Fix use of changed_when (#15)

* Update pre-commit hooks * Update requirements * Set `tmpfs` for centos7 scenario * Set `VOLUME` in Dockerfile * Add pre-task for checking systemd status * Run workflow on `ubuntu-latest` * Check `firewall_default_zone` return code in `changed_when` * Try without `tmpfs` * Update action versions * Try setting `volumes` and `cgroupns_mode` * Add a prepare playbook * Add default scenario * Remove centos7 and rocky8 scenarios * Set docker image in gha workflow
UCL-MIRSG · Sep 7, 2023 · f63f0c6 · f63f0c6
1 parent 5579a79
commit f63f0c6
Show file tree

Hide file tree

Showing 15 changed files with 97 additions and 118 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout source
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: set up python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
         with:
           python-version: 3.9
 

diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
@@ -3,17 +3,17 @@ name: Molecule Test
 on: [push, pull_request]
 jobs:
   molecule:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     strategy:
       max-parallel: 4
       matrix:
-        scenario:
-          - centos7
-          - rocky8
+        image:
+          - centos:7
+          - rockylinux:8
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up Python 3.9
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
         with:
           python-version: 3.9
       - name: Install dependencies
@@ -23,7 +23,8 @@ jobs:
           python3 -m pip install -r .github/workflows/requirements.txt
       - name: Test with molecule
         run: |
-          molecule test --scenario-name ${{ matrix.scenario }}
+          molecule test
         env:
           PY_COLORS: "1"
           ANSIBLE_FORCE_COLOR: "1"
+          MOLECULE_DOCKER_IMAGE: ${{ matrix.image }}
diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt
@@ -1,4 +1,5 @@
-ansible-lint==6.10.0
-molecule==4.0.4
-molecule-docker==2.1.0
-yamllint==1.28.0
+ansible-lint
+molecule
+molecule-plugins[docker]
+yamllint
+requests==2.29.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: check-added-large-files
       - id: check-case-conflict
@@ -14,22 +14,22 @@ repos:
         args: [--fix=lf]
       - id: trailing-whitespace
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.3.0
+    rev: v1.5.4
     hooks:
       - id: forbid-tabs
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v2.7.1
+    rev: v3.0.3
     hooks:
       - id: prettier
   - repo: https://github.com/sirosen/check-jsonschema
-    rev: 0.17.1
+    rev: 0.26.3
     hooks:
       - id: check-github-workflows
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.8.0.4
+    rev: v0.9.0.5
     hooks:
       - id: shellcheck
   - repo: https://github.com/ansible-community/ansible-lint.git
-    rev: v6.3.0
+    rev: v6.18.0
     hooks:
       - id: ansible-lint
diff --git a/molecule/centos7/Dockerfile.j2 b/molecule/centos7/Dockerfile.j2
diff --git a/molecule/centos7/molecule.yml b/molecule/centos7/molecule.yml
diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2
@@ -0,0 +1,19 @@
+FROM {{ item.image }}
+
+ENV container=docker
+
+RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
+systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+RUN if [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install /usr/bin/python3 /usr/bin/python3-config /usr/bin/dnf-3 sudo bash iproute && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl bash iproute initscripts && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; fi
+
+VOLUME ["/sys/fs/cgroup"]
+CMD ["/usr/sbin/init"]
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -0,0 +1,20 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: true
+  pre_tasks:
+    - name: Wait for systemd to complete initialization. # noqa command-instead-of-module
+      ansible.builtin.command: systemctl is-system-running
+      register: systemctl_status
+      until: >
+        'running' in systemctl_status.stdout or
+        'degraded' in systemctl_status.stdout
+      retries: 30
+      delay: 5
+      when: ansible_service_mgr == 'systemd'
+      changed_when: false
+      failed_when: systemctl_status.rc > 1
+  tasks:
+    - name: "Include ansible-role-firewalld"
+      ansible.builtin.include_role:
+        name: "ansible-role-firewalld"
diff --git a/molecule/rocky8/molecule.yml → molecule/default/molecule.yml b/molecule/rocky8/molecule.yml → molecule/default/molecule.yml
@@ -1,46 +1,54 @@
 ---
 dependency:
   name: galaxy
+
 driver:
   name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
+
 platforms:
   - name: firewall_db
-    image: rockylinux:8
+    image: ${MOLECULE_DOCKER_IMAGE:-centos:7}
     image_version: latest
     command: ""
+    pre_build_image: false
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     cgroupns_mode: host
-    pre_build_image: false
-    privileged: true
     groups:
       - db
       - docker
+
   - name: firewall_web
-    image: rockylinux:8
+    image: ${MOLECULE_DOCKER_IMAGE:-centos:7}
     image_version: latest
     command: ""
+    pre_build_image: false
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
     cgroupns_mode: host
-    pre_build_image: false
-    privileged: true
     groups:
       - docker
       - web
+
 provisioner:
   name: ansible
   lint:
     name: ansible-lint
   log: true
-  playbooks:
-    converge: ../resources/converge.yml
   inventory:
     links:
       group_vars: ../resources/inventory/group_vars/
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+
 verifier:
   name: ansible
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -0,0 +1,15 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Install firewalld
+      ansible.builtin.package:
+        name: firewalld
+        state: present
+
+    - name: Change firewalld backend to iptables
+      ansible.builtin.lineinfile:
+        path: /etc/firewalld/firewalld.conf
+        regexp: "^FirewallBackend="
+        line: FirewallBackend=iptables
diff --git a/molecule/resources/verify.yml → molecule/default/verify.yml b/molecule/resources/verify.yml → molecule/default/verify.yml
diff --git a/molecule/resources/Dockerfile.j2 b/molecule/resources/Dockerfile.j2
diff --git a/molecule/resources/converge.yml b/molecule/resources/converge.yml
diff --git a/molecule/rocky8/Dockerfile.j2 b/molecule/rocky8/Dockerfile.j2
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -66,7 +66,7 @@
     set -o pipefail
     firewall-cmd --get-default-zone | grep -i {% if allow_public_access %}public{% else %}drop{% endif %}
   register: firewall_default_zone
-  changed_when: false
+  changed_when: firewall_default_zone.rc != 0
   failed_when: false
 
 - name: Allow or drop default connections
@@ -75,4 +75,4 @@
     firewall-cmd
     --set-default-zone={% if allow_public_access %}public{% else %}drop{% endif %}
   when: firewall_default_zone.rc != 0
-  changed_when: false
+  changed_when: firewall_default_zone.rc != 0