diff --git a/enroll/ansible.py b/enroll/ansible.py index 4b5ec7b..9794de3 100644 --- a/enroll/ansible.py +++ b/enroll/ansible.py @@ -1002,7 +1002,9 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str: register: _enroll_unit_probes failed_when: false changed_when: false - when: item.manage | default(false) + when: + - enroll_manage_systemd_runtime | default(true) | bool + - item.manage | default(false) - name: Ensure grouped unit enablement matches harvest ansible.builtin.systemd: @@ -1011,6 +1013,7 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str: no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" when: + - enroll_manage_systemd_runtime | default(true) | bool - item.item.manage | default(false) - not (item.failed | default(false)) @@ -1021,6 +1024,7 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str: no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" when: + - enroll_manage_systemd_runtime | default(true) | bool - item.item.manage | default(false) - not (item.failed | default(false)) """ @@ -1083,7 +1087,9 @@ def _render_single_systemd_tasks(var_prefix: str) -> str: register: _unit_probe failed_when: false changed_when: false - when: {var_prefix}_manage_unit | default(false) + when: + - enroll_manage_systemd_runtime | default(true) | bool + - {var_prefix}_manage_unit | default(false) - name: Ensure unit enablement matches harvest ansible.builtin.systemd: @@ -1091,6 +1097,7 @@ def _render_single_systemd_tasks(var_prefix: str) -> str: enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" when: + - enroll_manage_systemd_runtime | default(true) | bool - {var_prefix}_manage_unit | default(false) - _unit_probe is succeeded 
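Review bot: The `not (item.failed | default(false))` condition on the grouped enablement and state tasks can never skip a unit, because the probe task they loop over sets `failed_when: false`, and Ansible rewrites each loop item's `failed` to the result of that conditional (always false); the `_unit_probe is succeeded` guard in the single-unit variant is dead for the same reason. If the probe is a command-style task, the fail-closed check the new `when:` lists should carry is the return code, e.g. `- item.rc | default(1) == 0` for the grouped tasks and `- _unit_probe.rc | default(1) == 0` for the single ones, so a unit systemd cannot see is neither enabled nor started. The probe's module line and the start of `_render_grouped_systemd_tasks` are above this hunk, so confirm against the probe definition before changing it. Minor style point: the new guard is normalised with `| bool` while `item.manage | default(false)` and `{var_prefix}_manage_unit | default(false)` on the adjacent lines are not; piping all of them through `| bool` keeps each list uniform.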
@@ -1100,6 +1107,7 @@ def _render_single_systemd_tasks(var_prefix: str) -> str: state: "{{{{ {var_prefix}_systemd_state }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" when: + - enroll_manage_systemd_runtime | default(true) | bool - {var_prefix}_manage_unit | default(false) - _unit_probe is succeeded """ @@ -1142,6 +1150,7 @@ def _single_service_restart_handler_body(var_prefix: str) -> str: name: "{{{{ {var_prefix}_unit_name }}}}" state: restarted when: + - enroll_manage_systemd_runtime | default(true) | bool - {var_prefix}_manage_unit | default(false) - ({var_prefix}_systemd_state | default('stopped')) == 'started' """ @@ -1162,6 +1171,7 @@ def _grouped_service_restart_handlers_body(role: AnsibleRole) -> str: ansible.builtin.service: name: {name} state: restarted + when: enroll_manage_systemd_runtime | default(true) | bool """ ) return "\n".join(_task_body(handler) for handler in handlers if _task_body(handler)) @@ -1580,6 +1590,7 @@ _SYSTEMD_DAEMON_RELOAD_HANDLER = """--- ansible.builtin.systemd: daemon_reload: true no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}" + when: enroll_manage_systemd_runtime | default(true) | bool """ diff --git a/tests.sh b/tests.sh index 4130af3..4e2b98b 100755 --- a/tests.sh +++ b/tests.sh @@ -34,6 +34,7 @@ SALT_JINJATURTLE_DIR="${WORK_DIR}/salt-jinjaturtle" SALT_NO_JINJATURTLE_DIR="${WORK_DIR}/salt-no-jinjaturtle" TEST_FQDN="${ENROLL_TEST_FQDN:-enroll-ci.example.test}" JINJATURTLE_FIXTURE="${WORK_DIR}/enroll-tests-jinjaturtle.ini" +ANSIBLE_PLAYBOOK_EXTRA_ARGS=() cleanup() { if [[ "${KEEP_WORKDIR}" -eq 0 ]]; then 
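Review bot: The grouped restart handlers emitted by `_grouped_service_restart_handlers_body` now carry only the runtime guard, whereas the single-service handler a few lines up also requires `{var_prefix}_manage_unit` and `systemd_state == 'started'` before restarting; as written, a notify can restart, and therefore start, a grouped service that the harvest recorded as stopped or unmanaged. Since this hunk already turns the handler's `when:` into an explicit condition, it is the natural place to add the per-unit manage/state conditions for `{name}` as well; the variables carrying those values for grouped units are not visible in this hunk, so I cannot quote exact names. The `ansible.builtin.service` handler also lacks the `no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"` the other systemd tasks use, if that flag is meant to cover restart output too. The body of `_grouped_service_restart_handlers_body` begins before this hunk.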
@@ -88,6 +89,19 @@ require_supported_ci_os() { fi } + +configure_ansible_playbook_extra_args() { + local pid1 + pid1="$(ps -p 1 -o comm= 2>/dev/null | tr -d '[:space:]' || true)" + + ANSIBLE_PLAYBOOK_EXTRA_ARGS=() + if [[ "${pid1}" != "systemd" ]]; then + section "Setup: Ansible systemd runtime guard" + printf 'PID 1 is %s, not systemd; disabling generated Ansible systemd runtime enforcement for CI noop plays.\n' "${pid1:-unknown}" + ANSIBLE_PLAYBOOK_EXTRA_ARGS=(-e enroll_manage_systemd_runtime=false) + fi +} + os_id() { if [[ -r /etc/os-release ]]; then # shellcheck disable=SC1091 @@ -392,7 +406,7 @@ run_ansible_jinjaturtle_variant() { ansible-galaxy install -r "${out_dir}/requirements.yml" run ansible-lint "${out_dir}" cd "${out_dir}" - run ansible-playbook playbook.yml -i "localhost," -c local --check --diff + run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" } run_puppet_jinjaturtle_variant() { 
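Review bot: `configure_ansible_playbook_extra_args` depends on `ps` being present; in a slim CI image without procps the pipeline yields an empty `pid1`, which the `!= "systemd"` test silently treats as "not systemd" and disables runtime enforcement even when PID 1 really is systemd, and `2>/dev/null` hides the reason. Reading the kernel's view directly removes the dependency: `pid1="$(tr -d '[:space:]' < /proc/1/comm 2>/dev/null || true)"`. It would also help to print a one-line note in the systemd branch (or to treat an empty `pid1` as an error rather than as "not systemd") so a run that unexpectedly relaxed the guard is visible in the log instead of being inferred from skipped tasks.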
@@ -450,19 +464,19 @@ run_ansible_noop_tests() { ansible-galaxy install -r "${ANSIBLE_DIR}/requirements.yml" run ansible-lint "${ANSIBLE_DIR}" cd "${ANSIBLE_DIR}" - run ansible-playbook playbook.yml -i "localhost," -c local --check --diff + run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" cd "${PROJECT_ROOT}" run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_NO_COMMON_DIR}" --target ansible --no-common-roles ansible-galaxy install -r "${ANSIBLE_NO_COMMON_DIR}/requirements.yml" cd "${ANSIBLE_NO_COMMON_DIR}" - run ansible-playbook playbook.yml -i "localhost," -c local --check --diff + run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" cd "${PROJECT_ROOT}" run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_FQDN_DIR}" --target ansible --fqdn "${TEST_FQDN}" ansible-galaxy install -r "${ANSIBLE_FQDN_DIR}/requirements.yml" cd "${ANSIBLE_FQDN_DIR}" - run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff + run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" } run_puppet_noop_tests() { @@ -507,6 +521,7 @@ main() { require_supported_ci_os run_pytests prepare_harvest_fixture + configure_ansible_playbook_extra_args run_ansible_noop_tests run_puppet_noop_tests run_salt_noop_tests diff --git a/tests/test_manifest.py b/tests/test_manifest.py index cc6d045..dba3d24 100644 --- a/tests/test_manifest.py +++ b/tests/test_manifest.py 
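Review bot: `"${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"` expands an array that is intentionally empty on systemd hosts; if tests.sh runs under `set -u` (its option line is outside this hunk) that expansion fails with "unbound variable" on bash older than 4.4, so the normal path on a real systemd runner would abort before ansible-playbook starts. `require_supported_ci_os` probably limits this to Linux images with a newer bash, but the portable spelling costs nothing: `${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]+"${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"}` on all four invocations here and the one in `run_ansible_jinjaturtle_variant`. A one-line comment above the first invocation, `# extra args disable systemd enforcement when PID 1 is not systemd (see configure_ansible_playbook_extra_args)`, would explain why check-mode plays need the flag at all.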
@@ -266,10 +266,15 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path): tasks = (out / "roles" / "foo" / "tasks" / "main.yml").read_text(encoding="utf-8") assert "- name: Probe whether systemd unit exists and is manageable" in tasks assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks - assert "when: foo_manage_unit | default(false)" in tasks + assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks assert ( - "when:\n - foo_manage_unit | default(false)\n - _unit_probe is succeeded\n" - in tasks + "when:\n - enroll_manage_systemd_runtime | default(true) | bool\n" + " - foo_manage_unit | default(false)\n" in tasks + ) + assert ( + "when:\n - enroll_manage_systemd_runtime | default(true) | bool\n" + " - foo_manage_unit | default(false)\n" + " - _unit_probe is succeeded\n" in tasks ) # Ensure we didn't emit deprecated/broken '{{ }}' delimiters in when: lines. @@ -632,6 +637,7 @@ def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path): tasks = (out / "roles" / "net" / "tasks" / "main.yml").read_text(encoding="utf-8") assert "Ensure grouped unit enablement matches harvest" in tasks assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks + assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks assert "Restart managed services" not in tasks defaults_text = (out / "roles" / "net" / "defaults" / "main.yml").read_text( @@ -647,6 +653,7 @@ def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path): encoding="utf-8" ) assert "Run systemd daemon-reload" in handlers + assert "when: enroll_manage_systemd_runtime | default(true) | bool" in handlers assert "- name: Restart managed service NetworkManager.service" in handlers assert "name: NetworkManager.service" in handlers assert "state: restarted" in handlers
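Review bot: The new assertions only check that the guard string appears somewhere in the rendered tasks and handlers, so a systemd or service task added later without the guard would still pass, and `test_manifest_groups_systemd_units_into_common_role` never checks that the `NetworkManager.service` restart handler carries it. A structural check is short: `for task in yaml.safe_load(handlers): if "ansible.builtin.systemd" in task or "ansible.builtin.service" in task: assert "enroll_manage_systemd_runtime" in str(task["when"])`, and the same loop over `tasks` (whether `yaml` is already imported in this module is not visible here). The bare `assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks` in `test_manifest_writes_roles_and_playbook_with_clean_when` is implied by the two multi-line assertions that follow it and can be dropped. None of the tests assert that `enroll_manage_systemd_runtime` is declared in the generated `defaults/main.yml`; if the generator does not emit it there, consider adding it with a comment such as `# set false to skip systemd enable/start/restart on hosts where PID 1 is not systemd` so the knob is discoverable without reading every `when:`.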