Remove checks that made sure prosody was installed, and replace the ones
that are safe to keep to make sure it is no longer installed.
Change-Id: I0c9dcee11e743558522dbb62e1b651081e73f792
With the renamed rtpengine kernel module (from xt_RTPENGINE into
nft_rtpengine), we have three instead of only two matches in the lsmod
output:
  [sipwise-lab-trunk] root@sp1:~# lsmod | grep nft_rtpengine
  nft_rtpengine          94208  4
  nf_tables             380928  13 nft_rtpengine
  x_tables               53248  2 nft_rtpengine,ip_tables
Let's check for the exact module name only, since we don't need to check
its dependencies.
Fixes:
| not ok 22 - Command: lsmod | grep -Ec "xt_RTPENGINE|nft_rtpengine": stdout: Expected "object: *bytes.Reader" to have patterns ["/^2$/"] the missing elements were ["/^2$/"]
Change-Id: I5e3be48ac43d82321a31fd2c2f8ae9ce3ce2f598
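
The counting problem from the commit above, as an added example that is not part of the commit or of ngcp-system-tests: comparing only the first lsmod column counts the module itself, while a plain grep also counts every line that names it as a dependency. The lsmod lines are the sample from the commit message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of ngcp-system-tests. Function names are hypothetical.

# lsmod lines as quoted in the commit message above.
sample_lsmod() {
cat <<'EOF'
nft_rtpengine          94208  4
nf_tables             380928  13 nft_rtpengine
x_tables               53248  2 nft_rtpengine,ip_tables
EOF
}

# Substring count, as in the failing check: a line matches wherever the
# name appears, including the "Used by" column of other modules.
count_substring() {
    grep -Ec "$1" || true
}

# Exact count: only the first column (the module name) is compared against
# a "|"-separated list of accepted names.
count_exact() {
    awk -v mods="$1" '
        BEGIN { n = split(mods, a, "|"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { hits++ }
        END { print hits + 0 }'
}

echo "substring: $(sample_lsmod | count_substring 'xt_RTPENGINE|nft_rtpengine')"
echo "exact:     $(sample_lsmod | count_exact 'xt_RTPENGINE|nft_rtpengine')"
```
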
The systemd package got a security update in Debian trixie, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d %F»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently supported Debian trixie
releases.
In addition for Debian trixie, a new enough Linux kernel is required
to benefit from the full security fix.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I89e6ff1d084403e6ae4b4eca6f5606b0d2417c01
The systemd package got a security update in Debian bookworm, which
changed the systemd-coredump kernel sysctl core_pattern value (by
appending « %d»). This is part of the fix for CVE-2025-4598.
This has caused ngcp-system-tests to fail to match the new pattern,
so we need to adapt it for all currently supported Debian bookworm
releases.
Ref: https://security-tracker.debian.org/tracker/CVE-2025-4598
Ref: 2eb46dce07
Change-Id: I531f197e47094321d688d425fb7f577b42fd7391
We should not repeat the loopback IP in case it appears in the
ha_int_ips. Use a dedicated array to track it, so that we can sort
and filter it.
The duplication has been present for a long time, but with newer goss,
it now fails.
Change-Id: I8f79551f74675607ba803605d8b83949dcf8a599
The key has been renamed in goss starting with the version in Debian
trixie, which now emits a warning such as:
  DEPRECATION WARNING: file.contains has been renamed to file.contents
We make the key usage conditional on the release version, where the old
value can be removed once trunk has been switched to trixie.
Change-Id: Ie6ccdd1090c63edbdf135e9260f37c197748ac53
This was in place during the period where trunk was built for both
bullseye and bookworm, which has not been the case for a long time,
and it is dead code now. Remove the old support.
Change-Id: Ic2c4e06a13d03ffa02b01687f2c534099f0e4959
Listing it first makes it easier to know that this is the one that we
need to preserve, and changing from the equality operator to a
greater-or-equal makes it explicit what the fallback case is about.
Change-Id: Ifb63f9cb1d88fec4c67b51502a88724a009d50e4
apt-key is gone as of apt version 2.9.17, so rely on apt-key
only for Debian bookworm, and instead use our own tooling to verify
the key situation on Debian/trixie (v13) and newer.
Migrate our existing checks from templates/140_apt-keys.yaml.tt2
to our new helper script helper/check-apt-keyrings, so we have one
single interface for all those checks.
FTR: the checksums of the sipwise-archive-2015.gpg +
sipwise-autobuilder-2011.gpg keyfiles differ between bookworm and
trixie, because of the way we generate them during package builds
(gnupg for bookworm vs. sequoia starting with trixie).
Situation on bookworm / trunk:
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
| 68A702B1FD8E422AAAA1ADA3773236EFF411A836
| uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>
| sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2011-06-06 [SC]
| F7B8A739CE638D719A078C9859104633EE5E097D
| uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com>
| sub rsa4096 2011-06-06 [E]
| root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| 811f878f5320fc8563a70b166d2c27ec060b4397ca021702f433bc4659336b9b /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| f00aad42a76ddec341fb2c67b45b41e2d1c19d67bd239196cd52488c4b7da4a0 /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
Situation on trixie / trunk:
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2015-03-05 [SC] [expires: 2029-10-12]
| 68A702B1FD8E422AAAA1ADA3773236EFF411A836
| uid Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>
| sub rsa4096 2015-03-05 [E] [expires: 2029-10-12]
| root@spce:~# gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| gpg: WARNING: no command supplied. Trying to guess what you mean ...
| pub rsa4096 2011-06-06 [SC]
| F7B8A739CE638D719A078C9859104633EE5E097D
| uid Sipwise autobuilder (Used to sign packages for autobuild) <development@sipwise.com>
| sub rsa4096 2011-06-06 [E]
|
| root@spce:~# sha256sum /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
| 88d92e09810a13b5e749839bca89029fbbe73cca261a3a26712a560cc7b50e47 /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg
| b64656d5f8fa0a636d46084bda74e16cef502d3d48e8ed101c6386ad8bbcacef /etc/apt/trusted.gpg.d/sipwise-autobuilder-2011.gpg
NOTE: Once we switch our /etc/apt/sources.list* setup to the
deb822.sources format (see sources.list(5) + deb822(5) for details), and
neither our ngcp-archive-keyring nor Debian's debian-archive-keyring
installs any files inside /etc/apt/trusted.gpg.d any longer, we can instead
check for empty /etc/apt/trusted.gpg.d + /etc/apt/keyrings and expected
files inside /usr/share/keyrings.
Change-Id: I0ef7e1d8f0684f94c1e6ae0499f85080cdcd690a
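
The commit above notes that the keyring files' SHA-256 sums differ between bookworm and trixie although the keys are the same. As an added example (not the project's helper/check-apt-keyrings, whose contents are not shown on this page), a check keyed on primary fingerprints parsed from `gpg --show-keys --with-colons` output does not depend on how the file was generated. Function names and the colon listings are constructed; the expected fingerprint is the one from the gpg output above.

```shell
#!/bin/sh
# Added example, not the project's helper/check-apt-keyrings.
# On a real system the listing would come from:
#   gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/sipwise-archive-2015.gpg

# Print the primary-key fingerprint of every key in a colon listing on stdin.
# A "pub" record starts a key and the next "fpr" record (field 10) is its
# fingerprint; "fpr" records that follow a "sub" record are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly the expected set of
# primary fingerprints: no key missing and no extra key present.
keyring_matches() {
    found=$(primary_fprs | sort | tr '\n' ' ')
    expected=$(printf '%s\n' "$@" | sort | tr '\n' ' ')
    [ "$found" = "$expected" ]
}

ARCHIVE_FPR=68A702B1FD8E422AAAA1ADA3773236EFF411A836  # from the gpg output above

# Constructed listing: timestamps and the subkey fingerprint are placeholders.
archive_listing() {
cat <<'EOF'
pub:-:4096:1:773236EFF411A836:1425513600:::-:::scESC::::::23::0:
fpr:::::::::68A702B1FD8E422AAAA1ADA3773236EFF411A836:
uid:-::::1425513600::::Sipwise GmbH (Sipwise Repository Key) <support@sipwise.com>::::::::::0:
sub:-:4096:1:0000000000000001:1425513600::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}

# Same listing with an unexpected extra key appended (constructed).
tampered_listing() {
    archive_listing
    printf 'pub:-:4096:1:00000000000000FF:0:::-:::scESC::::::23::0:\n'
    printf 'fpr:::::::::%s:\n' 00000000000000000000000000000000000000FF
}

archive_listing  | keyring_matches "$ARCHIVE_FPR" && echo "archive keyring: ok"
tampered_listing | keyring_matches "$ARCHIVE_FPR" || echo "tampered keyring: rejected"
```
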
Switch the main key/value service to use the database.key_value.flavor.
Add explicit support for valkey directories and user/group.
Change-Id: Idd21565e66c940c564045ebd02dd148ad3562e9e
There is a more complete check that should already handle the case this
instance was covering, with a non-empty license-key.
This was causing the following parse failure with the new goss version
from Debian trixie:
,---
Error: could not read json data in /etc/ngcp-system-tests/510_init-daemons-ngcp.yaml: yaml: unmarshal errors:
line 115: mapping key "ngcp-license-client.service" already defined at line 31
`---
Reported-by: goss 0.4.9
Change-Id: I7323fbd80e2b13d0bcc280210bdb8010b910c5f1
Fixes:
| Error: could not read json data in /etc/ngcp-system-tests/900_service-ngcp-api.yaml: yaml: unmarshal errors:
| line 61: mapping key "curl --insecure -L http://192.168.211.210/" already defined at line 4
| line 68: mapping key "curl --insecure -L https://192.168.211.210/" already defined at line 11
Merge the identical curl command lines into one single test.
This is being detected by new goss versions from Debian trixie as
errors, and causing the entire ngcp-system-tests run to fail.
Change-Id: If9fb68dd182891ae742a4af07ebe259d914c3c91
These share the same ports depending on the role of the current node, so
to avoid emitting the same duplicate port entries we should turn these
into cascading if/elif.
This is being detected by new goss versions from Debian trixie as
errors, and causing the entire ngcp-system-tests run to fail.
Change-Id: I2898f623e87867a03ef6cfb728a90631f53ffae7
For services we use an «enable» key to select whether to enable or
disable a service. The «start» key is unusual and has already caused a
wrong usage in templates in the past. Rename them for uniformity with
the rest of the key naming conventions used.
For DHCP address ranges, namespace the «start» key (alongside «end» and
«lease» renamed from «expire») into a new addr_range map, so that it's
obvious this is not about starting the service, but about the
aforementioned address range setting.
Change-Id: Icff25a273358e69881cc54ccdd9be39a27c5c526
Add checks for stock services that were previously omitted. This makes
sure we can spot any possible regression in the set of listening
addresses.
This includes dnsmasq and nginx ports.
Change-Id: I9a9041cf97df511f4801941e932e97baa797a348
We only support keydb now, and the config knob and migration script
have been removed. Hardcode keydb for the redis flavor we intend to
use, and add checks to make sure the redis service is not running nor
enabled anymore.
Change-Id: I1a9ecb7e26346cd23618b464a7f5f420d5ab7263
There's currently a divergence between CE and PRO, where web_int is not
set up by default as a role for the loopback interface on CE systems. We
should thus for now not expect NGINX to be listening there, for the
NGCP Panel admin and csc ports.
In the future we should probably unify this behavior and make CE behave
the same as a PRO, because this seems like a gratuitous divergence.
Fixes: commit d0d8c1eb10
Change-Id: Ib65b9dcf94a34b416d59aad93e19d88cf5a6469c
Add IPv6 entries for services for which we are currently checking their
IPv4 listening addresses. This makes sure we check for these addresses
and that we do not regress in case other components rely on being able
to access these services through these addresses.
Change-Id: Ifa73e594d8cce862af77317ea88cea5c564dd1c6
These services also listen on the localhost and any address. Add these
explicitly as we might have other components relying on being able
to access these services through them.
Change-Id: I6d234620847ccc88f2c709a20692c6d5b7174229
We switched from heartbeat-2 to corosync/pacemaker long ago, and these
checks that were in place for a transitory period to make sure no odd
services were running when not expected, no longer serve much of a
purpose.
Change-Id: I8be3252278a5876f1a6ac89da0ade3fb63b01a18
We have removed InfluxDB support long ago, and there's been enough time
to clean up any systems involved. Remove these checks that no longer
serve any purpose.
Change-Id: I6de535f0dd571d7d8d006eecd66cb31ff6661db6
As of git rev 511e1f69cc91 in templates (see "MT#58452 monit: Use a Unix socket for the httpd control access"),
monit no longer listens on port 2812 but uses a Unix socket instead.
Fixes:
| not ok 848 - Port: tcp:2812: listening: doesn't match, expect: [true] found: [false]
Change-Id: I9b16aac2ebbf14defdd2713f72c7362ab21d43b8
On a CE the general.process_handler is always set to 'none'. So we need
to take this into account and mark it as enabled.
Change-Id: Id1347ac027412861a1319a95d1537aaeb778bf6a
The rate-o-mat service can run in active-active or in active-standby
modes. If the service is enabled and on the proxy nodes, the former
mode means the service will be enabled and running on both peers, the
latter will mean it's in the traditional HA mode and thus only running
on the active node.
Change-Id: I020c8a00706135ed5d432bf8b1b8874cf1b2f532
The openssh-server Debian package no longer uses the "ssh" group,
but renamed it to "_ssh" (see git rev 18da782e in
https://salsa.debian.org/ssh-team/openssh.git + Debian's #990456), which
was shipped starting with v1:8.4p1-6.
Debian/bookworm currently ships openssh-server v1:9.0p1-1+b2,
so adjust tests accordingly.
Change-Id: I4f75e94ac32ce9d06a4bc9991fa62b73086e4f45
It's a frequent error after upgrade that this file is missing.
It happens because right after reboot there is no such file and it's not
created by logrotate because we use the missingok, notifempty options for
it.
So make it optional.
Change-Id: I4ee18e8ba5e93d19e4b80fd3fcf8197d144f1ea3
grep 3.8 deprecated support for egrep + fgrep, and now prints a warning on stderr:
| egrep: warning: egrep is obsolescent; using grep -E
| fgrep: warning: fgrep is obsolescent; using grep -F
Change-Id: Iae561f2dc592a24359832a80fde4d6d7cfea97d0
The old obsolete metrics got removed in commit
8a99fc1809, but these had been replaced by
newer entries in the sipTable. Use those so that we can keep detecting
regressions or misbehavior.
Change-Id: I41c21f7dd47bb5f9a6a584672836c9dd5c176380
These OIDs had been obsoleted for a while and have now been removed in
Iddf81e4fcfd1e6bac0c478c01074ab220a49c96a.
Change-Id: Ib88d965495609ed2766639975280bc16bf45aa6b
These are now conditional on a config knob. We should not expect them to
be present if they are disabled.
Change-Id: I2ebc68db597db0fbccf9f990ceab101589a8e914
The configuration files specific to the ngcpcfg tool should not be
mixed with the site specific configuration, as that's rather confusing,
more so when the actual ngcpcfg configuration contains references to the
location of the ngcp-config dir itself, which makes it self-referential.
Change-Id: I25bee17e69e9c302d40b1bb55f73a1e88e505a8d
We check that when the pathname exists it is a symlink. We will perform
further consistency checks from «ngcpcfg check».
Change-Id: I3850d9cf23fd77b926d08ae47a6969cac1790cf0