feat: Generate remediation vars and playbook from the analysis role#361
feat: Generate remediation vars and playbook from the analysis role#361spetrosi wants to merge 5 commits intoredhat-cop:mainfrom
Conversation
|
@swapdisk @djdanielsson please review, this brings some integration between the analysis role results and remediations to call. The risk is that customers would run remediation without thinking, which might break their systems. I tried to make it clear that it's user's responsibility to view what remediations do before running them. |
spetrosi
requested review from
PeterMocary and
richm
and removed request for
PeterMocary
spetrosi
force-pushed
the
analysis-report
branch
3 times, most recently
from
02cbee9 to
a38a270
Compare
|
[citest] |
spetrosi
force-pushed
the
analysis-report
branch
from
a38a270 to
8f02479
Compare
|
[citest] |
spetrosi
force-pushed
the
analysis-report
branch
from
8f02479 to
e3c8d6b
Compare
|
[citest] |
| ansible.builtin.slurp: | ||
| src: "{{ leapp_result_filename }}" | ||
| register: results_txt | ||
| no_log: true |
There was a problem hiding this comment.
I think these no_log should be a var in case something goes wrong the user to disable them to see the output
There was a problem hiding this comment.
Look at the example output in this log: https://dl.fedoraproject.org/pub/alt/linuxsystemroles/logs/tf_infra.leapp-349_RHEL-9.7.0-Nightly-2.17_20260212-083641/artifacts/leapp-tests_upgrade_custom_9to10-ANSIBLE-2.17-test_playbooks-SUCCESS.log
I hid the output that is not readable and makes it hard to read what ansible returns.
The output of the slurp module is completely unreadable, while some set_fact outputs are kinda readable, but still too much text. In the case where you run the role against >1 host it pollutes the terminal.
Now pre-upgrade reports are copied to the controller, users can open them and view.
|
Does it make sense to copy ripu.log from managed nodes to controller too? |
spetrosi
force-pushed
the
analysis-report
branch
from
e3c8d6b to
00e7bf6
Compare
|
[citest] |
Analysis role generates hostvars files for each node that runs pre-upgrade. It reads pre-upgrade reports and matches found inhibitors to available remediations provided by the `remediation` role. `analysis` role creates the directory `host_vars` in the path from which you run your analysis playbook. It generates variable files that set the `leapp_remediation_todo` variable with available remediations for existing inhibitors, based on each node's pre-upgrade report. The role also generates a `remediate.yml` playbook that you can run to run remediation for all nodes.
spetrosi
force-pushed
the
analysis-report
branch
from
00e7bf6 to
8a2bc86
Compare
| - name: copy_reports_to_controller | Copy report files to the controller | ||
| ansible.builtin.fetch: | ||
| src: "{{ item.src }}" | ||
| dest: "{{ reports_directory }}/{{ leapp_result_basename }}.{{ inventory_hostname }}.{{ item.ext }}" |
There was a problem hiding this comment.
since you have inventory_hostname in the dest, you might want to use flat: true - https://docs.ansible.com/projects/ansible/latest/collections/ansible/builtin/fetch_module.html#parameter-flat
There was a problem hiding this comment.
Yeah I figured it out, preparing a fix
| state: absent | ||
| delegate_to: localhost | ||
| loop: | ||
| - "{{ playbook_dir }}/host_vars/{{ inventory_hostname }}.yml" |
There was a problem hiding this comment.
you can't remove this file if there was already one created by the user
There was a problem hiding this comment.
I won't create those files, doesn't hurt to keep them, and users might search for them even after the run the role.
spetrosi
force-pushed
the
analysis-report
branch
from
5ed667c to
2e62924
Compare
* Add leapp_workdir_controller to analysis and upgrade to select where to store logs on controller * Add leapp_copy_reports defaulting to true to upgrade too * Get rid of RIPU wording, it's confusing, use Ansible leapp logs instead. * Move copy_reports_to_controller to common to be used by analysis and upgrade * In create_remediation_hostvars do delegate_to: localhost on a block level as Rich suggested. * Move logs to a timestamped directory on controller. All logs to a single directory per run, under which there is a separate dir for each node. * Remove handlers from common. Handlers run in a different environment and don't have access to variables, and it was impossible to save to timestamp. Instead, add task files to be called in the beginning and in the end of the run. * Remove tasks from common/tasks/main.yml. For clarity, use only tasks files in the common role. * Use include_role instead of import_role as it's more robust. * Do not remove generated hostvars and remediation playbook after role finishes. It doesn't hurt to keep them for users to be able to access even after they are not needed.
spetrosi
force-pushed
the
analysis-report
branch
from
2e62924 to
dc32237
Compare
| leapp_system_roles_collection: "{{ infra_leapp_upgrade_system_roles_collection | default('fedora.linux_system_roles') }}" | ||
|
|
||
| # Directory to store leapp pre-upgrade reports and remediation hostvars | ||
| leapp_workdir_controller: "{{ playbook_dir }}" |
There was a problem hiding this comment.
@djdanielsson how will this work when using AAP with an EE? Where does the "controller" store local files in this case?
|
After an upgrade tree of copied from managed nodes files looks like this: |
|
[citest] |
Add a cleanup task to common to be reused
|
[citest] |
|
[citest] |
|
|
||
| # Note: We cannot use ansible.builtin.import_playbook here because import_playbook | ||
| # can only be used at the playbook level, not in task files. Therefore, we execute | ||
| # the generated playbook using ansible-playbook command with the same intontory |
There was a problem hiding this comment.
| # the generated playbook using ansible-playbook command with the same intontory | |
| # the generated playbook using ansible-playbook command with the same inventory |
| - "{{ playbook_dir }}/remediate.yml" | ||
|
|
||
| # Note: We cannot use ansible.builtin.import_playbook here because import_playbook | ||
| # can only be used at the playbook level, not in task files. Therefore, we execute |
There was a problem hiding this comment.
I suppose you could generate both the remediate playbook and a remediate_tasks tasks file - that way, the user could use the remediate playbook separately if desired, and this code could directly execute the tasks file. It's generally not good to execute ansible-playbook from within ansible-playbook, although a case could be made.
3 participants
Analysis role generates hostvars files for each node that runs pre-upgrade.
It reads pre-upgrade reports and matches found inhibitors to available remediations provided by the
remediationrole.analysisrole creates the directoryhost_varsin the path from which you run your analysis playbook.It generates variable files that set the
leapp_remediation_todovariable with available remediations for existing inhibitors, based on each node's pre-upgrade report.The role also generates a
remediate.ymlplaybook that you can run to run remediation for all nodes.