Skip to content
Test harness for linux system roles
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Integration Tests for Linux System Roles

Build Status Code style: black


The CI system can be controlled with a few commands as comments in pull requests:

  • [citest] - Trigger a re-test for all machines
  • [citest bad] - Trigger a re-test for all machines with an error or failure status
  • [citest pending] - Trigger a re-test for all machines with a pending status
  • [citest commit:<sha1>] - Whitelist a commit to be tested if the submitter is not trusted

It is also possible to whitelist all commits in a PR with the needs-ci tag. However, this should be only used with trusted submitters since they can still change the commits in the PR.


A docker container which runs integration tests for open pull requests on linux system roles repositories. It runs all playbooks test/test_*.yml of the repository against various virtual machines.

To build the container, run

sudo docker build -t linuxsystemroles/test-harness:latest .

Multiple of these containers can be started in parallel. They try to not step on each others feet by synchronizing via GitHub commit statuses.

The test runner needs a config.json in the /config mount, which specifies the repositories to monitor for open pull requests, the cloud images to use, a location where to copy (via ssh) the test results to, and a publicly accessible URL for these results. For example:

  "repositories": [
  "images": [
      "name": "fedora-27",
      "source": "",
      "upload_results": true,
      "setup": "dnf install -yv python2 python2-dnf libselinux-python"
      "name": "fedora-28",
      "source": "",
      "upload_results": true,
      "setup": [
          "name": "Setup",
          "hosts": "all",
          "become": true,
          "gather_facts": false,
          "tasks": [
            {"raw": "dnf install -yv python2 python2-dnf libselinux-python"}
      "name": "centos-6",
      "source": "",
      "upload_results": true
      "name": "centos-7",
      "source": "",
      "upload_results": true
  "results": {
    "destination": "",
    "public_url": ""

The setup key contains either a list of Ansible plays which will be saved as a playbook and executed before the test run, or a single shell command which will be executed using the Ansible raw module (so the two examples above are exactly equivalent).

The container needs a /secrets mount, which must contain these files:

  • github-token: A GitHub access token with public_repo, repo:status and read:org scopes. The read:org permission is required to identify users as members to organiziations in case they set their organization membership to private. Without it, the test harness can still update CI status but might ignore pull requests or command comments unexpectedly.
  • is_rsa and A ssh key with to access the server in results.destination.
  • known_hosts: A ssh known_hosts file which contains the public key of that server.

The test runner writes images into the /cache mount and reuses existing ones.

The container should have access to /dev/kvm/ for fast virtualization.

Running on OpenShift

To run the integration tests in an OpenShift instance, create a new project and add the ServiceAccount, ImageStream, and DeploymentConfig from openshift-objects.yml:

oc new-project linux-system-roles-test
oc create -f openshift-objects.yml

The service account needs to be in the privileged scc. Edit it with

oc edit scc privileged

and add - system:serviceaccount:linux-system-roles:tester under users.

Also, create a config.json and a directory containing the secrets mentioned above, and add ConfigMap and Secrect objects with:

oc create configmap config --from-file=config.json
oc create secret generic secrets --from-file=path/to/secrets

Finally, import the image to trigger a deployment:

oc import-image linux-system-roles-test
You can’t perform that action at this time.