cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/docs/docsite/rst/dev_guide/testing_integration.rst
Will Thames 316e7939d6 [cloud] Improve aws testing and use {{ region }} var (#26892) 
* Protect AWS credentials from accidental commits

* Improve documentation for IAM policies

* Update ELB tests to be multi region

Allow AZs to reflect the region in which the tests are run.

This will not work for regions with fewer than three AZs,
but those are relatively rare
2017-11-09 11:56:31 -05:00

9.8 KiB
Raw Blame History

Integration tests

Topics

The Ansible integration Test system.

Tests for playbooks, by playbooks.

Some tests may require credentials. Credentials may be specified with credentials.yml.

Some tests may require root.

Quick Start

It is highly recommended that you install and activate the argcomplete python package. It provides tab completion in bash for the ansible-test test runner.

Configuration

Making your own version of integration_config.yml can allow for setting some tunable parameters to help run the tests better in your environment. Some tests (e.g. cloud) will only run when access credentials are provided. For more information about supported credentials, refer to credentials.template.

Prerequisites

The tests will assume things like hg, svn, and git are installed and in path. Some tests (such as those for Amazon Web Services) need separate definitions, which will be covered later in this document.

(Complete list pending)

Non-destructive Tests

These tests will modify files in subdirectories, but will not do things that install or remove packages or things outside of those test subdirectories. They will also not reconfigure or bounce system services.

Note

Running integration tests within Docker

To protect your system from any potential changes caused by integration tests, and to ensure the a sensible set of dependencies are available we recommend that you always run integration tests with the --docker option. See the list of supported docker images for options.

Note

Avoiding pulling new Docker images

Use the --docker-no-pull option to avoid pulling the latest container image. This is required when using custom local images that are not available for download.

Run as follows for all POSIX platform tests executed by our CI system:

test/runner/ansible-test integration --docker fedora25 -v posix/ci/

You can select specific tests as well, such as for individual modules:

test/runner/ansible-test integration -v ping

By installing argcomplete you can obtain a full list by doing:

test/runner/ansible-test integration <tab><tab>

Destructive Tests

These tests are allowed to install and remove some trivial packages. You will likely want to devote these to a virtual environment, such as Docker. They won't reformat your filesystem:

test/runner/ansible-test integration --docker fedora25 -v destructive/

Windows Tests

These tests exercise the winrm connection plugin and Windows modules. You'll need to define an inventory with a remote Windows 2008 or 2012 Server to use for testing, and enable PowerShell Remoting to continue.

Running these tests may result in changes to your Windows host, so don't run them against a production/critical Windows environment.

Enable PowerShell Remoting (run on the Windows host via Remote Desktop):

Enable-PSRemoting -Force

Define Windows inventory:

cp inventory.winrm.template inventory.winrm
${EDITOR:-vi} inventory.winrm

Run the Windows tests executed by our CI system:

test/runner/ansible-test windows-integration -v windows/ci/

Tests in Docker containers

If you have a Linux system with Docker installed, running integration tests using the same Docker containers used by the Ansible continuous integration (CI) system is recommended.

Note

Docker on non-Linux

Using Docker Engine to run Docker on a non-Linux host (such as macOS) is not recommended. Some tests may fail, depending on the image used for testing. Using the --docker-privileged option may resolve the issue.

Running Integration Tests

To run all CI integration test targets for POSIX platforms in a Ubuntu 16.04 container:

test/runner/ansible-test integration -v posix/ci/ --docker

You can also run specific tests or select a different Linux distribution. For example, to run tests for the ping module on a Ubuntu 14.04 container:

test/runner/ansible-test integration -v ping --docker ubuntu1404

Container Images

Python 2

Most container images are for testing with Python 2:

  • centos6
  • centos7
  • fedora24
  • fedora25
  • opensuse42.1
  • opensuse42.2
  • ubuntu1204
  • ubuntu1404
  • ubuntu1604

Python 3

To test with Python 3 use the following images:

  • ubuntu1604py3

Legacy Cloud Tests

Some of the cloud tests run as normal integration tests, and others run as legacy tests; see the testing_integration_legacy page for more information.

Other configuration for Cloud Tests

In order to run some tests, you must provide access credentials in a file named cloud-config-aws.yml or cloud-config-cs.ini in the test/integration directory. Corresponding .template files are available for for syntax help. The newer AWS tests now use the file test/integration/cloud-config-aws.yml

IAM policies for AWS

Ansible needs fairly wide ranging powers to run the tests in an AWS account. This rights can be provided to a dedicated user. These need to be configured before running the test.

testing-policies

hacking/aws_config/testing_policies contains a set of policies that are required for all existing AWS module tests. The hacking/aws_config/setup_iam.yml playbook can be used to add all of those policies to an IAM group (using -e iam_group=GROUP_NAME. Once the group is created, you'll need to create a user and make the user a member of the group. The policies are designed to minimize the rights of that user. Please note that while this policy does limit the user to one region, this does not fully restrict the user (primarily due to the limitations of the Amazon ARN notation). The user will still have wide privileges for viewing account definitions, and will also able to manage some resources that are not related to testing (for example, AWS lambdas with different names). Tests should not be run in a primary production account in any case.

Other Definitions required

Apart from installing the policy and giving it to the user identity running the tests, a lambda role ansible_integration_tests has to be created which has lambda basic execution privileges.

Network Tests

This page details the specifics around testing Ansible Networking modules.

Important

Network testing requirements for Ansible 2.4

Starting with Ansible 2.4, all network modules MUST include corresponding unit tests to defend functionality. The unit tests must be added in the same PR that includes the new network module, or extends functionality. Integration tests, although not required, are a welcome addition. How to do this is explained in the rest of this document.

Network integration tests can be ran by doing:

cd test/integration
ANSIBLE_ROLES_PATH=targets ansible-playbook network-all.yaml

Note

  • To run the network tests you will need a number of test machines and suitably configured inventory file. A sample is included in test/integration/inventory.network
  • As with the rest of the integration tests, they can be found grouped by module in test/integration/targets/MODULENAME/

To filter a set of test cases set limit_to to the name of the group, generally this is the name of the module:

ANSIBLE_ROLES_PATH=targets ansible-playbook -i inventory.network network-all.yaml -e "limit_to=eos_command"

To filter a singular test case set the tags options to eapi or cli, set limit_to to the test group, and test_cases to the name of the test:

ANSIBLE_ROLES_PATH=targets ansible-playbook -i inventory.network network-all.yaml --tags="cli" -e "limit_to=eos_command test_case=notequal"

Writing network integration tests

Test cases are added to roles based on the module being testing. Test cases should include both cli and API test cases. Cli test cases should be added to test/integration/targets/modulename/tests/cli and API tests should be added to test/integration/targets/modulename/tests/eapi, or nxapi.

In addition to positive testing, negative tests are required to ensure user friendly warnings & errors are generated, rather than backtraces, for example:

  • name: test invalid subset (foobar) eos_facts: provider: "{{ cli }}" gather_subset: - "foobar" register: result ignore_errors: true
  • assert:
    that:
    # Failures shouldn't return changes - "result.changed == false" # It's a failure - "result.failed == true" # Sensible Failure message
    • "'Subset must be one of' in result.msg"

Conventions

  • Each test case should generally follow the pattern:

    setup —> test —> assert —> test again (idempotent) —> assert —> teardown (if needed) -> done

    This keeps test playbooks from becoming monolithic and difficult to troubleshoot.

  • Include a name for each task that is not an assertion. (It's OK to add names to assertions too. But to make it easy to identify the broken task within a failed test, at least provide a helpful name for each task.)

  • Files containing test cases must end in .yaml

Adding a new Network Platform

A top level playbook is required such as ansible/test/integration/eos.yaml which needs to be references by ansible/test/integration/network-all.yaml

Where to find out more

If you'd like to know more about the plans for improving testing Ansible then why not join the Testing Working Group.