gitlab-runner: Add explicit become directives

Normo · Normo · commit dd79bd4354b8 · 2025-11-25T12:29:35.000+01:00
Signed-off-by: Norman Ziegner &lt;n.ziegner@hzdr.de&gt;
diff --git a/molecule/gitlab_runner/converge.yml b/molecule/gitlab_runner/converge.yml
@@ -7,6 +7,11 @@
 - name: "Converge"
   hosts: "all"
   become: false
+  vars:
+    # Override to disable docker dependency during converge phase
+    # Docker is already installed in prepare.yml for instances that need it
+    # This allows us to test explicit become directives without the dependency interfering
+    gitlab_runner_install_docker: false
   tasks:
     - name: "Include gitlab_runner role"
       ansible.builtin.include_role:
diff --git a/molecule/gitlab_runner/prepare.yml b/molecule/gitlab_runner/prepare.yml
@@ -38,3 +38,14 @@
           community.general.alternatives:
             name: "ip6tables"
             path: "/usr/sbin/ip6tables-legacy"
+
+- name: "Install Docker for instances that need it"
+  hosts: "all"
+  become: true
+  tasks:
+    - name: "Include geerlingguy.docker role"
+      when: "gitlab_runner_install_docker | default(false)"
+      ansible.builtin.include_role:
+        name: "geerlingguy.docker"
+      vars:
+        docker_install_compose: false
diff --git a/molecule/gitlab_runner/verify.yml b/molecule/gitlab_runner/verify.yml
@@ -6,6 +6,7 @@
 ---
 - name: "Verify"
   hosts: "all"
+  become: true
   tasks:
     - name: "Gather package facts"
       ansible.builtin.package_facts:
@@ -41,7 +42,6 @@
       failed_when: "'0.16.2-gitlab.25' not in machine_version.stdout"
 
     - name: "Identify installed fleeting plugins"
-      become: true
       ansible.builtin.command: "gitlab-runner fleeting list"
       register: "fleeting_cmd"
       changed_when: false
@@ -65,7 +65,6 @@
         - "gitlab_runner_version is defined"
 
     - name: "Assert that ignition.json file was created"
-      become: true
       ansible.builtin.stat:
         path: "/etc/gitlab-runner/ignition.json"
       register: "ignition"
@@ -75,14 +74,12 @@
       when: "gitlab_runner_ssh_public_key | default('') | length == 0 or gitlab_runner_ssh_public_key | default('') | length == 0"
       block:
         - name: "Assert that SSH key pair was created"
-          become: true
           ansible.builtin.stat:
             path: "/etc/gitlab-runner/gitlab_runner_key"
           register: "ssh_key"
           failed_when: "not ssh_key.stat.isreg or ssh_key.stat.mode != '0600'"
 
         - name: "Read generated SSH public key"
-          become: true
           ansible.builtin.command: "cat /etc/gitlab-runner/gitlab_runner_key.pub"
           register: "generated_pub_key"
           changed_when: false
@@ -99,7 +96,6 @@
         - "gitlab_runner_ssh_private_key | default('') | length > 0"
 
     - name: "Read flatcar linux config"
-      become: true
       ansible.builtin.command: "cat /etc/gitlab-runner/ignition.json"
       register: "flatcar_linux_config"
       changed_when: false
@@ -114,7 +110,6 @@
         gitlab_runner_authentication_token: "{{ lookup('env', 'AUTHENTICATION_TOKEN') }}"
 
     - name: "Assert that the runner was registered successfully"
-      become: true
       ansible.builtin.command: "gitlab-runner list"
       changed_when: false
       register: "runners"
@@ -123,7 +118,6 @@
       when: "gitlab_runner_authentication_token | length > 0"
 
     - name: "Assert that the verify command is successful"
-      become: true
       ansible.builtin.command: "gitlab-runner verify"
       changed_when: false
       register: "runners_verify"
@@ -138,7 +132,6 @@
       failed_when: '"# TYPE gitlab_runner_version_info" not in metrics.content'
 
     - name: "Unregister GitLab-Runner"
-      become: true
       ansible.builtin.command: "gitlab-runner unregister --all-runners"
       changed_when: false
       # Do not verify runner registration in forks
diff --git a/roles/gitlab_runner/handlers/main.yml b/roles/gitlab_runner/handlers/main.yml
@@ -6,10 +6,12 @@
 ---
 
 - name: "Transpile the flatcar linux configuration"
+  become: true
   ansible.builtin.command: "butane -o /etc/gitlab-runner/ignition.json /etc/gitlab-runner/butane-config.bu"
   changed_when: true
 
 - name: "Restart GitLab-Runner"
+  become: true
   ansible.builtin.service:
     name: "gitlab-runner"
     state: "restarted"
diff --git a/roles/gitlab_runner/tasks/configuration.yml b/roles/gitlab_runner/tasks/configuration.yml
@@ -10,6 +10,7 @@
     - "gitlab_runner_ssh_private_key | default('') | length > 0"
   block:
     - name: "Place SSH public key on the host for communicating with Runners."
+      become: true
       ansible.builtin.copy:
         src: "{{ gitlab_runner_ssh_public_key }}"
         dest: "{{ gitlab_runner_ssh_public_key_path }}"
@@ -18,6 +19,7 @@
         mode: "0644"
 
     - name: "Place SSH private key on the host for communicating with Runners."
+      become: true
       ansible.builtin.copy:
         src: "{{ gitlab_runner_ssh_private_key }}"
         dest: "{{ gitlab_runner_ssh_private_key_path }}"
@@ -26,20 +28,23 @@
         mode: "0600"
 
 - name: "Create SSH key pair for communicating with Runners."
+  become: true
   community.crypto.openssh_keypair:  # noqa: args[module]
     path: "{{ gitlab_runner_ssh_private_key_path }}"
     type: "{{ gitlab_runner_ssh_key_type | default('ed25519') }}"
   register: "__gitlab_runner_ssh_keypair"
   when: "not __gitlab_runner_is_initial_dryrun"  # skip if run for the first time in check mode
 
 - name: "Download and install container-linux-config-transpiler"
+  become: true
   ansible.builtin.get_url:
     url: "{{ gitlab_runner_transpiler_binary_url }}"
     dest: "/usr/local/bin/butane"
     mode: "0755"
     checksum: "{{ gitlab_runner_transpiler_binary_checksum }}"
 
 - name: "Place the container linux configuration on the host"
+  become: true
   ansible.builtin.template:
     src: "{{ gitlab_runner_butane_config_template }}"
     dest: "/etc/gitlab-runner/butane-config.bu"
@@ -52,6 +57,7 @@
     - "Transpile the flatcar linux configuration"
 
 - name: "Check if ignition.json is available and create it in any case"
+  become: true
   when: "not __flatcar_config_task.changed"  # noqa no-handler
   ansible.builtin.stat:
     path: "/etc/gitlab-runner/ignition.json"
@@ -77,11 +83,13 @@
       check_mode: false
 
     - name: "Dry-run of transpile the flatcar linux configuration"
+      become: true
       ansible.builtin.command: "butane -o {{ (__temp_directory.path, 'ignition.json') | path_join }} /etc/gitlab-runner/butane-config.bu"
       changed_when: false
       check_mode: false
 
     - name: "Stat temporary ignition.json file"
+      become: true
       ansible.builtin.stat:
         path: "{{ (__temp_directory.path, 'ignition.json') | path_join }}"
       register: "__temp_ignition_stats"
diff --git a/roles/gitlab_runner/tasks/docker-machine-init.yml b/roles/gitlab_runner/tasks/docker-machine-init.yml
@@ -5,6 +5,7 @@
 
 ---
 - name: "Check if docker-machine initialization is necessary"
+  become: true
   ansible.builtin.stat:
     path: "/root/.docker/machine/certs/ca.pem"
   register: "__docker_machine_config"
@@ -17,6 +18,7 @@
         __machine_options: "--{{ gitlab_runner.machine_options | join(' --') }}"
 
     - name: "Create a VM once via docker-machine"
+      become: true
       when: "not ansible_check_mode"
       ansible.builtin.command: "docker-machine create -d {{ gitlab_runner.machine_driver }} {{ __machine_options }} test"
       register: "__creation_cmd"
@@ -25,6 +27,7 @@
 
   always:
     - name: "Remove the VM"
+      become: true
       when: "not ansible_check_mode"
       ansible.builtin.command: "docker-machine rm -y --force test"
       register: "__removal_cmd"
diff --git a/roles/gitlab_runner/tasks/install.autoscaler-plugin.yml b/roles/gitlab_runner/tasks/install.autoscaler-plugin.yml
@@ -31,6 +31,7 @@
       changed_when: false
 
     - name: "Download fleeting-plugin-openstack"
+      become: true
       ansible.builtin.get_url:
         url: "{{ gitlab_runner_autoscaler_plugin_url }}"
         dest: "{{ (__tempdir_fleeting_plugin.path, 'fleeting-plugin-openstack.tar.gz') | path_join }}"
@@ -41,6 +42,7 @@
       check_mode: false
 
     - name: "Extract fleeting-plugin-openstack binary"
+      become: true
       ansible.builtin.unarchive:
         src: "{{ (__tempdir_fleeting_plugin.path, 'fleeting-plugin-openstack.tar.gz') | path_join }}"
         dest: "/usr/local/bin/"
@@ -61,6 +63,7 @@
       changed_when: false
 
 - name: "Place clouds.yaml template"
+  become: true
   ansible.builtin.template:
     src: "clouds.yaml.j2"
     dest: "/etc/gitlab-runner/clouds.yaml"
diff --git a/roles/gitlab_runner/tasks/install.debianlike.yml b/roles/gitlab_runner/tasks/install.debianlike.yml
@@ -6,6 +6,7 @@
 ---
 
 - name: "Install GitLab-Runner dependencies"
+  become: true
   ansible.builtin.apt:
     pkg:
       - "debian-archive-keyring"
@@ -20,6 +21,7 @@
 
   block:
     - name: "Add packages repository packages.gitlab.com/runner/gitlab-runner"
+      become: true
       ansible.builtin.deb822_repository:
         name: "gitlab-runner"
         types: "deb"
@@ -31,6 +33,7 @@
         enabled: true
 
     - name: "Use APT pinning for Debian os"
+      become: true
       ansible.builtin.template:
         src: "pin-gitlab-runner.pref.j2"
         dest: "/etc/apt/preferences.d/pin-gitlab-runner.pref"
@@ -40,6 +43,7 @@
       when: "ansible_facts.distribution == 'Debian'"
 
     - name: "Install gitlab-runner-helper-images with downgrade option"
+      become: true
       ansible.builtin.apt:
         name: "{{ gitlab_runner_helper_images_package_name }}"
         state: "present"
@@ -50,6 +54,7 @@
         - "gitlab_runner_version is version('17.7.0', 'ge') or gitlab_runner_version | length == 0"
 
     - name: "Install gitlab-runner with downgrade option"
+      become: true
       ansible.builtin.apt:
         name: "{{ gitlab_runner_package_name }}"
         state: "present"
@@ -69,12 +74,14 @@
   block:
 
     - name: "Install gitlab-runner-helper-images from a .deb file"
+      become: true
       ansible.builtin.apt:
         deb: "{{ gitlab_runner_helper_images_deb_file }}"
         allow_downgrade: true
       when: "gitlab_runner_version is version('17.7.0', 'ge') or gitlab_runner_version | length == 0"
 
     - name: "Install gitlab-runner from a .deb file"
+      become: true
       ansible.builtin.apt:
         deb: "{{ gitlab_runner_deb_file }}"
         allow_downgrade: true
diff --git a/roles/gitlab_runner/tasks/install.docker-machine.yml b/roles/gitlab_runner/tasks/install.docker-machine.yml
@@ -5,6 +5,7 @@
 
 ---
 - name: "Download and install docker-machine binary"
+  become: true
   ansible.builtin.get_url:
     url: "{{ gitlab_runner_docker_machine_binary_url }}"
     dest: "/usr/local/bin/docker-machine"
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
@@ -48,6 +48,7 @@
     loop_var: "gitlab_runner"
 
 - name: "Slurp ignition json"
+  become: true
   ansible.builtin.slurp:
     src: "/etc/gitlab-runner/ignition.json"
   register: "__ignition_json"
@@ -56,6 +57,7 @@
     - "not __gitlab_runner_is_initial_dryrun"
 
 - name: "Template config file"
+  become: true
   ansible.builtin.template:
     src: "config.toml.j2"
     dest: "{{ gitlab_runner_config_path }}"
@@ -69,6 +71,7 @@
   when: "not __gitlab_runner_is_initial_dryrun"
 
 - name: "Start GitLab-Runner"
+  become: true
   ansible.builtin.service:
     name: "gitlab-runner"
     state: "started"
