Don't set capabilities in priviledge mode

When priviledge mode is set, don't add any capabilities as they are included. Use 1.6.4 podman because 2.0.5 rootless doesn't work with systemd [1] Disable Selinux on host. [1] https://github.com/containers/podman/issues/8965 Closes-Bug: #1910970 Note: * tripleo_update_trusted_cas role is only available in master but not in victora or ussuri so removing this role molecule file from cherry-pick. * It also fixes openvswitch package name otherwise it will be blocked, taken from https://review.opendev.org/c/openstack/tripleo-ansible/+/764360 still blocked due to this patch. Change-Id: I73ac1c405e8a3539937a5578bb003cba0b935d94 (cherry picked from commit c90b0ea4e6)
2021-01-14 12:50:11 +02:00 · 2021-01-14 12:50:11 +02:00 · 83c644c9ed
parent 6097af7bfa
commit 83c644c9ed
21 changed files with 17 additions and 44 deletions
--- a/tripleo_ansible/roles/tripleo_image_serve/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_image_serve/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_image_serve/molecule/legacy_vars/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_image_serve/molecule/legacy_vars/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/default/molecule.yml
@ -16,8 +16,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /run/udev:/run/udev:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
@ -36,8 +34,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /run/udev:/run/udev:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/default/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/default/prepare.yml
@ -18,13 +18,15 @@
 - name: Prepare
  hosts: all:localhost
  become: true
+  vars:
+    test_deps_setup_tripleo: true
  roles:
    - role: test_deps
  post_tasks:
    - name: Install ovs
      package:
        name:
-          - openvswitch*
+          - openvswitch
          - libibverbs
        state: present

--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/positive/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/positive/molecule.yml
@ -16,8 +16,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
@ -33,8 +31,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/positive/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/positive/prepare.yml
@ -18,13 +18,15 @@
 - name: Prepare
  hosts: all:localhost
  become: true
+  vars:
+    test_deps_setup_tripleo: true
  roles:
    - role: test_deps
  post_tasks:
    - name: Install ovs
      package:
        name:
-          - openvswitch*
+          - openvswitch
          - libibverbs
        state: present

--- a/tripleo_ansible/roles/tripleo_packages/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_packages/molecule/external_upgrade/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/external_upgrade/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_packages/molecule/ffu/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/ffu/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_packages/molecule/update/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/update/molecule.yml
@ -17,8 +17,6 @@ platforms:
      /bin/mkdir -p /var/run/dbus &&
      /usr/bin/dbus-uuidgen > /var/lib/dbus/machine-id &&
      /usr/bin/dbus-daemon --config-file=/usr/share/dbus-1/system.conf
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_ptp/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_ptp/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools cronie rsyslog
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_puppet_cache/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_puppet_cache/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_sshd/molecule/banners/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_sshd/molecule/banners/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_sshd/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_sshd/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_systemd_wrapper/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_systemd_wrapper/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_timezone/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_timezone/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_transfer/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_transfer/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
@ -35,8 +33,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_upgrade_hiera/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_upgrade_hiera/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_validations_package/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_validations_package/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/zuul.d/playbooks/pre.yml
+++ b/zuul.d/playbooks/pre.yml
@ -22,6 +22,17 @@
      include_role:
        name: ensure-pip

+    # https://github.com/containers/podman/issues/8965
+    # podman rootless systemd is broken in 2.0.5, so we use 1.6.4
+    - name: Pin container-tools
+      become: true
+      shell: |
+        dnf module disable container-tools:rhel8 -y
+        dnf module enable container-tools:2.0 -y
+      when:
+        - (ansible_os_family | lower) == "redhat"
+        - (ansible_distribution_major_version | int) >= 8
+
    - name: Setup bindep
      pip:
        name: "bindep"