Bugfix: update application credential; clean up lingering resources (#…

…457) * Bugfix: use correct application credential for gx-scs so the entropy test can create instances * Add script to clean up * Replace absolute path by tilde notation Signed-off-by: Matthias Büchse <matthias.buechse@cloudandheat.com>
SovereignCloudStack · Jan 25, 2024 · 31309ca · 31309ca
1 parent 7683564
commit 31309ca
Show file tree

Hide file tree

Showing 8 changed files with 300 additions and 78 deletions.
diff --git a/.zuul.d/config.yaml b/.zuul.d/config.yaml
@@ -22,6 +22,7 @@
 - job:
     name: scs-check-adr-syntax
     parent: base
+    pre-run: playbooks/pre.yaml
     run: playbooks/adr_syntax.yaml
 - job:
     name: scs-check-gx-scs
@@ -31,6 +32,9 @@
        secret: SECRET_STANDARDS
     vars:
       cloud: gx-scs
+    pre-run:
+     - playbooks/pre.yaml
+     - playbooks/pre_cloud.yaml
     run: playbooks/compliance_check.yaml
 - job:
     name: scs-check-gx-scs-main

diff --git a/.zuul.d/secure.yaml b/.zuul.d/secure.yaml
@@ -3,27 +3,27 @@
     name: SECRET_STANDARDS
     data:
       gx_scs_ac_id: !encrypted/pkcs1-oaep
-        - b/SnLk91ZRXkFj22EjOZk+vqqJIDySsGL9WzaR8nZntJOYfhkqVbp5AV9KDuqP/bj9MrR
-          yDc2hdkBesm1d62ynjQ94CjP8p7Lhs45FFyOcxGWQwMairD4YtnFsvKfvYtp3mz13n0gF
-          HOFGycm0CZwO1cETUJFB2O9ekbI9T5iO6PmQiwWbWbT/5EJu8bjAUaLV7ZyGsCZ22FQ8E
-          4dbs+2ShRsckitp7iBDWAzsPzX/aq8xuzoZ9Zf0DlHXuQrqENkx721QygsNLxb4dVC8e1
-          vT8R6Oy0MBGfn667Ob1yfquileryCu+eXmFPzKZwxn2IWpl3IdSYEs0ZSFkd9ZEuA4UIE
-          bolgg0hXSCzxoI9M+b0+FTvNmYQw7u4tFJ6YPLhs9QJHhJVj7oywwrZRumrD0XgPzHQgW
-          RhrL6OS8ChvZ5yjZdRK9L+pDM2MW4kKtKzmXZ5RpoMzNoh8Mkns5YlPrikrkQsYaiq0bx
-          540qoAZl+zL0SiV2Z7t8VdGwEroBDpEIrPfIboBPo9eyRbGUKRk9DqiJ+wqMhkEQ0Lu+T
-          whlE9WShj0BNs4mghjUg5WY9EMmH4IVFTxvbcr2UhfcnGxJJ0I+MfaAP4G8UZ0rRohYgi
-          i8YmbOQ7NCpyRqz0IniDODo2Cz76/NJ5e53nbTuGNBuoFoigwyGqMvI4vkN2Oc=
+        - XbUa6vPaT+ANGdJyKHj0I2Q5iE6y/RItmux52ixruTHhYyiqTx8B9HWwDU61TogBMdKvC
+          o2Cz9+2pj1hdkyQp5+99ARKHCLsOP/7u9E5M/zQ2X1QT+8UCQEEkfjpvLF491qGx50dg2
+          rYWNMDeErD1ELz3HsDiBEnwoQY3+FY/7eUA+5Uk7v0uBUTqHb0m3xyCAjrGV7n6zRf/UR
+          iJKXNDCudyOumr5ROvze3SI0qgn93f8xSoY5Rf3v4eaosfHOBwp/MiBZE4kRnMCwBiDqU
+          nr8HGCA09wo41pAt/iw9xtZp+dJBTaEu11EjO4iGm+LkQe3zaG01CLA1un+ZtfVntaNIj
+          VOJFiQ1qEoNFz6SvEoZ1i1qmJqoD8rhGhWEHj3N+xKUK2Ck46fOusZEXjnrR85Zhfg5wb
+          iGRJef4k9wjwKKR2ezI91e1T8f+1kk6URemP+n3ztYgfl9ZX1NVe8PILpJL3nz6sPaGVA
+          fimN/quRKg+lBgi667GrlDJkOsgKdVAEmIQyVw0IwDpmghHdUX4MvneX9tdWp5fDHz6dn
+          1Y5XxCzIfKy4K55qDS7m2FXWfC2g/BZqaNiLtPIfbAts9GQt4WCL3iFkoCLe3geElcK+v
+          w1kzj9ZzNT/Rhuoe+dvnGN3qZmBc6930KQxJrYB2BHBARpabGUDnyiGHslp94g=
       gx_scs_ac_secret: !encrypted/pkcs1-oaep
-        - ZJiujVLXDgWrPSOU6759BE23gzBGtT33c4ziUDNNFpZzW1Q8PwrrtMCBHbbAey1b8qF88
-          Yp8wk4EMLMNxB9SD+E1wVBAtHRubzFwOj4/4R1kza430BydqHr+8RE3kTVukj8Wv1B2ZC
-          SI1gaKJHhvLIVdmiDncI6MKf4AXC0pERIhg618xYNxmGjQT5vxSSZjvwflfJiFutXa0wa
-          5jFNo29T3TPQH7mA5SMzM2a0AENt/Ccp6/t+UlNLG3v3M1g/P+xednVOI1tdy+CappvHY
-          10u8Eln1L9ZfKKT6ebLLdoYws++numKGgzGkfyS0Ob7gOGaHC3EYyha5y//BqTkGsVmfE
-          8ed+zV9fO2BpaUB1h1rlO76SgXlygw/4r+JmNIbqG4b/KEseQeGL4NwR1wOJfG1LEbdsF
-          xE+zhSf3a3pzjt1q4qL+F4VEzIIJWS7Vn3BZaaKLovRz0iGc8PRnrQyl6arCgtInzbemu
-          mLv1l8bxsHvMEdb3l6wqqNvVPjo8pgZTH+1MK/2H2Zpg62NI6b+AGkqOPYIr6U3xllT23
-          ZLPVpoq1cuvY9Eh3i5OjE7AU7hGcy7cDy7lHSBNYPKv+ZERIneEciApgq6QYEEuf7v7rl
-          wxiW8mQgmQSsly/+7LrcBpwyv0ouHrg1VOx84dhYHEV++I0FDJGJsa/HcZ/8ZQ=
+        - qucDkH00net602D2PcG7f5CaB2ggFAugU75W9TrcUFG2RmPuB7gA1gortagkGqLJxG03A
+          krH6MrG32txTxkrOC4cwiv7gokn84IUFZzJqic3myImfBkpr2rPD4xQOZYw1hWIxojD9Q
+          6Kx2AmdkXfw9Jpp2BrsL4ZZRjYGsVzULSfTzvcs0LqzytMCh0WvPqSZEmh8ICsVZe8hhz
+          DEsGLLLohH7WFWOO3SXp1w2IhLxobKhybg3BwtOAUJHRcx5sPREEXCPDhsGvBYET9srNL
+          wm6yLSV7t/xvjAsAabHouE1iFTijXvfxtXMywTVm9PX3gv63M6lOJwMnQHRqlD17IKR92
+          kiUmTMA2aRycCF4J7iT5x1Znr9+/eEAOX1EAoTpdvnD0qcfqZk+e2mJQLZjhA6WsW7eOT
+          EaJarK2rBEFIYp1QyOJqa8YITGhNGPRjnIBPDGfF6Pq7Sd9z7NQXClwOyCZEnGgjPUixZ
+          Vjo5fBpIjEOLNtA40vx0Agx1Red2eMFA5oLcxiDMBSP4nLiI1QNROSnGc7GYoIT5kyq8k
+          P5Uw261H4un2xvpO9ZBuHEV5mskTiBazTPDwaqU3yZoyGIvdQl2Uo6S3Glnf41YH+k/hN
+          jxzziQB9sT2glnmmzrzZ22xPZg+sTngWS/3svRYV9BXKnMgq8jjR6eIKGYSwyQ=
       pco_prod1_ac_id: !encrypted/pkcs1-oaep
         - jGScb1B/BfnuDdDnfsJoHnVRaeiTAX1fCB3eYBuUx6grQTQ2SorKWeUeVWqznfJJF0Pug
           uE09n6oCwZE3hxzI2VxFA+o4wDBA3azasAs8N3vV+QyFYF5dl+5K1M0xwdkhqAyefw5n8

diff --git a/Tests/cleanup.py b/Tests/cleanup.py
@@ -0,0 +1,216 @@
+#!/usr/bin/env python3
+
+# SPDX-License-Identifier: Apache-2.0
+
+# taken from https://github.com/osism/testbed/blob/main/terraform/scripts/cleanup.py
+# with minor adaptations:
+#  - names really start with the prefix (e.g., PREFIX-net-X instead of net-PREFIX-X)
+#  - collect the original functions inside the class Janitor
+#  - provide command-line interface in addition to environment variables
+#  - prefix log messages with channel (can be useful for counting errors)
+
+import getopt
+import logging
+import os
+import sys
+import time
+
+import openstack
+
+
+logger = logging.getLogger(__name__)
+
+
+def print_usage(file=sys.stderr):
+    """Help output"""
+    print("""Usage: cleanup.py [options]
+This tool cleans the cloud environment CLOUD by removing any resources whose name start with PREFIX.
+Options:
+ [-c/--os-cloud OS_CLOUD] sets cloud environment (default from OS_CLOUD env)
+ [-i/--prefix PREFIX] sets prefix (default from PREFIX env)
+""", end='', file=file)
+
+
+class Janitor:
+    def __init__(self, conn, prefix=""):
+        self.conn = conn
+        self.prefix = prefix
+
+    def disconnect_routers(self):
+        logger.debug("disconnect routers")
+        routers = list(self.conn.network.routers())
+        for router in routers:
+            if not router.name.startswith(self.prefix):
+                continue
+            logger.info(router.name)
+            ports = list(self.conn.network.ports(device_id=router.id))
+            for port in ports:
+                self.conn.network.remove_interface_from_router(router.id, port_id=port["id"])
+
+    def cleanup_routers(self):
+        logger.debug("clean up routers")
+        routers = list(self.conn.network.routers())
+        for router in routers:
+            if not router.name.startswith(self.prefix):
+                continue
+            logger.info(router.name)
+            self.conn.network.remove_gateway_from_router(router)
+            self.conn.network.delete_router(router)
+
+    def cleanup_networks(self):
+        logger.debug("clean up networks")
+        networks = list(self.conn.network.networks(shared=False))
+        for network in networks:
+            if not network.name.startswith(self.prefix):
+                continue
+            logger.info(network.name)
+            self.conn.network.delete_network(network)
+
+    def cleanup_subnets(self):
+        logger.debug("clean up subnets")
+        subnets = list(self.conn.network.subnets())
+        for subnet in subnets:
+            if not subnet.name.startswith(self.prefix):
+                continue
+            logger.info(subnet.name)
+            self.conn.network.delete_subnet(subnet)
+
+    def cleanup_ports(self):
+        logger.debug("clean up ports")
+        # FIXME: We can't filter for device_owner = '' unfortunately
+        ports = list(self.conn.network.ports(status="DOWN"))
+        for port in ports:
+            if port.device_owner:
+                continue
+            logger.info(port.id)
+            self.conn.network.delete_port(port)
+
+    def cleanup_volumes(self):
+        logger.debug("clean up volumes")
+        volumes = list(self.conn.block_storage.volumes())
+        for volume in volumes:
+            if not volume.name.startswith(self.prefix):
+                continue
+            logger.info(volume.name)
+            self.conn.block_storage.delete_volume(volume)
+
+    def cleanup_servers(self):
+        logger.debug("clean up servers")
+        # nova supports regex filtering
+        servers = list(self.conn.compute.servers(name=f"^{self.prefix}"))
+        for server in servers:
+            if not server.name.startswith(self.prefix):
+                continue
+
+            logger.info(server.name)
+            try:
+                self.conn.compute.delete_server(server, force=True)
+            except openstack.exceptions.HttpException:
+                self.conn.compute.delete_server(server)
+
+    def wait_servers_gone(self):
+        logger.debug("wait for servers to be gone")
+        count = 0
+        found = []
+        while count < 100:
+            del found[:]
+            # nova supports regex filtering
+            servers = list(self.conn.compute.servers(name=f"^{self.prefix}"))
+            for server in servers:
+                if server.name.startswith(self.prefix):
+                    found.append(server.name)
+            if not found:
+                break
+            count += 1
+            time.sleep(2)
+
+        if count >= 100:
+            logger.error("timeout waiting for servers to vanish: %s" % found)
+
+    def cleanup_keypairs(self):
+        logger.debug("clean up keypairs")
+        keypairs = list(self.conn.compute.keypairs())
+        for keypair in keypairs:
+            if not keypair.name.startswith(self.prefix):
+                continue
+            logger.info(keypair.name)
+            self.conn.compute.delete_keypair(keypair)
+
+    def cleanup_security_groups(self):
+        logger.debug("clean up security groups")
+        for security_group in self.conn.network.security_groups():
+            if not security_group.name.startswith(self.prefix):
+                continue
+            logger.info(security_group.name)
+            self.conn.network.delete_security_group(security_group)
+
+    def cleanup_floating_ips(self):
+        # Note: FIPs have no name, so we might clean up unrelated
+        #  currently unused FIPs here.
+        logger.debug("clean up floating ips")
+        floating_ips = list(self.conn.search_floating_ips(filters={"attached": False}))
+        for floating_ip in floating_ips:
+            logger.info(floating_ip.floating_ip_address)
+            self.conn.delete_floating_ip(floating_ip.id)
+
+    def cleanup(self):
+        self.cleanup_servers()
+        self.cleanup_keypairs()
+        self.wait_servers_gone()
+        self.cleanup_ports()
+        self.cleanup_volumes()
+        self.disconnect_routers()
+        self.cleanup_subnets()
+        self.cleanup_networks()
+        self.cleanup_security_groups()
+        self.cleanup_floating_ips()
+        self.cleanup_routers()
+
+
+def main(argv):
+    logging.basicConfig(
+        format='%(levelname)s: [%(asctime)s] %(message)s',
+        level=logging.INFO,
+        datefmt="%Y-%m-%d %H:%M:%S",
+    )
+
+    prefix = os.environ.get("PREFIX", None)
+    cloud = os.environ.get("OS_CLOUD")
+
+    try:
+        opts, args = getopt.gnu_getopt(argv, "c:p:h", ["os-cloud=", "prefix=", "help"])
+    except getopt.GetoptError as exc:
+        logger.critical(f"{exc}")
+        print_usage()
+        return 1
+
+    for opt in opts:
+        if opt[0] == "-h" or opt[0] == "--help":
+            print_usage()
+            return 0
+        if opt[0] == "-i" or opt[0] == "--prefix":
+            prefix = opt[1]
+        if opt[0] == "-c" or opt[0] == "--os-cloud":
+            cloud = opt[1]
+
+    if prefix is None:
+        # check for None, because supplying --prefix '' shall be permitted
+        logger.critical("You need to have PREFIX set or pass --prefix=PREFIX.")
+        return 1
+
+    if not cloud:
+        logger.critical("You need to have OS_CLOUD set or pass --os-cloud=CLOUD.")
+        return 1
+
+    with openstack.connect(cloud=cloud) as conn:
+        Janitor(conn, prefix).cleanup()
+
+
+if __name__ == "__main__":
+    try:
+        sys.exit(main(sys.argv[1:]))
+    except SystemExit:
+        raise
+    except BaseException as exc:
+        logger.critical(repr(exc))
+        sys.exit(1)
diff --git a/Tests/iaas/entropy/entropy-check.py b/Tests/iaas/entropy/entropy-check.py
@@ -30,11 +30,13 @@
 
 logger = logging.getLogger(__name__)
 
-NETWORK_NAME = "scs-0101-net"
-ROUTER_NAME = "scs-0101-router"
-SERVER_NAME = "scs-0101-server"
-SECURITY_GROUP_NAME = "scs-0101-group"
-KEYPAIR_NAME = "scs-0101-keypair"
+# prefix ephemeral resources with '_scs-' to rule out any confusion with important resources
+# (this enables us to automatically dispose of any lingering resources should this script be killed)
+NETWORK_NAME = "_scs-0101-net"
+ROUTER_NAME = "_scs-0101-router"
+SERVER_NAME = "_scs-0101-server"
+SECURITY_GROUP_NAME = "_scs-0101-group"
+KEYPAIR_NAME = "_scs-0101-keypair"
 
 IMAGE_ATTRIBUTES = {
     # https://docs.openstack.org/glance/2023.1/admin/useful-image-properties.html#image-property-keys-and-values

diff --git a/playbooks/adr_syntax.yaml b/playbooks/adr_syntax.yaml
@@ -1,37 +1,17 @@
 ---
 - name: Run ADR syntax check tool and test script consistency check tool
   hosts: all
-  roles:
-    - role: ensure-pip  # https://zuul-ci.org/docs/zuul-jobs/latest/python-roles.html#role-ensure-pip
   tasks:
-    - name: Copy ADRs on the node
-      ansible.builtin.copy:
-        src: "../Standards"
-        dest: "~/"
-        mode: 0500
-      no_log: false
-
-    - name: Copy Tests on the node
-      ansible.builtin.copy:
-        src: "../Tests"
-        dest: "~/"
-        mode: 0500
-      no_log: false
-
-    - name: Install dependencies
-      ansible.builtin.pip:
-        requirements: /home/ubuntu/Tests/requirements.txt
-
     - name: Run ADR syntax check script
-      ansible.builtin.command:
-        cmd: python3 /home/ubuntu/Tests/chk_adrs.py /home/ubuntu/Standards
+      ansible.builtin.shell: |
+        python3 ~/Tests/chk_adrs.py ~/Standards
       register: result
       changed_when: true
       failed_when: result.rc != 0
 
     - name: Run test script consistency check script
-      ansible.builtin.command:
-        cmd: python3 /home/ubuntu/Tests/iaas/flavor-naming/check-yaml.py /home/ubuntu/Tests/iaas
+      ansible.builtin.shell: |
+        python3 ~/Tests/iaas/flavor-naming/check-yaml.py ~/Tests/iaas
       register: result
       changed_when: true
       failed_when: result.rc != 0

diff --git a/playbooks/compliance_check.yaml b/playbooks/compliance_check.yaml
@@ -1,37 +1,10 @@
 ---
 - name: Run compliance check tool
   hosts: all
-  roles:
-    - role: ensure-pip  # https://zuul-ci.org/docs/zuul-jobs/latest/python-roles.html#role-ensure-pip
   tasks:
-    - name: Create cloud config dir
-      ansible.builtin.file:
-        path: "~/.config/openstack"
-        state: directory
-        recurse: true
-        mode: "0700"
-
-    - name: Create cloud config file
-      ansible.builtin.template:
-        src: "clouds.yaml.j2"
-        dest: "~/.config/openstack/clouds.yaml"
-        mode: "0600"
-      no_log: true
-
-    - name: Copy Tests on the node
-      ansible.builtin.copy:
-        src: "../Tests"
-        dest: "~/"
-        mode: 0500
-      no_log: false
-
-    - name: Install dependencies
-      ansible.builtin.pip:
-        requirements: /home/ubuntu/Tests/requirements.txt
-
     - name: Run compliance script
-      ansible.builtin.command:
-        cmd: python3 /home/ubuntu/Tests/scs-compliance-check.py /home/ubuntu/Tests/scs-compatible-iaas.yaml -c {{ cloud }} -o {{ cloud }}-iaas.yaml -C
+      ansible.builtin.shell: |
+        python3 ~/Tests/scs-compliance-check.py ~/Tests/scs-compatible-iaas.yaml -c {{ cloud }} -o {{ cloud }}-iaas.yaml -C
       register: result
       changed_when: true
       failed_when: result.rc != 0