We no longer need to run the prometheus-haproxy-exporter, as we can rely
on the built-in Prometheus support from haproxy itself.
Change-Id: Ib3b90ff3fada6f3c3458bb5f95c646900eee6b8e
For PRO/Carrier where this setting makes most sense, the
systemd-timesyncd service does not provide accurate nor reliable
fallback.
Having to support both implementations when we are required to support a
proper one, which will be the default going forward means more testing
surface for not much benefit, so we switch completely.
Change-Id: Id07c3dace842215b544ac89a01845541bdef04a1
We need the latest ngcp-archive-keyring version, addressing the SHA-1
situation with our repository key. To get that, we refreshed our base
image sipwise-trixie, but need to ensure that we refresh all the docker
images building on top of it.
While at it, update the ENV syntax to avoid the deprecation warning.
Change-Id: If22d4083c03a6fdf6fc15e406db73a8fa38ae092
We have updated the autobuild OpenPGP, so we need to sync the checksums
so that the tests do not fail.
Change-Id: I12ffb0c7c010e14929bc02423cb3d0470800dccb
In commit ddd3277692 we replaced the
previous code using the imported Perl code from Jozef Kutej, to
an implementation based on the goss tool.
The Artistic + GPL-1+ license was due to the imported code, but that is
no longer applicable, so we can safely remove the copyright statement
for Jozef Kutej and switch the license to match what other GPL projects
in NGCP use.
Change-Id: Ia8ac16993b03758a9f23b5021e4236c9a32e5df0
- Update copyright years.
- Update Standards-Version to 4.7.2.
- Remove «Rules-Requires-Root: no» field, which is now the default.
- Remove «Priority: optional» field, which is now the default.
- Remove ancient conffile removal handling.
- Remove boilerplate comments on maintainer script.
- Wrap and sort fields.
- Add spaces around operators in make variables.
Change-Id: Iec97c258472ef106356d1e5b4b72d94585fc750e
Remove checks that made sure prosody was installed, and replace the ones
that are safe to keep to make sure it is no longer installed.
Change-Id: I0c9dcee11e743558522dbb62e1b651081e73f792
With the renamed rtpengine kernel module (from xt_RTPENGINE into
nft_rtpengine), we have three instead of only two matches in the lsmod
output:
[sipwise-lab-trunk] root@sp1:~# lsmod | grep nft_rtpengine
nft_rtpengine 94208 4
nf_tables 380928 13 nft_rtpengine
x_tables 53248 2 nft_rtpengine,ip_tables
Let's check for the exact module name only, since we don't need to check
its dependencies.
Fixes:
| not ok 22 - Command: lsmod | grep -Ec "xt_RTPENGINE|nft_rtpengine": stdout: Expected "object: *bytes.Reader" to have patterns ["/^2$/"] the missing elements were ["/^2$/"]
Change-Id: I5e3be48ac43d82321a31fd2c2f8ae9ce3ce2f598
The systemd package got a security update in Debian trixie, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d %F»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently supported Debian trixie
releases.
In addition for Debian trixie, a new enough Linux kernel is required
to benefit from the full security fix.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I89e6ff1d084403e6ae4b4eca6f5606b0d2417c01
The systemd package got a security update in Debian bookworm, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently support Debian bookworm
releases.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I531f197e47094321d688d425fb7f577b42fd7391
TL;DR: Even though we introduced support for Debian/trixie in 2024, we
didn't switch to the provided trixie docker container so far *yet*, but
had to provide an initial jenkins-tap-test-trixie docker container
underneath anyways. Now that this has been reworked, we can finally
really integrate the jenkins-tap-test-trixie environment.
The longer story behind this change:
We added Debian/trixie support in 2024 to our build environments and
Jenkins(-configs). When triggering ngcpcfg-get-code against bookworm,
it reported one failed test, due to:
| # cat reports/source/docs/hacking.txt_mergecheck.tap
| 1..1
| not ok 1 =======
This was already reported and fixed as MT#60909, but it didn't fail the
build (but marks it unstable). Whereas the ngcpcfg-tap-test run against
*trixie* failed hard for us, reporting 9 shellcheck issues.
For mr* release until and including mr9.4* we only ran the legacy
jenkins-tap-test-jessie docker container, invoking:
tap_tool_dispatcher
For newer mr* releases as well as trunk/master builds, we also ran
the jenkins-tap-test-jessie container, but then executed it with:
tap_tool_dispatcher --disable-checkbashism --disable-pep8 --disable-perlcritic
Only if this returns with exit code 0, we also proceeded to execute (also
see jenkins-configs git commit 835e4a8):
tap_tool_dispatcher --disable-shellcheck
But we did *not* run the later command against the
jenkins-tap-test-jessie container, but the actual
"jenkins-tap-test-$distribution". So for example we use
jenkins-tap-test-bookworm when building against bookworm, or
jenkins-tap-test-trixie when building against trixie.
This was meant to preserve some backwards compatibility, to e.g. not
break existing builds with new checks introduced by newer shellcheck
versions.
So far we didn't have such a jenkins-tap-test-trixie docker container,
therefore ngcpcfg-tap-test failed to run the second docker container.
But the results from the *initial* tap_tool_dispatcher execution of
jenkins-tap-test-jessie environment are left behind and reported,
resulting in the 9 shellcheck issues we saw.
Now as of MT#61842 with jenkins-configs git commits
d31c00a975083eb586d7921503a7d7391bc7606b +
986c60fe04bb53b88b7fb854d31b46ea01517ba9 +
650aecd78888aa63ee9e57ab31221cc166fcac4c we switched from
jenkins-tap-test-jessie container to
jenkins-tap-test-$distribution:$ngcp_release usage. For NGCP releases up
to and incl. mr9.4* we continue to rely on the legacy
jenkins-tap-test-jessie approach. For releases mr9.5* up to and incl.
mr13.3*, we use the old approach (as mentioned above) with
jenkins-tap-test-jessie *and*
jenkins-tap-test-$distribution:$ngcp_release. Finally, for master +
releases >mr13.3 we skip those legacy workarounds.
Change-Id: Ie8de99ef518b53a28767122fa5596f5528c75493
We should not repeat the loopback IP in case it appears in the
ha_int_ips. Use a dedicated array to track it, so that we can sort
and filter it.
The duplication has been present for a long time, but with newer goss,
it now fails.
Change-Id: I8f79551f74675607ba803605d8b83949dcf8a599
The key has been renamed in goss starting with the version in Debian
trixie, which now emits a warning such as:
DEPRECATION WARNING: file.contains has been renamed to file.contents
We make the key usage conditional on the release version, where the old
value can be removed once trunk has been switched to trixie.
Change-Id: Ie6ccdd1090c63edbdf135e9260f37c197748ac53
This was in place during the period where trunk was built for both
bullseye and bookworm, which has not been the case for a long time,
and it is dead code now. Remove the old support.
Change-Id: Ic2c4e06a13d03ffa02b01687f2c534099f0e4959
Listing it first makes it easier to know that this is the one that we
need to preserve, and changing from the equality operator to a
greater-or-equal, makes it explicit what the fallback case is about.
Change-Id: Ifb63f9cb1d88fec4c67b51502a88724a009d50e4
apt-key is gone as of apt version 2.9.17, so rely on apt-key
only for Debian bookworm, instead use our own tooling to verify
the key situation on Debian/trixie (v13) and newer.
Migrate our existing checks from templates/140_apt-keys.yaml.tt2
to our new helper script helper/check-apt-keyrings, so we have one
single interface for all those checks.
FTR: the checksums of the sipwise-archive-2015.gpg +
sipwise-autobuilder-2011.gpg keyfiles differ between bookworm and
trixie, because of the way we generate them during package builds
(gnupg for bookworm vs. sequoia starting with trixie).
Situation on bookworm / trunk:
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
| 68A702B1FD8E422AAAA1ADA3773236EFF411A836
| uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>
| sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2011-06-06 [SC]
| F7B8A739CE638D719A078C9859104633EE5E097D
| uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com>
| sub rsa4096 2011-06-06 [E]
| root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| 811f878f5320fc8563a70b166d2c27ec060b4397ca021702f433bc4659336b9b /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| f00aad42a76ddec341fb2c67b45b41e2d1c19d67bd239196cd52488c4b7da4a0 /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
Situation on trixie / trunk:
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
| 68A702B1FD8E422AAAA1ADA3773236EFF411A836
| uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>
| sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2011-06-06 [SC]
| F7B8A739CE638D719A078C9859104633EE5E097D
| uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com>
| sub rsa4096 2011-06-06 [E]
|
| root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| 88d92e09810a13b5e749839bca89029fbbe73cca261a3a26712a560cc7b50e47 /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| b64656d5f8fa0a636d46084bda74e16cef502d3d48e8ed101c6386ad8bbcacef /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
NOTE: Once we switch our /etc/apt/sources.list* setup to the
deb822.sources format (see sources.list(5) + deb822(5) for details), and
neither our ngcp-archive-keyring nor Debian's debian-archive-keyring no
longer installs any files inside /etc/apt/trusted.gpg.d, we can instead
check for empty /etc/apt/trusted.gpg.d + /etc/apt/keyrings and expected
files inside /usr/share/keyrings.
Change-Id: I0ef7e1d8f0684f94c1e6ae0499f85080cdcd690a
Switch the main key/value service to use the database.key_value.flavor.
Add explicit support for valkey directories and user/group.
Change-Id: Idd21565e66c940c564045ebd02dd148ad3562e9e
There is a more complete check that should already handle the case this
instance was covering, with a non-empty license-key.
This was causing the following parse failure with the new goss version
from Debian trixie:
,---
Error: could not read json data in /etc/ngcp-system-tests/510_init-daemons-ngcp.yaml: yaml: unmarshal errors:
line 115: mapping key "ngcp-license-client.service" already defined at line 31
`---
Reported-by: goss 0.4.9
Change-Id: I7323fbd80e2b13d0bcc280210bdb8010b910c5f1
Fixes:
| Error: could not read json data in /etc/ngcp-system-tests/900_service-ngcp-api.yaml: yaml: unmarshal errors:
| line 61: mapping key "curl --insecure -L http://192.168.211.210/" already defined at line 4
| line 68: mapping key "curl --insecure -L https://192.168.211.210/" already defined at line 11
Merge the identical curl command lines into one single test.
This is being detected by new goss versions from Debian trixie as
errors, and causing the entire ngcp-system-tests run to fail.
Change-Id: If9fb68dd182891ae742a4af07ebe259d914c3c91
These share the same ports depending on the role of the current node, so
to avoid emitting the same duplicate port entries we should turn these
into cascading if/elif.
This is being detected by new goss versions from Debian trixie as
errors, and causing the entire ngcp-system-tests run to fail.
Change-Id: I2898f623e87867a03ef6cfb728a90631f53ffae7
We run the *-tap-test Jenkins jobs in a docker environment. To be able
to use jenkins-debian-glue from our own internal repository, we need to
enable the repository in apt's sources.list configuration.
Change-Id: Id9cccd0f7edd15ebffc1fc71e274d6943c77a2c3
For services we use an «enable» key to select whether to enable or
disable a service. The «start» key is unusual and has already caused a
wrong usage in templates in the past. Rename them for uniformity with
the rest of the key naming conventions used.
For DHCP address ranges, namespace the «start» key (alongside «end» and
«lease» renamed from «expire») into a new addr_range map, so that it's
obvious this is not about starting the service, but about the
aforementioned address range setting.
Change-Id: Icff25a273358e69881cc54ccdd9be39a27c5c526
Guillem Jover
Sipwise Jenkins Builder
Marco Capetta
Michael Prokop
Richard Fuchs
Victor Seva
Mykola Malkov