The systemd package got a security update in Debian bookworm, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently supported Debian bookworm
releases.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I531f197e47094321d688d425fb7f577b42fd7391
(cherry picked from commit 2abaac7e3c)
We run the *-tap-test Jenkins jobs in a docker environment. To be able
to use jenkins-debian-glue from our own internal repository, we need to
enable the repository in apt's sources.list configuration.
Change-Id: Id9cccd0f7edd15ebffc1fc71e274d6943c77a2c3
For services we use an «enable» key to select whether to enable or
disable a service. The «start» key is unusual and has already caused a
wrong usage in templates in the past. Rename them for uniformity with
the rest of the key naming conventions used.
For DHCP address ranges, namespace the «start» key (alongside «end» and
«lease» renamed from «expire») into a new addr_range map, so that it's
obvious this is not about starting the service, but about the
aforementioned address range setting.
Change-Id: Icff25a273358e69881cc54ccdd9be39a27c5c526
Add checks for stock services that were previously omitted. This makes
sure we can spot any possible regression in the set of listening
addresses.
This includes dnsmasq and nginx ports.
Change-Id: I9a9041cf97df511f4801941e932e97baa797a348
Added exceptions:
.+/prosody/status_checks - this was probably a table manually
created in sipwise system and not existing anywhere else.
.+/billing/test - this was probably a table manually created in
sipwise system and not existing anywhere else.
.+/ngcp/pt_checksums_sp.* - these were tables created by percona
tools created in sipwise and demo system and not existing anywhere
else.
Change-Id: Ie7461754e2e3baea770be5e60e2f1f658f13cfdb
We only support keydb now, and the config knob and migration script
have been removed. Hardcode keydb for the redis flavor we intend to
use, and add checks to make sure the redis service is not running nor
enabled anymore.
Change-Id: I1a9ecb7e26346cd23618b464a7f5f420d5ab7263
There's currently a divergence between CE and PRO, where web_int is not
set up by default as a role for the loopback interface on CE systems. We
should thus for now not expect NGINX to be listening there, for the
NGCP Panel admin and csc ports.
In the future we should probably unify this behavior and make CE behave
the same as a PRO, because this seems like a gratuitous divergence.
Fixes: commit d0d8c1eb10
Change-Id: Ib65b9dcf94a34b416d59aad93e19d88cf5a6469c
The exception '.+/accounting/cdr_[0-9]{6}/.+' ignores all elements of a
table (columns, indexes, etc) but not the table itself. It causes the error:
=======================
Element: tables/accounting/cdr_202205 is missing in json file
=======================
So fix the regex.
Change-Id: Ie5c23a89e85281b0d2a436cea3b888cad5974c11
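
The gap in the exception regex described in the commit message above, as an added example that is not code from the ngcp-system-tests repository. The corrected pattern, the full-string matching mode and every element path except tables/accounting/cdr_202205 are assumptions made for illustration.

```python
import re

# Exception pattern quoted in the commit message above.
ORIGINAL = r".+/accounting/cdr_[0-9]{6}/.+"
# Assumed correction (not taken from the commit): make the trailing
# "/<element>" part optional so the table entry itself is covered too.
CORRECTED = r".+/accounting/cdr_[0-9]{6}(/.+)?"

# Constructed element paths; only the first one appears on the page.
ELEMENTS = [
    "tables/accounting/cdr_202205",
    "columns/accounting/cdr_202205/id",
    "indexes/accounting/cdr_202205/PRIMARY",
    "tables/accounting/cdr",
    "columns/accounting/cdr/id",
]


def unexcepted(elements, exceptions):
    """Return the elements not covered by any exception pattern.

    Assumption: an exception must match the whole element path.
    """
    compiled = [re.compile(p) for p in exceptions]
    return [e for e in elements if not any(c.fullmatch(e) for c in compiled)]


def report(elements, exceptions):
    """Render the remaining elements in the error format quoted above."""
    return [f"Element: {e} is missing in json file"
            for e in unexcepted(elements, exceptions)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"--- {name}: {pattern}")
        for line in report(ELEMENTS, [pattern]):
            print(line)
```

With the original pattern the dated table entry itself is still reported, while the base cdr table stays checked under both patterns.
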
Add IPv6 entries for services for which we are currently checking their
IPv4 listening addresses. This makes sure we check for these addresses
and that we do not regress in case other components rely on being able
to access these services through these addresses.
Change-Id: Ifa73e594d8cce862af77317ea88cea5c564dd1c6
These services also listen on the localhost and any address. Add these
explicitly as we might have other components relying on being able
to access these services through them.
Change-Id: I6d234620847ccc88f2c709a20692c6d5b7174229
We switched from heartbeat-2 to corosync/pacemaker long ago, and these
checks that were in place for a transitory period to make sure no odd
services were running when not expected, no longer serve much of a
purpose.
Change-Id: I8be3252278a5876f1a6ac89da0ade3fb63b01a18
We have removed InfluxDB support long ago, and there's been enough time
to clean up any systems involved. Remove these checks that no longer
serve any purpose.
Change-Id: I6de535f0dd571d7d8d006eecd66cb31ff6661db6
As of git rev 511e1f69cc91 in templates (see "MT#58452 monit: Use a Unix socket for the httpd control access"),
monit no longer listens on port 2812 but uses a Unix socket instead.
Fixes:
| not ok 848 - Port: tcp:2812: listening: doesn't match, expect: [true] found: [false]
Change-Id: I9b16aac2ebbf14defdd2713f72c7362ab21d43b8
Print known exceptions only if --debug option is used. No need to flood
output with useless messages.
Change-Id: I4460a370d44dc0f95beb654efc493270f11103d3
Release trunk/mr11.4 was switched to Debian/bookworm where Mariadb 10.11
is used and json/sql files were rebuilt so remove these exceptions.
Change-Id: I9a00e2394eec82a2c2b3ce518df3fa8f731c6e4f
In mariadb 10.6 utf8 was renamed to utf8mb3:
https://jira.mariadb.org/browse/MDEV-8334
Now json files are built on mariadb 10.5 while on bookworm mariadb 10.11
is used. So until trunk is switched to bookworm we have to skip this
part.
Change-Id: I9a6c61a2250a61676df3dac7ed509442f39dd183
The variable NGCP_HOSTNAME is not defined in the /etc/default/ngcp-roles
file, so fall back to 'localhost'. The value 'spce' can't be used as there
is no grant for this hostname in mariadb.
Change-Id: I7ee48d00c7615678574bce8194ab29e07774de96
In mariadb 10.6 utf8 was renamed to utf8mb3:
https://jira.mariadb.org/browse/MDEV-8334
Now json files are built on mariadb 10.5 while on bookworm mariadb 10.11
is used. So until trunk is switched to bookworm we have to skip this
part.
Change-Id: Ia28b9560f516af569c9e76c318d08765af42740f
The reason is the partitioning mechanism: the tables are created without
partitioning, but then partitions are created by the ngcp-cleanup-acc tool,
as well as history tables like <table_name>_<date>.
So ignore create_options for the list of tables and <table_name>_<date>.
The list of tables is from templates.git:ngcp-cleanup-tools/acc-cleanup.conf
Change-Id: I3a720d7b5b34498abe6805278795825cb1c708c7
Now we have a json file with the schema description, which is the etalon one.
Remove comparing schemes between two instances.
Change-Id: I046cc30eed926b06a578c0572132b7e8ae42eb21
On a CE the general.process_handler is always set to 'none'. So we need
to take this into account and mark it as enabled.
Change-Id: Id1347ac027412861a1319a95d1537aaeb778bf6a
The rate-o-mat service can run in active-active or in active-standby
modes. If the service is enabled and on the proxy nodes, the former
mode means the service will be enabled and running on both peers, the
latter will mean it's in the traditional HA mode and thus only running
on the active node.
Change-Id: I020c8a00706135ed5d432bf8b1b8874cf1b2f532
The openssh-server Debian package no longer uses the "ssh" group,
but renamed it to "_ssh" (see git rev 18da782e in
https://salsa.debian.org/ssh-team/openssh.git + Debian's #990456), which
was shipped starting with v1:8.4p1-6.
Debian/bookworm currently ships openssh-server v1:9.0p1-1+b2,
so adjust tests accordingly.
Change-Id: I4f75e94ac32ce9d06a4bc9991fa62b73086e4f45