From: Morgan Richomme Date: Mon, 12 Sep 2016 07:39:23 +0000 (+0000) Subject: Merge "Fix security issues reported by the security audit" X-Git-Tag: colorado.1.0~51 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=3065cdbb3d3b0c69c484e4d2b4c295d8babe1e2c;hp=4b575b7090cf08bf4dd3bd5ea733ccfa36100276;p=releng.git Merge "Fix security issues reported by the security audit" --- diff --git a/jjb/apex/apex-deploy.sh b/jjb/apex/apex-deploy.sh index 4fd7b0069..72fa6f6f0 100755 --- a/jjb/apex/apex-deploy.sh +++ b/jjb/apex/apex-deploy.sh @@ -54,8 +54,8 @@ else fi # source the file so we get OPNFV vars source opnfv.properties - RPM_INSTALL_PATH=$(echo $OPNFV_RPM_URL | sed 's/'"$(basename $OPNFV_RPM_URL)"'//') - RPM_LIST=$RPM_INSTALL_PATH/$(basename $OPNFV_RPM_URL) + RPM_INSTALL_PATH=$(echo "http://"$OPNFV_RPM_URL | sed 's/\/'"$(basename $OPNFV_RPM_URL)"'//') + RPM_LIST=${RPM_INSTALL_PATH}/$(basename $OPNFV_RPM_URL) fi fi diff --git a/jjb/apex/apex.yml b/jjb/apex/apex.yml index 8a5a82f13..89965d77b 100644 --- a/jjb/apex/apex.yml +++ b/jjb/apex/apex.yml @@ -334,6 +334,7 @@ OPNFV_CLEAN=yes git-revision: false block: true + same-node: true - trigger-builds: - project: 'cperf-apex-intel-pod2-daily-{stream}' predefined-parameters: diff --git a/jjb/armband/armband-ci-jobs.yml b/jjb/armband/armband-ci-jobs.yml index f100a46a8..25987328d 100644 --- a/jjb/armband/armband-ci-jobs.yml +++ b/jjb/armband/armband-ci-jobs.yml @@ -90,7 +90,7 @@ properties: - throttle: enabled: true - max-total: 1 + max-total: 4 max-per-node: 1 option: 'project' - build-blocker: @@ -152,12 +152,12 @@ - job-template: name: '{installer}-deploy-{pod}-daily-{stream}' - concurrent: false + concurrent: true properties: - throttle: enabled: true - max-total: 1 + max-total: 4 max-per-node: 1 option: 'project' - build-blocker: diff --git a/jjb/armband/armband-deploy.sh b/jjb/armband/armband-deploy.sh index fb4c1ead5..4041a6b14 100755 --- a/jjb/armband/armband-deploy.sh 
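Review bot: The rewritten `RPM_INSTALL_PATH` line in jjb/apex/apex-deploy.sh hard-codes an `http://` prefix and still expands `$OPNFV_RPM_URL` unquoted. The value sourced from opnfv.properties is therefore word-split and then used as a sed pattern, where its `.` characters match any character. For a URL that ends in a single file name, parameter expansion does the same job without sed: `RPM_INSTALL_PATH="http://${OPNFV_RPM_URL%/*}"` and `RPM_LIST="${RPM_INSTALL_PATH}/${OPNFV_RPM_URL##*/}"`. No checksum or signature check on the packages is visible in this hunk; if the rest of the script has none, the cleartext download should be paired with one or moved to HTTPS. The enclosing if/else block starts and ends outside the hunk.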
+++ b/jjb/armband/armband-deploy.sh @@ -62,8 +62,13 @@ fi # releng wants us to use nothing else but opnfv.iso for now. We comply. ISO_FILE=$WORKSPACE/opnfv.iso +# log file name +FUEL_LOG_FILENAME="${JOB_NAME}_${BUILD_NUMBER}.log.tar.gz" + # construct the command -DEPLOY_COMMAND="$WORKSPACE/ci/deploy.sh -l $LAB_NAME -p $POD_NAME -b ${LAB_CONFIG_URL} -s $DEPLOY_SCENARIO -i file://${ISO_FILE} -H -B ${DEFAULT_BRIDGE:-pxebr} -S $TMPDIR" +DEPLOY_COMMAND="$WORKSPACE/ci/deploy.sh -b ${LAB_CONFIG_URL} \ + -l $LAB_NAME -p $POD_NAME -s $DEPLOY_SCENARIO -i file://${ISO_FILE} \ + -H -B ${DEFAULT_BRIDGE:-pxebr} -S $TMPDIR -L $WORKSPACE/$FUEL_LOG_FILENAME" # log info to console echo "Deployment parameters" @@ -83,7 +88,23 @@ echo "$DEPLOY_COMMAND" echo $DEPLOY_COMMAND +exit_code=$? echo echo "--------------------------------------------------------" -echo "Deployment is done successfully!" +echo "Deployment is done!" + +# upload logs for baremetal deployments +# work with virtual deployments is still going on so we skip that for the timebeing +if [[ "$JOB_NAME" =~ "baremetal-daily" ]]; then + echo "Uploading deployment logs" + gsutil cp $WORKSPACE/$FUEL_LOG_FILENAME gs://$GS_URL/logs/$FUEL_LOG_FILENAME > /dev/null 2>&1 + echo "Logs are available as http://$GS_URL/logs/$FUEL_LOG_FILENAME" +fi + +if [[ $exit_code -ne 0 ]]; then + echo "Deployment failed!" + exit $exit_code +else + echo "Deployment is successful!" +fi diff --git a/jjb/doctor/doctor.yml b/jjb/doctor/doctor.yml index 3b407efc9..ead6c00a1 100644 --- a/jjb/doctor/doctor.yml +++ b/jjb/doctor/doctor.yml 
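Review bot: `DEPLOY_COMMAND` in jjb/armband/armband-deploy.sh is still assembled as one string from unquoted job parameters (`$LAB_NAME`, `$POD_NAME`, `${LAB_CONFIG_URL}`, `$DEPLOY_SCENARIO`, `$TMPDIR`, and now `$WORKSPACE/$FUEL_LOG_FILENAME`). The context lines of the next hunk appear to run it as a bare `$DEPLOY_COMMAND`, so whitespace or glob characters in any value change the argument list handed to ci/deploy.sh. An array keeps each value a single argument: declare `DEPLOY_COMMAND=("$WORKSPACE/ci/deploy.sh" -b "$LAB_CONFIG_URL" -l "$LAB_NAME" ...)`, run it as `"${DEPLOY_COMMAND[@]}"`, and log it with `echo "${DEPLOY_COMMAND[*]}"`.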
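Review bot: The `gsutil cp` added in the baremetal-daily branch sends all output to /dev/null and ignores the exit status, so the following echo announces the log URL whether or not the upload worked. Test the result instead, e.g. `gsutil cp "$WORKSPACE/$FUEL_LOG_FILENAME" "gs://$GS_URL/logs/$FUEL_LOG_FILENAME" || echo "Log upload failed"`. The archive is advertised under an `http://$GS_URL/logs/` address, so it is worth confirming that the Fuel deployment logs are scrubbed of passwords and keys before upload. `exit_code=$?` only observes a failure if the script does not run under errexit; the top of the script is outside the hunk, so that should be checked.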
@@ -3,19 +3,30 @@ project: '{name}' - jobs: - - 'doctor-verify-{stream}' - stream: - master: branch: '{stream}' gs-pathname: '' + docker_tag: 'master' disabled: false - colorado: branch: 'stable/{stream}' gs-pathname: '/{stream}' + docker_tag: 'stable' disabled: false + installer: + - apex: + slave-label: 'ool-virtual1' + + inspector: + - sample + - congress + + jobs: + - 'doctor-verify-{stream}' + - 'doctor-verify-{installer}-{inspector}-{stream}' + - job-template: name: 'doctor-verify-{stream}' 
@@ -58,3 +69,68 @@ builders: - shell: "[ -e tests/run.sh ] && bash -n ./tests/run.sh" + +- job-template: + name: 'doctor-verify-{installer}-{inspector}-{stream}' + + parameters: + - project-parameter: + project: '{project}' + - gerrit-parameter: + branch: '{branch}' + - string: + name: INSPECTOR_TYPE + default: '{inspector}' + description: 'Doctor inspector type to be used' + - string: + name: INSTALLER_TYPE + default: apex + description: 'OPNFV Installer type' + - string: + name: OS_CREDS + default: /home/jenkins/openstack.creds + description: 'OpenStack credentials' + - '{installer}-defaults' + - '{slave-label}-defaults' + - 'functest-suite-parameter' + - string: + name: DEPLOY_SCENARIO + default: 'os-odl_l2-nofeature-ha' + - string: + name: DOCKER_TAG + default: '{docker_tag}' + description: 'Tag to pull docker image' + - functest-parameter: + gs-pathname: '{gs-pathname}' + + scm: + - gerrit-trigger-scm: + credentials-id: '{ssh-credentials}' + refspec: '$GERRIT_REFSPEC' + choosing-strategy: 'gerrit' + + triggers: + - gerrit: + trigger-on: + - patchset-created-event: + exclude-drafts: 'false' + exclude-trivial-rebase: 'false' + exclude-no-code-change: 'false' + - draft-published-event + - comment-added-contains-event: + comment-contains-value: 'recheck' + - comment-added-contains-event: + comment-contains-value: 'reverify' + projects: + - project-compare-type: 'ANT' + project-pattern: '{project}' + branches: + - branch-compare-type: 'ANT' + branch-pattern: '**/{branch}' + file-paths: + - compare-type: ANT + pattern: 'tests/**' + + builders: + - 'functest-suite-builder': + TESTCASE_OPTIONS: '-e INSPECTOR_TYPE=$INSPECTOR_TYPE -v $WORKSPACE:$HOME/opnfv/repos/doctor' diff --git a/jjb/functest/functest-ci-jobs.yml b/jjb/functest/functest-ci-jobs.yml index 0f0cabab3..7120790d8 100644 --- a/jjb/functest/functest-ci-jobs.yml +++ b/jjb/functest/functest-ci-jobs.yml 
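Review bot: The new 'doctor-verify-{installer}-{inspector}-{stream}' template fires on every patchset-created event, drafts included, and its `TESTCASE_OPTIONS` mounts `$WORKSPACE` (the unreviewed change) into the functest container, which jjb/functest/set-functest-env.sh starts with `--privileged=true`. The same job defaults `OS_CREDS` to /home/jenkins/openstack.creds and takes `SSH_KEY` from 'ool-virtual1-defaults', so code from any uploaded patch appears to run next to long-lived credentials. Consider gating the trigger on a maintainer vote or comment and using credentials scoped to a throw-away tenant. A comment above the builder would record the assumption: `# mounts the patch under test into a privileged container; node must be disposable`.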
@@ -264,6 +264,10 @@ - 'vims' - 'multisite' - 'parser' + - string: + name: TESTCASE_OPTIONS + default: '' + description: 'Addtional parameters specific to test case(s)' - parameter: name: functest-parameter parameters: diff --git a/jjb/functest/set-functest-env.sh b/jjb/functest/set-functest-env.sh index b7d745a79..1c77702eb 100755 --- a/jjb/functest/set-functest-env.sh +++ b/jjb/functest/set-functest-env.sh @@ -59,7 +59,9 @@ test -f ${HOME}/opnfv/functest/custom/params_${DOCKER_TAG} && custom_params=$(ca echo "Functest: Pulling image opnfv/functest:${DOCKER_TAG}" docker pull opnfv/functest:$DOCKER_TAG >/dev/null -cmd="sudo docker run --privileged=true -id ${envs} ${labconfig} ${sshkey} ${res_volume} ${custom_params} ${stackrc} opnfv/functest:${DOCKER_TAG} /bin/bash" +cmd="sudo docker run --privileged=true -id ${envs} ${labconfig} ${sshkey} \ + ${res_volume} ${custom_params} ${stackrc} ${TESTCASE_OPTIONS} \ + opnfv/functest:${DOCKER_TAG} /bin/bash" echo "Functest: Running docker run command: ${cmd}" ${cmd} >${redirect} sleep 5 diff --git a/jjb/infra/infra-daily-jobs.yml b/jjb/infra/infra-daily-jobs.yml index a066e7db4..df90c6d13 100644 --- a/jjb/infra/infra-daily-jobs.yml +++ b/jjb/infra/infra-daily-jobs.yml @@ -16,7 +16,7 @@ #-------------------------------- pod: - virtual: - slave-label: infra-virtual + slave-label: infra-virtual-trusty <<: *master #-------------------------------- # phases diff --git a/jjb/infra/openstack-bifrost-verify-jobs.yml b/jjb/infra/openstack-bifrost-verify-jobs.yml new file mode 100644 index 000000000..8afe47cd1 --- /dev/null +++ b/jjb/infra/openstack-bifrost-verify-jobs.yml 
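Review bot: `${TESTCASE_OPTIONS}` is spliced unquoted into the `sudo docker run --privileged=true` command in jjb/functest/set-functest-env.sh, and the parameter added in jjb/functest/functest-ci-jobs.yml is a free-form string. Whoever can set job parameters can therefore pass any extra docker run option (volumes, environment, network settings) to a privileged container. If only `-e`/`-v` pairs are intended, validate the value before building `cmd`, or replace it with dedicated parameters that the script turns into options itself. At minimum, state the trust assumption next to the assignment, e.g. `# TESTCASE_OPTIONS is set by job definitions only, never from Gerrit event data`.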
@@ -0,0 +1,111 @@ +- project: + name: 'openstack-bifrost-verify' + + project: 'releng' +#-------------------------------- +# branches +#-------------------------------- + stream: + - master: + branch: '{stream}' +#-------------------------------- +# distros +# jobs for centos7 and suse can be enabled once the support is there +#-------------------------------- + distro: + - 'trusty': + slave-label: infra-virtual-trusty + disabled: false + - 'centos7': + slave-label: infra-virtual-trusty + disabled: true + - 'suse': + slave-label: infra-virtual-trusty + disabled: true +#-------------------------------- +# jobs +#-------------------------------- + jobs: + - 'openstack-bifrost-verify-{distro}-{stream}' +#-------------------------------- +# job templates +#-------------------------------- +- job-template: + name: 'openstack-bifrost-verify-{distro}-{stream}' + + concurrent: false + + disabled: '{obj:disabled}' + + properties: + - build-blocker: + use-build-blocker: true + blocking-jobs: + - 'infra-os-.*?-daily-.*' + block-level: 'NODE' + + parameters: + - project-parameter: + project: '{project}' + - string: + name: DISTRO + default: '{distro}' + - string: + name: CLEAN_DIB_IMAGES + default: 'true' + - '{slave-label}-defaults' + + scm: + - git-scm: + credentials-id: '{ssh-credentials}' + refspec: '' + branch: '{branch}' + + triggers: + - gerrit: + server-name: 'review.openstack.org' + silent-start: true + skip-vote: + successful: true + failed: true + unstable: true + notbuilt: true + escape-quotes: true + trigger-on: + - patchset-created-event: + exclude-drafts: 'false' + exclude-trivial-rebase: 'false' + exclude-no-code-change: 'false' + - comment-added-contains-event: + comment-contains-value: 'recheck' + projects: + - project-compare-type: 'PLAIN' + project-pattern: 'openstack/bifrost' + branches: + - branch-compare-type: 'ANT' + branch-pattern: '**/master' + forbidden-file-paths: + - compare-type: ANT + pattern: 'doc/**' + - compare-type: ANT + pattern: 
'releasenotes/**' + readable-message: true + + builders: + - description-setter: + description: "Built on $NODE_NAME" + - 'openstack-bifrost-verify-builder' + + publishers: + - email: + recipients: fatih.degirmenci@ericsson.com yroblamo@redhat.com mchandras@suse.de jack.morgan@intel.com zhang.jun3g@zte.com.cn +##################################### +# builder macros +##################################### +- builder: + name: 'openstack-bifrost-verify-builder' + builders: + - shell: | + #!/bin/bash + + sudo -E $WORKSPACE/jjb/infra/openstack-bifrost-verify.sh diff --git a/jjb/infra/openstack-bifrost-verify.sh b/jjb/infra/openstack-bifrost-verify.sh new file mode 100755 index 000000000..a4653f921 --- /dev/null +++ b/jjb/infra/openstack-bifrost-verify.sh 
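Review bot: The 'openstack-bifrost-verify-builder' macro runs `sudo -E $WORKSPACE/jjb/infra/openstack-bifrost-verify.sh`, while the gerrit trigger fires on every patchset created for openstack/bifrost on review.openstack.org. Scripts from changes that nobody has reviewed are therefore executed as root on the 'infra-virtual-trusty' slave with the whole Jenkins environment preserved. Prefer a slave that is rebuilt for each run, and pass only the variables the script needs rather than using `-E`. A comment on the macro should document the trust boundary, e.g. `# runs unreviewed upstream code as root; slave must hold no credentials`. `$WORKSPACE` should also be quoted in the shell line.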
@@ -0,0 +1,52 @@ +#!/bin/bash +# SPDX-license-identifier: Apache-2.0 +############################################################################## +# Copyright (c) 2016 Ericsson AB and others. +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +set -o errexit +set -o nounset +set -o pipefail + +# check distro to see if we support it +# we will have centos and suse supported in future +case "$DISTRO" in + trusty) + #start the test + echo "Starting provisioning of 3 VMs" + ;; + *) + echo "Distro $DISTRO is not supported!" + exit 1 +esac + +# remove previously cloned repos +/bin/rm -rf /opt/bifrost /opt/puppet-infracloud /opt/releng + +# clone upstream bifrost repo and checkout the patch to verify +git clone https://git.openstack.org/openstack/bifrost /opt/bifrost +cd /opt/bifrost +git fetch https://git.openstack.org/openstack/bifrost $GERRIT_REFSPEC && git checkout FETCH_HEAD + +# clone puppet-infracloud +git clone https://git.openstack.org/openstack-infra/puppet-infracloud /opt/puppet-infracloud + +# combine opnfv and upstream scripts/playbooks +cp -R $WORKSPACE/prototypes/bifrost/* /opt/bifrost/ + +# cleanup remnants of previous deployment +cd /opt/bifrost +./scripts/destroy-env.sh + +# provision 3 VMs; jumphost, controller, and compute +cd /opt/bifrost +./scripts/test-bifrost-deployment.sh + +# list the provisioned VMs +cd /opt/bifrost +source env-vars +ironic node-list +virsh list diff --git a/jjb/opnfv/slave-params.yml b/jjb/opnfv/slave-params.yml index c7ec6aa9d..b2f17c1e7 100644 --- a/jjb/opnfv/slave-params.yml +++ b/jjb/opnfv/slave-params.yml 
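Review bot: `$GERRIT_REFSPEC` and `$WORKSPACE` are expanded unquoted in a script that the job runs as root, in `git fetch ... $GERRIT_REFSPEC` and in `cp -R $WORKSPACE/prototypes/bifrost/* /opt/bifrost/`. Quote both, e.g. `git fetch https://git.openstack.org/openstack/bifrost "$GERRIT_REFSPEC" && git checkout FETCH_HEAD` and `cp -R "$WORKSPACE"/prototypes/bifrost/* /opt/bifrost/`. After the checkout, `./scripts/test-bifrost-deployment.sh` and `source env-vars` come from the change under review unless the cp overwrites them, so a header comment should state that the script is only meant for a disposable node. puppet-infracloud is cloned at whatever its default branch currently holds; pinning a known commit would make the runs reproducible.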
@@ -240,11 +240,11 @@ default: https://gerrit.opnfv.org/gerrit/$PROJECT description: 'Git URL to use on this Jenkins Slave' - parameter: - name: 'infra-virtual-defaults' + name: 'infra-virtual-trusty-defaults' parameters: - label: name: SLAVE_LABEL - default: 'infra-virtual' + default: 'infra-virtual-trusty' - string: name: GIT_BASE default: https://gerrit.opnfv.org/gerrit/$PROJECT @@ -635,6 +635,24 @@ name: GIT_BASE default: https://gerrit.opnfv.org/gerrit/$PROJECT description: 'Git URL to use on this Jenkins Slave' +- parameter: + name: 'ool-virtual1-defaults' + parameters: + - node: + name: SLAVE_NAME + description: 'Slave name on Jenkins' + allowed-slaves: + - ool-virtual1 + default-slaves: + - ool-virtual1 + - string: + name: GIT_BASE + default: https://gerrit.opnfv.org/gerrit/$PROJECT + description: 'Git URL to use on this Jenkins Slave' + - string: + name: SSH_KEY + default: /root/.ssh/id_rsa + description: 'SSH key to be used' ##################################################### # These slaves are just dummy slaves for sandbox jobs #####################################################
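Review bot: The new 'ool-virtual1-defaults' macro defaults `SSH_KEY` to /root/.ssh/id_rsa, root's own private key on the slave. The macro is consumed by the doctor verify job (installer apex, slave-label 'ool-virtual1'), which builds unreviewed Gerrit patches. A key generated for CI only, with limited reach and readable by the jenkins user, would bound the damage if a job exposes it. The description could say so: `description: 'Dedicated CI SSH key (not a personal or root login key)'`.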