[DPE-4731] Fix folder permissions in snap #227
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Test | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
on: | |
workflow_call: | |
pull_request: | |
jobs: | |
build: | |
name: Build Snap | |
runs-on: ubuntu-latest | |
timeout-minutes: 60 | |
outputs: | |
snap-file: ${{ steps.build-snap.outputs.snap }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Install required dependencies | |
run: | | |
sudo snap install yq | |
- name: Upgrade linux deps | |
run: | | |
sudo apt-get update | |
# install security updates | |
sudo apt-get -s dist-upgrade \ | |
| grep "^Inst" \ | |
| grep -i securi \ | |
| awk -F " " {'print $2'} \ | |
| xargs sudo apt-get install -y | |
sudo apt-get autoremove -y | |
sudo apt-get clean -y | |
sudo snap refresh snapd | |
- id: build-snap | |
name: Build snap | |
uses: snapcore/action-build@v1 | |
with: | |
snapcraft-channel: 7.x/candidate | |
- name: Upload built snap job artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: opensearch_snap_amd64 | |
path: "opensearch_*.snap" | |
test: | |
name: Test Snap | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
needs: | |
- build | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Upgrade snapd | |
run: | | |
sudo snap refresh snapd | |
- name: Download snap file | |
uses: actions/download-artifact@v3 | |
with: | |
name: opensearch_snap_amd64 | |
path: . | |
- name: Install snap file | |
run: | | |
version="$(cat snap/snapcraft.yaml | yq .version)" | |
sudo snap remove --purge opensearch | |
sudo snap install opensearch_${version}_amd64.snap --dangerous --jailmode | |
- name: Setup the required system configs | |
run: | | |
sudo sysctl -w vm.swappiness=0 | |
sudo sysctl -w vm.max_map_count=262144 | |
sudo sysctl -w net.ipv4.tcp_retries2=5 | |
- name: Connect required interfaces | |
run: | | |
sudo snap connect opensearch:log-observe | |
sudo snap connect opensearch:mount-observe | |
sudo snap connect opensearch:process-control | |
sudo snap connect opensearch:system-observe | |
sudo snap connect opensearch:sys-fs-cgroup-service | |
sudo snap connect opensearch:shmem-perf-analyzer | |
- name: Setup and Start OpenSearch | |
run: | | |
# create the certificates | |
sudo snap run opensearch.setup \ | |
--node-name cm0 \ | |
--node-roles cluster_manager,data \ | |
--tls-priv-key-root-pass root1234 \ | |
--tls-priv-key-admin-pass admin1234 \ | |
--tls-priv-key-node-pass node1234 \ | |
--tls-init-setup yes # this creates the root and admin certs as well. | |
# start opensearch | |
sudo snap start opensearch.daemon | |
# wait a bit for it to fully initialize | |
sleep 40s | |
# create the security index | |
sudo snap run opensearch.security-init --tls-priv-key-admin-pass=admin1234 | |
sleep 15s | |
- name: Ensure the cluster is reachable and node created | |
run: | | |
sudo snap install yq | |
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./ | |
cert=./node-cm0.pem | |
# Check node name | |
cluster_resp=$(curl --cacert ${cert} -XGET https://localhost:9200 -u 'admin:admin') | |
echo -e "Cluster Response: \n ${cluster_resp}" | |
node_name=$(echo "${cluster_resp}" | yq -r .name) | |
if [ "${node_name}" != "cm0" ]; then | |
exit 1 | |
fi | |
# Check cluster health | |
health_resp=$(curl --cacert "${cert}" -XGET https://localhost:9200/_cluster/health -u 'admin:admin') | |
echo -e "Cluster Health Response: \n ${health_resp}" | |
cluster_status=$(echo "${health_resp}" | yq -r .status) | |
# TODO: once this https://github.com/opensearch-project/OpenSearch/issues/8862 is fixed | |
# replace the following condition by "${cluster_status}" != "green" | |
if [ "${cluster_status}" == "red" ]; then | |
curl --cacert ${cert} -XGET https://localhost:9200/_cat/shards -u 'admin:admin' | |
exit 1 | |
fi | |
- name: Check if Prometheus Exporter and repository plugins are available | |
env: | |
OPENSEARCH_JAVA_HOME: /snap/opensearch/current/usr/lib/jvm/java-21-openjdk-amd64 | |
OPENSEARCH_BIN: /snap/opensearch/current/usr/share/opensearch/bin | |
OPENSEARCH_PATH_CONF: /var/snap/opensearch/current/etc/opensearch | |
OPENSEARCH_HOME: /var/snap/opensearch/current/usr/share/opensearch | |
OPENSEARCH_LIB: /var/snap/opensearch/current/usr/share/opensearch/lib | |
OPENSEARCH_PATH_CERTS: /var/snap/opensearch/current/etc/opensearch/certificates | |
run: | | |
# Prometheus Exporter appears in plugins listing | |
prometheus_is_there=$(sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin list | grep prometheus-exporter) | |
if [ ! "$prometheus_is_there" ]; then | |
exit 1 | |
fi | |
# repository-s3 appears in plugins listing | |
repository_s3_is_there=$(sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin list | grep repository-s3) | |
if [ ! "$repository_s3_is_there" ]; then | |
exit 1 | |
fi | |
# repository-gcs appears in plugins listing | |
repository_gcs_is_there=$(sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin list | grep repository-gcs) | |
if [ ! "$repository_gcs_is_there" ]; then | |
exit 1 | |
fi | |
# Prometheus exporter can be queried | |
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./ | |
cert=./node-cm0.pem | |
resp=$(curl -I --cacert ${cert} -XGET https://localhost:9200/_prometheus/metrics -u 'admin:admin') | |
if [[ "$resp" != *"200 OK"* ]]; then | |
exit 1 | |
fi | |
# Checking that Prometheus configuration is correct | |
prometheus_lines=$(sudo grep prometheus ${OPENSEARCH_PATH_CONF}/opensearch.yml | wc -l) | |
if [ "$prometheus_lines" != "4" ]; then | |
exit 1 | |
fi | |
- name: Check COS logs slot is available | |
run: | | |
snap_slot=$( sudo snap connections opensearch | grep content ) | |
if [ ! "$snap_slot" ]; then | |
exit 1 | |
fi | |
- name: Configure backup plugin | |
env: | |
OPENSEARCH_JAVA_HOME: /snap/opensearch/current/usr/lib/jvm/java-21-openjdk-amd64 | |
OPENSEARCH_BIN: /snap/opensearch/current/usr/share/opensearch/bin | |
OPENSEARCH_PATH_CONF: /var/snap/opensearch/current/etc/opensearch | |
OPENSEARCH_HOME: /var/snap/opensearch/current/usr/share/opensearch | |
OPENSEARCH_LIB: /var/snap/opensearch/current/usr/share/opensearch/lib | |
OPENSEARCH_PATH_CERTS: /var/snap/opensearch/current/etc/opensearch/certificates | |
run: | | |
echo "TEST" | sudo tee -a testkey | |
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore add-file s3.client.default.access_key ${PWD}/testkey | |
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore add-file s3.client.default.secret_key ${PWD}/testkey | |
sudo snap restart opensearch.daemon | |
sleep 20s | |
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./ | |
cert=./node-cm0.pem | |
cluster_resp=$(curl --cacert ${cert} -XGET https://localhost:9200 -u 'admin:admin') | |
echo -e "Cluster Response: \n ${cluster_resp}" | |
node_name=$(echo "${cluster_resp}" | yq -r .name) | |
if [ "${node_name}" != "cm0" ]; then | |
exit 1 | |
fi | |
- name: Upgrade snap | |
run: | | |
version="$(cat snap/snapcraft.yaml | yq .version)" | |
sudo snap install opensearch_${version}_amd64.snap --dangerous --jailmode | |
if [ "$(ls /var/snap/opensearch/x2)" ]; then | |
echo "Snap upgraded." | |
else | |
exit 1 | |
fi | |
- name: Ensure the cluster is reachable and node created after upgrade | |
run: | | |
# start opensearch after upgrade | |
sudo snap restart opensearch.daemon | |
# Give some time for the service to come back up | |
sleep 20s | |
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./ | |
cert=./node-cm0.pem | |
# Check node name | |
cluster_resp=$(curl --cacert ${cert} -XGET https://localhost:9200 -u 'admin:admin') | |
echo -e "Cluster Response: \n ${cluster_resp}" | |
node_name=$(echo "${cluster_resp}" | yq -r .name) | |
if [ "${node_name}" != "cm0" ]; then | |
exit 1 | |
fi | |
# Check cluster health | |
health_resp=$(curl --cacert ${cert} -XGET https://localhost:9200/_cluster/health -u 'admin:admin') | |
echo -e "Cluster Health Response: \n ${health_resp}" | |
# TODO: once this https://github.com/opensearch-project/OpenSearch/issues/8862 is fixed | |
# replace the following condition by "${cluster_status}" != "green" | |
if [ "${cluster_status}" == "red" ]; then | |
curl --cacert ${cert} -XGET https://localhost:9200/_cat/shards -u 'admin:admin' | |
exit 1 | |
fi | |
- name: Remove backup plugin | |
env: | |
OPENSEARCH_JAVA_HOME: /snap/opensearch/current/usr/lib/jvm/java-21-openjdk-amd64 | |
OPENSEARCH_BIN: /snap/opensearch/current/usr/share/opensearch/bin | |
OPENSEARCH_PATH_CONF: /var/snap/opensearch/current/etc/opensearch | |
OPENSEARCH_HOME: /var/snap/opensearch/current/usr/share/opensearch | |
OPENSEARCH_LIB: /var/snap/opensearch/current/usr/share/opensearch/lib | |
OPENSEARCH_PATH_CERTS: /var/snap/opensearch/current/etc/opensearch/certificates | |
run: | | |
sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin remove repository-s3 | |
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore remove s3.client.default.access_key | |
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore remove s3.client.default.secret_key |