mig5/enroll
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Activity Actions

debug systemd runtime in alma
Some checks failed
CI / test (push) Has been cancelled
Details
Lint / test (push) Has been cancelled
Details
CI / test (almalinux, docker.io/library/almalinux:9, python3.11) (push) Failing after 11m36s
Details
CI / test (debian, docker.io/library/debian:13, python3) (push) Successful in 19m51s
Details

Browse source
This commit is contained in:
Miguel Jacq 2026-06-21 16:37:19 +10:00
parent ce2652a3b3
commit 9d251c1bbc
Signed by: mig5
GPG key ID: 03906B4110AAD3B8
3 changed files with 42 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

15
enroll/ansible.py
View file

@ -1002,7 +1002,9 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str:
register: _enroll_unit_probes register: _enroll_unit_probes
failed_when: false failed_when: false
changed_when: false changed_when: false
when: item.manage | default(false) when:
- enroll_manage_systemd_runtime | default(true) | bool
- item.manage | default(false)
- name: Ensure grouped unit enablement matches harvest - name: Ensure grouped unit enablement matches harvest
ansible.builtin.systemd: ansible.builtin.systemd:
@ -1011,6 +1013,7 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str:
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- item.item.manage | default(false) - item.item.manage | default(false)
- not (item.failed | default(false)) - not (item.failed | default(false))
@ -1021,6 +1024,7 @@ def _render_grouped_systemd_tasks(var_prefix: str) -> str:
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- item.item.manage | default(false) - item.item.manage | default(false)
- not (item.failed | default(false)) - not (item.failed | default(false))
""" """
@ -1083,7 +1087,9 @@ def _render_single_systemd_tasks(var_prefix: str) -> str:
register: _unit_probe register: _unit_probe
failed_when: false failed_when: false
changed_when: false changed_when: false
when: {var_prefix}_manage_unit | default(false) when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false)
- name: Ensure unit enablement matches harvest - name: Ensure unit enablement matches harvest
ansible.builtin.systemd: ansible.builtin.systemd:
@ -1091,6 +1097,7 @@ def _render_single_systemd_tasks(var_prefix: str) -> str:
enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}" enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}"
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false) - {var_prefix}_manage_unit | default(false)
- _unit_probe is succeeded - _unit_probe is succeeded
@ -1100,6 +1107,7 @@ def _render_single_systemd_tasks(var_prefix: str) -> str:
state: "{{{{ {var_prefix}_systemd_state }}}}" state: "{{{{ {var_prefix}_systemd_state }}}}"
no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}"
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false) - {var_prefix}_manage_unit | default(false)
- _unit_probe is succeeded - _unit_probe is succeeded
""" """
@ -1142,6 +1150,7 @@ def _single_service_restart_handler_body(var_prefix: str) -> str:
name: "{{{{ {var_prefix}_unit_name }}}}" name: "{{{{ {var_prefix}_unit_name }}}}"
state: restarted state: restarted
when: when:
- enroll_manage_systemd_runtime | default(true) | bool
- {var_prefix}_manage_unit | default(false) - {var_prefix}_manage_unit | default(false)
- ({var_prefix}_systemd_state | default('stopped')) == 'started' - ({var_prefix}_systemd_state | default('stopped')) == 'started'
""" """
@ -1162,6 +1171,7 @@ def _grouped_service_restart_handlers_body(role: AnsibleRole) -> str:
ansible.builtin.service: ansible.builtin.service:
name: {name} name: {name}
state: restarted state: restarted
when: enroll_manage_systemd_runtime | default(true) | bool
""" """
) )
return "\n".join(_task_body(handler) for handler in handlers if _task_body(handler)) return "\n".join(_task_body(handler) for handler in handlers if _task_body(handler))
@ -1580,6 +1590,7 @@ _SYSTEMD_DAEMON_RELOAD_HANDLER = """---
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}" no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"
when: enroll_manage_systemd_runtime | default(true) | bool
""" """

23
tests.sh
View file

@ -34,6 +34,7 @@ SALT_JINJATURTLE_DIR="${WORK_DIR}/salt-jinjaturtle"
SALT_NO_JINJATURTLE_DIR="${WORK_DIR}/salt-no-jinjaturtle" SALT_NO_JINJATURTLE_DIR="${WORK_DIR}/salt-no-jinjaturtle"
TEST_FQDN="${ENROLL_TEST_FQDN:-enroll-ci.example.test}" TEST_FQDN="${ENROLL_TEST_FQDN:-enroll-ci.example.test}"
JINJATURTLE_FIXTURE="${WORK_DIR}/enroll-tests-jinjaturtle.ini" JINJATURTLE_FIXTURE="${WORK_DIR}/enroll-tests-jinjaturtle.ini"
ANSIBLE_PLAYBOOK_EXTRA_ARGS=()
cleanup() { cleanup() {
if [[ "${KEEP_WORKDIR}" -eq 0 ]]; then if [[ "${KEEP_WORKDIR}" -eq 0 ]]; then
@ -88,6 +89,19 @@ require_supported_ci_os() {
fi fi
} }
configure_ansible_playbook_extra_args() {
local pid1
pid1="$(ps -p 1 -o comm= 2>/dev/null | tr -d '[:space:]' || true)"
ANSIBLE_PLAYBOOK_EXTRA_ARGS=()
if [[ "${pid1}" != "systemd" ]]; then
section "Setup: Ansible systemd runtime guard"
printf 'PID 1 is %s, not systemd; disabling generated Ansible systemd runtime enforcement for CI noop plays.\n' "${pid1:-unknown}"
ANSIBLE_PLAYBOOK_EXTRA_ARGS=(-e enroll_manage_systemd_runtime=false)
fi
}
os_id() { os_id() {
if [[ -r /etc/os-release ]]; then if [[ -r /etc/os-release ]]; then
# shellcheck disable=SC1091 # shellcheck disable=SC1091
@ -392,7 +406,7 @@ run_ansible_jinjaturtle_variant() {
ansible-galaxy install -r "${out_dir}/requirements.yml" ansible-galaxy install -r "${out_dir}/requirements.yml"
run ansible-lint "${out_dir}" run ansible-lint "${out_dir}"
cd "${out_dir}" cd "${out_dir}"
run ansible-playbook playbook.yml -i "localhost," -c local --check --diff run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
} }
run_puppet_jinjaturtle_variant() { run_puppet_jinjaturtle_variant() {
@ -450,19 +464,19 @@ run_ansible_noop_tests() {
ansible-galaxy install -r "${ANSIBLE_DIR}/requirements.yml" ansible-galaxy install -r "${ANSIBLE_DIR}/requirements.yml"
run ansible-lint "${ANSIBLE_DIR}" run ansible-lint "${ANSIBLE_DIR}"
cd "${ANSIBLE_DIR}" cd "${ANSIBLE_DIR}"
run ansible-playbook playbook.yml -i "localhost," -c local --check --diff run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
cd "${PROJECT_ROOT}" cd "${PROJECT_ROOT}"
run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_NO_COMMON_DIR}" --target ansible --no-common-roles run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_NO_COMMON_DIR}" --target ansible --no-common-roles
ansible-galaxy install -r "${ANSIBLE_NO_COMMON_DIR}/requirements.yml" ansible-galaxy install -r "${ANSIBLE_NO_COMMON_DIR}/requirements.yml"
cd "${ANSIBLE_NO_COMMON_DIR}" cd "${ANSIBLE_NO_COMMON_DIR}"
run ansible-playbook playbook.yml -i "localhost," -c local --check --diff run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
cd "${PROJECT_ROOT}" cd "${PROJECT_ROOT}"
run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_FQDN_DIR}" --target ansible --fqdn "${TEST_FQDN}" run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_FQDN_DIR}" --target ansible --fqdn "${TEST_FQDN}"
ansible-galaxy install -r "${ANSIBLE_FQDN_DIR}/requirements.yml" ansible-galaxy install -r "${ANSIBLE_FQDN_DIR}/requirements.yml"
cd "${ANSIBLE_FQDN_DIR}" cd "${ANSIBLE_FQDN_DIR}"
run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}"
} }
run_puppet_noop_tests() { run_puppet_noop_tests() {
@ -507,6 +521,7 @@ main() {
require_supported_ci_os require_supported_ci_os
run_pytests run_pytests
prepare_harvest_fixture prepare_harvest_fixture
configure_ansible_playbook_extra_args
run_ansible_noop_tests run_ansible_noop_tests
run_puppet_noop_tests run_puppet_noop_tests
run_salt_noop_tests run_salt_noop_tests

13
tests/test_manifest.py
View file

@ -266,10 +266,15 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path):
tasks = (out / "roles" / "foo" / "tasks" / "main.yml").read_text(encoding="utf-8") tasks = (out / "roles" / "foo" / "tasks" / "main.yml").read_text(encoding="utf-8")
assert "- name: Probe whether systemd unit exists and is manageable" in tasks assert "- name: Probe whether systemd unit exists and is manageable" in tasks
assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks
assert "when: foo_manage_unit | default(false)" in tasks assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks
assert ( assert (
"when:\n - foo_manage_unit | default(false)\n - _unit_probe is succeeded\n" "when:\n - enroll_manage_systemd_runtime | default(true) | bool\n"
in tasks " - foo_manage_unit | default(false)\n" in tasks
)
assert (
"when:\n - enroll_manage_systemd_runtime | default(true) | bool\n"
" - foo_manage_unit | default(false)\n"
" - _unit_probe is succeeded\n" in tasks
) )
# Ensure we didn't emit deprecated/broken '{{ }}' delimiters in when: lines. # Ensure we didn't emit deprecated/broken '{{ }}' delimiters in when: lines.
@ -632,6 +637,7 @@ def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path):
tasks = (out / "roles" / "net" / "tasks" / "main.yml").read_text(encoding="utf-8") tasks = (out / "roles" / "net" / "tasks" / "main.yml").read_text(encoding="utf-8")
assert "Ensure grouped unit enablement matches harvest" in tasks assert "Ensure grouped unit enablement matches harvest" in tasks
assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks
assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks
assert "Restart managed services" not in tasks assert "Restart managed services" not in tasks
defaults_text = (out / "roles" / "net" / "defaults" / "main.yml").read_text( defaults_text = (out / "roles" / "net" / "defaults" / "main.yml").read_text(
@ -647,6 +653,7 @@ def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path):
encoding="utf-8" encoding="utf-8"
) )
assert "Run systemd daemon-reload" in handlers assert "Run systemd daemon-reload" in handlers
assert "when: enroll_manage_systemd_runtime | default(true) | bool" in handlers
assert "- name: Restart managed service NetworkManager.service" in handlers assert "- name: Restart managed service NetworkManager.service" in handlers
assert "name: NetworkManager.service" in handlers assert "name: NetworkManager.service" in handlers
assert "state: restarted" in handlers assert "state: restarted" in handlers