New validation: verify_package

This validation will run only on RedHat OS family (CentOS, Fedora, ...).
It calls the "rpm --verify|-V" command on the selected package, and
returns its status.

Some notes:
- if the package isn't installed, it will fail
- if the package is present, but doesn't have the %verifyscript
  scriptlet, it won't fail
- "become" is needed, especially if the verification script in the RPM
  calls some root-only things, such as "semodule" (this is the case for
  openstack-selinux, for instance)
- if you set the validation to verbose, most of the output will be in
  the stdout - you therefore will have to go through the validation log
  to get the complete reason

Change-Id: I7be310cac60b6729aa3c1a67f731421f85a78d80
Cédric Jeanneret 2022-06-13 09:48:12 +02:00
parent c473b46f30
commit 566dc28121
4 changed files with 129 additions and 0 deletions

@ -0,0 +1,64 @@
---
# This playbook has been generated by the `validation init` CLI.
#
# As shown here in this template, the validation playbook requires three
# top-level directive:
# ``hosts``, ``vars -> metadata`` and ``roles``.
#
# ``hosts``: specifies which nodes to run the validation on. The options can
# be ``all`` (run on all nodes), or you could use the hosts defined
# in the inventory.
# ``vars``: this section serves for storing variables that are going to be
# available to the Ansible playbook. The validations API uses the
# ``metadata`` section to read each validation's name and description
# These values are then reported by the API.
#
# The validations can be grouped together by specyfying a ``groups`` metadata.
# Groups function similar to tags and a validation can thus be part of many
# groups. To get a full list of the groups available and their description,
# please run the following command on your Ansible Controller host:
#
# $ validation show group
#
# The validations can also be categorized by technical domain and acan belong to
# one or multiple ``categories``. For example, if your validation checks some
# networking related configuration, you may want to put ``networking`` as a
# category. Note that this section is open and you are free to categorize your
# validations as you like.
#
# The ``products`` section refers to the product on which you would like to run
# the validation. It's another way to categorized your community validations.
# Note that, by default, ``community`` is set in the ``products`` section to
# help you list your validations by filtering by products:
#
# $ validation list --product community
#
- hosts: all
gather_facts: false
vars:
metadata:
name: Verify package on RedHat os_family
description: |
This validation will run `rpm --verify' on RedHat OS family and
returns the status.
If selected package isn't installed, it will fail.
If selected package doesn't have the %verify scriptlet, it won't fail.
groups:
- prep
- pre-deploy
- pre-ugrade
- post-upgrade
- pre-system-upgrade
- post-system-upgrade
- pre-undercloud-upgrade
- post-undercloud-upgrade
- pre-overcloud-upgrade
- post-overcloud-upgrade
- pre-update
- post-update
categories:
- package
products:
- common
roles:
- verify_package
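
Review bot: `- pre-ugrade` in the `groups` list is misspelled (presumably meant as `pre-upgrade`, to pair with `post-upgrade`), so the validation will not be picked up by a run of that group. In the header comment, "specyfying" and "acan" are typos, and the sentence saying `community` is set by default in `products` no longer matches the `- common` this playbook sets. The description opens the command with a backtick and closes it with an apostrophe (`rpm --verify'), and it says "%verify scriptlet" where the commit message says %verifyscript; pick one spelling.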

@ -0,0 +1,37 @@
Role Name
=========
Call `rpm --verify <package>'. Note that this validation only works for
rhel-based systems, such as Enterprise Linux, CentOS, Fedora and so on.
Requirements
------------
None
Role Variables
--------------
`verify_package_pkg`: (str) Package name to verify
`verify_package_verbose`: (bool) toggle verbose option for rpm
Dependencies
------------
None
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
vars:
verify_package_pkg: openstack-selinux
roles:
- verify_package
License
-------
BSD
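
Review bot: The Role Variables section lists `verify_package_pkg` and `verify_package_verbose` without their defaults (`bash` and `false` in the defaults file), and nothing in the README says the role runs rpm with `become: true`, which an operator needs to know before targeting hosts. The opening line has the same mismatched quoting as the playbook description (backtick to open, apostrophe to close), and the sentence "Including an example of how to use your role ... is always nice for users too:" is leftover template text that should be replaced by a one-line introduction to the example.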

@ -0,0 +1,4 @@
---
# defaults file for verify_package
verify_package_pkg: bash
verify_package_verbose: false
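
Review bot: With `verify_package_pkg: bash` as the default, a run that forgets to set the variable reports on a package unrelated to what the operator meant to check and can pass while the intended package was never verified. Consider leaving the variable without a default and failing early with a clear message when it is unset, or document in the README why `bash` was chosen.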

@ -0,0 +1,24 @@
---
- name: Ensure we have some facts
setup:
gather_subset: min
- name: "Verify package {{ verify_package_pkg }}"
become: true
when:
- ansible_facts['os_family'] == 'RedHat'
register: pkg_verification
command: "rpm {{verify_package_verbose|ternary('-v','') }} -V {{ verify_package_pkg }}"
failed_when: pkg_verification['rc'] not in [0, 1]
- name: Fail if needed
when:
- pkg_verification['rc'] != 0
fail:
msg: "{{ pkg_verification['stderr'] }}"
- name: Fail if we are not on RedHat family system
when:
- ansible_facts['os_family'] != 'RedHat'
fail:
msg: "This validation does not support {{ ansible_facts['os_family'] }}!"
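
Review bot: On a non-RedHat host the "Verify package" task is skipped, so `pkg_verification` has no `rc` key, and the `when: pkg_verification['rc'] != 0` of "Fail if needed" will error out before the "Fail if we are not on RedHat family system" task can print its message; move the os_family check to run right after fact gathering, or add the `ansible_facts['os_family'] == 'RedHat'` condition to "Fail if needed". The failure message uses `pkg_verification['stderr']`, while the commit message itself says most of the output lands on stdout, so the message may be empty when verification fails; include `stdout` as well. The `command` string interpolates `verify_package_pkg` directly, so a value containing spaces or starting with `-` is parsed as extra rpm arguments while running under `become: true`; the `argv` list form with the package name as its own element would avoid that. The task also has no `changed_when: false`, so a read-only check is reported as a change.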