feat: support for ostree systems

Feature: Allow running and testing the role with ostree managed nodes. Reason: We have users who want to use the role to manage ostree systems. Result: Users can use the role to manage ostree managed nodes. Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2024-11-09 13:23:28 +01:00 · 2023-11-17 06:44:54 -07:00 · 2023-11-17 06:44:54 -07:00 · 4543f0c679
commit 4543f0c679
parent e54fca52c7
24 changed files with 343 additions and 1 deletions
--- a/.ostree/README.md
+++ b/.ostree/README.md
@ -0,0 +1,5 @@
 *NOTE*: The `*.txt` files are used by `get_ostree_data.sh` to create the lists
 of packages, and to find other system roles used by this role.  DO NOT use them
 directly.
 The script `meta/make_ostree_packages_files` is used to generate these files.
--- a/.ostree/get_ostree_data.sh
+++ b/.ostree/get_ostree_data.sh
@ -0,0 +1,132 @@
 #!/bin/bash
 set -euo pipefail
 ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}"
 if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then
    cat <<EOF
 Usage: $0 packages [runtime|testing] DISTRO-MAJOR[.MINOR] [json|yaml|raw|toml]
 The script will use the packages and roles files in $ostree_dir to
 construct the list of packages needed to build the ostree image.  The script
 will output the list of packages in the given format
 - json is a JSON list like ["pkg1","pkg2",....,"pkgN"]
 - yaml is the YAML list format
 - raw is the list of packages, one per line
 - toml is a list of [[packages]] elements as in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line
 The DISTRO-MAJOR.MINOR is the same format used by Ansible for distribution e.g. CentOS-8, RedHat-8.9, etc.
 EOF
    exit 1
 fi
 category="$1"
 pkgtype="$2"
 distro_ver="$3"
 format="$4"
 pkgtypes=("$pkgtype")
 if [ "$pkgtype" = testing ]; then
    pkgtypes+=(runtime)
 fi
 get_rolepath() {
    local ostree_dir role rolesdir roles_parent_dir coll_path pth
    ostree_dir="$1"
    role="$2"
    roles_parent_dir="$(dirname "$(dirname "$ostree_dir")")"
    rolesdir="$roles_parent_dir/$role/.ostree"
    # assumes collection format
    if [ -d "$rolesdir" ]; then
        echo "$rolesdir"
        return 0
    fi
    # assumes legacy role format like linux-system-roles.$role/
    for rolesdir in "$roles_parent_dir"/*-system-roles."$role"/.ostree; do
        if [ -d "$rolesdir" ]; then
          echo "$rolesdir"
          return 0
        fi
    done
    # look elsewhere
    coll_path="${ANSIBLE_COLLECTIONS_PATH:-}"
    if [ -z "$coll_path" ]; then
        coll_path="${ANSIBLE_COLLECTIONS_PATHS:-}"
    fi
    if [ -n "${coll_path}" ]; then
        for pth in ${coll_path//:/ }; do
            for rolesdir in "$pth"/ansible_collections/*/*_system_roles/roles/"$role"/.ostree; do
                if [ -d "$rolesdir" ]; then
                    echo "$rolesdir"
                    return 0
                fi
            done
        done
    fi
    1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH
    exit 2
 }
 get_packages() {
    local ostree_dir pkgtype pkgfile rolefile
    ostree_dir="$1"
    for pkgtype in "${pkgtypes[@]}"; do
        for suff in "" "-$distro" "-${distro}-${major_ver}" "-${distro}-${ver}"; do
            pkgfile="$ostree_dir/packages-${pkgtype}${suff}.txt"
            if [ -f "$pkgfile" ]; then
                cat "$pkgfile"
            fi
        done
        rolefile="$ostree_dir/roles-${pkgtype}.txt"
        if [ -f "$rolefile" ]; then
            local roles role rolepath
            roles="$(cat "$rolefile")"
            for role in $roles; do
                rolepath="$(get_rolepath "$ostree_dir" "$role")"
                if [ -z "$rolepath" ]; then
                    1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH
                    exit 2
                fi
                get_packages "$rolepath"
            done
        fi
    done | sort -u
 }
 format_packages_json() {
    local comma pkgs pkg
    comma=""
    pkgs="["
    while read -r pkg; do
        pkgs="${pkgs}${comma}\"${pkg}\""
        comma=,
    done
    pkgs="${pkgs}]"
    echo "$pkgs"
 }
 format_packages_raw() {
    cat
 }
 format_packages_yaml() {
    while read -r pkg; do
        echo "- $pkg"
    done
 }
 format_packages_toml() {
    while read -r pkg; do
        echo "[[packages]]"
        echo "name = \"$pkg\""
        echo "version = \"*\""
    done
 }
 distro="${distro_ver%%-*}"
 ver="${distro_ver##*-}"
 if [[ "$ver" =~ ^([0-9]*) ]]; then
    major_ver="${BASH_REMATCH[1]}"
 else
    echo ERROR: cannot parse major version number from version "$ver"
    exit 1
 fi
 "get_$category" "$ostree_dir" | "format_${category}_$format"
--- a/.ostree/packages-runtime-CentOS-6.txt
+++ b/.ostree/packages-runtime-CentOS-6.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-CentOS-7.txt
+++ b/.ostree/packages-runtime-CentOS-7.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-CentOS-8.txt
+++ b/.ostree/packages-runtime-CentOS-8.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-CentOS-9.txt
+++ b/.ostree/packages-runtime-CentOS-9.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-Fedora.txt
+++ b/.ostree/packages-runtime-Fedora.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-RedHat-6.txt
+++ b/.ostree/packages-runtime-RedHat-6.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-RedHat-7.txt
+++ b/.ostree/packages-runtime-RedHat-7.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-RedHat-8.txt
+++ b/.ostree/packages-runtime-RedHat-8.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-runtime-RedHat-9.txt
+++ b/.ostree/packages-runtime-RedHat-9.txt
@ -0,0 +1,2 @@
 openssh
 openssh-server
--- a/.ostree/packages-testing-CentOS.txt
+++ b/.ostree/packages-testing-CentOS.txt
@ -0,0 +1 @@
 man-db
--- a/.ostree/packages-testing-Fedora.txt
+++ b/.ostree/packages-testing-Fedora.txt
@ -0,0 +1 @@
 man-db
--- a/.ostree/packages-testing-RedHat.txt
+++ b/.ostree/packages-testing-RedHat.txt
@ -0,0 +1 @@
 man-db
--- a/.ostree/packages-testing.txt
+++ b/.ostree/packages-testing.txt
@ -0,0 +1,2 @@
 bash
 openssh-server
--- a/.ostree/roles-runtime.txt
+++ b/.ostree/roles-runtime.txt
@ -0,0 +1,2 @@
 firewall
 selinux
--- a/README-ostree.md
+++ b/README-ostree.md
@ -0,0 +1,66 @@
 # rpm-ostree
 The role supports running on [rpm-ostree](https://coreos.github.io/rpm-ostree/)
 systems. The primary issue is that the `/usr` filesystem is read-only, and the
 role cannot install packages. Instead, it will just verify that the necessary
 packages and any other `/usr` files are pre-installed. The role will change the
 package manager to one that is compatible with `rpm-ostree` systems.
 ## Building
 To build an ostree image for a particular operating system distribution and
 version, use the script `.ostree/get_ostree_data.sh` to get the list of
 packages. If the role uses other system roles, then the script will include the
 packages for the other roles in the list it outputs.  The list of packages will
 be sorted in alphanumeric order.
 Usage:
 ```bash
 .ostree/get_ostree_data.sh packages runtime DISTRO-VERSION FORMAT
 ```
 `DISTRO-VERSION` is in the format that Ansible uses for `ansible_distribution`
 and `ansible_distribution_version` - for example, `Fedora-38`, `CentOS-8`,
 `RedHat-9.4`
 `FORMAT` is one of `toml`, `json`, `yaml`, `raw`
 * `toml` - each package in a TOML `[[packages]]` element
 ```toml
 [[packages]]
 name = "package-a"
 version = "*"
 [[packages]]
 name = "package-b"
 version = "*"
 ...
 ```
 * `yaml` - a YAML list of packages
 ```yaml
 - package-a
 - package-b
 ...
 ```
 * `json` - a JSON list of packages
 ```json
 ["package-a","package-b",...]
 ```
 * `raw` - a plain text list of packages, one per line
 ```bash
 package-a
 package-b
 ...
 ```
 What format you choose depends on which image builder you are using.  For
 example, if you are using something based on
 [osbuild-composer](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line),
 you will probably want to use the `toml` output format.
--- a/README.md
+++ b/README.md
@ -51,6 +51,7 @@ If you want to use advanced functionality of this role that can configure
 firewall and selinux for you, which is mostly useful when custom port is used,
 the role requires additional collections which are specified in
 `meta/collection-requirements.yml`. These are not automatically installed.
 If you want to manage `rpm-ostree` systems, additional collections are required.
 You must install them like this:
 ```bash
@ -58,7 +59,8 @@ ansible-galaxy install -vv -r meta/collection-requirements.yml
 ```
 For more information, see `sshd_manage_firewall` and `sshd_manage_selinux`
-options below. These roles are supported only on Red Hat based Linux.
+options below, and the `rpm-ostree` section.  This additional functionality is
 supported only on Red Hat based Linux.
 ## Role variables
@ -455,6 +457,10 @@ to the `options_body` and/or `options_match`.
 To regenerate the templates, from within the `meta/` directory run:
 `./make_option_lists`
 ## rpm-ostree
 See README-ostree.md
 ## License
 LGPLv3
--- a/meta/collection-requirements.yml
+++ b/meta/collection-requirements.yml
@ -1,3 +1,4 @@
 ---
 collections:
  - name: ansible.posix
  - name: fedora.linux_system_roles
--- a/meta/make_ostree_packages_files
+++ b/meta/make_ostree_packages_files
@ -0,0 +1,48 @@
 #!/bin/bash
 set -euo pipefail
 declare -A os_family=( [RedHat]=RedHat [CentOS]=RedHat [Fedora]=RedHat
                       [AlmaLinux]=RedHat [Rocky]=RedHat [OracleLinux]=RedHat )
 for file in vars/*.yml; do
    if [ "$file" = vars/main.yml ]; then
        continue
    fi
    # get platform and optional version
    if [[ "$file" =~ vars/([^_]+)_([0-9]+).yml$ ]]; then
        platform="${BASH_REMATCH[1]}"
        version="${BASH_REMATCH[2]}"
        packages_file=".ostree/packages-runtime-${platform}-${version}.txt"
    elif [[ "$file" =~ vars/([^_.]+).yml$ ]]; then
        platform="${BASH_REMATCH[1]}"
        packages_file=".ostree/packages-runtime-${platform}.txt"
    else
        echo ERROR: cannot parse "$file"
        exit 1
    fi
    # only os_family == RedHat is supported
    if [ "${os_family[$platform]:-}" = RedHat ]; then
        : # proceed - fall through
    else
        echo platform "$platform" not supported for ostree
        continue
    fi
    # parse packages from file
    printit=0
    while read -r item pkg; do
        if [[ "$item" =~ ^__sshd_packages: ]]; then
            printit=1
        elif [ "$printit" = 1 ]; then
            if [ "$item" = "-" ] && [ -n "$pkg" ]; then
                echo "$pkg"
            else
                break
            fi
        fi
    done < "$file" | sort > "$packages_file"
    # remove empty files
    if [ ! -s "$packages_file" ]; then
        rm -f "$packages_file"
    fi
 done
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -8,6 +8,8 @@
  ansible.builtin.package:
    name: "{{ sshd_packages }}"
    state: present
    use: "{{ (__sshd_is_ostree | d(false)) |
      ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 - name: Sysconfig configuration
  ansible.builtin.template:
--- a/tasks/variables.yml
+++ b/tasks/variables.yml
@ -5,6 +5,18 @@
  when: not ansible_facts.keys() | list |
    intersect(__sshd_required_facts) == __sshd_required_facts
 - name: Determine if system is ostree and set flag
  when: not __sshd_is_ostree is defined
  block:
    - name: Check if system is ostree
      ansible.builtin.stat:
        path: /run/ostree-booted
      register: __ostree_booted_stat
    - name: Set flag to indicate system is ostree
      ansible.builtin.set_fact:
        __sshd_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 - name: Set OS dependent variables
  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
  vars:
--- a/tests/tasks/setup.yml
+++ b/tests/tasks/setup.yml
@ -5,10 +5,35 @@
  when:
    - ansible_facts['distribution'] == 'Debian'
 - name: Determine if system is ostree and set flag
  when: not __sshd_is_ostree is defined
  block:
    - name: Check if system is ostree
      ansible.builtin.stat:
        path: /run/ostree-booted
      register: __ostree_booted_stat
    - name: Set flag to indicate system is ostree
      ansible.builtin.set_fact:
        __sshd_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 - name: Ensure test users exist on ostree systems
  ansible.builtin.shell: |
    if ! grep -q ^nobody /etc/passwd && grep -q ^nobody /usr/lib/passwd; then
      grep ^nobody /usr/lib/passwd >> /etc/passwd
    fi
    if ! grep -q ^nobody /etc/group && grep -q ^nobody /usr/lib/group; then
      grep ^nobody /usr/lib/group >> /etc/group
    fi
  when: __sshd_is_ostree | d(false)
  changed_when: true
 - name: Make sure openssh is installed before creating backup
  ansible.builtin.package:
    name: openssh-server
    state: present
    use: "{{ (__sshd_is_ostree | d(false)) |
      ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 - name: Make sure openssh has runtime directory on debian
  ansible.builtin.file:
--- a/tests/tests_all_options.yml
+++ b/tests/tests_all_options.yml
@ -28,11 +28,13 @@
        state: absent
      when:
        - ansible_facts['os_family'] == "RedHat"
        - not __sshd_is_ostree | d(false)
    - name: Reinstall manual pages for openssh-server on RHEL
      ansible.builtin.command: "{{ pkg_mgr | quote }} reinstall -y openssh-server"
      when:
        - ansible_facts['os_family'] == "RedHat"
        - not __sshd_is_ostree | d(false)
      changed_when: true
    - name: Unminimize image on Debian. It looks like there is no simpler way to get manual pages
@ -49,17 +51,35 @@
          - openssh-doc
          - bash
        state: present
        use: "{{ (__sshd_is_ostree | d(false)) |
          ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
      when:
        - ansible_facts['distribution'] == "Alpine"
    - name: Make sure manual pages and bash are installed on RedHat 7+
      ansible.builtin.package:
        name:
          - man-db
          - bash
        state: present
        use: "{{ (__sshd_is_ostree | d(false)) |
          ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
      when:
        - ansible_facts['os_family'] == "RedHat"
        - ansible_facts['distribution_major_version'] | int > 6
    - name: Make sure manual pages and bash are installed elsewhere
      ansible.builtin.package:
        name:
          - man
          - bash
        state: present
        use: "{{ (__sshd_is_ostree | d(false)) |
          ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
      when:
        - ansible_facts['distribution'] != "Alpine"
        - ansible_facts['os_family'] != "RedHat" or
          ansible_facts['distribution_major_version'] | int == 6
    - name: Get list of options from manual page
      ansible.builtin.shell: >-