rpmbuild.yml: don't run mock as root

ondrejbudai · croissanne · commit f1e84492fc23 · 2025-10-22T13:49:28.000+02:00
osbuild/osbuild@a52e256 introduced running osbuild's test in the %check phase of an rpm build. A lot of osbuild's tests are gated on $UID == 0 (i.e. running as root). Thus, if $UID != 0, then a lot of tests are intentionally skipped. RPM building setups (koji, mockbuild.sh in this repository) usually run mock as a non-root user, thus the tests get skipped. However, this script actually runs mock as root, and thus these tests don't get skipped, causing a lot of failures because there are missing tools in the buildroot, some rootful tests require networking, or they cannot run in an environment missing certain privileges. This commit changes the playbook to run tasks as root only when they require it (subscription-manager, dnf). Mock is no longer run as root, aligning the rpm building process to what's common in other setups.
diff --git a/tools/appsre-ansible/rpmbuild.yml b/tools/appsre-ansible/rpmbuild.yml
@@ -1,6 +1,5 @@
 ---
 - name: Build osbuild rpms
-  become: yes
   remote_user: ec2-user
   hosts: rpmbuilder
   gather_facts: no
@@ -15,6 +14,7 @@
     ansible.builtin.setup:
 
   - name: Add EPEL
+    become: yes
     dnf:
       state: present
       name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
@@ -35,6 +35,7 @@
 
   # RHEL mock templates don't work on RHUI, they use the CDN repos
   - name: Subscribe
+    become: yes
     register: result
     retries: 5
     until: result is success
@@ -43,6 +44,7 @@
       org_id: "{{ RH_ORG_ID }}"
 
   - name: Upgrade all packages
+    become: yes
     package:
       name: "*"
       state: latest
@@ -96,6 +98,7 @@
       dest: /home/ec2-user/osbuild.spec
 
   - name: Install build tools
+    become: yes
     retries: 5
     delay: 20
     register: result
@@ -107,6 +110,17 @@
         - createrepo_c
       state: present
 
+  - name: Add ec2-user to mock group
+    become: yes
+    ansible.builtin.user:
+      name: "{{ ansible_user }}"
+      groups:
+        - mock
+      append: yes
+
+  - name: Reset connection to ensure the user is in the mock group
+    ansible.builtin.meta: reset_connection
+
   - name: Make osbuild srpm
     retries: 5
     delay: 20
@@ -178,6 +192,7 @@
       dest: /osbuild-composer/templates/packer/ansible/roles/common/files/rpmbuild/{{ ansible_architecture }}
 
   - name: Unregister
+    become: yes
     retries: 5
     delay: 20
     register: result
