From 94bdba8203ecbe7b19e37a18ca15df1ea6398f34 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Mon, 22 Sep 2025 12:44:35 +0200 Subject: [PATCH 1/9] add Debian 13 to the mix --- .github/workflows/test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c231f622f..b92771427 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -82,6 +82,11 @@ jobs: security: none database: internal box: centos/stream9 + - certificate_source: default + security: none + database: internal + iop: disabled + box: debian/trixie64 runs-on: ubuntu-24.04 env: FOREMANCTL_BASE_BOX: ${{ matrix.box }} From 2eaa886508141d64fd82d637efe34513415a874d Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Thu, 16 Oct 2025 09:42:01 +0200 Subject: [PATCH 2/9] Refresh package cache on Debian during setup-repositories --- .../playbooks/setup-repositories/setup-repositories.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/development/playbooks/setup-repositories/setup-repositories.yaml b/development/playbooks/setup-repositories/setup-repositories.yaml index ad0fd5608..8077c2bcb 100644 --- a/development/playbooks/setup-repositories/setup-repositories.yaml +++ b/development/playbooks/setup-repositories/setup-repositories.yaml @@ -29,3 +29,9 @@ chroot: rhel-10-x86_64 when: - ansible_distribution_major_version == '10' + + - name: Refresh package cache + ansible.builtin.package: + update_cache: true + when: + - ansible_os_family == 'Debian' From 43136b180ea28fa3c0ca3ecc3deea0e608eff8ba Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Mon, 22 Sep 2025 14:32:22 +0200 Subject: [PATCH 3/9] Debian needs to install netavark explicitly --- src/roles/pre_install/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/roles/pre_install/tasks/main.yaml b/src/roles/pre_install/tasks/main.yaml index e4b576768..55a603752 100644 --- a/src/roles/pre_install/tasks/main.yaml 
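Review bot: The new `Refresh package cache` task keys its condition on the legacy top-level `ansible_os_family` variable, while every other OS check added in this series (pre_install, httpd, images) reads `ansible_facts['os_family']`; the legacy spelling stops working when `inject_facts_as_vars` is turned off. Change the condition to `- ansible_facts['os_family'] == 'Debian'`. The enclosing play starts before this hunk.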
+++ b/src/roles/pre_install/tasks/main.yaml @@ -7,6 +7,7 @@ ansible.builtin.package: name: - podman + - netavark - name: Install other dependencies ansible.builtin.package: From 21271711197c3a9f6f0ec14084980ebef37065c1 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Tue, 23 Sep 2025 07:50:03 +0200 Subject: [PATCH 4/9] python3-libsemanage is called python3-semanage on Debian --- src/roles/pre_install/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/roles/pre_install/tasks/main.yaml b/src/roles/pre_install/tasks/main.yaml index 55a603752..a9fd3753b 100644 --- a/src/roles/pre_install/tasks/main.yaml +++ b/src/roles/pre_install/tasks/main.yaml @@ -14,7 +14,7 @@ name: - bash-completion - python3-cryptography - - python3-libsemanage + - "{{ 'python3-semanage' if ansible_facts['os_family'] == 'Debian' else 'python3-libsemanage' }}" - python3-psycopg2 - python3-requests - python3-requests-oauthlib From bd9d7f994dfe9dee2fb77ddb0fb873fe6c58f35b Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Tue, 23 Sep 2025 09:39:16 +0200 Subject: [PATCH 5/9] make httpd role work on Debian --- src/roles/httpd/defaults/main.yml | 2 +- src/roles/httpd/handlers/main.yml | 2 +- .../httpd/tasks/external_auth/cleanup.yml | 4 +- src/roles/httpd/tasks/external_auth/ipa.yml | 12 ++--- src/roles/httpd/tasks/main.yml | 30 ++++++----- src/roles/httpd/tasks/sssd.yml | 2 +- .../httpd/templates/foreman-ssl-vhost.conf.j2 | 6 +-- .../httpd/templates/foreman-vhost.conf.j2 | 6 +-- src/roles/httpd/vars/Debian.yaml | 15 ++++++ src/roles/httpd/vars/RedHat.yaml | 12 +++++ tests/httpd_test.py | 52 ++++++++++++++----- 11 files changed, 100 insertions(+), 43 deletions(-) create mode 100644 src/roles/httpd/vars/Debian.yaml create mode 100644 src/roles/httpd/vars/RedHat.yaml diff --git a/src/roles/httpd/defaults/main.yml b/src/roles/httpd/defaults/main.yml index 7f4f7b35a..7257b174c 100644 --- a/src/roles/httpd/defaults/main.yml +++ b/src/roles/httpd/defaults/main.yml 
@@ -17,6 +17,6 @@ httpd_listen_backlog: 511 # External authentication configuration httpd_external_authentication: "{{ external_authentication | default(None) }}" httpd_ipa_manage_sssd: true -httpd_ipa_keytab: /etc/httpd/conf/http.keytab +httpd_ipa_keytab: "{{ httpd_etc_path }}/conf/http.keytab" httpd_ipa_pam_service: "{{ external_authentication_pam_service | default('foreman') }}" httpd_ipa_gssapi_local_name: true diff --git a/src/roles/httpd/handlers/main.yml b/src/roles/httpd/handlers/main.yml index 8c4443123..9f9257e7a 100644 --- a/src/roles/httpd/handlers/main.yml +++ b/src/roles/httpd/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Restart httpd ansible.builtin.systemd: - name: httpd + name: "{{ httpd_service }}" state: restarted - name: Restart sssd diff --git a/src/roles/httpd/tasks/external_auth/cleanup.yml b/src/roles/httpd/tasks/external_auth/cleanup.yml index 11fb4199f..5371ec637 100644 --- a/src/roles/httpd/tasks/external_auth/cleanup.yml +++ b/src/roles/httpd/tasks/external_auth/cleanup.yml @@ -1,7 +1,7 @@ --- - name: Remove external authentication configuration ansible.builtin.file: - path: "/etc/httpd/conf.d/05-{{ item }}.d/external_auth.conf" + path: "{{ httpd_conf_path}}/05-{{ item }}.d/external_auth.conf" state: absent notify: - Restart httpd @@ -11,7 +11,7 @@ - name: Remove Apache module configuration files for IPA authentication ansible.builtin.file: - path: /etc/httpd/conf.modules.d/55-{{ item }}.conf + path: "{{ httpd_modules_path }}/55-{{ item }}.conf" state: absent loop: - authnz_pam diff --git a/src/roles/httpd/tasks/external_auth/ipa.yml b/src/roles/httpd/tasks/external_auth/ipa.yml index a732263f4..63819a6e2 100644 --- a/src/roles/httpd/tasks/external_auth/ipa.yml +++ b/src/roles/httpd/tasks/external_auth/ipa.yml 
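Review bot: `httpd_ipa_keytab: "{{ httpd_etc_path }}/conf/http.keytab"` resolves to `/etc/apache2/conf/http.keytab` on Debian, where the `apache2` package ships `conf-available` and `conf-enabled` but no `conf` directory, so the keytab permission task in `ipa.yml` would fail unless something outside these hunks creates that directory. Put the keytab location into the per-OS vars files (for example an `httpd_ipa_keytab_dir` pointing at a directory that exists on each family) and derive the default from it: `httpd_ipa_keytab: "{{ httpd_ipa_keytab_dir }}/http.keytab"`. Referencing a variable that `include_vars` loads later is fine because defaults are evaluated lazily, but it is worth a comment above the line saying the value depends on `vars/<os_family>.yaml` being included.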
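Review bot: `path: "{{ httpd_conf_path}}/05-{{ item }}.d/external_auth.conf"` in the first cleanup hunk drops the space before the closing braces; Jinja accepts it, but every other expression in this series is written `{{ var }}`, and the odd form hides the line from a grep for `httpd_conf_path }}`. Write it as `path: "{{ httpd_conf_path }}/05-{{ item }}.d/external_auth.conf"`.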
@@ -10,13 +10,13 @@ - name: Create directory for Apache module configuration ansible.builtin.file: - path: /etc/httpd/conf.modules.d + path: "{{ httpd_modules_path }}" state: directory mode: "0755" - name: Load Apache modules for IPA authentication ansible.builtin.copy: - dest: /etc/httpd/conf.modules.d/55-{{ item }}.conf + dest: "{{ httpd_modules_path }}/55-{{ item }}.conf" content: | LoadModule {{ item }}_module modules/mod_{{ item }}.so mode: "0644" @@ -66,13 +66,13 @@ - name: Set keytab file permissions ansible.builtin.file: path: "{{ httpd_ipa_keytab }}" - owner: apache - group: apache + owner: "{{ httpd_user }}" + group: "{{ httpd_group }}" mode: "0600" - name: Create directory for Apache configuration fragments ansible.builtin.file: - path: /etc/httpd/conf.d/05-{{ item }}.d + path: "{{ httpd_conf_path }}/05-{{ item }}.d" state: directory mode: "0755" loop: @@ -82,7 +82,7 @@ - name: Deploy external authentication configuration ansible.builtin.template: src: external_auth.conf.j2 - dest: /etc/httpd/conf.d/05-{{ item }}.d/external_auth.conf + dest: "{{ httpd_conf_path }}/05-{{ item }}.d/external_auth.conf" mode: "0644" notify: - Restart httpd diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml index bbc3d633d..4d543bd75 100644 --- a/src/roles/httpd/tasks/main.yml +++ b/src/roles/httpd/tasks/main.yml @@ -1,9 +1,10 @@ --- +- name: Set OS dependent variables + ansible.builtin.include_vars: "{{ ansible_facts['os_family'] }}.yaml" + - name: Install Apache httpd ansible.builtin.package: - name: - - httpd - - mod_ssl + name: "{{ httpd_packages }}" state: present - name: Set httpd_can_network_connect so Apache can connect to Puma and Gunicorn 
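Review bot: The module-loading task in the first hunk of `ipa.yml` still writes `LoadModule {{ item }}_module modules/mod_{{ item }}.so` while its destination is now `{{ httpd_modules_path }}`; on Debian that file lands in `/etc/apache2/mods-enabled`, where the relative `modules/` path does not resolve because Debian does not keep the module binaries under ServerRoot, so the path inside the file needs the same per-OS treatment as the file's location. Debian's own `.load` files use an absolute module directory, so adding an `httpd_module_dir` entry to both vars files and writing `LoadModule {{ item }}_module {{ httpd_module_dir }}/mod_{{ item }}.so` would cover both families. Writing straight into `mods-enabled` also bypasses the `a2enmod` symlink convention that the `community.general.apache2_module` task in `main.yml` follows, which is worth a comment if it is intentional.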
@@ -13,9 +14,14 @@ persistent: true when: ansible_facts['selinux']['status'] == "enabled" +- name: Enable required modules + community.general.apache2_module: + name: "{{ item }}" + loop: "{{ httpd_modules }}" + - name: Disable welcome page ansible.builtin.file: - path: /etc/httpd/conf.d/welcome.conf + path: "{{ httpd_conf_path }}/welcome.conf" state: absent - name: Create cert directories @@ -31,8 +37,8 @@ ansible.builtin.file: path: "{{ httpd_pub_dir }}" state: directory - group: apache - owner: apache + group: "{{ httpd_group }}" + owner: "{{ httpd_user }}" mode: "0755" - name: Deploy certificates @@ -63,7 +69,7 @@ - name: Configure MPM event module ansible.builtin.template: src: event.conf.j2 - dest: /etc/httpd/conf.modules.d/event.conf + dest: "{{ httpd_modules_path }}/event.conf" mode: "0644" notify: - Restart httpd @@ -79,7 +85,7 @@ - name: Configure foreman vhost ansible.builtin.template: src: foreman-vhost.conf.j2 - dest: /etc/httpd/conf.d/foreman.conf + dest: "{{ httpd_conf_path }}/foreman.conf" mode: "0644" notify: - Restart httpd @@ -87,20 +93,20 @@ - name: Configure foreman-ssl vhost ansible.builtin.template: src: foreman-ssl-vhost.conf.j2 - dest: /etc/httpd/conf.d/foreman-ssl.conf + dest: "{{ httpd_conf_path }}/foreman-ssl.conf" mode: "0644" notify: - Restart httpd - name: Create systemd drop-in directory for httpd ansible.builtin.file: - path: /etc/systemd/system/httpd.service.d + path: /etc/systemd/system/{{ httpd_service }}.service.d state: directory mode: "0755" - name: Add httpd to foreman.target ansible.builtin.copy: - dest: /etc/systemd/system/httpd.service.d/foreman-target.conf + dest: /etc/systemd/system/{{ httpd_service }}.service.d/foreman-target.conf mode: "0644" content: | [Install] @@ -117,6 +123,6 @@ - name: Start Apache httpd ansible.builtin.service: - name: httpd + name: "{{ httpd_service }}" state: started enabled: true diff --git a/src/roles/httpd/tasks/sssd.yml b/src/roles/httpd/tasks/sssd.yml index 3dae192be..60d95a381 100644 
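Review bot: `dest: "{{ httpd_modules_path }}/event.conf"` in the MPM hunk places the template at `/etc/apache2/mods-enabled/event.conf` on Debian, next to the distribution's own `mpm_event.conf`, which is enabled by default and sets its own worker and thread limits; Apache processes wildcard includes alphabetically, so `mpm_event.conf` is read after `event.conf` and, if the two set the same directives, Debian's values win silently. The `httpd_test.py` checks only that the file contains `ServerLimit` and `ThreadsPerChild`, so they would pass while the tuning is ineffective. Consider a Debian destination that replaces `mods-available/mpm_event.conf` or at least sorts after it, and a test that asserts on the effective setting rather than the file text. Separately, `path: /etc/systemd/system/{{ httpd_service }}.service.d` and the matching `dest:` are the only templated paths in the series left unquoted; quote them for consistency with the rest of the role.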
--- a/src/roles/httpd/tasks/sssd.yml +++ b/src/roles/httpd/tasks/sssd.yml @@ -39,7 +39,7 @@ path: /etc/sssd/sssd.conf section: ifp option: allowed_uids - value: "root, apache" + value: "root, {{ httpd_user }}" mode: "0600" notify: - Restart sssd diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 index dfec667b5..04eb6e61c 100644 --- a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 +++ b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 @@ -2,12 +2,12 @@ ServerName {{ ansible_facts['fqdn'] }} ## Load additional static includes - IncludeOptional "/etc/httpd/conf.d/05-foreman-ssl.d/*.conf" + IncludeOptional "{{ httpd_conf_path }}/05-foreman-ssl.d/*.conf" ## Logging - ErrorLog "/var/log/httpd/foreman-ssl_error_ssl.log" + ErrorLog "{{ httpd_log_path }}/foreman-ssl_error_ssl.log" ServerSignature Off - CustomLog "/var/log/httpd/foreman-ssl_access_ssl.log" combined + CustomLog "{{ httpd_log_path }}/foreman-ssl_access_ssl.log" combined ## Request header rules ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader diff --git a/src/roles/httpd/templates/foreman-vhost.conf.j2 b/src/roles/httpd/templates/foreman-vhost.conf.j2 index 8cb520007..537eca627 100644 --- a/src/roles/httpd/templates/foreman-vhost.conf.j2 +++ b/src/roles/httpd/templates/foreman-vhost.conf.j2 @@ -2,12 +2,12 @@ ServerName {{ ansible_facts['fqdn'] }} ## Load additional static includes - IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf" + IncludeOptional "{{ httpd_conf_path }}/05-foreman.d/*.conf" ## Logging - ErrorLog "/var/log/httpd/foreman_error.log" + ErrorLog "{{ httpd_log_path }}/foreman_error.log" ServerSignature Off - CustomLog "/var/log/httpd/foreman_access.log" combined + CustomLog "{{ httpd_log_path }}/foreman_access.log" combined ## Request header rules ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader 
diff --git a/src/roles/httpd/vars/Debian.yaml b/src/roles/httpd/vars/Debian.yaml new file mode 100644 index 000000000..c9acc29a8 --- /dev/null +++ b/src/roles/httpd/vars/Debian.yaml @@ -0,0 +1,15 @@ +--- +httpd_packages: + - apache2 +httpd_etc_path: /etc/apache2 +httpd_conf_path: "{{ httpd_etc_path }}/conf-enabled" +httpd_modules_path: "{{ httpd_etc_path }}/mods-enabled" +httpd_service: apache2 +httpd_log_path: /var/log/apache2 +httpd_user: www-data +httpd_group: www-data +httpd_modules: + - ssl + - headers + - proxy + - proxy_http diff --git a/src/roles/httpd/vars/RedHat.yaml b/src/roles/httpd/vars/RedHat.yaml new file mode 100644 index 000000000..d721cbd7f --- /dev/null +++ b/src/roles/httpd/vars/RedHat.yaml @@ -0,0 +1,12 @@ +--- +httpd_packages: + - httpd + - mod_ssl +httpd_etc_path: /etc/httpd +httpd_conf_path: "{{ httpd_etc_path }}/conf.d" +httpd_modules_path: "{{ httpd_etc_path }}/conf.modules.d" +httpd_service: httpd +httpd_log_path: /var/log/httpd +httpd_user: apache +httpd_group: apache +httpd_modules: [] diff --git a/tests/httpd_test.py b/tests/httpd_test.py index c086e683c..d7ab48b7f 100644 --- a/tests/httpd_test.py +++ b/tests/httpd_test.py @@ -1,3 +1,5 @@ +import pytest + HTTP_HOST = 'localhost' HTTP_PORT = 80 HTTPS_PORT = 443 
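Review bot: `httpd_conf_path: "{{ httpd_etc_path }}/conf-enabled"` means the Foreman vhosts are written into `conf-enabled` rather than Debian's `sites-enabled`, and nothing in this series disables the stock `000-default` site that the `apache2` package enables there, so — assuming the vhost template binds `*:80` — a second vhost serving `/var/www/html` remains reachable alongside Foreman; the RedHat side covers the analogous case by removing `welcome.conf`, which does not exist on Debian. Add a Debian counterpart, e.g. a task removing `/etc/apache2/sites-enabled/000-default.conf` when `ansible_facts['os_family'] == 'Debian'`, and check whether Debian's `ports.conf` `Listen` lines duplicate any in the role's templates. The vars file is complete within this hunk.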
@@ -5,8 +7,30 @@ CURL_CMD = "curl --silent --output /dev/null" -def test_httpd_service(server): - httpd = server.service("httpd") +@pytest.fixture(scope="module") +def httpd_paths(server): + if server.system_info.distribution == 'debian': + base = '/etc/apache2' + conf = f'{base}/conf-enabled' + modules = f'{base}/mods-enabled' + else: + base = '/etc/httpd' + conf = f'{base}/conf.d' + modules = f'{base}/conf.modules.d' + return {'conf': conf, 'modules': modules} + + +@pytest.fixture(scope="module") +def httpd_service(server): + if server.system_info.distribution == 'debian': + service_name = 'apache2' + else: + service_name = 'httpd' + return service_name + + +def test_httpd_service(server, httpd_service): + httpd = server.service(httpd_service) assert httpd.is_running assert httpd.is_enabled 
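Review bot: `httpd_paths` and `httpd_service` both branch on `server.system_info.distribution == 'debian'`, so the Debian/RedHat layout is now encoded twice in the test module on top of the role's two vars files. One module-scoped fixture returning `{'conf': ..., 'modules': ..., 'service': ...}` would keep the branch in a single place. As written, any distribution that is not `debian` falls into the RedHat branch in both fixtures, whereas the role's `include_vars` presumably fails for an unknown family; a docstring on the fixture stating that non-Debian is treated as RedHat-layout would make that asymmetry explicit. Both fixtures are complete within the hunk.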
@@ -114,39 +138,39 @@ def test_https_foreman_login(server, certificates, server_fqdn): assert cmd.stdout == '200' -def test_httpd_event_conf_exists(server): - event_conf = server.file("/etc/httpd/conf.modules.d/event.conf") +def test_httpd_event_conf_exists(server, httpd_paths): + event_conf = server.file(f"{httpd_paths['modules']}/event.conf") assert event_conf.exists assert event_conf.is_file -def test_httpd_event_conf_contains_server_limit(server): - event_conf = server.file("/etc/httpd/conf.modules.d/event.conf") +def test_httpd_event_conf_contains_server_limit(server, httpd_paths): + event_conf = server.file(f"{httpd_paths['modules']}/event.conf") assert event_conf.contains("ServerLimit") -def test_httpd_event_conf_contains_threads_per_child(server): - event_conf = server.file("/etc/httpd/conf.modules.d/event.conf") +def test_httpd_event_conf_contains_threads_per_child(server, httpd_paths): + event_conf = server.file(f"{httpd_paths['modules']}/event.conf") assert event_conf.contains("ThreadsPerChild") def test_httpd_config_syntax(server): - cmd = server.run("httpd -t") + cmd = server.run("apachectl -t") assert cmd.succeeded -def test_httpd_headers_use_dashes(server): - cmd = server.run("grep -rPn 'RequestHeader\\s+set\\s+\\S*_\\S*\\s' /etc/httpd/conf.d/foreman.conf /etc/httpd/conf.d/foreman-ssl.conf /etc/httpd/conf.d/05-foreman.d/ /etc/httpd/conf.d/05-foreman-ssl.d/ 2>/dev/null") +def test_httpd_headers_use_dashes(server, httpd_paths): + cmd = server.run(f"grep -rPn 'RequestHeader\\s+set\\s+\\S*_\\S*\\s' {httpd_paths['conf']}/foreman.conf {httpd_paths['conf']}/foreman-ssl.conf {httpd_paths['conf']}/05-foreman.d/ {httpd_paths['conf']}/05-foreman-ssl.d/ 2>/dev/null") assert cmd.stdout.strip() == '', f"HTTP header names should use dashes, not underscores:\n{cmd.stdout}" -def test_httpd_foreman_target_config(server): - drop_in = server.file("/etc/systemd/system/httpd.service.d/foreman-target.conf") +def test_httpd_foreman_target_config(server, httpd_service): + 
drop_in = server.file(f"/etc/systemd/system/{httpd_service}.service.d/foreman-target.conf") assert drop_in.exists assert drop_in.is_file assert drop_in.contains("PartOf=foreman.target") assert drop_in.contains(r"WantedBy=default\.target foreman\.target") - wants_link = server.file("/etc/systemd/system/foreman.target.wants/httpd.service") + wants_link = server.file(f"/etc/systemd/system/foreman.target.wants/{httpd_service}.service") assert wants_link.exists assert wants_link.is_symlink From b5d02582ebbd6334199c700eac2aecf34099cfc0 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Tue, 23 Sep 2025 11:55:18 +0200 Subject: [PATCH 6/9] skip hammer on Debian --- .github/workflows/test.yml | 6 +++++- tests/hammer_test.py | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b92771427..8091da4a3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -148,10 +148,14 @@ jobs: --tuning development \ --content-import-path /custom/import \ --content-export-path /custom/export - - name: Deploy features + - name: Deploy hammer + if: contains(matrix.box, 'centos') run: | ./foremanctl deploy \ --add-feature hammer \ + - name: Deploy features + run: | + ./foremanctl deploy \ --add-feature foreman-proxy \ --add-feature azure-rm \ --add-feature google \ diff --git a/tests/hammer_test.py b/tests/hammer_test.py index 456f0ba62..9f7502c12 100644 --- a/tests/hammer_test.py +++ b/tests/hammer_test.py @@ -1,8 +1,15 @@ +import pytest + + def test_hammer_ping(server): + if server.system_info.distribution == 'debian': + pytest.xfail('Hammer is not properly set up on Debian yet') hammer = server.run("hammer ping") assert hammer.succeeded def test_hammer_organizations_list(server): + if server.system_info.distribution == 'debian': + pytest.xfail('Hammer is not properly set up on Debian yet') hammer = server.run("hammer organization list") assert hammer.succeeded 
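Review bot: The new `Deploy hammer` step ends its script with `--add-feature hammer \`, a dangling line continuation with nothing after it; bash tolerates a trailing backslash-newline at end of input, but any later line appended to that `run:` block would silently fold into the command. Drop the backslash: `--add-feature hammer`. Separately, `if: contains(matrix.box, 'centos')` gates on the box being CentOS rather than on it not being Debian, so if the matrix ever gains a box that is neither, hammer is skipped there too; `if: ${{ !contains(matrix.box, 'debian') }}` matches the commit's stated intent. The `Deploy features` step continues past the hunk.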
From 9f0d562b7168c58b3934f9cccf5b730287d639b4 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Fri, 27 Feb 2026 13:06:36 +0100 Subject: [PATCH 7/9] disable synced folder, takes time, we don't use it --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index da3af4e88..7ae493ba8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,7 +1,7 @@ DOMAIN = ENV.fetch('VAGRANT_DOMAIN', 'example.com'.freeze) Vagrant.configure("2") do |config| - config.vm.synced_folder ".", "/vagrant" + config.vm.synced_folder ".", "/vagrant", disabled: true config.vm.provision("etc_hosts", type: 'ansible') do |ansible| ansible.playbook = "development/playbooks/etc_host.yml" From d47f01a8864c7af2f27197ceb943d025fefdf38d Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Fri, 27 Feb 2026 14:42:42 +0100 Subject: [PATCH 8/9] Debian doesn't ship curl in their box --- development/playbooks/test/test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/development/playbooks/test/test.yaml b/development/playbooks/test/test.yaml index 9e1050b18..44b099ce6 100644 --- a/development/playbooks/test/test.yaml +++ b/development/playbooks/test/test.yaml @@ -8,6 +8,7 @@ ansible.builtin.package: name: - nmap + - curl - name: Execute tests gather_facts: false From a7faf2e80c2d01c88b02ebad836b8d27aedb9308 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Wed, 24 Jun 2026 19:00:07 +0200 Subject: [PATCH 9/9] Only set Policy on non-Debian This needs Podman 5.6, while Debian ships 5.4. https://github.com/podman-container-tools/podman/commit/439448c2873246e71591df4daddf4dfe2bd04f2e --- src/roles/images/tasks/deploy_image.yaml | 2 +- src/roles/images/tasks/pull.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/roles/images/tasks/deploy_image.yaml b/src/roles/images/tasks/deploy_image.yaml index 8328a912b..a09e49bc8 100644 --- a/src/roles/images/tasks/deploy_image.yaml +++ b/src/roles/images/tasks/deploy_image.yaml 
@@ -7,7 +7,7 @@ quadlet_filename: "{{ images_definition.name }}" quadlet_file_mode: "0644" quadlet_options: - - "Policy=missing" + - "{{ 'Policy=missing' if ansible_facts['os_family'] != 'Debian' else '' }}" - | [Service] Environment=REGISTRY_AUTH_FILE={{ images_registry_auth_file }} diff --git a/src/roles/images/tasks/pull.yaml b/src/roles/images/tasks/pull.yaml index cce04beb7..2e8989e90 100644 --- a/src/roles/images/tasks/pull.yaml +++ b/src/roles/images/tasks/pull.yaml @@ -9,6 +9,8 @@ Policy=always mode: "0644" loop: "{{ images_deployed_names | default([]) }}" + when: + - ansible_facts['os_family'] != 'Debian' - name: Run daemon reload ansible.builtin.systemd:
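Review bot: `"{{ 'Policy=missing' if ansible_facts['os_family'] != 'Debian' else '' }}"` leaves an empty-string entry in `quadlet_options` on Debian, which presumably becomes a blank line in the generated unit — harmless for the INI reader, but an odd artifact, and the line encodes a Podman-version constraint as an OS check without saying so. Add a comment above the item so the next reader knows when it can go: `# Policy= needs Podman >= 5.6; Debian 13 ships 5.4 (see commit message)`. The `quadlet_options` list starts before this hunk.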
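Review bot: The added `when: ansible_facts['os_family'] != 'Debian'` in `pull.yaml` skips the whole task that writes the image unit, not just its `Policy=always` line, so on Debian no pull unit is created at all — a larger change than the title "Only set Policy on non-Debian" describes, and inconsistent with `deploy_image.yaml` in the same commit, which keeps the unit and blanks only the option. If the unit is still wanted on Debian, make the line conditional inside the content instead, `{% if ansible_facts['os_family'] != 'Debian' %}Policy=always{% endif %}`, and leave the task unconditional. The task's `name:` and the start of its content block lie before this hunk.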