Don't set capabilities in priviledge mode

When priviledge mode is set, don't add any capabilities as they are included. Use 1.6.4 podman because 2.0.5 rootless doesn't work with systemd [1] Disable Selinux on host. [1] https://github.com/containers/podman/issues/8965 Closes-Bug: #1910970 Change-Id: I73ac1c405e8a3539937a5578bb003cba0b935d94
8 months ago · c90b0ea4e6
20 changed files with 11 additions and 46 deletions
--- a/tripleo_ansible/roles/tripleo_image_serve/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_image_serve/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_image_serve/molecule/legacy_vars/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_image_serve/molecule/legacy_vars/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/default/molecule.yml
@ -16,8 +16,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /run/udev:/run/udev:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
@ -36,8 +34,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /run/udev:/run/udev:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/positive/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/molecule/positive/molecule.yml
@ -16,8 +16,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
@ -33,8 +31,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
--- a/tripleo_ansible/roles/tripleo_packages/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_packages/molecule/external_upgrade/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/external_upgrade/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_packages/molecule/ffu/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/ffu/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_packages/molecule/update/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_packages/molecule/update/molecule.yml
@ -17,8 +17,6 @@ platforms:
      /bin/mkdir -p /var/run/dbus &&
      /usr/bin/dbus-uuidgen > /var/lib/dbus/machine-id &&
      /usr/bin/dbus-daemon --config-file=/usr/share/dbus-1/system.conf
-    capabilities:
-      - ALL
    volumes:
      - /dev:/dev
      - /lib/modules:/lib/modules
--- a/tripleo_ansible/roles/tripleo_ptp/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_ptp/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools cronie rsyslog
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_puppet_cache/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_puppet_cache/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_sshd/molecule/banners/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_sshd/molecule/banners/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_sshd/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_sshd/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_systemd_wrapper/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_systemd_wrapper/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_timezone/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_timezone/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_transfer/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_transfer/molecule/default/molecule.yml
@ -13,8 +13,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
@ -35,8 +33,6 @@ platforms:
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_update_trusted_cas/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_update_trusted_cas/molecule/default/molecule.yml
@ -16,8 +16,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
@ -33,8 +31,6 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"
    command: /sbin/init
-    capabilities:
-      - ALL
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
--- a/tripleo_ansible/roles/tripleo_upgrade_hiera/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_upgrade_hiera/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/tripleo_ansible/roles/tripleo_validations_package/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_validations_package/molecule/default/molecule.yml
@ -12,8 +12,6 @@ platforms:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
    pkg_extras: python*setuptools
-    capabilities:
-      - ALL
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
--- a/zuul.d/playbooks/pre.yml
+++ b/zuul.d/playbooks/pre.yml
@ -15,6 +15,17 @@
      include_role:
        name: ensure-pip

+    # https://github.com/containers/podman/issues/8965
+    # podman rootless systemd is broken in 2.0.5, so we use 1.6.4
+    - name: Pin container-tools
+      become: true
+      shell: |
+        dnf module disable container-tools:rhel8 -y
+        dnf module enable container-tools:2.0 -y
+      when:
+        - (ansible_os_family | lower) == "redhat"
+        - (ansible_distribution_major_version | int) >= 8
+
    - name: Setup bindep
      pip:
        name: "bindep"