Various changes to make convergence test work

- Ensure that rootwrap files are appropriately secured.
 - Implement sudoers to make rootwrap work.
 - Restructure tests to reduce duplication.

tasks/designate_post_install.yml

@@ -17,8 +17,8 @@
   config_template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: "{{ designate_system_user_name }}"
-    group: "{{ designate_system_group_name }}"
+    owner: "{{ item.owner|default(designate_system_user_name) }}"
+    group: "{{ item.group|default(designate_system_group_name) }}"
     mode: "0644"
     config_overrides: "{{ item.config_overrides }}"
     config_type: "{{ item.config_type }}"
@@ -48,12 +48,10 @@
 
 - name: Copy designate rootwrap filter config
   copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
+    src: "rootwrap.d/bind9.filters"
+    dest: "/etc/designate/rootwrap.d/bind9.filters"
     owner: "root"
     group: "root"
-  with_items:
-    - { src: "rootwrap.d/bind9.filters", dest: "/etc/designate/rootwrap.d/bind9.filters" }
   notify: Restart designate services
   tags:
     - designate-config

tasks/designate_pre_install.yml

@@ -43,6 +43,8 @@
   with_items:
     - { path: "/etc/designate" }
     - { path: "/etc/designate/rootwrap.d" }
+    - { path: "/etc/designate/rootwrap.d", owner: "root", group: "root" }
+    - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
     - { path: "{{ designate_system_user_home }}" }
     - { path: "{{ designate_system_user_home }}/.ssh", mode: "0700" }
     - { path: "/var/cache/designate", mode: "0700" }
@@ -89,6 +91,17 @@
     - designate-dirs
     - designate-logs
 
+- name: Drop sudoers file
+  template:
+    src: "sudoers.j2"
+    dest: "/etc/sudoers.d/{{ designate_system_user_name }}_sudoers"
+    mode: "0440"
+    owner: "root"
+    group: "root"
+  tags:
+    - sudoers
+    - designate-sudoers
+
 - include: designate_messaging_setup.yml
-  when: >
-    inventory_hostname == groups['designate_all'][0]
+  when:
+    - inventory_hostname == groups['designate_all'][0]

templates/sudoers.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+Defaults:{{ designate_system_user_name }} !requiretty
+Defaults:{{ designate_system_user_name }} secure_path="{{ designate_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+{{ designate_system_user_name }} ALL = (root) NOPASSWD: {{ designate_bin }}/{{ designate_service_name }}-rootwrap

tests/inventory

@@ -1,35 +1,2 @@
 [all]
 localhost ansible_connection=local ansible_become=True
-
-[rabbitmq_all:children]
-infra1
-
-[galera_all:children]
-infra1
-
-[designate_all:children]
-designate_api
-
-[designate_api:children]
-openstack1
-
-[designate_central:children]
-openstack1
-
-[designate_mdns:children]
-openstack1
-
-[designate_pool_manager:children]
-openstack1
-
-[designate_sink:children]
-openstack1
-
-[keystone_all:children]
-openstack1
-
-[infra1]
-10.100.100.101
-
-[openstack1]
-10.100.100.102

tests/test-include-inventory.yml

@@ -0,0 +1,46 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Inventory is being pre-loaded using a post tasks instead of through a dynamic
+#  inventory system. While this is not a usual method for deployment it's being
+#  done for functional testing.
+
+- name: Create container hosts
+  add_host:
+    groups: "{{ item.groups }}"
+    hostname: "{{ item.name }}"
+    inventory_hostname: "{{ item.name }}"
+    ansible_ssh_host: "{{ item.address }}"
+    ansible_become: true
+    properties:
+      service_name: "{{ item.service }}"
+    container_networks:
+      management_address:
+        address: "{{ item.address }}"
+        bridge: "lxcbr0"
+        interface: "eth1"
+        netmask: "255.255.252.0"
+        type: "veth"
+    physical_host: localhost
+    container_name: "{{ item.name }}"
+  with_items:
+    - name: "infra1"
+      service: "infra1"
+      address: "10.100.100.101"
+      groups: "all,all_containers,rabbitmq_all,galera_all,service_all"
+    - name: "openstack1"
+      service: "openstack1"
+      address: "10.100.100.102"
+      groups: "all,all_containers,keystone_all,designate_all,designate_api,designate_central,designate_pool_manager,designate_mdns,designate_sink"

tests/test-install-designate.yml

@@ -13,44 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Prepare the inventory
+  hosts: localhost
+  connection: local
+  become: yes
+  tasks:
+    - include: test-include-inventory.yml
+
 - name: Playbook for deploying designate
   hosts: designate_all
   user: root
   gather_facts: true
   roles:
     - role: "{{ rolename | basename }}"
-  vars:
-    debug: True
-    external_lb_vip_address: 10.100.100.102
-    internal_lb_vip_address: 10.100.100.102
-    designate_galera_address: 10.100.100.101
-    designate_container_mysql_password: "SuperSecrete"
-    designate_pool_manager_galera_address: 10.100.100.101
-    designate_pool_manager_container_mysql_password: "SuperSecrete"
-    galera_client_drop_config_file: false
-    galera_root_password: "secrete"
-    designate_rabbitmq_password: "secrete"
-    designate_rabbitmq_userid: designate
-    designate_rabbitmq_vhost: /designate
-    rabbitmq_servers: 10.100.100.101
-    rabbitmq_use_ssl: False
-    rabbitmq_port: 5672
-    keystone_auth_admin_token: "SuperSecreteTestToken"
-    keystone_auth_admin_password: "SuperSecretePassword"
-    keystone_service_adminuri_insecure: false
-    keystone_service_internaluri_insecure: false
-    keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
-    keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
-    keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
-    keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
-    designate_venv_tag: "testing"
-    designate_developer_mode: true
-    designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016
-    designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
-    designate_service_password: "secrete"
-    designate_profiler_hmac_key: "secrete"
-    openrc_os_auth_url: "{{ keystone_service_internalurl }}"
-    openrc_os_password: "{{ keystone_auth_admin_password }}"
-    openrc_os_domain_name: "Default"
-    memcached_servers: 127.0.0.1
-    memcached_encryption_key: "secrete"
+  vars_files:
+    - test-vars.yml

tests/test-install-infra.yml

@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Prepare the inventory
+  hosts: localhost
+  connection: local
+  become: yes
+  tasks:
+    - include: test-include-inventory.yml
+
 - name: Playbook for deploying infra services
   hosts: service_all
   user: root

tests/test-install-keystone.yml

@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Prepare the inventory
+  hosts: localhost
+  connection: local
+  become: yes
+  tasks:
+    - include: test-include-inventory.yml
+
 - name: Playbook for deploying keystone
   hosts: keystone_all
   user: root
@@ -61,23 +68,5 @@
       when: inventory_hostname == groups['keystone_all'][0]
   roles:
     - role: os_keystone
-  vars:
-    external_lb_vip_address: 10.100.100.102
-    internal_lb_vip_address: 10.100.100.102
-    keystone_galera_address: 10.100.100.101
-    keystone_galera_database: keystone
-    keystone_venv_tag: "testing"
-    keystone_developer_mode: true
-    keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
-    keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
-    keystone_auth_admin_token: "SuperSecreteTestToken"
-    keystone_auth_admin_password: "SuperSecretePassword"
-    keystone_service_password: "secrete"
-    keystone_rabbitmq_password: "secrete"
-    keystone_container_mysql_password: "SuperSecrete"
-    keystone_rabbitmq_port: 5671
-    keystone_rabbitmq_userid: keystone
-    keystone_rabbitmq_vhost: /keystone
-    keystone_rabbitmq_servers: 10.100.100.101
-    keystone_rabbitmq_use_ssl: true
-    galera_client_drop_config_file: false
+  vars_files:
+    - test-vars.yml

tests/test-prepare-containers.yml

@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Prepare the inventory
+  hosts: localhost
+  connection: local
+  become: yes
+  tasks:
+    - include: test-include-inventory.yml
+
 - name: Playbook for creating containers
   hosts: all_containers
   connection: local

tests/test-prepare-host.yml

@@ -42,6 +42,7 @@
           name: "trusty.tgz"
           sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c"
           chroot_path: trusty/rootfs-amd64
+    - role: "openstack_openrc"
   post_tasks:
     - name: Install pip packages
       pip:
@@ -53,4 +54,8 @@
       retries: 5
       delay: 2
       with_items:
+        - lxc-python2
         - python-openstackclient
+        - python-designateclient
+  vars_files:
+    - test-vars.yml

tests/test-vars.yml

@@ -0,0 +1,62 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+debug: True
+external_lb_vip_address: 10.100.100.102
+internal_lb_vip_address: 10.100.100.102
+galera_client_drop_config_file: false
+galera_root_password: "secrete"
+rabbitmq_servers: 10.100.100.101
+rabbitmq_use_ssl: False
+rabbitmq_port: 5672
+memcached_servers: 127.0.0.1
+memcached_encryption_key: "secrete"
+keystone_venv_tag: "testing"
+keystone_developer_mode: true
+keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
+keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
+keystone_service_password: "secrete"
+keystone_galera_address: 10.100.100.101
+keystone_galera_database: keystone
+keystone_container_mysql_password: "SuperSecrete"
+keystone_auth_admin_token: "SuperSecreteTestToken"
+keystone_auth_admin_password: "SuperSecretePassword"
+keystone_service_adminuri_insecure: false
+keystone_service_internaluri_insecure: false
+keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
+keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
+keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
+keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
+keystone_rabbitmq_vhost: /keystone
+keystone_rabbitmq_userid: keystone
+keystone_rabbitmq_password: "secrete"
+keystone_rabbitmq_use_ssl: false
+keystone_rabbitmq_port: 5672
+keystone_rabbitmq_servers: 10.100.100.101
+openrc_os_auth_url: "{{ keystone_service_internalurl }}"
+openrc_os_password: "{{ keystone_auth_admin_password }}"
+openrc_os_domain_name: "Default"
+designate_venv_tag: "testing"
+designate_developer_mode: true
+designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016
+designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
+designate_service_password: "secrete"
+designate_galera_address: 10.100.100.101
+designate_container_mysql_password: "SuperSecrete"
+designate_pool_manager_galera_address: 10.100.100.101
+designate_pool_manager_container_mysql_password: "SuperSecrete"
+designate_rabbitmq_password: "secrete"
+designate_rabbitmq_userid: designate
+designate_rabbitmq_vhost: /designate

vars/main.yml

@@ -1,3 +0,0 @@
----
-# vars file for os_designate/
-