diff --git a/.gitignore b/.gitignore index eee7758..6cf1566 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ __pycache__/ .molecule/ *.pyc +.vscode diff --git a/.travis.yml b/.travis.yml index d434b0b..5a6e44c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,4 @@ --- -# Travis template for an EGI-styled role language: python python: - '2.7' @@ -8,17 +7,15 @@ services: - docker env: global: - md_ignore: R1 # Which markdownlint rules to ignore + - md_ignore: R1 + - secure: lybPFj+6L9iy5n7FAZY07jQ3Ni+kN8SsnQ3n47AjS3onfIT7/DHWcpu8dt2Lq3vXw1y+ezI/mONxOHyq9X0M08d28JXVIRNdzZ+FuNnw0bonD/F84ENVUxN+TNQ78q9vhp1HbnV14uf9mANGqNns08Qx5qO3FRqtdj4Httn9XBku6FWxPBWAKxNwpwNR0EWm+PBptzKsPrttpOPZyXB+hJvyc/9TkfLi2Dg1kO8M2W0lU+YF4RkHZcNY6nnf+m+jHeizpsXpmZ78lpplbkmvaJIfpyBig1QelV8e5z12l7AohB3FBwWfBbF8eT0nE1MC4MvhJj4r1Cy1jIdDJ4mlAj8wE7enz/nyAPmHAeYN3Rg+kj3/MuktvSW6CDZyLZ+QiqhZv4ZdfM6dDl3sTdPePSiPmr8Nk2RJXVEbKLGLo/IBX4lUifteGxtFLBewPa5eiKkK7LxGNHMzeJSpJvnwMAvtMJjlq7OWh0AmTPW6m1bHvY5OaMcD3Ycs0i/38SR6NZnNRCCLAsyp9Ur3KuB9+hfL73C3ZfQTzpcX9hIxew+sNuNPI25RWCQJg8GPajmGleKDOdTMbwvcrAUi8/awwW2bPjzeAL/acrhQRHNoDMQMjE8qPju7JPel5RNah4BYUTXSXw6u7YyCKHMYJiw7Sz0Rf6eL3sO1sLpBatyIk1Y= matrix: - SCENARIO='default' before_install: install: - - pip install -r requirements.txt # The packages necessary for running the tests. + - pip install -r requirements.txt before_script: - - > # Lint all the markdown files - for file in `find . -maxdepth 2 -name "*.md"` ; do - markdownlint --ignore $md_ignore $file ; - done + - for file in `find . -maxdepth 2 -name "*.md"` ; do markdownlint --ignore $md_ignore $file ; done script: - molecule lint -s $SCENARIO - molecule dependency -s $SCENARIO 
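Review bot: The new `secure:` entry under `env.global` gives no indication of which variable it decrypts to, and this hunk also strips the explanatory comments the file used to carry. Presumably it is the `QUAY_PASSWORD` used by the `docker login` step added further down in this file. A one-line comment above it, `# QUAY_PASSWORD for the quay.io robot account (created with travis encrypt)`, would let a maintainer rotate or revoke the credential without guessing. Separately, `md_ignore` changes from a mapping key to a list item holding a mapping (`- md_ignore: R1`); confirm Travis still exports it as `$md_ignore`, since the markdownlint loop depends on it, or write it as `- md_ignore=R1`.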
@@ -28,14 +25,15 @@ script: - molecule verify -s $SCENARIO - cd $TRAVIS_BUILD_DIR after_success: + - docker commit `docker ps |grep "centos:7" |awk {'print $1'}` quay.io/egi/wn + - docker login -u="egi+packerbot" -p="$QUAY_PASSWORD" quay.io + - docker push quay.io/egi/wn after_failure: before_deploy: deploy: after_deploy: after_script: -# Add your notifications here. -# Use travis encrypt to add api tokens. notifications: - # slack: - # secure: - webhooks: "https://galaxy.ansible.com/api/v1/notifications/" + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + slack: + secure: 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 diff --git a/AUTHORS.md b/AUTHORS.md index c0d9182..c19fb66 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -2,3 +2,7 @@ - Bruce Becker @brucellino - Baptiste Grenier @gwarf + +# Contributors + +- Maarten Litmaath (@maarten-litmaath) (Reviewer) \ No newline at end of file diff --git a/README.md b/README.md index b975cc0..15179b8 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,8 @@ -# Ansible Worker Node Provisioning role +# Ansible Worker Node Provisioning role [![Build Status](https://travis-ci.org/EGI-Foundation/ansible-role-wn.svg?branch=master)](https://travis-ci.org/EGI-Foundation/ansible-role-wn) [![Maintainability](https://api.codeclimate.com/v1/badges/d6a249676a9d0a1894aa/maintainability)](https://codeclimate.com/github/EGI-Foundation/ansible-role-wn/maintainability) + This is an Ansible role for the provisioning of a UMD worker node. -It ensures that the relevant repositories are installed and configured. +It ensures that the relevant repositories are installed and configured and that the worker-node metapackage is installed. ## Requirements @@ -16,6 +17,7 @@ None yet. This role uses the following roles as dependencies: - EGI-Foundation.umd +- EGI-Foundation.voms-client ## Example Playbook 
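Review bot: The `docker login` line added to `after_success` passes the registry password as a `-p` argument, which puts it on the process command line; `echo "$QUAY_PASSWORD" | docker login -u="egi+packerbot" --password-stdin quay.io` avoids that. The three added steps also run after every successful build, so any branch build that has the secure variable can overwrite the untagged `quay.io/egi/wn` image. Guarding them with `[ "$TRAVIS_PULL_REQUEST" = "false" ] && [ "$TRAVIS_BRANCH" = "master" ]` would restrict publishing to the main line. The published image comes from `docker commit` of whichever running container matches `grep "centos:7"`, which is the molecule test instance after converge and verify, so whatever the test run left in it gets published. Selecting the container by its molecule name (`wn-centos7`) would at least make that choice deterministic.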
@@ -23,6 +25,7 @@ This role uses the following roles as dependencies: - hosts: worker-nodes roles: - { role: EGI-Foundation.umd, release: 4} + - { role: EGI-Foundation.voms-client } - { role: EGI-foundation.wn } ``` diff --git a/defaults/main.yml b/defaults/main.yml index 9bc7ecd..f8238ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,3 +6,12 @@ metapackage: name: emi-wn '7': name: wn + +prerequisites: + redhat: + '6': + - ntpdate + - ntp + '7': + - ntpdate + - ntp diff --git a/molecule/default/list-redhat-6.txt b/molecule/default/list-redhat-6.txt new file mode 100644 index 0000000..aa0b0a9 --- /dev/null +++ b/molecule/default/list-redhat-6.txt @@ -0,0 +1,66 @@ +a1_grid_env +c-ares +cleanup-grid-accounts +dcache-srmclient +dcap +dcap-devel +dcap-libs +dcap-tunnel-gsi +dcap-tunnel-krb +dcap-tunnel-ssl +dcap-tunnel-telnet +dpm +dpm-devel +dpm-libs +dpm-perl +dpm-python +emi-version +emi.amga.amga-cli +emi.saga-adapter.context-cpp +emi.saga-adapter.isn-cpp +emi.saga-adapter.sd-cpp +fetch-crl +gfal +gfal-python +gfal2-all +gfal2-devel +gfal2-doc +gfal2-python +gfal2-util +gfalFS +ginfo +glite-jobid-api-c +glite-lb-client +glite-lb-client-progs +glite-lb-common +glite-lbjp-common-gss +glite-lbjp-common-trio +glite-service-discovery-api-c +glite-wms-brokerinfo-access +glite-wn-info +glite-yaim-clients +glite-yaim-core +globus-gass-copy-progs +globus-proxy-utils +gridsite-libs +jclassads +lcg-info +lcg-infosites +lcg-ManageVOTag +lcg-tags +lcg-util +lcg-util-libs +lcg-util-python +lcgdm-devel +lcgdm-devel(x86-32) +lcgdm-libs +lfc +lfc-devel +lfc-libs +lfc-perl +lfc-python +openldap-clients +python-ldap +uberftp +voms-clients3 +voms-devel \ No newline at end of file diff --git a/molecule/default/list-redhat-7.txt b/molecule/default/list-redhat-7.txt new file mode 100644 index 0000000..65f1b22 --- /dev/null +++ b/molecule/default/list-redhat-7.txt 
@@ -0,0 +1,42 @@
+c-ares
+cleanup-grid-accounts
+cvmfs
+dcache-srmclient
+dcap
+dcap-devel
+dcap-libs
+dcap-tunnel-gsi
+dcap-tunnel-krb
+dcap-tunnel-ssl
+dcap-tunnel-telnet
+dpm
+dpm-devel
+dpm-perl
+dpm-python
+fetch-crl
+gfal2-all
+gfal2-python
+gfal2-util
+gfalFS
+gfal2-all
+gfal2-doc
+gfal2-devel
+ginfo
+lcg-info
+lcg-ManageVOTag
+lcg-tags
+lcgdm-devel
+globus-gass-copy-progs
+globus-proxy-utils
+glite-yaim-core
+gridsite-libs
+lcg-infosites
+lfc
+lfc-devel
+lfc-perl
+openldap-clients
+python-ldap
+uberftp
+voms-clients-java
+voms-devel
+xrootd-client
\ No newline at end of file
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index b4b6aef..ccda95f 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -6,9 +6,9 @@ driver:
 lint:
 name: yamllint
 platforms:
- - name: centos7
+ - name: wn-centos7
 image: centos:7
- - name: centos6
+ - name: wn-centos6
 image: centos:6
 provisioner:
 name: ansible
diff --git a/molecule/default/packages-redhat-6.txt b/molecule/default/packages-redhat-6.txt
new file mode 100644
index 0000000..a698027
--- /dev/null
+++ b/molecule/default/packages-redhat-6.txt
@@ -0,0 +1,26 @@
+a1_grid_env
+libdpm
+emi-version
+emi.amga.amga-cli
+emi.saga-adapter.context-cpp
+emi.saga-adapter.isn-cpp
+emi.saga-adapter.sd-cpp
+gfal
+gfal-python
+glite-jobid-api-c
+glite-lb-client
+glite-lb-common
+glite-lb-client-progs
+glite-lbjp-common-gss
+glite-lbjp-common-trio
+glite-service-discovery-api-c
+glite-wms-brokerinfo-access
+glite-wn-info
+glite-yaim-clients
+jclassads
+lcgdm-devel
+lcgdm-libs
+lcg-util
+liblfc
+lcg-util-libs
+lcg-util-python
\ No newline at end of file
diff --git a/molecule/default/packages-redhat-7.txt b/molecule/default/packages-redhat-7.txt
new file mode 100644
index 0000000..82c7c3b
--- /dev/null
+++ b/molecule/default/packages-redhat-7.txt
@@ -0,0 +1,44 @@
+c-ares
+cleanup-grid-accounts
+cvmfs
+dcache-srmclient
+dcap
+dcap-devel
+dcap-libs
+dcap-tunnel-gsi
+dcap-tunnel-krb
+dcap-tunnel-ssl
+dcap-tunnel-telnet
+dpm
+dpm-libs
+dpm-devel
+dpm-perl
+dpm-python
+fetch-crl
+gfal2-all
+gfal2-python
+gfal2-util
+gfalFS
+gfal2-all
+gfal2-doc
+gfal2-devel
+ginfo
+lcg-info
+lcg-ManageVOTag
+lcg-tags
+lcgdm-devel
+globus-gass-copy-progs
+globus-proxy-utils
+glite-yaim-core
+gridsite-libs
+lcg-infosites
+lfc
+lfc-devel
+lfc-perl
+lfc-libs
+openldap-clients
+python-ldap
+uberftp
+voms-clients-java
+voms-devel
+xrootd-client
\ No newline at end of file
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
index 14cc18c..ced523c 100644
--- a/molecule/default/playbook.yml
+++ b/molecule/default/playbook.yml
@@ -2,5 +2,6 @@
 - name: Converge
 hosts: all
 roles:
- - {role: brucellino.umd, release: 4}
- - role: ansible-role-wn
+ - {role: EGI-Foundation.umd, release: 4, tags: "UMD" }
+ - {role: EGI-Foundation.voms-client, tags: "VOMS" }
+ - {role: ansible-role-wn, tags: "wn"}
diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
index d9215fb..8ae9ea7 100644
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -1,2 +1,3 @@
 ---
-- brucellino.umd
+- EGI-Foundation.umd
+- EGI-Foundation.voms-client
diff --git a/molecule/default/tests/test_QC_DIST.py b/molecule/default/tests/test_QC_DIST.py
new file mode 100644
index 0000000..52d576c
--- /dev/null
+++ b/molecule/default/tests/test_QC_DIST.py
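Review bot: Both Galaxy roles in `molecule/default/requirements.yml` are listed without a version, so each CI run installs whatever release is current at that moment. Because the same pipeline now commits and pushes the converged container to quay.io, an unexpected upstream change to either role ends up in the published image. Pinning them, for example `- src: EGI-Foundation.umd` with `version: <ROLE_VERSION>` (placeholder), makes the build reproducible. The `docker` and `jmespath` lines added to `requirements.txt` further down are unpinned in the same way.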
@@ -0,0 +1,35 @@
+import os
+import testinfra.utils.ansible_runner
+import pytest
+# See http://egi-qc.github.io/#INSTALLATION
+# Packages must install without issues in a machine configured without any
+# external repositories (valid repositories are the standard OS repo, UMD repo
+# and EPEL repo for RH based distros)
+# Packages must follow the OS policies (name of packages, use of filesystem
+# hierarchy, init scripts, ...). For any detected issue, open a ticket.
+# Packages must be signed (or the repository where they are fetched from is
+# signed for Debian-based distros)
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def packages(distro, release):
+ listfile_name = "list-" + distro + '-' + release + ".txt"
+ listfile = open(listfile_name, "r")
+ packages = listfile.read().splitlines()
+ return packages
+
+
+@pytest.mark.parametrize("pkg", packages("redhat", "6"))
+def test_packages6(host, pkg):
+ if (host.system_info.distribution == 'redhat' and
+ host.system_info.distribution.release.startswith(6)):
+ assert host.package(pkg).is_installed
+
+
+@pytest.mark.parametrize("pkg", packages("redhat", "7"))
+def test_packages7(host, pkg):
+ if (host.system_info.distribution == "redhat" and
+ host.system_info.distribution.release.startswith(7)):
+ assert host.package(pkg).is_installed
diff --git a/molecule/default/tests/test_package_vunls.py b/molecule/default/tests/test_package_vunls.py
new file mode 100644
index 0000000..0d09bd0
--- /dev/null
+++ b/molecule/default/tests/test_package_vunls.py
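Review bot: The guard in `test_packages6` and `test_packages7` is not expected to ever be true, so every parametrized case passes without checking a package. The molecule platforms are `centos:6` and `centos:7`, for which testinfra should report the distribution as `centos` rather than `redhat`. Beyond that, `host.system_info.distribution` is a string with no `.release` attribute, and `startswith(6)` is given an integer where a string is required. Skipping explicitly on a release mismatch keeps a non-matching host visible in the report instead of counting it as a pass. `packages()` also opens the list file relative to the working directory and never closes it; the sketch below resolves the path from `__file__` and uses `with` (the `..` assumes the lists stay one directory above `tests/`).

```python
def packages(distro, release):
    listfile_name = os.path.join(
        os.path.dirname(__file__), "..",
        "list-" + distro + "-" + release + ".txt")
    with open(listfile_name, "r") as listfile:
        return listfile.read().splitlines()


@pytest.mark.parametrize("pkg", packages("redhat", "6"))
def test_packages6(host, pkg):
    if not host.system_info.release.startswith("6"):
        pytest.skip("not an EL6 host")
    assert host.package(pkg).is_installed

# … test_packages7: same guard with "7" …
```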
@@ -0,0 +1,18 @@
+import os
+import testinfra.utils.ansible_runner
+import pytest
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+# The vulnerability scanner on Quay gives us intelligence on which
+# vulnerabilities are exposed by packages included in these images.
+# We therefore keep track of those and test to see whether the installed
+# version is greater than the one reported as fixing the vulnerability
+
+
+@pytest.mark.parametrize('name,version', [
+ ("gnupg2", "2.0.22-5.el7_5"),
+ ("python", "2.7.5-69.el7_5"),
+ ("python-libs", "2.7.5-69.el7_5")])
+def test_vulnerable_packages(host, name, version):
+ p = host.package(name)
+ assert p.release >= version
diff --git a/molecule/default/tests/test_packages.py b/molecule/default/tests/test_packages.py
deleted file mode 100644
index cee1457..0000000
--- a/molecule/default/tests/test_packages.py
+++ /dev/null
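Review bot: The assertion `p.release >= version` in `test_vulnerable_packages` does not compare what the comment above it describes. testinfra's `release` is only the RPM release field, while the parameters are full `version-release` strings such as `2.0.22-5.el7_5`, and `>=` on two strings is lexicographic. A release like `69.el7_5` sorts after `2.7.5-69.el7_5` on its first character, so the check is expected to pass whatever build is installed. Compare `p.version + "-" + p.release` against the fixed build with an RPM-aware ordering (for instance `rpm.labelCompare` from the rpm Python bindings, if they are available where the tests run) rather than string order. The el7 builds are also asserted on the `wn-centos6` platform, so the test needs a release guard or per-release values.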
@@ -1,93 +0,0 @@ -import os -import pytest -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -@pytest.mark.parametrize("name", [ - "c-ares", - "cleanup-grid-accounts", - "cvmfs", - "dcache-srmclient", - "dcap", - "dcap-devel", - "dcap-libs", - "dcap-tunnel-gsi", - "dcap-tunnel-krb", - "dcap-tunnel-ssl", - "dcap-tunnel-telnet", - "dpm", - "dpm-libs", - "dpm-devel", - "dpm-perl", - "dpm-python", - "fetch-crl", - "gfal2-all", - "gfal2-python", - "gfal2-util", - "gfalFS", - "gfal2-all", - "gfal2-doc", - "gfal2-devel", - "ginfo", - "lcg-info", - "lcg-ManageVOTag", - "lcg-tags", - "lcgdm-devel", - "globus-gass-copy-progs", - "globus-proxy-utils", - "glite-yaim-core", - "gridsite-libs", - "lcg-infosites", - "lfc", - "lfc-devel", - "lfc-perl", - "lfc-libs", - "openldap-clients", - "python-ldap", - "uberftp", - "voms-clients-java", - "voms-devel", - "xrootd-client"]) -def test_dependencies_centos7(host, name): - if (host.system_info.distribution == 'redhat' and - host.system_info.distribution.release.startswith(7)): - p = host.package(name) - assert p.is_installed - - -@pytest.mark.parametrize("name", [ - "a1_grid_env", - "libdpm.so.1", - "emi-version", - "emi.amga.amga-cli", - "emi.saga-adapter.context-cpp", - "emi.saga-adapter.isn-cpp", - "emi.saga-adapter.sd-cpp", - "gfal", - "gfal-python", - "glite-jobid-api-c", - "glite-lb-client", - "glite-lb-common", - "glite-lb-client-progs", - "glite-lbjp-common-gss", - "glite-lbjp-common-trio", - "glite-service-discovery-api-c", - "glite-wms-brokerinfo-access", - "glite-wn-info", - "glite-yaim-clients", - "jclassads", - "lcgdm-devel", - "lcgdm-libs", - "lcg-util", - "liblfc.so.1", - "lcg-util-libs", - "lcg-util-python" -]) -def test_dependencies_centos6(host, name): - if (host.system_info.distribution == 'redhat' and - host.system_info.distribution.release.startswith(6)): - p = host.package(name) - assert 
p.is_installed diff --git a/requirements.txt b/requirements.txt index b1a93d4..4937d79 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ molecule pymarkdownlint -docker-py \ No newline at end of file +docker +jmespath \ No newline at end of file diff --git a/tasks/install.yml b/tasks/install.yml new file mode 100644 index 0000000..4da63d2 --- /dev/null +++ b/tasks/install.yml @@ -0,0 +1,12 @@ +--- +# package install tasks for WN +- name: Ensure wn package is present + package: + name: "{{ metapackage[ansible_os_family|lower][ansible_distribution_major_version]['name']}}" + state: present + +- name: Ensure other packages are present + package: + name: "{{ item }}" + state: present + loop: "{{ prerequisites[ansible_os_family | lower ][ansible_distribution_major_version]}}" diff --git a/tasks/main.yml b/tasks/main.yml index be5067b..1aafa92 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,4 @@ --- # tasks file for ansible-wn-role -- name: Ensure wn package is present - package: - name: "{{ metapackage[ansible_os_family|lower][ansible_distribution_major_version]['name']}}" - state: present +- import_tasks: install.yml +# Add grid accounts
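Review bot: In `tasks/install.yml` the second task indexes `prerequisites[ansible_os_family | lower][ansible_distribution_major_version]` with no fallback, so a host outside RedHat 6/7 is expected to fail with an undefined-variable error rather than a clear message. Adding `| default([])` to the lookup, or a preceding `assert` task that names the supported platforms, would make that failure mode explicit. The `package` module also accepts a list for `name`, so passing the list directly without `loop` would install the prerequisites in a single transaction.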