Compare commits
No commits in common. "d1941c987e20b43159659950088dd9b4e67bff85" and "4933186d31af6712a9cd034192aa64da0b5c5347" have entirely different histories.
d1941c987e
...
4933186d31
10 changed files with 24 additions and 90 deletions
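--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -16,5 +16,3 @@ integration_test__users:
 - claude
 # Where the golden image + overlays live (outside the repo).
 integration_test__cache_dir: "/var/lib/boma-integration"
-# nftables drop-in dir — must match base__firewall_dropin_dir (base role default: /etc/nftables.d)
-integration_test__nftables_dropin_dir: /etc/nftables.d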
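--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,15 +1 @@
 ---
-- name: Reload nftables
-ansible.builtin.service:
-name: nftables
-state: reloaded
-listen: "integration_test | reload nftables"
-register: _nft_reload
-# nftables is absent from the Molecule Docker container; ignore "not found" errors there.
-# On real hosts where base has applied nftables, failures propagate normally.
-failed_when:
-- _nft_reload.failed
-- >-
-'Could not find the requested service nftables' not in (_nft_reload.msg | default(''))
-and 'nftables.service not found' not in (_nft_reload.msg | default(''))
-and 'Unit nftables.service not found' not in (_nft_reload.msg | default(''))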
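--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,14 +1,7 @@
 ---
-# KVM/libvirt APT packages cannot be installed in the Docker Molecule container
-# (no internet; KVM unusable in a container). This converge exercises only the
-# nftables drop-in rendering via tasks_from, which IS meaningful in a container.
-# The full role (packages/libvirt) is exercised by make test-integration.
 - name: Converge
 hosts: all
 become: true
 gather_facts: true
-tasks:
-- name: Include integration_test firewall tasks
-ansible.builtin.include_role:
-name: integration_test
-tasks_from: firewall.yml
+roles:
+- role: integration_test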
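Review bot: The new converge.yml applies the whole `integration_test` role through `roles:` but carries no header comment saying what the scenario is expected to exercise or what the Molecule instance must provide; the verify play in this same compare asserts that the KVM/libvirt packages are installed and that /var/lib/boma-integration exists, so the converge now has to either install those packages or run on an image that already has them. A two-line header above `- name: Converge`, such as `# Full role apply: installs the KVM/libvirt packages and creates the cache dir;` followed by `# the Molecule instance must be able to install APT packages.`, would make that expectation explicit for whoever runs the scenario next.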
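--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# The Molecule Docker image ships with /var/lib/apt/lists/ cleared to minimise size.
-# KVM/libvirt packages cannot be installed in a container; converge only runs the
-# `firewall` tag. Pre-create /etc/nftables.d so the drop-in template task succeeds.
-- name: Prepare
-hosts: all
-become: true
-gather_facts: false
-tasks:
-- name: Create nftables drop-in dir (normally created by the config task)
-ansible.builtin.file:
-path: /etc/nftables.d
-state: directory
-mode: "0755"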
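--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,18 +1,25 @@
 ---
-# Package-install and cache-dir tasks are skipped (converge runs `firewall` tag only;
-# KVM/libvirt packages cannot be fetched in the Docker container). This scenario
-# verifies the nftables drop-in renders correctly.
 - name: Verify
 hosts: all
 become: true
 gather_facts: false
 tasks:
-- name: Read the libvirt bridge nftables drop-in
-ansible.builtin.slurp:
-src: /etc/nftables.d/10-libvirt-boma.nft
-register: _dropin
-- name: Assert drop-in contains virbr-boma accept rule
+- name: Gather package facts
+ansible.builtin.package_facts:
+- name: Assert the substrate packages are installed
 ansible.builtin.assert:
 that:
-- "'virbr-boma' in (_dropin.content | b64decode)"
-- "'accept' in (_dropin.content | b64decode)"
+- "'qemu-system-x86' in ansible_facts.packages"
+- "'qemu-utils' in ansible_facts.packages"
+- "'libvirt-daemon-system' in ansible_facts.packages"
+- "'libvirt-clients' in ansible_facts.packages"
+- "'virt-install' in ansible_facts.packages"
+- "'cloud-image-utils' in ansible_facts.packages"
+- "'genisoimage' in ansible_facts.packages"
+- name: Cache dir exists
+ansible.builtin.stat:
+path: /var/lib/boma-integration
+register: _cache
+- name: Assert cache dir
+ansible.builtin.assert:
+that: [_cache.stat.isdir]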
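Review bot: `that: [_cache.stat.isdir]` in the last assert fails with an undefined-attribute error instead of a readable assertion message when /var/lib/boma-integration is missing, because ansible.builtin.stat returns only `exists: false` for a non-existent path and omits `isdir`. Check existence first: `that: [_cache.stat.exists, _cache.stat.isdir]`. If the `group: libvirt` / `mode: "2775"` context at line 30 of the tasks file in this same compare belongs to the cache-dir task, the verify could additionally pin `_cache.stat.gr_name == 'libvirt'` and `_cache.stat.mode == '2775'`, so a regression in the directory's group or setgid mode is caught by the scenario rather than discovered when a guest image fails to write there.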
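--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Install the libvirt bridge nftables drop-in (virbr-boma input allow)
-ansible.builtin.template:
-src: 10-libvirt-boma.nft.j2
-dest: "{{ integration_test__nftables_dropin_dir }}/10-libvirt-boma.nft"
-mode: "0644"
-notify: "integration_test | reload nftables"
-tags: [firewall]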
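--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -30,6 +30,3 @@
 group: libvirt
 mode: "2775"
 tags: [config]
-
-- name: Import firewall tasks
-ansible.builtin.import_tasks: firewall.yml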
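--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-# Allow DHCP/DNS traffic arriving on the libvirt integration bridge to pass base's
-# inet filter input default-deny chain (ADR-025). nftables multi-table semantics mean
-# libvirt's own `ip filter` table accept is not enough — base's `inet filter` input
-# policy drop kills bridge traffic first without this drop-in.
-#
-# Bridge name "virbr-boma" must match NET_XML in scripts/integration-vm.py.
-table inet filter {
-chain input {
-iifname "virbr-boma" accept
-}
-}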
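--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -243,14 +243,9 @@ def up(host, name=None, mem_mib=DEFAULT_MEM_MIB, vcpus=DEFAULT_VCPUS):
 
 
 def wait_for_ip(name, timeout=120):
-# Try --source lease first (fastest when leaseshelper works), then fall back to
-# --source arp (reads the host neighbour/ARP table — no privileged helper needed,
-# populated once the VM sends traffic). Both sources produce identical output that
-# parse_lease_ip handles, so this removes the leaseshelper/suid dependency.
 end = time.time() + timeout
 while time.time() < end:
-for source in ("lease", "arp"):
-out = sh(["virsh", "domifaddr", name, "--source", source],
+out = sh(["virsh", "domifaddr", name, "--source", "lease"],
 check=False, capture=True).stdout
 ip = parse_lease_ip(out)
 if ip: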
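Review bot: `check=False, capture=True).stdout` throws away virsh's exit status and stderr, so a domain that does not exist, or a virsh that cannot reach libvirtd, is indistinguishable from "no lease yet" and only surfaces as a full 120 s timeout with no diagnostic. Keep the result and at least report a non-zero status, e.g. `res = sh([...], check=False, capture=True)` followed by `if res.returncode != 0: log.warning("virsh domifaddr: %s", res.stderr)` before `ip = parse_lease_ip(res.stdout)` — this assumes `sh` returns a CompletedProcess-like object, which the `.stdout` access suggests but the hunk does not show. The function also lost its explanatory comment; a docstring such as `"""Poll `virsh domifaddr --source lease` until *name* reports an address or *timeout* seconds elapse."""` would restore that. wait_for_ip's body continues past the hunk, so whether the loop sleeps between polls and what it returns on timeout cannot be seen here; and since this compare also drops the `virbr-boma` nftables drop-in whose removed header says it let DHCP/DNS through base's input default-deny, on a host running that base firewall the guest may never obtain a lease and this loop would always time out.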
@ -32,14 +32,6 @@ def test_parse_lease_ip_extracts_ipv4():
def test_parse_lease_ip_none_when_absent():
def test_parse_lease_ip_none_when_absent():
assert ivm.parse_lease_ip("no leases\n") is None
assert ivm.parse_lease_ip("no leases\n") is None
def test_parse_lease_ip_arp_source():
# virsh domifaddr --source arp output format is identical to --source lease;
# this test proves parse_lease_ip handles it so the arp fallback in wait_for_ip works.
out = (" Name MAC address Protocol Address\n"
"-------------------------------------------------------------------\n"
" vnet0 52:54:00:de:ad:be ipv4 192.168.150.73/24\n")
assert ivm.parse_lease_ip(out) == "192.168.150.73"
def test_meta_data_has_instance_and_hostname():
def test_meta_data_has_instance_and_hostname():
md = ivm.render_meta_data("iid-askari-x", "boma-it-askari-x")
md = ivm.render_meta_data("iid-askari-x", "boma-it-askari-x")