From 969820a7f355b795df1cd05ebaf5a42b4c151a89 Mon Sep 17 00:00:00 2001
From: Matt Crees <mattc@stackhpc.com>
Date: Thu, 19 Sep 2024 13:10:00 +0100
Subject: [PATCH 1/2] Prevent accidental downgrades of RabbitMQ

As version-check.yml is added to deploy.yml, we must make sure the
tasks are only run when the rabbitmq container exists.

Change-Id: Iaa31bae739110094affb5e402ed9ac40b153ac3d
(cherry picked from commit f5ad7829c3a327d367be1ce807d2867f254fab2a)
---
 ansible/roles/rabbitmq/tasks/deploy.yml       |   2 +
 .../roles/rabbitmq/tasks/version-check.yml    | 121 ++++++++++--------
 ...itmq-catch-downgrade-1005c7475a97bf19.yaml |   5 +
 3 files changed, 78 insertions(+), 50 deletions(-)
 create mode 100644 releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml

diff --git a/ansible/roles/rabbitmq/tasks/deploy.yml b/ansible/roles/rabbitmq/tasks/deploy.yml
index 7be978c440..5686a515c2 100644
--- a/ansible/roles/rabbitmq/tasks/deploy.yml
+++ b/ansible/roles/rabbitmq/tasks/deploy.yml
@@ -1,4 +1,6 @@
 ---
+- import_tasks: version-check.yml
+
 - include_tasks: remove-ha-all-policy.yml
   when:
     - not om_enable_rabbitmq_high_availability | bool
diff --git a/ansible/roles/rabbitmq/tasks/version-check.yml b/ansible/roles/rabbitmq/tasks/version-check.yml
index 25d196202f..11cb93cd39 100644
--- a/ansible/roles/rabbitmq/tasks/version-check.yml
+++ b/ansible/roles/rabbitmq/tasks/version-check.yml
@@ -1,59 +1,80 @@
 ---
 - block:
-    - name: Get current RabbitMQ version
-      vars:
-        service_name: "rabbitmq"
-        service: "{{ rabbitmq_services[service_name] }}"
+    - name: Get container facts
       become: true
-      command: "{{ kolla_container_engine }} exec {{ service.container_name }} rabbitmqctl --version"
-      register: rabbitmq_version_current
-      changed_when: false
+      kolla_container_facts:
+        container_engine: "{{ kolla_container_engine }}"
+        name:
+          - "{{ service.container_name }}"
+      register: container_facts
 
-    - name: Get new RabbitMQ version
-      become: true
-      vars:
-        rabbitmq_container: "{{ rabbitmq_services['rabbitmq'] }}"
-      kolla_container:
-        action: "start_container"
-        command: "rabbitmqctl --version"
-        detach: false
-        environment:
-          KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
-        image: "{{ rabbitmq_container.image }}"
-        name: "rabbitmq_version_check"
-        restart_policy: oneshot
-        volumes: "{{ rabbitmq_default_volumes + rabbitmq_extra_volumes }}"
-      register: rabbitmq_version_new
-      failed_when: false
-      check_mode: false
+    - block:
+        - name: Get current RabbitMQ version
+          become: true
+          command: "{{ kolla_container_engine }} exec {{ service.container_name }} rabbitmqctl --version"
+          register: rabbitmq_version_current
+          changed_when: false
+
+        - name: Get new RabbitMQ version
+          become: true
+          vars:
+            rabbitmq_container: "{{ rabbitmq_services['rabbitmq'] }}"
+          kolla_container:
+            action: "start_container"
+            command: "rabbitmqctl --version"
+            container_engine: "{{ kolla_container_engine }}"
+            detach: false
+            environment:
+              KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+            image: "{{ rabbitmq_container.image }}"
+            name: "rabbitmq_version_check"
+            restart_policy: oneshot
+            volumes: "{{ rabbitmq_default_volumes + rabbitmq_extra_volumes }}"
+          register: rabbitmq_version_new
+          failed_when: false
+          check_mode: false
+
+        # As an example, when the new RabbitMQ version is 3.13.6:
+        # new_major_version = 3
+        # new_minor_version = 13
+        # new_version = 3.13
+        # And if the current RabbitMQ version is 3.11.28:
+        # upgrade_version = 3.12
+        - name: Check if running RabbitMQ is at most one version behind
+          vars:
+            current_version_major: "{{ rabbitmq_version_current.stdout | regex_search('^[0-9]+') }}"
+            current_version_minor: "{{ rabbitmq_version_current.stdout | regex_search('(?<=.)[^.].') }}"
+            current_version: "{{ rabbitmq_version_current.stdout | regex_replace('.[^.]+$', '') }}"
+            new_version_major: "{{ rabbitmq_version_new.stdout | regex_search('^[0-9]+') }}"
+            new_version_minor: "{{ rabbitmq_version_new.stdout | regex_search('(?<=.)[^.].') }}"
+            new_version: "{{ rabbitmq_version_new.stdout | regex_replace('.[^.]+$', '') }}"
+            # Note: this assumes 3.13 will be the last release before 4.0.
+            upgrade_version: "{{ '4.0' if current_version == '3.13' else current_version_major + '.' + (current_version_minor | int + 1) | string }}"
+          assert:
+            that: (current_version_major == new_version_major and
+                  new_version_minor | int - current_version_minor | int <= 1) or
+                  (new_version | float == 4.0 and current_version | float == 3.13)
+            fail_msg: >
+              Looks like you're trying to run a skip-release upgrade!
+              RabbitMQ must be at most one version behind the target release version ({{ rabbitmq_version_new.stdout | trim }}) to run this upgrade.
+              You are running {{ rabbitmq_version_current.stdout }}.
+              Please first upgrade to {{ upgrade_version }} with the command ``kolla-ansible rabbitmq-upgrade {{ upgrade_version }}``.
+              See these docs for more details: https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#slurp
+
+        - name: Catch when RabbitMQ is being downgraded
+          assert:
+            that: rabbitmq_version_current.stdout is version(rabbitmq_version_new.stdout | trim, 'le', version_type='semver')
+            fail_msg: >
+              Looks like you're about to downgrade RabbitMQ from version {{ rabbitmq_version_current.stdout }} to version {{ rabbitmq_version_new.stdout | trim }}.
+              If you're absolutely certain you want to do this, please skip the tag `rabbitmq-version-check`.
+              Otherwise, see these docs for how to pin the version of RabbitMQ:
+              https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#rabbitmq-versions
 
-    # As an example, when the new RabbitMQ version is 3.13.6:
-    # new_major_version = 3
-    # new_minor_version = 13
-    # new_version = 3.13
-    # And if the current RabbitMQ version is 3.11.28:
-    # upgrade_version = 3.12
-    - name: Check if running RabbitMQ is at most one version behind
-      vars:
-        current_version_major: "{{ rabbitmq_version_current.stdout | regex_search('^[0-9]+') }}"
-        current_version_minor: "{{ rabbitmq_version_current.stdout | regex_search('(?<=.)[^.].') }}"
-        current_version: "{{ rabbitmq_version_current.stdout | regex_replace('.[^.]+$', '') }}"
-        new_version_major: "{{ rabbitmq_version_new.stdout | regex_search('^[0-9]+') }}"
-        new_version_minor: "{{ rabbitmq_version_new.stdout | regex_search('(?<=.)[^.].') }}"
-        new_version: "{{ rabbitmq_version_new.stdout | regex_replace('.[^.]+$', '') }}"
-        # Note: this assumes 3.13 will be the last release before 4.0.
-        upgrade_version: "{{ '4.0' if current_version == '3.13' else current_version_major + '.' + (current_version_minor | int + 1) | string }}"
-      assert:
-        that: (current_version_major == new_version_major and
-              new_version_minor | int - current_version_minor | int <= 1) or
-              (new_version | float == 4.0 and current_version | float == 3.13)
-        fail_msg: >
-          Looks like you're trying to run a skip-release upgrade!
-          RabbitMQ must be at most one version behind the target release version ({{ rabbitmq_version_new.stdout | trim }}) to run this upgrade.
-          You are running {{ rabbitmq_version_current.stdout }}.
-          Please first upgrade to {{ upgrade_version }} with the command ``kolla-ansible rabbitmq-upgrade {{ upgrade_version }}``.
-          See these docs for more details: https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#slurp
+      when: container_facts[service.container_name] is defined
 
   delegate_to: "{{ groups[role_rabbitmq_groups] | first }}"
   run_once: true
   tags: rabbitmq-version-check
+  vars:
+    service_name: "rabbitmq"
+    service: "{{ rabbitmq_services[service_name] }}"
diff --git a/releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml b/releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml
new file mode 100644
index 0000000000..b5c82ef7ad
--- /dev/null
+++ b/releasenotes/notes/rabbitmq-catch-downgrade-1005c7475a97bf19.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Adds a check to stop deploying/upgrading the RabbitMQ containers if it
+    will result in downgrading the version of RabbitMQ running.

From a463354a118ffaf0527b206e1de97e9c817d7c87 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Fri, 6 Dec 2024 11:02:16 +0100
Subject: [PATCH 2/2] [2024.1 and older] CI: Fix exclude paths for ansible-lint

in 2024.2 and newer it was part of [1]

[1]: https://review.opendev.org/c/openstack/kolla-ansible/+/934021

Change-Id: I655b5beddda946ee434bf738c00e57c98e743d86
---
 tox.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index 34095f1d40..19ec36e3a6 100644
--- a/tox.ini
+++ b/tox.ini
@@ -154,7 +154,7 @@ setenv = {[testenv:linters]setenv}
 deps = {[testenv:linters]deps}
 commands =
   python {toxinidir}/tools/validate-all-file.py
-  ansible-lint -p --exclude {toxinidir}/tests --exclude {toxinidir}/roles --exclude {toxinidir}/etc
+  ansible-lint -p --exclude tests --exclude roles --exclude etc
 
 [testenv:yamllint]
 deps = {[testenv:linters]deps}