feat: Support this role in container builds

[martinpitt]

Feature: Support running the cockpit role during container builds.

Reason: This is particularly useful for building bootc derivative OSes.

Result: These flags enable running the bootc container scenarios in CI, which ensures that the role works in buildah build environment. This allows us to officially support this role for image mode builds.

Do not enable the role for system containers (the container) flag. That currently fails due to SELinux not working properly there, and needs to be looked at separately if desired.

https://issues.redhat.com/browse/RHEL-88423

Skip the certmonger tests for non-booted environments, as certmonger requires a running system by design (these are a case for running the role in a deployed system). Also skip the firewall managed related checks for the time being, until the firewall role works during container builds (https://issues.redhat.com/browse/RHEL-88425).

• Review/land ci: Add container integration test for rpm and bootc sudo#52 as the initial PR for this machinery
• ci: Update to tox-lsr 3.7.0 #213
• fix: Ignore extra lines in dnf repoquery parsing #214
• adjust firewall rule for bootc tests

[martinpitt]

The initial run failed due to a runcontainer.sh bug, fixed in linux-system-roles/tox-lsr#189. Re-running. Now it locally fails in the "right" way:

TASK [linux-system-roles.cockpit : Ensure Cockpit Web Console is started/stopped and enabled/disabled] ***********************************
fatal: [sut]: FAILED! => {"changed": false, "msg": "Service is in unknown state", "status": {}}

This now happens in CI as well.

[martinpitt]

In classic rpm mode, tests_port2 fails without a "fatal:". This makes the log harder to evaluate.

It fails due to

TASK [fedora.linux_system_roles.selinux : Set an SELinux label on a port] ****************************************************************
task path: /var/home/martin/upstream/lsr/cockpit/.tox/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/main.yml:87
redirecting (type: connection) ansible.builtin.podman to containers.podman.podman
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: SELinux policy is not managed or store cannot be accessed.
failed: [sut] (item={'ports': 443, 'proto': 'tcp', 'setype': 'websm_port_t', 'state': 'present', 'local': 'true'}) => {"__selinux_item": {"local": "true", "ports": 443, "proto": "tcp", "setype": "websm_port_t", "state": "present"}, "ansible_loop_var": "__selinux_item", "changed": false, "msg": "ValueError: SELinux policy is not managed or store cannot be accessed.\n"}

I fixed that in an extra commit here, I sent it to linux-system-roles/.github#103 as well.

Beyond that I'll ignore that error. Running the classic rpm OSes in containers is nice while I develop runcontainer.sh, to ensure I don't break anything existing. But it's more of a "nice to have" by itself, so at the moment I think I won't actually land these in production, and concentrate on the bootc ones.

[martinpitt]

Better! Some tests pass. packages_full and port fail in the firewalld rule, so I suppose that will be my next target. The certificate tests still need work.

Update: I added a tests::booted tag for skipping tests in a buildah environment, and updated linux-system-roles/tox-lsr#189 accordingly.