Update ansible-prostgres role

Deprecate Fedora 28
Add Debian Buster to roles meta data.

Use the upstream version of postgres role from galaxy:
* Remove stale debian postgresql workarounds

Fix molecule tests:
* Reenable tests on Centos7
* Enable tests on Fedora 30
* Install langpack on fedora
* Make containers unprivileged.
* Hotfix systemd unit for redis on debian in unprivileged containers
* Add NET capabilities for iptables operation

fixes #5473
https://pulp.plan.io/issues/5473

README.md

@@ -15,8 +15,8 @@ must have Python 3 and Ansible installed.
 The [managed node](https://docs.ansible.com/ansible/2.5/network/getting_started/basic_concepts.html#managed-nodes)
 must be one of these currently supported operating systems:
 * CentOS 7
+* Debian Buster
 * Fedora 29 or later
-* Fedora 28 (deprecated)
 
 Variables
 ---------

molecule/default/debian-redis-server.service

@@ -0,0 +1 @@
+../scenario_resources/debian-redis-server.service

molecule/default/molecule.yml

@@ -6,18 +6,30 @@ driver:
   name: docker
 lint:
   name: yamllint
+# This is ignored by molecule, but can be reused in yaml
+.platform_base: &platform_base
+  privileged: False
+  volumes:
+    - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  tmpfs:
+    - /tmp
+    - /run
+    - /run/lock
+  capabilities:
+    - NET_ADMIN
+    - NET_RAW
 platforms:
-  - name: debian-10
+  - <<: *platform_base
+    name: centos-7
+    image: centos:7
+    command: /sbin/init
+  - <<: *platform_base
+    name: debian-10
     image: debian:buster
-    privileged: True
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
     command: /sbin/init
-  - name: fedora-28
-    image: fedora:28
-    privileged: True
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  - <<: *platform_base
+    name: fedora-30
+    image: fedora:30
     command: /usr/sbin/init
 provisioner:
   name: ansible

molecule/default/prepare.yml

@@ -0,0 +1,8 @@
+---
+- hosts: all
+  tasks:
+    - name: Hot patch redis-server service for docker operation (Debian)
+      copy:
+        src: debian-redis-server.service
+        dest: /etc/systemd/system/redis-server.service
+      when: ansible_distribution == "Debian"

molecule/scenario_resources/Dockerfile.j2

@@ -1,21 +1,17 @@
 # Molecule managed
 
+# This Dockerfile prepares the image for {{ item.image }} to be used in molecule tests for the
+# ansible-pulp role. The main process should be systemd, to mimic an installation where services
+# can be installed and controlled. Systemd seems to be able to detect that it is being run in a
+# container context, and starts very little services. There is no need to delete any files from
+# /{etc,lib}/systemd/*.
+
 FROM {{ item.image }}
 
 ENV container docker
 
-{% if item.name.startswith('centos') or item.name.startswith('fedora') %}
-RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
-rm -f /lib/systemd/system/multi-user.target.wants/*;\
-rm -f /etc/systemd/system/*.wants/*;\
-rm -f /lib/systemd/system/local-fs.target.wants/*; \
-rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
-rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
-rm -f /lib/systemd/system/basic.target.wants/*;\
-rm -f /lib/systemd/system/anaconda.target.wants/*;
-{% endif %}
+{% if item.name.startswith('centos') -%}
 
-{% if item.name.startswith('centos') %}
 RUN yum install -y epel-release ;\
 yum makecache fast ;\
 yum update -y ;\
@@ -33,7 +29,8 @@ yum install -y \
   ;\
 sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf ;\
 yum clean all
-{% elif item.name.startswith('debian') %}
+{% elif item.name.startswith('debian') -%}
+
 ENV LC_ALL C
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -46,13 +43,6 @@ apt-get -y install \
   &&\
 rm /sbin/modprobe &&\
 ln -s /bin/true /sbin/modprobe &&\
-rm -f /lib/systemd/system/multi-user.target.wants/* \
-  /etc/systemd/system/*.wants/* \
-  /lib/systemd/system/local-fs.target.wants/* \
-  /lib/systemd/system/sockets.target.wants/*udev* \
-  /lib/systemd/system/sockets.target.wants/*initctl* \
-  /lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup* \
-  /lib/systemd/system/systemd-update-utmp* &&\
 apt-get -y install \
   bash \
   firewalld \
@@ -64,13 +54,15 @@ apt-get -y install \
 apt-get clean &&\
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* &&\
 systemctl enable firewalld
-{% elif item.name.startswith('fedora') %}
+{% elif item.name.startswith('fedora') -%}
+
 RUN dnf makecache ;\
 dnf --assumeyes install \
   bash \
   firewalld \
   iptables \
   jemalloc \
+  glibc-langpack-en \
   python3 \
   python3-dnf \
   python3-firewall \
@@ -79,11 +71,12 @@ dnf --assumeyes install \
   which \
   ;\
 dnf clean all
-{% endif %}
+{%- endif %}
 
 # Disable requiretty.
 RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/'  /etc/sudoers
 
-VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
+# systemd uses this as a termination signal; we want to shutdown the containers nicely...
+STOPSIGNAL SIGRTMIN+3
 
 CMD ["{{ item.command }}"]

molecule/scenario_resources/debian-redis-server.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Advanced key-value store
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd
+ExecStop=/bin/kill -s TERM $MAINPID
+User=redis
+Group=redis
+RuntimeDirectory=redis
+RuntimeDirectoryMode=0755
+
+LimitNOFILE=65535
+
+[Install]
+WantedBy=multi-user.target
+Alias=redis.service

molecule/scenario_resources/host_vars/centos-7

@@ -0,0 +1 @@
+pulp_configure_firewall: none

molecule/scenario_resources/host_vars/fedora-29

@@ -1 +1,2 @@
 ansible_python_interpreter: /usr/bin/python3
+pulp_configure_firewall: none

molecule/scenario_resources/host_vars/fedora-28 → molecule/scenario_resources/host_vars/fedora-30

@@ -1 +1,2 @@
 ansible_python_interpreter: /usr/bin/python3
+pulp_configure_firewall: none

molecule/source/debian-redis-server.service

@@ -0,0 +1 @@
+../scenario_resources/debian-redis-server.service

molecule/source/molecule.yml

@@ -6,18 +6,26 @@ driver:
   name: docker
 lint:
   name: yamllint
+# This is ignored by molecule, but can be reused in yaml
+.platform_base: &platform_base
+  privileged: False
+  volumes:
+    - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  tmpfs:
+    - /tmp
+    - /run
+    - /run/lock
+  capabilities:
+    - NET_ADMIN
+    - NET_RAW
 platforms:
-  - name: debian-10
+  - <<: *platform_base
+    name: debian-10
     image: debian:buster
-    privileged: True
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
     command: /sbin/init
-  - name: fedora-28
-    image: fedora:28
-    privileged: True
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  - <<: *platform_base
+    name: fedora-30
+    image: fedora:30
     command: /usr/sbin/init
 provisioner:
   name: ansible

molecule/source/prepare.yml

@@ -1,7 +1,6 @@
 ---
 - hosts:
-    - debian-10
-    - fedora-28
+    - all
   tasks:
     - name: Install required packages
       package:
@@ -41,3 +40,9 @@
         mode: 0777
         recurse: true
       become: true
+
+    - name: Hot patch redis-server service for docker operation (Debian)
+      copy:
+        src: debian-redis-server.service
+        dest: /etc/systemd/system/redis-server.service
+      when: ansible_distribution == "Debian"

requirements.yml

@@ -1,8 +1,2 @@
 ---
-# Upstream is slow to accept pull requests.
-# Still waiting on the original " Add Fedora support" pull request from ehelms.
-#
-# https://github.com/geerlingguy/ansible-role-postgresql/compare/master...dralley:master
-- src: https://github.com/dralley/ansible-role-postgresql
-  version: master
-  name: geerlingguy.postgresql
+- src: geerlingguy.postgresql

roles/pulp-content/meta/main.yml

@@ -5,7 +5,11 @@ galaxy_info:
   company: Red Hat
   min_ansible_version: 2.4
   platforms:
+    - name: Debian
+      versions:
+        - buster
     - name: Fedora
       versions:
-        - 28
+        - 29
+        - 30
   license: GPL-3.0

roles/pulp-database/meta/main.yml

@@ -7,12 +7,13 @@ galaxy_info:
   company: Red Hat
   min_ansible_version: 2.2
   platforms:
+    - name: Debian
+      versions:
+        - buster
     - name: Fedora
       versions:
-        - all
-  # - name: Debian
-  #   versions:
-  #     - stretch
+        - 29
+        - 30
   galaxy_tags:
     - pulp
 dependencies:

roles/pulp-redis/meta/main.yml

@@ -5,8 +5,12 @@ galaxy_info:
   company: Red Hat
   min_ansible_version: 2.4
   platforms:
+    - name: Debian
+      versions:
+        - buster
     - name: Fedora
       versions:
-        - 28
+        - 29
+        - 30
   license: GPL-3.0
 dependencies: []

roles/pulp-resource-manager/meta/main.yml

@@ -5,9 +5,13 @@ galaxy_info:
   company: Red Hat
   min_ansible_version: 2.4
   platforms:
+    - name: Debian
+      versions:
+        - buster
     - name: Fedora
       versions:
-        - 28
+        - 29
+        - 30
   license: GPL-3.0
 
 # Depend on pulp-redis for RQ.

roles/pulp-webserver/meta/main.yml

@@ -5,9 +5,13 @@ galaxy_info:
   company: Red Hat
   min_ansible_version: 2.4
   platforms:
+    - name: Debian
+      versions:
+        - Buster
     - name: Fedora
       versions:
-        - 28
+        - 29
+        - 30
   license: GPL-3.0
 dependencies:
   - role: pulp

roles/pulp-webserver/tasks/apache.yml

@@ -15,11 +15,6 @@
   set_fact:
     pulp_webserver_static_dir: '{{ result.files[0].path }}/rest_framework'
 
-- name: Set default firewall
-  set_fact:
-    pulp_configure_firewall: 'firewalld'
-  when: pulp_configure_firewall == 'auto'
-
 - block:
 
     - name: Install Apache
@@ -39,25 +34,4 @@
         enabled: true
         daemon_reload: true
 
-    - name: Install firewalld
-      package:
-        name: firewalld
-        state: present
-      when: pulp_configure_firewall == 'firewalld'
-
-    - name: Start and enable firewalld
-      systemd:
-        name: firewalld
-        state: started
-        enabled: true
-      when: pulp_configure_firewall == 'firewalld'
-
-    - name: Accept connections on port 80
-      firewalld:
-        service: http
-        permanent: true
-        immediate: true
-        state: enabled
-      when: pulp_configure_firewall == 'firewalld'
-
   become: true