feat: support for ostree systems

.ansible-lint

@@ -4,3 +4,5 @@ exclude_paths:
   - .markdownlint.yaml
 skip_list:
   - var-naming[no-role-prefix]
+mock_modules:
+  - ansible.utils.update_fact

.ostree/README.md

@@ -0,0 +1,5 @@
+*NOTE*: The `*.txt` files are used by `get_ostree_data.sh` to create the lists
+of packages, and to find other system roles used by this role.  DO NOT use them
+directly.
+
+The script `meta/make_ostree_packages_files` is used to generate these files.

.ostree/get_ostree_data.sh

@@ -0,0 +1,123 @@
+#!/bin/bash
+
+set -euo pipefail
+
+role_collection_dir="${ROLE_COLLECTION_DIR:-fedora/linux_system_roles}"
+ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}"
+
+if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then
+    cat <<EOF
+Usage: $0 packages [runtime|testing] DISTRO-MAJOR[.MINOR] [json|yaml|raw|toml]
+The script will use the packages and roles files in $ostree_dir to
+construct the list of packages needed to build the ostree image.  The script
+will output the list of packages in the given format
+- json is a JSON list like ["pkg1","pkg2",....,"pkgN"]
+- yaml is the YAML list format
+- raw is the list of packages, one per line
+- toml is a list of [[packages]] elements as in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line
+The DISTRO-MAJOR.MINOR is the same format used by Ansible for distribution e.g. CentOS-8, RedHat-8.9, etc.
+EOF
+    exit 1
+fi
+category="$1"
+pkgtype="$2"
+distro_ver="$3"
+format="$4"
+pkgtypes=("$pkgtype")
+if [ "$pkgtype" = testing ]; then
+    pkgtypes+=(runtime)
+fi
+
+get_rolepath() {
+    local ostree_dir role rolesdir roles_parent_dir
+    ostree_dir="$1"
+    role="$2"
+    roles_parent_dir="$(dirname "$(dirname "$ostree_dir")")"
+    rolesdir="$roles_parent_dir/$role/.ostree"
+    # assumes collection format
+    if [ -d "$rolesdir" ]; then
+        echo "$rolesdir"
+        return 0
+    fi
+    # assumes legacy role format like linux-system-roles.$role/
+    for rolesdir in "$roles_parent_dir"/*-system-roles."$role"/.ostree; do
+        if [ -d "$rolesdir" ]; then
+          echo "$rolesdir"
+          return 0
+        fi
+    done
+    # look elsewhere
+    if [ -n "${ANSIBLE_COLLECTIONS_PATHS:-}" ]; then
+        for pth in ${ANSIBLE_COLLECTIONS_PATHS//:/ }; do
+            rolesdir="$pth/ansible_collections/$role_collection_dir/roles/$role/.ostree"
+            if [ -d "$rolesdir" ]; then
+                echo "$rolesdir"
+                return 0
+            fi
+        done
+    fi
+    return 1
+}
+
+get_packages() {
+    local ostree_dir pkgtype pkgfile rolefile
+    ostree_dir="$1"
+    for pkgtype in "${pkgtypes[@]}"; do
+        for suff in "" "-$distro" "-${distro}-${major_ver}" "-${distro}-${ver}"; do
+            pkgfile="$ostree_dir/packages-${pkgtype}${suff}.txt"
+            if [ -f "$pkgfile" ]; then
+                cat "$pkgfile"
+            fi
+        done
+        rolefile="$ostree_dir/roles-${pkgtype}.txt"
+        if [ -f "$rolefile" ]; then
+            local roles role rolepath
+            roles="$(cat "$rolefile")"
+            for role in $roles; do
+                rolepath="$(get_rolepath "$ostree_dir" "$role")"
+                get_packages "$rolepath"
+            done
+        fi
+    done | sort -u
+}
+
+format_packages_json() {
+    local comma pkgs pkg
+    comma=""
+    pkgs="["
+    while read -r pkg; do
+        pkgs="${pkgs}${comma}\"${pkg}\""
+        comma=,
+    done
+    pkgs="${pkgs}]"
+    echo "$pkgs"
+}
+
+format_packages_raw() {
+    cat
+}
+
+format_packages_yaml() {
+    while read -r pkg; do
+        echo "- $pkg"
+    done
+}
+
+format_packages_toml() {
+    while read -r pkg; do
+        echo "[[packages]]"
+        echo "name = \"$pkg\""
+        echo "version = \"*\""
+    done
+}
+
+distro="${distro_ver%%-*}"
+ver="${distro_ver##*-}"
+if [[ "$ver" =~ ^([0-9]*) ]]; then
+    major_ver="${BASH_REMATCH[1]}"
+else
+    echo ERROR: cannot parse major version number from version "$ver"
+    exit 1
+fi
+
+"get_$category" "$ostree_dir" | "format_${category}_$format"

.ostree/packages-runtime-Alpine.txt

@@ -0,0 +1 @@
+openssh

.ostree/packages-runtime-Amazon.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-Arch Linux.txt

@@ -0,0 +1 @@
+openssh

.ostree/packages-runtime-Archlinux.txt

@@ -0,0 +1 @@
+openssh

.ostree/packages-runtime-CentOS-6.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-CentOS-7.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-CentOS-8.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-CentOS-9.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-Debian-10.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Debian-11.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Debian-12.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Debian-7.txt

@@ -0,0 +1 @@
+openssh-server

.ostree/packages-runtime-Debian-8.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Debian-9.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Fedora.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-Gentoo.txt

@@ -0,0 +1 @@
+net-misc/openssh

.ostree/packages-runtime-OpenWrt.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-RedHat-6.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-RedHat-7.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-RedHat-8.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-RedHat-9.txt

@@ -0,0 +1,2 @@
+openssh
+openssh-server

.ostree/packages-runtime-Suse.txt

@@ -0,0 +1 @@
+openssh

.ostree/packages-runtime-Ubuntu-12.txt

@@ -0,0 +1 @@
+openssh-server

.ostree/packages-runtime-Ubuntu-14.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Ubuntu-16.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Ubuntu-18.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Ubuntu-20.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-Ubuntu-22.txt

@@ -0,0 +1,2 @@
+openssh-server
+openssh-sftp-server

.ostree/packages-runtime-openSUSE Leap-15.txt

@@ -0,0 +1 @@
+openssh

.ostree/packages-testing-Alpine.txt

@@ -0,0 +1,3 @@
+mandoc
+man-pages
+openssh-doc

.ostree/packages-testing-Amazon.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-Arch Linux.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-Archlinux.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-CentOS.txt

@@ -0,0 +1 @@
+man-db

.ostree/packages-testing-Debian.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-Fedora.txt

@@ -0,0 +1 @@
+man-db

.ostree/packages-testing-Gentoo.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-OpenWrt.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-RedHat.txt

@@ -0,0 +1 @@
+man-db

.ostree/packages-testing-Suse.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-Ubuntu.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing-openSUSE Leap.txt

@@ -0,0 +1 @@
+man

.ostree/packages-testing.txt

@@ -0,0 +1,2 @@
+bash
+openssh-server

.ostree/roles-runtime.txt

@@ -0,0 +1,2 @@
+firewall
+selinux

README-ostree.md

@@ -0,0 +1,66 @@
+# rpm-ostree
+
+The role supports running on [rpm-ostree](https://coreos.github.io/rpm-ostree/)
+systems. The primary issue is that the `/usr` filesystem is read-only, and the
+role cannot install packages. Instead, it will just verify that the necessary
+packages and any other `/usr` files are pre-installed. The role will change the
+package manager to one that is compatible with `rpm-ostree` systems.
+
+## Building
+
+To build an ostree image for a particular operating system distribution and
+version, use the script `.ostree/get_ostree_data.sh` to get the list of
+packages. If the role uses other system roles, then the script will include the
+packages for the other roles in the list it outputs.  The list of packages will
+be sorted in alphanumeric order.
+
+Usage:
+
+```bash
+.ostree/get_ostree_data.sh packages runtime DISTRO-VERSION FORMAT
+```
+
+`DISTRO-VERSION` is in the format that Ansible uses for `ansible_distribution`
+and `ansible_distribution_version` - for example, `Fedora-38`, `CentOS-8`,
+`RedHat-9.4`
+
+`FORMAT` is one of `toml`, `json`, `yaml`, `raw`
+
+* `toml` - each package in a TOML `[[packages]]` element
+
+```toml
+[[packages]]
+name = "package-a"
+version = "*"
+[[packages]]
+name = "package-b"
+version = "*"
+...
+```
+
+* `yaml` - a YAML list of packages
+
+```yaml
+- package-a
+- package-b
+...
+```
+
+* `json` - a JSON list of packages
+
+```json
+["package-a","package-b",...]
+```
+
+* `raw` - a plain text list of packages, one per line
+
+```bash
+package-a
+package-b
+...
+```
+
+What format you choose depends on which image builder you are using.  For
+example, if you are using something based on
+[osbuild-composer](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_installing_and_managing_rhel_for_edge_images/index#creating-an-image-builder-blueprint-for-a-rhel-for-edge-image-using-the-command-line-interface_composing-a-rhel-for-edge-image-using-image-builder-command-line),
+you will probably want to use the `toml` output format.

README.md

@@ -51,14 +51,16 @@ If you want to use advanced functionality of this role that can configure
 firewall and selinux for you, which is mostly useful when custom port is used,
 the role requires additional collections which are specified in
 `meta/collection-requirements.yml`. These are not automatically installed.
+If you want to manage `rpm-ostree` systems, additional collections are required.
 You must install them like this:
 
 ```bash
 ansible-galaxy install -vv -r meta/collection-requirements.yml
 ```
 
 For more information, see `sshd_manage_firewall` and `sshd_manage_selinux`
-options below. These roles are supported only on Red Hat based Linux.
+options below, and the `rpm-ostree` section.  This additional functionality is
+supported only on Red Hat based Linux.
 
 ## Role variables
 
@@ -455,6 +457,10 @@ to the `options_body` and/or `options_match`.
 To regenerate the templates, from within the `meta/` directory run:
 `./make_option_lists`
 
+## rpm-ostree
+
+See README-ostree.md
+
 ## License
 
 LGPLv3

meta/collection-requirements.yml

@@ -1,3 +1,5 @@
 ---
 collections:
+  - name: ansible.posix
+  - name: ansible.utils
   - name: fedora.linux_system_roles

meta/make_ostree_packages_files

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -euo pipefail
+
+for file in vars/*.yml; do
+    if [ "$file" = vars/main.yml ]; then
+        continue
+    fi
+    # get platform and optional version
+    if [[ "$file" =~ vars/([^_]+)_([0-9]+).yml$ ]]; then
+        platform="${BASH_REMATCH[1]}"
+        version="${BASH_REMATCH[2]}"
+        packages_file=".ostree/packages-runtime-${platform}-${version}.txt"
+    elif [[ "$file" =~ vars/([^_.]+).yml$ ]]; then
+        platform="${BASH_REMATCH[1]}"
+        packages_file=".ostree/packages-runtime-${platform}.txt"
+    else
+        echo ERROR: cannot parse "$file"
+        exit 1
+    fi
+    # parse packages from file
+    printit=0
+    while read -r item pkg; do
+        if [[ "$item" =~ ^__sshd_packages: ]]; then
+            printit=1
+        elif [ "$printit" = 1 ]; then
+            if [ "$item" = "-" ] && [ -n "$pkg" ]; then
+                echo "$pkg"
+            else
+                break
+            fi
+        fi
+    done < "$file" | sort > "$packages_file"
+    # remove empty files
+    if [ ! -s "$packages_file" ]; then
+        rm -f "$packages_file"
+    fi
+done