From 7d02efc69bd44952338582f8bffb804c4b5f47b5 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Wed, 18 Jun 2025 13:38:27 +0200 Subject: [PATCH 1/3] fix: Fix galaxy install command in README Remove the spurious backtick. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c727a84a..63686d02 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ See below The role requires additional collections which are specified in `meta/collection-requirements.yml`. These are not automatically installed. You must install them like this: ```bash -ansible-galaxy install -vv -r meta/collection-requirements.yml` +ansible-galaxy install -vv -r meta/collection-requirements.yml ``` ## Role Variables From cbcd692a6485eb92ba73f80bfcd2829173d72b28 Mon Sep 17 00:00:00 2001 
From: Martin Pitt Date: Wed, 18 Jun 2025 13:46:04 +0200 Subject: [PATCH 2/3] feat: Support this role in container builds Feature: Support running the cockpit role during container builds. Reason: This is particularly useful for building bootc derivative OSes. Result: The role now works during container builds. The bootc container scenarios run in CI, which ensures that the role works in buildah build environment. This allows us to officially support this role for image mode builds. Do *not* enable the role for system containers (the `container`) flag. That currently fails due to SELinux not working properly there, and needs to be looked at separately if desired. Detect if the system is booted (with systemd), and skip all runtime operations and checks if not. Also use `firewall-offline-cmd` which works also in non-booted environments -- we are only/primarily interested in the persistent firewall config anyway. Do full bootc end-to-end validation in tests_tangd_custom_port, which is one of the most complex ones (combining nbde_server, firewall, and selinux roles). Run the first scenario with custom port for that. See https://issues.redhat.com/browse/RHEL-78157 --- README.md | 2 +- meta/main.yml | 1 + tasks/main-tang.yml | 8 +++--- tasks/set_vars.yml | 23 ++++++++++++++++- tests/tasks/verify-role-results.yml | 2 +- tests/tests_nbde_server_service_state.yml | 6 ++--- tests/tests_tangd_custom_port.yml | 30 +++++++++++++++++++++-- 7 files changed, 61 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 63686d02..cf5de0e9 100644 --- a/README.md +++ b/README.md 
@@ -30,7 +30,7 @@ These are the variables that can be passed to the role: | **Variable** | **Default** | **Description** | |----------|-------------|------| | `nbde_server_provider` | `tang` | identifies the provider for `nbde_server` role. We currently support `tang` as an `nbde_server` provider, meaning that the `nbde_server` role is currently able to provision/deploy tang servers. -| `nbde_server_service_state` | `started` | indicates the state the nbde_server should be. It can be either `started` (default) or `stopped`. `started` means the server is accepting connections, whereas `stopped` means it is not accepting connections. +| `nbde_server_service_state` | `started` | indicates the state the nbde_server should be. It can be either `started` (default) or `stopped`. `started` means the server is accepting connections, whereas `stopped` means it is not accepting connections. Ignored for non-booted hosts like container builds, then the service is always started at boot. | `nbde_server_rotate_keys`| `false` | indicates whether we should rotate existing keys -- if any -- , then create new keys. Default behavior (`false`) is to create new keys, if there are none, and don't touch the keys, if they exist. If set to `true`, existing keys will be rotated and new keys will be created. |`nbde_server_fetch_keys`| `false` | indicates whether we should fetch keys to the control node, in which case they will be placed in `nbde_server_keys_dir`. You **must** set `nbde_server_keys_dir` to use `nbde_server_fetch_keys`. |`nbde_server_deploy_keys`| `false` |indicates whether we should deploy the keys located in `nbde_server_keys_dir` directory to the remote hosts. You **must** set `nbde_server_keys_dir` to use `nbde_server_deploy_keys`. diff --git a/meta/main.yml b/meta/main.yml index ddb9d728..739db98c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,6 +18,7 @@ galaxy_info: galaxy_tags: - centos - clevis + - containerbuild - el7 - el8 - el9 
diff --git a/tasks/main-tang.yml b/tasks/main-tang.yml index cbf599bd..329a6f8b 100644 --- a/tasks/main-tang.yml +++ b/tasks/main-tang.yml @@ -36,7 +36,9 @@ - name: Reload the daemons so the new changes take effect systemd: daemon_reload: true - when: __nbde_server_port_changed | d(false) | bool + when: + - __nbde_server_port_changed | d(false) | bool + - __nbde_server_is_booted | bool - name: Ensure required services are enabled and at the right state service: @@ -45,8 +47,8 @@ enabled: true loop: "{{ __nbde_server_services }}" vars: - __state: "{{ nbde_server_service_state if - nbde_server_service_state != 'started' else + __state: "{{ omit if not __nbde_server_is_booted else + nbde_server_service_state if nbde_server_service_state != 'started' else 'restarted' if __nbde_server_port_changed else 'started' }}" diff --git a/tasks/set_vars.yml b/tasks/set_vars.yml index 0b8b85aa..e406c0d7 100644 --- a/tasks/set_vars.yml +++ b/tasks/set_vars.yml @@ -6,7 +6,7 @@ difference(ansible_facts.keys() | list) | length > 0 - name: Determine if system is ostree and set flag - when: not __nbde_server_is_ostree is defined + when: __nbde_server_is_ostree is not defined block: - name: Check if system is ostree stat: 
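Review bot: The new `__state` expression negates the fact directly (`omit if not __nbde_server_is_booted else …`) while the daemon-reload condition in the previous hunk filters the same fact with `__nbde_server_is_booted | bool`; the fact is produced by a templated `set_fact` in tasks/set_vars.yml, and if it ever arrives as a string the bare negation would treat `"False"` as truthy and the role would try to start the service inside a container build. Use one form in both places, `omit if not (__nbde_server_is_booted | bool) else`, and the same `| bool` where the tests reuse the fact (tests/tasks/verify-role-results.yml, tests/tests_nbde_server_service_state.yml, tests/tests_tangd_custom_port.yml). A short comment above `__state` would also save the next reader a trip to the README: `# not booted (e.g. container build): only enable the unit, leave its runtime state untouched`. The `service:` task whose `name:`/`state:` keys this `vars:` block feeds starts outside the hunk.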
@@ -17,6 +17,27 @@ set_fact: __nbde_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" +- name: Determine if system is booted with systemd + when: __nbde_server_is_booted is not defined + block: + - name: Run systemctl + # noqa command-instead-of-module + command: systemctl is-system-running + register: __is_system_running + changed_when: false + check_mode: false + failed_when: false + + - name: Require installed systemd + fail: + msg: "Error: This role requires systemd to be installed." + when: '"No such file or directory" in __is_system_running.msg | d("")' + + - name: Set flag to indicate that systemd runtime operations are available + set_fact: + # see https://www.man7.org/linux/man-pages/man1/systemctl.1.html#:~:text=is-system-running%20output + __nbde_server_is_booted: "{{ __is_system_running.stdout != 'offline' }}" + - name: Set platform/version specific variables include_vars: "{{ lookup('first_found', ffparams) }}" vars: diff --git a/tests/tasks/verify-role-results.yml b/tests/tasks/verify-role-results.yml index 4501d4ba..2e1dcb00 100644 --- a/tests/tasks/verify-role-results.yml +++ b/tests/tasks/verify-role-results.yml @@ -16,7 +16,7 @@ service: name: "{{ item }}" enabled: true - state: started + state: "{{ 'started' if __nbde_server_is_booted else omit }}" check_mode: true register: nbde_server_services_state loop: "{{ __nbde_server_services }}" diff --git a/tests/tests_nbde_server_service_state.yml b/tests/tests_nbde_server_service_state.yml index 531c765d..6b333420 100644 --- a/tests/tests_nbde_server_service_state.yml +++ b/tests/tests_nbde_server_service_state.yml @@ -18,7 +18,7 @@ service: name: "{{ item }}" enabled: true - state: started + state: "{{ 'started' if __nbde_server_is_booted else omit }}" register: nbde_server_state check_mode: true loop: "{{ __nbde_server_services }}" 
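Review bot: `__nbde_server_is_booted: "{{ __is_system_running.stdout != 'offline' }}"` treats any output other than the literal `offline` as a booted system, including an empty stdout: because `failed_when: false` swallows every failure of `systemctl is-system-running`, a run that exits without printing a state (anything other than the missing-binary case the preceding task catches) silently yields `true` and the runtime tasks are attempted. Comparing against the known states is safer, e.g. `__nbde_server_is_booted: "{{ __is_system_running.stdout | d('') | trim not in ['', 'offline'] }}"`, and it may be worth deciding whether `unknown` should count as booted as well. The `"No such file or directory"` match on `msg` also depends on an English strerror text; checking `__is_system_running.rc` alongside it would presumably make the systemd-missing detection less fragile.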
@@ -39,7 +39,7 @@ service: name: "{{ item }}" enabled: true - state: stopped + state: "{{ 'stopped' if __nbde_server_is_booted else omit }}" register: nbde_server_state check_mode: true loop: "{{ __nbde_server_services }}" @@ -60,7 +60,7 @@ service: name: "{{ item }}" enabled: true - state: started + state: "{{ 'started' if __nbde_server_is_booted else omit }}" register: nbde_server_state check_mode: true loop: "{{ __nbde_server_services }}" diff --git a/tests/tests_tangd_custom_port.yml b/tests/tests_tangd_custom_port.yml index a55cddec..683e634a 100644 --- a/tests/tests_tangd_custom_port.yml +++ b/tests/tests_tangd_custom_port.yml @@ -13,6 +13,15 @@ include_role: name: linux-system-roles.nbde_server public: true + when: not __bootc_validation | d(false) + + # role does not run during bootc QEMU validation, thus some vars are undefined + - name: Set __nbde_server_is_booted for bootc validation tests + set_fact: + __nbde_server_is_booted: true + # see vars/main.yml + __nbde_server_tangd_socket_file_path: /etc/systemd/system/tangd.socket.d/override.conf + when: __bootc_validation | d(false) - name: Ensure iproute package for ss command package: @@ -20,6 +29,13 @@ state: present use: "{{ (__nbde_server_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" + when: not __bootc_validation | d(false) + + - name: Create QEMU deployment during bootc end-to-end test + delegate_to: localhost + command: "{{ lsr_scriptdir }}/bootc-buildah-qcow.sh {{ ansible_host }}" + changed_when: true + when: ansible_connection == "buildah" - name: Check if port is open shell: @@ -31,6 +47,7 @@ failed_when: not __open_ports_output.stdout is search(':' ~ (nbde_server_port | string) ~ '$') changed_when: false + when: __nbde_server_is_booted | bool - name: Check if port TCP is open shell: 
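Review bot: `command: "{{ lsr_scriptdir }}/bootc-buildah-qcow.sh {{ ansible_host }}"` in the new "Create QEMU deployment during bootc end-to-end test" task hands one templated string to the command module, which then word-splits it on the delegate (localhost); a `lsr_scriptdir` or `ansible_host` value containing whitespace or quote characters would be re-parsed into extra arguments. Passing the two tokens as an `argv:` list avoids that re-parsing: `argv:` / `  - "{{ lsr_scriptdir }}/bootc-buildah-qcow.sh"` / `  - "{{ ansible_host }}"`. The play that contains this task starts and ends outside the hunk.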
@@ -41,10 +58,11 @@ register: __open_ports_output failed_when: __open_ports_output.stdout != "tcp" changed_when: false + when: __nbde_server_is_booted | bool - name: Check if port is opened in firewall command: >- - firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port + firewall-offline-cmd --zone {{ nbde_server_firewall_zone }} --query-port {{ nbde_server_port }}/tcp register: __firewall_output changed_when: false @@ -55,6 +73,12 @@ __file: "{{ __nbde_server_tangd_socket_file_path }}" __fingerprint: "system_role:nbde_server" + # do just one image/verify cycle for the bootc end-to-end test + - name: Skip remaining steps in bootc end-to-end validation + meta: end_play + when: __bootc_validation | d(false) + + - name: Install with default port and firewall zone include_role: name: linux-system-roles.nbde_server @@ -74,6 +98,7 @@ failed_when: not __open_ports_output.stdout is search(':80$') changed_when: false + when: __nbde_server_is_booted | bool - name: Check if port TCP is open shell: @@ -83,10 +108,11 @@ register: __open_ports_output failed_when: __open_ports_output.stdout != "tcp" changed_when: false + when: __nbde_server_is_booted | bool - name: Check if port is opened in firewall command: >- - firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port + firewall-offline-cmd --zone {{ nbde_server_firewall_zone }} --query-port 80/tcp register: __firewall_output changed_when: false From 1c6846140842bf13646e031aeff5cfb2608156d6 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Wed, 18 Jun 2025 22:31:01 +0200 Subject: [PATCH 3/3] tests: Adjust for Ansible 2.19 - Avoid `ansible_managed` variable, it's an internal constant. - Eliminate jinja templates in conditions. --- tests/tasks/check_header.yml | 4 ++-- tests/tests_default_vars.yml | 18 +++++++++++------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/tests/tasks/check_header.yml b/tests/tasks/check_header.yml index 607320f0..efcac838 100644 --- a/tests/tasks/check_header.yml 
+++ b/tests/tasks/check_header.yml @@ -9,8 +9,8 @@ - name: Check for presence of ansible managed header, fingerprint assert: that: - - ansible_managed in content + - __ansible_managed in content - __fingerprint in content vars: content: "{{ (__file_content | d(__content)).content | b64decode }}" - ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}" + __ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}" diff --git a/tests/tests_default_vars.yml b/tests/tests_default_vars.yml index d72be960..cf1ba836 100644 --- a/tests/tests_default_vars.yml +++ b/tests/tests_default_vars.yml @@ -8,16 +8,20 @@ include_role: name: linux-system-roles.nbde_server public: true + - name: Assert that the role declares all parameters in defaults assert: - that: "{{ item }} is defined" - loop: - - nbde_server_provider - - nbde_server_deploy_keys - - nbde_server_fetch_keys - - nbde_server_rotate_keys - - nbde_server_keys_dir + that: nbde_server_vars | length == nbde_server_vars_vals | length + vars: + nbde_server_vars: + - nbde_server_provider + - nbde_server_deploy_keys + - nbde_server_fetch_keys + - nbde_server_rotate_keys + - nbde_server_keys_dir + nbde_server_vars_vals: "{{ lookup('vars', *nbde_server_vars) }}" when: ansible_version.full is version_compare('2.9', '>=') + always: - name: Cleanup tags: tests::cleanup
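Review bot: The rewritten assertion `nbde_server_vars | length == nbde_server_vars_vals | length` cannot fail as an assertion: `lookup('vars', *nbde_server_vars)` either raises on an undefined name or returns exactly one value per name, so whenever the task reaches `assert:` the two lengths are equal by construction, and a missing default surfaces as a templating error while evaluating `vars:` rather than as a failed assert naming the variable. If the goal is a per-variable check without a Jinja template in the condition, keep the original literal `loop:` list and test each name through the lookup's default, `that: lookup('vars', item, default=__undef) != __undef` with a sentinel `__undef: __nbde_server_undefined` in `vars:`. Failing that, a comment such as `# lookup('vars') raises on an undefined name; that error is what this check relies on` would at least document the current intent.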