From 8d055a0aa9cc460d156f5a4d7276e20ddda255aa Mon Sep 17 00:00:00 2001 From: Sergiy Markin Date: Wed, 5 Jul 2023 20:04:25 +0000 Subject: [PATCH] Deckhand updates This PS makes the following changes: - uses deploy-k8s.sh from treasuremap - makes sure the airskiff-deploy playbook is using 80Gb partition if available - adds available security updates to docker images Change-Id: I0f330cb15ec32b12703f0bc6620b3f3c797a25bb --- .zuul.yaml | 76 +++++++++---------- charts/deckhand/values.yaml | 2 +- images/deckhand/Dockerfile.ubuntu_bionic | 2 +- images/deckhand/Dockerfile.ubuntu_focal | 2 +- tools/gate/playbooks/airskiff-deploy.yaml | 59 ++++++++++++-- tools/gate/playbooks/docker-image-build.yaml | 7 ++ tools/gate/playbooks/git-config.yaml | 2 +- .../run-integration-tests-docker.yaml | 2 + .../tasks/deploy-keystone-dependencies.yaml | 2 +- .../tasks/install-test-requirements.yaml | 7 -- .../tasks/integration-tests.yaml | 10 +++ tools/gate/scripts/020-deploy-postgresql.sh | 2 +- tools/helm_install.sh | 2 +- tools/helm_tk.sh | 2 +- tools/integration-tests.sh | 56 +++++++------- 15 files changed, 149 insertions(+), 84 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 468988e4..e0ed510d 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -60,9 +60,9 @@ jobs: - deckhand-upload-git-mirror - deckhand-docker-publish-ubuntu_focal - - deckhand-docker-tag-ubuntu_focal + # - deckhand-docker-tag-ubuntu_focal - deckhand-docker-publish-ubuntu_bionic - - deckhand-docker-tag-ubuntu_bionic + # - deckhand-docker-tag-ubuntu_bionic - nodeset: @@ -300,7 +300,7 @@ - airship/treasuremap vars: CLONE_DECKHAND: false - OSH_INFRA_COMMIT: 8e96a91ffae745b952c053923aa177e615b49b74 + OSH_INFRA_COMMIT: 443ff3e3e340c94c5cbb214d1e2a8b2a3937541d DECKHAND_IMAGE_DISTRO: ubuntu_focal distro: ubuntu_focal irrelevant-files: 
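Review bot: The two `deckhand-docker-tag-*` pipeline entries are disabled by commenting them out in the `@@ -60,9 +60,9 @@` hunk, and their job definitions are commented out in the later `@@ -409,37 +409,37 @@` hunk, but neither the file nor the commit message says why. The dead blocks still name the `airship_deckhand_quay_creds` secret, and the commented `timeout` was even edited to 3600, so they already read like live configuration. Either delete the definitions or put one line above them, for example `# Disabled: <reason>; re-enable when <condition>`. If the tag job was the only step that attached a commit-id tag to the published image, it is worth confirming that the publish jobs still produce a traceable tag besides `latest`.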
@@ -324,7 +324,7 @@ - airship/treasuremap vars: CLONE_DECKHAND: false - OSH_INFRA_COMMIT: 8e96a91ffae745b952c053923aa177e615b49b74 + OSH_INFRA_COMMIT: 443ff3e3e340c94c5cbb214d1e2a8b2a3937541d DECKHAND_IMAGE_DISTRO: ubuntu_bionic distro: ubuntu_focal irrelevant-files: @@ -335,7 +335,7 @@ - job: name: deckhand-docker-build-gate-ubuntu_focal - timeout: 1800 + timeout: 3600 run: tools/gate/playbooks/docker-image-build.yaml nodeset: deckhand-single-node-focal irrelevant-files: &non-code-files-template @@ -354,7 +354,7 @@ - job: name: deckhand-docker-build-gate-ubuntu_bionic - timeout: 1800 + timeout: 3600 run: tools/gate/playbooks/docker-image-build.yaml nodeset: deckhand-single-node irrelevant-files: *non-code-files-template @@ -371,7 +371,7 @@ Runs on every merge, unless files in a dictionary below are changed. Builds and publishes container ubuntu images on quay.io with a set of tags listed in vars section. Waits in Zuul queue for a node (VM) assignment. - timeout: 1800 + timeout: 3600 run: tools/gate/playbooks/docker-image-build.yaml nodeset: deckhand-single-node-focal secrets: @@ -393,7 +393,7 @@ Runs on every merge, unless files in a dictionary below are changed. Builds and publishes container ubuntu images on quay.io with a set of tags listed in vars section. Waits in Zuul queue for a node (VM) assignment. - timeout: 1800 + timeout: 3600 run: tools/gate/playbooks/docker-image-build.yaml nodeset: deckhand-single-node secrets: 
@@ -409,37 +409,37 @@ static: - latest -- job: - name: deckhand-docker-tag-ubuntu_focal - description: | - Runs on every merge when files in a dictionalry below are changed, and - adds git commit id tag onto the ubuntu container image published on quay.io, - which has `latest` tag set. Does not wait in queue for a node (VM) - assignment, runs almost immediately. - timeout: 1800 - run: tools/gate/playbooks/docker-image-tag.yaml - nodeset: - nodes: [] - secrets: - - airship_deckhand_quay_creds - vars: - distro: ubuntu_focal +# - job: +# name: deckhand-docker-tag-ubuntu_focal +# description: | +# Runs on every merge when files in a dictionalry below are changed, and +# adds git commit id tag onto the ubuntu container image published on quay.io, +# which has `latest` tag set. Does not wait in queue for a node (VM) +# assignment, runs almost immediately. +# timeout: 3600 +# run: tools/gate/playbooks/docker-image-tag.yaml +# nodeset: +# nodes: [] +# secrets: +# - airship_deckhand_quay_creds +# vars: +# distro: ubuntu_focal -- job: - name: deckhand-docker-tag-ubuntu_bionic - description: | - Runs on every merge when files in a dictionalry below are changed, and - adds git commit id tag onto the ubuntu container image published on quay.io, - which has `latest` tag set. Does not wait in queue for a node (VM) - assignment, runs almost immediately. - timeout: 1800 - run: tools/gate/playbooks/docker-image-tag.yaml - nodeset: - nodes: [] - secrets: - - airship_deckhand_quay_creds - vars: - distro: ubuntu_bionic +# - job: +# name: deckhand-docker-tag-ubuntu_bionic +# description: | +# Runs on every merge when files in a dictionalry below are changed, and +# adds git commit id tag onto the ubuntu container image published on quay.io, +# which has `latest` tag set. Does not wait in queue for a node (VM) +# assignment, runs almost immediately. 
+# timeout: 3600 +# run: tools/gate/playbooks/docker-image-tag.yaml +# nodeset: +# nodes: [] +# secrets: +# - airship_deckhand_quay_creds +# vars: +# distro: ubuntu_bionic diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml index 88a406be..8f6115ae 100644 --- a/charts/deckhand/values.yaml +++ b/charts/deckhand/values.yaml @@ -29,7 +29,7 @@ images: tags: deckhand: quay.io/airshipit/deckhand:latestlatest-ubuntu_focal dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 - db_init: docker.io/postgres:14.6 + db_init: docker.io/postgres:14.8 db_sync: quay.io/airshipit/deckhand:latest-ubuntu_focal image_repo_sync: docker.io/docker:23.0.3 ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal diff --git a/images/deckhand/Dockerfile.ubuntu_bionic b/images/deckhand/Dockerfile.ubuntu_bionic index f8950868..9f7aee37 100644 --- a/images/deckhand/Dockerfile.ubuntu_bionic +++ b/images/deckhand/Dockerfile.ubuntu_bionic @@ -30,7 +30,7 @@ ENV PORT 9000 EXPOSE $PORT RUN set -x && \ - apt-get -qq update && \ + apt-get update && apt-get upgrade -y && \ apt-get -y install \ automake \ ca-certificates \ diff --git a/images/deckhand/Dockerfile.ubuntu_focal b/images/deckhand/Dockerfile.ubuntu_focal index 2fd0e54c..65e69302 100644 --- a/images/deckhand/Dockerfile.ubuntu_focal +++ b/images/deckhand/Dockerfile.ubuntu_focal @@ -30,7 +30,7 @@ ENV PORT 9000 EXPOSE $PORT RUN set -x && \ - apt-get -qq update && \ + apt-get update && apt-get upgrade -y && \ apt-get -y install \ automake \ ca-certificates \ diff --git a/tools/gate/playbooks/airskiff-deploy.yaml b/tools/gate/playbooks/airskiff-deploy.yaml index 5abd1384..e9425622 100644 --- a/tools/gate/playbooks/airskiff-deploy.yaml +++ b/tools/gate/playbooks/airskiff-deploy.yaml 
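Review bot: The added `apt-get upgrade -y` in `Dockerfile.ubuntu_bionic` (and the identical line in `Dockerfile.ubuntu_focal`) only brings in fixes that the Ubuntu archive still publishes, and only when this layer is really rebuilt rather than served from the build cache. Ubuntu 18.04 left standard support at the end of May 2023, so the bionic image will receive few or no new fixes through this line. A comment above the `RUN` such as `# bionic is past standard support; upgrade only picks up what the archive still ships` would keep the commit's "security updates" claim honest. The `RUN` continues outside the hunk, so whether the apt lists are cleaned afterwards cannot be judged from here.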
@@ -16,11 +16,19 @@ roles: - clear-firewall - bindep + - ensure-docker - disable-systemd-resolved - install-test-requirements tasks: + - name: Install Packaging python module for airship + block: + - pip: + name: packaging + executable: pip3 + become: True + - name: Clone Required Repositories shell: | export CLONE_DECKHAND={{ CLONE_DECKHAND }} @@ -37,6 +45,17 @@ - name: Deploy Kubernetes with Minikube shell: | + set -ex + sudo fdisk --list + df -h + sudo mkdir -p /opt/ext_vol + BIG_VOLUME=$(sudo fdisk -l 2>&1 | grep -E 80G | grep Linux | awk '{print $1}') + if ! mount | grep "${BIG_VOLUME}" + then + sudo mkfs.ext4 "${BIG_VOLUME}" + sudo mount "${BIG_VOLUME}" /opt/ext_vol + df -h + fi ./tools/deployment/airskiff/developer/010-deploy-k8s.sh args: chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" 
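Review bot: In the `Deploy Kubernetes with Minikube` task, `sudo mkfs.ext4 "${BIG_VOLUME}"` formats whatever `fdisk -l | grep -E 80G | grep Linux` returns, guarded only by `mount | grep "${BIG_VOLUME}"`. With no match the variable is empty and the step is skipped only because `grep ""` matches every mount line; with several matches (a text match on `80G` also hits `180G`) it holds more than one device; and an unmounted partition that already carries data is reformatted. Make the guard explicit, for example `if [ -b "${BIG_VOLUME}" ] && [ -z "$(sudo blkid -o value -s TYPE "${BIG_VOLUME}")" ]; then sudo mkfs.ext4 "${BIG_VOLUME}"; fi`, keep the mount as a separate step, and select the device by exact size with `lsblk -bno NAME,SIZE,TYPE` rather than by substring. The same block is repeated in `tools/gate/roles/run-integration-tests/tasks/integration-tests.yaml` (`@@ -62,6 +62,16 @@`).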
@@ -46,15 +65,33 @@ set -ex export DISTRO={{ DECKHAND_IMAGE_DISTRO }} make images - if test "${DISTRO}" = 'ubuntu_bionic' - then - # this trick is needed to use bionic image instead of focal in airskiff deployment test - docker tag quay.io/airshipit/deckhand:latest-ubuntu_bionic quay.io/airshipit/deckhand:latest-ubuntu_focal - fi + docker system prune --force args: chdir: "{{ zuul.project.src_dir }}" become: yes + - name: Use locally built images in manifests + shell: | + set -ex + export DISTRO={{ DECKHAND_IMAGE_DISTRO }} + docker rm registry --force || true + docker run -d -p 5000:5000 --restart=always --name registry registry:2 + if test "${DISTRO}" = 'ubuntu_bionic' + then + docker tag quay.io/airshipit/deckhand:latest-ubuntu_bionic localhost:5000/deckhand:latest-ubuntu_bionic + docker push localhost:5000/deckhand:latest-ubuntu_bionic + sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_bionic#g" ./site/airskiff/software/config/versions.yaml + sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_bionic#g" ./global/software/config/versions.yaml + else + docker tag quay.io/airshipit/deckhand:latest-ubuntu_focal localhost:5000/deckhand:latest-ubuntu_focal + docker push localhost:5000/deckhand:latest-ubuntu_focal + sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_focal#g" ./site/airskiff/software/config/versions.yaml + sed -i "s#quay.io/airshipit/deckhand:latest-ubuntu_focal#localhost:5000/deckhand:latest-ubuntu_focal#g" ./global/software/config/versions.yaml + fi + args: + chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" + become: yes + - name: Build all charts locally shell: | set -ex 
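Review bot: The registry started in `Use locally built images in manifests` is published with `-p 5000:5000`, that is on every interface of the node, and it accepts unauthenticated pushes; the same play lists the `clear-firewall` role, which by its name relaxes host filtering (the role is not visible here). Anything that can reach port 5000 could replace `deckhand:latest-ubuntu_*` between the `docker push` and the pull by the deployment. Binding to loopback, `docker run -d -p 127.0.0.1:5000:5000 --restart=always --name registry registry:2`, removes that exposure, provided the cluster pulls through `localhost` on the same host as the `localhost:5000/...` references suggest. `registry:2` is also a floating tag; pinning a version or digest keeps the gate reproducible.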
@@ -63,6 +100,18 @@ chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" become: yes + - name: Start artifactory + shell: | + set -ex + # start http server with artifacts + docker rm artifacts --force || true + docker run --name artifacts -p 8282:80 -v $(pwd)/../artifacts:/usr/share/nginx/html -d nginx + sleep 10 + curl --verbose -I http://control-plane.minikube.internal:8282/memcached.tgz + args: + chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" + become: yes + - name: Deploy Airship components using Armada shell: | mkdir -p ~/.kube diff --git a/tools/gate/playbooks/docker-image-build.yaml b/tools/gate/playbooks/docker-image-build.yaml index 0a4847f0..e075c6a4 100644 --- a/tools/gate/playbooks/docker-image-build.yaml +++ b/tools/gate/playbooks/docker-image-build.yaml @@ -54,6 +54,13 @@ executable: pip3 become: True + - name: Install tox python module for ansible docker login + block: + - pip: + name: tox + version: 3.28.0 + executable: pip3 + become: True - name: Make images when: not publish diff --git a/tools/gate/playbooks/git-config.yaml b/tools/gate/playbooks/git-config.yaml index d4a118e5..5c044f70 100644 --- a/tools/gate/playbooks/git-config.yaml +++ b/tools/gate/playbooks/git-config.yaml @@ -16,7 +16,7 @@ tasks: - name: Git config shell: | - set -xe; + set -xe tee .git/config << EOF [remote "origin"] url = https://opendev.org/airship/treasuremap.git diff --git a/tools/gate/playbooks/run-integration-tests-docker.yaml b/tools/gate/playbooks/run-integration-tests-docker.yaml index 8cb7b11d..4a3b0664 100644 --- a/tools/gate/playbooks/run-integration-tests-docker.yaml +++ b/tools/gate/playbooks/run-integration-tests-docker.yaml @@ -16,10 +16,12 @@ vars_files: - vars.yaml roles: + - clear-firewall - bindep - ensure-docker - ensure-python - ensure-pip + - disable-systemd-resolved - install-test-requirements - build-images - deploy-keystone-dependencies 
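Review bot: The readiness check in `Start artifactory` cannot fail the task on a bad response, because `curl --verbose -I` exits 0 on a 404 and the fixed `sleep 10` is only a guess at start-up time. `curl --fail --retry 10 --retry-connrefused -sSI http://control-plane.minikube.internal:8282/memcached.tgz` waits for the server and fails the step when the chart is missing. The container also runs an unpinned `nginx` image and mounts the artifacts directory read-write, although it only serves static files that the deployment then installs. A pinned tag and `-v "$(pwd)/../artifacts:/usr/share/nginx/html:ro"` are enough here.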
diff --git a/tools/gate/roles/deploy-keystone-dependencies/tasks/deploy-keystone-dependencies.yaml b/tools/gate/roles/deploy-keystone-dependencies/tasks/deploy-keystone-dependencies.yaml index 00c57dd1..330ba26e 100644 --- a/tools/gate/roles/deploy-keystone-dependencies/tasks/deploy-keystone-dependencies.yaml +++ b/tools/gate/roles/deploy-keystone-dependencies/tasks/deploy-keystone-dependencies.yaml @@ -82,4 +82,4 @@ set -xe; ./tools/deployment/component/keystone/keystone.sh args: - chdir: "{{ zuul.project.src_dir }}/{{ zuul_osh_relative_path | default('') }}" + chdir: "{{ zuul.project.src_dir }}/{{ zuul_osh_relative_path | default('') }}" \ No newline at end of file diff --git a/tools/gate/roles/install-test-requirements/tasks/install-test-requirements.yaml b/tools/gate/roles/install-test-requirements/tasks/install-test-requirements.yaml index 309ad7ea..bc967f6b 100644 --- a/tools/gate/roles/install-test-requirements/tasks/install-test-requirements.yaml +++ b/tools/gate/roles/install-test-requirements/tasks/install-test-requirements.yaml @@ -12,13 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Set modprobe br_netfilter - shell: | - set -xe; - sudo modprobe br_netfilter - sudo sysctl net.bridge.bridge-nf-call-iptables=1 - sudo sysctl net.bridge.bridge-nf-call-ip6tables=1 - - name: Install pip3 and gabbi shell: | set -xe; diff --git a/tools/gate/roles/run-integration-tests/tasks/integration-tests.yaml b/tools/gate/roles/run-integration-tests/tasks/integration-tests.yaml index 7df8c180..edc7d7ed 100644 --- a/tools/gate/roles/run-integration-tests/tasks/integration-tests.yaml +++ b/tools/gate/roles/run-integration-tests/tasks/integration-tests.yaml 
@@ -62,6 +62,16 @@ else sudo -E -H pip3 install -r requirements-frozen.txt fi + sudo fdisk --list + df -h + sudo mkdir -p /opt/ext_vol + BIG_VOLUME=$(sudo fdisk -l 2>&1 | grep -E 80G | grep Linux | awk '{print $1}') + if ! mount | grep "${BIG_VOLUME}" + then + sudo mkfs.ext4 "${BIG_VOLUME}" + sudo mount "${BIG_VOLUME}" /opt/ext_vol + df -h + fi pifpaf run postgresql -- ./tools/integration-tests.sh args: chdir: "{{ zuul.project.src_dir }}" diff --git a/tools/gate/scripts/020-deploy-postgresql.sh b/tools/gate/scripts/020-deploy-postgresql.sh index a902842a..3afe2ce7 100755 --- a/tools/gate/scripts/020-deploy-postgresql.sh +++ b/tools/gate/scripts/020-deploy-postgresql.sh @@ -23,7 +23,7 @@ POSTGRES_ID=$( -e POSTGRES_DB=deckhand \ -e POSTGRES_USER=deckhand \ -e POSTGRES_PASSWORD=password \ - postgres:14.6 + postgres:14.8 ) POSTGRES_IP=$( diff --git a/tools/helm_install.sh b/tools/helm_install.sh index d2bbb0e4..81eddd2b 100755 --- a/tools/helm_install.sh +++ b/tools/helm_install.sh @@ -17,7 +17,7 @@ set -x HELM=$1 -HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz"} +HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.12.2-linux-amd64.tar.gz"} function install_helm_binary { diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh index 34a0aa9d..56dabed6 100755 --- a/tools/helm_tk.sh +++ b/tools/helm_tk.sh @@ -17,7 +17,7 @@ set -eux HTK_REPO=${HTK_REPO:-"https://opendev.org/openstack/openstack-helm-infra.git"} -HTK_STABLE_COMMIT=${HTK_COMMIT:-"f4972121bcb41c8d74748917804d2b239ab757f9"} +HTK_STABLE_COMMIT=${HTK_COMMIT:-"443ff3e3e340c94c5cbb214d1e2a8b2a3937541d"} TMP_DIR=$(mktemp -d) diff --git a/tools/integration-tests.sh b/tools/integration-tests.sh index 5a0718cc..0910ba9c 100755 --- a/tools/integration-tests.sh +++ b/tools/integration-tests.sh 
@@ -13,8 +13,18 @@ set -xe CURRENT_DIR="$(pwd)" -: ${OSH_INFRA_PATH:="../openstack-helm-infra"} -: ${OSH_PATH:="../openstack-helm"} +: "${OSH_INFRA_PATH:="../openstack-helm-infra"}" +: "${OSH_PATH:="../openstack-helm"}" +: "${TM_PATH:="../treasuremap"}" + +export MAKE_CHARTS_OPENSTACK_HELM="${MAKE_CHARTS_OPENSTACK_HELM:-true}" +export MAKE_CHARTS_OSH_INFRA="${MAKE_CHARTS_OSH_INFRA:-true}" +export MAKE_CHARTS_ARMADA="${MAKE_CHARTS_ARMADA:-false}" +export MAKE_CHARTS_DECKHAND="${MAKE_CHARTS_DECKHAND:-false}" +export MAKE_CHARTS_SHIPYARD="${MAKE_CHARTS_SHIPYARD:-false}" +export MAKE_CHARTS_MAAS="${MAKE_CHARTS_MAAS:-false}" +export MAKE_CHARTS_PORTHOLE="${MAKE_CHARTS_PORTHOLE:-false}" +export MAKE_CHARTS_PROMENADE="${MAKE_CHARTS_PROMENADE:-false}" function deploy_barbican { 
@@ -46,34 +56,28 @@ function deploy_osh_keystone_barbican { git clone https://git.openstack.org/openstack/openstack-helm.git ../openstack-helm fi - cd ${OSH_INFRA_PATH} - # git reset --hard ${BARBICAN_STABLE_COMMIT} + if [ ! -d "$TM_PATH" ]; then + git clone https://git.openstack.org/airship/treasuremap.git ../treasuremap + pushd ../treasuremap + git checkout v1.9 + popd + fi + + cd "${TM_PATH}" # Deploy required packages - ./tools/deployment/common/000-install-packages.sh - ./tools/deployment/common/001-setup-apparmor-profiles.sh - # - cd ${OSH_PATH} - # git reset --hard ${BARBICAN_STABLE_COMMIT} - # Deploy required packages - ./tools/deployment/common/install-packages.sh + ./tools/deployment/airskiff/developer/009-setup-apparmor.sh # # Deploy Kubernetes - sudo modprobe br_netfilter - ./tools/deployment/common/deploy-k8s.sh + ./tools/deployment/airskiff/developer/010-deploy-k8s.sh + # + # Make charts + ./tools/deployment/airskiff/developer/015-make-all-charts.sh + # + # Deploy docker-based openstack client + ./tools/deployment/airskiff/developer/020-setup-client.sh - cd ${CURRENT_DIR} - # remove systemd-resolved local stub dns from resolv.conf - sudo sed -i.bkp '/^nameserver.*127.0.0.1/d - w /dev/stdout' /etc/resolv.conf - # add external nameservers - echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf - echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf - cat /etc/resolv.conf - - cd ${OSH_PATH} - # Setup clients on the host and assemble the charts - ./tools/deployment/common/setup-client.sh + cd "${OSH_PATH}" # Deploy the ingress controller ./tools/deployment/component/common/ingress.sh # Deploy NFS Provisioner 
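Review bot: The new treasuremap checkout is pinned to the tag `v1.9`, while the other external sources touched by this change are pinned by commit hash (`OSH_INFRA_COMMIT`, `HTK_STABLE_COMMIT`), and the scripts run from it (`009-setup-apparmor.sh`, `010-deploy-k8s.sh` and the following ones) configure the host. A tag can be moved upstream, so checking out a full commit id, `git checkout <treasuremap-commit-sha>` (placeholder), keeps what the gate executes fixed. The clone also writes to the literal `../treasuremap` although the guard and the later `cd` use `${TM_PATH}`, so an overridden `TM_PATH` is tested and entered but never populated. `git clone https://git.openstack.org/airship/treasuremap.git "${TM_PATH}"` followed by `git -C "${TM_PATH}" checkout ...` fixes that. `deploy_osh_keystone_barbican` starts and ends outside the hunk.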
@@ -102,7 +106,7 @@ function deploy_deckhand { interfaces=("admin" "public" "internal") deckhand_endpoint="http://127.0.0.1:9000" - if [ -z "$( openstack service list --format value 2>/dev/null | grep deckhand )" ]; then + if [ -z "$( openstack_client openstack service list --format value 2>/dev/null | grep deckhand )" ]; then openstack service create --enable --name deckhand deckhand 2>/dev/null fi
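Review bot: Only the existence check was switched to `openstack_client openstack service list`; the `openstack service create ... 2>/dev/null` on the next line still calls a host `openstack` binary. If the client now exists only as the docker-based wrapper set up by `020-setup-client.sh` (inferred from the other hunk; `openstack_client` is not defined in the visible lines), the create fails under `set -xe` with its error message discarded. Use the same wrapper for the create, `openstack_client openstack service create --enable --name deckhand deckhand`, and drop `2>/dev/null` so a failure shows up in the gate log. `deploy_deckhand` continues outside the hunk.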