In commit ddd3277692 we replaced the
previous code using the imported Perl code from Jozef Kutej with
an implementation based on the goss tool.
The Artistic + GPL-1+ license was due to the imported code, but that is
no longer applicable, so we can safely remove the copyright statement
for Jozef Kutej and switch the license to match what other GPL projects
in NGCP use.
Change-Id: Ia8ac16993b03758a9f23b5021e4236c9a32e5df0
- Update copyright years.
- Update Standards-Version to 4.7.2.
- Remove «Rules-Requires-Root: no» field, which is now the default.
- Remove «Priority: optional» field, which is now the default.
- Remove ancient conffile removal handling.
- Remove boilerplate comments on maintainer script.
- Wrap and sort fields.
- Add spaces around operators in make variables.
Change-Id: Iec97c258472ef106356d1e5b4b72d94585fc750e
Remove checks that made sure prosody was installed, and replace the ones
that are safe to keep to make sure it is no longer installed.
Change-Id: I0c9dcee11e743558522dbb62e1b651081e73f792
With the renamed rtpengine kernel module (from xt_RTPENGINE into
nft_rtpengine), we have three instead of only two matches in the lsmod
output:
[sipwise-lab-trunk] root@sp1:~# lsmod | grep nft_rtpengine
nft_rtpengine 94208 4
nf_tables 380928 13 nft_rtpengine
x_tables 53248 2 nft_rtpengine,ip_tables
Let's check for the exact module name only, since we don't need to check
its dependencies.
Fixes:
| not ok 22 - Command: lsmod | grep -Ec "xt_RTPENGINE|nft_rtpengine": stdout: Expected "object: *bytes.Reader" to have patterns ["/^2$/"] the missing elements were ["/^2$/"]
Change-Id: I5e3be48ac43d82321a31fd2c2f8ae9ce3ce2f598
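The difference between the substring match and the exact module-name match described in the commit above, as an added example (not code from ngcp-system-tests). The function names are hypothetical and the sample is built from the lsmod lines quoted in the commit message.

```shell
#!/bin/sh
# Constructed sample: the lsmod lines quoted in the commit message above.
LSMOD_SAMPLE='nft_rtpengine 94208 4
nf_tables 380928 13 nft_rtpengine
x_tables 53248 2 nft_rtpengine,ip_tables'

# Fragile approach: count every line that mentions the name anywhere.
# Modules that only list it in their "Used by" column are counted too,
# so the result changes whenever the dependency set changes.
count_substring() {
    printf '%s\n' "$2" | grep -c -- "$1"
}

# Robust approach: count only lines whose first column (the module name)
# is exactly the requested name.
count_exact() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { n++ } END { print n + 0 }'
}

# Hypothetical helper: succeed only if exactly one loaded module has
# that exact name. Usage on a live system:
#   module_loaded nft_rtpengine "$(lsmod)"
module_loaded() {
    [ "$(count_exact "$1" "$2")" -eq 1 ]
}
```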
The systemd package got a security update in Debian trixie, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d %F»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently supported Debian trixie
releases.
In addition for Debian trixie, a new enough Linux kernel is required
to benefit from the full security fix.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I89e6ff1d084403e6ae4b4eca6f5606b0d2417c01
The systemd package got a security update in Debian bookworm, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently supported Debian bookworm
releases.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I531f197e47094321d688d425fb7f577b42fd7391
TL;DR: Even though we introduced support for Debian/trixie in 2024, we
didn't switch to the provided trixie docker container so far *yet*, but
had to provide an initial jenkins-tap-test-trixie docker container
underneath anyways. Now that this has been reworked, we can finally
really integrate the jenkins-tap-test-trixie environment.
The longer story behind this change:
We added Debian/trixie support in 2024 to our build environments and
Jenkins(-configs). When triggering ngcpcfg-get-code against bookworm,
it reported one failed test, due to:
| # cat reports/source/docs/hacking.txt_mergecheck.tap
| 1..1
| not ok 1 =======
This was already reported and fixed as MT#60909, but it didn't fail the
build (but marks it unstable). Whereas the ngcpcfg-tap-test run against
*trixie* failed hard for us, reporting 9 shellcheck issues.
For mr* releases until and including mr9.4* we only ran the legacy
jenkins-tap-test-jessie docker container, invoking:
tap_tool_dispatcher
For newer mr* releases as well as trunk/master builds, we also ran
the jenkins-tap-test-jessie container, but then executed it with:
tap_tool_dispatcher --disable-checkbashism --disable-pep8 --disable-perlcritic
Only if this returns with exit code 0, we also proceeded to execute (also
see jenkins-configs git commit 835e4a8):
tap_tool_dispatcher --disable-shellcheck
But we did *not* run the latter command against the
jenkins-tap-test-jessie container, but the actual
"jenkins-tap-test-$distribution". So for example we use
jenkins-tap-test-bookworm when building against bookworm, or
jenkins-tap-test-trixie when building against trixie.
This was meant to preserve some backwards compatibility, to e.g. not
break existing builds with new checks introduced by newer shellcheck
versions.
So far we didn't have such a jenkins-tap-test-trixie docker container,
therefore ngcpcfg-tap-test failed to run the second docker container.
But the results from the *initial* tap_tool_dispatcher execution of
jenkins-tap-test-jessie environment are left behind and reported,
resulting in the 9 shellcheck issues we saw.
Now as of MT#61842 with jenkins-configs git commits
d31c00a975083eb586d7921503a7d7391bc7606b +
986c60fe04bb53b88b7fb854d31b46ea01517ba9 +
650aecd78888aa63ee9e57ab31221cc166fcac4c we switched from
jenkins-tap-test-jessie container to
jenkins-tap-test-$distribution:$ngcp_release usage. For NGCP releases up
to and incl. mr9.4* we continue to rely on the legacy
jenkins-tap-test-jessie approach. For releases mr9.5* up to and incl.
mr13.3*, we use the old approach (as mentioned above) with
jenkins-tap-test-jessie *and*
jenkins-tap-test-$distribution:$ngcp_release. Finally, for master +
releases >mr13.3 we skip those legacy workarounds.
Change-Id: Ie8de99ef518b53a28767122fa5596f5528c75493
We should not repeat the loopback IP in case it appears in the
ha_int_ips. Use a dedicated array to track it, so that we can sort
and filter it.
The duplication has been present for a long time, but with newer goss,
it now fails.
Change-Id: I8f79551f74675607ba803605d8b83949dcf8a599
The key has been renamed in goss starting with the version in Debian
trixie, which now emits a warning such as:
DEPRECATION WARNING: file.contains has been renamed to file.contents
We make the key usage conditional on the release version, where the old
value can be removed once trunk has been switched to trixie.
Change-Id: Ie6ccdd1090c63edbdf135e9260f37c197748ac53
This was in place during the period where trunk was built for both
bullseye and bookworm, which has not been the case for a long time,
and it is dead code now. Remove the old support.
Change-Id: Ic2c4e06a13d03ffa02b01687f2c534099f0e4959
Listing it first makes it easier to know that this is the one that we
need to preserve, and changing from the equality operator to a
greater-or-equal, makes it explicit what the fallback case is about.
Change-Id: Ifb63f9cb1d88fec4c67b51502a88724a009d50e4
apt-key is gone as of apt version 2.9.17, so rely on apt-key
only for Debian bookworm, and instead use our own tooling to verify
the key situation on Debian/trixie (v13) and newer.
Migrate our existing checks from templates/140_apt-keys.yaml.tt2
to our new helper script helper/check-apt-keyrings, so we have one
single interface for all those checks.
FTR: the checksums of the sipwise-archive-2015.gpg +
sipwise-autobuilder-2011.gpg keyfiles differ between bookworm and
trixie, because of the way we generate them during package builds
(gnupg for bookworm vs. sequoia starting with trixie).
Situation on bookworm / trunk:
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
| 68A702B1FD8E422AAAA1ADA3773236EFF411A836
| uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>
| sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2011-06-06 [SC]
| F7B8A739CE638D719A078C9859104633EE5E097D
| uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com>
| sub rsa4096 2011-06-06 [E]
| root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| 811f878f5320fc8563a70b166d2c27ec060b4397ca021702f433bc4659336b9b /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| f00aad42a76ddec341fb2c67b45b41e2d1c19d67bd239196cd52488c4b7da4a0 /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
Situation on trixie / trunk:
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
| 68A702B1FD8E422AAAA1ADA3773236EFF411A836
| uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>
| sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2011-06-06 [SC]
| F7B8A739CE638D719A078C9859104633EE5E097D
| uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com>
| sub rsa4096 2011-06-06 [E]
|
| root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| 88d92e09810a13b5e749839bca89029fbbe73cca261a3a26712a560cc7b50e47 /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| b64656d5f8fa0a636d46084bda74e16cef502d3d48e8ed101c6386ad8bbcacef /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
NOTE: Once we switch our /etc/apt/sources.list* setup to the
deb822.sources format (see sources.list(5) + deb822(5) for details), and
neither our ngcp-archive-keyring nor Debian's debian-archive-keyring
installs any files inside /etc/apt/trusted.gpg.d anymore, we can instead
check for empty /etc/apt/trusted.gpg.d + /etc/apt/keyrings and expected
files inside /usr/share/keyrings.
Change-Id: I0ef7e1d8f0684f94c1e6ae0499f85080cdcd690a
Switch the main key/value service to use the database.key_value.flavor.
Add explicit support for valkey directories and user/group.
Change-Id: Idd21565e66c940c564045ebd02dd148ad3562e9e
There is a more complete check that should already handle the case this
instance was covering, with a non-empty license-key.
This was causing the following parse failure with the new goss version
from Debian trixie:
,---
Error: could not read json data in /etc/ngcp-system-tests/510_init-daemons-ngcp.yaml: yaml: unmarshal errors:
line 115: mapping key "ngcp-license-client.service" already defined at line 31
`---
Reported-by: goss 0.4.9
Change-Id: I7323fbd80e2b13d0bcc280210bdb8010b910c5f1
Fixes:
| Error: could not read json data in /etc/ngcp-system-tests/900_service-ngcp-api.yaml: yaml: unmarshal errors:
| line 61: mapping key "curl --insecure -L http://192.168.211.210/" already defined at line 4
| line 68: mapping key "curl --insecure -L https://192.168.211.210/" already defined at line 11
Merge the identical curl command lines into one single test.
This is being detected by new goss versions from Debian trixie as
errors, and causing the entire ngcp-system-tests run to fail.
Change-Id: If9fb68dd182891ae742a4af07ebe259d914c3c91
These share the same ports depending on the role of the current node, so
to avoid emitting the same duplicate port entries we should turn these
into cascading if/elif.
This is being detected by new goss versions from Debian trixie as
errors, and causing the entire ngcp-system-tests run to fail.
Change-Id: I2898f623e87867a03ef6cfb728a90631f53ffae7
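The three commits above (duplicate service, command and port entries) all fix the same failure: a goss file that defines the same mapping key twice. The following is an added example, not code from ngcp-system-tests, of a pre-flight check that reports such duplicates in rendered goss YAML. The function names and the sample file are constructed, and it assumes the usual goss layout of an unindented resource type followed by unquoted resource keys indented by two spaces.

```shell
#!/bin/sh
# Constructed sample of a rendered goss file with two duplicated keys.
GOSS_SAMPLE='service:
  ngcp-license-client.service:
    enabled: true
command:
  curl --insecure -L http://192.0.2.10/:
    exit-status: 0
  curl --insecure -L https://192.0.2.10/:
    exit-status: 0
  curl --insecure -L http://192.0.2.10/:
    exit-status: 0
port:
  tcp:80:
    listening: true
  tcp:80:
    listening: true'

# Print one line per resource key that is defined twice within the same
# resource type. Reads the given files, or stdin when called without any.
find_duplicate_keys() {
    awk '
        # Unindented line: start of a new resource type (service, port, ...).
        /^[^ #]/ { section = $0; sub(/:[ \t]*$/, "", section); next }
        # Line indented by exactly two spaces and ending in ":": a resource key.
        /^  [^ #].*:[ \t]*$/ {
            key = $0
            sub(/^  /, "", key); sub(/:[ \t]*$/, "", key)
            id = section SUBSEP key
            if (id in seen)
                printf "line %d: %s key \"%s\" already defined at line %d\n",
                    NR, section, key, seen[id]
            else
                seen[id] = NR
        }
    ' "$@"
}

# Succeed only when no duplicate resource key was found.
goss_keys_unique() {
    [ -z "$(find_duplicate_keys "$@")" ]
}
```

Running `find_duplicate_keys` over each rendered file before invoking goss turns the whole-run parse failure into a per-file report; line numbers restart per invocation, so pass one file at a time.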
We run the *-tap-test Jenkins jobs in a docker environment. To be able
to use jenkins-debian-glue from our own internal repository, we need to
enable the repository in apt's sources.list configuration.
Change-Id: Id9cccd0f7edd15ebffc1fc71e274d6943c77a2c3
For services we use an «enable» key to select whether to enable or
disable a service. The «start» key is unusual and has already caused a
wrong usage in templates in the past. Rename them for uniformity with
the rest of the key naming conventions used.
For DHCP address ranges, namespace the «start» key (alongside «end» and
«lease» renamed from «expire») into a new addr_range map, so that it's
obvious this is not about starting the service, but about the
aforementioned address range setting.
Change-Id: Icff25a273358e69881cc54ccdd9be39a27c5c526
Add checks for stock services that were previously omitted. This makes
sure we can spot any possible regression in the set of listening
addresses.
This includes dnsmasq and nginx ports.
Change-Id: I9a9041cf97df511f4801941e932e97baa797a348
Added exceptions:
.+/prosody/status_checks - this was probably a table manually
created in sipwise system and not existing anywhere else.
.+/billing/test - this was probably a table manually created in
sipwise system and not existing anywhere else.
.+/ngcp/pt_checksums_sp.* - these were tables created by percona
tools created in sipwise and demo system and not existing anywhere
else.
Change-Id: Ie7461754e2e3baea770be5e60e2f1f658f13cfdb
We only support keydb now, and the config knob and migration script
have been removed. Hardcode keydb for the redis flavor we intend to
use, and add checks to make sure the redis service is neither running nor
enabled anymore.
Change-Id: I1a9ecb7e26346cd23618b464a7f5f420d5ab7263
There's currently a divergence between CE and PRO, where web_int is not
set up by default as a role for the loopback interface on CE systems. We
should thus for now not expect NGINX to be listening there, for the
NGCP Panel admin and csc ports.
In the future we should probably unify this behavior and make CE behave
the same as a PRO, because this seems like a gratuitous divergence.
Fixes: commit d0d8c1eb10
Change-Id: Ib65b9dcf94a34b416d59aad93e19d88cf5a6469c
The exception '.+/accounting/cdr_[0-9]{6}/.+' ignores all elements of a
table (columns, indexes, etc) but not the table itself. It causes the error:
=======================
Element: tables/accounting/cdr_202205 is missing in json file
=======================
So fix the regex.
Change-Id: Ie5c23a89e85281b0d2a436cea3b888cad5974c11
Add IPv6 entries for services for which we are currently checking their
IPv4 listening addresses. This makes sure we check for these addresses
and that we do not regress in case other components rely on being able
to access these services through these addresses.
Change-Id: Ifa73e594d8cce862af77317ea88cea5c564dd1c6
These services also listen on the localhost and any address. Add these
explicitly as we might have other components relying on being able
to access these services through them.
Change-Id: I6d234620847ccc88f2c709a20692c6d5b7174229
We switched from heartbeat-2 to corosync/pacemaker long ago, and these
checks that were in place for a transitory period to make sure no odd
services were running when not expected, no longer serve much of a
purpose.
Change-Id: I8be3252278a5876f1a6ac89da0ade3fb63b01a18