Add ansible-lint CI #1368

wants to merge 18 commits into
base: stackhpc/2024.1
7 changes: 7 additions & 0 deletions .ansible-lint-ignore
@@ -0,0 +1,7 @@
# This file contains ignores rule violations for ansible-lint
etc/kayobe/ansible/vault-deploy-barbican.yml fqcn[action-core]
etc/kayobe/ansible/vault-generate-backend-tls.yml fqcn[action-core]
etc/kayobe/ansible/vault-generate-internal-tls.yml fqcn[action-core]
etc/kayobe/ansible/vault-generate-test-external-tls.yml fqcn[action-core]
etc/kayobe/ansible/rabbitmq-reset.yml command-instead-of-module
etc/kayobe/ansible/ubuntu-upgrade.yml syntax-check[missing-file]
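Review bot: None of the ignore entries says why the finding is accepted, so a later reader cannot tell whether `syntax-check[missing-file]` on etc/kayobe/ansible/ubuntu-upgrade.yml or `command-instead-of-module` on rabbitmq-reset.yml are deliberate exceptions or work still to do; ansible-lint ignore files accept `#` comment lines, so each entry should carry a one-line reason, and the four vault playbooks' `fqcn[action-core]` entries presumably share one. The header comment also reads awkwardly; I'd write `# Rule violations ignored by ansible-lint. Each entry should state why it is accepted.` Entries here suppress findings indefinitely, so they are worth re-checking whenever the ansible-lint version in CI moves, which the unpinned `pip install ansible-lint` in the workflow will do silently.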
37 changes: 37 additions & 0 deletions .github/workflows/stackhpc-pull-request.yml
Expand Up @@ -61,6 +61,43 @@ jobs:
- name: Run Tox ${{ matrix.environment }} 🧪
run: tox -e ${{ matrix.environment }}

lint:
runs-on: ubuntu-22.04
permissions: {}
strategy:
fail-fast: false
matrix:
include:
# NOTE(upgrade): Keep these in sync with Kayobe's supported Ansible and Python versions (see release notes).
- ansible: "2.16"
python: "3.12"
- ansible: "2.15"
python: "3.10"
name: Ansible ${{ matrix.ansible }} lint with Python ${{ matrix.python }}
if: github.repository == 'stackhpc/stackhpc-kayobe-config'
steps:
- name: GitHub Checkout 🛎
uses: actions/checkout@v3

- name: Setup Python ${{ matrix.python-version }} 🐍
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python }}

- name: Install dependencies 📦
run: |
python -m pip install --upgrade pip
pip install ansible-core==${{ matrix.ansible }}.* ansible-lint -r requirements.txt

- name: Install Ansible Galaxy collections and roles
run: |
ansible-galaxy collection install -r etc/kayobe/ansible/requirements.yml
ansible-galaxy role install -r etc/kayobe/ansible/requirements.yml

- name: Linting code 🧪
run: |
ansible-lint -v --force-color -x no-changed-when,risky-file-permissions,run-once,name[template],package-latest,yaml,role-name[path] etc/kayobe/ansible/.

# A skipped job is treated as success when used as a required status check.
# The registered required status checks refer to the name of the job in the
# called reusable workflow rather than the jobs in this file. The following
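Review bot: The `Setup Python` step name references `${{ matrix.python-version }}`, but the matrix defines `python` (used correctly in `python-version: ${{ matrix.python }}` two lines below), so the step title renders with an empty version; change it to `- name: Setup Python ${{ matrix.python }} 🐍`. On the same job, `actions/checkout@v3` and `actions/setup-python@v4` are referenced by mutable tags; `permissions: {}` keeps the blast radius small, but pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening for a job that runs on every pull request. The `-x` list on the lint step disables `risky-file-permissions` for the whole tree, which is the rule that catches files created without an explicit `mode`; if that is a temporary measure it deserves a comment above the step, otherwise consider fixing those findings and dropping it from the list.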
24 changes: 12 additions & 12 deletions etc/kayobe/ansible/advise-run.yml
@@ -1,47 +1,47 @@
---
- name: ADVise run
hosts: localhost
gather_facts: no
gather_facts: false
tags:
- advise
vars:
venv: "~/venvs/advise-review"
venv: ~/venvs/advise-review
input_dir: "{{ lookup('env', 'PWD') }}/overcloud-introspection-data"
output_dir: "{{ lookup('env', 'PWD') }}/review"
advise_pattern: ".*.eval" # Uses regex
advise_pattern: .*.eval # Uses regex
tasks:
- name: Install dependencies
pip:
ansible.builtin.pip:
virtualenv: "{{ venv }}"
name:
- git+https://github.com/stackhpc/ADVise
state: latest
virtualenv_command: "python3 -m venv"
virtualenv_command: python3 -m venv

- name: Create data directory
file:
path: '{{ output_dir }}/data'
ansible.builtin.file:
path: "{{ output_dir }}/data"
state: directory

- name: Extract data
shell:
ansible.builtin.shell:
cmd: >
{{ venv }}/bin/m2-extract {{ input_dir }}/*.json --output_dir {{ output_dir }}/data
- name: Create review directory
file:
path: '{{ output_dir }}/results'
ansible.builtin.file:
path: "{{ output_dir }}/results"
state: directory

- name: Process data
shell:
ansible.builtin.shell:
cmd: >
{{ venv }}/bin/advise-process
-I ipmi
-p '{{ output_dir }}/data/extra-hardware/{{ advise_pattern }}'
-o '{{ output_dir }}'
- name: Visualise data
command: >
ansible.builtin.command: >
{{ venv }}/bin/advise-visualise
--output_dir '{{ output_dir }}'
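Review bot: The `Install dependencies` task installs `git+https://github.com/stackhpc/ADVise` with `state: latest` and no `@<ref>`, so every run resolves whatever the default branch points at when it runs; pinning a tag or commit (`- git+https://github.com/stackhpc/ADVise@<tag-or-sha>`) makes the playbook reproducible, and the `package-latest` exclusion in CI currently hides this. The two `ansible.builtin.shell` tasks (Extract data, Process data) have no `changed_when`, so they always report changed and are only lint-clean because the workflow excludes `no-changed-when`; as one-shot processing commands, `changed_when: true` states the intent honestly. The diffstat reports 12/12 changes but the visible hunk accounts for fewer, so part of this file may continue past what is shown.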
13 changes: 7 additions & 6 deletions etc/kayobe/ansible/build-ofed-rocky.yml
Expand Up @@ -6,8 +6,8 @@
tasks:
- name: Check whether noexec is enabled for /var/tmp
ansible.builtin.lineinfile:
path: "/etc/fstab"
regexp: "noexec"
path: /etc/fstab
regexp: noexec
state: absent
changed_when: false
check_mode: true
Expand Down Expand Up @@ -42,7 +42,8 @@

- name: Add DOCA host repository package
ansible.builtin.dnf:
name: https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_{{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm
name: "https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_\
{{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm"
disable_gpg_check: true

- name: Install DOCA extra packages
Expand All @@ -53,13 +54,13 @@
ansible.builtin.file:
path: /home/cloud-user/ofed
state: directory
mode: 0777
mode: "0777"

- name: Set build directory
ansible.builtin.replace:
path: /opt/mellanox/doca/tools/doca-kernel-support
regexp: 'TMP_DIR=\$1'
replace: 'TMP_DIR=/home/cloud-user/ofed'
regexp: TMP_DIR=\$1
replace: TMP_DIR=/home/cloud-user/ofed

- name: Build OFED kernel modules
ansible.builtin.shell:
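Review bot: The `Add DOCA host repository package` task still installs an RPM fetched straight from a URL with `disable_gpg_check: true`, so nothing verifies what was downloaded; the reformatting of the URL into a double-quoted continuation keeps that as is. A safer shape is to fetch it with `ansible.builtin.get_url` using `checksum: sha256:<expected-digest>` and pass the local path to `ansible.builtin.dnf`, or to import the vendor signing key and drop the flag. Separately, quoting `mode: "0777"` fixes the octal-parsing trap but the build directory remains world-writable; `mode: "0755"` is likely enough for a directory under /home/cloud-user — confirm nothing else needs to write there. The enclosing play starts before the first hunk and the last task runs past the end of it.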
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-commands-post.yml
Expand Up @@ -7,7 +7,8 @@
- cephadm
- cephadm-commands
tasks:
- import_role:
- name: Apply Cephadm role
ansible.builtin.import_role:
name: stackhpc.cephadm.commands
vars:
cephadm_commands: "{{ cephadm_commands_post | default([]) }}"
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-commands-pre.yml
Expand Up @@ -7,7 +7,8 @@
- cephadm
- cephadm-commands
tasks:
- import_role:
- name: Apply Cephadm role
ansible.builtin.import_role:
name: stackhpc.cephadm.commands
vars:
cephadm_commands: "{{ cephadm_commands_pre | default([]) }}"
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-crush-rules.yml
Expand Up @@ -7,5 +7,6 @@
- cephadm
- cephadm-crush-rules
tasks:
- import_role:
- name: Apply Cephadm crush rule role
ansible.builtin.import_role:
name: stackhpc.cephadm.crush_rules
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-deploy.yml
Expand Up @@ -7,5 +7,6 @@
- cephadm
- cephadm-deploy
tasks:
- import_role:
- name: Apply Cephadm role
ansible.builtin.import_role:
name: stackhpc.cephadm.cephadm
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-ec-profiles.yml
Expand Up @@ -7,5 +7,6 @@
- cephadm
- cephadm-ec-profiles
tasks:
- import_role:
- name: Apply Cephadm EC profiles role
ansible.builtin.import_role:
name: stackhpc.cephadm.ec_profiles
10 changes: 5 additions & 5 deletions etc/kayobe/ansible/cephadm-gather-keys.yml
Expand Up @@ -32,13 +32,13 @@
loop: "{{ kolla_ceph_services | selectattr('required') | map(attribute='keys') | flatten | unique }}"

- name: Generate ceph.conf
command: "cephadm shell -- ceph config generate-minimal-conf"
ansible.builtin.command: cephadm shell -- ceph config generate-minimal-conf
become: true
register: cephadm_ceph_conf
changed_when: false

- name: Ensure Kolla config directories are present
file:
ansible.builtin.file:
state: directory
path: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_key_dir[item.name] }}"
loop: "{{ kolla_ceph_services | selectattr('required') }}"
Expand All @@ -51,7 +51,7 @@
key_info: "{{ cephadm_key_info.results | selectattr('item', 'equalto', item.1) | first }}"
cephadm_key: "{{ key_info.stdout }}"
cephadm_user: "{{ item.1 }}"
copy:
ansible.builtin.copy:
# Include a trailing newline.
content: |
{{ cephadm_key }}
Expand All @@ -63,7 +63,7 @@
notify: Please add and commit the Kayobe configuration

- name: Save ceph.conf to Kayobe configuration
copy:
ansible.builtin.copy:
# Include a trailing newline.
# Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf.
content: |
Expand All @@ -77,7 +77,7 @@

handlers:
- name: Please add and commit the Kayobe configuration
debug:
ansible.builtin.debug:
msg: >-
Please add and commit the Ceph configuration files and keys in Kayobe
configuration. Remember to encrypt the keys using Ansible Vault.
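Review bot: The `ansible.builtin.copy` tasks that write the Ceph keyrings and ceph.conf into the Kayobe configuration show no `mode:` in the visible lines, so the keyring files may be created with the controller's default umask; keyrings are secrets, so `mode: "0600"` on the keyring copy is worth adding (the remainder of each task is collapsed, so it may already be set). The workflow excludes `risky-file-permissions`, which is the rule that would otherwise flag this. The handler already asks for the keys to be vaulted, which is the right follow-up but does not cover the plaintext copy that exists on disk until then. Each hunk is a fragment of a play that starts before the first one.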
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-keys.yml
Expand Up @@ -7,5 +7,6 @@
- cephadm
- cephadm-keys
tasks:
- import_role:
- name: Apply Cephadm keys role
ansible.builtin.import_role:
name: stackhpc.cephadm.keys
3 changes: 2 additions & 1 deletion etc/kayobe/ansible/cephadm-pools.yml
Expand Up @@ -7,5 +7,6 @@
- cephadm
- cephadm-keys
tasks:
- import_role:
- name: Apply Cephadm pools role
ansible.builtin.import_role:
name: stackhpc.cephadm.pools
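Review bot: The pools playbook carries the tag `cephadm-keys` (a context line, so not introduced by this commit), which looks like a copy-paste from cephadm-keys.yml; with that tag, `--tags cephadm-pools` would skip this play and `--tags cephadm-keys` would also create pools. It should read `- cephadm-pools`. The enclosing play starts before the hunk.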
21 changes: 14 additions & 7 deletions etc/kayobe/ansible/cephadm.yml
@@ -1,9 +1,16 @@
---
# Deploy Ceph via Cephadm. Create EC profiles, CRUSH rules, pools and keys.
- import_playbook: cephadm-deploy.yml
- import_playbook: cephadm-commands-pre.yml
- import_playbook: cephadm-ec-profiles.yml
- import_playbook: cephadm-crush-rules.yml
- import_playbook: cephadm-pools.yml
- import_playbook: cephadm-keys.yml
- import_playbook: cephadm-commands-post.yml
- name: Import Cephadm deploy playbook
import_playbook: cephadm-deploy.yml
- name: Import Cephadm commands pre playbook
import_playbook: cephadm-commands-pre.yml
- name: Import Cephadm ec profiles playbook
import_playbook: cephadm-ec-profiles.yml
- name: Import Cephadm crush rules playbook
import_playbook: cephadm-crush-rules.yml
- name: Import Cephadm pools playbook
import_playbook: cephadm-pools.yml
- name: Import Cephadm keys playbook
import_playbook: cephadm-keys.yml
- name: Import Cephadm commands post playbook
import_playbook: cephadm-commands-post.yml
7 changes: 4 additions & 3 deletions etc/kayobe/ansible/check-tags.yml
Expand Up @@ -7,18 +7,19 @@
gather_facts: false
tasks:
- name: Query images and tags
command:
ansible.builtin.command:
cmd: >-
{{ kayobe_config_path }}/../../tools/kolla-images.py list-tags
register: kolla_images_result
changed_when: false

- name: Set a fact about images and tags
set_fact:
ansible.builtin.set_fact:
kolla_images: "{{ kolla_images_result.stdout | from_yaml }}"

# Use state=read and allow_missing=false to check for missing tags in test pulp.
- import_role:
- name: Check for missing tags
ansible.builtin.import_role:
name: stackhpc.pulp.pulp_container_content
vars:
pulp_container_content: >-
13 changes: 7 additions & 6 deletions etc/kayobe/ansible/cis.yml
@@ -1,5 +1,4 @@
---

- name: Security hardening
hosts: cis-hardening
become: true
Expand All @@ -9,14 +8,14 @@
# TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
# https://gitlab.com/gitlab-org/gitlab/-/issues/367429#note_1840422075
- name: Assert that we are using a supported SSH key
assert:
ansible.builtin.assert:
that:
- ssh_key_type != 'ed25519'
fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
when: ansible_facts.os_family == 'RedHat'

- name: Ensure the cron package is installed on ubuntu
package:
ansible.builtin.package:
name: cron
state: present
when: ansible_facts.distribution == 'Ubuntu'
Expand All @@ -25,17 +24,19 @@
# This is to workaround an issue where we set the expiry to 365 days on kayobe
# service accounts in a previous iteration of the CIS benchmark hardening
# defaults. This should restore the defaults and can eventually be removed.
command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
become: true
changed_when: false
with_items:
- "{{ kayobe_ansible_user }}"
- "{{ kolla_ansible_user }}"

- include_role:
- name: Run CIS hardening role (RHEL 9)
ansible.builtin.include_role:
name: ansible-lockdown.rhel9_cis
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'

- include_role:
- name: Run CIS hardening role (Ubuntu 22)
ansible.builtin.include_role:
name: ansible-lockdown.ubuntu22_cis
when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'
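Review bot: The renamed `ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}` task rewrites password ageing for the Kayobe and Kolla service accounts on every run yet declares `changed_when: false`, so the mutation never shows in play output; `changed_when: true`, or comparing `chage -l` output before and after, reports it honestly. Where the ansible-core in use supports them, `ansible.builtin.user` with `password_expire_min: 0` and `password_expire_max: 99999` expresses the same intent idempotently, leaving only the warn/inactive settings to the command. The enclosing play starts before the first hunk.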