share: add privileged container support for CI and system tests
authorHadi Chokr <hadichokr@icloud.com>
Thu, 12 Feb 2026 11:13:46 +0000 (12:13 +0100)
committerIker Pedrosa <ikerpedrosam@gmail.com>
Mon, 2 Mar 2026 11:55:25 +0000 (12:55 +0100)
Introduce opt-in privileged container execution for CI and local runs.
This enables filesystem-level tests (e.g. BTRFS, mounts) while keeping
unprivileged execution as the default and safe path.

Changes include:
- Separate privileged and unprivileged builders
- Conditional Ansible roles and inventories
- Privileged test execution wiring
- --privileged support in container-build.sh

Signed-off-by: Hadi Chokr <hadichokr@icloud.com>
share/ansible/inventory.ini
share/ansible/playbook.yml
share/ansible/roles/build_container/README.md
share/ansible/roles/build_container/tasks/main.yml
share/ansible/roles/ci_run/tasks/alpine.yml
share/ansible/roles/ci_run/tasks/debian.yml
share/ansible/roles/ci_run/tasks/fedora.yml
share/ansible/roles/ci_run/tasks/opensuse.yml
share/ansible/roles/run_system_tests/tasks/main.yml
share/container-build.sh

index 46475c8e40d6098c1750110b7212d414da2dbabe..f7f079acee82d5a596c22fe32eded259842a81ab 100644 (file)
@@ -1 +1,2 @@
 builder ansible_connection=containers.podman.podman
+builder-privileged ansible_connection=containers.podman.podman
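Review bot: The new `builder-privileged` entry (and the existing `builder` one) no longer appear to be targeted by any play, because the same commit switches the CI play from `hosts: builder` to `hosts: build_target`, a group that is populated at run time by `add_host` in share/ansible/playbook.yml with the same `ansible_connection`. If nothing else reads this inventory, the two static hosts are dead configuration that can drift from the playbook's `container_name` logic; either drop them or add a comment saying they exist only for ad-hoc `ansible` runs against an already-started container.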
index 86d1afd8b5e77c4db9aa6eb77e0babdb74f1d334..72e94d2321907559eaef2575abfe27707bffbe93 100644 (file)
@@ -1,4 +1,5 @@
-- name: Start build container
+---
+- name: "Start {{ 'privileged' if privileged_mode | default(false) | bool else 'unprivileged' }} build container"
   hosts: localhost
   vars:
     image:
@@ -6,18 +7,28 @@
       alpine: docker.io/library/alpine:latest
       debian: docker.io/library/debian:latest
       opensuse: docker.io/opensuse/tumbleweed:latest
-
+    container_name: "{{ 'builder-privileged' if privileged_mode | default(false) | bool else 'builder' }}"
   roles:
     - role: build_container
+      vars:
+        privileged: "{{ privileged_mode | default(false) | bool }}"
+        name: "{{ container_name }}"
+  post_tasks:
+    - name: Register container as a host
+      ansible.builtin.add_host:
+        name: "{{ container_name }}"
+        groups: build_target
+        ansible_connection: containers.podman.podman
 
 - name: CI run
-  hosts: builder
-  connection: podman
+  hosts: build_target
   gather_facts: false
   roles:
     - role: ci_run
 
-- name: Run system tests
+- name: "Run {{ 'privileged' if privileged_mode | default(false) | bool else 'unprivileged' }} system tests"
   hosts: localhost
   roles:
     - role: run_system_tests
+      vars:
+        mhc: "{{ 'mhc-privileged.yaml' if privileged_mode | default(false) | bool else 'mhc.yaml' }}"
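Review bot: The `name: "{{ container_name }}"` entry passed to `build_container` under `roles:` is never read by that role — its tasks in share/ansible/roles/build_container/tasks/main.yml template `container_name | default('builder')`, which they already see as a play var — so the entry is dead and reuses a key name that reads like a task attribute; drop it or have the role consume it. `privileged_mode | default(false) | bool` is also evaluated five times across the three plays (both play names, `container_name`, the role's `privileged`, and `mhc`); computing it once at the top of the first play, e.g. `privileged: "{{ privileged_mode | default(false) | bool }}"` under `vars:`, and referring to that name would keep the opt-in decision in one place. A short comment above the first play stating that `privileged_mode=true` starts the builder with full host privileges and is only meant for the filesystem tests would document the switch where users of `-e` will look for it.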
index e55598a192e3b2a0d83da7b5df820d9ad66b96cc..14fff9df5a4eca7924a6a5928703cbae3c67d2e9 100644 (file)
@@ -1,7 +1,7 @@
 Role Name
 =========
 
-Build container images.
+Builds unprivileged and privileged container images.
 
 Role Variables
 --------------
@@ -14,8 +14,9 @@ Example Playbook
 Usage example:
 
     - hosts: localhost
+      become: true
       roles:
-        - role: build_container
+        - role: build_container_privileged
 
 License
 -------
@@ -26,3 +27,4 @@ Author Information
 ------------------
 
 Iker Pedrosa <ipedrosa@redhat.com>
+Hadi Chokr <hadichokr@icloud.com>
index c9a14f07e25e3cc6a89994133dbd620ca8b93ffd..187be5a0883de152ebe534f30839c9fc2fce4184 100644 (file)
@@ -1,20 +1,17 @@
----
-# tasks file for build_container
 - name: Pull container image
   containers.podman.podman_image:
     name: '{{ image[distribution] }}'
 
-- name: Create and start container
+- name: "Create and start {{ 'privileged' if privileged | default(false) else 'unprivileged' }} container"
   containers.podman.podman_container:
-    name: builder
+    name: "{{ container_name | default('builder') }}"
     state: started
     image: '{{ image[distribution] }}'
     command: "sleep 1d"
+    privileged: "{{ privileged | default(false) }}"
 
-- name: Create repo
-  ansible.builtin.shell:
-    podman exec builder mkdir -p /usr/local/src
-
-- name: Copy repo
-  ansible.builtin.shell:
-    podman cp ../../ builder:/usr/local/src/shadow
+- name: Prepare source tree
+  ansible.builtin.shell: |
+    podman exec {{ container_name | default('builder') }} rm -rf /usr/local/src/shadow
+    podman exec {{ container_name | default('builder') }} mkdir -p /usr/local/src
+    podman cp ../../ {{ container_name | default('builder') }}:/usr/local/src/shadow
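Review bot: The new `Prepare source tree` block runs three podman commands, but the task only reports the exit status of the last one, so a failing `podman exec … rm -rf` or `mkdir -p` is silently skipped and the task proceeds to `podman cp`; prefix the script with `set -e` (or split it into three `ansible.builtin.command` tasks, which also avoids interpolating `container_name` into shell text). The `---` document start and the `# tasks file for build_container` header were removed at the top of the hunk, while the playbook in the same commit gains a `---`; yamllint's document-start rule will flag the inconsistency. A one-line comment above `privileged:` noting that a privileged container runs without the usual capability, seccomp and device isolation and is intended only for the filesystem tests would help the next maintainer understand why the default stays `false`.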
index e6d1ca9916bfeca3cb57f29ff4395531f235ea4a..85c3a56d77c0f8179120065606f946d2611394a9 100644 (file)
@@ -9,17 +9,23 @@
       - autoconf
       - automake
       - bash
+      - btrfs-progs
       - build-base
       - cmocka-dev
       - coreutils
+      - cython
       - expect
       - gettext-dev
       - git
       - libbsd-dev
       - libeconf-dev
+      - libssh-dev
       - libtool
       - libxslt
+      - musl-dev
+      - util-linux
       - pkgconf
+      - python3-dev
     state: present
 
 - name: Make sure expect is found
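Review bot: The added packages break the alphabetical order the list kept so far: `musl-dev` and `util-linux` are inserted before `pkgconf`, and `python3-dev` after it. Moving `pkgconf` and `python3-dev` ahead of `util-linux` keeps the list sortable and merge-friendly. Several of the additions (`cython`, `libssh-dev`, `musl-dev`, `python3-dev`) are not mentioned in the commit message; presumably they are build dependencies of the system-test Python requirements, but a short comment above them saying what needs them would save the next reader the guess.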
index cff6fd3450379f6f678aa0355092c4c677bdcf63..0919174770bfa007294c44311b1778f59edbe235 100644 (file)
@@ -9,6 +9,7 @@
 - name: Ensure dependencies are installed
   ansible.builtin.apt:
     name:
+      - btrfs-progs
       - expect
       - gpg
       - libbsd-dev
index 4dbcac86660f8907a19675bdaf0d3830f96276ec..5b48032bbbc6871d71c6d8ed777d35cbf867384e 100644 (file)
@@ -7,6 +7,7 @@
   ansible.builtin.dnf:
     use_backend: dnf4
     name:
+      - btrfs-progs
       - dnf-plugins-core
       - expect
       - gawk
index 5888f4ebe6b0e69d0cc7673ceff6a63256ac1f7b..aeca69c3c32a886b50137ffb06e2fdfb6acefbb4 100644 (file)
@@ -8,6 +8,7 @@
     name:
       - autoconf
       - automake
+      - btrfs-progs
       - diffutils
       - expect
       - gawk
index 1b447564fe8a6ab14c381d5ab24d1f6951782bf9..e4898231e3022c66e69cb29352576ccb3da1bafb 100644 (file)
@@ -3,12 +3,20 @@
 - name: Prepare environment and run system tests
   ansible.builtin.shell: |
     set -ex
-    pushd ../../tests/system/
+    pushd ../../tests/system
+
+    export PYTHONPATH="$(pwd)/../..:${PYTHONPATH}"
+
     python3 -m venv .venv
     source .venv/bin/activate
-    pip3 install -r ./requirements.txt
+    pip3 install -r requirements.txt
+
     exec 3>&1 1> >(tee pytest.log) 2>&1
-    pytest --mh-config=mhc.yaml --mh-lazy-ssh -vvv
+    pytest \
+      --mh-config={{ mhc }} \
+      --mh-lazy-ssh \
+      -vvv
+
     popd
   args:
     executable: /bin/bash
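Review bot: `export PYTHONPATH="$(pwd)/../..:${PYTHONPATH}"` produces a trailing empty entry when PYTHONPATH is unset, and Python treats an empty path entry as the current directory, which is not what the line intends; use `export PYTHONPATH="$(pwd)/../..${PYTHONPATH:+:${PYTHONPATH}}"`. The pytest call now templates `{{ mhc }}` with no default in this role, so running the role without the new playbook wiring fails at template time where it previously used `mhc.yaml` — `--mh-config="{{ mhc | default('mhc.yaml') }}"` preserves the old behaviour and quotes the value. `mhc-privileged.yaml`, which the playbook selects in privileged mode, is not among the files this commit touches, so the privileged run presumably relies on it already existing in tests/system.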
index a0d81eccea54020179f904a47818671301703a30..8fab5663441ad0fa1c725812df53e33f2085cbe8 100755 (executable)
@@ -1,15 +1,24 @@
-#! /bin/bash
-
+#!/usr/bin/env bash
 #
 # SPDX-FileCopyrightText:  2023, Iker Pedrosa <ipedrosa@redhat.com>
 # SPDX-FileCopyrightText:  2024, Iker Pedrosa <ipedrosa@redhat.com>
+# SPDX-FileCopyrightText:  2026, Hadi Chokr <hadichokr@icloud.com>
 #
 # SPDX-License-Identifier:  BSD-3-Clause
 #
-
-set -eE
-cd share/ansible/
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=alpine'
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=debian'
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=fedora'
-ansible-playbook playbook.yml -i inventory.ini -e 'distribution=opensuse'
+set -e
+cd "$(dirname "$0")/ansible"
+PRIVILEGED=false
+for arg in "$@"; do
+    case "$arg" in
+        --privileged)
+            PRIVILEGED=true
+            ;;
+    esac
+done
+for distro in alpine debian fedora opensuse; do
+    ansible-playbook playbook.yml \
+        -i inventory.ini \
+        -e "distribution=${distro}" \
+        -e "privileged_mode=${PRIVILEGED}"
+done
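Review bot: The argument loop silently ignores anything other than `--privileged`, so a mistyped flag runs the unprivileged build with no indication and the filesystem tests then fail for a non-obvious reason; add a default arm `*) echo "usage: $0 [--privileged]" >&2; exit 2 ;;`. The script header lost its description along the way; a comment stating that `--privileged` starts the build container with full host privileges and is only needed for the filesystem-level tests would document the opt-in next to where it is parsed. `set -eE` becoming `set -e` is harmless here since no ERR trap is installed.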