
Commit 468c49fb authored by Bengt Giger's avatar Bengt Giger

Added system_update_manager

parent c6f343c1
Pipeline #88552 failed
......@@ -23,6 +23,9 @@ timeservice-chrony-test:
stage: tests
tags:
- docker
rules:
changes:
- roles/timeservice
script:
- cd roles/timeservice;
molecule test;
......@@ -31,6 +34,8 @@ timeservice-ntp-test:
stage: tests
tags:
- docker
changes:
- roles/timeservice
script:
- cd roles/timeservice;
molecule test -s ntp;
......@@ -40,6 +45,8 @@ private_subnet_client-test:
stage: tests
tags:
- k8s-runner
changes:
- roles/private_subnet_client
variables:
DOCKER_HOST: tcp://localhost:2375
script:
......@@ -51,8 +58,59 @@ console_configuration-test:
stage: tests
tags:
- k8s-runner
changes:
- roles/console_configuration
variables:
DOCKER_HOST: tcp://localhost:2375
script:
- cd roles/console_configuration;
molecule test;
# Test system_update_manager on Kubernetes
system_update_manager-test:
stage: tests
tags:
- k8s-runner
changes:
- roles/system_update_manager
variables:
DOCKER_HOST: tcp://localhost:2375
script:
- cd roles/system_update_manager;
molecule test;
system_update_manager-test:
stage: tests
tags:
- k8s-runner
changes:
- roles/system_update_manager
variables:
DOCKER_HOST: tcp://localhost:2375
script:
- cd roles/system_update_manager;
molecule test -s increase;
system_update_manager-test:
stage: tests
tags:
- k8s-runner
changes:
- roles/system_update_manager
variables:
DOCKER_HOST: tcp://localhost:2375
script:
- cd roles/system_update_manager;
molecule test -s decrease;
system_update_manager-test:
stage: tests
tags:
- k8s-runner
changes:
- roles/system_update_manager
variables:
DOCKER_HOST: tcp://localhost:2375
script:
- cd roles/system_update_manager;
molecule test -s remove;
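Review bot: The four jobs added in the last hunk all use the key `system_update_manager-test`, so they collide: a YAML mapping cannot hold the same key twice, and parsers that tolerate it keep only the last definition, which would leave just the `-s remove` scenario running. Give each job its own name, for example `system_update_manager-increase-test`, `system_update_manager-decrease-test` and `system_update_manager-remove-test`. Separately, `changes:` appears without a list item under `rules:` in the first hunk and with no `rules:` or `only:` parent in the other hunks (indentation is lost in this view, so confirm against the file); the documented form is `rules:` followed by `- changes:` with the paths nested below it, and a directory is normally matched with a glob such as `roles/timeservice/**/*`.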
[![pipeline status](https://gitlab.ethz.ch/ansible-community/collections/system_configuratoin/badges/master/pipeline.svg)](https://gitlab.ethz.ch/ansible-community/collections/system_configuration)
# Ansible Collection - ethz.system_configuration
Documentation for the collection.
Collection of configurations specific for ETH Zurich:
- private_subnet_client: set HTTP proxy for OS and Docker service
- console_configuration: configure system console for Swiss keyboards (and others)
- timeservice: timezone, `chrony` and `ntp` settings for Zurich
- system_update_manager: Install OS updates, reboot system if necessary
\ No newline at end of file
[![pipeline status](https://gitlab.ethz.ch/ansible-community/collections/console_configuration/badges/master/pipeline.svg)](https://gitlab.ethz.ch/ansible-community/collections/console_configuration)
console_configuration
Ansible Collection - console_configuration
=========
Set some basic console properties.
......
[![pipeline status](https://gitlab.ethz.ch/ansible-community/collections/private_subnet_client/badges/master/pipeline.svg)](https://gitlab.ethz.ch/ansible-community/collections/private_subnet_client)
# Ansible Collection - ethz.private_subnet_client
Proxy Configuration for Private Subnet Clients
......
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable
System Update Manager
=========
Update systems once or regularly with the standard system package manager,
and maintain the package exclusion list.
Distributions tested with Molecule:
- CentOS 7/8
- Debian 10 Buster
- Ubuntu 20.04
Role Variables
--------------
- system_update_manager_excluded: list of packages to be excluded from updates
- system_update_manager_forceupdate: perform an upgrade now
- system_update_manager_autoreboot: determine if the system has to be rebooted, and perform reboot
- system_update_manager_cronjob: install a update job to cron
- system_update_manager_cron_schedule: schedule in cron format, i.e. `"0 3 * * *"`
- system_update_manager_cron_force_reboot: add an automatic reboot after updates triggered by cron
---
# List of packages to exclude from update
system_update_manager_excluded: []
# Run a full system update during Ansible run
system_update_manager_forceupdate: false
# Automatic reboot if required after update
system_update_manager_autoreboot: false
# Cronjob configuration
system_update_manager_cronjob: false
system_update_manager_cron_schedule: "0 3 * * *"
# See OS specific definitions in vars/*
system_update_manager_cron_command: "{{ __system_update_manager_update_command }}"
# Reboot if necessary
system_update_manager_cron_force_reboot: true
# See OS specific definitions in vars/*
system_update_manager_cron_checkreboot: "{{ __system_update_manager_cron_checkreboot }}"
# Variable placeholder definition, do not change
system_update_manager_reboot_required: false
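Review bot: `system_update_manager_cron_force_reboot` defaults to `true` while the interactive counterpart `system_update_manager_autoreboot` defaults to `false`, so enabling only `system_update_manager_cronjob` also opts a host into unattended reboots. Consider `system_update_manager_cron_force_reboot: false` so that a scheduled reboot is an explicit choice; the scenario that asserts on the reboot check in the cron file would then have to set it. The two `system_update_manager_cron_*` command variables presumably end up in a cron job run as root, so a comment such as `# Written into the cron job as-is; override only with trusted values` would help whoever overrides them.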
---
# handlers file for update-exclusion-manager
---
- name: Converge
hosts: all
vars:
system_update_manager_excluded: ['nano']
tasks:
- name: "Include system-update-manager"
include_role:
name: "system-update-manager"
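Review bot: The role is included as `system-update-manager`, but the CI jobs run from `roles/system_update_manager` and another converge playbook in this commit includes `system_update_manager`; unless a hyphenated alias exists outside this view, the include will not resolve. Use `name: "system_update_manager"` here and in the other converge playbook that uses the hyphenated name. The task title `Include system-update-manager` should follow the same spelling.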
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint -c molecule/yaml-lint.yml .
ansible-lint tasks
platforms:
- name: EL7
image: geerlingguy/docker-centos7-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: EL8
image: geerlingguy/docker-centos8-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: Debian10
image: geerlingguy/docker-debian10-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: Ubuntu2004
image: geerlingguy/docker-ubuntu2004-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
verifier:
name: ansible
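Review bot: All four platforms pull `geerlingguy/...:latest` and run with `privileged: true`, so every pipeline run executes whatever the registry currently serves under that tag, in a container with full privileges on the runner's Docker daemon. Pin each image to a digest, e.g. `image: geerlingguy/docker-centos7-ansible@sha256:<digest-placeholder>`, and add a comment stating why privileged mode is needed (presumably systemd inside the container, given the cgroup mount). The same applies to the other two `molecule.yml` files added in this commit. Platform names are upper-case here and lower-case in the scenario that sets `playbooks.prepare`; one convention would read better.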
---
- name: Prepare
hosts: all
tasks:
- name: Update apt cache
apt:
update_cache: true
when: ansible_os_family == "Debian"
- name: Install optionals packages for exclusion test
package:
name:
- nano
- name: Ensure /etc/cron.d exists (missing in Docker image)
file:
path: /etc/cron.d
state: directory
- name: Exclude test packages (apt)
command: apt-mark hold nano sudo
when: ansible_os_family == "Debian"
- name: Exclude test packages (EL7)
block:
- set_fact:
yumconf: /etc/yum.conf
when: ansible_distribution_major_version == "7"
- set_fact:
yumconf: /etc/dnf/dnf.conf
when: ansible_distribution_major_version >= "8"
- name: Set excludes
ini_file:
path: "{{ yumconf }}"
section: main
option: exclude
unsafe_writes: true
value: "nano sudo"
when: ansible_os_family == "RedHat"
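Review bot: `when: ansible_distribution_major_version >= "8"` compares strings, so the ordering is lexical and a two-digit major version such as "10" sorts below "8", which would leave `yumconf` undefined for the `Set excludes` task. Compare numerically instead: `when: ansible_distribution_major_version | int >= 8`. The two `set_fact` tasks have no `name`, and `unsafe_writes: true` deserves a comment saying why atomic replacement is turned off (likely a bind-mounted or busy file in the container; confirm). The block is titled `Exclude test packages (EL7)` although it also handles version 8 and later.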
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
tasks:
- name: Test Debian specific results
block:
- name: Get excluded packages
command: "apt-mark showhold"
register: debian_packages
- name: apt-mark shows excluded packages
assert:
that: debian_packages.stdout == "nano"
when: ansible_os_family == "Debian"
- name: Test Redhat specific results
block:
- name: Get excluded packages
command: cat /etc/yum.conf
register: yum_conf
- name: yum.conf contains excluded packages
assert:
that: '"exclude = nano" is in yum_conf.stdout'
- name: yum.conf contains excluded packages
assert:
that: '"sudo" is not in yum_conf.stdout'
when: ansible_os_family == "RedHat"
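Review bot: The Debian assertion `debian_packages.stdout == "nano"` compares the raw output of `apt-mark showhold` as one string, so it depends on output order and formatting; the same pattern is used with `"nano\nsudo"` in the other two verify playbooks. Asserting on the list is sturdier, e.g. `that: debian_packages.stdout_lines | sort == ["nano"]`. The second RedHat assertion checks that `sudo` is absent but reuses the title `yum.conf contains excluded packages`; a title such as `yum.conf no longer excludes sudo` would match what it tests. The header comment `This is an example playbook to execute Ansible tests.` is leftover scaffold text and could describe the scenario instead.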
*******
Docker driver installation guide
*******
Requirements
============
* Docker Engine
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ python3 -m pip install 'molecule[docker]'
---
- name: Converge
hosts: all
vars:
- system_update_manager_excluded: ['nano', 'sudo']
- system_update_manager_cronjob: true
tasks:
- name: "Include system_update_manager"
include_role:
name: "system_update_manager"
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint -c molecule/yaml-lint.yml .
ansible-lint tasks
platforms:
- name: el7
image: geerlingguy/docker-centos7-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: el8
image: geerlingguy/docker-centos8-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: debian10
image: geerlingguy/docker-debian10-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: ubuntu2004
image: geerlingguy/docker-ubuntu2004-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
prepare: ../prepare.yml
verifier:
name: ansible
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
tasks:
- name: Test Debian specific results
block:
- name: Get excluded packages
command: "apt-mark showhold"
register: debian_packages
- name: apt-mark shows excluded packages
assert:
that: debian_packages.stdout == "nano\nsudo"
- name: Read crontab contents
command: cat /etc/cron.d/update_manager
register: crontab_content
- name: crontab contains reboot test
assert:
that: '"reboot-required" is in crontab_content.stdout'
when: ansible_os_family == "Debian"
- name: Test Redhat specific results
block:
- name: Get excluded packages
command: cat /etc/yum.conf
register: yum_conf
- name: yum.conf contains excluded packages
assert:
that: '"exclude = nano sudo" is in yum_conf.stdout'
- name: Read crontab contents
command: cat /etc/cron.d/update_manager
register: crontab_content
- name: crontab contains reboot test
assert:
that: '"tracer" is in crontab_content.stdout'
when: ansible_os_family == "RedHat"
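Review bot: The scenario only checks the content of `/etc/cron.d/update_manager`; nothing asserts its owner or mode, although a file in `/etc/cron.d` schedules commands and should not be writable by anyone but root. Add a `stat` task and an assertion on `pw_name` and `mode` ahead of the OS-specific blocks, as sketched below, adjusting the accepted modes to what the role actually sets. The `Read crontab contents` task is duplicated in both blocks and could be hoisted to the same place.

```yaml
    - name: Stat cron file
      stat:
        path: /etc/cron.d/update_manager
      register: cron_file
    - name: Cron file is owned by root and not group- or world-writable
      assert:
        that:
          - cron_file.stat.pw_name == "root"
          - cron_file.stat.mode in ["0644", "0600"]
    # … unchanged: Debian and RedHat result blocks …
```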
---
- name: Converge
hosts: all
vars:
system_update_manager_excluded: ['nano', 'sudo']
tasks:
- name: "Include system-update-manager"
include_role:
name: "system-update-manager"
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint -c molecule/yaml-lint.yml .
ansible-lint tasks
platforms:
- name: EL7
image: geerlingguy/docker-centos7-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: EL8
image: geerlingguy/docker-centos8-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: Debian10
image: geerlingguy/docker-debian10-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: Ubuntu2004
image: geerlingguy/docker-ubuntu2004-ansible:latest
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
verifier:
name: ansible
---
- name: Prepare
hosts: all
tasks:
- name: Update apt cache
apt:
update_cache: true
when: ansible_os_family == "Debian"
- name: Install optionals packages for exclusion test
package:
name:
- nano
- name: Ensure /etc/cron.d exists (missing in Docker image)
file:
path: /etc/cron.d
state: directory
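Review bot: The `file` task that creates `/etc/cron.d` sets no `owner`, `group` or `mode`, so the directory gets whatever the umask in the container yields; the first prepare playbook in this commit carries the same task. State them explicitly, e.g. `owner: root`, `group: root`, `mode: "0755"`, with the mode quoted so it is not read as a number.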
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
tasks:
- name: Test Debian specific results
block:
- name: Get excluded packages
command: "apt-mark showhold"
register: debian_packages
- name: apt-mark shows excluded packages
assert:
that: debian_packages.stdout == "nano\nsudo"
when: ansible_os_family == "Debian"
- name: Test Redhat specific results
block:
- name: Get excluded packages
command: cat /etc/yum.conf
register: yum_conf
- name: yum.conf contains excluded packages
assert:
that: '"exclude = nano sudo" is in yum_conf.stdout'
when: ansible_os_family == "RedHat"