Import Self-Signed Cert for Chrome/Edge/Chromium on Mac

May 16, 2020

With the latest versions of Chrome, Edge, or Chromium, it’s no longer possible to load pages with self-signed certs and they provide a NET::ERR_CERT_INVALID error.

ERR_CERT_INVALID

When you go to the “Advanced” button it does not allow you to ignore and proceed.

To work around this you can download the certificate. Then import it into the trusted certificate store.

I used OpenSSL to download the certificate, but there are other options. Here are the commands I used.

server=myserver.com

openssl s_client -connect ${server}:443 \

-showcerts </dev/null 2>/dev/null|\

openssl x509 -outform PEM >${server}.pem

sudo security add-trusted-cert -d -r trustAsRoot \

-p ssl -k /Library/Keychains/System.keychain ${server}.pem

This will add your certificate to the System Keychain and trust it as an SSL certificate.

If you get an the error:

1	SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.

try replacing

1	-r trustAsRoot

1	-r trustRoot

Ansible Collections: Testing only what’s changed

Eric Anderson

May 11, 2020

Previously

When testing roles before GitHub Actions, it was assumed that you’d only have one repository for each role. But with the addition of collections, that is no longer the case. Your collection can now have multiple roles, modules, and often you do not need to test everything when a role or a set of modules has changed.

Using GitHub Actions, there’s a way to do this.

Now with GitHub Actions

Using GitHub Actions and workflow, we can configure what actions will trigger a test (workflow) run. In my example, which I do use on all of my collections, I set only on Pull Request and Push will the tests be triggered.

on:

push:

paths:

- 'roles/zabbix_agent/**'

- 'molecule/zabbix_agent/**'

- '.github/workflows/zabbix_agent.yml'

pull_request:

paths:

- 'roles/zabbix_agent/**'

- 'molecule/zabbix_agent/**'

- '.github/workflows/zabbix_agent.yml'

jobs:

zabbix_agent:

runs-on: ubuntu-18.04

env:

PY_COLORS: 1

ANSIBLE_FORCE_COLOR: 1

strategy:

fail-fast: false

...

So if you notice in the example, configured my test to run on both push and pull_request. Unfortunately, GitHub Actions doesn’t support anchors yet so I couldn’t use them.

Why did I choose those paths?

'roles/zabbix_agent/**' – sets GitHub actions to watch all the files underneath the role zabbix_agent

'molecule/zabbix_agent/**' – watches all the files part of the molecule testing for zabbix_agent

'.github/workflows/zabbix_agent.yml' – the file that runs the GitHub Action workflow itself

The code here helps ensure that only when a file used for testing or executing this role is modified will it run and ensures that you don’t waste a lot of testing time on GitHub Actions so other tests can run on other repositories. You can find more options here https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#on

Using a Dockerfile Repo for Molecule Dockerfiles

Eric Anderson

May 10, 2020

I’d like to share with you another design in testing your Ansible collections, modules, playbooks, and roles. Molecule used to include a file name Dockerfile.j2. This template, in the past, created your docker container on execution. It’s since moved away from that and now only uses the base image you provide it via molecule.yml. In some cases, you need more than what the base image offers, and you may not want to create docker images and upload them to Docker Hub, or Quay.io. I wanted a solution and test that didn’t require people to download my docker images from Docker Hub.

Dockerfile.j2 with lots of Jinja

I prefer building my images using Dockerfile each time I test. It’s relatively quick and ensures that my host is testing against the latest packages that are installed by the Dockerfile.

However, I have lots of roles, and this means each role had at least one Dockerfile, and the Dockerfiles were precisely the same. A simple change to one Dockerfile usually said I needed to update all of the others. What if I need systemd installed? SystemD is different on many operating systems, different files needed, as well as various install commands. Well, I initially started building a more complicated Dockerfile.j2,which used the platform values from Molecule. But then after adding CentOS, Debian, Ubuntu, Fedora, and many of their different versions, it got complicated.

100

101

102

103

104

105

106

107

108

109

110

111

# Molecule managed

{% if item.registry is defined %}

FROM {{ item.registry.url }}/{{ item.image }}

{% else %}

FROM {{ item.image }}

{% endif %}

ENV container=docker

{# Initial Package Installs and Container Prep #}

{% if item.image.split(':', 1)[0] in ["ubuntu"] %}

RUN apt-get update \

&& apt-get install -y --no-install-recommends \

locales software-properties-common rsyslog systemd systemd-cron sudo \

iproute2

RUN sed -i 's/^$$ModLoad imklog$/#\1/' /etc/rsyslog.conf

{% elif item.image.split(':', 1)[0] in ["debian"] %}

RUN apt-get update \

&& apt-get install -y --no-install-recommends \

sudo systemd systemd-sysv \

build-essential wget

{% elif item.image.split(':', 1)[0] in ["centos"] %}

{% if item.image in ["centos:7"] %}

RUN yum makecache fast && yum -y install deltarpm \

{% elif item.image in ["centos:8"] %}

RUN yum makecache --timer \

{% endif %}

&& yum -y install epel-release \

&& yum -y update \

&& yum -y install sudo which

{% endif %}

{# Install of Python2 #}

{% if item.image in ["ubuntu:16.04"] %}

RUN apt-get update \

&& apt-get install -y --no-install-recommends python-setuptools wget \

&& wget https://bootstrap.pypa.io/get-pip.py \

&& python get-pip.py

{% elif item.image in ["debian:9"] %}

RUN apt-get update \

&& apt-get install -y --no-install-recommends libffi-dev libssl-dev \

python-pip python-dev python-setuptools python-wheel

{% elif item.image in ["centos:7"] %}

RUN yum -y install python-pip

{% endif %}

{# Install of Python3 #}

{% if item.image in ["ubuntu:18.04", "ubuntu:20.04", "debian:10"] %}

RUN apt-get update \

&& apt-get install -y --no-install-recommends \

apt-utils python3-setuptools python3-pip

{% endif %}

{% if item.image in ["centos:8"] %}

RUN yum -y install hostname python3 python3-pip

{% endif %}

{# Steps for cleanup #}

{% if item.image.split(':', 1)[0] in ["ubuntu", "debian"] %}

RUN rm -Rf /var/lib/apt/lists/* \

&& rm -Rf /usr/share/doc && rm -Rf /usr/share/man \

&& apt-get clean

{% elif item.image.split(':', 1)[0] in ["centos"] %}

RUN yum clean all

{% endif %}

{# Steps for clenaup of systemd #}

{% if item.image in ["centos:7", "centos:8", "debian:9"] %}

RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \

systemd-tmpfiles-setup.service ] || rm -f $i; done); \

rm -f /lib/systemd/system/multi-user.target.wants/*;\

rm -f /etc/systemd/system/*.wants/*;\

rm -f /lib/systemd/system/local-fs.target.wants/*; \

rm -f /lib/systemd/system/sockets.target.wants/*udev*; \

rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \

rm -f /lib/systemd/system/basic.target.wants/*;\

rm -f /lib/systemd/system/anaconda.target.wants/*; \

mkdir -p /run/systemd/system

{% endif %}

{% if item.image in ["ubuntu:18.04", "ubuntu:20.04"] %}

# Remove unnecessary getty and udev targets that result in high CPU usage when using

# multiple containers with Molecule (https://github.com/ansible/molecule/issues/1104)

RUN rm -f /lib/systemd/system/systemd*udev* \

&& rm -f /lib/systemd/system/getty.target

{% endif %}

{% if item.image in ["centos:7", "centos:8"] %}

# Disable requiretty.

RUN sed -i -e 's/^$Defaults\s*requiretty$/#--- \1/' /etc/sudoers

{% endif %}

{% if item.image.split(':', 1)[0] not in ["centos", "debian"] %}

# Fix potential UTF-8 errors with ansible-test.

RUN locale-gen en_US.UTF-8

{% endif %}

# Install Ansible inventory file.

RUN mkdir -p /etc/ansible

RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts

{% if item.image in ["centos:7", "centos:8", "debian:9", "debian:10"] %}

VOLUME ["/sys/fs/cgroup"]

{% elif item.image in ["ubuntu:16.04", "ubuntu:18.04", "ubuntu:20.04"] %}

VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]

{% endif %}

{% if item.image in ["centos:7", "centos:8"] %}

CMD ["/usr/sbin/init"]

{% elif item.image in ["ubuntu:16.04", "ubuntu:18.04", "ubuntu:20.04", "debian:9", "debian:10"] %}

CMD ["/lib/systemd/systemd"]

{% endif %}

It was overly complicated, and I was losing track of the if/then statements, “Which OS should run which commands?” and many other questions. I gave up. It’s not maintainable. Especially when there have been PR’s adding support for SUSE, and ArchLinux, so now I need to add those to my tests. Three words. OUT OF HAND. So I had to change how I tested. I’m not going to duplicate a Dockerfile that’s this complicated, 10+ times per collection. Maybe I can do file links? That worked, but then I had to manage the same files in each of my Roles/Collections. Again, not scalable. I wanted something easy to do and easy to maintain and add new OS support when needed. Then a couple of things hit me.

Molecule Uses Ansible (obviously)
Ansible has Lookup Filters

URL Lookup for Dockerfile.j2

What if I could do a URL lookup against a GitHub repository that allows me to manage the same Dockerfiles for SystemD and Ansible dependencies on all of my roles. So, I deleted all the contents of Dockerfile.j2 and replaced it with this:

{{ lookup('url', 'https://raw.githubusercontent.com/ericsysmin/docker-ansible-images/master/' ~ item.image ~ '/Dockerfile', split_lines=False) }}

So each time Molecule runs, it connects to this file, grabs the Dockerfile, and then uses it to build each docker container used by Molecule. Now I can centrally manage all of my Dockerfile files, and simplify my Dockerfiles by removing all of the if/then statements, and other logic. This does require that your system running Molecule requires internet access to the file location, if it fails, the Molecule execution will also fail.

Now in each of my roles, throughout my collections and standalone, I can modify by Dockerfiles and manage them from one location just as if I decided to produce Docker images from these Dockerfiles and then share them on Docker Hub or Quay.io.

Ansible Collections: Automating the Release Process to Galaxy

Eric Anderson

May 2, 2020

Since we are moving to Ansible Collections, some things are changing. Now when you create your collection and update your collection Ansible Galaxy will no longer automatically discover your collection via a Webhook. Now for Galaxy to know about your collection you have to upload a tar.gz file that containers the result of the ansible-galaxy collection build command.

However, many of us may still want to automate that process, and with @geerlingguy‘s help I was able to fully automate the release process, not from just tagging a release, but creating a release as we would before. So how does this work?

Creating the Build Directory

First, we need to create the build/ directory and include a couple of files.

build

├── galaxy_deploy.yml

└── templates

└── galaxy.yml.j2

Instead of having a galaxy.yml file in our root, we will need to generate the file when we execute the playbook.

This is the galaxy_deploy.yml playbook.

---

- hosts: localhost

connection: local

gather_facts: false

vars:

# This should be set via the command line at runtime.

tag: "{{ github_tag.split('/')[-1] }}"

pre_tasks:

- name: Ensure the ANSIBLE_GALAXY_TOKEN environment variable is set.

fail:

msg: ANSIBLE_GALAXY_TOKEN is not set.

when: "lookup('env','ANSIBLE_GALAXY_TOKEN') | length == 0"

- name: Ensure the ~/.ansible directory exists.

file:

path: ~/.ansible

state: directory

- name: Write the Galaxy token to ~/.ansible/galaxy_token

copy:

content: |

token: {{ lookup('env','ANSIBLE_GALAXY_TOKEN') }}

dest: ~/.ansible/galaxy_token

tasks:

- name: Template out the galaxy.yml file.

template:

src: templates/galaxy.yml.j2

dest: ../galaxy.yml

- name: Build the collection. # noqa 503

command: >

ansible-galaxy collection build

chdir=../

when: galaxy_yml.changed

- name: Publish the collection. # noqa 503

command: >

ansible-galaxy collection publish ./ericsysmin-system-{{ tag }}.tar.gz

chdir=../

when: galaxy_yml.changed

You’ll then need to create a build/templates folder, and create the galaxy.yml.j2 file within the templates folder.

Edit the values to fit your Ansible Collection, the only var I use is {{ tag }} which will be used later on.

### REQUIRED

# The namespace of the collection. This can be a company/brand/organization or product namespace under which all

# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with

# underscores or numbers and cannot contain consecutive underscores

namespace: ericsysmin

# The name of the collection. Has the same character restrictions as 'namespace'

# The version of the collection. Must be compatible with semantic versioning

version: "{{ tag }}"

# The path to the Markdown (.md) readme file. This path is relative to the root of the collection

readme: README.md

# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)

# @nicks:irc/im.site#channel'

authors:

- Eric Anderson (https://ericsysmin.com)

### OPTIONAL but strongly recommended

# A short summary description of the collection

description: Collection of System Administration Roles

# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only

# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'

# license:

# - GPL-2.0-or-later

# The path to the license file for the collection. This path is relative to the root of the collection. This key is

# mutually exclusive with 'license'

license_file: 'LICENSE'

# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character

# requirements as 'namespace' and 'name'

tags:

- system

- chrony

- epel

- logrotate

- ntp

- remi_repo

- selinux

- rhel

- ubuntu

# Collections that this collection requires to be installed for it to be usable. The key of the dict is the

# collection label 'namespace.name'. The value is a version range

# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version

# range specifiers can be set and are separated by ','

dependencies: {}

# The URL of the originating SCM repository

repository: https://github.com/ericsysmin/ansible-collection-system

# The URL to any online docs

documentation: https://github.com/ericsysmin/ansible-collection-system

# The URL to the homepage of the collection/project

homepage: https://github.com/ericsysmin/ansible-collection-system

# The URL to the collection issue tracker

issues: https://github.com/ericsysmin/ansible-collection-system/issues

Ok, so now that we’ve created the build components now we need to do the automation part of this. I chose to use GitHub Actions again, as they are the recommended path for the repositories sitting at https://github.com/ansible-collections.

Configuring the GitHub Action Workflow

In your .github/workflows/ folder you’ll need to create a release workflow. To do this I used the following GitHub Actions Workflow YAML. I called it release.yml , and it sits at .github/workflows/release.yml this is an example of what you can use.

on:

release:

types:

- created

jobs:

release:

runs-on: ubuntu-18.04

env:

ANSIBLE_GALAXY_TOKEN: ${{ secrets.ANSIBLE_GALAXY_TOKEN }}

ANSIBLE_FORCE_COLOR: 1

steps:

- name: Check out code

uses: actions/checkout@v1

- name: Set up Python 3.8

uses: actions/setup-python@v1

with:

python-version: 3.8

- name: Install dependencies

run: |

python -m pip install --upgrade pip

pip install ansible

- name: Run role test

run: >-

ansible-playbook -i 'localhost,' build/galaxy_deploy.yml -e "github_tag=${{ github.ref }}"

Using the on value we are able to set the workflow to only execute when a release is created in GitHub. This will ensure we have a GitHub ref to be used against the playbook. It will also sync your Ansible Galaxy release with GitHub release actions.

on:

release:

types:

- created

If you noticed we have a key here that provides our Ansible Galaxy token ${{ secrets.ANSIBLE_GALAXY_TOKEN }} for us to use this token we need to get it from Ansible Galaxy, and add it to our repository secrets. You can find your key here https://galaxy.ansible.com/me/preferences under API Key.

Ansible Galaxy Preferences Page

Within the GitHub repo go to the Settings -> Secrets.
GitHub Settings Page

Then when on that page we will add a new secret and name it ANSIBLE_GALAXY_TOKEN

GitHub Secrets Page

Now when the Workflow runs it will grab this secret from your GitHub and be able to authenticate to Ansible Galaxy.

This section tells GitHub Actions to only run this workflow when a release is created. That is done in the GitHub UI, just like you did in the past to release a new version of a role.

steps:

- name: Check out code

uses: actions/checkout@v1

- name: Set up Python 3.8

uses: actions/setup-python@v1

with:

python-version: 3.8

- name: Install dependencies

run: |

python -m pip install --upgrade pip

pip install ansible

- name: Run role test

run: >-

ansible-playbook -i 'localhost,' build/galaxy_deploy.yml -e "github_tag=${{ github.ref }}"

This section:

checks out the code
configures python 3.8 on the host
installs the latest version of python pip
installs ansible
then runs the playbook with the github.ref value from the GitHub Release action

Once this is done you will have the release version uploaded automatically to your Ansible Galaxy account.

Ansible Collections: Role Tests with Molecule

Eric Anderson

April 30, 2020

As many of you know or are finding out, Ansible is moving to Collections. But what does that mean? Well, it’s been a long time waiting but Collections provide a way to namespace modules, roles, and playbooks that can all be combined in a single package for you to consume. It also allows businesses, partners, and contributors to update modules without adhering to the Ansible core release cycle. So, if AWS updates their API, then the modules that go with those will be instantly accessible, or at least faster than we used to wait for core releases to get those modules. But what does this mean for roles?

Move to FQCN (Fully Qualified Collection Name)

As many of us our finding out we are needing to move our roles to the collection design. However, now we need to figure out how to test them with the new design and using the Collection Namespaces aka FQCN (Fully Qualified Collection Name) So what we used to write

---

- hosts: localhost

connection: local

vars:

some_var: var_value1

tasks:

- include_role:

vars:

param: some_var

Will now end up something like this

---

- hosts: localhost

connection: local

vars:

some_var: var_value1

tasks:

- include_role:

vars: param: some_var

We also are going to have a new folder structure using ansible_collections/namespace/collection_name

Luckily the molecule team and all of its contributors ensured that collections are recognized and supported. And I will cover how we can test this with GitHub Actions (which happen to also be the preferred way at this moment to test your collections on the official Ansible-Collections Github https://github.com/ansible-collections.

Single Command Testing

Example with multiple role tests in one collection molecule test.

---

- name: Converge

hosts: all

pre_tasks:

- name: Update package cache

package: update_cache=yes

changed_when: false

until: task_result is success

retries: 10

delay: 2

- name: create containerd folder

file:

path: /etc/systemd/system/containerd.service.d

state: directory

when: ansible_service_mgr == "systemd"

- name: override file for containerd

copy:

src: files/override.conf

dest: /etc/systemd/system/containerd.service.d/override.conf

when: ansible_service_mgr == "systemd"

roles:

- role: ericsysmin.system.selinux

when: ansible_os_family == "RedHat"

- role: ericsysmin.system.chrony

- role: ericsysmin.system.epel

when: ansible_os_family == "RedHat"

- role: ericsysmin.system.logrotate

- role: ericsysmin.system.remi_repo

when: ansible_os_family == "RedHat"

As you see, in this format I had to make sure RedHat specific roles don’t get run on non-RedHat systems. But then this tests every role together and doesn’t easily allow me to scale to even more operating systems. It will get long, and crazy with lots of when statements, and each time you add a role, you’ll have to edit this one and ensure the environment configuration is correct for all of the roles. It was at this point I realized maybe I should move away from Travis-CI, and also was encouraged to by the Ansible team. Gundalow and others recommended moving to GitHub Actions which are the preferred method now in the community. So I explored that option.

I also at this time decided to move away from the monolithic “default” scenario and instead divide scenarios based on roles. This is what I moved to.

molecule

├── chrony

│ ├── Dockerfile.j2

│ ├── converge.yml

│ ├── files

│ │ └── override.conf

│ ├── molecule.yml

│ ├── tests

│ │ └── test_default.py

│ └── verify.yml

├── default

│ ├── Dockerfile.j2

│ ├── converge.yml

│ ├── files

│ │ └── override.conf

│ ├── molecule.yml

│ ├── tests

│ │ └── test_default.py

│ └── verify.yml

├── epel

│ ├── Dockerfile.j2

│ ├── converge.yml

│ ├── files

│ │ └── override.conf

│ ├── molecule.yml

│ ├── tests

│ │ └── test_default.py

│ └── verify.yml

├── logrotate

│ ├── Dockerfile.j2

│ ├── converge.yml

│ ├── files

│ │ └── override.conf

│ ├── molecule.yml

│ ├── tests

│ │ └── test_default.py

│ └── verify.yml

├── ntp

│ ├── Dockerfile.j2

│ ├── converge.yml

│ ├── files

│ │ └── override.conf

│ ├── molecule.yml

│ ├── tests

│ │ └── test_default.py

│ └── verify.yml

├── remi_repo

│ ├── Dockerfile.j2

│ ├── converge.yml

│ ├── files

│ │ └── override.conf

│ ├── molecule.yml

│ ├── tests

│ │ └── test_default.py

│ └── verify.yml

└── selinux

├── Dockerfile.j2

├── converge.yml

├── files

│ └── override.conf

├── molecule.yml

├── tests

│ └── test_default.py

└── verify.yml

Now I was able to individually ensure each environment was correct. That includes each roles’ dependencies, etc, and that it doesn’t affect the others. It prevented any form of cross-contamination on testing, and what’s expected in requirements. This fixed one of my issues I had with testing, however, it did add a bit of complexity, but each one is almost identical so I could easily copy and paste one of these to help build tests for the new role.

Matrix Testing with GitHub Actions

When I started testing how I would do this using Github Actions I explored using Matrix workflows. That looked something like this (which was really awesome because I couldn’t do it in Travis-CI…I don’t know if I can go back to Travis-CI because apparently for me GitHub tests are much faster.)

on: ["push", "pull_request"]

jobs:

logrotate:

runs-on: ubuntu-18.04

env:

PY_COLORS: 1 # allows molecule colors to be passed to GitHub Actions

ANSIBLE_FORCE_COLOR: 1 # allows ansible colors to be passed to GitHub Actions

strategy:

fail-fast: true

matrix:

molecule_distro:

- distro: centos:7

command: /usr/sbin/init # needed to ensure systemd is started on each to ensure proper service module testing

- distro: centos:8

command: /usr/sbin/init

- distro: ubuntu:16.04

command: /sbin/init

- distro: ubuntu:18.04

command: /lib/systemd/systemd

- distro: ubuntu:20.04

command: /lib/systemd/systemd

- distro: debian:9

command: /lib/systemd/systemd

collection_role:

- logrotate

- chrony

- epel

- ntp

steps:

- name: Check out code

uses: actions/checkout@v1

with:

path: ansible_collections/ericsysmin/system

- name: Set up Python 3.8

uses: actions/setup-python@v1

with:

python-version: 3.8

- name: Install dependencies

run: |

sudo apt install docker

python -m pip install --upgrade pip

pip install molecule yamllint ansible-lint docker

- name: Run role test

run: >-

molecule --version &&

ansible --version &&

MOLECULE_COMMAND=${{ matrix.molecule_distro.command }}

MOLECULE_DISTRO=${{ matrix.molecule_distro.distro }}

molecule --debug test -s ${{ matrix.collection_role }}

However, here’s the issue with this…each commit no matter where it’s made will trigger the matrix to execute meaning 4 x 6 tests! Even though I modified 1 role. Also, EPEL doesn’t work on Ubuntu or Debian. So then I’d have to use a lot of these exclude statements:

jobs:

logrotate:

runs-on: ubuntu-18.04

env:

PY_COLORS: 1 # allows molecule colors to be passed to GitHub Actions

ANSIBLE_FORCE_COLOR: 1 # allows ansible colors to be passed to GitHub Actions

strategy:

fail-fast: true

matrix:

molecule_distro:

- distro: centos:7

command: /usr/sbin/init

- distro: centos:8

command: /usr/sbin/init

- distro: ubuntu:16.04

command: /sbin/init

- distro: ubuntu:18.04

command: /lib/systemd/systemd

- distro: ubuntu:20.04

command: /lib/systemd/systemd

- distro: debian:9

command: /lib/systemd/systemd

collection_role:

- logrotate

- chrony

- epel

- ntp

exclude:

- {"molecule_distro": {"distro": "ubuntu:16.04"}, "collection_role":"epel"}

- {"molecule_distro": {"distro": "ubuntu:18.04"}, "collection_role":"epel"}

- {"molecule_distro": {"distro": "ubuntu:20.04"}, "collection_role":"epel"}

Of course, that’s not scalable. So, I gave it a bit of thought. Why don’t we treat each role for what it is? It’s a separate role. Editing Role1 shouldn’t affect Role2 or even need to test Role2 in this situation. So I decided to create multiple workflows. Using GitHub Workflows I created the following structure.

.github

└── workflows

├── chrony.yml

├── epel.yml

├── logrotate.yml

├── ntp.yml

├── remi_repo.yml

└── selinux.yml

Each workflow is specific to each role, and each one looks similar. This is the template I used.

on: ["push", "pull_request"]

jobs:

molecule:

runs-on: ubuntu-18.04

env:

PY_COLORS: 1 # allows molecule colors to be passed to GitHub Actions

ANSIBLE_FORCE_COLOR: 1 # allows ansible colors to be passed to GitHub Actions

strategy:

fail-fast: true

matrix:

molecule_distro:

- distro: centos:7

command: /usr/sbin/init

- distro: centos:8

command: /usr/sbin/init

collection_role:

- role_name

steps:

- name: Check out code

uses: actions/checkout@v1

with:

path: ansible_collections/ericsysmin/system

- name: Set up Python 3.8

uses: actions/setup-python@v1

with:

python-version: 3.8

- name: Install dependencies

run: |

sudo apt install docker

python -m pip install --upgrade pip

pip install molecule yamllint ansible-lint docker

- name: Run role test

run: >-

molecule --version &&

ansible --version &&

MOLECULE_COMMAND=${{ matrix.molecule_distro.command }}

MOLECULE_DISTRO=${{ matrix.molecule_distro.distro }}

molecule --debug test -s ${{ matrix.collection_role }}

You can change the operating systems if you want, this is just one of the examples I had. I solved the issue with the cross-contamination I had earlier, as well as made the tests easier to verify and check, as well as independent test state icons for the README.md. But I still had an issue. If I make a change to Role1, Role2 still builds…not desired and wastes build time against GitHub Actions.

Luckily in GitHub Actions, we can do include, or exclude paths on the trigger. So I replaced this section on: ["push", "pull_request"] with

on:

push:

paths:

- 'roles/role_name/**'

- 'molecule/role_name/**

- '.github/workflows/role_name.yml'

pull_request:

paths:

- 'roles/role_name/**'

- 'molecule/role_name/**

- '.github/workflows/role_name.yml'

So now the role only executes when the items specific to that role are edited. Saving me possibly money, and build time so other jobs in my GitHub can execute.

Now my completed .github/workflow/chrony.yml looks like this:

on:

push:

paths:

- 'roles/chrony/**'

- '.github/workflows/chrony.yml'

pull_request:

paths:

- 'roles/chrony/**'

- '.github/workflows/chrony.yml'

jobs:

molecule:

runs-on: ubuntu-18.04

env:

PY_COLORS: 1 # allows molecule colors to be passed to GitHub Actions

ANSIBLE_FORCE_COLOR: 1 # allows ansible colors to be passed to GitHub Actions

strategy:

fail-fast: true

matrix:

molecule_distro:

- distro: centos:7

command: /usr/sbin/init

- distro: centos:8

command: /usr/sbin/init

collection_role:

- chrony

steps:

- name: Check out code

uses: actions/checkout@v1

with:

path: ansible_collections/ericsysmin/system

- name: Set up Python 3.8

uses: actions/setup-python@v1

with:

python-version: 3.8

- name: Install dependencies

run: |

sudo apt install docker

python -m pip install --upgrade pip

pip install molecule yamllint ansible-lint docker

- name: Run role test

run: >-

molecule --version &&

ansible --version &&

MOLECULE_COMMAND=${{ matrix.molecule_distro.command }}

MOLECULE_DISTRO=${{ matrix.molecule_distro.distro }}

molecule --debug test -s ${{ matrix.collection_role }}

Since these changes have been made now I am able to ensure that all of my roles are independently tested each time they are edited without treating everything as one giant repo and having tests run for 10+ minutes each as all of my roles execute. Now they are all tested in parallel, and against their own supported operating systems.

To see a copy of the repository used for this you can see https://github.com/ericsysmin/ansible-collection-system which you are free to clone, modify, change, use a reference. I did make changes to the Dockerfile because I do not host my own docker images, and don’t plan to. I highly suggested taking a look at my molecule/role_name/Dockerfile.j2 files to get an idea on what I did to get services to work. My changes to Dockerfile.j2 are based on Multi-distribution Ansible testing with Molecule on Travis-CI, and check out molecule/role_name/molecule.yml to see how I pass through the parameters.

If you have questions please feel free to comment.

Import Self-Signed Cert for Chrome/Edge/Chromium on Mac

Share:

Ansible Collections: Testing only what’s changed

Previously

Now with GitHub Actions

Share:

Using a Dockerfile Repo for Molecule Dockerfiles

Dockerfile.j2 with lots of Jinja

URL Lookup for Dockerfile.j2

Share:

Ansible Collections: Automating the Release Process to Galaxy

Creating the Build Directory

Configuring the GitHub Action Workflow

Share:

Ansible Collections: Role Tests with Molecule

Move to FQCN (Fully Qualified Collection Name)

Single Command Testing

Matrix Testing with GitHub Actions

Share: