[focal] Python modules sync with Airship project

- uplifted some python modules
- fixed tox4 requirements
- added focal build node as a default one
- added bindep.txt and bindep role to playbooks and docker image build process
- changes Makefile to reflect GoLang and dependency management changes
- upgraded Helm to v3 for chart build process
- uplifted postgresql version to 14.6
- fixed deprecated falcon.API - replaced with falcon.App
- fixed upstream docker image publishing process

Change-Id: I307d72bb7680f6f5c71e42ad30666cf786420460
Sergiy Markin 2023-04-07 00:00:12 +00:00
parent 98f3d886d8
commit 415a8b52c5
34 changed files with 2137 additions and 427 deletions

8
.gitignore vendored

@ -6,6 +6,9 @@ __pycache__/
# C extensions # C extensions
*.so *.so
# Go
baclient_built
# Distribution / packaging # Distribution / packaging
.Python .Python
build/ build/
@ -108,3 +111,8 @@ ENV/
# Chart artifacts # Chart artifacts
charts/drydock/charts charts/drydock/charts
charts/drydock/requirements.lock charts/drydock/requirements.lock
/charts/*.tgz
/charts/*/charts
/charts/*/requirements.lock
/charts/deps/*/
/*.tgz


@ -19,7 +19,7 @@ formats:
# Optionally set the version of Python and requirements required to build your docs # Optionally set the version of Python and requirements required to build your docs
python: python:
version: 3.7 version: 3.8
install: install:
- requirements: doc/requirements-doc.txt - requirements: doc/requirements-doc.txt
- requirements: python/requirements-lock.txt - requirements: python/requirements-lock.txt


@ -21,18 +21,15 @@
- airship-drydock-omni-test - airship-drydock-omni-test
- airship-drydock-chart-build-gate - airship-drydock-chart-build-gate
- airship-drydock-chart-build-latest-htk - airship-drydock-chart-build-latest-htk
- airship-drydock-docker-build-gate-ubuntu_xenial - airship-drydock-docker-build-gate-ubuntu_focal
- airship-drydock-docker-build-gate-ubuntu_bionic
gate: gate:
jobs: jobs:
- airship-drydock-omni-test - airship-drydock-omni-test
- airship-drydock-chart-build-gate - airship-drydock-chart-build-gate
- airship-drydock-docker-build-gate-ubuntu_xenial - airship-drydock-docker-build-gate-ubuntu_focal
- airship-drydock-docker-build-gate-ubuntu_bionic
post: post:
jobs: jobs:
- airship-drydock-docker-publish-ubuntu_xenial - airship-drydock-docker-publish-ubuntu_focal
- airship-drydock-docker-publish-ubuntu_bionic
- drydock-upload-git-mirror - drydock-upload-git-mirror
- nodeset: - nodeset:
@ -41,6 +38,12 @@
- name: primary - name: primary
label: ubuntu-bionic label: ubuntu-bionic
- nodeset:
name: airship-drydock-single-node-focal
nodes:
- name: primary
label: ubuntu-focal
- job: - job:
name: airship-drydock-omni-test name: airship-drydock-omni-test
description: | description: |
@ -50,7 +53,7 @@
required-projects: required-projects:
- openstack/openstack-helm-infra - openstack/openstack-helm-infra
timeout: 3600 timeout: 3600
nodeset: airship-drydock-single-node nodeset: airship-drydock-single-node-focal
- job: - job:
name: airship-drydock-chart-build-gate name: airship-drydock-chart-build-gate
@ -58,7 +61,7 @@
Builds charts using pinned Helm toolkit. Builds charts using pinned Helm toolkit.
timeout: 900 timeout: 900
run: tools/gate/playbooks/build-charts.yaml run: tools/gate/playbooks/build-charts.yaml
nodeset: airship-drydock-single-node nodeset: airship-drydock-single-node-focal
- job: - job:
name: airship-drydock-chart-build-latest-htk name: airship-drydock-chart-build-latest-htk
@ -67,46 +70,31 @@
timeout: 900 timeout: 900
voting: false voting: false
run: tools/gate/playbooks/build-charts.yaml run: tools/gate/playbooks/build-charts.yaml
nodeset: airship-drydock-single-node nodeset: airship-drydock-single-node-focal
vars: vars:
HTK_COMMIT: master HTK_COMMIT: master
- job: - job:
name: airship-drydock-docker-build-gate-ubuntu_xenial name: airship-drydock-docker-build-gate-ubuntu_focal
timeout: 1800 timeout: 1800
run: tools/gate/playbooks/docker-image-build.yaml run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-drydock-single-node nodeset: airship-drydock-single-node-focal
irrelevant-files: irrelevant-files:
- '^doc/.*' - '^doc/.*'
- '^charts/.*' - '^charts/.*'
vars: vars:
publish: false publish: false
distro: ubuntu_xenial distro: ubuntu_focal
tags:
dynamic:
patch_set: true
- job:
name: airship-drydock-docker-build-gate-ubuntu_bionic
timeout: 1800
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-drydock-single-node
irrelevant-files:
- '^doc/.*'
- '^charts/.*'
vars:
publish: false
distro: ubuntu_bionic
tags: tags:
dynamic: dynamic:
patch_set: true patch_set: true
- job: - job:
name: airship-drydock-docker-publish-ubuntu_xenial name: airship-drydock-docker-publish-ubuntu_focal
timeout: 1800 timeout: 1800
run: tools/gate/playbooks/docker-image-build.yaml run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-drydock-single-node nodeset: airship-drydock-single-node-focal
secrets: secrets:
- airship_drydock_quay_creds - airship_drydock_quay_creds
irrelevant-files: irrelevant-files:
@ -114,27 +102,7 @@
- '^charts/.*' - '^charts/.*'
vars: vars:
publish: true publish: true
distro: ubuntu_xenial distro: ubuntu_focal
tags:
dynamic:
branch: true
commit: true
static:
- latest
- job:
name: airship-drydock-docker-publish-ubuntu_bionic
timeout: 1800
run: tools/gate/playbooks/docker-image-build.yaml
nodeset: airship-drydock-single-node
secrets:
- airship_drydock_quay_creds
irrelevant-files:
- '^doc/.*'
- '^charts/.*'
vars:
publish: true
distro: ubuntu_bionic
tags: tags:
dynamic: dynamic:
branch: true branch: true
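Review bot: The bionic nodeset is left behind: the context lines just before the new `airship-drydock-single-node-focal` definition still show a nodeset with `label: ubuntu-bionic`, while every job in the visible hunks now uses the focal one. If nothing else references it, I would drop that definition in the same change so the file does not advertise a build node that is no longer exercised. Its `- nodeset:` header sits outside the hunk, so its name is inferred from the old `nodeset: airship-drydock-single-node` lines.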


@ -19,7 +19,7 @@ IMAGE_PREFIX ?= airshipit
IMAGE_TAG ?= dev IMAGE_TAG ?= dev
HELM := $(shell realpath $(BUILD_DIR))/helm HELM := $(shell realpath $(BUILD_DIR))/helm
UBUNTU_BASE_IMAGE ?= UBUNTU_BASE_IMAGE ?=
DISTRO ?= ubuntu_bionic DISTRO ?= ubuntu_focal
PROXY ?= http://proxy.foo.com:8000 PROXY ?= http://proxy.foo.com:8000
NO_PROXY ?= localhost,127.0.0.1,.svc.cluster.local NO_PROXY ?= localhost,127.0.0.1,.svc.cluster.local
USE_PROXY ?= false USE_PROXY ?= false
@ -40,21 +40,16 @@ run_images: run_drydock
# Run tests # Run tests
tests: pep8 security docs unit_tests test_baclient tests: pep8 security docs unit_tests test_baclient
# Install external (not managed by tox/pip) dependencies
external_dep: requirements-host.txt requirements-host-test.txt
sudo ./hostdeps.sh
touch external_dep
# Run unit and Postgres integration tests in coverage mode # Run unit and Postgres integration tests in coverage mode
coverage_test: build_drydock coverage_test: build_drydock
tox -re cover tox -re cover
# Run just unit tests # Run just unit tests
unit_tests: external_dep unit_tests:
tox -re py36 $(TESTS) tox -re py38 $(TESTS)
# Run just DB integration tests # Run just DB integration tests
db_integration_tests: external_dep db_integration_tests:
tox -re integration $(TESTS) tox -re integration $(TESTS)
# Freeze full set of Python requirements # Freeze full set of Python requirements
@ -91,27 +86,27 @@ helm-install:
# Make targets intended for use by the primary targets above. # Make targets intended for use by the primary targets above.
build_drydock: external_dep build_drydock:
export; tools/drydock_image_build.sh export; tools/drydock_image_build.sh
ifeq ($(PUSH_IMAGE), true) ifeq ($(PUSH_IMAGE), true)
docker push $(IMAGE) docker push $(IMAGE)
endif endif
# Make target for building bootaction signal client # Make target for building bootaction signal client
build_baclient: external_dep build_baclient:
sudo ./tools/baclient_build.sh $(shell realpath go) $(shell realpath ${BUILD_DIR}) ./tools/baclient_build.sh $(shell realpath go) $(shell realpath ${BUILD_DIR})
touch ./baclient_built touch ./baclient_built
# Make target for testing bootaction signal client # Make target for testing bootaction signal client
test_baclient: external_dep build_baclient test_baclient: build_baclient
GOPATH=$(shell realpath go) go test -v baclient GOPATH=$(shell realpath go) GO111MODULE=off go test -v baclient
docs: clean drydock_docs docs: clean drydock_docs
security: external_dep security:
tox -e bandit tox -e bandit
drydock_docs: external_dep render_diagrams genpolicy genconfig drydock_docs: render_diagrams genpolicy genconfig
tox -e docs tox -e docs
render_diagrams: render_diagrams:
@ -129,12 +124,14 @@ clean:
rm -rf charts/drydock/charts rm -rf charts/drydock/charts
rm -rf charts/drydock/requirements.lock rm -rf charts/drydock/requirements.lock
pep8: external_dep pep8:
tox -e pep8 tox -e pep8
helm_lint: helm-init helm_lint: helm-init
$(HELM) dep up charts/drydock
$(HELM) lint charts/drydock $(HELM) lint charts/drydock
.PHONY: build_baclient build_drydock charts clean coverage_test \ .PHONY: build_baclient build_drydock charts clean coverage_test \
db_integration_tests docs drydock drydock_docs dry-run genconfig \ db_integration_tests docs drydock drydock_docs dry-run genconfig \
genpolicy helm-init helm-install helm_lint images lint pep8 \ genpolicy helm-init helm-install helm_lint images lint pep8 \
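Review bot: `test_baclient` now runs `GO111MODULE=off go test -v baclient`, so the test is resolved in GOPATH mode and the `go.mod` this commit adds under go/src/baclient plays no part in it. tools/baclient_build.sh is not shown on this page, so it is unclear whether the build uses the same mode; if the two differ, the tested binary and the shipped binary can come from different dependency resolution. I would state the intent above the recipe, e.g. `# baclient is built and tested in GOPATH mode (GO111MODULE=off); keep in sync with tools/baclient_build.sh`.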

25
bindep.txt Normal file

@ -0,0 +1,25 @@
# These are host packages needed for Drydock
# that don't come on a minimal Ubuntu install
build-essential
curl
git
golang-go
libffi-dev
libkrb5-dev
libpq-dev
libre2-dev
libsasl2-dev
libssl-dev
libvirt-dev
libzmq3-dev
netbase
pkg-config
python3-dev
python3-pip
python3-setuptools
ssh
tox
# PlantUML is used for documentation builds, graphviz is it's soft dependancy
plantuml
graphviz
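Review bot: Every package here is listed without a bindep profile, so any consumer that runs bindep installs the whole set, including `build-essential`, `golang-go`, `plantuml` and `graphviz`. The commit message says the list also feeds the docker image build; if that is the runtime image (not visible in this section), compilers and documentation tooling end up in it. Tagging the doc-only entries, e.g. `plantuml [doc]` and `graphviz [doc]`, keeps them out of default installs. The comment above them should also read `graphviz is its soft dependency`.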

0
charts/deps/.gitkeep Normal file


@ -14,5 +14,5 @@
dependencies: dependencies:
- name: helm-toolkit - name: helm-toolkit
repository: http://localhost:8879/charts repository: file://../deps/helm-toolkit
version: ">= 0.1.0" version: ">= 0.1.0"
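Review bot: With `repository: file://../deps/helm-toolkit` and `version: ">= 0.1.0"`, the chart accepts whatever helm-toolkit tree is present in charts/deps at build time. The .gitignore section of this commit ignores `/charts/deps/*/`, so that tree is not reviewed content; which revision lands there is decided by the build tooling (the Zuul section shows one job setting `HTK_COMMIT: master`). A comment here naming where the revision is pinned, e.g. `# helm-toolkit is fetched into charts/deps by the chart build; revision set via HTK_COMMIT`, would make the provenance traceable. The script that does the fetch is not part of this section, so the wording should be confirmed against it.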


@ -35,7 +35,7 @@ images:
ks_user: docker.io/openstackhelm/heat:newton ks_user: docker.io/openstackhelm/heat:newton
ks_service: docker.io/openstackhelm/heat:newton ks_service: docker.io/openstackhelm/heat:newton
ks_endpoints: docker.io/openstackhelm/heat:newton ks_endpoints: docker.io/openstackhelm/heat:newton
drydock_db_init: docker.io/postgres:9.5 drydock_db_init: docker.io/postgres:14.6
drydock_db_cleanup: quay.io/airshipit/drydock:master drydock_db_cleanup: quay.io/airshipit/drydock:master
drydock_db_sync: quay.io/airshipit/drydock:master drydock_db_sync: quay.io/airshipit/drydock:master
pull_policy: "IfNotPresent" pull_policy: "IfNotPresent"


@ -1,4 +1,5 @@
sphinx>=1.6.2 sphinx_rtd_theme==1.2.0
sphinx_rtd_theme==0.2.4 pylibyaml==0.1.0
oslo.versionedobjects oslo_versionedobjects==3.1.0
falcon falcon==3.1.1
keystoneauth1==5.1.2
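Review bot: The `sphinx>=1.6.2` entry disappears and nothing replaces it, so Sphinx is now installed only if another requirement pulls it in, at whatever version the resolver picks. The rest of the list moved to exact pins, so I would keep Sphinx explicit and pinned too, `sphinx==<version used by the docs build>`. The readthedocs section also installs python/requirements-lock.txt, which may already pin it; that file is not shown here.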


@ -78,7 +78,7 @@
# Domain name containing project (string value) # Domain name containing project (string value)
#project_domain_name = <None> #project_domain_name = <None>
# Trust ID (string value) # ID of the trust to use as a trustee use (string value)
#trust_id = <None> #trust_id = <None>
# Optional domain ID to use with v3 and v2 parameters. It will be used for both # Optional domain ID to use with v3 and v2 parameters. It will be used for both
@ -114,15 +114,35 @@
# Complete "public" Identity API endpoint. This endpoint should not be an # Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated # "admin" endpoint, as it should be accessible by all end users. Unauthenticated
# clients are redirected to this endpoint to authenticate. Although this # clients are redirected to this endpoint to authenticate. Although this
# endpoint should ideally be unversioned, client support in the wild varies. # endpoint should ideally be unversioned, client support in the wild varies. If
# If you're using a versioned v2 endpoint here, then this should *not* be the # you're using a versioned v2 endpoint here, then this should *not* be the same
# same endpoint the service user utilizes for validating tokens, because normal # endpoint the service user utilizes for validating tokens, because normal end
# end users may not be able to reach that endpoint. (string value) # users may not be able to reach that endpoint. (string value)
# Deprecated group/name - [keystone_authtoken]/auth_uri
#www_authenticate_uri = <None>
# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
# be an "admin" endpoint, as it should be accessible by all end users.
# Unauthenticated clients are redirected to this endpoint to authenticate.
# Although this endpoint should ideally be unversioned, client support in the
# wild varies. If you're using a versioned v2 endpoint here, then this should
# *not* be the same endpoint the service user utilizes for validating tokens,
# because normal end users may not be able to reach that endpoint. This option
# is deprecated in favor of www_authenticate_uri and will be removed in the S
# release. (string value)
# This option is deprecated for removal since Queens.
# Its value may be silently ignored in the future.
# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
# will be removed in the S release.
#auth_uri = <None> #auth_uri = <None>
# API version of the admin Identity API endpoint. (string value) # API version of the Identity API endpoint. (string value)
#auth_version = <None> #auth_version = <None>
# Interface to use for the Identity API endpoint. Valid values are "public",
# "internal" (default) or "admin". (string value)
#interface = internal
# Do not handle authorization requests within the middleware, but delegate the # Do not handle authorization requests within the middleware, but delegate the
# authorization decision to downstream WSGI components. (boolean value) # authorization decision to downstream WSGI components. (boolean value)
#delay_auth_decision = false #delay_auth_decision = false
@ -157,9 +177,6 @@
# The region in which the identity server can be found. (string value) # The region in which the identity server can be found. (string value)
#region_name = <None> #region_name = <None>
# Directory used to cache files related to PKI tokens. (string value)
#signing_dir = <None>
# Optionally specify a list of memcached server(s) to use for caching. If left # Optionally specify a list of memcached server(s) to use for caching. If left
# undefined, tokens will instead be cached in-process. (list value) # undefined, tokens will instead be cached in-process. (list value)
# Deprecated group/name - [keystone_authtoken]/memcache_servers # Deprecated group/name - [keystone_authtoken]/memcache_servers
@ -170,12 +187,6 @@
# -1 to disable caching completely. (integer value) # -1 to disable caching completely. (integer value)
#token_cache_time = 300 #token_cache_time = 300
# Determines the frequency at which the list of revoked tokens is retrieved from
# the Identity service (in seconds). A high number of revocation events combined
# with a low cache duration may significantly reduce performance. Only valid for
# PKI tokens. (integer value)
#revocation_cache_time = 10
# (Optional) If defined, indicate whether token data should be authenticated or # (Optional) If defined, indicate whether token data should be authenticated or
# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
@ -211,9 +222,9 @@
# client connection from the pool. (integer value) # client connection from the pool. (integer value)
#memcache_pool_conn_get_timeout = 10 #memcache_pool_conn_get_timeout = 10
# (Optional) Use the advanced (eventlet safe) memcached client pool. The # (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
# advanced pool will only work under python 2.x. (boolean value) # value)
#memcache_use_advanced_pool = false #memcache_use_advanced_pool = true
# (Optional) Indicate whether to set the X-Service-Catalog header. If False, # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will not # middleware will not ask for service catalog on token validation and will not
@ -229,19 +240,23 @@
# value) # value)
#enforce_token_bind = permissive #enforce_token_bind = permissive
# If true, the revocation list will be checked for cached tokens. This requires # A choice of roles that must be present in a service token. Service tokens are
# that PKI tokens are configured on the identity server. (boolean value) # allowed to request that an expired token can be used and so this check should
#check_revocations_for_cached = false # tightly control that only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list must be present. For
# backwards compatibility reasons this currently only affects the allow_expired
# check. (list value)
#service_token_roles = service
# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm # For backwards compatibility reasons we must let valid service tokens pass that
# or multiple. The algorithms are those supported by Python standard # don't pass the service_token_roles check as valid. Setting this true will
# hashlib.new(). The hashes will be tried in the order given, so put the # become the default in a future release and should be enabled if possible.
# preferred one first for performance. The result of the first hash will be # (boolean value)
# stored in the cache. This will typically be set to multiple values only while #service_token_roles_required = false
# migrating from a less secure algorithm to a more secure one. Once all the old
# tokens are expired this option should be set to a single value for better # The name or type of the service as it appears in the service catalog. This is
# performance. (list value) # used to validate tokens that have restricted access rules. (string value)
#hash_algorithms = md5 #service_type = <None>
# Authentication type to load (string value) # Authentication type to load (string value)
# Deprecated group/name - [keystone_authtoken]/auth_plugin # Deprecated group/name - [keystone_authtoken]/auth_plugin
@ -335,7 +350,28 @@
# From oslo.policy # From oslo.policy
# #
# The file that defines policies. (string value) # This option controls whether or not to enforce scope when evaluating policies.
# If ``True``, the scope of the token used in the request is compared to the
# ``scope_types`` of the policy being enforced. If the scopes do not match, an
# ``InvalidScope`` exception will be raised. If ``False``, a message will be
# logged informing operators that policies are being invoked with mismatching
# scope. (boolean value)
#enforce_scope = false
# This option controls whether or not to use old deprecated defaults when
# evaluating policies. If ``True``, the old deprecated defaults are not going to
# be evaluated. This means if any existing token is allowed for old defaults but
# is disallowed for new defaults, it will be disallowed. It is encouraged to
# enable this flag along with the ``enforce_scope`` flag so that you can get the
# benefits of new defaults and ``scope_type`` together. If ``False``, the
# deprecated policy check string is logically OR'd with the new policy check
# string, allowing for a graceful upgrade experience between releases with new
# policies, which is the default behavior. (boolean value)
#enforce_new_defaults = false
# The relative or absolute path of a file that maps roles to permissions for a
# given service. Relative paths must be specified in relation to the
# configuration file setting this option. (string value)
#policy_file = policy.json #policy_file = policy.json
# Default rule. Enforced when a requested rule is not found. (string value) # Default rule. Enforced when a requested rule is not found. (string value)
@ -348,6 +384,25 @@
# valued) # valued)
#policy_dirs = policy.d #policy_dirs = policy.d
# Content Type to send and receive data for REST based policy check (string
# value)
# Possible values:
# application/x-www-form-urlencoded - <No description provided>
# application/json - <No description provided>
#remote_content_type = application/x-www-form-urlencoded
# server identity verification for REST based policy check (boolean value)
#remote_ssl_verify_server_crt = false
# Absolute path to ca cert file for REST based policy check (string value)
#remote_ssl_ca_crt_file = <None>
# Absolute path to client cert for REST based policy check (string value)
#remote_ssl_client_crt_file = <None>
# Absolute path client key file REST based policy check (string value)
#remote_ssl_client_key_file = <None>
[plugins] [plugins]
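Review bot: Two of the newly documented options default to the weaker setting: `#service_token_roles_required = false` and `#remote_ssl_verify_server_crt = false`. This looks like generated sample output, so the values belong to the libraries rather than to this file, but operators copy from it. The deployed configuration should set `service_token_roles_required = true`, and `remote_ssl_verify_server_crt = true` wherever REST-based policy checks are used; the option text for the first already recommends enabling it. The same hunks repeat in the second copy of this sample further down the page.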


@ -77,7 +77,7 @@ release = u'0.1.0'
# #
# This is also used if you do content translation via gettext catalogs. # This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases. # Usually you set "language" from the command line for these cases.
language = None language = 'en'
# List of patterns, relative to source directory, that match files and # List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files. # directories to ignore when looking for source files.

Binary file not shown.

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 57 KiB

After

Width:  |  Height:  |  Size: 69 KiB


@ -78,7 +78,7 @@
# Domain name containing project (string value) # Domain name containing project (string value)
#project_domain_name = <None> #project_domain_name = <None>
# Trust ID (string value) # ID of the trust to use as a trustee use (string value)
#trust_id = <None> #trust_id = <None>
# Optional domain ID to use with v3 and v2 parameters. It will be used for both # Optional domain ID to use with v3 and v2 parameters. It will be used for both
@ -114,15 +114,35 @@
# Complete "public" Identity API endpoint. This endpoint should not be an # Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated # "admin" endpoint, as it should be accessible by all end users. Unauthenticated
# clients are redirected to this endpoint to authenticate. Although this # clients are redirected to this endpoint to authenticate. Although this
# endpoint should ideally be unversioned, client support in the wild varies. # endpoint should ideally be unversioned, client support in the wild varies. If
# If you're using a versioned v2 endpoint here, then this should *not* be the # you're using a versioned v2 endpoint here, then this should *not* be the same
# same endpoint the service user utilizes for validating tokens, because normal # endpoint the service user utilizes for validating tokens, because normal end
# end users may not be able to reach that endpoint. (string value) # users may not be able to reach that endpoint. (string value)
# Deprecated group/name - [keystone_authtoken]/auth_uri
#www_authenticate_uri = <None>
# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
# be an "admin" endpoint, as it should be accessible by all end users.
# Unauthenticated clients are redirected to this endpoint to authenticate.
# Although this endpoint should ideally be unversioned, client support in the
# wild varies. If you're using a versioned v2 endpoint here, then this should
# *not* be the same endpoint the service user utilizes for validating tokens,
# because normal end users may not be able to reach that endpoint. This option
# is deprecated in favor of www_authenticate_uri and will be removed in the S
# release. (string value)
# This option is deprecated for removal since Queens.
# Its value may be silently ignored in the future.
# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
# will be removed in the S release.
#auth_uri = <None> #auth_uri = <None>
# API version of the admin Identity API endpoint. (string value) # API version of the Identity API endpoint. (string value)
#auth_version = <None> #auth_version = <None>
# Interface to use for the Identity API endpoint. Valid values are "public",
# "internal" (default) or "admin". (string value)
#interface = internal
# Do not handle authorization requests within the middleware, but delegate the # Do not handle authorization requests within the middleware, but delegate the
# authorization decision to downstream WSGI components. (boolean value) # authorization decision to downstream WSGI components. (boolean value)
#delay_auth_decision = false #delay_auth_decision = false
@ -157,9 +177,6 @@
# The region in which the identity server can be found. (string value) # The region in which the identity server can be found. (string value)
#region_name = <None> #region_name = <None>
# Directory used to cache files related to PKI tokens. (string value)
#signing_dir = <None>
# Optionally specify a list of memcached server(s) to use for caching. If left # Optionally specify a list of memcached server(s) to use for caching. If left
# undefined, tokens will instead be cached in-process. (list value) # undefined, tokens will instead be cached in-process. (list value)
# Deprecated group/name - [keystone_authtoken]/memcache_servers # Deprecated group/name - [keystone_authtoken]/memcache_servers
@ -170,12 +187,6 @@
# -1 to disable caching completely. (integer value) # -1 to disable caching completely. (integer value)
#token_cache_time = 300 #token_cache_time = 300
# Determines the frequency at which the list of revoked tokens is retrieved from
# the Identity service (in seconds). A high number of revocation events combined
# with a low cache duration may significantly reduce performance. Only valid for
# PKI tokens. (integer value)
#revocation_cache_time = 10
# (Optional) If defined, indicate whether token data should be authenticated or # (Optional) If defined, indicate whether token data should be authenticated or
# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) # authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the # in the cache. If ENCRYPT, token data is encrypted and authenticated in the
@ -211,9 +222,9 @@
# client connection from the pool. (integer value) # client connection from the pool. (integer value)
#memcache_pool_conn_get_timeout = 10 #memcache_pool_conn_get_timeout = 10
# (Optional) Use the advanced (eventlet safe) memcached client pool. The # (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
# advanced pool will only work under python 2.x. (boolean value) # value)
#memcache_use_advanced_pool = false #memcache_use_advanced_pool = true
# (Optional) Indicate whether to set the X-Service-Catalog header. If False, # (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will not # middleware will not ask for service catalog on token validation and will not
@ -229,19 +240,23 @@
# value) # value)
#enforce_token_bind = permissive #enforce_token_bind = permissive
# If true, the revocation list will be checked for cached tokens. This requires # A choice of roles that must be present in a service token. Service tokens are
# that PKI tokens are configured on the identity server. (boolean value) # allowed to request that an expired token can be used and so this check should
#check_revocations_for_cached = false # tightly control that only actual services should be sending this token. Roles
# here are applied as an ANY check so any role in this list must be present. For
# backwards compatibility reasons this currently only affects the allow_expired
# check. (list value)
#service_token_roles = service
# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm # For backwards compatibility reasons we must let valid service tokens pass that
# or multiple. The algorithms are those supported by Python standard # don't pass the service_token_roles check as valid. Setting this true will
# hashlib.new(). The hashes will be tried in the order given, so put the # become the default in a future release and should be enabled if possible.
# preferred one first for performance. The result of the first hash will be # (boolean value)
# stored in the cache. This will typically be set to multiple values only while #service_token_roles_required = false
# migrating from a less secure algorithm to a more secure one. Once all the old
# tokens are expired this option should be set to a single value for better # The name or type of the service as it appears in the service catalog. This is
# performance. (list value) # used to validate tokens that have restricted access rules. (string value)
#hash_algorithms = md5 #service_type = <None>
# Authentication type to load (string value) # Authentication type to load (string value)
# Deprecated group/name - [keystone_authtoken]/auth_plugin # Deprecated group/name - [keystone_authtoken]/auth_plugin
@ -335,7 +350,28 @@
# From oslo.policy # From oslo.policy
# #
# The file that defines policies. (string value) # This option controls whether or not to enforce scope when evaluating policies.
# If ``True``, the scope of the token used in the request is compared to the
# ``scope_types`` of the policy being enforced. If the scopes do not match, an
# ``InvalidScope`` exception will be raised. If ``False``, a message will be
# logged informing operators that policies are being invoked with mismatching
# scope. (boolean value)
#enforce_scope = false
# This option controls whether or not to use old deprecated defaults when
# evaluating policies. If ``True``, the old deprecated defaults are not going to
# be evaluated. This means if any existing token is allowed for old defaults but
# is disallowed for new defaults, it will be disallowed. It is encouraged to
# enable this flag along with the ``enforce_scope`` flag so that you can get the
# benefits of new defaults and ``scope_type`` together. If ``False``, the
# deprecated policy check string is logically OR'd with the new policy check
# string, allowing for a graceful upgrade experience between releases with new
# policies, which is the default behavior. (boolean value)
#enforce_new_defaults = false
# The relative or absolute path of a file that maps roles to permissions for a
# given service. Relative paths must be specified in relation to the
# configuration file setting this option. (string value)
#policy_file = policy.json #policy_file = policy.json
# Default rule. Enforced when a requested rule is not found. (string value) # Default rule. Enforced when a requested rule is not found. (string value)
@ -348,6 +384,25 @@
# valued) # valued)
#policy_dirs = policy.d #policy_dirs = policy.d
# Content Type to send and receive data for REST based policy check (string
# value)
# Possible values:
# application/x-www-form-urlencoded - <No description provided>
# application/json - <No description provided>
#remote_content_type = application/x-www-form-urlencoded
# server identity verification for REST based policy check (boolean value)
#remote_ssl_verify_server_crt = false
# Absolute path to ca cert file for REST based policy check (string value)
#remote_ssl_ca_crt_file = <None>
# Absolute path to client cert for REST based policy check (string value)
#remote_ssl_client_crt_file = <None>
# Absolute path client key file REST based policy check (string value)
#remote_ssl_client_key_file = <None>
[plugins] [plugins]

1
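--- a/go/src/baclient/go.mod
+++ b/go/src/baclient/go.mod
@@ -0,0 +1 @@
+module baclient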


@ -1,43 +0,0 @@
#!/bin/bash
# Install host-level package dependencies
# needed for local testing
set -x
if [[ ! -z $(uname -a | grep Ubuntu) ]]
then
apt-get update
installed_pkgs=$(dpkg --get-selections | awk '!/deinstall/ { gsub(/:.*/,"",$1); print $1 }')
set -a added_pkgs
for reqfile in $(ls requirements-host*.txt)
do
for l in $(grep -vE '(^ *#)|(^$)' "${reqfile}")
do
# Do extra magic to support a list of alternative packages separated by '|'
# none of the packages are found, install the first one listed
IFS='|' read -a pkgalts <<< "${l}"
pkgfound=0
for a in "${pkgalts[@]}"
do
if grep -qE "^${a}$" <<< "${installed_pkgs}"
then
pkgfound=1
break
fi
done
if [[ "${pkgfound}" -eq 0 ]]
then
added_pkgs+=("${pkgalts[0]}")
fi
done
done
if [[ ${#added_pkgs[@]} -gt 0 ]]
then
DEBIAN_FRONTEND=noninteractive apt-get \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confold" \
install -y --no-install-recommends "${added_pkgs[@]}"
fi
else
echo "Only support testing on Ubuntu hosts at this time."
fi


@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
ARG FROM=ubuntu:16.04 ARG FROM=ubuntu:20.04
FROM ${FROM} AS baclient_builder FROM ${FROM} AS baclient_builder
ARG UBUNTU_REPO=http://archive.ubuntu.com/ubuntu ARG UBUNTU_REPO=http://archive.ubuntu.com/ubuntu
@ -23,16 +23,23 @@ ENV container docker
ENV LC_ALL C.UTF-8 ENV LC_ALL C.UTF-8
ENV LANG C.UTF-8 ENV LANG C.UTF-8
# Copy direct dependency requirements only to build a dependency layer
RUN echo "deb ${UBUNTU_REPO} xenial main restricted universe multiverse" > /etc/apt/sources.list; \
echo "deb ${UBUNTU_REPO} xenial-security main restricted universe multiverse" >> /etc/apt/sources.list; \
echo "deb ${UBUNTU_REPO} xenial-updates main restricted universe multiverse" >> /etc/apt/sources.list; \
cat /etc/apt/sources.list; \
echo "APT::Get::AllowUnauthenticated ${ALLOW_UNAUTHENTICATED};" >> /etc/apt/apt.conf.d/00-local-mirrors;
COPY ./bindep.txt /tmp/drydock/
WORKDIR /tmp/drydock
RUN apt update \
&& apt install -y --allow-downgrades \
python3 \
python3-dev \
python3-pip \
python3-venv \
python3-setuptools \
&& DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y tzdata \
&& pip3 install bindep \
&& bindep -f /tmp/drydock/bindep.txt --brief | xargs apt install -y
COPY ./tools/baclient_build.sh /tmp/drydock/ COPY ./tools/baclient_build.sh /tmp/drydock/
COPY ./go /tmp/drydock/go COPY ./go /tmp/drydock/go
WORKDIR /tmp/drydock WORKDIR /tmp/drydock
RUN ./baclient_build.sh /tmp/drydock/go /tmp/drydock/baclient RUN ./baclient_build.sh /tmp/drydock/go /tmp/drydock/baclient
@ -73,29 +80,36 @@ ENV PORT 9000
ENV LC_ALL C.UTF-8 ENV LC_ALL C.UTF-8
ENV LANG C.UTF-8 ENV LANG C.UTF-8
# Copy direct dependency requirements only to build a dependency layer
RUN echo "deb ${UBUNTU_REPO} xenial main restricted universe multiverse" > /etc/apt/sources.list; \
echo "deb ${UBUNTU_REPO} xenial-security main restricted universe multiverse" >> /etc/apt/sources.list; \
echo "deb ${UBUNTU_REPO} xenial-updates main restricted universe multiverse" >> /etc/apt/sources.list; \
cat /etc/apt/sources.list; \
echo "APT::Get::AllowUnauthenticated ${ALLOW_UNAUTHENTICATED};" >> /etc/apt/apt.conf.d/00-local-mirrors;
# COPY ./bindep-python.txt /tmp/drydock/
COPY ./requirements-host.txt /tmp/drydock/
COPY ./hostdeps.sh /tmp/drydock
WORKDIR /tmp/drydock WORKDIR /tmp/drydock
RUN ./hostdeps.sh; \ RUN DEBIAN_FRONTEND=noninteractive \
rm -r /var/lib/apt/lists/* apt update \
&& DEBIAN_FRONTEND=noninteractive \
apt install -y \
--allow-downgrades \
--no-install-recommends \
python3-dev \
python3-pip \
python3-setuptools \
pkg-config \
libvirt-dev \
libssl-dev \
gcc \
ssh\
curl \
netbase \
&& rm -r /var/lib/apt/lists/*
# Install LibYAML # Install LibYAML
ENV LD_LIBRARY_PATH=/usr/local/lib ENV LD_LIBRARY_PATH=/usr/local/lib
COPY --from=baclient_builder /usr/local/lib /usr/local/lib COPY --from=baclient_builder /usr/local/lib /usr/local/lib
COPY --from=baclient_builder /usr/local/include/yaml.h /usr/local/include/yaml.h COPY --from=baclient_builder /usr/local/include/yaml.h /usr/local/include/yaml.h
RUN python3 -m pip install -U 'pip<21.0'
COPY ./python/requirements-lock.txt /tmp/drydock/ COPY ./python/requirements-lock.txt /tmp/drydock/
RUN cat /tmp/drydock/requirements-lock.txt | xargs -d '\n' \ RUN pip3 install \
-l1 pip3 -vv install --no-cache-dir --no-cache-dir \
-r /tmp/drydock/requirements-lock.txt
COPY ./python /tmp/drydock/python COPY ./python /tmp/drydock/python
WORKDIR /tmp/drydock/python WORKDIR /tmp/drydock/python
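Review bot: The runtime stage's `pip3 install --no-cache-dir -r /tmp/drydock/requirements-lock.txt` installs every entry of the lock, and what appears to be the regenerated lock in this commit lists test and documentation tooling (bandit, flake8, pytest, Sphinx, GitPython among others), so those packages end up in the shipped image. Installing only the direct requirements with the lock as a constraints file keeps the pins without the extra packages: `COPY ./python/requirements-direct.txt ./python/requirements-lock.txt /tmp/drydock/` followed by `RUN pip3 install --no-cache-dir -c /tmp/drydock/requirements-lock.txt -r /tmp/drydock/requirements-direct.txt`. In the builder stage, `pip3 install bindep` is unpinned and its output is piped into `apt install -y` as root, so pinning it (`bindep==<PINNED_VERSION>`) would make the build reproducible. `ARG UBUNTU_REPO` also looks unused now that the sources.list lines are removed; confirm whether mirror overrides are still expected to work.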


@ -45,7 +45,7 @@ def start_api(state_manager=None, ingester=None, orchestrator=None):
part input part input
:param orchestrator: Instance of drydock_provisioner.orchestrator.Orchestrator for managing tasks :param orchestrator: Instance of drydock_provisioner.orchestrator.Orchestrator for managing tasks
""" """
control_api = falcon.API( control_api = falcon.App(
request_type=DrydockRequest, request_type=DrydockRequest,
middleware=[ middleware=[
AuthMiddleware(), AuthMiddleware(),


@ -1,29 +1,30 @@
pylibyaml~=0.1 # edited with compartibility with shipyard's apache-airflow 1.10.15
PyYAML~=5.3.1 alembic==1.4.3
pyghmi==1.0.18 Beaker==1.12.0
netaddr
falcon
oslo.versionedobjects==1.23.0
requests
oauthlib
uwsgi==2.0.17.1
pymongo==3.6.1
oslo.config==7.0.0
click==6.7 click==6.7
PasteDeploy==1.5.2 defusedxml===0.6.0
PTable==0.9.2 falcon==3.1.1
keystonemiddleware==4.9.1 iso8601==0.1.13
oslo.policy==1.22.1 jinja2==3.0.3
iso8601==0.1.11 jsonschema==3.2.0
keystoneauth1==3.18.0 keystoneauth1==5.1.1
alembic==0.8.2 keystonemiddleware==10.2.0
sqlalchemy==1.2.8 libvirt-python==9.2.0
netaddr==0.8.0
oauthlib==3.1.0
oslo.config==8.7.1
oslo.policy==3.10.1
oslo.versionedobjects==2.4.0
Paste==3.5.0
PasteDeploy==3.0.1
psycopg2-binary==2.8.4 psycopg2-binary==2.8.4
jsonschema==2.6.0 PTable==0.9.2
jsonschema>=3.0.1<4 pyghmi==1.5.60
jinja2==2.10 pylibyaml==0.1.0
pymongo==3.10.1
PyYAML==5.4.1
redfish==3.1.9
requests==2.23.0
SQLAlchemy==1.2.8
ulid2==0.1.1 ulid2==0.1.1
defusedxml===0.5.0 uWSGI==2.0.21
libvirt-python==3.10.0
beaker==1.9.1
redfish==2.0.1


@ -1,82 +1,132 @@
alembic==0.8.2 alabaster==0.7.13
amqp==2.6.0 alembic==1.4.3
Babel==2.6.0 amqp==5.1.1
Beaker==1.9.1 attrs==22.2.0
cachetools==2.1.0 Babel==2.12.1
certifi==2018.8.24 bandit==1.7.5
bcrypt==4.0.1
Beaker==1.12.0
cachetools==5.3.0
certifi==2022.12.7
cffi==1.15.1
chardet==3.0.4 chardet==3.0.4
click==6.7 click==6.7
contextlib2==0.5.5 coverage==7.2.3
debtcollector==1.20.0 cryptography==40.0.1
defusedxml==0.5.0 debtcollector==2.5.0
dnspython==1.15.0 decorator==5.1.1
eventlet==0.24.1 defusedxml==0.6.0
falcon==1.4.1 dnspython==2.3.0
fasteners==0.14.1 docutils==0.19
futurist==1.7.0 dogpile.cache==1.1.8
greenlet==0.4.15 eventlet==0.33.3
idna==2.7 falcon==3.1.1
iso8601==0.1.11 fasteners==0.18
Jinja2==2.10 fixtures==4.0.1
jsonschema>=3.0.1<4 flake8==6.0.0
keystoneauth1==3.18.0 futurist==2.4.1
keystonemiddleware==4.9.1 gitdb==4.0.10
kombu==4.6.11 GitPython==3.1.31
libvirt-python==3.10.0 greenlet==2.0.2
Mako==1.0.7 idna==2.10
MarkupSafe~=1.1.1 imagesize==1.4.1
monotonic==1.5 iniconfig==2.0.0
msgpack==0.5.6 iso8601==0.1.13
netaddr==0.7.19 Jinja2==3.0.3
netifaces==0.10.7 jsonpatch==1.32
oauthlib==2.1.0 jsonpath-rw==1.4.0
oslo.concurrency==3.28.0 jsonpointer==2.3
oslo.config==7.0.0 jsonschema==3.2.0
oslo.context==2.21.0 keystoneauth1==5.1.1
oslo.i18n==3.22.0 keystonemiddleware==10.2.0
oslo.log==3.45.2 kombu==5.2.4
oslo.messaging==8.1.1 libvirt-python==9.2.0
oslo.middleware==3.36.0 Mako==1.2.4
oslo.policy==1.22.1 markdown-it-py==2.2.0
oslo.serialization==2.29.2 MarkupSafe==2.1.2
oslo.service==1.32.0 mccabe==0.7.0
oslo.utils==3.42.1 mdurl==0.1.2
oslo.versionedobjects==1.23.0 mock==5.0.1
Paste==2.0.3 msgpack==1.0.5
PasteDeploy==1.5.2 netaddr==0.8.0
pbr==5.4.5 netifaces==0.11.0
pip==18.0 oauthlib==3.1.0
positional==1.2.1 os-service-types==1.7.0
prettytable==0.7.2 oslo.cache==3.3.1
oslo.concurrency==5.1.1
oslo.config==8.7.1
oslo.context==5.1.1
oslo.i18n==6.0.0
oslo.log==5.2.0
oslo.messaging==14.2.0
oslo.metrics==0.6.0
oslo.middleware==5.1.1
oslo.policy==3.10.1
oslo.serialization==5.1.1
oslo.service==3.1.1
oslo.utils==6.1.0
oslo.versionedobjects==2.4.0
packaging==23.0
Paste==3.5.0
PasteDeploy==3.0.1
pbr==5.11.1
pip==23.0.1
pluggy==1.0.0
ply==3.11
prometheus-client==0.16.0
psycopg2-binary==2.8.4 psycopg2-binary==2.8.4
PTable==0.9.2 PTable==0.9.2
pycadf==2.8.0 py==1.11.0
pycrypto==2.6.1 pycadf==3.1.1
pyghmi==1.0.18 pycodestyle==2.10.0
pycparser==2.21
pyflakes==3.0.1
pyghmi==1.5.60
Pygments==2.14.0
pylibyaml==0.1.0 pylibyaml==0.1.0
pymongo==3.6.1 pymongo==3.10.1
pyparsing==2.2.1 pyparsing==3.0.9
python-dateutil==2.8.1 pyrsistent==0.19.3
python-editor==1.0.3 pytest==6.2.5
python-keystoneclient==3.22.0 pytest-cov==4.0.0
python-mimeparse==1.6.0 pytest-mock==3.10.0
pytz==2018.5 python-dateutil==2.8.2
PyYAML==5.3.1 python-editor==1.0.4
redfish==2.0.1 python-keystoneclient==5.1.0
pytz==2023.3
PyYAML==5.4.1
redfish==3.1.9
repoze.lru==0.7 repoze.lru==0.7
requests==2.22.0 requests==2.23.0
rfc3986==1.2.0 requests-toolbelt==0.10.1
Routes==2.4.1 requests-unixsocket==0.3.0
setuptools==40.4.3 responses==0.23.1
six==1.15.0 rfc3986==2.0.0
rich==13.3.3
Routes==2.5.1
setuptools==56.0.0
six==1.16.0
smmap==5.0.0
snowballstemmer==2.2.0
Sphinx==5.3.0
sphinxcontrib-applehelp==1.0.4
sphinxcontrib-devhelp==1.0.2
sphinxcontrib-htmlhelp==2.0.1
sphinxcontrib-jsmath==1.0.1
sphinxcontrib-qthelp==1.0.3
sphinxcontrib-serializinghtml==1.1.5
SQLAlchemy==1.2.8 SQLAlchemy==1.2.8
statsd==3.3.0 statsd==4.0.1
stevedore==1.29.0 stevedore==5.0.0
tenacity==5.0.2 toml==0.10.2
tomli==2.0.1
types-PyYAML==6.0.12.9
ulid2==0.1.1 ulid2==0.1.1
urllib3==1.25.9 urllib3==1.25.11
uWSGI==2.0.15 uWSGI==2.0.21
vine==1.1.4 vine==5.0.0
WebOb==1.8.2 WebOb==1.8.7
wheel==0.31.1 wheel==0.38.4
wrapt==1.10.11 wrapt==1.15.0
yapf==0.32.0
yappi==1.4.0


@ -1,13 +1,19 @@
pytest-mock==3.1.0 # tests
pytest click==6.7
falcon==3.1.1
jsonschema==3.2.0
mock==5.0.1
pylibyaml==0.1.0
pymongo==3.10.1
pytest==6.2.5
pytest-cov pytest-cov
responses pytest-mock
mock responses==0.23.1
tox setuptools==56.0.0
oslo.versionedobjects[fixtures]>=1.23.0 ulid2==0.1.1
oslo.config[fixtures]
# tools
yapf yapf
flake8 flake8
bandit>=1.1.0 bandit>=1.1.0
sphinx>=1.6.2 sphinx>=1.6.2
sphinx_rtd_theme==0.2.4

1625
python/requirements-tree.txt Normal file

File diff suppressed because it is too large Load Diff


@ -14,11 +14,11 @@ then
sudo docker stop 'psql_integration' sudo docker stop 'psql_integration'
fi fi
sudo docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:9.5 sudo docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:14.6
sleep 15 sleep 15
docker run --rm --net host postgres:9.5 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres docker run --rm --net host postgres:14.6 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
docker run --rm --net host postgres:9.5 psql -h localhost -c "create database drydock;" postgres postgres docker run --rm --net host postgres:14.6 psql -h localhost -c "create database drydock;" postgres postgres
export DRYDOCK_DB_URL="postgresql+psycopg2://drydock:drydock@localhost:5432/drydock" export DRYDOCK_DB_URL="postgresql+psycopg2://drydock:drydock@localhost:5432/drydock"
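Review bot: The new `docker run ... postgres:14.6` line starts the server with neither `POSTGRES_PASSWORD` nor `POSTGRES_HOST_AUTH_METHOD`, and current official postgres images refuse to initialise the database in that case, so after the move from 9.5 the `psql` calls that follow would likely have nothing to connect to. The other database helper changed in this commit passes `-e POSTGRES_HOST_AUTH_METHOD=trust`; if the same is done here, publish the port on loopback only, e.g. `sudo docker run --rm -d -p 127.0.0.1:5432:5432 --name 'psql_integration' -e POSTGRES_HOST_AUTH_METHOD=trust postgres:14.6`. The enclosing `if` block starts outside the hunk.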


@ -1,5 +0,0 @@
# These are host packages needed for Drydock
# that don't come on a minimal Ubuntu install
python-tox
docker.io|docker-ce
plantuml


@ -1,12 +0,0 @@
# These are host packages needed for Drydock
# that don't come on a minimal Ubuntu install
libvirt-dev
pkg-config
python3-dev
gcc
netbase
libssl-dev
python3-pip
python3-setuptools
ssh
curl

View File

@ -7,12 +7,7 @@ if $(uname -a | grep -q Ubuntu); then
GOPATH=$1 GOPATH=$1
BUILD_DIR=$2 BUILD_DIR=$2
if [[ ! -f ./baclient_built ]]; then if [[ ! -f ./baclient_built ]]; then
apt-get update GO111MODULE=off GOPATH=${GOPATH} go build -v -o ${BUILD_DIR}/baclient baclient
DEBIAN_FRONTEND=noninteractive apt-get \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confold" \
install -y --no-install-recommends golang-go
GOPATH=${GOPATH} go build -o ${BUILD_DIR}/baclient baclient
else else
echo "Baclient library is already built. No action." echo "Baclient library is already built. No action."
fi fi
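Review bot: `${GOPATH}` and `${BUILD_DIR}` are taken straight from `$1` and `$2` and expanded unquoted in the new build line, so a path containing spaces or glob characters splits the command; `GO111MODULE=off GOPATH="${GOPATH}" go build -v -o "${BUILD_DIR}/baclient" baclient` avoids that. `GO111MODULE=off` also means the `go/src/baclient/go.mod` added in this same commit is ignored by this build, so a one-line comment saying why GOPATH mode is kept would help the next maintainer. The enclosing `if` blocks start outside the hunk.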


@ -3,7 +3,7 @@ set -x
UBUNTU_BASE_IMAGE=${UBUNTU_BASE_IMAGE:-""} UBUNTU_BASE_IMAGE=${UBUNTU_BASE_IMAGE:-""}
UBUNTU_REPO=${UBUNTU_REPO:-""} UBUNTU_REPO=${UBUNTU_REPO:-""}
DISTRO=${DISTRO:-"ubuntu_bionic"} DISTRO=${DISTRO:-"ubuntu_focal"}
TRUSTED_UBUNTU_REPO=${TRUSTED_UBUNTU_REPO:-"no"} TRUSTED_UBUNTU_REPO=${TRUSTED_UBUNTU_REPO:-"no"}
ALLOW_UNATHENTICATED=${ALLOW_UNAUTHENTICATED:-"false"} ALLOW_UNATHENTICATED=${ALLOW_UNAUTHENTICATED:-"false"}
PIP_INDEX_URL=${PIP_INDEX_URL:-""} PIP_INDEX_URL=${PIP_INDEX_URL:-""}


@ -9,11 +9,11 @@ function start_db {
sudo docker stop 'psql_integration' sudo docker stop 'psql_integration'
fi fi
docker run --rm -dp 5432:5432 --name 'psql_integration' postgres:9.5 docker run --rm -dp 5432:5432 --name 'psql_integration' -e POSTGRES_HOST_AUTH_METHOD=trust postgres:14.6
sleep 15 sleep 15
docker run --rm --net host postgres:9.5 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres docker run --rm --net host postgres:14.6 psql -h localhost -c "create user drydock with password 'drydock';" postgres postgres
docker run --rm --net host postgres:9.5 psql -h localhost -c "create database drydock;" postgres postgres docker run --rm --net host postgres:14.6 psql -h localhost -c "create database drydock;" postgres postgres
} }
function customize_conf { function customize_conf {
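Review bot: `-e POSTGRES_HOST_AUTH_METHOD=trust` combined with `-dp 5432:5432` publishes a passwordless superuser database on, by default, every host interface for as long as the test container runs. Binding the published port to loopback keeps it reachable only from the node itself: `docker run --rm -d -p 127.0.0.1:5432:5432 --name 'psql_integration' -e POSTGRES_HOST_AUTH_METHOD=trust postgres:14.6`. The `psql -h localhost` calls that follow run with `--net host`, so they should still connect. `start_db` begins above the hunk.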


@ -13,6 +13,15 @@
# limitations under the License. # limitations under the License.
- hosts: primary - hosts: primary
roles:
- bindep
- ensure-docker
- ensure-python
- ensure-pip
tasks: tasks:
- name: Execute the make target to package Helm charts. - name: Execute the make target to package Helm charts.
make: make:


@ -13,6 +13,14 @@
# limitations under the License. # limitations under the License.
- hosts: primary - hosts: primary
roles:
- bindep
- ensure-docker
- ensure-python
- ensure-pip
tasks: tasks:
- name: Debug tag generation inputs - name: Debug tag generation inputs
block: block:
@ -40,18 +48,11 @@
debug: debug:
var: image_tags var: image_tags
- name: Install Docker (Debian) - name: Install Docker python module for ansible docker login
block: block:
- apt:
name: "{{ item }}"
with_items:
- docker.io
- python3-pip
- python3-setuptools
when: ansible_os_family == 'Debian'
- pip: - pip:
name: docker name: docker
version: 2.7.0 version: 4.4.4
executable: pip3 executable: pip3
become: True become: True


@ -14,6 +14,16 @@
# to minimize Zuul node consumption # to minimize Zuul node consumption
- hosts: primary - hosts: primary
roles:
- bindep
- ensure-docker
- ensure-python
- ensure-pip
tasks: tasks:
- name: Execute the make target for PEP8 linting - name: Execute the make target for PEP8 linting
make: make:
@ -41,12 +51,6 @@
target: test_baclient target: test_baclient
become: true become: true
register: result register: result
- name: Execute the make target for building and running the Drydock Docker image
make:
chdir: "{{ zuul.project.src_dir }}"
target: run_drydock
register: result
become: true
- name: Setup Apparmor - name: Setup Apparmor
shell: | shell: |
set -xe; set -xe;
@ -54,3 +58,9 @@
args: args:
chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}" chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
executable: /bin/bash executable: /bin/bash
- name: Execute the make target for building and running the Drydock Docker image
make:
chdir: "{{ zuul.project.src_dir }}"
target: run_drydock
register: result
become: true


@ -17,7 +17,7 @@
set -x set -x
HELM=$1 HELM=$1
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v2.17.0-linux-amd64.tar.gz"} HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.6.3-linux-amd64.tar.gz"}
function install_helm_binary { function install_helm_binary {


@ -12,65 +12,20 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
#
# Script to setup helm-toolkit and helm dep up the shipyard chart
# set -eux
HELM=$1
HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"} HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm-infra.git"}
HTK_PATH=${HTK_PATH:-""}
HTK_STABLE_COMMIT=${HTK_COMMIT:-"f4972121bcb41c8d74748917804d2b239ab757f9"} HTK_STABLE_COMMIT=${HTK_COMMIT:-"f4972121bcb41c8d74748917804d2b239ab757f9"}
DEP_UP_LIST=${DEP_UP_LIST:-"drydock"}
BUILD_DIR=${BUILD_DIR:-$(mktemp -d)}
if [[ ! -z $(echo $http_proxy) ]] TMP_DIR=$(mktemp -d)
then
export no_proxy=$no_proxy,127.0.0.1
fi
set -x {
HTK_REPO_DIR=$TMP_DIR/htk
# Use ./helm as we expect this to be run in a already git clone "$HTK_REPO" "$HTK_REPO_DIR"
# configured build directory (cd "$HTK_REPO_DIR" && git reset --hard "${HTK_STABLE_COMMIT}")
cp -r "${HTK_REPO_DIR}/helm-toolkit" charts/deps/
function helm_serve {
if [[ -d "$HOME/.helm" ]]; then
echo ".helm directory found"
else
${HELM} init --client-only --skip-refresh
fi
if [[ -z $(curl --noproxy '*' -s 127.0.0.1:8879 | grep 'Helm Repository') ]]; then
"${HELM}" serve & > /dev/null
while [[ -z $(curl --noproxy '*' -s 127.0.0.1:8879 | grep 'Helm Repository') ]]; do
sleep 1
echo "Waiting for Helm Repository"
done
else
echo "Helm serve already running"
fi
if "${HELM}" repo list | grep -q "^stable" ; then
"${HELM}" repo remove stable
fi
${HELM} repo add local http://localhost:8879/charts
} }
mkdir -p "$BUILD_DIR" rm -rf "${TMP_DIR}"
pushd "$BUILD_DIR"
git clone $HTK_REPO || true
pushd openstack-helm-infra/$HTK_PATH
git reset --hard "${HTK_STABLE_COMMIT}"
helm_serve
# OSH Makefile is bugged, so ensure helm is in the path
if [[ ${HELM} != "helm" ]]
then
export PATH=${PATH}:$(dirname ${HELM})
fi
make helm-toolkit
popd && popd
for c in $DEP_UP_LIST
do
${HELM} dep up charts/$c
done
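Review bot: With `# set -eux` left commented out, nothing stops the script when `git reset --hard "${HTK_STABLE_COMMIT}"` fails, and the next line then copies `helm-toolkit` from whatever the clone checked out by default, so the commit pin can be bypassed silently. Enabling `set -eu` at the top closes that gap, and registering the cleanup as `trap 'rm -rf "${TMP_DIR}"' EXIT` right after `mktemp -d` removes the temporary clone on failure as well. `cp -r "${HTK_REPO_DIR}/helm-toolkit" charts/deps/` also assumes the script runs from the repository root and that `charts/deps/` already exists; a short comment stating that would help.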

22
tox.ini

@ -1,32 +1,32 @@
[tox] [tox]
envlist = py36,pep8,bandit envlist = py38,pep8,bandit
setupdir=python/ setupdir=python/
[testenv] [testenv]
setenv = YAMLDIR = {toxinidir}/python/tests/yaml_samples/ setenv = YAMLDIR = {toxinidir}/python/tests/yaml_samples/
passenv = http_proxy,HTTP_PROXY,https_proxy,HTTPS_PROXY,no_proxy,NO_PROXY passenv = http_proxy,HTTP_PROXY,https_proxy,HTTPS_PROXY,no_proxy,NO_PROXY
deps= deps=
-r{toxinidir}/python/requirements-lock.txt -r{toxinidir}/python/requirements-lock.txt
-r{toxinidir}/python/requirements-test.txt
[testenv:venv] [testenv:venv]
basepython=python3
commands = {posargs} commands = {posargs}
[testenv:freeze] [testenv:freeze]
basepython=python3
recreate = True recreate = True
allowlist_externals= allowlist_externals=
rm rm
sh sh
pipdeptree
deps= deps=
-rpython/requirements-direct.txt -rpython/requirements-direct.txt
-rpython/requirements-test.txt
commands= commands=
rm python/requirements-lock.txt rm -f python/requirements-lock.txt
sh -c "pip freeze --all | grep -vE 'drydock-provisioner|pyinotify|pkg-resources==0.0.0' > python/requirements-lock.txt" sh -c "pip freeze --all | grep -vE 'drydock-provisioner|pyinotify|pkg-resources==0.0.0' > python/requirements-lock.txt"
sh -c "pipdeptree > python/requirements-tree.txt"
[testenv:yapf] [testenv:yapf]
basepython=python3
allowlist_externals=find allowlist_externals=find
commands= commands=
yapf -i -r --style=pep8 {toxinidir}/python/setup.py yapf -i -r --style=pep8 {toxinidir}/python/setup.py
@ -35,7 +35,7 @@ commands=
yapf -i -r --style=pep8 {toxinidir}/python/tests yapf -i -r --style=pep8 {toxinidir}/python/tests
find {toxinidir}/python/drydock_provisioner -name '__init__.py' -exec yapf -i --style=pep8 \{\} ; find {toxinidir}/python/drydock_provisioner -name '__init__.py' -exec yapf -i --style=pep8 \{\} ;
[testenv:py36] [testenv:py38]
usedevelop=True usedevelop=True
setenv= setenv=
PYTHONWARNING=all PYTHONWARNING=all
@ -46,7 +46,6 @@ commands=
{toxinidir}/python/tests/unit/{posargs} {toxinidir}/python/tests/unit/{posargs}
[testenv:integration] [testenv:integration]
basepython=python3
passenv=DOCKER_REGISTRY,IMAGE_NAME,IMAGE_PREFIX,IMAGE_TAG passenv=DOCKER_REGISTRY,IMAGE_NAME,IMAGE_PREFIX,IMAGE_TAG
setenv= setenv=
PYTHONWARNING=all PYTHONWARNING=all
@ -57,7 +56,6 @@ commands=
{toxinidir}/python/tests/integration/postgres/{posargs} {toxinidir}/python/tests/integration/postgres/{posargs}
[testenv:cover] [testenv:cover]
basepython=python3
usedevelop=True usedevelop=True
passenv=DOCKER_REGISTRY,IMAGE_NAME,IMAGE_PREFIX,IMAGE_TAG passenv=DOCKER_REGISTRY,IMAGE_NAME,IMAGE_PREFIX,IMAGE_TAG
setenv= setenv=
@ -68,24 +66,20 @@ commands=
{toxinidir}/python/tests/unit/ {toxinidir}/python/tests/integration/postgres {toxinidir}/python/tests/unit/ {toxinidir}/python/tests/integration/postgres
[testenv:genconfig] [testenv:genconfig]
basepython=python3
allowlist_externals=tee allowlist_externals=tee
sh sh
commands = sh -c 'oslo-config-generator --config-file=etc/drydock/drydock-config-generator.conf | tee etc/drydock/drydock.conf.sample doc/source/_static/drydock.conf.sample' commands = sh -c 'oslo-config-generator --config-file=etc/drydock/drydock-config-generator.conf | tee etc/drydock/drydock.conf.sample doc/source/_static/drydock.conf.sample'
[testenv:genpolicy] [testenv:genpolicy]
basepython=python3
allowlist_externals=tee allowlist_externals=tee
sh sh
commands = sh -c 'oslopolicy-sample-generator --config-file etc/drydock/drydock-policy-generator.conf | tee etc/drydock/policy.yaml.sample doc/source/_static/policy.yaml.sample' commands = sh -c 'oslopolicy-sample-generator --config-file etc/drydock/drydock-policy-generator.conf | tee etc/drydock/policy.yaml.sample doc/source/_static/policy.yaml.sample'
[testenv:pep8] [testenv:pep8]
basepython=python3
commands = flake8 \ commands = flake8 \
{posargs} {posargs}
[testenv:bandit] [testenv:bandit]
basepython=python3
commands = bandit -r drydock_provisioner -n 5 commands = bandit -r drydock_provisioner -n 5
[flake8] [flake8]
@ -94,9 +88,9 @@ exclude= venv,.venv,.git,.idea,.tox,*.egg-info,*.eggs,bin,dist,./build/,alembic/
max-line-length=119 max-line-length=119
[testenv:docs] [testenv:docs]
basepython=python3
deps= deps=
-rdoc/requirements-doc.txt -rdoc/requirements-doc.txt
-epython
allowlist_externals=rm allowlist_externals=rm
recreate=true recreate=true
commands = commands =