Merge pull request #378 from mikedep333/verification_tests

Verification tests

CHANGES/6586.removal

@@ -0,0 +1 @@
+Remove the systemd sandboxing features from the pulpcore-api systemd unit file. This was preventing pulpcore-api from starting on containers running systemd (due to namespace capabilities), such as our molecule tests & CI.

CHANGES/7272.dev

@@ -0,0 +1 @@
+Add verification that Pulp is running at the end of pulp_installer CI, via inspec.

molecule/packages-dynamic/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/packages-static/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/packages-upgrade/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/release-dynamic/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/release-static/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/release-upgrade/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/scenario_resources/tests/test_default.rb

@@ -2,40 +2,34 @@
   its('owner') { should eq 'root' }
 end
 
-['pulpcore-resource-manager', 'pulpcore-worker@1', 'pulpcore-worker@2'].each do |pservice|
+['pulpcore-api','pulpcore-content','pulpcore-resource-manager', 'pulpcore-worker@1', 'pulpcore-worker@2'].each do |pservice|
   describe service(pservice) do
     it { should be_running }
     it { should be_enabled }
   end
 end
 
-'pulpcore-webserver' do |webserver|
-  describe port(80) do
-    it { should be_listening }
-  end
-
-  describe port(443) do
-    it { should be_listening }
-  end
+describe port(80) do
+  it { should be_listening }
+end
 
-  describe http('http://localhost/pulp/api/v3/status',
-                 ssl_verify: false) do
-      its('status') { should eq 301 }
-    end
-  end
+describe port(443) do
+  it { should be_listening }
+end
 
-  describe http('http://localhost/pulp/api/v3/status',
-                 ssl_verify: false, max_redirects: 1) do
-      its('status') { should eq 200 }
-      its('body') { should match /database_connection/ }
-    end
-  end
+describe http('http://localhost/pulp/api/v3/status/',
+               ssl_verify: false) do
+    its('status') { should eq 301 }
+end
 
-  describe http('https://localhost/pulp/api/v3/status',
-                 ssl_verify: false) do
-      its('status') { should eq 200 }
-      its('body') { should match /database_connection/ }
-    end
-  end
+describe http('http://localhost/pulp/api/v3/status/',
+               ssl_verify: false, max_redirects: 1) do
+    its('status') { should eq 200 }
+    its('body') { should match /database_connection/ }
+end
 
+describe http('https://localhost/pulp/api/v3/status/',
+               ssl_verify: false) do
+    its('status') { should eq 200 }
+    its('body') { should match /database_connection/ }
 end

molecule/scenario_resources/verify.yml

@@ -7,28 +7,50 @@
   hosts: all
   become: true
   vars:
-    inspec_download_url: "https://packages.chef.io/files/stable/inspec/2.1.43/el/7/inspec-2.1.43-1.el7.x86_64.rpm"
+    inspec_bin: /opt/inspec/bin/inspec
     inspec_download_source_dir: /usr/local/src
-    inspec_download_sha256sum: bf36072724322fcca708467e5fc1973e838f605d655d72a2ba17f3365b39cd08
+    inspec_test_directory: /tmp/molecule/inspec
+  tasks:
+    - name: Setting variables (CentOS / RHEL / Fedora)
+      set_fact:
+        # Version 3.9.3 is the last version under the Apache 2.0 rather than the inspec EULA.
+        # Rather than evaluate whether we (Pulp Project) should use the inspec EULA versions,
+        # let's just use this version.
+        # Note: 4.3.2 is technically before the relicense was announced and has the Apache 2.0 license in
+        # the RPM metadata and in its contents on disk, but it prompts you to accept the EULA when you
+        # first run it.
+        inspec_download_url: "https://packages.chef.io/files/stable/inspec/3.9.3/el/7/inspec-3.9.3-1.el7.x86_64.rpm"
+        inspec_download_sha256sum: 4d54d12899c2eeaae4812cd13b8dfcae01ec1fd4a44f00cab77e31a57aea502b
+      # Tested by Pulp with EL7, EL8 & Fedora 31, but let's try to run against future releases as well.
+      # when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= "7"
+      when: ansible_os_family == "RedHat"
 
-    inspec_package_name: "{{ inspec_download_url.split('/')[-1] }}"
-    inspec_bin: /opt/inspec/bin/inspec
+    - name: Setting variables (Debian 9 / 10 / Ubuntu 18.04)
+      set_fact:
+        inspec_download_url: "https://packages.chef.io/files/stable/inspec/3.9.3/ubuntu/18.04/inspec_3.9.3-1_amd64.deb"
+        inspec_download_sha256sum: 757dd2366a3932adc5fcc9382b30d77de6cc33152585f4c9f94f8918d9d349a7
+      # Tested by Pulp with Debian 10. molecule-inspec said inspec 2 (for Ubuntu 18.04) would work with Debian 9 also.
+      # when: ansible_os_family == "Debian" and (ansible_distribution_major_version in ["9","10"] or ansible_distribution_version == "18.04")
+      when: ansible_os_family == "Debian"
 
-    inspec_test_directory: "/tmp/molecule/inspec"
-  tasks:
     - name: Download Inspec
       get_url:
         url: "{{ inspec_download_url }}"
         dest: "{{ inspec_download_source_dir }}"
         sha256sum: "{{ inspec_download_sha256sum }}"
         mode: 0755
 
-    - name: Install Inspec
-      package:
-        name: "{{ inspec_download_source_dir }}/{{ inspec_package_name }}"
-        state: latest
-      tags:
-        - skip_ansible_lint
+    - name: Install Inspec (apt)
+      apt:
+        deb: "{{ inspec_download_source_dir }}/{{ inspec_download_url.split('/')[-1] }}"
+        state: present
+      when: ansible_pkg_mgr == "apt"
+
+    - name: Install Inspec (yum)
+      yum:
+        name: "{{ inspec_download_source_dir }}/{{ inspec_download_url.split('/')[-1] }}"
+        state: present
+      when: ansible_pkg_mgr in ["yum","dnf"]
 
     - name: Create Molecule directory for test files
       file:
@@ -39,20 +61,16 @@
       copy:
         src: "{{ item }}"
         dest: "{{ inspec_test_directory }}/{{ item | basename }}"
+      register: copy_inspec_tests
       with_fileglob:
-        - "{{ playbook_dir }}/tests/test_*.rb"
-
-    - name: Register test files
-      shell: "ls {{ inspec_test_directory }}/test_*.rb"
-      register: test_files
-      changed_when: false
+        - "{{ lookup('env', 'MOLECULE_VERIFIER_TEST_DIRECTORY') }}/test_*.rb"
 
     - name: Execute Inspec tests
-      command: "{{ inspec_bin }} exec {{ item }}"
+      command: "{{ inspec_bin }} exec {{ item.dest }}"
       register: test_results
-      with_items: "{{ test_files.stdout_lines }}"
+      with_items: "{{ copy_inspec_tests.results }}"
+      changed_when: test_results.changed
       ignore_errors: true
-      changed_when: true
 
     - name: Display details about the Inspec results
       debug:

molecule/source-dynamic/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/source-static/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

molecule/source-upgrade/verify.yml

@@ -0,0 +1 @@
+../scenario_resources/verify.yml

roles/pulp_api/templates/pulpcore-api.service.j2

@@ -18,9 +18,6 @@ ExecStart={{ pulp_install_dir }}/bin/gunicorn pulpcore.app.wsgi:application \
           --bind '{{ pulp_api_bind }}' \
           --workers {{ pulp_api_workers }} \
           --access-logfile -
-ProtectSystem=full
-PrivateTmp=yes
-PrivateDevices=yes
 
 # This provides reconnect support for PostgreSQL and Redis. Without reconnect support, if either
 # is not available at startup or becomes disconnected, this process will die and not respawn.