feat: Support this role in container builds

README.md

@@ -20,7 +20,7 @@ See below
 The role requires additional collections which are specified in `meta/collection-requirements.yml`.  These are not automatically installed.  You must install them like this:
 
 ```bash
-ansible-galaxy install -vv -r meta/collection-requirements.yml`
+ansible-galaxy install -vv -r meta/collection-requirements.yml
 ```
 
 ## Role Variables
@@ -30,7 +30,7 @@ These are the variables that can be passed to the role:
 | **Variable** | **Default** | **Description** |
 |----------|-------------|------|
 | `nbde_server_provider` | `tang` | identifies the provider for `nbde_server` role. We currently support `tang` as an `nbde_server` provider, meaning that the `nbde_server` role is currently able to provision/deploy tang servers.
-| `nbde_server_service_state` | `started` | indicates the state the nbde_server should be. It can be either `started` (default) or `stopped`. `started` means the server is accepting connections, whereas `stopped` means it is not accepting connections.
+| `nbde_server_service_state` | `started` | indicates the state the nbde_server should be. It can be either `started` (default) or `stopped`. `started` means the server is accepting connections, whereas `stopped` means it is not accepting connections. Ignored for non-booted hosts like container builds, then the service is always started at boot.
 | `nbde_server_rotate_keys`| `false` | indicates whether we should rotate existing keys -- if any -- , then create new keys. Default behavior (`false`) is to create new keys, if there are none, and don't touch the keys, if they exist. If set to `true`, existing keys will be rotated and new keys will be created.
 |`nbde_server_fetch_keys`| `false` | indicates whether we should fetch keys to the control node, in which case they will be placed in `nbde_server_keys_dir`. You **must** set `nbde_server_keys_dir` to use `nbde_server_fetch_keys`.
 |`nbde_server_deploy_keys`| `false` |indicates whether we should deploy the keys located in `nbde_server_keys_dir` directory to the remote hosts. You **must** set `nbde_server_keys_dir` to use `nbde_server_deploy_keys`.

meta/main.yml

@@ -18,6 +18,7 @@ galaxy_info:
   galaxy_tags:
     - centos
     - clevis
+    - containerbuild
     - el7
     - el8
     - el9

tasks/main-tang.yml

@@ -36,7 +36,9 @@
 - name: Reload the daemons so the new changes take effect
   systemd:
     daemon_reload: true
-  when: __nbde_server_port_changed | d(false) | bool
+  when:
+    - __nbde_server_port_changed | d(false) | bool
+    - __nbde_server_is_booted | bool
 
 - name: Ensure required services are enabled and at the right state
   service:
@@ -45,8 +47,8 @@
     enabled: true
   loop: "{{ __nbde_server_services }}"
   vars:
-    __state: "{{ nbde_server_service_state if
-      nbde_server_service_state != 'started' else
+    __state: "{{ omit if not __nbde_server_is_booted else
+      nbde_server_service_state if nbde_server_service_state != 'started' else
       'restarted' if __nbde_server_port_changed else
       'started' }}"
 

tasks/set_vars.yml

@@ -6,7 +6,7 @@
     difference(ansible_facts.keys() | list) | length > 0
 
 - name: Determine if system is ostree and set flag
-  when: not __nbde_server_is_ostree is defined
+  when: __nbde_server_is_ostree is not defined
   block:
     - name: Check if system is ostree
       stat:
@@ -17,6 +17,27 @@
       set_fact:
         __nbde_server_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 
+- name: Determine if system is booted with systemd
+  when: __nbde_server_is_booted is not defined
+  block:
+    - name: Run systemctl
+      # noqa command-instead-of-module
+      command: systemctl is-system-running
+      register: __is_system_running
+      changed_when: false
+      check_mode: false
+      failed_when: false
+
+    - name: Require installed systemd
+      fail:
+        msg: "Error: This role requires systemd to be installed."
+      when: '"No such file or directory" in __is_system_running.msg | d("")'
+
+    - name: Set flag to indicate that systemd runtime operations are available
+      set_fact:
+        # see https://www.man7.org/linux/man-pages/man1/systemctl.1.html#:~:text=is-system-running%20output
+        __nbde_server_is_booted: "{{ __is_system_running.stdout != 'offline' }}"
+
 - name: Set platform/version specific variables
   include_vars: "{{ lookup('first_found', ffparams) }}"
   vars:

tests/tasks/check_header.yml

@@ -9,8 +9,8 @@
 - name: Check for presence of ansible managed header, fingerprint
   assert:
     that:
-      - ansible_managed in content
+      - __ansible_managed in content
       - __fingerprint in content
   vars:
     content: "{{ (__file_content | d(__content)).content | b64decode }}"
-    ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}"
+    __ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}"

tests/tasks/verify-role-results.yml

@@ -16,7 +16,7 @@
   service:
     name: "{{ item }}"
     enabled: true
-    state: started
+    state: "{{ 'started' if __nbde_server_is_booted else omit }}"
   check_mode: true
   register: nbde_server_services_state
   loop: "{{ __nbde_server_services }}"

tests/tests_default_vars.yml

@@ -8,16 +8,20 @@
           include_role:
             name: linux-system-roles.nbde_server
             public: true
+
         - name: Assert that the role declares all parameters in defaults
           assert:
-            that: "{{ item }} is defined"
-          loop:
-            - nbde_server_provider
-            - nbde_server_deploy_keys
-            - nbde_server_fetch_keys
-            - nbde_server_rotate_keys
-            - nbde_server_keys_dir
+            that: nbde_server_vars | length == nbde_server_vars_vals | length
+          vars:
+            nbde_server_vars:
+              - nbde_server_provider
+              - nbde_server_deploy_keys
+              - nbde_server_fetch_keys
+              - nbde_server_rotate_keys
+              - nbde_server_keys_dir
+            nbde_server_vars_vals: "{{ lookup('vars', *nbde_server_vars) }}"
           when: ansible_version.full is version_compare('2.9', '>=')
+
       always:
         - name: Cleanup
           tags: tests::cleanup

tests/tests_nbde_server_service_state.yml

@@ -18,7 +18,7 @@
           service:
             name: "{{ item }}"
             enabled: true
-            state: started
+            state: "{{ 'started' if __nbde_server_is_booted else omit }}"
           register: nbde_server_state
           check_mode: true
           loop: "{{ __nbde_server_services }}"
@@ -39,7 +39,7 @@
           service:
             name: "{{ item }}"
             enabled: true
-            state: stopped
+            state: "{{ 'stopped' if __nbde_server_is_booted else omit }}"
           register: nbde_server_state
           check_mode: true
           loop: "{{ __nbde_server_services }}"
@@ -60,7 +60,7 @@
           service:
             name: "{{ item }}"
             enabled: true
-            state: started
+            state: "{{ 'started' if __nbde_server_is_booted else omit }}"
           register: nbde_server_state
           check_mode: true
           loop: "{{ __nbde_server_services }}"

tests/tests_tangd_custom_port.yml

@@ -13,13 +13,29 @@
           include_role:
             name: linux-system-roles.nbde_server
             public: true
+          when: not __bootc_validation | d(false)
+
+        # role does not run during bootc QEMU validation, thus some vars are undefined
+        - name: Set __nbde_server_is_booted for bootc validation tests
+          set_fact:
+            __nbde_server_is_booted: true
+            # see vars/main.yml
+            __nbde_server_tangd_socket_file_path: /etc/systemd/system/tangd.socket.d/override.conf
+          when: __bootc_validation | d(false)
 
         - name: Ensure iproute package for ss command
           package:
             name: iproute
             state: present
             use: "{{ (__nbde_server_is_ostree | d(false)) |
                     ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+          when: not __bootc_validation | d(false)
+
+        - name: Create QEMU deployment during bootc end-to-end test
+          delegate_to: localhost
+          command: "{{ lsr_scriptdir }}/bootc-buildah-qcow.sh {{ ansible_host }}"
+          changed_when: true
+          when: ansible_connection == "buildah"
 
         - name: Check if port is open
           shell:
@@ -31,6 +47,7 @@
           failed_when: not __open_ports_output.stdout is
             search(':' ~ (nbde_server_port | string) ~ '$')
           changed_when: false
+          when: __nbde_server_is_booted | bool
 
         - name: Check if port TCP is open
           shell:
@@ -41,10 +58,11 @@
           register: __open_ports_output
           failed_when: __open_ports_output.stdout != "tcp"
           changed_when: false
+          when: __nbde_server_is_booted | bool
 
         - name: Check if port is opened in firewall
           command: >-
-            firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port
+            firewall-offline-cmd --zone {{ nbde_server_firewall_zone }} --query-port
             {{ nbde_server_port }}/tcp
           register: __firewall_output
           changed_when: false
@@ -55,6 +73,12 @@
             __file: "{{ __nbde_server_tangd_socket_file_path }}"
             __fingerprint: "system_role:nbde_server"
 
+        # do just one image/verify cycle for the bootc end-to-end test
+        - name: Skip remaining steps in bootc end-to-end validation
+          meta: end_play
+          when: __bootc_validation | d(false)
+
+
         - name: Install with default port and firewall zone
           include_role:
             name: linux-system-roles.nbde_server
@@ -74,6 +98,7 @@
           failed_when: not __open_ports_output.stdout is
             search(':80$')
           changed_when: false
+          when: __nbde_server_is_booted | bool
 
         - name: Check if port TCP is open
           shell:
@@ -83,10 +108,11 @@
           register: __open_ports_output
           failed_when: __open_ports_output.stdout != "tcp"
           changed_when: false
+          when: __nbde_server_is_booted | bool
 
         - name: Check if port is opened in firewall
           command: >-
-            firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port
+            firewall-offline-cmd --zone {{ nbde_server_firewall_zone }} --query-port
             80/tcp
           register: __firewall_output
           changed_when: false