Merge pull request #801 from openstack-k8s-operators/update/kpatch

Enable kpatch support for update

.github/workflows/molecule.yaml

@@ -44,7 +44,6 @@ jobs:
         - edpm_timezone
         - edpm_telemetry
         - edpm_telemetry_logging
-        - edpm_update
         - edpm_users
         - env_data
         - edpm_pre_adoption_validation

roles/edpm_update/defaults/main.yml

@@ -17,6 +17,9 @@
 
 # All variables intended for modification should be placed in this file.
 
+# Toggle to enable/disable kpatch usage
+edpm_update_enable_kpatch: false
+
 # Toggle to enable/disable packages updates
 edpm_update_enable_packages_update: true
 

roles/edpm_update/molecule/default/molecule.yml

@@ -4,35 +4,24 @@ dependency:
   options:
     role-file: collections.yml
 driver:
-  name: podman
+  name: delegated
+  options:
+    managed: false
+    ansible_connection_options:
+      ansible_connection: local
 platforms:
-- command: /sbin/init
-  dockerfile: Containerfile.j2
-  image: ${EDPM_ANSIBLE_MOLECULE_IMAGE:-"ubi9/ubi-init"}
-  name: instance
-  privileged: true
-  registry:
-    url: ${EDPM_ANSIBLE_MOLECULE_REGISTRY:-"registry.access.redhat.com"}
-  ulimits:
-  - host
+  - name: edpm-0.localdomain
+    groups:
+      - compute
 provisioner:
   log: true
   name: ansible
-  inventory:
-    hosts:
-      all:
-        hosts:
-          instance:
-            canonical_hostname: edpm-0.localdomain
+
 scenario:
   test_sequence:
-  - dependency
-  - destroy
-  - create
-  - prepare
-  - converge
-  - verify
-  - cleanup
-  - destroy
+    - prepare
+    - converge
+    - cleanup
+    - destroy
 verifier:
   name: ansible

roles/edpm_update/molecule/default/prepare.yml

@@ -14,6 +14,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+- name: Prepare test_deps
+  hosts: all
+  gather_facts: false
+  roles:
+    - role: ../../../../molecule/common/test_deps
+      test_deps_setup_edpm: true
+      test_deps_setup_stream: true
 
 - name: Prepare
   hosts: all

roles/edpm_update/molecule/kpatch/converge.yml

@@ -0,0 +1,57 @@
+---
+# Copyright 2024 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: "Call edpm_update role"
+      ansible.builtin.include_role:
+        name: osp.edpm.edpm_update
+      vars:
+        edpm_update_enable_containers_update: false
+        edpm_service_types: []
+        edpm_update_enable_kpatch: true
+
+    # We have to run the verifications in this play to
+    # ensure we have access to the internally changed
+    # facts.
+    - name: Conduct some verifications
+      block:
+        - name: Ensure kernel related packages are excluded
+          ansible.builtin.assert:
+            that:
+              - _exclude_packages is defined
+              - "'kernel' in _exclude_packages"
+              - "'kernel-core' in _exclude_packages"
+
+        - name: Gather all installed packages
+          ansible.builtin.package_facts:
+
+        - name: Check service status if we have kpatch-patch installed
+          when:
+            - ansible_facts.packages["kpatch-patch"] is defined
+          block:
+            - name: Gather services
+              ansible.builtin.service_facts:
+
+            - name: Ensure kpatch.service is running
+              ansible.builtin.assert:
+                that:
+                  - ansible_facts.services['kpatch.service'] is defined
+                  - ansible_facts.services['kpatch.service'].state == 'running'
+                  - ansible_facts.services['kpatch.service'].status == 'enabled'

roles/edpm_update/molecule/kpatch/molecule.yml

@@ -0,0 +1,27 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: collections.yml
+driver:
+  name: delegated
+  options:
+    managed: false
+    ansible_connection_options:
+      ansible_connection: local
+platforms:
+  - name: edpm-0.localdomain
+    groups:
+      - compute
+provisioner:
+  log: true
+  name: ansible
+
+scenario:
+  test_sequence:
+    - prepare
+    - converge
+    - cleanup
+    - destroy
+verifier:
+  name: ansible

roles/edpm_update/molecule/kpatch/prepare.yml

@@ -0,0 +1,18 @@
+---
+# Copyright 2024 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run prepare playbook
+  ansible.builtin.import_playbook: ../default/prepare.yml

roles/edpm_update/tasks/kpatch.yml

@@ -0,0 +1,29 @@
+---
+- name: Ensure we know about kernel version
+  when:
+    - ansible_facts['kernel'] is undefined
+  ansible.builtin.setup:
+    gather_subset:
+      - '!all,!min'
+      - 'kernel'
+
+- name: Ensure kpatch package is installed
+  become: true
+  ansible.builtin.package:
+    name: kpatch
+    state: present
+
+- name: Install kpatch-patch if available  # noqa: package-latest
+  failed_when: false
+  become: true
+  ansible.builtin.package:
+    name: "kpatch-patch = {{ ansible_facts['kernel'] }}"
+    state: latest
+
+- name: Ensure further update stages will not update kernel
+  vars:
+    _kernel:
+      - kernel
+      - kernel-core
+  ansible.builtin.set_fact:
+    _exclude_packages: "{{ edpm_update_exclude_packages + _kernel }}"

roles/edpm_update/tasks/main.yml

@@ -17,6 +17,10 @@
 
 # "edpm_update" will search for and load any operating system variable file
 
+- name: Apply kernel patch via kpatch
+  ansible.builtin.include_tasks: kpatch.yml
+  when: edpm_update_enable_kpatch
+
 - name: Update packages
   ansible.builtin.include_tasks: packages.yml
   when: edpm_update_enable_packages_update

roles/edpm_update/tasks/packages.yml

@@ -9,9 +9,13 @@
 
 - name: Ensure openvswitch is excluded from bulk update
   ansible.builtin.set_fact:
-    edpm_update_exclude_packages: "{{ edpm_update_exclude_packages + ['openvswitch'] }}"
-  when:
-    "'openvswitch' not in edpm_update_exclude_packages"
+    _exclude_packages: >-
+      {{
+        _exclude_packages | default([]) +
+        edpm_update_exclude_packages +
+        ['openvswitch'] |
+        ansible.builtin.unique
+      }}
   tags:
     - edpm_update
 
@@ -21,6 +25,6 @@
     name: "*"
     state: latest
     update_cache: true
-    exclude: "{{ edpm_update_exclude_packages }}"
+    exclude: "{{ _exclude_packages }}"
   tags:
     - edpm_update

zuul.d/jobs.yaml

@@ -76,6 +76,11 @@
     parent: edpm-ansible-molecule-base
     vars:
       TEST_RUN: edpm_telemetry_power_monitoring
+- job:
+    name: edpm-ansible-molecule-edpm_update
+    parent: edpm-ansible-molecule-base
+    vars:
+      TEST_RUN: edpm_update
 - job:
     name: edpm-ansible-tempest-multinode
     parent: openstack-operator-tempest-multinode

zuul.d/projects.yaml

@@ -19,6 +19,7 @@
         - edpm-ansible-molecule-edpm_tripleo_cleanup
         - edpm-ansible-molecule-edpm_tuned
         - edpm-ansible-molecule-edpm_telemetry_power_monitoring
+        - edpm-ansible-molecule-edpm_update
         - openstack-k8s-operators-content-provider
         - adoption-standalone-to-crc-ceph-provider:
             dependencies:
@@ -56,3 +57,4 @@
               - ^roles/edpm_telemetry/*
               - ^roles/edpm_pre_adoption_validation/*
               - ^roles/edpm_tripleo_cleanup/*
+              - ^roles/edpm_update/*