feat: Support this role in container builds

[martinpitt]

Feature: Support running the cockpit role during container builds.

Reason: This is particularly useful for building bootc derivative OSes.

Result: The role now works during container builds. The bootc container scenarios run in CI, which ensures that the role works in buildah build environment. This allows us to officially support this role for image mode builds.

Do not enable the role for system containers (the container) flag. That currently fails due to SELinux not working properly there, and needs to be looked at separately if desired.

Detect if the system is booted (with systemd), and skip all runtime operations and checks if not. Also use firewall-offline-cmd which works also in non-booted environments -- we are only/primarily interested in the persistent firewall config anyway.

Do full bootc end-to-end validation in tests_tangd_custom_port, which is one of the most complex ones (combining nbde_server, firewall, and selinux roles). Run the first scenario with custom port for that.

See https://issues.redhat.com/browse/RHEL-78157

---

Note that the QEMU Fedora 42 test will fail, as the role hasn't been adjusted to Ansible 2.19 yet (see #187). The bootc Fedora 42 test will pass, as it still uses Ansible 2.17 (we should probably update it to 2.19 as well, but that will happen separately).

Summary by Sourcery

Enable official support for container-based builds by detecting non-booted environments, skipping runtime operations, and updating tests and documentation to validate role behavior in Buildah scenarios

New Features:

• Support running the nbde_server role during container builds by detecting non-booted environments and skipping runtime operations
• Use firewall-offline-cmd for persistent firewall configuration in offline contexts

Enhancements:

• Add detection of systemd boot state to conditionally execute tasks and service operations
• Guard daemon reload and service state changes behind a booted flag to avoid failures in container environments

Documentation:

• Clarify in README that service state is ignored for non-booted hosts like container builds

Tests:

• Extend bootc end-to-end tests to run in buildah container builds and perform a single image/verify cycle
• Add conditional logic in tests for service state and port checks based on booted flag

Chores:

• Add "containerbuild" tag to role metadata

[sourcery-ai]

Reviewer's Guide

Enable the nbde_server role to run during container-image builds by detecting systemd boot state to skip runtime tasks on non-booted hosts, switching to offline firewall commands, integrating Bootc end-to-end validation via buildah, and updating documentation and metadata for container build support.

Sequence diagram for nbde_server role execution in container build environment

sequenceDiagram
    participant User
    participant Ansible
    participant nbde_server_role
    participant SystemdChecker
    participant FirewallManager
    User->>Ansible: Run playbook in container build
    Ansible->>nbde_server_role: Execute role tasks
    nbde_server_role->>SystemdChecker: Check if system is booted
    SystemdChecker-->>nbde_server_role: Return boot state (not booted)
    nbde_server_role->>FirewallManager: Use firewall-offline-cmd
    nbde_server_role-->>Ansible: Skip runtime/service tasks
    Ansible-->>User: Build completes with persistent config

Loading

Class diagram for nbde_server role boot state detection and service management

classDiagram
    class nbde_server {
        +bool __nbde_server_is_ostree
        +bool __nbde_server_is_booted
        +void set_vars()
        +void main_tang()
    }
    class SystemdChecker {
        +command: systemctl is-system-running
        +bool check_systemd_installed()
        +bool is_system_booted()
    }
    class FirewallManager {
        +void use_firewall_offline_cmd()
    }
    nbde_server --|> SystemdChecker : uses
    nbde_server --|> FirewallManager : uses

Loading

File-Level Changes

Change	Details	Files
Detect system boot state and guard runtime tasks based on booted status	Add systemctl-based __nbde_server_is_booted fact in set_vars Guard daemon reload, service and state checks on __nbde_server_is_booted Skip port checks and service assertions in tests when not booted	tasks/set_vars.yml tasks/main-tang.yml tests/tests_tangd_custom_port.yml tests/tests_nbde_server_service_state.yml tests/tasks/verify-role-results.yml
Switch to using firewall-offline-cmd for persistent firewall configuration	Replace firewall-cmd calls with firewall-offline-cmd in tests Ensure persistent firewall queries in container build scenarios	tests/tests_tangd_custom_port.yml tests/tests_nbde_server_service_state.yml tests/tasks/verify-role-results.yml
Add Bootc container build support and end-to-end validation via buildah	Delegate QEMU image builds to localhost under buildah connection Use __bootc_validation flag to skip or end validation early Tag metadata to signify container build support	tests/tests_tangd_custom_port.yml meta/main.yml
Update documentation and metadata for container build mode	Clarify in README that service state is ignored on non-booted hosts Fix ansible-galaxy install command syntax Add 'containerbuild' tag in galaxy metadata	README.md meta/main.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @martinpitt - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[martinpitt]

[citest]

[martinpitt]

Gateway timeouts, similar to my sudo PR. Retrying.

[martinpitt]

[citest]

[martinpitt]

As green as expected now. I had a quick look at the Ansible 2.19 failures, but many of them are in selinux. I think Rich is just doing a release.

[richm]

As green as expected now. I had a quick look at the Ansible 2.19 failures, but many of them are in selinux. I think Rich is just doing a release.

I don't see any selinux issues. The new version has been published to galaxy and should be used now.

I see issues related to the use of ansible_managed and constructs such as when: "{{ item }} ...." which should now be written to remove the quotes - when: item ....

[richm]

As green as expected now. I had a quick look at the Ansible 2.19 failures, but many of them are in selinux. I think Rich is just doing a release.

I don't see any selinux issues. The new version has been published to galaxy and should be used now.

I see issues related to the use of ansible_managed and constructs such as when: "{{ item }} ...." which should now be written to remove the quotes - when: item ....

Which are not related to this PR

[richm]

With these changes, the tests all pass on 2.19:

--- a/tests/tasks/check_header.yml
+++ b/tests/tasks/check_header.yml
@@ -9,8 +9,8 @@
 - name: Check for presence of ansible managed header, fingerprint
   assert:
     that:
-      - ansible_managed in content
+      - __ansible_managed in content
       - __fingerprint in content
   vars:
     content: "{{ (__file_content | d(__content)).content | b64decode }}"
-    ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}"
+    __ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}"

and

--- a/tests/tests_default_vars.yml
+++ b/tests/tests_default_vars.yml
@@ -8,16 +8,20 @@
           include_role:
             name: linux-system-roles.nbde_server
             public: true
+
         - name: Assert that the role declares all parameters in defaults
           assert:
-            that: "{{ item }} is defined"
-          loop:
-            - nbde_server_provider
-            - nbde_server_deploy_keys
-            - nbde_server_fetch_keys
-            - nbde_server_rotate_keys
-            - nbde_server_keys_dir
+            that: nbde_server_vars | length == nbde_server_vars_vals | length
+          vars:
+            nbde_server_vars:
+              - nbde_server_provider
+              - nbde_server_deploy_keys
+              - nbde_server_fetch_keys
+              - nbde_server_rotate_keys
+              - nbde_server_keys_dir
+            nbde_server_vars_vals: "{{ lookup('vars', *nbde_server_vars) }}"
           when: ansible_version.full is version_compare('2.9', '>=')
+
       always:
         - name: Cleanup
           tags: tests::cleanup

[martinpitt]

@richm thanks! I pushed an extra commit with these changes with your name (credit where credit is due..). If this still fails, feel free to push to my fork (you should be able to).

[richm]

[citest]