Merge ~gabrielcocenza/juju-lint:subordinate-docs into juju-lint:master
- Git
- lp:~gabrielcocenza/juju-lint
- subordinate-docs
- Merge into master
Proposed by
Gabriel Cocenza
Status: | Work in progress |
---|---|
Proposed branch: | ~gabrielcocenza/juju-lint:subordinate-docs |
Merge into: | juju-lint:master |
Prerequisite: | ~gabrielcocenza/juju-lint:bug/1965762 |
Diff against target: |
301 lines (+212/-37) 3 files modified
README.md (+18/-37) docs/space-checks.md (+31/-0) docs/subordinates.md (+163/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Juju Lint maintainers | Pending | ||
Review via email: mp+423708@code.launchpad.net |
Commit message
Update documentation
Co-authored-by: Arif Ali <email address hidden>
Description of the change
To post a comment you must log in.
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : | # |
Unmerged commits
- 305a860... by Gabriel Cocenza
-
Update documentation
Co-authored-by: Arif Ali <email address hidden>
- 8419d92... by Gabriel Cocenza
-
check if subordinate units are related with other apps in the bundle.
- added new rules (check-relations and enforce-juju-info) into the
subordinate rules file.
- added nrpe in the conftest to test subordinate relation rules.
- added description for tests that were missing and failing lint.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | diff --git a/README.md b/README.md |
2 | index a99f87c..8a0ba50 100644 |
3 | --- a/README.md |
4 | +++ b/README.md |
5 | @@ -1,6 +1,11 @@ |
6 | -= Juju Lint = |
7 | +# Juju Lint |
8 | |
9 | -== Introduction == |
10 | +## Install |
11 | +```shell |
12 | +sudo snap install juju-lint --classic |
13 | +``` |
14 | + |
15 | +## Introduction |
16 | |
17 | This is intended to be run against a yaml or json dump of Juju status, a YAML |
18 | dump of a juju bundle, or a remote cloud or clouds via SSH. |
19 | @@ -39,7 +44,7 @@ To use a different rules file: |
20 | |
21 | For all other options, consult `juju-lint --help` |
22 | |
23 | -== Example == |
24 | +## Example |
25 | |
26 | A typical use case is linting an openstack cloud: |
27 | |
28 | @@ -49,56 +54,32 @@ A typical use case is linting an openstack cloud: |
29 | -t openstack juju-status.json |
30 | juju-lint -c /snap/juju-lint/current/contrib/openstack-focal-ovn.yaml \ |
31 | -t openstack bundle.yaml |
32 | - |
33 | -== Rules File == |
34 | +## Rules File |
35 | |
36 | For an example of a rules file, see `example-lint-rules.yaml`. |
37 | |
38 | Supported top-level options for your rules file: |
39 | |
40 | - 1. `subordinates` - required subordinates. |
41 | + 1. [subordinates](docs/subordinates.md) - required subordinates. |
42 | 2. `known charms` - all primary charms should be in this list. |
43 | 3. `operations [mandatory|optional|subordinate]` |
44 | 4. `openstack [mandatory|optional|subordinate]` |
45 | 5. `config` - application configuration auditing |
46 | 6. `[openstack|kubernetes] config` - config auditing for specific cloud types. |
47 | - 7. `space checks` - enforce/ignore checks for relation binding space |
48 | + 7. [space checks](docs/space-checks.md) - enforce/ignore checks for relation binding space |
49 | mismatches. |
50 | 8. `!include <relative path>` - Extension to yaml to include files. |
51 | |
52 | -=== Space checks === |
53 | - |
54 | -All relations defined within a bundle, except for cross-model relationships, |
55 | -will be checked for mismatches of their space bindings. |
56 | - |
57 | -By default, mismatches are logged as warnings as they are not necessarily |
58 | -critical problems. If applications can route to each other despite the |
59 | -mismatch, there may be no real issue here, and it may be appropriate to ignore |
60 | -certain issues. On the other hand, these mismatches may cause problems ranging |
61 | -from impaired throughput due to using suboptimal interfaces to breakages due to |
62 | -not being able to route between the related units. |
63 | - |
64 | -The following options are available to either log such mismatches as errors or |
65 | -to ignore them entirely: |
66 | - |
67 | - 1. `enforce endpoints` - A list of <charm>:<endpoint> strings. If a mismatch |
68 | - matches one of these endpoints, it will be flagged as an error. |
69 | - 2. `enforce relations` - A list of two-item <charm>:<endpoint> string lists, |
70 | - representing the two linked endpoints of a relation. If a mismatch |
71 | - matches one of these relations, it will be flagged as an error. |
72 | - 1. `ignore endpoints` - A list of <charm>:<endpoint> strings. If a mismatch |
73 | - matches one of these endpoints, it will be ignored. |
74 | - 1. `ignore relations` - A list of two-item <charm>:<endpoint> string lists, |
75 | - representing the two linked endpoints of a relation. If a mismatch |
76 | - matches one of these relations, it will be ignored. |
77 | +There are some rules files that are ready to be used and they can be found at: |
78 | |
79 | -In the case of a mismatch matching both enforce and ignore rules, the enforce |
80 | -rule will "win" and it will be flagged as an error. |
81 | +``` |
82 | +/snap/juju-lint/current/contrib/ |
83 | +``` |
84 | |
85 | -Note that all the above checks use charm names rather than application names |
86 | -in their endpoint strings. |
87 | +## Documentation |
88 | +Documentation is available at the [docs](docs) folder. |
89 | |
90 | -== License == |
91 | +## License |
92 | |
93 | Copyright 2020 Canonical Limited. |
94 | License granted by Canonical Limited. |
95 | diff --git a/docs/space-checks.md b/docs/space-checks.md |
96 | new file mode 100644 |
97 | index 0000000..3afdc92 |
98 | --- /dev/null |
99 | +++ b/docs/space-checks.md |
100 | @@ -0,0 +1,31 @@ |
101 | +# Space checks |
102 | + |
103 | +All relations defined within a bundle, except for cross-model relationships, |
104 | +will be checked for mismatches of their space bindings. |
105 | + |
106 | +By default, mismatches are logged as warnings as they are not necessarily |
107 | +critical problems. If applications can route to each other despite the |
108 | +mismatch, there may be no real issue here, and it may be appropriate to ignore |
109 | +certain issues. On the other hand, these mismatches may cause problems ranging |
110 | +from impaired throughput due to using suboptimal interfaces to breakages due to |
111 | +not being able to route between the related units. |
112 | + |
113 | +The following options are available to either log such mismatches as errors or |
114 | +to ignore them entirely: |
115 | + |
116 | + 1. `enforce endpoints` - A list of <charm>:<endpoint> strings. If a mismatch |
117 | + matches one of these endpoints, it will be flagged as an error. |
118 | + 2. `enforce relations` - A list of two-item <charm>:<endpoint> string lists, |
119 | + representing the two linked endpoints of a relation. If a mismatch |
120 | + matches one of these relations, it will be flagged as an error. |
121 | + 1. `ignore endpoints` - A list of <charm>:<endpoint> strings. If a mismatch |
122 | + matches one of these endpoints, it will be ignored. |
123 | + 1. `ignore relations` - A list of two-item <charm>:<endpoint> string lists, |
124 | + representing the two linked endpoints of a relation. If a mismatch |
125 | + matches one of these relations, it will be ignored. |
126 | + |
127 | +In the case of a mismatch matching both enforce and ignore rules, the enforce |
128 | +rule will "win" and it will be flagged as an error. |
129 | + |
130 | +Note that all the above checks use charm names rather than application names |
131 | +in their endpoint strings. |
132 | \ No newline at end of file |
133 | diff --git a/docs/subordinates.md b/docs/subordinates.md |
134 | new file mode 100644 |
135 | index 0000000..1f0aa4a |
136 | --- /dev/null |
137 | +++ b/docs/subordinates.md |
138 | @@ -0,0 +1,163 @@ |
139 | +# Subordinates |
140 | + |
141 | +The purpose of the subordinates section is to check which subordinates are available on each of the deployed applications. |
142 | + |
143 | +Below is an example of what the subordinates attribute can look like |
144 | + |
145 | +```yaml |
146 | +subordinates: |
147 | + telegraf: |
148 | + where: all except prometheus |
149 | + landscape-client: |
150 | + where: all except landscape-server |
151 | + filebeat: |
152 | + where: all except graylog |
153 | + canonical-livepatch: |
154 | + where: host only |
155 | + nrpe: |
156 | + where: container aware |
157 | + host-suffixes: [host, physical, guest] |
158 | + container-suffixes: [lxd, container] |
159 | + exceptions: [nagios] |
160 | + check-relations: [ |
161 | + ["*:nrpe-external-master", "nrpe:nrpe-external-master"], |
162 | + ["nagios:monitors", "nrpe:monitors"], |
163 | + ] |
164 | + enforce-juju-info : true |
165 | + ntp: |
166 | + where: host only |
167 | + thruk-agent: |
168 | + where: on nagios |
169 | + hw-health: |
170 | + where: metal only |
171 | + local-users: |
172 | + where: all or nothing |
173 | +``` |
174 | + |
175 | +## where |
176 | + |
177 | +In the `where` option we specify generally where to find the subordinates. |
178 | + |
179 | +In the above example we have 9 subordinates that we are looking at. Below we'll go through each of them, and explain all the options |
180 | + |
181 | +### all except \<app\> |
182 | + |
183 | +3 applications have tha same option, i.e. `telegraf`, `landscape-client` and `filebeat`, and these use the `where: all except ...` option. Below is the one from `telegraf` |
184 | + |
185 | +```yaml |
186 | +telegraf: |
187 | + where: all except prometheus |
188 | +``` |
189 | + |
190 | +This option is suggesting that we should find the `telagraf` subordinate charm under all the applications except for the `prometheus` applications |
191 | + |
192 | +### host only |
193 | + |
194 | +We have one subordinate charm, that is using this option, namely `ntp` as shown below |
195 | + |
196 | +```yaml |
197 | +ntp: |
198 | + where: host only |
199 | +``` |
200 | + |
201 | +In this instance the option will check that the `ntp` charm is available on all the hosts that are not containers. |
202 | + |
203 | +This is useful in this scenario, as running `ntp` on a container does not make sense, as the time for a container is directly taken from the underlying hypervisor. Also in this scenario, the ntp charm will not be able to change the time so wouldn't make sense. |
204 | + |
205 | +### metal only |
206 | +We have one subordinate charm, that is using this option, namely `hw-health` as shown below |
207 | + |
208 | +```yaml |
209 | +hw-health: |
210 | + where: metal only |
211 | +``` |
212 | + |
213 | +In this instance the option will check that the `hw-health` charm is available on all the machines that are running on bare-metal. |
214 | + |
215 | +This is useful in this scenario, as running `hw-health` on a container or on a vm does not make sense because the charm only work for |
216 | +bare-metal installations on specific hardware. |
217 | + |
218 | + |
219 | +### on \<app\> |
220 | + |
221 | +We have one subordinate charm, that is using this option, namely `thruk-agent` as shown below |
222 | + |
223 | +```yaml |
224 | +thruk-agent: |
225 | + where: on nagios |
226 | +``` |
227 | + |
228 | +This option checks that this particular subordinate charm is on a specific application. So in this scenario, the tool will chck that the `thruk-agent` is only on the `nagios` application |
229 | + |
230 | +### container aware |
231 | + |
232 | +We have one subordinate charm in our example that is using this option, namely `nrpe` as shown below |
233 | + |
234 | +```yaml |
235 | + nrpe: |
236 | + where: container aware |
237 | + host-suffixes: [host, physical, guest] |
238 | + container-suffixes: [lxd, container] |
239 | + exceptions: [nagios] |
240 | + check-relations: [ |
241 | + ["*:nrpe-external-master", "nrpe:nrpe-external-master"], |
242 | + ["nagios:monitors", "nrpe:monitors"], |
243 | + ] |
244 | + enforce-juju-info : true |
245 | +``` |
246 | + |
247 | +As can be seen, this specific option has many other variables that we need to look at. The purpose of this option is to check the name of the subordinate charm that is linked, and that `nrpe` is in the name of the subordinate |
248 | + |
249 | +The `host-suffixes` and `container-suffixes` options are designed to look for the name of the subordinate with the relevant fixes, whether is a physical server, vm or a container. `host-suffixes` currently caters for physical and kvms, and `container-suffixes` for lxc containers. If however if neither of these options are found then the longer option of searching through is used, so could take longer |
250 | + |
251 | +Another option is `exceptions`, this is where the relevant subordinate will not be present. In the above scenario, we don't run nrpe on the nagios server, as that has the capability of monitoring itself and therefore is not required |
252 | + |
253 | +### all |
254 | + |
255 | +This option will suggest that all the applications will have this particular subordinate |
256 | + |
257 | +### all or nothing |
258 | + |
259 | +We have one subordinate charm in our example that is using this option, namely `local-users` as shown below: |
260 | + |
261 | +```yaml |
262 | +local-users: |
263 | + where: all or nothing |
264 | +``` |
265 | + |
266 | +This option will check whether if all the applications will have this particular subordinate or none will have it. |
267 | + |
268 | +## check-relations and enforce-juju-info |
269 | + |
270 | +Those options are used to check if subordinate units are related with other applications in the bundle. We have one subordinate charm in our example that is using this option, namely `nrpe` as shown below: |
271 | + |
272 | +```yaml |
273 | + nrpe: |
274 | + where: container aware |
275 | + host-suffixes: [host, physical, guest] |
276 | + container-suffixes: [lxd, container] |
277 | + exceptions: [nagios] |
278 | + check-relations: [ |
279 | + ["*:nrpe-external-master", "nrpe:nrpe-external-master"], |
280 | + ["nagios:monitors", "nrpe:monitors"], |
281 | + ] |
282 | + enforce-juju-info : true |
283 | +``` |
284 | + |
285 | +`check-relations` should be passed as a List of Lists. Each element should have this pattern: |
286 | + |
287 | +``` |
288 | +[<CHARM>:<INTERFACE>, <SUBORDINATE_CHARM>:<SUBORDINATE_INTERFACE>] |
289 | +``` |
290 | + |
291 | +If you want to add a rule that is the same for several charms, you can use `*` instead of making an exhaustive list. |
292 | + |
293 | +In the example above, the first element is using `*` meaning that it will check for `nrpe-external-master` endpoint on all applications in the bundle. If this endpoint exists in the charm, it will check if it's related to the subordinate. |
294 | + |
295 | +The second element in the example will check if the app `nagios` is related with `nrpe` using the `monitors` interface. |
296 | + |
297 | +Nrpe should relate preferably using the `nrpe-external-master` interface in this example, but in some cases that is not possible (e.g: ubuntu with nrpe). If you want to guarantee that a relation is happening you can set `enforce-juju-info` to `true`. This will check if the app is related using the less specific interface `juju-info`. |
298 | + |
299 | +If `enforce-juju-info` is set to `false` the only relations that will be checked are the ones inside `check-relations`. |
300 | + |
301 | +**Note:** In case that a charm has a more specific endpoint to relate with the subordinate and it's using `juju-info` an alert will happen. |
This merge proposal is being monitored by mergebot. Change the status to Approved to merge.