Describe the Issue
Some tasks are checking ansible_connection and ansible_virtualization_type to be docker. This fails in Podman containers.
Expected Behavior
The tasks not meant to work in container environments should be skipped in both Docker and Podman containers.
Both Docker and Podman should behave the same way, no hardcoding for one or the other.
Actual Behavior
Tasks that are not expected to work in containerized environments are failing. Mostly those related to kernel, drivers, filesystems, etc.
Environment (please complete the following information):
Ansible Version: 5.6.0
Host Python Version: 3.9.x
Ansible Server Python Version: 3.9.x
Using branch: tested with main, but the same code is in develop as well
Additional Details: not related to any runtime versions, it is the code of this role itself.
$ molecule --version
molecule 3.6.1 using python 3.9
ansible:2.12.4
delegated:3.6.1 from molecule
podman:2.0.0 from molecule_podman requiring collections: containers.podman>=1.7.0 ansible.posix>=1.3.0
$ pip show ansible | grep Version
Version: 5.6.0
Additional Notes
The same problem applies to RHEL7-CIS role. Do you want me to create the same issue in there as well?
Possible Solution
Use rhel[7|8]cis_system_is_container variable only.
Consider auto-detecting a reasonable default value based on (some or all of) the following:
ansible_virtualization_tech_guest contains container (and docker or podman)
ansible_virtualization_type is docker or podman
lookup('env', 'container') is podman
/run/.containerenv or /.dockerenv exists, but probably already used to set ansible_virtualization_*
It should be OK to do this detection outside of this role just by passing the right value for *_is_container though.
We're doing the same with system_is_ec2 anyway...
thanks to @ztmr
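The detection proposed under "Possible Solution", done outside the role and passed in as the container switch. This is an added example, not code from the role or from the issue author. It assumes facts are gathered; `container_runtimes` and `container_marker_files` are hypothetical names, and `ansible_env` is used in place of `lookup('env', 'container')` because lookups read the controller's environment, not the target's.

```yaml
# Added example (not the role's own code): compute the container flag before the role runs.
- hosts: all
  gather_facts: true          # needed for ansible_virtualization_* and ansible_env
  vars:
    container_runtimes: [docker, podman]   # hypothetical helper variable
  pre_tasks:
    - name: Look for container marker files on the target
      ansible.builtin.stat:
        path: "{{ item }}"
      loop:
        - /run/.containerenv    # written by Podman
        - /.dockerenv           # written by Docker
      register: container_marker_files    # hypothetical variable name

    - name: Treat Docker and Podman the same way
      ansible.builtin.set_fact:
        # Use rhel7cis_system_is_container for the RHEL7 role.
        rhel8cis_system_is_container: >-
          {{
            (
              (ansible_virtualization_type | default('')) in container_runtimes
              or 'container' in (ansible_virtualization_tech_guest | default([]))
              or (ansible_env | default({})).get('container', '') in container_runtimes
              or (container_marker_files.results
                  | selectattr('stat.exists') | list | length > 0)
            ) | bool
          }}

    - name: Show the detected value
      ansible.builtin.debug:
        var: rhel8cis_system_is_container

  # roles:
  #   - <the CIS role>   # placeholder: apply the role after the fact is set
```

A fact set with `set_fact` takes precedence over the role's defaults, so the role sees the detected value without any change to its own tasks.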