-
Notifications
You must be signed in to change notification settings - Fork 8
269 lines (228 loc) · 10.1 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
name: Build and Test
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
workflow_call:
pull_request:
jobs:
build:
name: Build Snap
runs-on: ubuntu-latest
timeout-minutes: 60
outputs:
snap-file: ${{ steps.build-snap.outputs.snap }}
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install required dependencies
run: |
sudo snap install yq
- name: Upgrade linux deps
run: |
sudo apt-get update
# install security updates
sudo apt-get -s dist-upgrade \
| grep "^Inst" \
| grep -i securi \
| awk -F " " {'print $2'} \
| xargs sudo apt-get install -y
sudo apt-get autoremove -y
sudo apt-get clean -y
sudo snap refresh snapd
- id: build-snap
name: Build snap
uses: snapcore/action-build@v1
with:
snapcraft-channel: 7.x/candidate
- name: Upload built snap job artifact
uses: actions/upload-artifact@v3
with:
name: opensearch_snap_amd64
path: "opensearch_*.snap"
test:
name: Test Snap
runs-on: ubuntu-latest
timeout-minutes: 15
needs:
- build
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Upgrade snapd
run: |
sudo snap refresh snapd
- name: Download snap file
uses: actions/download-artifact@v3
with:
name: opensearch_snap_amd64
path: .
- name: Install snap file
run: |
version="$(cat snap/snapcraft.yaml | yq .version)"
sudo snap remove --purge opensearch
sudo snap install opensearch_${version}_amd64.snap --dangerous --jailmode
- name: Setup the required system configs
run: |
sudo sysctl -w vm.swappiness=0
sudo sysctl -w vm.max_map_count=262144
sudo sysctl -w net.ipv4.tcp_retries2=5
- name: Connect required interfaces
run: |
sudo snap connect opensearch:log-observe
sudo snap connect opensearch:mount-observe
sudo snap connect opensearch:process-control
sudo snap connect opensearch:system-observe
sudo snap connect opensearch:sys-fs-cgroup-service
sudo snap connect opensearch:shmem-perf-analyzer
- name: Setup and Start OpenSearch
run: |
# create the certificates
sudo snap run opensearch.setup \
--node-name cm0 \
--node-roles cluster_manager,data \
--tls-priv-key-root-pass root1234 \
--tls-priv-key-admin-pass admin1234 \
--tls-priv-key-node-pass node1234 \
--tls-init-setup yes # this creates the root and admin certs as well.
# start opensearch
sudo snap start opensearch.daemon
# wait a bit for it to fully initialize
sleep 15s
# create the security index
sudo snap run opensearch.security-init --tls-priv-key-admin-pass=admin1234
- name: Ensure the cluster is reachable and node created
run: |
sudo snap install yq
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./
cert=./node-cm0.pem
# Check node name
cluster_resp=$(curl --cacert ${cert} -XGET https://localhost:9200 -u 'admin:admin')
echo -e "Cluster Response: \n ${cluster_resp}"
node_name=$(echo "${cluster_resp}" | yq -r .name)
if [ "${node_name}" != "cm0" ]; then
exit 1
fi
# Check cluster health
health_resp=$(curl --cacert "${cert}" -XGET https://localhost:9200/_cluster/health -u 'admin:admin')
echo -e "Cluster Health Response: \n ${health_resp}"
cluster_status=$(echo "${health_resp}" | yq -r .status)
# TODO: once this https://github.com/opensearch-project/OpenSearch/issues/8862 is fixed
# replace the following condition by "${cluster_status}" != "green"
if [ "${cluster_status}" == "red" ]; then
curl --cacert ${cert} -XGET https://localhost:9200/_cat/shards -u 'admin:admin'
exit 1
fi
- name: Check if Prometheus Exporter and repository plugins are available
env:
OPENSEARCH_JAVA_HOME: /snap/opensearch/current/usr/lib/jvm/java-17-openjdk-amd64
OPENSEARCH_BIN: /snap/opensearch/current/usr/share/opensearch/bin
OPENSEARCH_PATH_CONF: /var/snap/opensearch/current/etc/opensearch
OPENSEARCH_HOME: /var/snap/opensearch/current/usr/share/opensearch
OPENSEARCH_LIB: /var/snap/opensearch/current/usr/share/opensearch/lib
OPENSEARCH_PATH_CERTS: /var/snap/opensearch/current/etc/opensearch/certificates
run: |
# Prometheus Exporter appears in plugins listing
prometheus_is_there=$(sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin list | grep prometheus-exporter)
if [ ! "$prometheus_is_there" ]; then
exit 1
fi
# repository-s3 appears in plugins listing
repository_s3_is_there=$(sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin list | grep repository-s3)
if [ ! "$repository_s3_is_there" ]; then
exit 1
fi
# repository-gcs appears in plugins listing
repository_gcs_is_there=$(sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin list | grep repository-gcs)
if [ ! "$repository_gcs_is_there" ]; then
exit 1
fi
# Prometheus exporter can be queried
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./
cert=./node-cm0.pem
resp=$(curl -I --cacert ${cert} -XGET https://localhost:9200/_prometheus/metrics -u 'admin:admin')
if [[ "$resp" != *"200 OK"* ]]; then
exit 1
fi
# Checking that Prometheus configuration is correct
prometheus_lines=$(sudo grep prometheus ${OPENSEARCH_PATH_CONF}/opensearch.yml | wc -l)
if [ "$prometheus_lines" != "4" ]; then
exit 1
fi
- name: Check COS logs slot is available
run: |
snap_slot=$( sudo snap connections opensearch | grep content )
if [ ! "$snap_slot" ]; then
exit 1
fi
- name: Configure backup plugin
env:
OPENSEARCH_JAVA_HOME: /snap/opensearch/current/usr/lib/jvm/java-17-openjdk-amd64
OPENSEARCH_BIN: /snap/opensearch/current/usr/share/opensearch/bin
OPENSEARCH_PATH_CONF: /var/snap/opensearch/current/etc/opensearch
OPENSEARCH_HOME: /var/snap/opensearch/current/usr/share/opensearch
OPENSEARCH_LIB: /var/snap/opensearch/current/usr/share/opensearch/lib
OPENSEARCH_PATH_CERTS: /var/snap/opensearch/current/etc/opensearch/certificates
run: |
echo "TEST" | sudo tee -a testkey
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore add-file s3.client.default.access_key ${PWD}/testkey
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore add-file s3.client.default.secret_key ${PWD}/testkey
sudo snap restart opensearch.daemon
sleep 20s
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./
cert=./node-cm0.pem
cluster_resp=$(curl --cacert ${cert} -XGET https://localhost:9200 -u 'admin:admin')
echo -e "Cluster Response: \n ${cluster_resp}"
node_name=$(echo "${cluster_resp}" | yq -r .name)
if [ "${node_name}" != "cm0" ]; then
exit 1
fi
- name: Upgrade snap
run: |
version="$(cat snap/snapcraft.yaml | yq .version)"
sudo snap install opensearch_${version}_amd64.snap --dangerous --jailmode
if [ "$(ls /var/snap/opensearch/x2)" ]; then
echo "Snap upgraded."
else
exit 1
fi
- name: Ensure the cluster is reachable and node created after upgrade
run: |
# start opensearch after upgrade
sudo snap restart opensearch.daemon
# Give some time for the service to come back up
sleep 20s
sudo cp /var/snap/opensearch/current/etc/opensearch/certificates/node-cm0.pem ./
cert=./node-cm0.pem
# Check node name
cluster_resp=$(curl --cacert ${cert} -XGET https://localhost:9200 -u 'admin:admin')
echo -e "Cluster Response: \n ${cluster_resp}"
node_name=$(echo "${cluster_resp}" | yq -r .name)
if [ "${node_name}" != "cm0" ]; then
exit 1
fi
# Check cluster health
health_resp=$(curl --cacert ${cert} -XGET https://localhost:9200/_cluster/health -u 'admin:admin')
echo -e "Cluster Health Response: \n ${health_resp}"
# TODO: once this https://github.com/opensearch-project/OpenSearch/issues/8862 is fixed
# replace the following condition by "${cluster_status}" != "green"
if [ "${cluster_status}" == "red" ]; then
curl --cacert ${cert} -XGET https://localhost:9200/_cat/shards -u 'admin:admin'
exit 1
fi
- name: Remove backup plugin
env:
OPENSEARCH_JAVA_HOME: /snap/opensearch/current/usr/lib/jvm/java-17-openjdk-amd64
OPENSEARCH_BIN: /snap/opensearch/current/usr/share/opensearch/bin
OPENSEARCH_PATH_CONF: /var/snap/opensearch/current/etc/opensearch
OPENSEARCH_HOME: /var/snap/opensearch/current/usr/share/opensearch
OPENSEARCH_LIB: /var/snap/opensearch/current/usr/share/opensearch/lib
OPENSEARCH_PATH_CERTS: /var/snap/opensearch/current/etc/opensearch/certificates
run: |
sudo -E "${OPENSEARCH_BIN}"/opensearch-plugin remove repository-s3
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore remove s3.client.default.access_key
sudo -E "${OPENSEARCH_BIN}"/opensearch-keystore remove s3.client.default.secret_key