From 64f915a5c7bdf7f730dcca627190ff2448aa9c56 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Wed, 4 Oct 2023 14:01:51 -0600
Subject: [PATCH] feat: support for ostree systems

Feature: Allow running and testing the role with ostree managed nodes.

Reason: We have users who want to use the role to manage ostree
systems.

Result: Users can use the role to manage ostree managed nodes.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
---
 .ansible-lint                           |   2 +
 .ostree/README.md                       |   3 +
 .ostree/get_ostree_data.sh              | 123 ++++++++++++++++++++++++
 .ostree/packages-runtime-CentOS-7.txt   |   1 +
 .ostree/packages-runtime-CentOS-8.txt   |   1 +
 .ostree/packages-runtime-Fedora.txt     |   1 +
 .ostree/packages-runtime-RedHat-7.txt   |   1 +
 .ostree/packages-runtime-RedHat-8.txt   |   1 +
 .ostree/packages-runtime-RedHat-9.txt   |   1 +
 .ostree/packages-runtime.txt            |  12 +++
 .ostree/packages-testing-CentOS-7.txt   |   1 +
 .ostree/packages-testing-CentOS-8.txt   |   1 +
 .ostree/packages-testing-Fedora.txt     |   1 +
 .ostree/packages-testing-RedHat-7.txt   |   1 +
 .ostree/packages-testing-RedHat-8.txt   |   1 +
 .ostree/packages-testing-RedHat-9.txt   |   1 +
 .ostree/packages-testing.txt            |  12 +++
 .ostree/roles-runtime.txt               |   3 +
 .ostree/roles-testing.txt               |   1 +
 .sanity-ansible-ignore-2.12.txt         |   1 +
 .sanity-ansible-ignore-2.13.txt         |   1 +
 .sanity-ansible-ignore-2.14.txt         |   1 +
 .sanity-ansible-ignore-2.15.txt         |   1 +
 .sanity-ansible-ignore-2.9.txt          |   1 +
 README-ostree.md                        |  66 +++++++++++++
 README.md                               |  14 ++-
 defaults/main.yml                       |   2 +-
 meta/collection-requirements.yml        |   2 +
 roles/rsyslog/tasks/main_core.yml       |  51 +++++++---
 roles/rsyslog/tasks/set_vars.yml        |  18 ++++
 roles/rsyslog/templates/rsyslog.conf.j2 |   9 ++
 roles/rsyslog/vars/main.yml             |   4 +-
 tests/tasks/create_tests_certs.yml      |  60 ------------
 tests/tasks/test_logger.yml             |  34 ++++---
 tests/tests_enabled.yml                 |   4 +-
 tests/tests_purge_reset.yml             |  21 +++-
 36 files changed, 365 insertions(+), 93 deletions(-)
 create mode 100644 .ostree/README.md
 create mode 100755 .ostree/get_ostree_data.sh
 create mode 100644 .ostree/packages-runtime-CentOS-7.txt
 create mode 100644 .ostree/packages-runtime-CentOS-8.txt
 create mode 100644 .ostree/packages-runtime-Fedora.txt
 create mode 100644 .ostree/packages-runtime-RedHat-7.txt
 create mode 100644 .ostree/packages-runtime-RedHat-8.txt
 create mode 100644 .ostree/packages-runtime-RedHat-9.txt
 create mode 100644 .ostree/packages-runtime.txt
 create mode 100644 .ostree/packages-testing-CentOS-7.txt
 create mode 100644 .ostree/packages-testing-CentOS-8.txt
 create mode 100644 .ostree/packages-testing-Fedora.txt
 create mode 100644 .ostree/packages-testing-RedHat-7.txt
 create mode 100644 .ostree/packages-testing-RedHat-8.txt
 create mode 100644 .ostree/packages-testing-RedHat-9.txt
 create mode 100644 .ostree/packages-testing.txt
 create mode 100644 .ostree/roles-runtime.txt
 create mode 100644 .ostree/roles-testing.txt
 create mode 100644 .sanity-ansible-ignore-2.12.txt
 create mode 100644 .sanity-ansible-ignore-2.13.txt
 create mode 100644 .sanity-ansible-ignore-2.14.txt
 create mode 100644 .sanity-ansible-ignore-2.15.txt
 create mode 100644 .sanity-ansible-ignore-2.9.txt
 create mode 100644 README-ostree.md
 delete mode 100644 tests/tasks/create_tests_certs.yml

diff --git a/.ansible-lint b/.ansible-lint
index 96e17227..4d6ee007 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -22,3 +22,5 @@ exclude_paths:
   - examples/roles/
 mock_roles:
   - linux-system-roles.logging
+mock_modules:
+  - ansible.utils.update_fact
diff --git a/.ostree/README.md b/.ostree/README.md
new file mode 100644
index 00000000..f5e6931b
--- /dev/null
+++ b/.ostree/README.md
@@ -0,0 +1,3 @@
+*NOTE*: The `*.txt` files are used by `get_ostree_data.sh` to create the lists
+of packages, and to find other system roles used by this role.  DO NOT use them
+directly.
diff --git a/.ostree/get_ostree_data.sh b/.ostree/get_ostree_data.sh
new file mode 100755
index 00000000..7c325241
--- /dev/null
+++ b/.ostree/get_ostree_data.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+set -euo pipefail
+
+role_collection_dir="${ROLE_COLLECTION_DIR:-fedora/linux_system_roles}"
+ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}"
+
+if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then
+    cat <<EOF
+Usage: $0 packages [runtime|testing] DISTRO-MAJOR[.MINOR] [json|yaml|raw|toml]
+The script will use the packages and roles files in $ostree_dir to
+construct the list of packages needed to build the ostree image.  The script
+will output the list of packages in the given format
+- json is a JSON list like ["pkg1","pkg2",....,"pkgN"]
+- yaml is the YAML list format
+- raw is the list of packages, one per line
+- toml is a list of [[packages]] elements as in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line
+The DISTRO-MAJOR.MINOR is the same format used by Ansible for distribution e.g. CentOS-8, RedHat-8.9, etc.
+EOF
+    exit 1
+fi
+category="$1"
+pkgtype="$2"
+distro_ver="$3"
+format="$4"
+pkgtypes=("$pkgtype")
+if [ "$pkgtype" = testing ]; then
+    pkgtypes+=(runtime)
+fi
+
+get_rolepath() {
+    local ostree_dir role rolesdir roles_parent_dir
+    ostree_dir="$1"
+    role="$2"
+    roles_parent_dir="$(dirname "$(dirname "$ostree_dir")")"
+    rolesdir="$roles_parent_dir/$role/.ostree"
+    # assumes collection format
+    if [ -d "$rolesdir" ]; then
+        echo "$rolesdir"
+        return 0
+    fi
+    # assumes legacy role format like linux-system-roles.$role/
+    for rolesdir in "$roles_parent_dir"/*-system-roles."$role"/.ostree; do
+        if [ -d "$rolesdir" ]; then
+          echo "$rolesdir"
+          return 0
+        fi
+    done
+    # look elsewhere
+    if [ -n "${ANSIBLE_COLLECTIONS_PATHS:-}" ]; then
+        for pth in ${ANSIBLE_COLLECTIONS_PATHS//:/ }; do
+            rolesdir="$pth/ansible_collections/$role_collection_dir/roles/$role/.ostree"
+            if [ -d "$rolesdir" ]; then
+                echo "$rolesdir"
+                return 0
+            fi
+        done
+    fi
+    return 1
+}
+
+get_packages() {
+    local ostree_dir pkgtype pkgfile rolefile
+    ostree_dir="$1"
+    for pkgtype in "${pkgtypes[@]}"; do
+        for suff in "" "-$distro" "-${distro}-${major_ver}" "-${distro}-${ver}"; do
+            pkgfile="$ostree_dir/packages-${pkgtype}${suff}.txt"
+            if [ -f "$pkgfile" ]; then
+                cat "$pkgfile"
+            fi
+        done
+        rolefile="$ostree_dir/roles-${pkgtype}.txt"
+        if [ -f "$rolefile" ]; then
+            local roles role rolepath
+            roles="$(cat "$rolefile")"
+            for role in $roles; do
+                rolepath="$(get_rolepath "$ostree_dir" "$role")"
+                get_packages "$rolepath"
+            done
+        fi
+    done | sort -u
+}
+
+format_packages_json() {
+    local comma pkgs pkg
+    comma=""
+    pkgs="["
+    while read -r pkg; do
+        pkgs="${pkgs}${comma}\"${pkg}\""
+        comma=,
+    done
+    pkgs="${pkgs}]"
+    echo "$pkgs"
+}
+
+format_packages_raw() {
+    cat
+}
+
+format_packages_yaml() {
+    while read -r pkg; do
+        echo "- $pkg"
+    done
+}
+
+format_packages_toml() {
+    while read -r pkg; do
+        echo "[[packages]]"
+        echo "name = \"$pkg\""
+        echo "version = \"*\""
+    done
+}
+
+distro="${distro_ver%%-*}"
+ver="${distro_ver##*-}"
+if [[ "$ver" =~ ^([0-9]*) ]]; then
+    major_ver="${BASH_REMATCH[1]}"
+else
+    echo ERROR: cannot parse major version number from version "$ver"
+    exit 1
+fi
+
+"get_$category" "$ostree_dir" | "format_${category}_$format"
diff --git a/.ostree/packages-runtime-CentOS-7.txt b/.ostree/packages-runtime-CentOS-7.txt
new file mode 100644
index 00000000..bae53550
--- /dev/null
+++ b/.ostree/packages-runtime-CentOS-7.txt
@@ -0,0 +1 @@
+policycoreutils-python
diff --git a/.ostree/packages-runtime-CentOS-8.txt b/.ostree/packages-runtime-CentOS-8.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-runtime-CentOS-8.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-runtime-Fedora.txt b/.ostree/packages-runtime-Fedora.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-runtime-Fedora.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-runtime-RedHat-7.txt b/.ostree/packages-runtime-RedHat-7.txt
new file mode 100644
index 00000000..bae53550
--- /dev/null
+++ b/.ostree/packages-runtime-RedHat-7.txt
@@ -0,0 +1 @@
+policycoreutils-python
diff --git a/.ostree/packages-runtime-RedHat-8.txt b/.ostree/packages-runtime-RedHat-8.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-runtime-RedHat-8.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-runtime-RedHat-9.txt b/.ostree/packages-runtime-RedHat-9.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-runtime-RedHat-9.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-runtime.txt b/.ostree/packages-runtime.txt
new file mode 100644
index 00000000..927549b4
--- /dev/null
+++ b/.ostree/packages-runtime.txt
@@ -0,0 +1,12 @@
+ca-certificates
+iproute
+libestr
+libfastjson
+liblognorm
+librelp
+rsyslog
+rsyslog-elasticsearch
+rsyslog-gnutls
+rsyslog-mmjsonparse
+rsyslog-mmnormalize
+rsyslog-relp
diff --git a/.ostree/packages-testing-CentOS-7.txt b/.ostree/packages-testing-CentOS-7.txt
new file mode 100644
index 00000000..bae53550
--- /dev/null
+++ b/.ostree/packages-testing-CentOS-7.txt
@@ -0,0 +1 @@
+policycoreutils-python
diff --git a/.ostree/packages-testing-CentOS-8.txt b/.ostree/packages-testing-CentOS-8.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-testing-CentOS-8.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-testing-Fedora.txt b/.ostree/packages-testing-Fedora.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-testing-Fedora.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-testing-RedHat-7.txt b/.ostree/packages-testing-RedHat-7.txt
new file mode 100644
index 00000000..bae53550
--- /dev/null
+++ b/.ostree/packages-testing-RedHat-7.txt
@@ -0,0 +1 @@
+policycoreutils-python
diff --git a/.ostree/packages-testing-RedHat-8.txt b/.ostree/packages-testing-RedHat-8.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-testing-RedHat-8.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-testing-RedHat-9.txt b/.ostree/packages-testing-RedHat-9.txt
new file mode 100644
index 00000000..8ce61d7a
--- /dev/null
+++ b/.ostree/packages-testing-RedHat-9.txt
@@ -0,0 +1 @@
+policycoreutils-python-utils
diff --git a/.ostree/packages-testing.txt b/.ostree/packages-testing.txt
new file mode 100644
index 00000000..5965535d
--- /dev/null
+++ b/.ostree/packages-testing.txt
@@ -0,0 +1,12 @@
+ca-certificates
+libestr
+libfastjson
+liblognorm
+librelp
+lsof
+rsyslog
+rsyslog-elasticsearch
+rsyslog-gnutls
+rsyslog-mmjsonparse
+rsyslog-mmnormalize
+rsyslog-relp
diff --git a/.ostree/roles-runtime.txt b/.ostree/roles-runtime.txt
new file mode 100644
index 00000000..3bfffc9b
--- /dev/null
+++ b/.ostree/roles-runtime.txt
@@ -0,0 +1,3 @@
+certificate
+firewall
+selinux
diff --git a/.ostree/roles-testing.txt b/.ostree/roles-testing.txt
new file mode 100644
index 00000000..a651b206
--- /dev/null
+++ b/.ostree/roles-testing.txt
@@ -0,0 +1 @@
+selinux
diff --git a/.sanity-ansible-ignore-2.12.txt b/.sanity-ansible-ignore-2.12.txt
new file mode 100644
index 00000000..04f05340
--- /dev/null
+++ b/.sanity-ansible-ignore-2.12.txt
@@ -0,0 +1 @@
+roles/logging/.ostree/get_ostree_data.sh shebang!skip
diff --git a/.sanity-ansible-ignore-2.13.txt b/.sanity-ansible-ignore-2.13.txt
new file mode 100644
index 00000000..04f05340
--- /dev/null
+++ b/.sanity-ansible-ignore-2.13.txt
@@ -0,0 +1 @@
+roles/logging/.ostree/get_ostree_data.sh shebang!skip
diff --git a/.sanity-ansible-ignore-2.14.txt b/.sanity-ansible-ignore-2.14.txt
new file mode 100644
index 00000000..04f05340
--- /dev/null
+++ b/.sanity-ansible-ignore-2.14.txt
@@ -0,0 +1 @@
+roles/logging/.ostree/get_ostree_data.sh shebang!skip
diff --git a/.sanity-ansible-ignore-2.15.txt b/.sanity-ansible-ignore-2.15.txt
new file mode 100644
index 00000000..04f05340
--- /dev/null
+++ b/.sanity-ansible-ignore-2.15.txt
@@ -0,0 +1 @@
+roles/logging/.ostree/get_ostree_data.sh shebang!skip
diff --git a/.sanity-ansible-ignore-2.9.txt b/.sanity-ansible-ignore-2.9.txt
new file mode 100644
index 00000000..04f05340
--- /dev/null
+++ b/.sanity-ansible-ignore-2.9.txt
@@ -0,0 +1 @@
+roles/logging/.ostree/get_ostree_data.sh shebang!skip
diff --git a/README-ostree.md b/README-ostree.md
new file mode 100644
index 00000000..a9f0185b
--- /dev/null
+++ b/README-ostree.md
@@ -0,0 +1,66 @@
+# rpm-ostree
+
+The role supports running on [rpm-ostree](https://coreos.github.io/rpm-ostree/)
+systems. The primary issue is that the `/usr` filesystem is read-only, and the
+role cannot install packages. Instead, it will just verify that the necessary
+packages and any other `/usr` files are pre-installed. The role will change the
+package manager to one that is compatible with `rpm-ostree` systems.
+
+## Building
+
+To build an ostree image for a particular operating system distribution and
+version, use the script `.ostree/get_ostree_data.sh` to get the list of
+packages. If the role uses other system roles, then the script will include the
+packages for the other roles in the list it outputs.  The list of packages will
+be sorted in alphanumeric order.
+
+Usage:
+
+```bash
+.ostree/get_ostree_data.sh packages runtime DISTRO-VERSION FORMAT
+```
+
+`DISTRO-VERSION` is in the format that Ansible uses for `ansible_distribution`
+and `ansible_distribution_version` - for example, `Fedora-38`, `CentOS-8`,
+`RedHat-9.4`
+
+`FORMAT` is one of `toml`, `json`, `yaml`, `raw`
+
+* `toml` - each package in a TOML `[[packages]]` element
+
+```toml
+[[packages]]
+name = "package-a"
+version = "*"
+[[packages]]
+name = "package-b"
+version = "*"
+...
+```
+
+* `yaml` - a YAML list of packages
+
+```yaml
+- package-a
+- package-b
+...
+```
+
+* `json` - a JSON list of packages
+
+```json
+["package-a","package-b",...]
+```
+
+* `raw` - a plain text list of packages, one per line
+
+```bash
+package-a
+package-b
+...
+```
+
+What format you choose depends on which image builder you are using.  For
+example, if you are using something based on
+[osbuild-composer](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line),
+you will probably want to use the `toml` output format.
diff --git a/README.md b/README.md
index 9fe02dd2..26429e01 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,11 @@ If the `logging` is a role from the `fedora.linux_system_roles`
 collection or from the Fedora RPM package, the requirement is already
 satisfied.
 
-Otherwise, please run the following command line to install the collection.
+The role requires external collections for management of `rpm-ostree` nodes.
+These are listed in the `meta/collection-requirements.yml`.  You do not need
+them if you do not want to manage `rpm-ostree` systems.
+
+If you need to install additional collections based on the above, please run:
 
 ```bash
 ansible-galaxy collection install -r meta/collection-requirements.yml
@@ -421,7 +425,9 @@ These variables are set in the same level of the `logging_inputs`, `logging_outp
   If `/etc/rsyslog.conf` was modified, and you use `logging_purge_confs: true`,
   and you are not providing any `logging_inputs`, then the `rsyslog` package
   will be uninstalled and reinstalled in order to revert back to the original
-  system default configuration.
+  system default configuration.  On `ostree` systems, this does not work, so a minimal
+  rsyslog.conf will be used, which is *not* the same as the default rsyslog.conf provided
+  by the rpm package.  So please use caution if you use this option on `ostree` systems.
 * `logging_system_log_dir`: Directory where the local log output files are placed. Default to `/var/log`.
 * `logging_manage_firewall`: If set to `true` and ports are found in the logging role
   parameters, configure the firewall for the ports using the firewall role.
@@ -922,3 +928,7 @@ syslogd_port_t        udp   514, 601, 20514
 ## Tests
 
 tests/README.md - This documentation shows how to execute CI tests in the tests directory as well as how to debug when the test fails.
+
+## rpm-ostree
+
+See README-ostree.md
diff --git a/defaults/main.yml b/defaults/main.yml
index 81b41e04..e16f6bae 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -113,7 +113,7 @@ __logging_required_facts:
   - distribution_major_version
   - distribution_version
   - os_family
-  - default_ipv4
+  - default_ipv4  # requires the iproute package for the ip command
 
 # the subsets of ansible_facts that need to be gathered in case any of the
 # facts in required_facts is missing; see the documentation of
diff --git a/meta/collection-requirements.yml b/meta/collection-requirements.yml
index d2b6e5bc..e22fbe02 100644
--- a/meta/collection-requirements.yml
+++ b/meta/collection-requirements.yml
@@ -1,4 +1,6 @@
 # SPDX-License-Identifier: MIT
 ---
 collections:
+  - ansible.posix
+  - ansible.utils
   - fedora.linux_system_roles
diff --git a/roles/rsyslog/tasks/main_core.yml b/roles/rsyslog/tasks/main_core.yml
index 2045ff2c..bba6f57a 100644
--- a/roles/rsyslog/tasks/main_core.yml
+++ b/roles/rsyslog/tasks/main_core.yml
@@ -4,9 +4,12 @@
 # if inputs are given and rsyslog_enabled is true, rsyslog.conf will be
 # overwritten, so no need to reinstall package
 - name: Reinstall package to restore rsyslog config if purging
+  vars:
+    ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
   when:
     - logging_purge_confs | bool | d(false)
     - not (rsyslog_inputs and __rsyslog_enabled | bool)
+    - not ansible_facts.pkg_mgr | d() == ostree_pkg_mgr
   block:
     # it is assumed that the only packages providing config files that might
     # be modified are the base packages - if this is not so, then additional
@@ -100,21 +103,6 @@
         group: 'root'
         mode: '0755'
 
-    - name: Get mode of rsyslog.conf if it exists
-      stat:
-        path: /etc/rsyslog.conf
-      register: __rsyslog_register_stat_conf
-
-    - name: Generate main rsyslog configuration
-      template:
-        src: 'rsyslog.conf.j2'
-        dest: '/etc/rsyslog.conf'
-        mode: "{{ __rsyslog_register_stat_conf.stat.mode | d('0700') }}"
-      when:
-        - __rsyslog_enabled | bool
-        - rsyslog_inputs | d([])
-      notify: Restart rsyslogd
-
     - name: Generate global rule to add to __rsyslog_common_rules
       vars:
         __rsyslog_global_common_rule:
@@ -394,3 +382,36 @@
   when:
     - __rsyslog_failed_validation | d(false)
     - rsyslog_in_image | default(false) | bool
+
+- name: Create or recreate main config file
+  vars:
+    ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
+    is_ostree: "{{ ansible_facts.pkg_mgr | d() == ostree_pkg_mgr }}"
+    __rsyslog_generate_conf: "{{ is_ostree |
+      ternary(true,
+              __rsyslog_enabled and rsyslog_inputs | d([]) | length > 0) }}"
+  when: __rsyslog_generate_conf | bool
+  block:
+    - name: See if there are any config files
+      find:
+        paths: "{{ __rsyslog_config_dir }}"
+        patterns: "*.conf"
+      register: __rsyslog_find_result
+      when: is_ostree | bool
+
+    - name: Get mode of rsyslog.conf if it exists
+      stat:
+        path: /etc/rsyslog.conf
+      register: __rsyslog_register_stat_conf
+      when: __rsyslog_generate_conf | bool
+
+    - name: Generate main rsyslog configuration
+      template:
+        src: 'rsyslog.conf.j2'
+        dest: '/etc/rsyslog.conf'
+        mode: "{{ __rsyslog_register_stat_conf.stat.mode | d('0700') }}"
+      notify: Restart rsyslogd
+      when: __rsyslog_generate_conf | bool
+      vars:
+        __rsyslog_has_config_files: "{{ __rsyslog_find_result.matched > 0
+          if is_ostree else true }}"
diff --git a/roles/rsyslog/tasks/set_vars.yml b/roles/rsyslog/tasks/set_vars.yml
index d6be3aaf..dbc28524 100644
--- a/roles/rsyslog/tasks/set_vars.yml
+++ b/roles/rsyslog/tasks/set_vars.yml
@@ -7,6 +7,24 @@
   when: __logging_required_facts |
     difference(ansible_facts.keys() | list) | length > 0
 
+- name: Ensure correct package manager for ostree systems
+  vars:
+    ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
+    ostree_booted_file: /run/ostree-booted
+  when: ansible_facts.pkg_mgr | d("") != ostree_pkg_mgr
+  block:
+    - name: Check if system is ostree
+      stat:
+        path: "{{ ostree_booted_file }}"
+      register: __ostree_booted_stat
+
+    - name: Set package manager to use for ostree
+      ansible.utils.update_fact:
+        updates:
+          - path: ansible_facts.pkg_mgr
+            value: "{{ ostree_pkg_mgr }}"
+      when: __ostree_booted_stat.stat.exists
+
 - name: Set platform/version specific variables
   include_vars: "{{ item }}"
   loop:
diff --git a/roles/rsyslog/templates/rsyslog.conf.j2 b/roles/rsyslog/templates/rsyslog.conf.j2
index 3f988c74..a288cb58 100644
--- a/roles/rsyslog/templates/rsyslog.conf.j2
+++ b/roles/rsyslog/templates/rsyslog.conf.j2
@@ -3,4 +3,13 @@
 #
 # Include all config files in {{ __rsyslog_config_dir }}
 #
+{# it is an error to include files if the directory is empty #}
+{% if __rsyslog_has_config_files %}
 $IncludeConfig {{ __rsyslog_config_dir }}/*.conf
+{% else %}
+{# must have something or rsyslog will fail to start #}
+{# this will be overwritten the next time rsyslog is configured #}
+{# with actual files #}
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+{% endif %}
diff --git a/roles/rsyslog/vars/main.yml b/roles/rsyslog/vars/main.yml
index ecae4b18..938b81a3 100644
--- a/roles/rsyslog/vars/main.yml
+++ b/roles/rsyslog/vars/main.yml
@@ -3,7 +3,9 @@
 # __rsyslog_base_packages
 #
 # List of default rpm packages to install.
-__rsyslog_base_packages: ['rsyslog']
+# NOTE: iproute is needed for the ip command which
+# is needed for the default_ipv4 fact
+__rsyslog_base_packages: ['iproute', 'rsyslog']
 
 # rsyslog configuration directory
 __rsyslog_config_dir: /etc/rsyslog.d
diff --git a/tests/tasks/create_tests_certs.yml b/tests/tasks/create_tests_certs.yml
deleted file mode 100644
index f5f8be60..00000000
--- a/tests/tasks/create_tests_certs.yml
+++ /dev/null
@@ -1,60 +0,0 @@
----
-- name: Ensure openssl exists
-  package:
-    name:
-      - openssl
-    state: present
-
-- name: Ensure /etc/pki/CA exists
-  file:
-    path: /etc/pki/CA
-    state: directory
-    mode: 0755
-
-- name: Ensure /etc/pki/CA exists
-  file:
-    path: /etc/pki/CA/certs
-    state: directory
-    mode: 0755
-
-- name: Ensure /etc/pki/CA exists
-  file:
-    path: /etc/pki/CA/private
-    state: directory
-    mode: 0755
-
-- name: Generate a self signed CA cert and the CA key
-  command: >-
-    openssl req -x509 -newkey rsa:2048 -nodes
-    -keyout "{{ __test_ca_key }}" -out "{{ __test_ca_cert }}"
-    -subj "/CN=test-ca/OU=system-roles/DC=fedora/DC=org"
-  changed_when: false
-
-- name: Verify CA cert
-  command: >-
-    openssl x509 -text -in "{{ __test_ca_cert }}" -noout
-  changed_when: false
-
-- name: Generate a server/client key
-  command: openssl genrsa -out "{{ __test_key }}"
-  changed_when: false
-
-- name: Generate a server Certificate Signing Request
-  command: >-
-    openssl req -new -key "{{ __test_key }}"
-    -out "{{ __test_cert_csr }}"
-    -subj "/C=US/O=Fedora/DC=fedora/CN=logging.fedora.org"
-  changed_when: false
-
-- name: "Generate a server/client cert using the key,
-  and signed by the self signed CA"
-  command: >-
-    openssl x509 -req -in "{{ __test_cert_csr }}"
-    -CA "{{ __test_ca_cert }}" -CAkey "{{ __test_ca_key }}"
-    -CAcreateserial -out "{{ __test_cert }}"
-  changed_when: false
-
-- name: Verify the server/client cert
-  command: >-
-    openssl x509 -text -in "{{ __test_cert }}" -noout
-  changed_when: false
diff --git a/tests/tasks/test_logger.yml b/tests/tasks/test_logger.yml
index 239bf5fa..1964f641 100644
--- a/tests/tasks/test_logger.yml
+++ b/tests/tasks/test_logger.yml
@@ -1,18 +1,18 @@
 ---
-- name: Run logger to generate a test log message
-  vars:
-    __logging_tag: "testTag{{ __logging_index }}"
-    __logging_message: "testMessage{{ __logging_index }}"
-  command: "/bin/logger -i -p local6.info -t {{ __logging_tag }}
-    {{ __logging_message }}"
-  changed_when: false
-
 - name: Check test log and check for errors
+  vars:
+    __logging_message: testMessage{{ __logging_index }}
+    __logging_tag: testTag{{ __logging_index }}
   block:
+    - name: Run logger to generate a test log message
+      command: >-
+        /bin/logger -i -p local6.info -t {{ __logging_tag | quote }}
+        {{ __logging_message | quote }}
+      changed_when: false
+
     - name: Check the test log message in {{ __default_system_log }}
-      vars:
-        __logging_message: "testMessage{{ __logging_index }}"
-      command: /bin/grep "{{ __logging_message }}" "{{ __logging_file }}"
+      command: >-
+        /bin/grep {{ __logging_message | quote }} {{ __logging_file | quote }}
       register: __result
       until: __result is success
       retries: 60
@@ -20,7 +20,17 @@
       changed_when: false
   rescue:
     - name: See what's in logging file if the test fails
-      command: tail -100 {{ __logging_file }}
+      command: tail -100 {{ __logging_file | quote }}
+      changed_when: false
+
+    - name: Collect system information upon failure
+      shell: |
+        echo ############
+        journalctl -u rsyslog
+        echo ############
+        cat /etc/rsyslog.conf
+        echo ############
+        ls -alrtF /etc/rsyslog.d
       changed_when: false
 
     - name: Fail if the message was not printed
diff --git a/tests/tests_enabled.yml b/tests/tests_enabled.yml
index ef555865..64cd1374 100644
--- a/tests/tests_enabled.yml
+++ b/tests/tests_enabled.yml
@@ -40,8 +40,10 @@
 
     - name: Ensure config file size and counts
       vars:
+        ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
         __conf_count: 0
-        __conf_size: more
+        __conf_size: "{{ 'less' if ansible_facts.pkg_mgr | d() == ostree_pkg_mgr
+          else 'more' }}"
         __conf_files: []
         __check_systemctl_status: true
       include_tasks: tasks/check_daemon_config_files.yml
diff --git a/tests/tests_purge_reset.yml b/tests/tests_purge_reset.yml
index d07d1db1..ca98f239 100644
--- a/tests/tests_purge_reset.yml
+++ b/tests/tests_purge_reset.yml
@@ -6,7 +6,25 @@
   hosts: all
   vars:
     __test_default_files_conf: /etc/rsyslog.d/30-output-files-default_files.conf
+    ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
   tasks:
+    - name: Ensure correct package manager for ostree systems
+      vars:
+        ostree_booted_file: /run/ostree-booted
+      when: ansible_facts.pkg_mgr | d("") != ostree_pkg_mgr
+      block:
+        - name: Check if system is ostree
+          stat:
+            path: "{{ ostree_booted_file }}"
+          register: __ostree_booted_stat
+
+        - name: Set package manager to use for ostree
+          ansible.utils.update_fact:
+            updates:
+              - path: ansible_facts.pkg_mgr
+                value: "{{ ostree_pkg_mgr }}"
+          when: __ostree_booted_stat.stat.exists
+
     - name: Ensure rsyslog is installed
       package:
         name: rsyslog
@@ -100,7 +118,8 @@
     - name: Ensure config file size and counts
       vars:
         __conf_count: 0
-        __conf_size: more
+        __conf_size: "{{ 'less' if ansible_facts.pkg_mgr | d() == ostree_pkg_mgr
+          else 'more' }}"
         __check_systemctl_status: true
       include_tasks: tasks/check_daemon_config_files.yml