From 6fede426a4b31c02bd93cf9077a7338be008646f Mon Sep 17 00:00:00 2001 From: Seth Foster Date: Wed, 6 Sep 2023 11:50:02 -0400 Subject: [PATCH] Add molecule testing Incorporate molecule framework testing to ensure the podman and setup roles successfully run against various platforms. As of this commit, the testing targets centos:stream8 and debian:11 Other changes: - use ansible/ansible-lint@main for the linting check, and the job is now part of CI workflow. - Various changes to the playbooks to make them idempotent, which is tested in molecule. - Bump meta runtime requires to >=2.13.0 --- .github/workflows/ansible-lint.yml | 12 -------- .github/workflows/ci.yaml | 39 +++++++++++++++++++++++++ README.md | 2 +- meta/runtime.yml | 2 +- molecule/default/Containerfile.j2 | 6 ++++ molecule/default/converge.yml | 17 +++++++++++ molecule/default/molecule.yml | 44 +++++++++++++++++++++++++++++ molecule/default/requirements.yml | 2 ++ molecule/requirements.txt | 3 ++ molecule/requirements.yml | 2 ++ roles/podman/tasks/main.yml | 20 ++++++------- roles/podman/tasks/setup-Debian.yml | 4 ++- roles/setup/handlers/main.yml | 1 + roles/setup/tasks/main.yml | 35 +++++++++++++++-------- roles/setup/tasks/setup-RedHat.yml | 2 +- roles/setup/tasks/setup-release.yml | 16 ++--------- roles/setup/tasks/tls.yml | 2 +- roles/setup/tasks/worksign.yml | 3 +- 18 files changed, 159 insertions(+), 53 deletions(-) delete mode 100644 .github/workflows/ansible-lint.yml create mode 100644 .github/workflows/ci.yaml create mode 100644 molecule/default/Containerfile.j2 create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/requirements.yml create mode 100644 molecule/requirements.txt create mode 100644 molecule/requirements.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index 363c4d8..0000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -"on": [push, pull_request] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v3 - - - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.5.2 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..41a7b4d --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,39 @@ +--- + +name: CI + +'on': + pull_request: + push: + workflow_dispatch: + +jobs: + molecule: + name: molecule + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - uses: actions/setup-python@v2 + + - name: Install Dependencies + run: | + pip install -r molecule/requirements.txt + + - name: Run Molecule + env: + MOLECULE_VERBOSITY: 3 + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + run: | + molecule test + + ansible-lint: + name: ansible-lint + runs-on: ubuntu-latest + steps: + # Important: This sets up your GITHUB_WORKSPACE environment variable + - uses: actions/checkout@v3 + + - name: Run ansible-lint + uses: ansible/ansible-lint@main diff --git a/README.md b/README.md index 90601e6..d895b5d 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ This collection has been tested on the following distributions: | ---------- | ------- | ---------- | | Centos | >=8 | Y | | Redhat | >=8 | Y | -| Ubuntu | >=20 | Y | +| Debian | >=11 | Y | # 4. Roles diff --git a/meta/runtime.yml b/meta/runtime.yml index 03c25c9..6fe2c97 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -1,2 +1,2 @@ --- -requires_ansible: ">=2.11" +requires_ansible: ">=2.13.0" diff --git a/molecule/default/Containerfile.j2 b/molecule/default/Containerfile.j2 new file mode 100644 index 0000000..e391ee4 --- /dev/null +++ b/molecule/default/Containerfile.j2 @@ -0,0 +1,6 @@ +FROM debian:11 + +RUN apt-get update && apt-get install -y \ + init \ + python3 \ + && apt-get clean all 
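Review bot: The molecule job pins `actions/checkout@v2` and `actions/setup-python@v2` while the ansible-lint job in the same file uses `actions/checkout@v3`, and `uses: ansible/ansible-lint@main` tracks a moving branch, so a lint failure or a changed action can appear in CI without any change to this repository. Pin all four to a release tag, or to a full commit SHA for the third-party action, e.g. `uses: ansible/ansible-lint@<release tag or commit SHA>`. The workflow also declares no `permissions:` block, so both jobs receive the default token scope; a top-level `permissions:` / `contents: read` is all a checkout-and-test job needs. `pip install -r molecule/requirements.txt` installs whatever the currently unpinned versions are (see that file).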
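Review bot: The base image is hard-coded as `FROM debian:11` while `molecule.yml` also declares `image: debian:11` for the same platform, so the two can drift apart silently. If I read the podman driver right, its default template writes `FROM {{ item.image }}`, so using that here keeps the base image in one place and makes the `image:` key meaningful again. The `.j2` suffix is otherwise unused, since the file contains no template expressions.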
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..e65949a --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,17 @@ +--- +- name: Create + hosts: all + gather_facts: true + tasks: + - name: Create the receptor user + ansible.builtin.user: + name: receptor + shell: /bin/bash + + - name: Run podman role + ansible.builtin.import_role: + name: ansible.receptor.podman + + - name: Run setup role + ansible.builtin.import_role: + name: ansible.receptor.setup diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..2853d7b --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,44 @@ +dependency: + name: galaxy + options: + requirements-file: requirements.yml +driver: + name: podman +platforms: + - name: molecule-centos + image: quay.io/centos/centos:stream8 + pre_build_image: true + systemd: true + privileged: true + command: "/usr/sbin/init" + tmpfs: + - /run + - /tmp + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + + - name: molecule-debian + image: debian:11 + dockerfile: Containerfile.j2 + pre_build_image: false + systemd: true + privileged: true + command: "/lib/systemd/systemd" + tmpfs: + - /run + - /tmp + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + +provisioner: + name: ansible + inventory: + host_vars: + molecule-centos: + podman_user: receptor + podman_group: receptor + ansible_connection: containers.podman.podman + molecule-debian: + ansible_connection: containers.podman.podman + podman_user: receptor + podman_group: receptor diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml new file mode 100644 index 0000000..6c36796 --- /dev/null +++ b/molecule/default/requirements.yml @@ -0,0 +1,2 @@ +collections: + - containers.podman diff --git a/molecule/requirements.txt b/molecule/requirements.txt new file mode 100644 index 0000000..ea45703 --- /dev/null +++ b/molecule/requirements.txt 
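Review bot: The `Create the receptor user` task is a test prerequisite rather than part of the roles under test, so it belongs in a scenario `prepare.yml`; molecule runs `prepare` once and `converge` twice for the idempotence check, and limiting converge to the two `import_role` calls makes that result reflect the roles alone. `ansible.builtin.user` is itself idempotent, so this is a scenario-layout point, not a failing check.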
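Review bot: Both platforms set `privileged: true` alongside `systemd: true`; with the podman driver, `systemd: true` already runs the container in systemd mode, which I believe provides the cgroup and `/run`/`/tmp` tmpfs mounts on its own, so the privileged flag and the explicit `/sys/fs/cgroup:/sys/fs/cgroup:ro` volume may be unnecessary — worth a run without them so the test containers do not get full host capabilities. The identical `podman_user`, `podman_group` and `ansible_connection` entries under `host_vars` could move to `group_vars:` / `all:` so a future platform inherits them. The file also lacks the `---` document start that `ci.yaml` and the role files use.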
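Review bot: `molecule/default/requirements.yml` and `molecule/requirements.yml` are byte-identical (both show blob 6c36796), and `molecule.yml` resolves `requirements-file: requirements.yml` relative to the scenario directory, so the copy at `molecule/requirements.yml` appears unused by anything in this commit — the CI job only installs `molecule/requirements.txt`. Drop one or document why both exist. Neither pins a collection version; writing the entry as `- name: containers.podman` with a `version:` keeps the connection plugin from drifting between runs.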
@@ -0,0 +1,3 @@ +molecule +ansible-core +molecule-plugins[podman] diff --git a/molecule/requirements.yml b/molecule/requirements.yml new file mode 100644 index 0000000..6c36796 --- /dev/null +++ b/molecule/requirements.yml @@ -0,0 +1,2 @@ +collections: + - containers.podman diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml index c1e1cb4..de782b9 100644 --- a/roles/podman/tasks/main.yml +++ b/roles/podman/tasks/main.yml @@ -1,19 +1,20 @@ --- # Variable configuration. -- include_tasks: variables.yml +- name: Include variables + ansible.builtin.include_tasks: variables.yml # Setup/install tasks. -- include_tasks: "setup-{{ ansible_os_family }}.yml" +- name: Run OS-specific tasks + ansible.builtin.include_tasks: "setup-{{ ansible_os_family }}.yml" when: ansible_os_family in ['RedHat', 'Debian'] - name: Create directory for podman runtime config ansible.builtin.file: path: "~{{ podman_user }}/.config/containers" state: directory - mode: 0700 + mode: '0700' owner: "{{ podman_user }}" group: "{{ podman_group }}" - recurse: true - name: Configure podman default runtime ansible.builtin.copy: @@ -24,7 +25,7 @@ dest: "~{{ podman_user }}/.config/containers/containers.conf" owner: "{{ podman_user }}" group: "{{ podman_group }}" - mode: 0600 + mode: '0600' - name: Create empty mounts config file to avoid permissions error message ansible.builtin.copy: @@ -33,7 +34,7 @@ force: false owner: "{{ podman_user }}" group: "{{ podman_group }}" - mode: 0600 + mode: '0600' - name: Create storage.conf to defer fuse-overlayfs on rootless env ansible.builtin.copy: 
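Review bot: All three entries are unpinned, so every CI run resolves the latest `molecule`, `ansible-core` and `molecule-plugins[podman]`, and a breaking release in any of them fails the build with no change in this repository. Pin at least to a major.minor range (for example `ansible-core>=2.13,<2.16`, a constructed value — choose what the collection is actually tested with) or generate a lock file from a known-good environment. Whatever range is chosen should keep the `ansible-core` floor at or above the `>=2.13.0` now declared in `meta/runtime.yml`.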
@@ -46,18 +47,17 @@ force: true owner: "{{ podman_user }}" group: "{{ podman_group }}" - mode: 0600 + mode: '0600' - name: Ensure registries.conf.d exists ansible.builtin.file: path: /etc/containers/registries.conf.d/ state: directory - recurse: true - mode: 0755 + mode: '0755' - name: Force fully qualified image names to be provided to podman pull ansible.builtin.copy: content: | unqualified-search-registries = [] dest: /etc/containers/registries.conf.d/force-fully-qualified-images.conf - mode: 0644 + mode: '0644' diff --git a/roles/podman/tasks/setup-Debian.yml b/roles/podman/tasks/setup-Debian.yml index f749535..3644e71 100644 --- a/roles/podman/tasks/setup-Debian.yml +++ b/roles/podman/tasks/setup-Debian.yml @@ -5,7 +5,9 @@ state: present # enable linger for podman_user when is not root -- name: Enable linger for {{ podman_user }} user +- name: Enable linger for user {{ podman_user }} ansible.builtin.command: "loginctl enable-linger {{ podman_user }}" + register: result + changed_when: result.rc != 0 when: - podman_user != 'root' diff --git a/roles/setup/handlers/main.yml b/roles/setup/handlers/main.yml index 3bc5763..f511326 100644 --- a/roles/setup/handlers/main.yml +++ b/roles/setup/handlers/main.yml @@ -10,6 +10,7 @@ - name: Reload Receptor ansible.builtin.command: receptorctl --socket {{ receptor_socket_dir }}/{{ receptor_control_filename }} reload register: _reload + changed_when: _reload.rc != 0 ignore_errors: true failed_when: _reload.rc != 0 or _reload.stdout.startswith("Error:") when: _restart is not defined diff --git a/roles/setup/tasks/main.yml b/roles/setup/tasks/main.yml index 3bcde57..c4b8448 100644 --- a/roles/setup/tasks/main.yml +++ b/roles/setup/tasks/main.yml 
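Review bot: `changed_when: result.rc != 0` on the `loginctl enable-linger` task never reports a change: the command module already fails the task on a non-zero rc, so the only surviving case is rc == 0, which is reported as `ok` even on the run that actually enabled linger. The idempotent form is to let the command skip once its effect exists — `args:` / `creates: "/var/lib/systemd/linger/{{ podman_user }}"`, the file `enable-linger` writes — and drop `register` and `changed_when`. The `Reload Receptor` handler in `roles/setup/handlers/main.yml` has the same pattern (`changed_when: _reload.rc != 0` beside `failed_when: _reload.rc != 0 or …`); a handler that performs a reload should report `changed_when: true`. The `when:` list that closes the linger task continues below the hunk.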
@@ -1,25 +1,31 @@ --- -- include_tasks: preflight.yml +- name: Run preflight + ansible.builtin.include_tasks: preflight.yml # Variable configuration. -- include_tasks: variables.yml +- name: Include variables + ansible.builtin.include_tasks: variables.yml # Setup/install tasks. -- include_tasks: "setup-{{ ansible_os_family }}.yml" +- name: Run OS-specific tasks + ansible.builtin.include_tasks: "setup-{{ ansible_os_family }}.yml" when: ansible_os_family in ['RedHat', 'Debian'] -- include_tasks: python_packages.yml +- name: Install python packages + ansible.builtin.include_tasks: python_packages.yml -- include_tasks: setup-local.yml +- name: Receptor install local + ansible.builtin.include_tasks: setup-local.yml when: receptor_install_method == 'local' -- include_tasks: setup-release.yml +- name: Receptor install release + ansible.builtin.include_tasks: setup-release.yml when: receptor_install_method == 'release' - name: Check if receptor was installed correctly ansible.builtin.command: "receptor --version" + changed_when: false register: receptor_version - changed_when: receptor_version.rc == 0 ignore_errors: true - name: Assert receptor installation 
@@ -29,17 +35,22 @@ fail_msg: "Receptor not installed correctly. Please check the installation or reinstall it with local_receptor: true" success_msg: "Receptor installed correctly" -- include_tasks: configure.yml +- name: Configure receptor socket + ansible.builtin.include_tasks: configure.yml -- include_tasks: tls.yml +- name: TLS files + ansible.builtin.include_tasks: tls.yml when: receptor_tls -- include_tasks: worksign.yml +- name: Work signing + ansible.builtin.include_tasks: worksign.yml when: receptor_sign or receptor_verify -- include_tasks: generate_config.yml +- name: Generate receptor config + ansible.builtin.include_tasks: generate_config.yml -- include_tasks: setup-service.yml +- name: Setup systemd + ansible.builtin.include_tasks: setup-service.yml when: receptor_install_method in ['release', 'local'] - name: Start Receptor service diff --git a/roles/setup/tasks/setup-RedHat.yml b/roles/setup/tasks/setup-RedHat.yml index c212cdb..441ed55 100644 --- a/roles/setup/tasks/setup-RedHat.yml +++ b/roles/setup/tasks/setup-RedHat.yml @@ -14,6 +14,7 @@ # systemd_receptor.service file, we can just use an overrides # file to tweak it. - name: Setup systemd overrides + when: receptor_install_method == 'package' block: - name: Ensure systemd override directory exists ansible.builtin.file: @@ -32,7 +33,6 @@ group: root notify: - Restart Receptor - when: receptor_install_method == 'package' - name: Install dependencies specific to the node type ansible.builtin.dnf: diff --git a/roles/setup/tasks/setup-release.yml b/roles/setup/tasks/setup-release.yml index ddbe89c..79fa807 100644 --- a/roles/setup/tasks/setup-release.yml +++ b/roles/setup/tasks/setup-release.yml @@ -1,9 +1,4 @@ --- -- name: Create temp directory for tar gz file - ansible.builtin.tempfile: - state: directory - register: tmpdir - - name: Get latest release of receptor repository ansible.builtin.uri: url: "https://api.github.com/repos/{{ receptor_github_owner }}/\ 
@@ -16,25 +11,20 @@ default(latest_receptor_release.json.tag_name)) }}" receptor_arch: "{{ arch_mapping[ansible_architecture] | default(ansible_architecture) }}" -- name: Download receptor from {{ receptor_tag }} release +- name: Download receptor from release {{ receptor_tag }} ansible.builtin.get_url: url: "https://github.com/{{ receptor_github_owner }}/\ {{ receptor_github_repo }}/releases/\ download/{{ receptor_tag }}/{{ receptor_github_repo }}_\ {{ receptor_tag | regex_replace('^v', '') }}_{{ ansible_system | lower }}_{{ receptor_arch }}.tar.gz" - dest: "{{ tmpdir.path }}" + dest: /tmp mode: '0644' - name: Unarchive receptor release ansible.builtin.unarchive: - src: "/{{ tmpdir.path }}/{{ receptor_github_repo }}_\ + src: "/tmp/{{ receptor_github_repo }}_\ {{ receptor_tag | regex_replace('^v', '') }}_{{ ansible_system | lower }}_{{ receptor_arch }}.tar.gz" dest: "{{ receptor_install_dir }}" remote_src: true notify: - Restart Receptor - -- name: Remove receptor archive - ansible.builtin.file: - path: "{{ tmpdir.path }}" - state: absent diff --git a/roles/setup/tasks/tls.yml b/roles/setup/tasks/tls.yml index fbe99fb..bc2254b 100644 --- a/roles/setup/tasks/tls.yml +++ b/roles/setup/tasks/tls.yml @@ -11,7 +11,7 @@ - "{{ receptor_tls_ca_dir }}" - name: Process provided TLS files - include_tasks: tls_local.yml + ansible.builtin.include_tasks: tls_local.yml when: custom_tls_certfile is defined or custom_tls_keyfile is defined - name: Set TLS file permissions diff --git a/roles/setup/tasks/worksign.yml b/roles/setup/tasks/worksign.yml index cd8c1b7..a4e72b9 100644 --- a/roles/setup/tasks/worksign.yml +++ b/roles/setup/tasks/worksign.yml @@ -1,3 +1,4 @@ --- -- include_tasks: worksign_local.yml +- name: Work signing local + ansible.builtin.include_tasks: worksign_local.yml when: custom_worksign_private_keyfile is defined or custom_worksign_public_keyfile is defined
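Review bot: `dest: /tmp` with a predictable file name replaces the per-run `tempfile` directory with a path any local user can pre-create, and because `get_url` defaults to `force: false` it only downloads when the target file is absent, so a pre-existing `/tmp/<repo>_<ver>_<os>_<arch>.tar.gz` of whatever origin would be unpacked into `{{ receptor_install_dir }}` as root without the role noticing; removing the `Remove receptor archive` task also leaves the archive behind after every run. Keep the archive in a root-owned, non-world-writable directory and verify it against a published digest with get_url's `checksum:` option; that also gives the idempotence the commit is after, since an existing archive with a matching checksum reports `ok` instead of being re-downloaded. The first hunk's removal of the `tempfile` task is consistent with this change and can stay; the `url:` of the download task is unchanged below.
```yaml
- name: Ensure receptor download directory exists
  ansible.builtin.file:
    path: "{{ receptor_download_dir }}"  # illustrative new variable; default it to a root-owned path
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Download receptor from release {{ receptor_tag }}
  ansible.builtin.get_url:
    # … unchanged: url …
    dest: "{{ receptor_download_dir }}"
    # illustrative variable holding e.g. "sha256:<digest from the release page>"; omit skips verification
    checksum: "{{ receptor_release_checksum | default(omit) }}"
    mode: '0644'

- name: Unarchive receptor release
  ansible.builtin.unarchive:
    src: "{{ receptor_download_dir }}/{{ receptor_github_repo }}_\
      {{ receptor_tag | regex_replace('^v', '') }}_{{ ansible_system | lower }}_{{ receptor_arch }}.tar.gz"
    # … unchanged: dest, remote_src, notify …
```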