linux-system-roles · richm · Nov 27, 2023 · Nov 21, 2023
@@ -0,0 +1,3 @@
+*NOTE*: The `*.txt` files are used by `get_ostree_data.sh` to create the lists
+of packages, and to find other system roles used by this role.  DO NOT use them
+directly.
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+set -euo pipefail
+
+ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}"
+
+if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then
+    cat <<EOF
+Usage: $0 packages [runtime|testing] DISTRO-MAJOR[.MINOR] [json|yaml|raw|toml]
+The script will use the packages and roles files in $ostree_dir to
+construct the list of packages needed to build the ostree image.  The script
+will output the list of packages in the given format
+- json is a JSON list like ["pkg1","pkg2",....,"pkgN"]
+- yaml is the YAML list format
+- raw is the list of packages, one per line
+- toml is a list of [[packages]] elements as in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line
+The DISTRO-MAJOR.MINOR is the same format used by Ansible for distribution e.g. CentOS-8, RedHat-8.9, etc.
+EOF
+    exit 1
+fi
+category="$1"
+pkgtype="$2"
+distro_ver="$3"
+format="$4"
+pkgtypes=("$pkgtype")
+if [ "$pkgtype" = testing ]; then
+    pkgtypes+=(runtime)
+fi
+
+get_rolepath() {
+    local ostree_dir role rolesdir roles_parent_dir coll_path pth
+    ostree_dir="$1"
+    role="$2"
+    roles_parent_dir="$(dirname "$(dirname "$ostree_dir")")"
+    rolesdir="$roles_parent_dir/$role/.ostree"
+    # assumes collection format
+    if [ -d "$rolesdir" ]; then
+        echo "$rolesdir"
+        return 0
+    fi
+    # assumes legacy role format like linux-system-roles.$role/
+    for rolesdir in "$roles_parent_dir"/*-system-roles."$role"/.ostree; do
+        if [ -d "$rolesdir" ]; then
+          echo "$rolesdir"
+          return 0
+        fi
+    done
+    # look elsewhere
+    coll_path="${ANSIBLE_COLLECTIONS_PATH:-}"
+    if [ -z "$coll_path" ]; then
+        coll_path="${ANSIBLE_COLLECTIONS_PATHS:-}"
+    fi
+    if [ -n "${coll_path}" ]; then
+        for pth in ${coll_path//:/ }; do
+            for rolesdir in "$pth"/ansible_collections/*/*_system_roles/roles/"$role"/.ostree; do
+                if [ -d "$rolesdir" ]; then
+                    echo "$rolesdir"
+                    return 0
+                fi
+            done
+        done
+    fi
+    1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH
+    exit 2
+}
+
+get_packages() {
+    local ostree_dir pkgtype pkgfile rolefile
+    ostree_dir="$1"
+    for pkgtype in "${pkgtypes[@]}"; do
+        for suff in "" "-$distro" "-${distro}-${major_ver}" "-${distro}-${ver}"; do
+            pkgfile="$ostree_dir/packages-${pkgtype}${suff}.txt"
+            if [ -f "$pkgfile" ]; then
+                cat "$pkgfile"
+            fi
+        done
+        rolefile="$ostree_dir/roles-${pkgtype}.txt"
+        if [ -f "$rolefile" ]; then
+            local roles role rolepath
+            roles="$(cat "$rolefile")"
+            for role in $roles; do
+                rolepath="$(get_rolepath "$ostree_dir" "$role")"
+                if [ -z "$rolepath" ]; then
+                    1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH
+                    exit 2
+                fi
+                get_packages "$rolepath"
+            done
+        fi
+    done | sort -u
+}
+
+format_packages_json() {
+    local comma pkgs pkg
+    comma=""
+    pkgs="["
+    while read -r pkg; do
+        pkgs="${pkgs}${comma}\"${pkg}\""
+        comma=,
+    done
+    pkgs="${pkgs}]"
+    echo "$pkgs"
+}
+
+format_packages_raw() {
+    cat
+}
+
+format_packages_yaml() {
+    while read -r pkg; do
+        echo "- $pkg"
+    done
+}
+
+format_packages_toml() {
+    while read -r pkg; do
+        echo "[[packages]]"
+        echo "name = \"$pkg\""
+        echo "version = \"*\""
+    done
+}
+
+distro="${distro_ver%%-*}"
+ver="${distro_ver##*-}"
+if [[ "$ver" =~ ^([0-9]*) ]]; then
+    major_ver="${BASH_REMATCH[1]}"
+else
+    echo ERROR: cannot parse major version number from version "$ver"
+    exit 1
+fi
+
+"get_$category" "$ostree_dir" | "format_${category}_$format"
@@ -0,0 +1,2 @@
+fapolicyd
+fapolicyd-selinux
@@ -0,0 +1,2 @@
+gcc
+glibc-devel
@@ -0,0 +1 @@
+roles/fapolicyd/.ostree/get_ostree_data.sh shebang!skip
@@ -0,0 +1 @@
+roles/fapolicyd/.ostree/get_ostree_data.sh shebang!skip
@@ -0,0 +1 @@
+roles/fapolicyd/.ostree/get_ostree_data.sh shebang!skip
@@ -0,0 +1 @@
+roles/fapolicyd/.ostree/get_ostree_data.sh shebang!skip
@@ -0,0 +1 @@
+roles/fapolicyd/.ostree/get_ostree_data.sh shebang!skip
@@ -0,0 +1,66 @@
+# rpm-ostree
+
+The role supports running on [rpm-ostree](https://coreos.github.io/rpm-ostree/)
+systems. The primary issue is that the `/usr` filesystem is read-only, and the
+role cannot install packages. Instead, it will just verify that the necessary
+packages and any other `/usr` files are pre-installed. The role will change the
+package manager to one that is compatible with `rpm-ostree` systems.
+
+## Building
+
+To build an ostree image for a particular operating system distribution and
+version, use the script `.ostree/get_ostree_data.sh` to get the list of
+packages. If the role uses other system roles, then the script will include the
+packages for the other roles in the list it outputs.  The list of packages will
+be sorted in alphanumeric order.
+
+Usage:
+
+```bash
+.ostree/get_ostree_data.sh packages runtime DISTRO-VERSION FORMAT
+```
+
+`DISTRO-VERSION` is in the format that Ansible uses for `ansible_distribution`
+and `ansible_distribution_version` - for example, `Fedora-38`, `CentOS-8`,
+`RedHat-9.4`
+
+`FORMAT` is one of `toml`, `json`, `yaml`, `raw`
+
+* `toml` - each package in a TOML `[[packages]]` element
+
+```toml
+[[packages]]
+name = "package-a"
+version = "*"
+[[packages]]
+name = "package-b"
+version = "*"
+...
+```
+
+* `yaml` - a YAML list of packages
+
+```yaml
+- package-a
+- package-b
+...
+```
+
+* `json` - a JSON list of packages
+
+```json
+["package-a","package-b",...]
+```
+
+* `raw` - a plain text list of packages, one per line
+
+```bash
+package-a
+package-b
+...
+```
+
+What format you choose depends on which image builder you are using.  For
+example, if you are using something based on
+[osbuild-composer](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line),
+you will probably want to use the `toml` output format.
@@ -1,14 +1,20 @@
 # Fapolicyd
 
-Fapolicyd System Role 
+Fapolicyd System Role
 
 ## Requirements
 
 This role is only supported on RHEL8.1+/CentOS8.1+ and Fedora distributions. Consider reading fapolicyd documentation before setting it up.
 
 ### Collection requirements
 
-None.
+If you want to manage `rpm-ostree` systems with this role, you will need to
+install additional collections.  Please run the following command line to
+install the collection.
+
+```bash
+ansible-galaxy collection install -vv -r meta/collection-requirements.yml
+```
 
 ## Role Variables
 
@@ -53,7 +59,9 @@ Default `[]` - it can take list of files that will be marked as trusted.
     - fapolicyd
 ```
 
+## rpm-ostree
 
+See README-ostree.md
 
 ## License
 

@@ -16,7 +16,7 @@ fapolicyd_setup_trust: "{{ '' if ansible_facts.distribution_version is
 # can be "none", "size", "sha256", "ima"
 # in case of ima, kernel's IMA has to be setup correctly
 fapolicyd_setup_integrity: "{{ '' if ansible_facts.distribution_version is
-                          version('8.3', '<=') else 'none' }}"
+                               version('8.3', '<=') else 'none' }}"
 
 # set permissive mode
 fapolicyd_setup_permissive: false
@@ -25,4 +25,4 @@ fapolicyd_setup_permissive: false
 # list of trusted files
 
 fapolicyd_add_trusted_file: "{{ '' if ansible_facts.distribution_version is
-                            version('8.2', '<=') else [] }}"
+                                version('8.2', '<=') else [] }}"
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: MIT
+---
+collections:
+  - ansible.posix
@@ -1,18 +1,13 @@
 ---
-- name: Gather needed facts
-  setup:
-    gather_subset:
-      - '!all'
-      - '!min'
-      - distribution_major_version
-  when: ansible_facts.distribution_major_version is not defined
+- name: Set platform/version specific variables
+  include_tasks: set_vars.yml
 
 - name: System check
   fail:
     msg:
-      - Only Red Hat Enterprise Linux >= 8.1 and Fedora is supported
-      - System: "{{ ansible_facts.os_family }}"
-      - Version: "{{ ansible_facts.distribution_version }}"
+      - Only Enterprise Linux >= 8.1 and Fedora are supported
+      - System - {{ ansible_facts.os_family }}
+      - Version - {{ ansible_facts.distribution_version }}
   when: (ansible_facts.os_family != "RedHat") or
     (ansible_facts.distribution_version is version("8.1", "<"))
 
@@ -52,20 +47,22 @@
 - name: Check failed conditions
   fail:
     msg: Multiple failed conditions
-  when: __failed_check_trust is failed or __failed_check_integrity is failed  or
+  when: __failed_check_trust is failed or __failed_check_integrity is failed or
     __failed_check_trusted_file is failed
 
 - name: Install fapolicyd packages
   package:
-    name:
-      - "{{ __fapolicyd_packages }}"
+    name: "{{ __fapolicyd_packages }}"
     state: present
+    use: "{{ (__fapolicyd_is_ostree | d(false)) |
+             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 
 - name: Install fapolicyd-selinux packages
   package:
-    name:
-      - "{{ __fapolicyd_selinux_packages }}"
+    name: "{{ __fapolicyd_selinux_packages }}"
     state: present
+    use: "{{ (__fapolicyd_is_ostree | d(false)) |
+             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
   when: ansible_facts.distribution_version is version("8.3", ">=")
 
 - name: Copy fapolicyd configuration file
@@ -74,13 +71,16 @@
     dest: "{{ __fapolicyd_dir }}/{{ __fapolicyd_conf }}"
     owner: root
     group: fapolicyd
-    mode: '0644'
+    mode: "0644"
+  register: __fapolicy_conf
 
 - name: Run fapolicyd configuration check
   command: fapolicyd-cli --check-config
   check_mode: false
   changed_when: false
-  when: ansible_facts.distribution_version is version("8.6", ">=")
+  when:
+    - ansible_facts.distribution_version is version("8.6", ">=")
+    - __fapolicy_conf is changed
 
 - name: Trustdb cleanup
   command: fapolicyd-cli --file delete /
@@ -102,26 +102,20 @@
     name: "{{ __fapolicyd_services }}"
     state: restarted
     enabled: true
+  when: fapolicyd_setup_enable_service | bool
   ignore_errors: true
   register: __fapolicyd_restart
 
 - name: Check fapolicyd logs
-  command: journalctl -n5 -u "{{ __fapolicyd_services }}"
+  command: journalctl -n5 -u {{ __fapolicyd_services | quote }}
   register: __fapolicyd_results
   changed_when: false
   when: __fapolicyd_restart is failed
+  failed_when: __fapolicyd_restart is failed
 
 - name: Making sure fapolicyd does not run if it was set so
   service:
     name: "{{ __fapolicyd_services }}"
     state: stopped
     enabled: false
   when: not fapolicyd_setup_enable_service
-
-- name: Print fapolicyd logs
-  debug:
-    msg: "{{ __fapolicyd_results.stdout_lines }}"
-  failed_when: true
-  when:
-    - __fapolicyd_restart is failed
-    - __fapolicyd_results.stdout_lines is defined
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		roles/fapolicyd/.ostree/get_ostree_data.sh shebang!skip