# SPDX-License-Identifier: Apache-2.0
[rstcheck]
-report=warning
+report_level=ERROR
ignore_substitutions=today
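Review bot: The new `report_level=ERROR` line relaxes the lint as well as renaming the key: the old `report=warning` reported warnings, whereas now only errors and above are reported. If that is intended, say so in the file, e.g. `# warnings are deliberately not reported; only ERROR and above fail the lint`. As far as I know the `report_level` spelling is only read by rstcheck 6 and later, so the rstcheck version used by the gate needs a matching lower bound.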
ignore: |
deployment.yaml
+ .tox/
rules:
line-length: disable
+ truthy: disable
+ comments-indentation: disable
+ comments: disable
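Review bot: Turning `truthy`, `comments-indentation` and `comments` off for the whole tree removes the checks instead of fitting them to the playbooks. For `truthy`, yamllint allows the rule to stay on with the Ansible spellings permitted, e.g. `truthy: {allowed-values: ['true', 'false', 'yes', 'no']}`, which still catches stray values such as `on` or `y`. If the three rules do have to stay disabled, a one-line comment above them saying why would help the next maintainer.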
Infrastructure Prerequisites
=============================
-Please refer to Chapter 3 of `Anuket RI-2 Documentation <https://cntt.readthedocs.io/en/latest/ref_impl/cntt-ri2/chapters/chapter03.html>`_
+Please refer to Chapter 3 of `Anuket RI-2 Chapter 03 Documentation <https://cntt.readthedocs.io/projects/ri2/en/latest/chapters/chapter03.html>`_
for detailed information on the server and network specifications.
Additionally, please make note of the following:
Deployment on Baremetal and Provider Infrastructure
===================================================
-Please refer to Chapter 4 of `Anuket RI-2 Documentation <https://cntt.readthedocs.io/en/latest/ref_impl/cntt-ri2/chapters/chapter04.html>`_
+Please refer to Chapter 4 of `Anuket RI-2 Chapter 04 Documentation <https://cntt.readthedocs.io/projects/ri2/en/latest/chapters/chapter04.html>`_
for instructions to get started with the deployment.
Deployment on Virtualized Infrastructure
===========================================
Kuberef is validated by running test cases defined in Anuket RC-2 Cookbook.
-For setting up RC-2 Conformance toolchain, please refer to `Anuket RC-2 Chapter 03 <https://cntt.readthedocs.io/en/latest/ref_cert/RC2/chapters/chapter03.html>`_.
+For setting up RC-2 Conformance toolchain, please refer to `Anuket RC-2 Chapter 03 <https://cntt.readthedocs.io/projects/rc2/en/latest/chapters/chapter03.html>`_.
#-------------------------------------------------------------------------------
if [ "$OS_ID" == "ubuntu" ]; then
- sudo apt update -y
- ansible --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo apt-add-repository --yes --update ppa:ansible/ansible
- sudo apt-get install -y ansible
- fi
-
- yq --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq
- sudo chmod +x /usr/bin/yq
- fi
-
- virsh --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo apt-get install -y virsh
- fi
-
- jq --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo apt-get install -y jq
- fi
-
- virtualenv --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo apt-get install -y virtualenv
- fi
-
- pip --version
- if [ $RESULT -ne 0 ]; then
- sudo apt-get install -y pip
- fi
+ sudo apt update -y
+ ansible --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo apt-add-repository --yes --update ppa:ansible/ansible
+ sudo apt-get install -y ansible
+ fi
+
+ yq --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq
+ sudo chmod +x /usr/bin/yq
+ fi
+
+ virsh --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo apt-get install -y virsh
+ fi
+
+ jq --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo apt-get install -y jq
+ fi
+
+ virtualenv --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo apt-get install -y virtualenv
+ fi
+
+ pip --version
+ if [ $RESULT -ne 0 ]; then
+ sudo apt-get install -y pip
+ fi
elif [ "$OS_ID" == "centos" ]; then
- sudo yum update -y
- ansible --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo dnf install epel-release
- sudo dnf install ansible
- fi
-
- yq --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq
- sudo chmod +x /usr/bin/yq
- fi
-
- virsh --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo yum install -y virsh
- fi
-
- jq --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo yum install -y jq
- fi
-
- virtualenv --version
- RESULT=$?
- if [ $RESULT -ne 0 ]; then
- sudo yum install -y virtualenv
- fi
-
- pip --version
- if [ $RESULT -ne 0 ]; then
- sudo yum install -y pip
- fi
+ sudo yum update -y
+ ansible --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo dnf install epel-release
+ sudo dnf install ansible
+ fi
+
+ yq --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq
+ sudo chmod +x /usr/bin/yq
+ fi
+
+ virsh --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo yum install -y virsh
+ fi
+
+ jq --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo yum install -y jq
+ fi
+
+ virtualenv --version
+ RESULT=$?
+ if [ $RESULT -ne 0 ]; then
+ sudo yum install -y virtualenv
+ fi
+
+ pip --version
+ if [ $RESULT -ne 0 ]; then
+ sudo yum install -y pip
+ fi
fi
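Review bot: The `pip --version` check in both branches is not followed by `RESULT=$?`, so the `if [ $RESULT -ne 0 ]` after it tests the status left over from the `virtualenv --version` check, and pip is only installed when virtualenv was missing; add `RESULT=$?` after each `pip --version` line. Separately, the yq binary is fetched with `sudo wget` straight into `/usr/bin/yq` and made executable without any integrity check; download it to a temporary file, compare it with a pinned SHA-256 digest using `sha256sum -c`, and only then install it. In the centos branch `sudo dnf install epel-release` and `sudo dnf install ansible` lack `-y` and will wait for input in an unattended run. The enclosing function starts outside this hunk.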
#-------------------------------------------------------------------------------
if [ ! -d "$CURRENTPATH/.venv" ]; then
virtualenv "$CURRENTPATH/.venv"
fi
- # shellcheck disable=SC1090
+ # shellcheck disable=SC1090,SC1091
source "$CURRENTPATH/.venv/bin/activate"
pip install -r "$CURRENTPATH/requirements.txt"
}
disk_rotation:
os: ubuntu1804
interfaces:
- # NOTE (fdegir): The IPs listed below actually belong to the libvirt bridges
- # we create & configure since this is virtual POD and its real IP has nothing
- # to do with the deployment itself.
- # interface connected to admin/pxe network
- - address: 10.1.0.1
- # interface connected to public network
- - address: 10.2.0.1
+ # NOTE (fdegir): The IPs listed below actually belong to the libvirt bridges
+ # we create & configure since this is virtual POD and its real IP has nothing
+ # to do with the deployment itself.
+ # interface connected to admin/pxe network
+ - address: 10.1.0.1
+ # interface connected to public network
+ - address: 10.2.0.1
##############################################################################
nodes:
- name: node1
connection: local
tasks: []
roles:
- - { role: kubespray_install }
+ - {role: kubespray_install}
environment: "{{ proxy_env | d({}) }}"
any_errors_fatal: true
kubelet_node_custom_flags: "{{ kubelet_node_custom_flags_prepare | from_yaml }}"
kube_api_anonymous_auth: true
kube_feature_gates:
- - CPUManager=true # feature gate can be enabled by default, default policy is none in Kubernetes
+ - CPUManager=true # feature gate can be enabled by default, default policy is none in Kubernetes
- TopologyManager={{ topology_manager_enabled | default(true) }}
- RotateKubeletServerCertificate=true
# Kubernetes cluster hardening
# Early check if SELinux is configured properly
- block:
- - name: "Collect packages facts"
- package_facts:
- - debug:
- msg:
- - "Current SELinux status:"
- - "status: {{ ansible_selinux.status | default('') }}"
- - "policy version: {{ ansible_selinux.policyvers | default('') }}"
- - "type: {{ ansible_selinux.type | default('') }}"
- - "mode: {{ ansible_selinux.mode | default('') }}"
- - "config_mode: {{ ansible_selinux.config_mode | default('') }}"
-
- - name: check selinux condition possibly causing system boot failure
- debug:
- msg:
- - "Current SELinux setup might cause the system possibly will not boot up on next reboot."
- - "Please, check SELinux settings and set it up according to the documentation."
- when:
- - "'selinux-policy' not in ansible_facts.packages"
- - "'selinux-policy-targeted' not in ansible_facts.packages"
+ - name: "Collect packages facts"
+ package_facts:
+ - debug:
+ msg:
+ - "Current SELinux status:"
+ - "status: {{ ansible_selinux.status | default('') }}"
+ - "policy version: {{ ansible_selinux.policyvers | default('') }}"
+ - "type: {{ ansible_selinux.type | default('') }}"
+ - "mode: {{ ansible_selinux.mode | default('') }}"
+ - "config_mode: {{ ansible_selinux.config_mode | default('') }}"
+
+ - name: check selinux condition possibly causing system boot failure
+ debug:
+ msg:
+ - "Current SELinux setup might cause the system possibly will not boot up on next reboot."
+ - "Please, check SELinux settings and set it up according to the documentation."
+ when:
+ - "'selinux-policy' not in ansible_facts.packages"
+ - "'selinux-policy-targeted' not in ansible_facts.packages"
when:
- ansible_os_family == "RedHat"
# STORY: "cmk requires isolcpus to be configured"
- block:
- - debug:
- msg:
- - cmk_enabled = {{ cmk_enabled }} (group_vars/all.yml)
- - cmk_use_all_hosts = {{ cmk_use_all_hosts }} (group_vars/all.yml)
- - cmk_hosts_list = {{ cmk_hosts_list | default('') }} (group_vars/all.yml)
- - cmk_shared_num_cores = {{ cmk_shared_num_cores }} (group_vars/all.yml)
- - cmk_exclusive_num_cores = {{ cmk_exclusive_num_cores }} (group_vars/all.yml)
- - isolcpus_enabled = {{ isolcpus_enabled }} (host_vars)
- - isolcpus = {{ isolcpus }} (host_vars)
- - ansible_processor_count = {{ ansible_processor_count }}
- - ansible_processor_cores = {{ ansible_processor_cores }}
- - ansible_processor_threads_per_core = {{ ansible_processor_threads_per_core }}
- - ansible_processor_vcpus = {{ ansible_processor_vcpus }}
- - CPUs Reserved for OS = 0...{{ ansible_processor_count - 1 }}
-# - CPUs Reserved for OS = {{ lookup('sequence','0-{{ ansible_processor_count - 1 }}').split(',') }} # [E207] Nested jinja pattern
-
- - name: Check Intel CMK Config
- assert:
- that: ({{ cmk_enabled }} and {{ isolcpus_enabled }} and "{{ isolcpus }}" | length > 0)
- msg:
- - Incorrect configuration pertaining Intel CMK. Conflicting or improper values detected
- - When Intel CMK is enabled, CPUs isolation ('isolcpus') must be set according to the example file for host_vars. Please correct the configuration
-
- - name: Split isolcpus Groups
- set_fact:
- isolcpus_groups: "{{ isolcpus.split(',') }}"
-
- - debug: msg="isolcpus_groups = {{ isolcpus_groups }}"
-
- - name: Filter isolcpus Ranges
- set_fact:
- isolcpus_ranges: "{{ isolcpus_ranges + [item] }}"
- with_items: "{{ isolcpus_groups }}"
- when: ("-" in item)
-
- - debug: msg="isolcpus_ranges = {{ isolcpus_ranges }}"
-
- - name: Filter isolcpus Discretes
- set_fact:
- isolcpus_discretes: "{{ isolcpus_discretes + [item] }}"
- with_items: "{{ isolcpus_groups }}"
- when: ("-" not in item)
-
- - debug: msg="isolcpus_discretes = {{ isolcpus_discretes }}"
-
- - name: Build isolcpus List
- set_fact:
- isolcpus_list: "{{ isolcpus_list | default([]) | union(isolcpus_discretes) | union([item]) }}"
- with_sequence: "{{ isolcpus_ranges }}"
-
- - debug: msg="isolcpus_list = {{ isolcpus_list }}"
-
- - name: Check isolcpus Total
- assert:
- that: "{{ isolcpus_list | length }} <= ansible_processor_vcpus"
- msg:
- - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected
- - The number of isolcpus {{ isolcpus_list | length }}, exceeds total CPUs on target {{ ansible_processor_vcpus }}. Please correct the configuration
- when: isolcpus is defined
-
- - name: Check isolcpus IDs
- assert:
- that: "item | int <= ansible_processor_vcpus"
- msg:
- - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected
- - The CPU ID {{ item }} set for isolcpus is NOT actually present on target. Please correct the configuration
- with_items: "{{ isolcpus_list }}"
- when: isolcpus is defined
+ - debug:
+ msg:
+ - cmk_enabled = {{ cmk_enabled }} (group_vars/all.yml)
+ - cmk_use_all_hosts = {{ cmk_use_all_hosts }} (group_vars/all.yml)
+ - cmk_hosts_list = {{ cmk_hosts_list | default('') }} (group_vars/all.yml)
+ - cmk_shared_num_cores = {{ cmk_shared_num_cores }} (group_vars/all.yml)
+ - cmk_exclusive_num_cores = {{ cmk_exclusive_num_cores }} (group_vars/all.yml)
+ - isolcpus_enabled = {{ isolcpus_enabled }} (host_vars)
+ - isolcpus = {{ isolcpus }} (host_vars)
+ - ansible_processor_count = {{ ansible_processor_count }}
+ - ansible_processor_cores = {{ ansible_processor_cores }}
+ - ansible_processor_threads_per_core = {{ ansible_processor_threads_per_core }}
+ - ansible_processor_vcpus = {{ ansible_processor_vcpus }}
+ - CPUs Reserved for OS = 0...{{ ansible_processor_count - 1 }}
+# - CPUs Reserved for OS = {{ lookup('sequence','0-{{ ansible_processor_count - 1 }}').split(',') }} # [E207] Nested jinja pattern
+
+ - name: Check Intel CMK Config
+ assert:
+ that: ({{ cmk_enabled }} and {{ isolcpus_enabled }} and "{{ isolcpus }}" | length > 0)
+ msg:
+ - Incorrect configuration pertaining Intel CMK. Conflicting or improper values detected
+ - When Intel CMK is enabled, CPUs isolation ('isolcpus') must be set according to the example file for host_vars. Please correct the configuration
+
+ - name: Split isolcpus Groups
+ set_fact:
+ isolcpus_groups: "{{ isolcpus.split(',') }}"
+
+ - debug: msg="isolcpus_groups = {{ isolcpus_groups }}"
+
+ - name: Filter isolcpus Ranges
+ set_fact:
+ isolcpus_ranges: "{{ isolcpus_ranges + [item] }}"
+ with_items: "{{ isolcpus_groups }}"
+ when: ("-" in item)
+
+ - debug: msg="isolcpus_ranges = {{ isolcpus_ranges }}"
+
+ - name: Filter isolcpus Discretes
+ set_fact:
+ isolcpus_discretes: "{{ isolcpus_discretes + [item] }}"
+ with_items: "{{ isolcpus_groups }}"
+ when: ("-" not in item)
+
+ - debug: msg="isolcpus_discretes = {{ isolcpus_discretes }}"
+
+ - name: Build isolcpus List
+ set_fact:
+ isolcpus_list: "{{ isolcpus_list | default([]) | union(isolcpus_discretes) | union([item]) }}"
+ with_sequence: "{{ isolcpus_ranges }}"
+
+ - debug: msg="isolcpus_list = {{ isolcpus_list }}"
+
+ - name: Check isolcpus Total
+ assert:
+ that: "{{ isolcpus_list | length }} <= ansible_processor_vcpus"
+ msg:
+ - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected
+ - The number of isolcpus {{ isolcpus_list | length }}, exceeds total CPUs on target {{ ansible_processor_vcpus }}. Please correct the configuration
+ when: isolcpus is defined
+
+ - name: Check isolcpus IDs
+ assert:
+ that: "item | int <= ansible_processor_vcpus"
+ msg:
+ - Incorrect configuration pertaining isolcpus. Conflicting or improper values detected
+ - The CPU ID {{ item }} set for isolcpus is NOT actually present on target. Please correct the configuration
+ with_items: "{{ isolcpus_list }}"
+ when: isolcpus is defined
#TODO relationship between cmk shared/exclusive cores and isolcpus
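Review bot: The `Check isolcpus IDs` assertion uses `item | int <= ansible_processor_vcpus`, which accepts an ID equal to the vCPU count; if CPU IDs are zero-based, as the `0...{{ ansible_processor_count - 1 }}` debug line suggests, the comparison should be `that: "item | int < ansible_processor_vcpus"`. The `that:` expressions in `Check Intel CMK Config` and `Check isolcpus Total` embed `{{ }}` delimiters, so variable values are rendered into the expression text and then evaluated again as Jinja. Referencing the variables bare avoids that double evaluation, e.g. `that: isolcpus_list | length <= ansible_processor_vcpus`. `isolcpus_ranges` and `isolcpus_discretes` are appended to before any visible initialisation, so they presumably rely on defaults defined outside this hunk.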
- name: update to the latest kernel and kernel headers on the Red Hat OS family
package:
name:
- - kernel
- - kernel-devel
+ - kernel
+ - kernel-devel
state: latest # noqa 403
notify:
- reboot server
- name: ensure selinux is installed on CentOS/RHEL 7
package:
name:
- - policycoreutils
- - policycoreutils-python
- - selinux-policy
- - selinux-policy-targeted
- - libselinux-utils
- - setools
- - setools-console
- - shtool
- - lshw
+ - policycoreutils
+ - policycoreutils-python
+ - selinux-policy
+ - selinux-policy-targeted
+ - libselinux-utils
+ - setools
+ - setools-console
+ - shtool
+ - lshw
state: present
when:
- ansible_distribution in ["RedHat", "CentOS"]
- name: install command line tools to collect hardware details
package:
name:
- - hwinfo
- - inxi
- - jq
+ - hwinfo
+ - inxi
+ - jq
state: present
when: ansible_distribution in ["RedHat", "CentOS"]
- name: Add kubic yum repo and install updated version of podman
block:
- - name: disable container-tools module
- # noqa 305 - shell is used intentionally here
- shell: dnf -y module disable container-tools
- - name: enable rhcontainerbot/container-selinux repository
- # noqa 305 - shell is used intentionally here
- shell: dnf -y copr enable rhcontainerbot/container-selinux
- - name: Add kubic yum repo
- yum_repository:
- name: devel_kubic_libcontainers_stable
- description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever)
- baseurl: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/
- gpgcheck: yes
- gpgkey: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key
- keepcache: '0'
- - name: install runc
- dnf:
- name: runc
- state: present
- - name: install podman package
- package:
- name: podman
- state: present
+ - name: disable container-tools module
+ # noqa 305 - shell is used intentionally here
+ shell: dnf -y module disable container-tools
+ - name: enable rhcontainerbot/container-selinux repository
+ # noqa 305 - shell is used intentionally here
+ shell: dnf -y copr enable rhcontainerbot/container-selinux
+ - name: Add kubic yum repo
+ yum_repository:
+ name: devel_kubic_libcontainers_stable
+ description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever)
+ baseurl: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/
+ gpgcheck: yes
+ gpgkey: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key
+ keepcache: '0'
+ - name: install runc
+ dnf:
+ name: runc
+ state: present
+ - name: install podman package
+ package:
+ name: podman
+ state: present
when:
- ansible_os_family == "RedHat" and ansible_distribution_version >= '8.2'
- '"docker" not in container_runtime'
- name: create /opt/cni/bin
file:
- path: "/opt/cni/bin"
- state: directory
- recurse: yes
- mode: 0755
+ path: "/opt/cni/bin"
+ state: directory
+ recurse: yes
+ mode: 0755
- name: install sriov-cni binary to /opt/cni/bin directory
copy:
loop_control:
loop_var: vf
extended: yes
- when: ansible_loop.index < (item.sriov_numvfs | default(0) | int )
+ when: ansible_loop.index < (item.sriov_numvfs | default(0) | int )
# get a list of VFs PCI addresses and save the configuration
- name: attach VFs driver
#
# SPDX-License-Identifier: Apache-2.0
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
-yamllint # LGPLv3
bashate # Apache-2.0
+yamllint # LGPLv3
rstcheck # MIT
-molecule # MIT
-molecule-docker # MIT
-docker # Apache-2.0
-testinfra # Apache-2.0
-ansible-lint # MIT
+sphinx
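Review bot: The added `sphinx` line is the only entry without a licence annotation; the other entries carry one, so `sphinx # BSD-2-Clause` would keep the file consistent. None of the tools listed has a version constraint, so the gate installs whatever release is newest at run time and a new release can change lint results without any change in this repository; lower bounds or a constraints file would make runs reproducible. The header comment explaining that package order matters was removed along with the reordering of `yamllint`, and nothing visible here says whether the order still matters.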
[tox]
minversion = 3.5
skipsdist = True
-envlist = lint,docs
+envlist = lint,docs,docs-linkcheck
[testenv]
passenv = http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
[testenv:lint]
-deps =
- -r{toxinidir}/test-requirements.txt
+deps = -r{toxinidir}/test-requirements.txt
whitelist_externals = bash
commands = bash -c "find {toxinidir} \
-not -path {toxinidir}/.tox/\* \
-name \*.rst | xargs rstcheck"
[testenv:docs]
-deps = -rdocs/requirements.txt
+deps = -r{toxinidir}/docs/requirements.txt
commands =
sphinx-build -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html
echo "Generated docs available in {toxinidir}/docs/_build/html"
whitelist_externals = echo
[testenv:docs-linkcheck]
-deps = -rdocs/requirements.txt
+deps = -r{toxinidir}/docs/requirements.txt
commands = sphinx-build -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck
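Review bot: Adding `docs-linkcheck` to `envlist` makes every default `tox` run issue HTTP requests to each external link in the docs. The gate then needs outbound network access and fails whenever a third-party site is slow or unreachable. Consider leaving it out of the default list and running it explicitly with `tox -e docs-linkcheck`, or add a comment above `envlist` such as `# docs-linkcheck needs outbound network access`.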