Commit graph

242 commits

Author SHA1 Message Date
Rich Megginson
9e6e150a6e fix: add support for EL10
According to the Ansible team, support for listing platforms in
role `meta/main.yml` files is being removed.
Instead, they recommend using `galaxy_tags`.

https://github.com/ansible/ansible/blob/stable-2.17/changelogs/CHANGELOG-v2.17.rst
"Remove the galaxy_info field platforms from the role templates"
https://github.com/ansible/ansible/issues/82453

Many roles already have tags such as "rhel", "redhat", "centos", and "fedora".
I propose that we ensure all of the system roles have these tags.
Some of our roles support Suse, Debian, Ubuntu, and others.
We should add tags for those e.g. the ssh role already has tags for "debian" and "ubuntu".

In addition - for each version listed under `platforms.EL` - add a tag like `elN`.

Q: Why not use a delimiter between the platform and the version e.g. `el-10`?

This is not allowed by ansible-lint:

```
meta-no-tags: Tags must contain lowercase letters and digits only., invalid: 'el-10'
meta/main.yml:1
```

So we cannot use uppercase letters either.

Q: Why not use our own meta/main.yml field?

No other fields are allowed by ansible-lint:

```
syntax-check[specific]: 'myfield' is not a valid attribute for a RoleMetadata
```

Q: Why not use some other field?

There are no other applicable or suitable fields.

Q: What happens when we want to support versions like `N.M`?

Use the word "dot" instead of "." e.g. `el10dot3`.
Similarly - use "dash" instead of "-".

We do not need tags such as `fedoraall`.
The `fedora` tag implies that the role works on all supported versions of fedora.
Otherwise, use tags such as `fedora40` if the role only supports specific versions.

Teaming support is dropped in EL10.  Provide an error to users who attempt
to use teaming and suggest that they use bonding instead.  Skip teaming
tests on EL10.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-07-02 09:09:05 -06:00
Rich Megginson
5e384bbe8d test: debug deprecated bond test failures
When the test fails, gather additional information to help
diagnose the failure.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-07-02 09:02:23 -06:00
Rich Megginson
b2fdc87366 fix python black formatting
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-06-04 18:09:20 -06:00
Rich Megginson
ab77dd159e test: improve name text for skipped ostree tests
Improve the name text for skipped ostree tests to explain
why the test is skipped.
Add tests/tasks/ostree_systems_check.yml for use by test
playbooks that may be skipped on ostree systems.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-03-25 17:30:00 -06:00
Wen Liang
44f937d82b tests: Consent to restart network when specifying wireless or team connections
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-03-15 17:33:36 -04:00
Wen Liang
66c3eef7e3 fix: Ask user's consent to restart NM due to wireless or team interfaces
If updates for network packages are available and wireless or team
connections are specified, NetworkManager must be restarted, and the role
requires the user's consent to restart NetworkManager. Otherwise, there
might be property conflicts between the NetworkManager daemon and plugin, or
the NetworkManager plugin might not take effect.

`update_cache` is enabled in the module tasks to check if updates for
network packages are available due to wireless or team interfaces; in
that case, NetworkManager needs the user's explicit consent to be restarted
after the network package updates. `state: latest` is used for
checking the network package updates because we have to guarantee that
NetworkManager and its plugin have the same and most recent version for
configuring the network connection settings in the backend. It is
worthwhile to mention that we have tasks using both the dnf and yum modules
for checking available updates for network packages, because checking
package cache updates is not supported in the Ansible package module; Fedora
and RHEL8+ use the DNF package manager by default, and RHEL7 uses the yum
package manager by default.

This commit will address the situation where users forget to explicitly
specify `network_allow_restart: true` when specifying wireless or team
connections.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-03-15 17:33:36 -04:00
Wen Liang
b90e123708 tests: Team interface is indeed supported on Fedora
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-03-14 17:07:34 -04:00
Rich Megginson
e681c3fea5 test: improve bond test failure debugging
Improve bond test failure debugging
* put test setup into block/always so that cleanup happens for setup failures
* trace shell commands so that we can determine exactly which command failed
* add error reporting so that when certain commands fail, we can determine the error code

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-02-27 13:17:16 -05:00
Wen Liang
c6be8dfde5 test: Purge DNS config at the end of tests_network_state.yml
Without purging the DNS testing config at the end of
`tests_network_state.yml`, the managed hosts cannot properly resolve
certain hosts (e.g. mirrors.fedoraproject.org, mirrors.centos.org)
in the package installation task of other tests.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-02-14 20:20:49 -07:00
Wen Liang
b4f51e2691 test: Add DNS, routes and network connectivity checks during cleanup
In order to guarantee each test is cleaned up properly in the end, it
is important to add a post-test check to each test checking that:

- Routes and DNS are restored.
- Network connectivity to certain hosts is preserved.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-02-14 20:20:49 -07:00
Wen Liang
ae9f212086 test: Retry until success when installing package
Sometimes the rpm download returns a 403, which is likely caused by
too many parallel jobs attempting the download from the same controller in
too short a period of time, so the epel server throttles additional
downloads - use a retry here to mitigate.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-02-14 20:20:49 -07:00
Wen Liang
910ddd20a9 test: Rewrite tests_bond_options.yml in the new testing format
The new testing format is more concise and easier to debug when a test
failure happens.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-02-14 20:20:49 -07:00
Wen Liang
9b76608757 test: Clean up mock wifi at the end of each wireless test
Baseos CI runs different wireless tests in a sequence; the mock wifi
needs to be cleaned up properly at the end of each wireless test,
otherwise it will cause a failure during the setup of mock wifi
for the next wireless test.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-01-29 14:44:04 -07:00
Wen Liang
b7492a27ba feat: Support blackhole, prohibit and unreachable route types
It is useful and common practice to configure the routes with blackhole,
prohibit, and unreachable route types when users have BGP routing
setups.

Notice that this feature is only for nm provider using
`network_connections` variable. Configuring blackhole, prohibit, and
unreachable route types is also supported by using `network_state` since
nmstate version 2.2.20 (the setting name is `route-type`).

Resolves: https://issues.redhat.com/browse/RHEL-19579

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2024-01-12 14:14:50 -07:00
Rich Megginson
e4d499763c ci: Use supported ansible-lint action; run ansible-lint against the collection
The old ansible-community ansible-lint is deprecated.  There is a
new ansible-lint github action.  The new ansible-lint has several checks
related to ansible-test and the ignore files.  Many of our ignore settings
are not allowed any more and are required to be fixed or addressed in the
Ansible preferred way.

The python imports have to be wrapped in a try/except ImportError, and
where possible, an error must be returned from the module explaining
what was not able to be imported.

The module documentation must comply with the Ansible standards.  One
aspect of this is the `version_added` must be a valid ansible-core
version in X.Y.Z format.  Note that this version isn't really used
anywhere, so it doesn't matter for users of the role, it is purely
an `ansible-test` and import gating issue.

The result of this is that the .sanity files can be reduced to the
bare minimum which will greatly reduce the maintenance burden of
those files, make it easier to support newer versions of Ansible,
and make it easier to import the system roles collection into Galaxy
and Automation Hub.

The latest Ansible repo gating tests run ansible-lint against
the collection format instead of against individual roles.
We have to convert the role to collection format before running
ansible-test.

Role developers can run this locally using
`tox -e collection,ansible-lint-collection`
See https://github.com/linux-system-roles/tox-lsr/pull/125

Add `---` doc start to .markdownlint.yaml

The file `examples/down_profile+delete_interface.yml`
was not used and was causing ansible-lint errors.

ansible-lint enforces the order of keywords in plays - `name`,
then `hosts`, then `vars`, then `tasks`.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-01-05 17:36:07 -07:00
Wen Liang
bbdc7f77c4 test: Fix wifi test failures
CentOS Stream build process has been moved to
https://kojihub.stream.centos.org.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-12-23 13:51:06 -07:00
Wen Liang
55e953099a tests: Fix installing kernel module in Fedora
`uname -m` will show the machine hardware name.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-12-23 13:49:48 -07:00
Wen Liang
eab5cccfcc test: Skip running tests where initscripts is not supported
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-12-21 08:24:55 -07:00
Rich Megginson
428273cf2a refactor: get_ostree_data.sh use env shebang - remove from .sanity*
Use the `#!/usr/bin/env bash` shebang which is ansible-test friendly.
This means we can remove get_ostree_data.sh from the .sanity* files.
This also means we can remove the .sanity* files if we do not need
them otherwise.  Fix other shell scripts to use the friendly shebang
and remove from the .sanity* files.

Rename `pth` to `path` in honor of nscott

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-12-07 07:25:47 -07:00
Wen Liang
ed93bed847 refactor: Use meaningful variable
Some variables used in the module code are not meaningful at all, which
might be hard to read and understand. Therefore, replace them with
meaningful variables.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-12-01 13:39:57 -07:00
Wen Liang
7c4f11f1d9 tests: Fix tests_network_state_nm.yml CI failure
Since the merge of nmstate commit 'nm dns: Support appending static DNS
before dynamic DNS' (https://github.com/nmstate/nmstate/pull/2438),
nmstate treats an interface with `auto-dns: true` as valid to store DNS
and tries to use NetworkManager global DNS as much as possible. However,
in NM, `dns=systemd-resolved` does not support global DNS configuration,
because systemd-resolved only supports per-interface DNS servers (via
the D-Bus API). Therefore, write and validate the DNS configuration in
/run/NetworkManager/no-stub-resolv.conf, which contains the original
DNS settings pushed to the DNS plugin.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-11-29 16:29:50 -07:00
Rich Megginson
0c590cdf5a refactor: improve support for ostree systems
The dependency on `ansible.utils.update_fact` is causing an issue with
some users who now must install that collection in order to run
the role, even if they do not care about ostree.

The fix is to stop trying to set `ansible_facts.pkg_mgr`, and instead
force the use of the ostree package manager with the `package:` module
`use:` option.  The strategy is - on ostree systems, set the flag
`__$ROLENAME_is_ostree` if the system is an ostree system.  The flag
will either be undefined or `false` on non-ostree systems.
Then, change every invocation of the `package:` module like this:

```yaml
- name: Ensure required packages are present
  package:
    name: "{{ __$ROLENAME_packages }}"
    state: present
    use: "{{ (__$ROLENAME_is_ostree | d(false)) |
      ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
```

This should ensure that the `use:` parameter is not used if the system
is non-ostree.  The goal is to make the ostree support as unobtrusive
as possible for non-ostree systems.
The user can also set `__$ROLENAME_is_ostree: true` in the inventory or play
if the user knows that ostree is being used and wants to skip the check.
Or, the user is concerned about the performance hit for ostree detection
on non-ostree systems, and sets `__$ROLENAME_is_ostree: false` to skip
the check.
The flag `__$ROLENAME_is_ostree` can also be used in the role or tests to
include or exclude tasks from being run on ostree systems.

This fix also improves error reporting in the `get_ostree_data.sh` script
when included roles cannot be found.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-11-29 07:05:00 -07:00
Wen Liang
c7a31e7079 fix: Allow address 0.0.0.0/0 or ::/0 for 'from'/'to' in routing rule validation
`from 0.0.0.0/0` means from all IPv4 addresses, `from ::/0` means from
all IPv6 addresses. In NM, if `from` property is not specified in a
routing rule, NM still appends `from 0.0.0.0/0` or `from ::/0` to the
rule. NM also allows specifying `to 0.0.0.0/0` or `to ::/0` in a
routing rule, but the connection profiles will only show the `from`
setting for the rule.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-11-13 14:06:53 -07:00
Rich Megginson
9a16583783 feat: support for ostree systems
Feature: Allow running and testing the role with ostree managed nodes.

Reason: We have users who want to use the role to manage ostree
systems.

Result: Users can use the role to manage ostree managed nodes.

NOTE: The .ostree/packages-*.txt are generated by running the
script https://github.com/linux-system-roles/auto-maintenance/blob/main/check-logs-for-packages.sh
which is used with an integration test CI run with the
https://github.com/linux-system-roles/auto-maintenance/blob/main/callback_plugins/dump_packages.py
plugin.  An example of such a CI run is
https://github.com/linux-system-roles/network/pull/647

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-10-30 12:02:20 -06:00
Wen Liang
ca2180e659 test: Remove bond tests tag expfail
Since the root cause of the bond tests failure is already found and
fixed (by the commit 'fix: Add dhcp client package dependency for
initscripts provider'), remove the bond tests tag `expfail`
and enable the bond tests in the downstream testing.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-10-05 15:11:02 -06:00
Wen Liang
17922ca6f3 fix: Install yum-utils package
`yum-config-manager` is provided by the yum-utils package, thus, install
the package as the dependency before using `yum-config-manager`.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-10-05 15:11:02 -06:00
Wen Liang
94254894de test(infiniband): Negate the error message in assertion
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-09-25 14:40:16 -06:00
Wen Liang
b97c9bd01e test: Use variable to hold infiniband interface name
To avoid hard coded interface name used all over the place in
`tests_infiniband.yml`, specify a variable to hold the infiniband
interface name instead.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-09-25 14:40:16 -06:00
Wen Liang
835872e681 feat: Support "no-aaaa" DNS option
reason: The administrator wants to suppress the AAAA queries made by
the stub resolver, including AAAA lookups triggered by NSS-based
interfaces such as getaddrinfo. Only the DNS lookups are affected.

result: The administrator is able to suppress AAAA queries made by the
stub resolver.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-06-29 13:10:20 +02:00
Wen Liang
ffe01a5f8b feat: Support ipv4_ignore_auto_dns and ipv6_ignore_auto_dns settings
reason: The user wants to ignore automatically configured name servers and
search domains (e.g. dns record from DHCP), and only use the name
servers and search domains specified in the `dns` and `dns_search`
properties.

result: The user is able to ignore automatically configured name servers
and search domains.

Notice that there are two settings here distinguished by the address
families, which aims to be compatible with NetworkManager
(`ipv4.ignore-auto-dns` and `ipv6.ignore-auto-dns`) and Nmstate (setting
`auto-dns` on `ipv4` or `ipv6` section). Also, the users can get auto
DNS from DHCPv4, DHCPv6, modem, etc., and they may want to ignore auto
DNS on IPv4 but not on IPv6; in this case, it is better to have two
settings distinguished by the address families.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-05-29 12:56:41 +02:00
Rich Megginson
c144794faa style: ansible-lint - remove line-length files from .yamllint.yml
Rather than having to maintain .yamllint.yml with a list of files
exempt from yamllint line-length checking, either fix the code
to abide by the line length restriction, or put the yamllint
exceptions in-line in the code.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-04-28 09:41:30 -06:00
Rich Megginson
211412d035 style: ansible-lint - fix missing YAML document start
ansible-lint requires that YAML documents begin with a line
consisting of `---`

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-04-28 09:15:50 -06:00
Rich Megginson
c0a626ddbb style: Use standard Ansible braces and brackets spacing
Use standard Ansible spacing for braces and brackets.  This
allows us to remove those rule exceptions from .yamllint.yml

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-04-28 09:13:55 -06:00
Wen Liang
b02e58db76 Fix the failure of running ANSIBLE_GATHERING=explicit on tests_switch_provider.yml
The test `tests_switch_provider.yml` fails to run with
`ANSIBLE_GATHERING=explicit` with the error described below. Therefore,
include the task 'el_repo_setup.yml' before running the test which
supports gathering the minimum subset of facts required.

```
TASK [set fact to use initscripts network_provider]
task path: /tmp/tmp.Q6nP8W4iPS/rhel_system_roles/tests/network/playbooks/tests_switch_provider.yml:8
fatal: [/tmp/tmp.Q6nP8W4iPS/RHEL_8_8_TESTING.qcow2]: FAILED! => {}
MSG:
The conditional check 'ansible_distribution in ['CentOS', 'RedHat'] and
ansible_distribution_major_version in ['7', '8']' failed. The error
was: error while evaluating conditional (ansible_distribution in
['CentOS', 'RedHat'] and ansible_distribution_major_version in
['7', '8']): 'ansible_distribution' is undefined.
```

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-04-27 15:14:49 -06:00
Wen Liang
5ff1189409 ansible-lint: Fix name[missing] and name[play] failures
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-04-10 17:49:07 +02:00
Wen Liang
aa3b6bd8dc ansible-lint: Fix remaining name[casing] warnings
More name[casing] warnings are discovered by ansible-lint;
this may be due to the upgrade of ansible-lint.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-04-05 16:52:39 -06:00
Wen Liang
b1d2f305c2 ansible-lint: Fix remaining jinja[spacing] warnings
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-04-05 16:44:41 -06:00
Wen Liang
2de826ee24 ansible-lint: Fix yaml[octal-values] failures
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-04-04 09:52:31 -06:00
Noriko Hosoi
77214cbda4 Fingerprint RHEL System Role managed config files
- Add role name to the generated config files.
  # system_role:network

Signed-off-by: Noriko Hosoi <nhosoi@redhat.com>
2023-03-30 13:38:19 -06:00
Wen Liang
2b693d14c0 ansible-lint: Fix no-changed-when failure
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-29 13:10:38 +02:00
Rich Megginson
7f26cdb8ac in lsr_assert_when use condition instead of when
ansible-lint is confused by the use of `when:` with `lsr_assert_when`.
It thinks the `when` string should be evaluated as a Jinja expression
but it is really just a plain string.  To make this more friendly to
ansible-lint, use `condition:` instead of `when:` with
`lsr_assert_when`.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-03-28 18:26:33 -06:00
Wen Liang
8eed9ae4a9 ansible-lint: Fix ignore-errors failures
In some test playbooks, the `ignore_errors: true` cannot be replaced
by `changed_when: false`, because `changed_when` is not a valid
attribute for an IncludeRole.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-28 18:41:23 +02:00
Wen Liang
8a3dd3c438 ansible-lint: Fix command-instead-of-module failures
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-28 18:40:13 +02:00
Wen Liang
8174d5320d ansible-lint: Fix jinja[spacing] warnings
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-27 16:25:03 +02:00
Wen Liang
cd72556282 ansible-lint: Fix name[casing] warnings
Start all task names with an uppercase letter.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-27 16:25:03 +02:00
Wen Liang
a384e5bb00 ansible-lint: Fix key-order[task] failures
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-22 10:21:50 +01:00
Wen Liang
4bac670e65 ansible-lint: Fix name[template] warnings
Jinja templates should only be at the end of 'name'. This helps with
the identification of tasks inside the source code when they fail.

Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-21 17:06:29 +01:00
Wen Liang
e8fef16995 ansible-lint: Fix no-jinja-when, yaml[line-length] and package-latest failures
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-20 14:14:00 +01:00
Wen Liang
2d0d217070 ansible-lint: Fix schema[playbook] failure
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-08 16:55:28 +01:00
Wen Liang
f11e720268 ansible-lint: Fix var-naming warnings
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
2023-03-02 12:08:51 +01:00