boma/docs/testing/gotchas.md

37 lines
2.1 KiB
Markdown
Raw Normal View History

# Testing & Molecule gotchas
Durable, point-of-use knowledge for writing and running role tests (ADR-008).
Migrated from `docs/FRICTION.md` by the 2026-06-10 kaizen review. Append here when a
testing surprise is worth remembering past the session that hit it.
## nftables / `nft -c` render checks
- **`nft -c` rejects `iif "<name>"` when the interface is absent** — `iif` resolves to
an interface *index* at load time, so it fails in the Molecule container and would
fail identically on any real host before the interface exists (e.g. `wt0` before
NetBird is up). Use **`iifname "<name>"`** (string match, no existence requirement,
survives the interface coming and going) for any interface that may be absent.
- **The render-and-`nft -c` (no-apply) Molecule approach earns its keep** — it caught
the `iif`/`iifname` bug deterministically without touching the host kernel. Reuse
this pattern (render template → static-check, never apply) for other config-rendering
roles.
## Molecule (`community.docker`)
- **Molecule's `community.docker` connection uses `ansible_host` as the container name**
(`remote_addr`). Setting `ansible_host` as *data* in a scenario's `host_vars` (e.g. to
give a resolver a fake IP) breaks the connection → `UNREACHABLE` / "Failed to create
temporary directory". Don't override `ansible_host` in Molecule; feed fixture IPs
another way (keep fixtures to zone sources and unit-test IP resolution).
## Coverage blind spot: apply-only task paths
- **Apply-only task paths have no Level-1 coverage**, so safety bugs hide there. Example:
an `nft` auto-rollback snapshot used a bare `nft list ruleset` (no leading
`flush ruleset`), so the revert was a silent no-op on first apply and errored on later
ones — the whole safety net was dead. Molecule never runs the apply (gated off), so
only adversarial review + an isolated-netns round-trip test caught it. → For
apply/safety paths Molecule can't exercise, validate out-of-band (a throwaway
`--privileged` container with its own netns) and treat a final adversarial review as
**mandatory, not optional**.