34713f3b52
The sudoers files as installed with openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with ".." which grants full passwordless root access to the validations user. Change-Id: I34073671c8f97d7bfbe1030ed52e6627a07dacfb Related-Bug: 1705709 |
||
---|---|---|
container-images | ||
contrib | ||
doc/source | ||
heat_docker_agent | ||
image-yaml | ||
playbooks | ||
releasenotes | ||
scripts | ||
tools | ||
tripleo_common | ||
undercloud_heat_plugins | ||
workbooks | ||
.coveragerc | ||
.gitignore | ||
.gitreview | ||
.mailmap | ||
.testr.conf | ||
CONTRIBUTING.rst | ||
HACKING.rst | ||
LICENSE | ||
MANIFEST.in | ||
README.rst | ||
babel.cfg | ||
requirements.txt | ||
setup.cfg | ||
setup.py | ||
sudoers | ||
test-requirements.txt | ||
tox.ini |
README.rst
Team and repository tags
tripleo-common
A common library for TripleO workflows.
- Free software: Apache license
- Documentation: http://docs.openstack.org/developer/tripleo-common
- Source: http://git.openstack.org/cgit/openstack/tripleo-common
- Bugs: http://bugs.launchpad.net/tripleo-common
Action Development
When developing new actions, you will checkout a copy of tripleo-common to an undercloud machine and add actions as needed. To test the actions they need to be installed and selected services need to be restarted. Use the following code to accomplish these tasks. :
sudo rm -Rf /usr/lib/python2.7/site-packages/tripleo_common*
sudo python setup.py install
sudo cp /usr/share/tripleo-common/sudoers /etc/sudoers.d/tripleo-common
sudo systemctl restart openstack-mistral-executor
sudo systemctl restart openstack-mistral-engine
# this loads the actions via entrypoints
sudo mistral-db-manage populate
# make sure the new actions got loaded
mistral action-list | grep tripleo
Validations
Prerequisites
If you haven't installed the undercloud with the
enable_validations
set to true, you will have to prepare
your undercloud to run the validations:
$ sudo pip install git+https://git.openstack.org/openstack/tripleo-validations
$ sudo yum install ansible
$ sudo useradd validations
Finally you need to generate an SSH keypair for the validation user and copy it to the overcloud's authorized_keys files:
$ mistral execution-create tripleo.validations.v1.copy_ssh_key
Running validations using the mistral workflow
Create a context.json file containing the arguments passed to the workflow:
{
"validation_names": ["512e", "rabbitmq-limits"]
}
Run the tripleo.validations.v1.run_validations
workflow
with mistral client:
mistral execution-create tripleo.validations.v1.run_validations context.json
Running groups of validations
Create a context.json file containing the arguments passed to the workflow:
{
"group_names": ["network", "post-deployment"]
}
Run the tripleo.validations.v1.run_groups
workflow with
mistral client:
mistral execution-create tripleo.validations.v1.run_groups context.json