dev to bindep for noble because Pillow doesn't build
python3.12 wheels for Pillow<10 which we currently depend on. This
means we need to build from source and that depends on libjpeg-dev.
3. We remove double bracket wrappers from ansible vars in ansible
assertion blocks. Having them results in errors like:
Conditional is marked as unsafe, and cannot be evaluated.
4. We update rust testing to explicitly install pkg-config before
building python cryptography. This tool is required to build
cryptography from source and is no longer being pulled in either
by the base images or build-essential meta pacakge.
5. Add an Ubuntu-24.04 tasks file for the ensure-skopeo roles so that
we try to install skopeo using distro packages or build from source
and don't use Kubic which only has packages for old Ubuntu releases.
Change-Id: I388710ce40dc757ada4de819a9c3c59fc32fb07a
45 lines
1.5 KiB
YAML
45 lines
1.5 KiB
YAML
- name: Test the multi-node-firewall role
|
|
hosts: all
|
|
roles:
|
|
- multi-node-firewall
|
|
post_tasks:
|
|
- name: switch and peer nodes should be in the ipv4 firewall
|
|
become: yes
|
|
command: iptables-save
|
|
changed_when: false
|
|
failed_when: false
|
|
register: iptables_rules
|
|
|
|
- name: Validate ipv4 private firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s ' + hostvars[item]['nodepool']['private_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
when:
|
|
- hostvars[item]['nodepool']['private_ipv4']
|
|
|
|
- name: Validate ipv4 public firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
when:
|
|
- hostvars[item]['nodepool']['public_ipv4']
|
|
|
|
# ipv6_addresses is set by the multi-node-firewall role
|
|
- name: check ipv6_addresses
|
|
when: ipv6_addresses | length > 0
|
|
block:
|
|
- name: switch and peer nodes should be in the ipv6 firewall
|
|
become: yes
|
|
command: ip6tables-save
|
|
changed_when: false
|
|
failed_when: false
|
|
register: ip6tables_rules
|
|
|
|
- name: Validate ipv6 firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv6'] + '/128 -j ACCEPT' in ip6tables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|