Fix the almalinux tests - skip jinjaturtle and systemd in CI
All checks were successful
CI / test (push) Successful in 46s
CI / test (almalinux, docker.io/library/almalinux:9, python3.11) (push) Successful in 11m26s
CI / test (debian, docker.io/library/debian:13, python3) (push) Successful in 20m24s
Lint / test (push) Successful in 45s

Miguel Jacq 2026-06-21 16:37:19 +10:00
parent ce2652a3b3
commit 6ee8c60e64
Signed by: mig5
GPG key ID: 03906B4110AAD3B8
4 changed files with 62 additions and 36 deletions


@ -34,7 +34,7 @@ jobs:
mkdir -m 755 -p /etc/apt/keyrings mkdir -m 755 -p /etc/apt/keyrings
apt-get update apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
ca-certificates curl gnupg git tar gzip findutils bash nodejs \ ca-certificates curl gnupg git tar gzip findutils bash nodejs procps \
ansible ansible-lint python3 python3-venv python3-pip pipx systemctl python3-apt jq python3-jsonschema \ ansible ansible-lint python3 python3-venv python3-pip pipx systemctl python3-apt jq python3-jsonschema \
puppet hiera puppet hiera
curl -fsSL https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public | gpg --dearmor | tee /etc/apt/keyrings/salt-archive-keyring.pgp > /dev/null curl -fsSL https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public | gpg --dearmor | tee /etc/apt/keyrings/salt-archive-keyring.pgp > /dev/null
@ -46,7 +46,7 @@ jobs:
almalinux) almalinux)
dnf -y upgrade --refresh dnf -y upgrade --refresh
dnf -y install \ dnf -y install \
ca-certificates curl-minimal gnupg2 git tar gzip findutils bash which jq nodejs \ ca-certificates curl-minimal gnupg2 git tar gzip findutils bash which jq nodejs procps-ng \
dnf-plugins-core epel-release dnf-plugins-core epel-release
dnf -y config-manager --set-enabled crb || true dnf -y config-manager --set-enabled crb || true
curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo > /etc/yum.repos.d/salt.repo curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo > /etc/yum.repos.d/salt.repo


@ -1002,7 +1002,9 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str:
register: _enroll_unit_probes register: _enroll_unit_probes
failed_when: false failed_when: false
changed_when: false changed_when: false
when: item.manage | default(false) when:
- enroll_manage_systemd_runtime | default(true) | bool
- item.manage | default(false)
- name: Ensure grouped unit enablement matches harvest - name: Ensure grouped unit enablement matches harvest
ansible.builtin.systemd: ansible.builtin.systemd:
@ -1011,6 +1013,7 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str:
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- item.item.manage | default(false) - item.item.manage | default(false)
- not (item.failed | default(false)) - not (item.failed | default(false))
@ -1021,6 +1024,7 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str:
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- item.item.manage | default(false) - item.item.manage | default(false)
- not (item.failed | default(false)) - not (item.failed | default(false))
""" """
@ -1083,7 +1087,9 @@ def _render_single_systemd_tasks(var_prefix: str) -> str:
register: _unit_probe register: _unit_probe
failed_when: false failed_when: false
changed_when: false changed_when: false
when: {var_prefix}_manage_unit | default(false) when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false)
- name: Ensure unit enablement matches harvest - name: Ensure unit enablement matches harvest
ansible.builtin.systemd: ansible.builtin.systemd:
@ -1091,6 +1097,7 @@ def _render_single_systemd_tasks(var_prefix: str) -> str:
enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}" enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}"
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false) - {var_prefix}_manage_unit | default(false)
- _unit_probe is succeeded - _unit_probe is succeeded
@ -1100,6 +1107,7 @@ def _render_single_systemd_tasks(var_prefix: str) -> str:
state: "{{{{ {var_prefix}_systemd_state }}}}" state: "{{{{ {var_prefix}_systemd_state }}}}"
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false) - {var_prefix}_manage_unit | default(false)
- _unit_probe is succeeded - _unit_probe is succeeded
""" """
@ -1142,6 +1150,7 @@ def _single_service_restart_handler_body(var_prefix: str) -> str:
name: "{{{{ {var_prefix}_unit_name }}}}" name: "{{{{ {var_prefix}_unit_name }}}}"
state: restarted state: restarted
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false) - {var_prefix}_manage_unit | default(false)
- ({var_prefix}_systemd_state | default('stopped')) == 'started' - ({var_prefix}_systemd_state | default('stopped')) == 'started'
""" """
@ -1162,6 +1171,7 @@ def _grouped_service_restart_handlers_body(role: AnsibleRole) -> str:
ansible.builtin.service: ansible.builtin.service:
name: {name} name: {name}
state: restarted state: restarted
when: enroll_manage_systemd_runtime | default(true) | bool
""" """
) )
return "\n".join(_task_body(handler) for handler in handlers if _task_body(handler)) return "\n".join(_task_body(handler) for handler in handlers if _task_body(handler))
@ -1580,6 +1590,7 @@ _SYSTEMD_DAEMON_RELOAD_HANDLER = """---
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}" no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"
when: enroll_manage_systemd_runtime | default(true) | bool
""" """
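Review bot: The new `enroll_manage_systemd_runtime` switch is not documented anywhere in the templates shown here, and setting it to false skips every probe, enable, start, restart and daemon-reload task they render while the play still finishes green. That leaves harvested service state unenforced, including units that are meant to stay disabled or stopped, so I would add a comment above the first guarded task such as `# enroll_manage_systemd_runtime=false skips all systemd probing and enforcement; intended only for hosts where PID 1 is not systemd`, and, if role defaults are generated elsewhere, an explicit `enroll_manage_systemd_runtime: true` entry there. The same guard literal is now repeated in nine `when:` clauses across `_render_grouped_systemd_tasks`, `_render_single_systemd_tasks`, both restart-handler builders and `_SYSTEMD_DAEMON_RELOAD_HANDLER`; a single module-level constant interpolated into the templates would keep them from drifting apart. The function bodies begin and end outside these hunks.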


@ -34,6 +34,7 @@ SALT_JINJATURTLE_DIR="${WORK_DIR}/salt-jinjaturtle"
SALT_NO_JINJATURTLE_DIR="${WORK_DIR}/salt-no-jinjaturtle" SALT_NO_JINJATURTLE_DIR="${WORK_DIR}/salt-no-jinjaturtle"
TEST_FQDN="${ENROLL_TEST_FQDN:-enroll-ci.example.test}" TEST_FQDN="${ENROLL_TEST_FQDN:-enroll-ci.example.test}"
JINJATURTLE_FIXTURE="${WORK_DIR}/enroll-tests-jinjaturtle.ini" JINJATURTLE_FIXTURE="${WORK_DIR}/enroll-tests-jinjaturtle.ini"
ANSIBLE_PLAYBOOK_EXTRA_ARGS=()
cleanup() { cleanup() {
if [[ "${KEEP_WORKDIR}" -eq 0 ]]; then if [[ "${KEEP_WORKDIR}" -eq 0 ]]; then
@ -88,6 +89,29 @@ require_supported_ci_os() {
fi fi
} }
pid1_comm() {
if [[ -r /proc/1/comm ]]; then
tr -d '[:space:]' </proc/1/comm || true
return
fi
if command -v ps >/dev/null 2>&1; then
ps -p 1 -o comm= 2>/dev/null | tr -d '[:space:]' || true
fi
}
configure_ansible_playbook_extra_args() {
local pid1
pid1="$(pid1_comm)"
ANSIBLE_PLAYBOOK_EXTRA_ARGS=()
if [[ "${pid1}" != "systemd" ]]; then
section "Setup: Ansible systemd runtime guard"
printf 'PID 1 is %s, not systemd; disabling generated Ansible systemd runtime enforcement for CI noop plays.\n' "${pid1:-unknown}"
ANSIBLE_PLAYBOOK_EXTRA_ARGS=(-e enroll_manage_systemd_runtime=false)
fi
}
os_id() { os_id() {
if [[ -r /etc/os-release ]]; then if [[ -r /etc/os-release ]]; then
# shellcheck disable=SC1091 # shellcheck disable=SC1091
@ -244,29 +268,6 @@ ensure_puppet_repo() {
DNF_UPDATED= DNF_UPDATED=
} }
ensure_mig5_rpm_repo() {
if ! is_rpm_family; then
return
fi
if [[ -e /etc/yum.repos.d/mig5.repo ]]; then
return
fi
section "Setup: mig5 dnf repository"
pkg_install ca-certificates curl
run rpm --import https://mig5.net/static/mig5.asc
cat >/etc/yum.repos.d/mig5.repo <<'EOF'
[mig5]
name=mig5 Repository
baseurl=https://rpm.mig5.net/$releasever/rpm/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mig5.net/static/mig5.asc
EOF
run dnf -y upgrade --refresh
DNF_UPDATED=1
}
ensure_jinjaturtle() { ensure_jinjaturtle() {
section "Setup: JinjaTurtle package" section "Setup: JinjaTurtle package"
if command -v jinjaturtle >/dev/null 2>&1; then if command -v jinjaturtle >/dev/null 2>&1; then
@ -286,8 +287,8 @@ ensure_jinjaturtle() {
APT_UPDATED=1 APT_UPDATED=1
run env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends jinjaturtle run env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends jinjaturtle
elif is_rpm_family; then elif is_rpm_family; then
ensure_mig5_rpm_repo printf 'Skipping JinjaTurtle package integration on RPM-family CI;\n'
pkg_install jinjaturtle return
else else
fail "Unsupported OS for JinjaTurtle package install: $(os_id)." fail "Unsupported OS for JinjaTurtle package install: $(os_id)."
fi fi
@ -392,7 +393,7 @@ run_ansible_jinjaturtle_variant() {
ansible-galaxy install -r "${out_dir}/requirements.yml" ansible-galaxy install -r "${out_dir}/requirements.yml"
run ansible-lint "${out_dir}" run ansible-lint "${out_dir}"
cd "${out_dir}" cd "${out_dir}"
run ansible-playbook playbook.yml -i "localhost," -c local --check --diff run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
} }
run_puppet_jinjaturtle_variant() { run_puppet_jinjaturtle_variant() {
@ -424,6 +425,12 @@ run_salt_jinjaturtle_variant() {
} }
run_jinjaturtle_manifest_tests() { run_jinjaturtle_manifest_tests() {
if is_rpm_family ; then
section "JinjaTurtle integration matrix"
printf 'Skipping JinjaTurtle package integration on RPM-family CI;\n'
return
fi
ensure_jinjaturtle ensure_jinjaturtle
require_cmd jinjaturtle "Install JinjaTurtle before running the JinjaTurtle integration matrix." require_cmd jinjaturtle "Install JinjaTurtle before running the JinjaTurtle integration matrix."
@ -450,19 +457,19 @@ run_ansible_noop_tests() {
ansible-galaxy install -r "${ANSIBLE_DIR}/requirements.yml" ansible-galaxy install -r "${ANSIBLE_DIR}/requirements.yml"
run ansible-lint "${ANSIBLE_DIR}" run ansible-lint "${ANSIBLE_DIR}"
cd "${ANSIBLE_DIR}" cd "${ANSIBLE_DIR}"
run ansible-playbook playbook.yml -i "localhost," -c local --check --diff run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
cd "${PROJECT_ROOT}" cd "${PROJECT_ROOT}"
run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_NO_COMMON_DIR}" --target ansible --no-common-roles run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_NO_COMMON_DIR}" --target ansible --no-common-roles
ansible-galaxy install -r "${ANSIBLE_NO_COMMON_DIR}/requirements.yml" ansible-galaxy install -r "${ANSIBLE_NO_COMMON_DIR}/requirements.yml"
cd "${ANSIBLE_NO_COMMON_DIR}" cd "${ANSIBLE_NO_COMMON_DIR}"
run ansible-playbook playbook.yml -i "localhost," -c local --check --diff run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
cd "${PROJECT_ROOT}" cd "${PROJECT_ROOT}"
run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_FQDN_DIR}" --target ansible --fqdn "${TEST_FQDN}" run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_FQDN_DIR}" --target ansible --fqdn "${TEST_FQDN}"
ansible-galaxy install -r "${ANSIBLE_FQDN_DIR}/requirements.yml" ansible-galaxy install -r "${ANSIBLE_FQDN_DIR}/requirements.yml"
cd "${ANSIBLE_FQDN_DIR}" cd "${ANSIBLE_FQDN_DIR}"
run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
} }
run_puppet_noop_tests() { run_puppet_noop_tests() {
@ -507,6 +514,7 @@ main() {
require_supported_ci_os require_supported_ci_os
run_pytests run_pytests
prepare_harvest_fixture prepare_harvest_fixture
configure_ansible_playbook_extra_args
run_ansible_noop_tests run_ansible_noop_tests
run_puppet_noop_tests run_puppet_noop_tests
run_salt_noop_tests run_salt_noop_tests
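Review bot: `configure_ansible_playbook_extra_args` keys the skip on PID 1 alone, so it applies to any job whose init is not systemd, which presumably includes the Debian container job as well as AlmaLinux; if so, no CI job exercises the generated systemd tasks any more, even under `--check`. If that is intended, say so above the function, e.g. `# Applies to every container job (PID 1 != systemd), not only AlmaLinux; the generated systemd tasks are then untested in CI.`; otherwise narrow the condition to the platform that actually fails. Separately, the RPM branch added to `ensure_jinjaturtle` cannot be reached from `run_jinjaturtle_manifest_tests`, which now returns earlier for RPM families, and both skip messages end in a dangling `;`. `main()` continues outside the last hunk.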


@ -266,10 +266,15 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path):
tasks = (out / "roles" / "foo" / "tasks" / "main.yml").read_text(encoding="utf-8") tasks = (out / "roles" / "foo" / "tasks" / "main.yml").read_text(encoding="utf-8")
assert "- name: Probe whether systemd unit exists and is manageable" in tasks assert "- name: Probe whether systemd unit exists and is manageable" in tasks
assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks
assert "when: foo_manage_unit | default(false)" in tasks assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks
assert ( assert (
"when:\n - foo_manage_unit | default(false)\n - _unit_probe is succeeded\n" "when:\n - enroll_manage_systemd_runtime | default(true) | bool\n"
in tasks " - foo_manage_unit | default(false)\n" in tasks
)
assert (
"when:\n - enroll_manage_systemd_runtime | default(true) | bool\n"
" - foo_manage_unit | default(false)\n"
" - _unit_probe is succeeded\n" in tasks
) )
# Ensure we didn't emit deprecated/broken '{{ }}' delimiters in when: lines. # Ensure we didn't emit deprecated/broken '{{ }}' delimiters in when: lines.
@ -632,6 +637,7 @@ def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path):
tasks = (out / "roles" / "net" / "tasks" / "main.yml").read_text(encoding="utf-8") tasks = (out / "roles" / "net" / "tasks" / "main.yml").read_text(encoding="utf-8")
assert "Ensure grouped unit enablement matches harvest" in tasks assert "Ensure grouped unit enablement matches harvest" in tasks
assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks
assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks
assert "Restart managed services" not in tasks assert "Restart managed services" not in tasks
defaults_text = (out / "roles" / "net" / "defaults" / "main.yml").read_text( defaults_text = (out / "roles" / "net" / "defaults" / "main.yml").read_text(
@ -647,6 +653,7 @@ def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path):
encoding="utf-8" encoding="utf-8"
) )
assert "Run systemd daemon-reload" in handlers assert "Run systemd daemon-reload" in handlers
assert "when: enroll_manage_systemd_runtime | default(true) | bool" in handlers
assert "- name: Restart managed service NetworkManager.service" in handlers assert "- name: Restart managed service NetworkManager.service" in handlers
assert "name: NetworkManager.service" in handlers assert "name: NetworkManager.service" in handlers
assert "state: restarted" in handlers assert "state: restarted" in handlers
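Review bot: The new handler assertion in `test_manifest_groups_systemd_units_into_common_role` is satisfied by the daemon-reload handler alone, so it does not prove that the `Restart managed service NetworkManager.service` handler also carries the guard. Because the handlers text holds both, a count pins it without depending on indentation: `assert handlers.count("when: enroll_manage_systemd_runtime | default(true) | bool") >= 2`. In the first test, the bare substring check on `tasks` is subsumed by the two multi-line `when:` assertions that follow it and could be dropped. Neither test renders with the variable set to false, which is the path CI now relies on; the test bodies extend beyond these hunks, so that may be covered elsewhere.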