fix: Skip runtime operations in non-systemd environments

Cause: Both the actual role and the tests were previously assuming that
the system was booted with systemd and could run services. But this is
not the case when running the role during container builds.

Consequence: The role did not work during bootc container builds.

Fix: Detect if the system is booted (with systemd), and skip all runtime
operations and checks if not.

Result: The role now works during container builds.

Call our firewall modules with `online: false` to select their
`firewall-offline-cmd` modes when not booted.

Add a new "online" parameter to get_files_checksums.sh that skips the
reload when offline.

Adjust tests_firewall_fact.yml to ensure that "detailed" mode fact
collection fails in container mode (as that is currently unsupported,
see previous commit).

https://issues.redhat.com/browse/RHEL-88425

Author: martinpitt

README.md

@@ -628,6 +628,9 @@ A list of PCI devices with their IDs can be retrieved using `lcpci -nn`.
 For more information on PCI device IDs, see the linux man page at:
 <https://man7.org/linux/man-pages/man5/pci.ids.5.html>
 
+This option requires running the role on the actual target machine, i.e. it is
+not supported during container builds.
+
 ### icmp_block
 
 String or list of ICMP type strings to block.  The ICMP type names needs to be

files/get_files_checksums.sh

@@ -7,6 +7,7 @@ firewall_conf_root="${2:-/etc/firewalld}"
 remove="${3:-false}"
 package="${4:-}"
 firewall_usr_lib="${5:-}"
+booted="${6:-}"
 
 listfile=$(mktemp)
 firewallconf=$(mktemp)
@@ -66,7 +67,7 @@ fc.filename=sys.argv[1] # Change target firewalld.conf write target
 fc.write() # update firewalld.conf
 ' "$orig_conf" 2>/dev/null
     fi
-    if [ -s "$listfile" ] ; then
+    if [ -s "$listfile" ] && [ -n "$booted" ] ; then
         firewall-cmd --reload > /dev/null
     fi
 fi

library/firewall_lib.py

@@ -1503,6 +1503,9 @@ def get_interface_pci():
 
 
 def parse_pci_id(module, item):
+    if not module.params["online"]:
+        module.fail_json(msg="interface_pci_id is not supported in offline mode.")
+
     if PCI_REGEX.search(item):
         global pci_ids
         if not pci_ids:

tasks/firewalld.yml

@@ -6,7 +6,7 @@
     difference(ansible_facts.keys() | list) | length > 0
 
 - name: Determine if system is ostree and set flag
-  when: not __firewall_is_ostree is defined
+  when: __firewall_is_ostree is not defined
   block:
     - name: Check if system is ostree
       stat:
@@ -29,6 +29,26 @@
       set_fact:
         __firewall_is_transactional: "{{ __transactional_update_stat.stat.exists }}"
 
+- name: Determine if system is booted with systemd
+  when: __firewall_is_booted is not defined
+  block:
+    - name: Run systemctl
+      # noqa command-instead-of-module
+      command: systemctl is-system-running
+      register: __is_system_running
+      changed_when: false
+      failed_when: false
+
+    - name: Require installed systemd
+      fail:
+        msg: "Error: This role requires systemd to be installed."
+      when: '"No such file or directory" in __is_system_running.msg | d("")'
+
+    - name: Set flag to indicate that systemd runtime operations are available
+      set_fact:
+        # see https://www.man7.org/linux/man-pages/man1/systemctl.1.html#:~:text=is-system-running%20output
+        __firewall_is_booted: "{{ __is_system_running.stdout != 'offline' }}"
+
 - name: Install firewalld
   package:
     name: "{{ __firewall_packages_base }}"

tasks/main.yml

@@ -14,7 +14,7 @@
 - name: Attempt to stop and disable conflicting services
   service:
     name: "{{ item.item }}"
-    state: stopped
+    state: "{{ 'stopped' if __firewall_is_booted else omit }}"
     enabled: false
   loop: "{{ __firewall_conflicting_services_status.results }}"
   when:
@@ -30,8 +30,8 @@
 - name: Enable and start firewalld service
   service:
     name: "{{ __firewall_service }}"
-    state: started
     enabled: true
+    state: "{{ 'started' if __firewall_is_booted else omit }}"
 
 - name: Check if previous replaced is defined
   set_fact:
@@ -54,6 +54,7 @@
           {{ ansible_check_mode | ternary('false', 'true') }}
           {{ __firewall_package_with_conf | quote }}
           {{ __firewall_usr_lib_dir | quote }}
+          {{ "booted" if __firewall_is_booted else "" }}
       register: __firewall_config_files_before
       changed_when: false
       check_mode: false
@@ -111,10 +112,11 @@
     protocol: "{{ item.protocol | default(omit) }}"
     helper_module: "{{ item.helper_module | default(omit) }}"
     permanent: "{{ item.permanent | default(True) }}"
-    runtime: "{{ item.runtime | default(True) }}"
+    runtime: "{{ item.runtime | default(__firewall_is_booted) }}"
     state: "{{ item.state | default(omit) }}"
     includes: "{{ item.includes | default(omit) }}"
     __report_changed: "{{ __firewall_report_changed }}"
+    online: "{{ __firewall_is_booted }}"
   loop: "{{ firewall is mapping | ternary([firewall], firewall) |
     map('dict2items') | map('difference', __previous) |
     map('difference', __detailed) | select |
@@ -136,6 +138,7 @@
             value: replaced
       firewall_lib_facts:
         detailed: "{{ item.detailed | default(False) }}"
+        online: "{{ __firewall_is_booted }}"
       loop: "{{ fw | map('dict2items') | map('difference', __previous) |
         select | map('items2dict') | list }}"
       register: __firewalld_facts
@@ -151,6 +154,7 @@
   block:
     - name: Gather firewall config if no arguments
       firewall_lib_facts:
+        online: "{{ __firewall_is_booted }}"
         detailed: false
       register: __firewalld_facts
 
@@ -170,6 +174,7 @@
           {{ __firewall_firewalld_dir | quote }} false
           {{ __firewall_package_with_conf | quote }}
           {{ __firewall_usr_lib_dir | quote }}
+          {{ __firewall_is_booted | quote }}
       register: __firewall_config_files_after
       changed_when: false