Cause: The user is trying to specify the routing table to use by the name of
a built-in routing table defined in /usr/share/iproute2/rt_tables such as `main`.
Consequence: The network role gives an error:
"cannot find route table main in `/etc/iproute2/rt_tables` or `/etc/iproute2/rt_tables.d/`"
The workaround is that the user must specify the table by number instead of name e.g
`table: 254` instead of `table: main`
Fix: Look for table mappings in /usr/share/iproute2/rt_tables as well as the other
paths.
Result: The user can use built-in route table names.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
This is mainly needed on el7 - NetworkManager is installed by default, or
somewhere else, on el8 and later.
Additionally, if the NetworkManager-server-config package is installed, then
the secondary interface will not be active, so ensure it is active.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
https://issues.redhat.com/browse/RHEL-87511
The `system_ca_certs: true` flag in NM tells wpa_supplicant to load the
legacy single‑file CA bundle (historically at /etc/pki/tls/cert.pem).
Under CentOS Stream 9 (and RHEL 8), that path existed (either as a file
or a symlink to the bundle), so the default “system” loading worked.
On CentOS Stream 10 (RHEL 10), Red Hat switched to a hashed directory
trust store and removed `/etc/pki/tls/cert.pem` to optimize OpenSSL
performance as indicated in
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/10.0_beta_release_notes/removed-features
and https://issues.redhat.com/browse/RHEL-50293. wpa_supplicant's
"system_ca_certs" code still tries the old cert.pem path, sees
"No such file or directory" and aborts the TLS setup:
```
OpenSSL: tls_connection_ca_cert - Failed to load root certificates - No such file or directory
EAP‑TLS: Failed to initialize SSL.
```
Hence `system_ca_certs: true` silently fails on Stream 10 because
there is no longer a single‑file CA bundle at that location.
The new ansible-lint does not like variables in play names.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Implement the tests_ethernet FIXMEs for actually validating the `nmcli`
state and generated on-disk profiles. Do the latter separately in
anticipation of future support for offline (bootc build) mode.
This needs some conditionals, as NetworkManager before RHEL 9 uses the
initscripts config backend.
Signed-off-by: Martin Pitt <mpitt@redhat.com>
Simplify the cumbersome assertion.
Drop the ancient Fedora releases from the __NM_capath_ignored_NVRs list.
Signed-off-by: Martin Pitt <mpitt@redhat.com>
The big problem was trying to use `vars` with `import_playbook`.
We do not need to use `import_playbook` when `include_tasks` will
work. Perhaps the original author of these tests thought that
the play `roles` keyword was the only way to invoke roles, so
that had to be "called" using an `import_playbook`?
Use `include_tasks` instead of `import_playbook`, and move some
of those "tasks" playbooks to be tasks files in tests/tasks.
Use `include_role` instead of `import_role`.
Do not set variables using `set_fact` if they have already been
set at the appropriate scope using `vars`.
"Modernize" the code somewhat.
Improve formatting.
Work around an Ansible bug https://github.com/ansible/ansible/issues/85394
Fix ansible-lint and ansible-test issues related newer versions of
those tools.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
In some cases, the interface given in MAC_ADDR_MATCH_INTERFACE can be an
alias or altname. The test cannot use the altname, it must use the "real"
interface name.
For example, on some systems, if `MAC_ADDR_MATCH_INTERFACE=enX1`, the test
will fail because it is an altname for `ens4`:
```
+ ip addr show enX1
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:12:34:57 brd ff:ff:ff:ff:ff:ff
altname enp0s4
altname enx525400123457
altname enX1
```
The test will now parse the output of `ip addr show $name` to get the real interface name.
Also, improve the fallback method to look for common secondary interface names
such as eth1 and ens4 in case MAC_ADDR_MATCH_INTERFACE is not one of these.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
When running tests with a qemu managed node, the dhcp
used by qemu interferes with the dhcp used in the test, which
can cause the test to hang. Exclude the qemu interfaces from
using the test dhcp. Note that this only affects the qemu tests -
testing farm and other tests with "real" machines will have a
different mac address - the mac addresses used below are specific
to qemu virtual devices.
Also, just in case tests still timeout, add a tests/ansible.cfg
with a 240 second task timeout to ensure any hung tasks are killed.
This will cause the playbook to exit with an error.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Some systems do not use the `ethN` interface naming scheme, and
use `ensN` instead. The test wants to use `eth1` as the second
interface. If this does not exist, try `ens4` instead.
Some of our tests now run on an ubuntu control node (localhost)
and use `shell` to execute commands there. Ansible requires
the use of `pipefail`. The default shell on ubuntu is not
bash and does not have `pipefail`.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
The validation was incorrectly checking for routing rule attributes at the top-level
NM module instead of the NM.IPRoutingRule class. This was causing validation failures
because:
libnm's API has two core aspects:
1. NMConnection/NMSetting types for handling connection profiles
2. NMClient as a cache of D-Bus objects
The suppress_prefixlength and uid_range attributes are not part of the top-level NM
module but belong to NM.IPRoutingRule. Updated the validation to properly check for:
- set_suppress_prefixlength instead of NM_IP_ROUTING_RULE_ATTR_SUPPRESS_PREFIXLENGTH
- set_uid_range instead of NM_IP_ROUTING_RULE_ATTR_UID_RANGE_START
This aligns with the correct API usage and fixes the validation errors.
Resolves: https://issues.redhat.com/browse/RHEL-85872
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
When a user provides both an interface name and a MAC address, the
current validation process retrieves sysfs link info separately using
the interface name and the MAC address, then compares the results. If
the information doesn't match, an error is raised.
However, this approach may trigger false alarms because retrieving the
link info by MAC might return the link info that only matches the
current MAC instead of the permanent MAC. Since the interface name is
unique within the kernel, a more robust validation method is to fetch
the MAC address using the interface name and then compare it directly
with the user-provided MAC address.
Resolves: https://issues.redhat.com/browse/RHEL-84362
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
The link_info_find() function previously allowed searching for links by
MAC address, but this introduced ambiguity and could cause false alarms
in certain cases (e.g. retrieving the link info by MAC might return the
link info that only matches the current MAC instead of the permanent
MAC). To ensure reliable behavior, this function should accept and match
the link info only by interface name.
To address the issues, the following changes were made:
- Removed MAC address matching logic to eliminate ambiguity.
- Simplified the function to only check ifname, making it more
predictable.
- Updated all callers to adapt to this change, ensuring correctness.
- When a profile is tied to an interface via mac only, the validation of
the existence of interface will now be delegated to NetworkManager
instead.
Resolves: https://issues.redhat.com/browse/RHEL-84197
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
The tests should not install anything from outside of the distribution
unless absolutely necessary, like the copr repos.
All of the EPEL dependencies have been removed or replaced
with coprs.
We do not need to install pytest from pip since it is available
as `pytest-3` from `python3-pytest`.
We do not need `git` or `rsync` in the tests.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
* You can ignore words inline by adding a comment like `# codespell:ignore word`.
* You can ignore words by adding them to the `.codespell_ignores` file.
* You can ignore files and directories by adding them with `skip = ` to the `.codespellrc` file.
Signed-off-by: Sergei Petrosian <spetrosi@redhat.com>
Add support for the `wait_ip` property, the system will consider
connection activated only when specific IP stack is configured.
This enables flexibility in scenarios such as
IPv6-only networks, where the overall network configuration can still
succeed when IPv4 configuration fails but IPv6 completes successfully.
The `wait_ip` can be configured with the following possible values:
* "any": System will consider interface activated when any IP stack is
configured.
* "ipv4": System will wait IPv4 been configured.
* "ipv6": System will wait IPv6 been configured.
* "ipv4+ipv6": System will wait both IPv4 and IPv6 been configured.
Resolves: https://issues.redhat.com/browse/RHEL-63026
Signed-off-by: Wen Liang <wenliang@redhat.com>
We have a lot of requests to support Rocky and Alma in various system roles. The
first part of adding support is adding `vars/` files for these platforms. In
almost every case, for a given major version N, the vars file RedHat_N.yml can
be used for CentOS, Rocky, and Alma. Rather than making a copy of the
RedHat_N.yml file, just use a symlink to reduce size and maintenance burden, and
standardize this across all system roles for consistency.
NOTE: There is no Alma or Rocky version 7 or less.
NOTE: OracleLinux is not a strict clone, so we are not going to do this for
OracleLinux at this time. Support for OracleLinux will need to be done in
separate PRs. For more information, see
https://github.com/linux-system-roles/cockpit/issues/130
**Question**: Why not just use `ansible_facts["os_family"] == "RedHat"`?
**Answer**: This is what Ansible uses as the RedHat os_family:
1e6ffc1d02/lib/ansible/module_utils/facts/system/distribution.py (L511)
There are a lot of distributions in there. I know that Fedora is not a clone of
RHEL, but it is very closely related. Most of the others are not clones, and it
would generally not work to replace ansible_distribution in ['CentOS', 'Fedora',
'RedHat'] with ansible_facts['os_family'] == 'RedHat' (but it would probably
work in specific cases with specific distributions). For example, OracleLinux
is in there, and we know that doesn't generally work. The only ones we can be
pretty sure about are `RedHat`, `CentOS`, `Fedora`, `AlmaLinux`, and `Rocky`.
**Question**: Does my role really need this because it should already work on
RHEL clones?
**Answer**: Maybe not - but:
* it doesn't hurt anything
* it's there if we need it in the future
* the role will be inconsistent with the other system roles if we don't have this
**Question**: Why do I need the `tests/vars/rh_distros_vars.yml` file? Doesn't
the test load the vars from the role?
**Answer**: No, the test does not load the vars from the role until the role is
included, and many tests use version and distribution before including the role.
**Question**: Do we need to change the code now to use the new variables?
**Answer**: No, not now, in subsequent PRs, hopefully by Alma and Rocky users.
Note that there may be more work to be done to the role to fully support Rocky
and Alma. Many roles have conditionals like this:
```yaml
some_var: "{{ 'some value' if ansible_distribution in ['CentOS', 'RedHat'] else 'other value' }}"
another_var: "{{ 'some value' if ansible_distribution in ['CentOS', 'Fedora', 'RedHat'] else 'other value' }}"
...
- name: Do something
when: ansible_distribution in ['CentOS', 'RedHat']
...
- name: Do something else
when: ansible_distribution in ['CentOS', 'Fedora', 'RedHat']
...
```
Adding Rocky and AlmaLinux to these conditionals will have to be done
separately. In order to simplify the task, some new variables are being
introduced:
```yaml
__$rolename_rh_distros:
- AlmaLinux
- CentOS
- RedHat
- Rocky
__$rolename_rh_distros_fedora: "{{ __$rolename_rh_distros + ['Fedora'] }}"
__$rolename_is_rh_distro: "{{ ansible_distribution in __$rolename_rh_distros }}"
__$rolename_is_rh_distro_fedora: "{{ ansible_distribution in __$rolename_rh_distros_fedora }}"
```
Then the conditionals can be rewritten as:
```yaml
some_var: "{{ 'some value' if __$rolename_is_rh_distro else 'other value' }}"
another_var: "{{ 'some value' if __$rolename_is_rh_distro_fedora else 'other value' }}"
...
- name: Do something
when: __$rolename_is_rh_distro | bool
...
- name: Do something else
when: __$rolename_is_rh_distro_fedora | bool
...
```
For tests - tests that use such conditionals will need to use `vars_files` or
`include_vars` to load the variables that are defined in
`tests/vars/rh_distros_vars.yml`:
```yaml
vars_files:
- vars/rh_distros_vars.yml
```
We don't currently have CI testing for Rocky or Alma, so someone wanting to run
tests on those platforms would need to change the test code to use these.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
There is no fine-grained control over the number of retries for
automatically reconnecting a network connection in the role. This
limitation can be problematic for certain use cases where extending the
retry process is critical, particularly in environments with unstable
networks. Introduce support for the `autoconnect_retries` property in nm
provider of `network_connections` variable. This feature allows users to
configure how many times NetworkManager will attempt to reconnect a
connection after a autoconnect failure, providing more control over
network stability and performance.
Resolves: https://issues.redhat.com/browse/RHEL-61599
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
If firewall is active, the dhcp services do not work. Change the test
to add and remove the dhcp services if firewall is active.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Something has changed in python, similar to the change between
el8 and el9, that causes the test to fail on f39 and later, so
skip it.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Enhancement: Add the optional route source parameter for the nm provider
Reason: In a scenario where you have a machine with multiple public IP
addresses, typically due to a multi-WAN setup, the src parameter in the
context of routes allows you to specify which source IP address should
be used when sending packets via a specific route. This is crucial when
you want to ensure that outbound traffic uses a specific IP address tied
to a particular network interface, especially when dealing with multiple
WAN connections.
Result: Adding support for the src parameter in routes results in a
more powerful and flexible network configuration capability, especially
important in environments with multiple network interfaces or multiple
IP addresses, it provides better control over traffic routing.
Resolves: https://issues.redhat.com/browse/RHEL-3252
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Do not use templating in `when:`, `that:`, `until:`. These
are evaluated as Jinja statements. In cases where the string
used is long or awkward to generate in-line, use an
intermediate var for the value.
Use a unique loop var instead of `item` in cases where a loop
may be called in a nested context.
Fix some formatting.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
The team plugin test does not clean up properly causing the following team
test to fail. The fix is to use the network standard run_test.yml interface
to ensure proper preconditions and cleanup for the team plugin test.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
According to the Ansible team, support for listing platforms in
role `meta/main.yml` files is being removed.
Instead, they recommend using `galaxy_tags`
https://github.com/ansible/ansible/blob/stable-2.17/changelogs/CHANGELOG-v2.17.rst
"Remove the galaxy_info field platforms from the role templates"
https://github.com/ansible/ansible/issues/82453
Many roles already have tags such as "rhel", "redhat", "centos", and "fedora".
I propose that we ensure all of the system roles have these tags.
Some of our roles support Suse, Debian, Ubuntu, and others.
We should add tags for those e.g. the ssh role already has tags for "debian" and "ubuntu".
In addition - for each version listed under `platforms.EL` - add a tag like `elN`.
Q: Why not use a delimiter between the platform and the version e.g. `el-10`?
This is not allowed by ansible-lint:
```
meta-no-tags: Tags must contain lowercase letters and digits only., invalid: 'el-10'
meta/main.yml:1
```
So we cannot use uppercase letters either.
Q: Why not use our own meta/main.yml field?
No other fields are allowed by ansible-lint:
```
syntax-check[specific]: 'myfield' is not a valid attribute for a RoleMetadata
```
Q: Why not use some other field?
There are no other applicable or suitable fields.
Q: What happens when we want to support versions like `N.M`?
Use the word "dot" instead of "." e.g. `el10dot3`.
Similarly - use "dash" instead of "-".
We do not need tags such as `fedoraall`.
The `fedora` tag implies that the role works on all supported versions of fedora.
Otherwise, use tags such as `fedora40` if the role only supports specific versions.
Teaming support is dropped in EL10. Provide an error to users who attempt
to use teaming and suggest that they use bonding instead. Skip teaming
tests on EL10.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Improve the name text for skipped ostree tests to explain
why the test is skipped.
Add tests/tasks/ostree_systems_check.yml for use by test
playbooks that may be skipped on ostree systems.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
If updates for network packages are available and wireless or team
connections are specified, NetworkManager must be restarted, the role
requires user's consent to restart NetworkManager. Otherwise, there
might be property conflicts between NetworkManager daemon and plugin, or
NetworkManager plugin is not taking effect.
`update_cache` is enabled in the module tasks to check if updates for
network packages are available due to wireless or team interfaces, in
that case, NetworkManager needs user's explicit consent to be restarted
after the network package updates. And using `state: latest` for
checking the network package updates because we have to guarantee that
NetworkManager and its plugin have the same and most recent version for
configuring the network connections settings in the backend. It is
worthwhile to mention that we have both tasks using dnf and yum module
for checking available updates for network packages. Because checking
package cache update is not supported in Ansible package module, Fedora
and RHEL8+ use DNF package manager by default, RHEL7 uses yum package
manager by default.
This commit will address the situation that users forget to explicitly
specify `network_allow_restart: true` when specifying wireless or team
connections.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Improve bond test failure debugging
* put test setup into block/always so that cleanup happens for setup failures
* trace shell commands so that we can determine exactly which command failed
* add error reporting so that when certain commands fail, we can determine the error code
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Without purging the DNS testing config at the end
`tests_network_state.yml`, the managed hosts can not properly resolve
certain hosts (e.g. mirrors.fedoraproject.org, mirrors.centos.org )
in the package installation task of other tests.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
In order to guarantee each test is cleaned up properly in the end, it
is important to add a post-test check to each test checking that:
- Routes and DNS are restored.
- Network connectivity to certain hosts are preserved.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Sometimes the rpm download returns a 403, which is likely caused by
too many parallel jobs attempt the download from the same controller in
too short a period of time, so the epel server throttles additional
downloads - use a retry here to mitigate.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
Baseos CI runs different wireless tests in a sequence, the mock wifi
needs to be cleaned up properly at the end of each wireless test,
otherwise, it will cause the failure during the setup of mock wifi
for the next wireless test.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
It is useful and common practice to configure the routes with blackhole,
prohibit, and unreachable route types when users have BGP routing
setups.
Notice that this feature is only for nm provider using
`network_connections` variable. Configuring blackhole, prohibit, and
unreachable route types is also supported by using `network_state` since
nmstate version 2.2.20 (the setting name is `route-type`).
Resolves: https://issues.redhat.com/browse/RHEL-19579
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
The old ansible-community ansible-lint is deprecated. There is a
new ansible-lint github action. The new ansible-lint has several checks
related to ansible-test and the ignore files. Many of our ignore settings
are not allowed any more and are required to be fixed or addressed in the
Ansible preferred way.
The python imports have to be wrapped in a try/except ImportError, and
where possible, an error must be returned from the module explaining
what was not able to be imported.
The module documentation must comply with the Ansible standards. One
aspect of this is the `version_added` must be a valid ansible-core
version in X.Y.Z format. Note that this version isn't really used
anywhere, so it doesn't matter for users of the role, it is purely
an `ansible-test` and import gating issue.
The result of this is that the .sanity files can be reduced to the
bare minimum which will greatly reduce the maintenance burden of
those files, make it easier to support newer versions of Ansible,
and make it easier to import the system roles collection into Galaxy
and Automation Hub.
The latest Ansible repo gating tests run ansible-lint against
the collection format instead of against individual roles.
We have to convert the role to collection format before running
ansible-test.
Role developers can run this locally using
`tox -e collection,ansible-lint-collection`
See https://github.com/linux-system-roles/tox-lsr/pull/125
Add `---` doc start to .markdownlint.yaml
The file `examples/down_profile+delete_interface.yml`
was not used and was causing ansible-lint errors.
ansible-lint enforces the order of keywords in plays - `name`,
then `hosts`, then `vars`, then `tasks`.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Use the `#!/usr/bin/env bash` shebang which is ansible-test friendly.
This means we can remove get_ostree_data.sh from the .sanity* files.
This also means we can remove the .sanity* files if we do not need
them otherwise. Fix other shell scripts to use the friendly shebang
and remove from the .sanity* files.
Rename `pth` to `path` in honor of nscott
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Some variables used in the module code are not meaningful at all, which
might be hard to read and understand. Therefore, replace them with
meaningful variables.
Signed-off-by: Wen Liang <liangwen12year@gmail.com>
