run.sh: run playbooks in the seed container #596
Open
ideaship wants to merge 4 commits into
Add a seed-container execution path to run.sh, selected by a SEED_CONTAINER tri-state flag. By default (auto) the playbook runs inside the osism/seed container whenever a container engine is up, falling back to the existing local venv path otherwise; true forces the container (failing fast if the engine command is missing) and false forces the local path. An invalid value fails fast.
The container branch assembles the engine command from SEED_CONTAINER_REGISTRY/IMAGE:TAG (an empty registry drops the leading segment), honours SEED_CONTAINER_PULL and SEED_CONTAINER_MOUNT_OPTS, forwards the selected ANSIBLE_* and MANAGER_VERSION variables only when set, and defaults ANSIBLE_VAULT_PASSWORD_FILE to the repo's .vault_pass when the caller did not set it. It then execs the engine, never reaching the local preamble.
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
Add src/test-seed.sh, a command-assembly test harness for the
seed-container path of run.sh. No container engine or image is needed:
CONTAINER_ENGINE is pointed at a recording stub that prints its run argv
so each test can assert exactly what run.sh would have executed. The stub
answers an info subcommand with ${STUB_INFO_RC:-0} so the auto-mode
engine probe is testable, and stdin is redirected from /dev/null so the
interactive-TTY check is reliably false in CI.
Cases cover the mode decision (auto/true/false and invalid values),
image-reference assembly, environment forwarding, vault defaulting, and
the pull and mount-option knobs.
Wire the harness into tox as a new seed environment that runs
bash src/test-seed.sh.
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
Add a cfg-generics-tox-seed job that runs the tox seed environment, and add it to the check and periodic-daily pipelines so the seed-container command-assembly tests gate every change alongside the existing tox jobs.
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
The check-shell-syntax Zuul job failed on src/test-seed.sh: shellcheck
flagged twelve SC2015 findings ("Note that A && B || C is not
if-then-else. C may run when A is true.") and exits non-zero on any
finding, failing the job.
Every flagged line uses the `cond && ok || ko "..."` assertion idiom.
This is safe here: `ok` is a plain arithmetic assignment that always
returns 0, so the `ko` branch runs only when `cond` is false. The
failure mode SC2015 warns about -- C running because B failed while A
was true -- cannot occur, making the findings false positives.
Add a file-level `# shellcheck disable=SC2015` directive, preceded by a
comment explaining why the idiom is correct, rather than rewriting the
concise one-line assertions as if/then/else blocks. shellcheck now exits
0 and the suite still reports PASS=45 FAIL=0.
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
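
The SC2015 argument above holds only while `ok` keeps returning 0. The following is an added example, not code from `src/test-seed.sh`: the `ok`/`ko` bodies and the `ok_verbose` variant are assumptions, showing the same assertion line with a helper that always returns 0 and with one whose last command can fail.

```sh
#!/bin/sh
# Added illustration of the SC2015 reasoning; helper bodies are assumptions,
# not copied from src/test-seed.sh.
PASS=0 FAIL=0

# Assignment only: the exit status is always 0, so "|| ko" cannot fire after it.
ok() { PASS=$((PASS + 1)); }
ko() { echo "FAIL: $1" >&2; FAIL=$((FAIL + 1)); }

# Same counter, but the last command is a test that is false when VERBOSE is
# empty, so the helper returns 1 even though the assertion itself passed.
ok_verbose() { PASS=$((PASS + 1)); [ -n "${VERBOSE-}" ] && echo "ok" >&2; }

# run_idiom OK_FUNC A B: evaluate one "A equals B" assertion with the given
# ok helper and print the resulting "PASS FAIL" counters.
run_idiom() {
    PASS=0 FAIL=0
    [ "$2" -eq "$3" ] && "$1" || ko "$2 should equal $3"
    echo "$PASS $FAIL"
}

run_idiom ok 1 1            # true assertion, helper returns 0
run_idiom ok_verbose 1 1    # true assertion, but ko runs as well
```

With `ok_verbose`, a passing assertion is counted as both a pass and a failure, which is the case the file-level disable would hide if the helper ever changed.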
This was referenced Jun 22, 2026
What

Add an optional seed-container execution path to the manager `environments/manager/run.sh`, so playbooks can run inside the `osism/seed` container instead of the local venv. Behaviour is selected by a `SEED_CONTAINER` tri-state flag:

- `auto` (default) — run in the container when a container engine is up, otherwise fall back to the existing local venv path
- `true` — force the container (fail fast if the engine is missing)
- `false` — force the local venv path

The container branch assembles the engine command from `SEED_CONTAINER_REGISTRY/IMAGE:TAG` (an empty registry drops the leading segment), honours `SEED_CONTAINER_PULL` and `SEED_CONTAINER_MOUNT_OPTS`, forwards selected `ANSIBLE_*`/`MANAGER_VERSION` variables only when set, and defaults `ANSIBLE_VAULT_PASSWORD_FILE` to the repo's `.vault_pass` when the caller did not set it.

Tests & CI

- `src/test-seed.sh` — a command-assembly test harness that points `CONTAINER_ENGINE` at a recording stub and asserts the exact argv `run.sh` would have executed. No container engine or image required. Covers mode decision, image-reference assembly, env forwarding, vault defaulting, and the pull/mount knobs (45 cases).
- `tox -e seed` environment runs the harness.
- `cfg-generics-tox-seed` Zuul job runs it in the `check` and `periodic-daily` pipelines.

Related

- `run.sh` path: Add multi-release seed container (runtime collection-set selection) container-images#935
- `SEED_CONTAINER` path: deploy-guide: document the seed container osism.github.io#1003

🤖 Generated with Claude Code
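
The behaviour described above can be sketched as a tri-state decision, image-reference assembly, set-only variable forwarding, and a recording stub. This is an added example, not the project's `run.sh` or `src/test-seed.sh`: the function names, the `run --rm`, `--pull=missing` and `-e VAR` arguments, and the use of a shell function as the stub are all assumptions.

```sh
#!/bin/sh
# Added illustration with hypothetical function names; not run.sh or test-seed.sh.

# Tri-state decision. Prints "container" or "local"; returns 2 on an invalid
# flag or, in "true" mode, when the engine command is missing.
decide_mode() {   # usage: decide_mode FLAG ENGINE
    case ${1:-auto} in
        false) echo local ;;
        true)
            command -v "$2" >/dev/null 2>&1 ||
                { echo "engine not found: $2" >&2; return 2; }
            echo container ;;
        auto)
            # Probe: the engine counts as "up" only if its info call succeeds.
            if "$2" info >/dev/null 2>&1; then echo container; else echo local; fi ;;
        *) echo "invalid SEED_CONTAINER value: $1" >&2; return 2 ;;
    esac
}

# REGISTRY/IMAGE:TAG, where an empty registry drops the leading segment.
image_ref() {     # usage: image_ref REGISTRY IMAGE TAG
    if [ -n "$1" ]; then echo "$1/$2:$3"; else echo "$2:$3"; fi
}

# Assemble and invoke the engine command. Variables are passed by name
# (-e VAR) and only when set; the names are a fixed list, so eval is safe.
seed_run() {      # usage: seed_run ENGINE IMAGE_REF
    engine=$1 ref=$2
    set -- run --rm "--pull=${SEED_CONTAINER_PULL:-missing}"
    for v in ANSIBLE_VAULT_PASSWORD_FILE MANAGER_VERSION; do
        if eval "[ -n \"\${$v+x}\" ]"; then set -- "$@" -e "$v"; fi
    done
    "$engine" "$@" "$ref"
}

# Recording stub (a function here, so no files are needed): "info" returns
# STUB_INFO_RC, any other call prints its argv one argument per line.
engine_stub() {
    if [ "$1" = info ]; then return "${STUB_INFO_RC:-0}"; fi
    printf '%s\n' "$@"
}

# Constructed demo: the stub reports "up", so auto selects the container.
if [ "$(decide_mode auto engine_stub)" = container ]; then
    seed_run engine_stub "$(image_ref "" osism/seed latest)"
fi
```

Passing variables by name keeps their values out of the recorded argv, so a test can assert on the exact command line without embedding any value.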