ci: Add container integration test for rpm and bootc

[martinpitt]

Generalize qemu-kvm-integration-tests.yml to run some "container-*" environments as well. For "classic rpm" OSes that does not give us too much beyond making sure that the container tests actually work (developers might use them locally, after all). 90% of the logic (setup, compatibility check, status updates, etc.) is the same, so it's not economic to duplicate all of that into a new workflow.

Add Fedora/CentOS *-bootc scenarios: These check that our role works during a bootc container build, without any systemd, processes, or other runtime environment. tox-lsr added support for this in linux-system-roles/tox-lsr#188.

However, as most roles don't currently work in that environment, introduce and check a new containerbuild tag in meta/main.yml. We'll add this to roles as we adjust them.

Similarly, as not every role works in a running container (e.g. due to assuming SELinux), check a new container tag in their tests.

Issue Tracker Tickets (Jira or BZ if any): https://issues.redhat.com/browse/RHEL-85652

---

• Test this with failing tests, to check log parsing and artifact attachments: extra commit which breaks tests, failed test run
• Land ci: Update to tox-lsr 3.7.0 #53, then rebase
• Add CentOS 9/10 bootc container linux-system-roles.github.io#121
• Add Fedora bootc containers linux-system-roles.github.io#122
• Send fix for missing python3-libdnf5 in Fedora bootc base containers: https://gitlab.com/fedora/bootc/base-images/-/merge_requests/167
• Work around missing p-libdnf5 in tox-lsr, until the above MR lands: runcontainer: Add python3-libdnf5 workaround for Fedora bootc images, Skip containers.podman installation if it already exists tox-lsr#189
• Add mechanism to skip tests which cover scenarios which are unsupportable in a container build (done: tags::booted)
• Add fedora bootc test scenario
• Test this against role with a service: feat: Support this role in container builds cockpit#212 and feat: Support this role in container builds logging#444 and ci: Add container integration test for rpm and bootc firewall#264
• Add and check a containerbuild tag, so that we can start introducing these tests to all roles and allow us to fix them individually.
• Once everything is ready, file PR against .github.git: ci: Bump tox-lsr to 3.7.1, add container integration test for rpm and bootc .github#105

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (main@21d8d60). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #52   +/-   ##
=======================================
  Coverage        ?   52.31%           
=======================================
  Files           ?        1           
  Lines           ?      346           
  Branches        ?        0           
=======================================
  Hits            ?      181           
  Misses          ?      165           
  Partials        ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[richm]

nice! refactoring this will allow us to do per-role tags in the future

[martinpitt]

The current version (commit b9aa6ac) is all green, but with a tear in my eye I'll re-disable the "classic rpm" container scenarios. They work fine here, but already caused some (easily fixable) trouble in the firewall role, and some serious (SELinux) trouble in cockpit. It would be nice to cover/fix them and fix lsr for containers, but (1) let's wait for customers to actually ask for that, and (2) we have too much work ongoing already ("pick your battles").

[martinpitt]

Or actually, let's add a new tag for "certified to work in a container"! Then we can selectively enable it for rules where it works.

[martinpitt]

I am happy with this now. I also sent it to linux-system-roles/firewall#264 and linux-system-roles/cockpit#212 to test them against a more complex scenarios. In particular, firewall only supports the "container" tag, while cockpit only supports the "containerbuild" tag (not not quite yet, but working on it 🔨 )

So this is ready for a round of reviews. Once we are all happy with this, I'll sync the other two PRs and send it to .github.git - we can mass-deploy this now and then selectively work on enabling the container and containerbuild scenarios.