Skip to content

Commit

Permalink
feat: support for ostree systems
Browse files Browse the repository at this point in the history
Feature: Allow running and testing the role with ostree managed nodes.

Reason: We have users who want to use the role to manage ostree
systems.

Result: Users can use the role to manage ostree managed nodes.

Signed-off-by: Rich Megginson <[email protected]>
  • Loading branch information
richm committed Oct 12, 2023
1 parent f127824 commit f656132
Show file tree
Hide file tree
Showing 33 changed files with 327 additions and 116 deletions.
3 changes: 3 additions & 0 deletions .ostree/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
*NOTE*: The `*.txt` files are used by `get_ostree_data.sh` to create the lists
of packages, and to find other system roles used by this role. DO NOT use them
directly.
113 changes: 113 additions & 0 deletions .ostree/get_ostree_data.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
#!/bin/bash

set -euo pipefail

role_collection_dir="${ROLE_COLLECTION_DIR:-fedora/linux_system_roles}"
ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}"

if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then
cat <<EOF
Usage: $0 packages [runtime|testing] DISTRO-MAJOR[.MINOR] [json|yaml|raw|toml]
The script will use the packages and roles files in $ostree_dir to
construct the list of packages needed to build the ostree image. The script
will output the list of packages in the given format
- json is a JSON list like ["pkg1","pkg2",....,"pkgN"]
- yaml is the YAML list format
- raw is the list of packages, one per line
- toml is a list of [[packages]] elements as in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line
The DISTRO-MAJOR.MINOR is the same format used by Ansible for distribution e.g. CentOS-8, RedHat-8.9, etc.
EOF
exit 1
fi
category="$1"
pkgtype="$2"
distro_ver="$3"
format="$4"
pkgtypes=("$pkgtype")
if [ "$pkgtype" = testing ]; then
pkgtypes+=(runtime)
fi

get_rolepath() {
local ostree_dir role rolesdir
ostree_dir="$1"
role="$2"
rolesdir="$(dirname "$(dirname "$ostree_dir")")/$role/.ostree"
if [ -d "$rolesdir" ]; then
echo "$rolesdir"
return 0
fi
if [ -n "${ANSIBLE_COLLECTIONS_PATHS:-}" ]; then
for pth in ${ANSIBLE_COLLECTIONS_PATHS//:/ }; do
rolesdir="$pth/ansible_collections/$role_collection_dir/roles/$role/.ostree"
if [ -d "$rolesdir" ]; then
echo "$rolesdir"
return 0
fi
done
fi
return 1
}

get_packages() {
local ostree_dir pkgtype pkgfile rolefile
ostree_dir="$1"
for pkgtype in "${pkgtypes[@]}"; do
for suff in "" "-$distro" "-${distro}-${major_ver}" "-${distro}-${ver}"; do
pkgfile="$ostree_dir/packages-${pkgtype}${suff}.txt"
if [ -f "$pkgfile" ]; then
cat "$pkgfile"
fi
done
rolefile="$ostree_dir/roles-${pkgtype}.txt"
if [ -f "$rolefile" ]; then
local roles role rolepath
roles="$(cat "$rolefile")"
for role in $roles; do
rolepath="$(get_rolepath "$ostree_dir" "$role")"
get_packages "$rolepath"
done
fi
done | sort -u
}

format_packages_json() {
local comma pkgs pkg
comma=""
pkgs="["
while read -r pkg; do
pkgs="${pkgs}${comma}\"${pkg}\""
comma=,
done
pkgs="${pkgs}]"
echo "$pkgs"
}

format_packages_raw() {
cat
}

format_packages_yaml() {
while read -r pkg; do
echo "- $pkg"
done
}

format_packages_toml() {
while read -r pkg; do
echo "[[packages]]"
echo "name = \"$pkg\""
echo "version = \"*\""
done
}

distro="${distro_ver%%-*}"
ver="${distro_ver##*-}"
if [[ "$ver" =~ ^([0-9]*) ]]; then
major_ver="${BASH_REMATCH[1]}"
else
echo ERROR: cannot parse major version number from version "$ver"
exit 1
fi

"get_$category" "$ostree_dir" | "format_${category}_$format"
2 changes: 2 additions & 0 deletions .ostree/packages-runtime-CentOS-7.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
libselinux-python
policycoreutils-python
3 changes: 3 additions & 0 deletions .ostree/packages-runtime-CentOS-8.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
policycoreutils-python-utils
python3-libselinux
python3-policycoreutils
3 changes: 3 additions & 0 deletions .ostree/packages-runtime-CentOS-9.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
policycoreutils-python-utils
python3-libselinux
python3-policycoreutils
3 changes: 3 additions & 0 deletions .ostree/packages-runtime-Fedora.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
policycoreutils-python-utils
python3-libselinux
python3-policycoreutils
2 changes: 2 additions & 0 deletions .ostree/packages-runtime-RedHat-6.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
libselinux-python
policycoreutils-python
2 changes: 2 additions & 0 deletions .ostree/packages-runtime-RedHat-7.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
libselinux-python
policycoreutils-python
3 changes: 3 additions & 0 deletions .ostree/packages-runtime-RedHat-8.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
policycoreutils-python-utils
python3-libselinux
python3-policycoreutils
3 changes: 3 additions & 0 deletions .ostree/packages-runtime-RedHat-9.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
policycoreutils-python-utils
python3-libselinux
python3-policycoreutils
Empty file added .ostree/packages-runtime.txt
Empty file.
1 change: 1 addition & 0 deletions .ostree/packages-testing-CentOS-7.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python
1 change: 1 addition & 0 deletions .ostree/packages-testing-CentOS-8.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python-utils
1 change: 1 addition & 0 deletions .ostree/packages-testing-CentOS-9.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python-utils
1 change: 1 addition & 0 deletions .ostree/packages-testing-Fedora.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python-utils
1 change: 1 addition & 0 deletions .ostree/packages-testing-RedHat-7.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python
1 change: 1 addition & 0 deletions .ostree/packages-testing-RedHat-8.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python-utils
1 change: 1 addition & 0 deletions .ostree/packages-testing-RedHat-9.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
policycoreutils-python-utils
Empty file added .ostree/packages-testing.txt
Empty file.
1 change: 1 addition & 0 deletions .sanity-ansible-ignore-2.12.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
roles/selinux/.ostree/get_ostree_data.sh shebang!skip
1 change: 1 addition & 0 deletions .sanity-ansible-ignore-2.13.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
roles/selinux/.ostree/get_ostree_data.sh shebang!skip
1 change: 1 addition & 0 deletions .sanity-ansible-ignore-2.14.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
roles/selinux/.ostree/get_ostree_data.sh shebang!skip
1 change: 1 addition & 0 deletions .sanity-ansible-ignore-2.15.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
roles/selinux/.ostree/get_ostree_data.sh shebang!skip
1 change: 1 addition & 0 deletions .sanity-ansible-ignore-2.9.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
roles/selinux/.ostree/get_ostree_data.sh shebang!skip
66 changes: 66 additions & 0 deletions README-ostree.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# rpm-ostree

The role supports running on [rpm-ostree](https://coreos.github.io/rpm-ostree/)
systems. The primary issue is that the `/usr` filesystem is read-only, and the
role cannot install packages. Instead, it will just verify that the necessary
packages and any other `/usr` files are pre-installed. The role will change the
package manager to one that is compatible with `rpm-ostree` systems.

## Building

To build an ostree image for a particular operating system distribution and
version, use the script `.ostree/get_ostree_data.sh` to get the list of
packages. If the role uses other system roles, then the script will include the
packages for the other roles in the list it outputs. The list of packages will
be sorted in alphanumeric order.

Usage:

```bash
.ostree/get_ostree_data.sh packages runtime DISTRO-VERSION FORMAT
```

`DISTRO-VERSION` is in the format that Ansible uses for `ansible_distribution`
and `ansible_distribution_version` - for example, `Fedora-38`, `CentOS-8`,
`RedHat-9.4`

`FORMAT` is one of `toml`, `json`, `yaml`, `raw`

* `toml` - each package in a TOML `[[packages]]` element

```toml
[[packages]]
name = "package-a"
version = "*"
[[packages]]
name = "package-b"
version = "*"
...
```

* `yaml` - a YAML list of packages

```yaml
- package-a
- package-b
...
```

* `json` - a JSON list of packages

```json
["package-a","package-b",...]
```

* `raw` - a plain text list of packages, one per line

```bash
package-a
package-b
...
```

What format you choose depends on which image builder you are using. For
example, if you are using something based on
[osbuild-composer](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line),
you will probably want to use the `toml` output format.
14 changes: 8 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,19 +17,17 @@ Essentially provide mechanisms to manage local customizations:

## Requirements

See below

### Collection requirements

The role requires some SELinux modules. If you are using `ansible-core`, you
must get these from the `ansible.posix` and `community.general` collections.
Use the file `meta/collection-requirements.yml` to install these:
The role requires external collections. Use the following command to install
them:

```bash
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
```

If you are using Ansible Engine 2.9, or are using an Ansible bundle which
includes these collections/modules, you should have to do nothing.

## Modules provided by this repository

### selinux_modules_facts
Expand Down Expand Up @@ -231,3 +229,7 @@ on Red Hat Enterprise Linux 6

The general usage is demonstrated in
[selinux-playbook.yml](examples/selinux-playbook.yml) playbook.

## rpm-ostree

See README-ostree.md
1 change: 1 addition & 0 deletions meta/collection-requirements.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
collections:
- name: ansible.posix
- name: ansible.utils
- name: community.general
60 changes: 60 additions & 0 deletions tasks/ensure_selinux_packages.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
---
- name: Ensure correct package manager for ostree systems
vars:
ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
ostree_booted_file: /run/ostree-booted
when: ansible_facts.pkg_mgr | d("") != ostree_pkg_mgr
block:
- name: Check if system is ostree
stat:
path: "{{ ostree_booted_file }}"
register: __ostree_booted_stat

- name: Set package manager to use for ostree
ansible.utils.update_fact:
updates:
- path: ansible_facts.pkg_mgr
value: "{{ ostree_pkg_mgr }}"
when: __ostree_booted_stat.stat.exists

- name: Install SELinux python2 tools
package:
name:
- libselinux-python
- policycoreutils-python
state: present
when: ansible_python_version is version('3', '<')

- name: Install SELinux python3 tools
package:
name:
- python3-libselinux
- python3-policycoreutils
state: present
when:
- ansible_python_version is version('3', '>=')
- ansible_os_family == "RedHat"

- name: Install SELinux python3 tools
package:
name:
- python3-selinux
- python3-policycoreutils
state: present
when:
- ansible_python_version is version('3', '>=')
- ansible_os_family == "Suse"

- name: Install SELinux tool semanage
package:
name:
- policycoreutils-python-utils
state: present
when: ansible_distribution == "Fedora" or
(ansible_distribution_major_version | int > 7 and
ansible_distribution in ["CentOS", "RedHat", "Rocky"])

- name: Refresh facts
setup:
filter: ansible_selinux
when: not __selinux_setup_snapshot | d(false)
43 changes: 2 additions & 41 deletions tasks/set_facts_packages.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,44 +5,5 @@
when: __selinux_required_facts |
difference(ansible_facts.keys() | list) | length > 0

- name: Install SELinux python2 tools
package:
name:
- libselinux-python
- policycoreutils-python
state: present
when: ansible_python_version is version('3', '<')

- name: Install SELinux python3 tools
package:
name:
- python3-libselinux
- python3-policycoreutils
state: present
when:
- ansible_python_version is version('3', '>=')
- ansible_os_family == "RedHat"

- name: Install SELinux python3 tools
package:
name:
- python3-selinux
- python3-policycoreutils
state: present
when:
- ansible_python_version is version('3', '>=')
- ansible_os_family == "Suse"

- name: Refresh facts
setup:
filter: ansible_selinux
when: not __selinux_setup_snapshot | d(false)

- name: Install SELinux tool semanage
package:
name:
- policycoreutils-python-utils
state: present
when: ansible_distribution == "Fedora" or
(ansible_distribution_major_version | int > 7 and
ansible_distribution in ["CentOS", "RedHat", "Rocky"])
- name: Ensure SELinux packages
include_tasks: ensure_selinux_packages.yml
Loading

0 comments on commit f656132

Please sign in to comment.