Local automated upgrade testing #3075
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #3075 +/- ##
========================================
Coverage 85.79% 85.79%
========================================
Files 34 34
Lines 2154 2154
Branches 238 238
========================================
Hits 1848 1848
Misses 250 250
Partials 56 56Continue to review full report at Codecov.
|
ghost
added
|
In the test instructions there should also be |
|
@msheiny at this stage I'm not doing a proper review, just discovering the great work you did 💯. And dumping a few inconsequential remarks on the way ;-) Both |
That is a very good point. I managed to get some of that upstreamed to molecule... I need to do the rest of the tweaks. |
Nice ! URL ? |
molecule/upgrade_test/playbook.yml
Outdated
| state: running | ||
| tags: always | ||
|
|
||
| - name: Ensure tor is running |
|
|
The Retrying with 0.5.2 debs, rebuilding now... |
|
Even with 0.5.2 debs, still seeing: |
msheiny
force-pushed
the
LocalAutomatedBuild
branch
from
ca952d6 to
f250640
Compare
|
Rebased on |
Trying to reproduce now... Just to clarify, this is on the |
|
@conorsch can you get me more data on that error? I'm not able to recreate locally... |
|
@kushaldas can you take a look at |
| subprocess.check_call(sysprep_cmd.split()) | ||
|
|
||
| def vagrant_metadata(self, img_location): | ||
| # type: (str) -> dict |
There was a problem hiding this comment.
This is actually wrong. We will have to install mypy_extensions and use TypedDict for the return type of the function.
There was a problem hiding this comment.
Good to know, @kushaldas. Currently the typelint check isn't running against this file. Even adding it locally to the Makefile target, I don't see any errors reported.
|
Is this what I should do to get packages for both versions under test?
|
@dachary can you clarify your question ? I don't quite understand. I'm assuming you are referring to the upgrade_test scenario .. in that case you don't really need |
I'm confused about which version I should run |
There was a problem hiding this comment.
Took another pass through. We need yet another rebase here, @msheiny, so if you'd be so kind....
Left some in-line comments requesting clarification and some tidying up of the names. Still struggling to run the package scenario; the upgrade scenario is comparatively much more reliable for me.
Makefile
Outdated
| @@ -138,6 +138,15 @@ libvirt-share: ## Configure ACLs to allow RWX for libvirt VM (e.g. Admin Worksta | |||
| @find "$(PWD)" -type d -and -user $$USER -exec setfacl -m u:libvirt-qemu:rwx {} + | |||
| @find "$(PWD)" -type f -and -user $$USER -exec setfacl -m u:libvirt-qemu:rw {} + | |||
|
|
|||
| .PHONY: vagrant_package | |||
| vagrant_package: ## Package up a vagrant box of the last stable SD release | |||
There was a problem hiding this comment.
Nit: can we call this vagrant-package? It's more consistent with the existing names for makefile targets:
$ make help | perl -lanE 'print $F[0]' | grep '[-_]' -o | sort | uniq -c
1 _
19 -
I'll ask for similar stylistic changes throughout.
| # Unfortunately since we need to prompt the user for sudo creds.. | ||
| # I had to break the actual vagrant package logic outside of molecule | ||
| molecule/vagrant_packager/package.py && \ | ||
| molecule destroy -s vagrant_packager |
There was a problem hiding this comment.
Ha, I ran into a similar problem over in freedomofpress/ansible-role-grsecurity-build#31, with vars_prompt failing to run in non-interactive mode. I wouldn't hesitate to put logic this simple directly in the Makefile, but no objections here.
| ] | ||
| } | ||
| ] | ||
| } |
There was a problem hiding this comment.
We should rebuild for 0.6 final now that it's released, no?
There was a problem hiding this comment.
yeppp going to have to rebuild for that
| # https://github.com/ansible/ansible/issues/20885 | ||
| content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" | ||
| dest: "{{ molecule_instance_config }}" | ||
| when: server.changed | bool |
There was a problem hiding this comment.
Comment indicates the workaround is necessary for Ansible v2.2, but we're on v2.4.2.0 now. Still necessary?
There was a problem hiding this comment.
that code is part of the skeleton from molecule ... theres a lot of refactoring that can be done upstream to be honest in the skeleton files. ive been too lazy to make a PR against it for that though ... so we can only blame this @msheiny guy
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING | ||
| # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER | ||
| # DEALINGS IN THE SOFTWARE. | ||
|
|
There was a problem hiding this comment.
This is a gigantic file, and it was introduced as part of a beefy commit with no explanation about why it's here:
$ git show 542c2cbd2e6d27e0bcd0f58cb472cb7dda9ce3f1 --name-status
commit 542c2cbd2e6d27e0bcd0f58cb472cb7dda9ce3f1
Author: Michael Sheinberg <[email protected]>
Date: Mon Feb 26 16:42:28 2018 -0500
Add scenario for vagrant builder
M .gitignore
A molecule/vagrant_packager/ansible-override-vars.yml
A molecule/vagrant_packager/box_files/Vagrantfile.app-staging
A molecule/vagrant_packager/box_files/Vagrantfile.mon-staging
A molecule/vagrant_packager/box_files/vagrant_app-staging.yml
A molecule/vagrant_packager/box_files/vagrant_mon-staging.yml
A molecule/vagrant_packager/build/.gitignore
A molecule/vagrant_packager/create.yml
A molecule/vagrant_packager/destroy.yml
A molecule/vagrant_packager/library/molecule_vagrant.py
A molecule/vagrant_packager/molecule.yml
A molecule/vagrant_packager/package.py
A molecule/vagrant_packager/playbook.yml
A molecule/vagrant_packager/prepare.yml
A molecule/vagrant_packager/reboot_and_wait.yml
A molecule/vagrant_packager/sd_clone.yml
A molecule/vagrant_packager/side_effect.yml
I assume it contains a patch of some kind—perhaps already included in upstream?—but at the very least the commit message should explain the motivation to include, and ideally also parameters that would suffice for removal later.
There was a problem hiding this comment.
got an incoming commit to address this -- you are right i should have been more explicit though about why it was needed. long story short, upstream was missing functionality so i was waiting for my changes and others to get pulled in
| subprocess.check_call(sysprep_cmd.split()) | ||
|
|
||
| def vagrant_metadata(self, img_location): | ||
| # type: (str) -> dict |
There was a problem hiding this comment.
Good to know, @kushaldas. Currently the typelint check isn't running against this file. Even adding it locally to the Makefile target, I don't see any errors reported.
Makefile
Outdated
| .PHONY: translate | ||
| translate: ## Update POT translation files from sources | ||
| @cd securedrop ; ./manage.py translate-messages --extract-update | ||
| @cd securedrop ; ./manage.py translate-desktop --extract-update |
There was a problem hiding this comment.
Nit: should probably use && rather than ; here.
There was a problem hiding this comment.
ummmmm i dont remember touching this section 😕 maybe it was a merge-conflict that i fixed while rebasing
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING | ||
| # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER | ||
| # DEALINGS IN THE SOFTWARE. | ||
|
|
There was a problem hiding this comment.
This PR introduces two nearly identical libs with no explanation. Run diff -y --suppress-common-lines molecule/vagrant_packager/library/molecule_vagrant.py molecule/upgrade_test/library/molecule_vagrant.py for a comparison.
- Can we remove one of them?
- Can we remove both of them?
- If not, can we get comments explaining the necessity of this duplication?
molecule/upgrade_test/molecule.yml
Outdated
| side_effect: side_effect.yml | ||
|
|
||
| scenario: | ||
| name: upgrade_test |
There was a problem hiding this comment.
Nit: can we call this scenario "upgrade"? It'd be more consistent with the naming strategy implicit in Molecule scenarios; e.g. I want to be able to run molecule test -s upgrade, rather than molecule test -s upgrade_test.
Yes, @msheiny—and I'm still able to reproduce:
|
This is super annoying that I have to keep messing with this option. I suspect its a weird KVM + vagrant issue 🤷 Don't have time to dig deeper and this fixes it along with my fork of upstream molecule vagrant module. Both changes of which, I have open PRs to try to get merged in so we dont have to maintain this divergence.
Was only set to 30 days. Had to recreate and resign fake apt.freedom.press test cert.
msheiny
force-pushed
the
LocalAutomatedBuild
branch
from
37edb45 to
472aa4c
Compare
Our unique changes that were added to support suppressing NFS were recently merged upstream in molecule 2.13: * ansible/molecule#1235 * ansible/molecule#1233
msheiny
force-pushed
the
LocalAutomatedBuild
branch
2 times, most recently
from
0ab9386 to
8a298dd
Compare
|
heyyyyy @conorsch this PR is getting really huge and unwieldy ... everytime I rebase I'm hitting more weird conflicts that I then have to go in and fix ... discovering some really weird issues that are out of scope for this PR (see this last commit Sorry to nudge ya here but can you give another go through when you have some downtime? Keep in mind this PR really only affects CI and a local dev environment edge-case for specific Linux users so I kindly ask that you keep review pegged to the the The sooner I can get this in I can also start working on the server-side story to try and get this running in CI ❤️ |
|
Taking another look, @msheiny. Might ping you for some real-time collab if I run into any snags during re-review. |
|
ping @conorsch i slightly updated the testing steps here. There is another scenario to test proxy thru to apt-test |
|
Ran through the entire workflow again today. The upgrade flow is quite sound. Built local debs from the Still could not run the After doing so, encountered the same error, reported above during prior reviews: @msheiny, let's sync on the error above tomorrow in real time to debug. The effort should be timeboxed, though: if we can't solve it to our mutual satisfaction within an hour, I propose we separate out the package logic and work on it separately. The upgrade logic is highly valuable, and should be merged soon to unblock others on the QA workflow. The package logic is less critical, given that it need only be run once per release. |
I really don't want to do this. The package logic only affects you and me at the moment. No one else is going to be running it (not even CI). This is very similar to the condition when we initially merged the docker logic when it was undocumented and had failing tests. Sometimes its easier to keep merging undocumented and isolated components early as possible and continue to iterate and improve. I believe this is one of those scenarios. It's been really painful to continue to rebase this PR. I keep finding unrelated bugs and having to fix them and it has really snow-balled into a huge ordeal. I'd strongly prefer to merge as is, assuming you do not find any issues with the upgrade testing component. |
Seems that with the latest molecule bump, the relative pathing calculation has changed in respect to the ansible host/group vars directories. Previously it was checking from the ephemeral dir, now its from the scenario dir.
Not sure why this wasnt needed before :| This will soon be obsolete as soon as we are testing against post 0.7 (which includes the ssh over local net features).
Especially want to make sure we avoid vagrant images and additional build folders
Also added `.python3` temp folder to the ignore list
These are out of scope on this PR for me to address and for the sake of brevity I'm going to exclude them for now since they are not recent changes.
This applies strictly to the upgrade test scenario, if you have an environment variable `QA_APTTEST` set to yes/true then your upgrade test will be getting packages from apt-test instead of from local apt packages.
In the bump of molecule we also brought up the version of testinfra which introduced a bug in detecting open udp ports. They switched to using `ss` instead of `netstat` when its available. I took the path of least resistance, opened a bug report, and made a hacky work-around using `lsof`. Bug report -> pytest-dev/pytest-testinfra#311
msheiny
force-pushed
the
LocalAutomatedBuild
branch
from
3f7eb02 to
aa396fb
Compare
Rebased and added a fix for that issue you saw ;) |
With the bump to molecule, the ephemeral directory spot has changed. For now, lets utilize the old directory space since its already git/docker ignored. We just need to ensure that we intentionally create that directory. There was also a change in how the vagrant boxes are named. The `.molecule` prefix is gone and replaced with the scenario name.
Without this SSHd will not be listening on all interfaces upon reboot
msheiny
force-pushed
the
LocalAutomatedBuild
branch
from
fd03c60 to
4800743
Compare
|
Spent some time with the one-and-only @msheiny debugging the vagrant-package workflow today. The failure related to chowning to the ossec user, reported several times above, turned out to be caused by the entire Once we clarified that issue, I was able to confirm working end-to-end scenario flows for both Thanks for your patient assistance on this, @msheiny. Let's get it in! |
Status
Ready for review
Description of Changes
Changes proposed in this pull request:
Fixes first check-box in #3018
Add two scenarios:
vagrant_packager-- builds two vagrant boxes ready for redistributionupgrade--- fires up boxes from the first scenario (pulled from s3), and chucks all locally built deps to a local apt server.Testing
How should the reviewer test this PR?
Caveat- this PR testing will only work under a system with libvirt/kvm. There is another ticket to also add support for virtualbox.Packager testing:
make vagrant-package- be prepared to enter a sudo password about 20 min in .molecule/vagrant_packager/push.ymldont run that now... but glance it over :)Upgrade testing (local deb packages):
make build-debs- make you sure have a version of debian packages that are higher than0.6if thebuild/directory. If you don't, running this command should give you0.7.0~rc1molecule converge -s upgradeto get.0.6SD servers up. You'll get passed an onion address at the end. Navigate to that in a web-browser and note the version at the bottom.molecule side-effect -s upgrade- Navigate back to the onion address and confirm version has bumped.Upgrade testing (apt-test proxy):
molecule converge -s upgradeto get.0.6SD servers up.molecule login -s upgrade --host app-staging- To get a shell onto the app serversudo apt-get update(confirm no ERRORS , you'll see a warning about duplicate repos but thats not an error and is a diff issue)apt-cache policy securedrop-config(same terminal ^^) and you should see all the packages pulled in from aboveQA_APTTEST=yes molecule converge -s upgrade -- --diff -t apt2 -> 4again. This time you should see versions of securedrop-config pulled in from apt-test (this should have a few versions back and look like below):Deployment
Any special considerations for deployment? Consider both:
None - This only affects developer upgrade testing environment.
Checklist
If you made changes to the app code:
None
If you made changes to the system configuration:
None
If you made changes to documentation:
None