unattended_upgrades: Update molecule tests to catch missing become directives

Normo · Normo · commit 3231e2670ea5 · 2025-11-07T14:35:12.000+01:00
Update the molecule test scenario to verify that the unattended_upgrades role works correctly without playbook-level privilege escalation. This ensures all tasks that require root privileges have explicit `become: true` directives. Related to #510 Signed-off-by: Norman Ziegner <n.ziegner@hzdr.de>
diff --git a/molecule/unattended_upgrades/Dockerfile.j2 b/molecule/unattended_upgrades/Dockerfile.j2
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Dockerfile for testing privilege escalation with non-root user
+# This ensures the role properly uses 'become: true' directives
+
+FROM {{ item.image }}
+
+# Create ansible user with sudo permissions
+ENV ANSIBLE_USER=ansible \
+    SUDO_GROUP=sudo \
+    DEBIAN_FRONTEND=noninteractive
+
+# Create non-root user with sudo access
+RUN set -xe \
+    && groupadd -r ${ANSIBLE_USER} \
+    && useradd -m -g ${ANSIBLE_USER} ${ANSIBLE_USER} \
+    && usermod -aG ${SUDO_GROUP} ${ANSIBLE_USER} \
+    && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
+
+# NOTE: Do not switch to non-root user here - systemd must run as root
+# Ansible will connect as the ansible user via ansible_user inventory variable
diff --git a/molecule/unattended_upgrades/converge.yml b/molecule/unattended_upgrades/converge.yml
@@ -7,6 +7,7 @@
 # Play to create and provision instance.
 - name: "Converge"
   hosts: "all"
+  become: false
   tasks:
     - name: "Include unattended_upgrades role"
       ansible.builtin.include_role:
diff --git a/molecule/unattended_upgrades/molecule.yml b/molecule/unattended_upgrades/molecule.yml
@@ -11,14 +11,16 @@ driver:
 platforms:
   - name: "instance1"
     image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
-    pre_build_image: true
+    pre_build_image: false
+    dockerfile: "Dockerfile.j2"
     privileged: true
     override_command: false
     systemd: true
     tty: true
   - name: "instance2"
     image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
-    pre_build_image: true
+    pre_build_image: false
+    dockerfile: "Dockerfile.j2"
     privileged: true
     override_command: false
     systemd: true
@@ -31,6 +33,7 @@ provisioner:
     hosts:
       all:
         vars:
+          ansible_user: "ansible"
           ubuntu_defaults:
             - 'Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}";'
             - 'Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";'
diff --git a/molecule/unattended_upgrades/prepare.yml b/molecule/unattended_upgrades/prepare.yml
@@ -7,6 +7,7 @@
 # Play to install dependencies.
 - name: "Prepare"
   hosts: "all"
+  become: true
   tasks:
     - name: "Install dependencies"
       ansible.builtin.apt:
diff --git a/molecule/unattended_upgrades/verify.yml b/molecule/unattended_upgrades/verify.yml
@@ -60,12 +60,14 @@
           with_items: "{{ debian_defaults }}"
 
     - name: "Dry run unattended-upgrades"
+      become: true
       ansible.builtin.command: "/usr/bin/unattended-upgrades --dry-run"
       register: "dry_run"
       failed_when: "dry_run.rc != 0"
       changed_when: false
 
     - name: "Verify custom apt-daily timers"  # noqa command-instead-of-shell
+      become: true
       when: "unattended_systemd_timer_override"
       ansible.builtin.shell:
         cmd: "{{ item }}"
