Add molecule testing for Debian and Centos (#57)

Incorporate molecule framework testing to ensure the podman and setup roles successfully run against various platforms. As of this commit, the testing targets centos:stream8 and debian:11 Other changes: - use ansible/ansible-lint@main for the linting check, and the job is now part of CI workflow. - Various changes to the playbooks to make them idempotent, which is tested in molecule. - Bump meta runtime requires to >=2.13.0
ansible · Sep 11, 2023 · 2671ebb · 2671ebb
1 parent e0e5453
commit 2671ebb
Show file tree

Hide file tree

Showing 18 changed files with 159 additions and 53 deletions.
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,39 @@
+---
+
+name: CI
+
+'on':
+  pull_request:
+  push:
+  workflow_dispatch:
+
+jobs:
+  molecule:
+    name: molecule
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v2
+
+      - name: Install Dependencies
+        run: |
+          pip install -r molecule/requirements.txt
+
+      - name: Run Molecule
+        env:
+          MOLECULE_VERBOSITY: 3
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+        run: |
+          molecule test
+
+  ansible-lint:
+    name: ansible-lint
+    runs-on: ubuntu-latest
+    steps:
+      # Important: This sets up your GITHUB_WORKSPACE environment variable
+      - uses: actions/checkout@v3
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@main
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ This collection has been tested on the following distributions:
 | ---------- | ------- | ---------- |
 | Centos | >=8 | Y |
 | Redhat | >=8 | Y |
-| Ubuntu | >=20 | Y |
+| Debian | >=11 | Y |
 
 # 4. Roles
 

diff --git a/meta/runtime.yml b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.11"
+requires_ansible: ">=2.13.0"
diff --git a/molecule/default/Containerfile.j2 b/molecule/default/Containerfile.j2
@@ -0,0 +1,6 @@
+FROM debian:11
+
+RUN apt-get update && apt-get install -y \
+    init \
+    python3 \
+    && apt-get clean all
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -0,0 +1,17 @@
+---
+- name: Create
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Create the receptor user
+      ansible.builtin.user:
+        name: receptor
+        shell: /bin/bash
+
+    - name: Run podman role
+      ansible.builtin.import_role:
+        name: ansible.receptor.podman
+
+    - name: Run setup role
+      ansible.builtin.import_role:
+        name: ansible.receptor.setup
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -0,0 +1,44 @@
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+driver:
+  name: podman
+platforms:
+  - name: molecule-centos
+    image: quay.io/centos/centos:stream8
+    pre_build_image: true
+    systemd: true
+    privileged: true
+    command: "/usr/sbin/init"
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+  - name: molecule-debian
+    image: debian:11
+    dockerfile: Containerfile.j2
+    pre_build_image: false
+    systemd: true
+    privileged: true
+    command: "/lib/systemd/systemd"
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+provisioner:
+  name: ansible
+  inventory:
+    host_vars:
+      molecule-centos:
+        podman_user: receptor
+        podman_group: receptor
+        ansible_connection: containers.podman.podman
+      molecule-debian:
+        ansible_connection: containers.podman.podman
+        podman_user: receptor
+        podman_group: receptor
diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
@@ -0,0 +1,2 @@
+collections:
+  - containers.podman
diff --git a/molecule/requirements.txt b/molecule/requirements.txt
@@ -0,0 +1,3 @@
+molecule
+ansible-core
+molecule-plugins[podman]
diff --git a/molecule/requirements.yml b/molecule/requirements.yml
@@ -0,0 +1,2 @@
+collections:
+  - containers.podman
diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml
@@ -1,19 +1,20 @@
 ---
 # Variable configuration.
-- include_tasks: variables.yml
+- name: Include variables
+  ansible.builtin.include_tasks: variables.yml
 
 # Setup/install tasks.
-- include_tasks: "setup-{{ ansible_os_family }}.yml"
+- name: Run OS-specific tasks
+  ansible.builtin.include_tasks: "setup-{{ ansible_os_family }}.yml"
   when: ansible_os_family in ['RedHat', 'Debian']
 
 - name: Create directory for podman runtime config
   ansible.builtin.file:
     path: "~{{ podman_user }}/.config/containers"
     state: directory
-    mode: 0700
+    mode: '0700'
     owner: "{{ podman_user }}"
     group: "{{ podman_group }}"
-    recurse: true
 
 - name: Configure podman default runtime
   ansible.builtin.copy:
@@ -24,7 +25,7 @@
     dest: "~{{ podman_user }}/.config/containers/containers.conf"
     owner: "{{ podman_user }}"
     group: "{{ podman_group }}"
-    mode: 0600
+    mode: '0600'
 
 - name: Create empty mounts config file to avoid permissions error message
   ansible.builtin.copy:
@@ -33,7 +34,7 @@
     force: false
     owner: "{{ podman_user }}"
     group: "{{ podman_group }}"
-    mode: 0600
+    mode: '0600'
 
 - name: Create storage.conf to defer fuse-overlayfs on rootless env
   ansible.builtin.copy:
@@ -46,18 +47,17 @@
     force: true
     owner: "{{ podman_user }}"
     group: "{{ podman_group }}"
-    mode: 0600
+    mode: '0600'
 
 - name: Ensure registries.conf.d exists
   ansible.builtin.file:
     path: /etc/containers/registries.conf.d/
     state: directory
-    recurse: true
-    mode: 0755
+    mode: '0755'
 
 - name: Force fully qualified image names to be provided to podman pull
   ansible.builtin.copy:
     content: |
       unqualified-search-registries = []
     dest: /etc/containers/registries.conf.d/force-fully-qualified-images.conf
-    mode: 0644
+    mode: '0644'
diff --git a/roles/podman/tasks/setup-Debian.yml b/roles/podman/tasks/setup-Debian.yml
@@ -5,7 +5,9 @@
     state: present
 
 # enable linger for podman_user when is not root
-- name: Enable linger for {{ podman_user }} user
+- name: Enable linger for user {{ podman_user }}
   ansible.builtin.command: "loginctl enable-linger {{ podman_user }}"
+  register: result
+  changed_when: result.rc != 0
   when:
     - podman_user != 'root'
diff --git a/roles/setup/handlers/main.yml b/roles/setup/handlers/main.yml
@@ -10,6 +10,7 @@
 - name: Reload Receptor
   ansible.builtin.command: receptorctl --socket {{ receptor_socket_dir }}/{{ receptor_control_filename }} reload
   register: _reload
+  changed_when: _reload.rc != 0
   ignore_errors: true
   failed_when: _reload.rc != 0 or _reload.stdout.startswith("Error:")
   when: _restart is not defined
diff --git a/roles/setup/tasks/main.yml b/roles/setup/tasks/main.yml
@@ -1,25 +1,31 @@
 ---
-- include_tasks: preflight.yml
+- name: Run preflight
+  ansible.builtin.include_tasks: preflight.yml
 
 # Variable configuration.
-- include_tasks: variables.yml
+- name: Include variables
+  ansible.builtin.include_tasks: variables.yml
 
 # Setup/install tasks.
-- include_tasks: "setup-{{ ansible_os_family }}.yml"
+- name: Run OS-specific tasks
+  ansible.builtin.include_tasks: "setup-{{ ansible_os_family }}.yml"
   when: ansible_os_family in ['RedHat', 'Debian']
 
-- include_tasks: python_packages.yml
+- name: Install python packages
+  ansible.builtin.include_tasks: python_packages.yml
 
-- include_tasks: setup-local.yml
+- name: Receptor install local
+  ansible.builtin.include_tasks: setup-local.yml
   when: receptor_install_method == 'local'
 
-- include_tasks: setup-release.yml
+- name: Receptor install release
+  ansible.builtin.include_tasks: setup-release.yml
   when: receptor_install_method == 'release'
 
 - name: Check if receptor was installed correctly
   ansible.builtin.command: "receptor --version"
+  changed_when: false
   register: receptor_version
-  changed_when: receptor_version.rc == 0
   ignore_errors: true
 
 - name: Assert receptor installation
@@ -29,17 +35,22 @@
     fail_msg: "Receptor not installed correctly. Please check the installation or reinstall it with local_receptor: true"
     success_msg: "Receptor installed correctly"
 
-- include_tasks: configure.yml
+- name: Configure receptor socket
+  ansible.builtin.include_tasks: configure.yml
 
-- include_tasks: tls.yml
+- name: TLS files
+  ansible.builtin.include_tasks: tls.yml
   when: receptor_tls
 
-- include_tasks: worksign.yml
+- name: Work signing
+  ansible.builtin.include_tasks: worksign.yml
   when: receptor_sign or receptor_verify
 
-- include_tasks: generate_config.yml
+- name: Generate receptor config
+  ansible.builtin.include_tasks: generate_config.yml
 
-- include_tasks: setup-service.yml
+- name: Setup systemd
+  ansible.builtin.include_tasks: setup-service.yml
   when: receptor_install_method in ['release', 'local']
 
 - name: Start Receptor service

diff --git a/roles/setup/tasks/setup-RedHat.yml b/roles/setup/tasks/setup-RedHat.yml
@@ -14,6 +14,7 @@
 # systemd_receptor.service file, we can just use an overrides
 # file to tweak it.
 - name: Setup systemd overrides
+  when: receptor_install_method == 'package'
   block:
     - name: Ensure systemd override directory exists
       ansible.builtin.file:
@@ -32,7 +33,6 @@
         group: root
       notify:
         - Restart Receptor
-  when: receptor_install_method == 'package'
 
 - name: Install dependencies specific to the node type
   ansible.builtin.dnf:

diff --git a/roles/setup/tasks/setup-release.yml b/roles/setup/tasks/setup-release.yml
@@ -1,9 +1,4 @@
 ---
-- name: Create temp directory for tar gz file
-  ansible.builtin.tempfile:
-    state: directory
-  register: tmpdir
-
 - name: Get latest release of receptor repository
   ansible.builtin.uri:
     url: "https://api.github.com/repos/{{ receptor_github_owner }}/\
@@ -16,25 +11,20 @@
       default(latest_receptor_release.json.tag_name)) }}"
     receptor_arch: "{{ arch_mapping[ansible_architecture] | default(ansible_architecture) }}"
 
-- name: Download receptor from {{ receptor_tag }} release
+- name: Download receptor from release {{ receptor_tag }}
   ansible.builtin.get_url:
     url: "https://github.com/{{ receptor_github_owner }}/\
       {{ receptor_github_repo }}/releases/\
       download/{{ receptor_tag }}/{{ receptor_github_repo }}_\
       {{ receptor_tag | regex_replace('^v', '') }}_{{ ansible_system | lower }}_{{ receptor_arch }}.tar.gz"
-    dest: "{{ tmpdir.path }}"
+    dest: /tmp
     mode: '0644'
 
 - name: Unarchive receptor release
   ansible.builtin.unarchive:
-    src: "/{{ tmpdir.path }}/{{ receptor_github_repo }}_\
+    src: "/tmp/{{ receptor_github_repo }}_\
       {{ receptor_tag | regex_replace('^v', '') }}_{{ ansible_system | lower }}_{{ receptor_arch }}.tar.gz"
     dest: "{{ receptor_install_dir }}"
     remote_src: true
   notify:
     - Restart Receptor
-
-- name: Remove receptor archive
-  ansible.builtin.file:
-    path: "{{ tmpdir.path }}"
-    state: absent
diff --git a/roles/setup/tasks/tls.yml b/roles/setup/tasks/tls.yml
@@ -11,7 +11,7 @@
     - "{{ receptor_tls_ca_dir }}"
 
 - name: Process provided TLS files
-  include_tasks: tls_local.yml
+  ansible.builtin.include_tasks: tls_local.yml
   when: custom_tls_certfile is defined or custom_tls_keyfile is defined
 
 - name: Set TLS file permissions

diff --git a/roles/setup/tasks/worksign.yml b/roles/setup/tasks/worksign.yml
@@ -1,3 +1,4 @@
 ---
-- include_tasks: worksign_local.yml
+- name: Work signing local
+  ansible.builtin.include_tasks: worksign_local.yml
   when: custom_worksign_private_keyfile is defined or custom_worksign_public_keyfile is defined