Frzk / ansible-role-chrony

Ansible role to manage chrony.
Apache License 2.0

(Molecule) Find a way to run tests in an unprivileged Docker container #6

Open Frzk opened 3 years ago

Frzk commented 3 years ago

All my attempts to run tests in an unprivileged container were unsuccessful. I tried to run with:

capabilities:
  - SYS_ADMIN
  - SYS_TIME
privileged: false

which should be sufficient (?). But we get this result:

TASK [frzk.chrony : Set up timezone] *******************************************
[WARNING]: timedatectl command was found but not usable: Failed to query
server: Connection timed out . using other method.
fatal: [instance]: FAILED! => changed=false 
  msg: |-
    Error message:
    tried to configure name using a file "/etc/sysconfig/clock", but could not write to it

PLAY RECAP *********************************************************************
instance                   : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

CRITICAL Ansible return code was 2, command was: ansible-playbook --diff --inventory /home/runner/.cache/molecule/frzk.chrony/default/inventory --skip-tags molecule-notest,notest /home/runner/work/ansible-role-chrony/ansible-role-chrony/frzk.chrony/molecule/default/converge.yml
WARNING  An error occurred during the test sequence action: 'converge'. Cleaning up.

I sadly don't have time to dive into Docker internals and whatever. So we'll run in privileged mode for now. Any help appreciated :-)

Frzk commented 3 years ago

Considering https://github.com/Frzk/ansible-role-chrony/runs/2771707126?check_suite_focus=true, it seems like the given capabilities (SYS_ADMIN + SYS_TIME) are not enough.

That might be a good lead.
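
Added example, not part of the issue or of the role's code: before widening privileges, it helps to confirm from inside the container that the requested SYS_ADMIN and SYS_TIME capabilities actually reached the process, by decoding the CapEff and CapBnd masks from /proc/self/status. The sample status excerpts are constructed, and the function names are hypothetical; the bit numbers come from linux/capability.h.

```python
import os

# Bit numbers from include/uapi/linux/capability.h (only the two requested here).
CAP_BITS = {"SYS_ADMIN": 21, "SYS_TIME": 25}

# Constructed /proc/<pid>/status excerpts, not taken from the failing CI run.
# Root process, cap_add SYS_ADMIN + SYS_TIME on top of Docker's default set:
SAMPLE_GRANTED = (
    "Name:\tpython3\nCapInh:\t0000000000000000\nCapPrm:\t00000000aa2425fb\n"
    "CapEff:\t00000000aa2425fb\nCapBnd:\t00000000aa2425fb\nCapAmb:\t0000000000000000\n"
)
# Same container, but the process runs as a non-root user: the bounding set
# still allows the capabilities, yet none of them is effective.
SAMPLE_NONROOT = SAMPLE_GRANTED.replace(
    "CapPrm:\t00000000aa2425fb", "CapPrm:\t0000000000000000"
).replace("CapEff:\t00000000aa2425fb", "CapEff:\t0000000000000000")
# Container started without any cap_add (Docker's default set only):
SAMPLE_DEFAULT = SAMPLE_GRANTED.replace("aa2425fb", "a80425fb")


def parse_cap_masks(status_text):
    """Return the Cap* lines of a /proc/<pid>/status dump as integers."""
    masks = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks


def cap_report(status_text, wanted=("SYS_ADMIN", "SYS_TIME")):
    """For each wanted capability, say whether it is effective and in the bounding set."""
    masks = parse_cap_masks(status_text)
    report = {}
    for name in wanted:
        bit = 1 << CAP_BITS[name]
        report[name] = {
            "effective": bool(masks["CapEff"] & bit),
            "bounding": bool(masks["CapBnd"] & bit),
        }
    return report


if __name__ == "__main__":
    # Inside the container this reads the real masks; elsewhere it uses the sample.
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else SAMPLE_GRANTED
    for cap, state in cap_report(text).items():
        print(f"CAP_{cap}: {state}")
```

If both capabilities show as effective and the task still fails, the restriction lies outside the capability set, which narrows the search without resorting to privileged mode.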