New validation: verify_package

This validation will run only on RedHat OS family (CentOS, Fedora, ...). It calls the "rpm --verify|-V" command on the selected package, and return its status. Some notes: - if the package isn't installed, it will fail - if the package is present, but doesn't have the %verifyscript scriptlet, it won't fail - "become" is needed, especially if the verification script in the RPM calls some root-only things, such as "semodule" (this is the case for openstack-selinux, for instance) - if you set the validation to verbose, most of the output will be in the stdout - you therefore will have to go through the validation log to get the complete reason Change-Id: I7be310cac60b6729aa3c1a67f731421f85a78d80
2022-06-13 09:48:12 +02:00 · 2022-06-13 09:48:12 +02:00 · 566dc28121
parent c473b46f30
commit 566dc28121
4 changed files with 129 additions and 0 deletions
--- a/validations_common/playbooks/verify-package.yaml
+++ b/validations_common/playbooks/verify-package.yaml
@ -0,0 +1,64 @@
+---
+# This playbook has been generated by the `validation init` CLI.
+#
+# As shown here in this template, the validation playbook requires three
+# top-level directive:
+#   ``hosts``, ``vars -> metadata`` and ``roles``.
+#
+# ``hosts``: specifies which nodes to run the validation on. The options can
+#            be ``all`` (run on all nodes), or you could use the hosts defined
+#            in the inventory.
+# ``vars``: this section serves for storing variables that are going to be
+#           available to the Ansible playbook. The validations API uses the
+#           ``metadata`` section to read each validation's name and description
+#           These values are then reported by the API.
+#
+# The validations can be grouped together by specyfying a ``groups`` metadata.
+# Groups function similar to tags and a validation can thus be part of many
+# groups. To get a full list of the groups available and their description,
+# please run the following command on your Ansible Controller host:
+#
+#    $ validation show group
+#
+# The validations can also be categorized by technical domain and acan belong to
+# one or multiple ``categories``. For example, if your validation checks some
+# networking related configuration, you may want to put ``networking`` as a
+# category.  Note that this section is open and you are free to categorize your
+# validations as you like.
+#
+# The ``products`` section refers to the product on which you would like to run
+# the validation. It's another way to categorized your community validations.
+# Note that, by default, ``community`` is set in the ``products`` section to
+# help you list your validations by filtering by products:
+#
+#    $ validation list --product community
+#
+- hosts: all
+  gather_facts: false
+  vars:
+    metadata:
+      name: Verify package on RedHat os_family
+      description: |
+        This validation will run `rpm --verify' on RedHat OS family and
+        returns the status.
+        If selected package isn't installed, it will fail.
+        If selected package doesn't have the %verify scriptlet, it won't fail.
+      groups:
+        - prep
+        - pre-deploy
+        - pre-ugrade
+        - post-upgrade
+        - pre-system-upgrade
+        - post-system-upgrade
+        - pre-undercloud-upgrade
+        - post-undercloud-upgrade
+        - pre-overcloud-upgrade
+        - post-overcloud-upgrade
+        - pre-update
+        - post-update
+      categories:
+        - package
+      products:
+        - common
+  roles:
+    - verify_package
--- a/validations_common/roles/verify_package/README.md
+++ b/validations_common/roles/verify_package/README.md
@ -0,0 +1,37 @@
+Role Name
+=========
+
+Call `rpm --verify <package>'. Note that this validation only works for
+rhel-based systems, such as Enterprise Linux, CentOS, Fedora and so on.
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+`verify_package_pkg`: (str) Package name to verify
+`verify_package_verbose`: (bool) toggle verbose option for rpm
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      vars:
+        verify_package_pkg: openstack-selinux
+      roles:
+         - verify_package
+
+License
+-------
+
+BSD
--- a/validations_common/roles/verify_package/defaults/main.yml
+++ b/validations_common/roles/verify_package/defaults/main.yml
@ -0,0 +1,4 @@
+---
+# defaults file for verify_package
+verify_package_pkg: bash
+verify_package_verbose: false
--- a/validations_common/roles/verify_package/tasks/main.yml
+++ b/validations_common/roles/verify_package/tasks/main.yml
@ -0,0 +1,24 @@
+---
+- name: Ensure we have some facts
+  setup:
+    gather_subset: min
+
+- name: "Verify package {{ verify_package_pkg }}"
+  become: true
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+  register: pkg_verification
+  command: "rpm {{verify_package_verbose|ternary('-v','') }} -V {{ verify_package_pkg }}"
+  failed_when: pkg_verification['rc'] not in [0, 1]
+
+- name: Fail if needed
+  when:
+    - pkg_verification['rc'] != 0
+  fail:
+    msg: "{{ pkg_verification['stderr'] }}"
+
+- name: Fail if we are not on RedHat family system
+  when:
+    - ansible_facts['os_family'] != 'RedHat'
+  fail:
+    msg: "This validation does not support {{ ansible_facts['os_family'] }}!"