From 3ed9daed623936894cb4eecfcd35973fe4d247d3 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Fri, 25 Oct 2024 11:54:35 -0600 Subject: [PATCH] system roles 1.23.0-4 Resolves: RHEL-58460 : podman - redhat.rhel_system_roles.podman fails to configure and run containers with podman rootless using different username and groupname. fix issue with podman error removing kube specs on 8.8 and 9.2 managed nodes - covered by tests_basic.yml https://github.com/linux-system-roles/podman/pull/186 fix issue with missing grubby testing on el8 ostree https://github.com/linux-system-roles/podman/pull/187 fix issue with podman not working on 8.8/9.2 https://github.com/linux-system-roles/podman/pull/188 (cherry picked from commit 0a5df90210d55c6d10f2d8333997932cb5f1305f) --- ...ot-found-errors-when-removing-kube-s.patch | 68 ++++++++++++++ ...ed-grubby-for-el8-testing-for-ostree.patch | 33 +++++++ ...rk-on-el-8.8-and-el-9.2-and-podman-v.patch | 89 +++++++++++++++++++ rhel-system-roles.spec | 17 +++- 4 files changed, 206 insertions(+), 1 deletion(-) create mode 100644 0116-fix-ignore-pod-not-found-errors-when-removing-kube-s.patch create mode 100644 0117-test-need-grubby-for-el8-testing-for-ostree.patch create mode 100644 0118-fix-make-role-work-on-el-8.8-and-el-9.2-and-podman-v.patch diff --git a/0116-fix-ignore-pod-not-found-errors-when-removing-kube-s.patch b/0116-fix-ignore-pod-not-found-errors-when-removing-kube-s.patch new file mode 100644 index 0000000..b571616 --- /dev/null +++ b/0116-fix-ignore-pod-not-found-errors-when-removing-kube-s.patch 
@@ -0,0 +1,68 @@
+From e2040d110ac24ec044973674afc8269ab9ef7c11 Mon Sep 17 00:00:00 2001
+From: Rich Megginson
+Date: Fri, 25 Oct 2024 08:55:27 -0600
+Subject: [PATCH 116/117] fix: ignore pod not found errors when removing kube
+ specs
+
+Cause: The module uses the `podman kube play --done` command to remove
+the pod specified by the kube spec, but does not check if the pod has
+already been removed. That is, it is not idempotent. The command
+gives an error if the pod is not found. This only happens with
+podman 4.4.1 on EL8.8 and EL9.2.
+
+Consequence: The podman role gives an error that the pod specified
+by the kube spec cannot be found when removing.
+
+Fix: The role ignores the 'pod not found' error when removing
+a kube spec.
+
+Result: The role does not give an error when removing a kube
+spec.
+
+NOTE: This has been fixed in the containers.podman.podman_play
+module upstream but has not yet been released.
+https://github.com/containers/ansible-podman-collections/pull/863/files#diff-6672fb7f52e2bec3450c2dd7ed9a4385accd9bab8429ea6eecf4d56447f5a1b8R304
+
+Signed-off-by: Rich Megginson
+(cherry picked from commit 3edc125005c5912926add1539be96cf3b990bb96)
+---
+ tasks/cleanup_kube_spec.yml | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tasks/cleanup_kube_spec.yml b/tasks/cleanup_kube_spec.yml
+index b6b47bd..36610e6 100644
+--- a/tasks/cleanup_kube_spec.yml
++++ b/tasks/cleanup_kube_spec.yml
+@@ -30,6 +30,11 @@
+ path: "{{ __podman_kube_file }}"
+ register: __podman_kube_file_stat
+
++# NOTE: removing kube specs is not idempotent and will give an error on
++# RHEL 8.8 and 9.2 - seems ok on other platforms - this was fixed in the
++# module but is not released yet (as of 20241024)
++# https://github.com/containers/ansible-podman-collections/pull/863/files#diff-6672fb7f52e2bec3450c2dd7ed9a4385accd9bab8429ea6eecf4d56447f5a1b8R304
++# remove this hack when the fix is available
+ - name: Remove pod/containers
+ containers.podman.podman_play: "{{ __podman_kube_spec |
+ combine({'kube_file': __podman_kube_file}) }}"
+@@ -38,9 +43,17 @@
+ become: "{{ __podman_rootless | ternary(true, omit) }}"
+ become_user: "{{ __podman_rootless | ternary(__podman_user, omit) }}"
+ register: __podman_removed
++ failed_when:
++ - __podman_removed is failed
++ - not __podman_removed.msg is search(__err_msg)
++ - not __is_affected_platform
+ when:
+ - not __podman_rootless or __podman_xdg_stat.stat.exists
+ - __podman_kube_file_stat.stat.exists
++ vars:
++ __err_msg: Failed to delete .* with {{ __podman_kube_file }}
++ __is_affected_platform: "{{ ansible_facts['distribution'] == 'RedHat' and
++ ansible_facts['distribution_version'] in ['8.8', '9.2'] }}"
+
+ - name: Remove kubernetes yaml file
+ file:
+--
+2.47.0
+
diff --git a/0117-test-need-grubby-for-el8-testing-for-ostree.patch b/0117-test-need-grubby-for-el8-testing-for-ostree.patch
new file mode 100644
index 0000000..c594d5f
--- /dev/null
+++ b/0117-test-need-grubby-for-el8-testing-for-ostree.patch
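Review bot: The `failed_when` list added to the "Remove pod/containers" task in tasks/cleanup_kube_spec.yml suppresses more than the 'pod not found' error the commit message describes. Ansible ANDs the entries of a `failed_when` list, so the task only fails when the module failed, the message does not match `__err_msg`, and the host is not an affected platform; on RHEL 8.8/9.2 every removal failure is therefore ignored, which can leave a pod running while the play reports success, and on other platforms a matching message is ignored as well. If the intent is to ignore only that one error on the affected releases, a single condition says so: `failed_when: __podman_removed is failed and not (__is_affected_platform and __podman_removed.msg is search(__err_msg))`. `__err_msg` also puts `__podman_kube_file` into a regular expression unescaped; `{{ __podman_kube_file | regex_escape }}` would keep path characters such as `.` literal. The task begins in the previous inner hunk, so not all of its keys are visible in one place.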
@@ -0,0 +1,33 @@
+From f5d7e3088a8662798ced2294ca9059799b7e1c33 Mon Sep 17 00:00:00 2001
+From: Rich Megginson
+Date: Fri, 25 Oct 2024 11:12:08 -0600
+Subject: [PATCH 117/117] test: need grubby for el8 testing for ostree
+
+EL8 tests need grubby for ostree building
+
+Signed-off-by: Rich Megginson
+(cherry picked from commit 881a03569b6dbebaf9fc9720ffe85039d1d0b72d)
+---
+ .ostree/packages-testing-CentOS-8.txt | 1 +
+ .ostree/packages-testing-RedHat-8.txt | 1 +
+ 2 files changed, 2 insertions(+)
+ create mode 100644 .ostree/packages-testing-CentOS-8.txt
+ create mode 100644 .ostree/packages-testing-RedHat-8.txt
+
+diff --git a/.ostree/packages-testing-CentOS-8.txt b/.ostree/packages-testing-CentOS-8.txt
+new file mode 100644
+index 0000000..ae5e93e
+--- /dev/null
++++ b/.ostree/packages-testing-CentOS-8.txt
+@@ -0,0 +1 @@
++grubby
+diff --git a/.ostree/packages-testing-RedHat-8.txt b/.ostree/packages-testing-RedHat-8.txt
+new file mode 100644
+index 0000000..ae5e93e
+--- /dev/null
++++ b/.ostree/packages-testing-RedHat-8.txt
+@@ -0,0 +1 @@
++grubby
+--
+2.47.0
+
diff --git a/0118-fix-make-role-work-on-el-8.8-and-el-9.2-and-podman-v.patch b/0118-fix-make-role-work-on-el-8.8-and-el-9.2-and-podman-v.patch
new file mode 100644
index 0000000..81ee56a
--- /dev/null
+++ b/0118-fix-make-role-work-on-el-8.8-and-el-9.2-and-podman-v.patch
@@ -0,0 +1,89 @@
+From e8961d4e5ca7765e97d76a76e4741825e697aa8d Mon Sep 17 00:00:00 2001
+From: Rich Megginson
+Date: Mon, 28 Oct 2024 10:27:59 -0600
+Subject: [PATCH] fix: make role work on el 8.8 and el 9.2 and podman version
+ less than 4.7.0
+
+Cause: Role was using podman and loginctl features not supported on el 8.8/9.2
+and podman versions less than 4.7.0. NetworkName and VolumeName not supported
+until podman 4.7.0. loginctl -P not supported in el 8.8/9.2.
+
+Consequence: The role would give failures when managing el 8.8/9.2 machines.
+
+Fix: Do not test with NetworkName and VolumeName when podman version is less
+than 4.7.0. Use loginctl --value -p instead of -P which will work on all
+versions.
+
+Result: The role can manage el 8.8/9.2 machines.
+
+Signed-off-by: Rich Megginson
+(cherry picked from commit f16c3fb3c884cf3af446d19aeda86f27dafd1d1e)
+---
+ tasks/cancel_linger.yml | 4 ++--
+ .../quadlet-basic.network.j2} | 2 ++
+ tests/tests_quadlet_basic.yml | 6 +++---
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+ rename tests/{files/quadlet-basic.network => templates/quadlet-basic.network.j2} (62%)
+
+diff --git a/tasks/cancel_linger.yml b/tasks/cancel_linger.yml
+index 00d38c2..9eb67ff 100644
+--- a/tasks/cancel_linger.yml
++++ b/tasks/cancel_linger.yml
+@@ -63,7 +63,7 @@
+ removes: /var/lib/systemd/linger/{{ __podman_linger_user }}
+
+ - name: Wait for user session to exit closing state # noqa no-handler
+- command: loginctl show-user -P State {{ __podman_linger_user | quote }}
++ command: loginctl show-user --value -p State {{ __podman_linger_user | quote }}
+ register: __user_state
+ changed_when: false
+ until: __user_state.stdout != "closing"
+@@ -82,7 +82,7 @@
+ state: stopped
+
+ - name: Wait for user session to exit closing state
+- command: loginctl show-user -P State {{ __podman_linger_user | quote }}
++ command: loginctl show-user --value -p State {{ __podman_linger_user | quote }}
+ changed_when: false
+ register: __user_state
+ until: __user_state.stderr is match(__pat) or
+diff --git a/tests/files/quadlet-basic.network b/tests/templates/quadlet-basic.network.j2
+similarity index 62%
+rename from tests/files/quadlet-basic.network
+rename to tests/templates/quadlet-basic.network.j2
+index 5b002ba..3419e3d 100644
+--- a/tests/files/quadlet-basic.network
++++ b/tests/templates/quadlet-basic.network.j2
+@@ -2,4 +2,6 @@
+ Subnet=192.168.29.0/24
+ Gateway=192.168.29.1
+ Label=app=wordpress
++{% if podman_version is version("4.7.0", ">=") %}
+ NetworkName=quadlet-basic-name
++{% endif %}
+diff --git a/tests/tests_quadlet_basic.yml b/tests/tests_quadlet_basic.yml
+index 5a06864..9563a60 100644
+--- a/tests/tests_quadlet_basic.yml
++++ b/tests/tests_quadlet_basic.yml
+@@ -19,15 +19,15 @@
+ state: present
+ data: "{{ __json_secret_data | string }}"
+ __podman_quadlet_specs:
+- - file_src: files/quadlet-basic.network
++ - template_src: templates/quadlet-basic.network.j2
+ state: started
+ - name: quadlet-basic-unused-network
+ type: network
+ Network: {}
+ - name: quadlet-basic-mysql
+ type: volume
+- Volume:
+- VolumeName: quadlet-basic-mysql-name
++ Volume: "{{ {} if podman_version is version('4.7.0', '<')
++ else {'VolumeName': 'quadlet-basic-mysql-name'} }}"
+ - name: quadlet-basic-unused-volume
+ type: volume
+ Volume: {}
+--
+2.47.0
+
diff --git a/rhel-system-roles.spec b/rhel-system-roles.spec
index a59ddcb..005ba36 100644
--- a/rhel-system-roles.spec
+++ b/rhel-system-roles.spec
@@ -19,7 +19,7 @@ Name: linux-system-roles Url: https://github.com/linux-system-roles Summary: Set of interfaces for unified system management Version: 1.23.0 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3+ and MIT and BSD and Python %global _pkglicensedir %{_licensedir}/%{name}
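Review bot: The podman 4.7.0 floor in patch 0118 is now written in two places, as `version("4.7.0", ">=")` in tests/templates/quadlet-basic.network.j2 and as `version('4.7.0', '<')` in the `Volume:` expression of tests/tests_quadlet_basic.yml, and neither says why it is there. A short comment next to each, for example `{# NetworkName needs podman >= 4.7.0 #}` in the template and `# VolumeName needs podman >= 4.7.0` above `Volume:`, would keep the two conditions in step when the floor changes. Both expressions also assume `podman_version` is already set when they are rendered; the hunk does not show where it is defined, so that is worth confirming for the test play. Any later task in tests_quadlet_basic.yml that refers to `quadlet-basic-name` or `quadlet-basic-mysql-name` lies outside this hunk and would need the same gate.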
@@ -237,6 +237,9 @@ Patch112: 0112-fix-Ensure-user-linger-is-closed-on-EL10.patch Patch113: 0113-test-skip-quadlet-tests-on-non-x86_64.patch Patch114: 0114-fix-subgid-maps-user-to-gids-not-group-to-gids.patch Patch115: 0115-fix-Cannot-remove-volumes-from-kube-yaml-need-to-con.patch +Patch116: 0116-fix-ignore-pod-not-found-errors-when-removing-kube-s.patch +Patch117: 0117-test-need-grubby-for-el8-testing-for-ostree.patch +Patch118: 0118-fix-make-role-work-on-el-8.8-and-el-9.2-and-podman-v.patch # Includes with definitions/tags that differ between RHEL and Fedora Source1001: extrasources.inc @@ -396,6 +399,9 @@ cd %{rolename21} %patch113 -p1 %patch114 -p1 %patch115 -p1 +%patch116 -p1 +%patch117 -p1 +%patch118 -p1 cd .. # vendoring build steps, if any @@ -739,6 +745,15 @@ find %{buildroot}%{ansible_roles_dir} -mindepth 1 -maxdepth 1 | \ %endif %changelog +* Fri Oct 25 2024 Rich Megginson - 1.23.0-4 +- Resolves: RHEL-58460 : podman - redhat.rhel_system_roles.podman fails to configure and run containers with podman rootless using different username and groupname. [rhel-9.4.z] +- fix issue with podman error removing kube specs on 8.8 and 9.2 managed nodes - covered by tests_basic.yml +- https://github.com/linux-system-roles/podman/pull/186 +- fix issue with missing grubby testing on el8 ostree +- https://github.com/linux-system-roles/podman/pull/187 +- fix issue with podman not working on 8.8/9.2 +- https://github.com/linux-system-roles/podman/pull/188 + * Wed Sep 11 2024 Rich Megginson - 1.23.0-3 - Resolves: RHEL-58465 : - package rhel-system-roles.noarch does not provide docs for ansible-doc [rhel-8.10.z] - Resolves: RHEL-58494 : ad_integration - fix: Sets domain name lower case in realmd.conf section header [rhel-8.10.z]