From 09b1ff4bc36725fbd0c5022e112eb97f9abdab31 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Wed, 29 Aug 2018 11:04:07 -0700
Subject: [PATCH] Add system-config-run-eavesdrop

Add a job which runs testinfra for the eavesdrop server.  When we
have a per-hostgroup playbook, we will add it to this job too.

The puppet group is removed from the run-base job because the
groups.yaml file is now used to construct groups (as it does
in production) and will construct the group correctly.

The testinfra iptables module may throw an error if it's run
multiple times simultaneously on the same host.  To avoid this,
stop using parallel execution.

Change-Id: I1a7bab5c14b0da22393ab568000d0921c28675aa
---
 .zuul.yaml                   | 25 +++++++++++++++++--------
 inventory/groups.yaml        |  2 +-
 playbooks/zuul/run-base.yaml | 15 ++++++++-------
 test-requirements.txt        |  3 ---
 testinfra/test_base.py       |  3 +++
 testinfra/test_eavesdrop.py  | 25 +++++++++++++++++++++++++
 tox.ini                      |  2 +-
 7 files changed, 55 insertions(+), 20 deletions(-)
 create mode 100644 testinfra/test_eavesdrop.py

diff --git a/.zuul.yaml b/.zuul.yaml
index 1c1d74b08b..b47d22da3f 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -131,14 +131,6 @@
           label: ubuntu-bionic
         - name: centos7
           label: centos-7
-      groups:
-        # We test puppet installation on this group.  Note bionic not
-        # in here as we have no bionic puppeted nodes (yet?)
-        - name: puppet
-          nodes:
-            - trusty
-            - xenial
-            - centos7
     host-vars:
       trusty:
         ansible_python_interpreter: python2
@@ -153,6 +145,21 @@
       - roles/.*
       - testinfra/.*
 
+- job:
+    name: system-config-run-eavesdrop
+    nodeset:
+      nodes:
+        - name: bridge.openstack.org
+          label: ubuntu-bionic
+        - name: eavesdrop01.openstack.org
+          label: ubuntu-xenial
+    pre-run: playbooks/zuul/run-base-pre.yaml
+    run: playbooks/zuul/run-base.yaml
+    files:
+      - .zuul.yaml
+      - playbooks/group_vars/eavesdrop.yaml
+      - testinfra/test_eavesdrop.py
+
 - project:
     templates:
       - system-config-zuul-role-integration
@@ -163,6 +170,7 @@
         - puppet-beaker-rspec-puppet-4-infra-system-config
         - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
         - system-config-run-base
+        - system-config-run-eavesdrop
     gate:
       jobs:
         - puppet-beaker-rspec-infra-system-config
@@ -170,3 +178,4 @@
         - puppet-beaker-rspec-puppet-4-infra-system-config
         - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
         - system-config-run-base
+        - system-config-run-eavesdrop
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index 3e3677356d..3856654e4e 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -32,7 +32,7 @@ groups:
   ns: inventory_hostname.startswith('ns')
   paste: inventory_hostname.startswith('paste')
   pbx: inventory_hostname.startswith('pbx')
-  puppet: not inventory_hostname.startswith('bridge')
+  puppet: not (inventory_hostname.startswith('bridge') or inventory_hostname.startswith('bionic'))
   refstack: inventory_hostname.startswith('refstack')
   review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
   review: inventory_hostname is match('review\d+\.openstack\.org')
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index f1caf79f96..8d76ef9c4e 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -12,17 +12,17 @@
         write_inventory_dest: /etc/ansible/hosts/inventory.yaml
         write_inventory_exclude_hostvars:
           - ansible_user
-    - name: Update ansible.cfg to use job inventory
-      ini_file:
-        path: /etc/ansible/ansible.cfg
-        section: defaults
-        option: inventory
-        value: /etc/ansible/hosts/inventory.yaml
     - name: Set up /opt/system-config repo
       git:
         repo: /home/zuul/src/git.openstack.org/openstack-infra/system-config
         dest: /opt/system-config
         force: yes
+    - name: Update ansible.cfg to use job inventory
+      ini_file:
+        path: /etc/ansible/ansible.cfg
+        section: defaults
+        option: inventory
+        value: /etc/ansible/hosts/inventory.yaml,/opt/system-config/inventory/groups.yaml
     - name: Make host_vars directory
       file:
         path: "/etc/ansible/hosts/host_vars"
@@ -41,6 +41,8 @@
         dest: "/etc/ansible/hosts/{{ item }}"
       loop:
         - group_vars/all.yaml
+    - name: Display group membership
+      command: ansible localhost -m debug -a 'var=groups'
     - name: Run base.yaml
       command: ansible-playbook /home/zuul/src/git.openstack.org/openstack-infra/system-config/playbooks/base.yaml
     - name: Run testinfra to validate configuration
@@ -48,4 +50,3 @@
         name: tox
       vars:
         tox_envlist: testinfra
-        tox_extra_args: testinfra/test_base.py
diff --git a/test-requirements.txt b/test-requirements.txt
index 069a94eccb..3fc01e2228 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8,6 +8,3 @@ ansible-lint
 openstacksdk
 zuul-sphinx>=0.2.3
 testinfra
-# pytest-xdist is a plugin for pytest which allows parallel execution,
-# used by testinfra
-pytest-xdist
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 6ecdb76452..e879b50d23 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -15,6 +15,9 @@
 import socket
 
 
+testinfra_hosts = ['all']
+
+
 def get_ips(value, family=None):
     ret = set()
     try:
diff --git a/testinfra/test_eavesdrop.py b/testinfra/test_eavesdrop.py
new file mode 100644
index 0000000000..f2772f40e3
--- /dev/null
+++ b/testinfra/test_eavesdrop.py
@@ -0,0 +1,25 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['eavesdrop01.openstack.org']
+
+
+def test_eavesdrop(host):
+    rules = host.iptables.rules()
+    rules = [x.strip() for x in rules]
+
+    web = ('-A openstack-INPUT -p tcp -m state --state NEW'
+           ' -m tcp --dport 80 -j ACCEPT')
+    assert web in rules
diff --git a/tox.ini b/tox.ini
index bfbfe6773c..e95ba03521 100644
--- a/tox.ini
+++ b/tox.ini
@@ -32,7 +32,7 @@ deps = -r{toxinidir}/doc/requirements.txt
 commands = sphinx-build -W -E -b html doc/source doc/build/html
 
 [testenv:testinfra]
-commands = py.test -n 5 --junit-xml junit.xml --connection=ansible --ansible-inventory=/etc/ansible/hosts/inventory.yaml --hosts=all -v {posargs}
+commands = py.test --junit-xml junit.xml --connection=ansible --ansible-inventory=/etc/ansible/hosts/inventory.yaml -v testinfra {posargs}
 
 [flake8]
 show-source = True