Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v7...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Otherwise the presence of entries in /etc/hosts depends on when the machine was exactly booted

Provides automated migration from existing rootful Foreman deployments to rootless mode, preserving all data and configuration.

Key features:
- Stop and backup rootful deployment
- Transfer volume ownership using podman unshare
- Remove rootful systemd units and Quadlets
- Deploy rootless configuration
- Verify services are running correctly
- Generate migration report with rollback instructions

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Updates all deployment playbooks to include rootless_user role and configure proper execution context.

Key changes:
- Add rootless_user role to deployment sequence
- Update pull-images playbook for rootless context
- Configure development playbooks for rootless mode
- Ensure proper ordering of rootless setup

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Allow Python 3.9 to open text/x-python files in /var/tmp/ to fix Ansible module execution issues with fapolicyd enabled.

Updates all test fixtures and assertions to work with rootless container deployment.

Key changes:
- Add user fixture to provide foremanctl_user context
- Update service status checks to query user systemd
- Modify container inspection to use rootless Podman
- Adjust path expectations for user-scoped resources
- Update test helpers for XDG_RUNTIME_DIR context

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Updates GitHub Actions workflow to pass rootless user context to tests and use proper systemctl invocation for user services.

Key changes:
- Pass --user=foremanctl to pytest for rootless test context
- Use systemctl --machine=foremanctl@ --user for service control
- Ensure tests run against rootless deployment

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

These packages provide the network stack, DNS resolution, and improved port forwarding required for custom networks in rootless Podman deployments.

- netavark: Modern network stack for Podman 4+
- aardvark-dns: DNS server for container name resolution
- passt: High-performance port forwarding alternative to slirp4netns

Tests verify:
- Network packages installation (netavark, aardvark-dns, pasta)
- Podman using netavark backend
- Rootless user can create private networks
- DNS resolution between containers via aardvark-dns

Provides a reusable role to create custom Podman networks in rootless deployments.

Supports configuration of:
- Network driver and topology
- Custom subnets and gateways
- DNS servers
- Internal-only networks
- IPv6 support
- Network options and labels

Networks enable container-to-container communication via DNS names provided by aardvark-dns.

Tests verify:
- Network creation via the role
- Network properties (driver, DNS enabled)
- Container-to-container connectivity using DNS names
- Multi-network container support
- Network isolation between separate networks
- Custom subnet and gateway configuration

All tests are designed for rootless mode and handle cleanup.

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>
Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>
Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>
Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>
Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use runuser -l {user} -s /bin/bash to run commands as the rootless user
from tests. This avoids the CWD inheritance problem of sudo (which fails
when the caller CWD is /root, inaccessible to the rootless user) while
correctly propagating the inner command exit code -- unlike machinectl
shell, which always exits 0.
XDG_RUNTIME_DIR is set explicitly so rootless podman can locate its socket.
runuser is provided by util-linux, which is always installed on RHEL.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
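
An added example, not code from this pull request: one way a test helper could build the `runuser` invocation that the commit message above describes, with the inner command quoted so its arguments cannot change the shell line. The names `rootless_argv` and `run_rootless`, the user-name check and the `/run/user/<uid>` runtime path are assumptions of this sketch.

```python
import re
import shlex
import subprocess

# Conservative login-name pattern (an assumption of this example). It rejects
# names that start with "-", so the user can never be parsed as an option.
_USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def rootless_argv(user, uid, command):
    """Return the argv that runs `command` (a list of words) as `user`.

    `-l` gives a login shell, so the inner command starts in the user's home
    rather than the caller's CWD. A login shell also resets the environment,
    so XDG_RUNTIME_DIR is exported inside the inner shell.
    """
    if not _USER_RE.fullmatch(user):
        raise ValueError(f"unsafe user name: {user!r}")
    if isinstance(uid, bool) or not isinstance(uid, int) or uid < 0:
        raise ValueError(f"uid must be a non-negative integer: {uid!r}")
    # shlex.join quotes every word, so metacharacters in arguments stay data.
    inner = f"export XDG_RUNTIME_DIR=/run/user/{uid}; exec {shlex.join(command)}"
    return ["runuser", "-l", user, "-s", "/bin/bash", "-c", inner]


def run_rootless(user, uid, command, runner=subprocess.run):
    """Run `command` as `user`; return the inner command's exit status."""
    # `exec` replaces the shell, so runuser reports the command's own status.
    return runner(rootless_argv(user, uid, command), check=False).returncode
```
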

Test that iop-core-network has the expected properties (internal=true, isolate=true) and that containers on it cannot reach containers on other Podman networks, verifying the isolate=true nftables enforcement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
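
An added example, not code from this pull request: a property check of the kind the commit message above describes, run over `podman network inspect` JSON. The sample output is constructed and follows the netavark JSON layout; the second network name `example-frontend` and the function name `isolation_findings` are hypothetical.

```python
import json

# Constructed sample of `podman network inspect` output (not captured from a
# real host). Only the fields the check reads are meaningful here.
SAMPLE_INSPECT = """
[
  {"name": "iop-core-network", "driver": "bridge", "internal": true,
   "dns_enabled": true, "options": {"isolate": "true"}},
  {"name": "example-frontend", "driver": "bridge", "internal": false,
   "dns_enabled": true}
]
"""


def isolation_findings(inspect_json, name):
    """Return the reasons network `name` is not internal and isolated.

    An empty list means both expected properties are present.
    """
    networks = {n.get("name"): n for n in json.loads(inspect_json)}
    net = networks.get(name)
    if net is None:
        return [f"network {name!r} not found"]

    findings = []
    # internal=true: the network gets no route to the outside.
    if net.get("internal") is not True:
        findings.append(f"internal is {net.get('internal')!r}, expected true")
    # Options are stored as strings; a missing key means isolation is off.
    isolate = (net.get("options") or {}).get("isolate")
    if str(isolate).lower() != "true":
        findings.append(f"isolate is {isolate!r}, expected 'true'")
    return findings
```

A property check like this only confirms configuration; the connectivity test between containers on separate networks is what verifies enforcement.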

Ansible become_user to an unprivileged user requires setfacl to set permissions on its temporary files. CentOS 10 ships a version that does not accept the A+user ACL format Ansible uses, causing the task to fail. Run the task as root (the playbook connection user) and set owner/group explicitly instead, which sidesteps the ACL requirement entirely.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CentOS 10 ships a version of the ACL tools that does not accept the A+user:...:allow format that Ansible uses to grant become_user targets read access to its temporary files, causing all tasks with become_user to fail. Enabling pipelining makes Ansible send task code via stdin instead of writing temp files, which eliminates the need for setfacl/ACLs entirely.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CentOS 10 no longer installs the acl package by default. Without it, setfacl is unavailable and Ansible falls back to calling chmod with ACL-format arguments it does not understand, causing all become_user tasks to fail with 'chmod: invalid mode: A+user:...:rx:allow'. Installing acl restores setfacl availability and the standard privilege escalation path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

foreman-selinux packages are not yet available for EL10. Skip the install on EL10 until the Foreman project publishes EL10 packages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

No description provided.