# Testing & Molecule gotchas

Durable, point-of-use knowledge for writing and running role tests (ADR-008). Migrated from `docs/FRICTION.md` by the 2026-06-10 kaizen review. Append here when a testing surprise is worth remembering past the session that hit it.

## nftables / `nft -c` render checks

- **`nft -c` rejects `iif ""` when the interface is absent** — `iif` resolves to an interface *index* at load time, so it fails in the Molecule container and would fail identically on any real host before the interface exists (e.g. `wt0` before NetBird is up). Use **`iifname ""`** (string match, no existence requirement, survives the interface coming and going) for any interface that may be absent.
- **The render-and-`nft -c` (no-apply) Molecule approach earns its keep** — it caught the `iif`/`iifname` bug deterministically without touching the host kernel. Reuse this pattern (render template → static-check, never apply) for other config-rendering roles.

## Molecule (`community.docker`)

- **Molecule's `community.docker` connection uses `ansible_host` as the container name** (`remote_addr`). Setting `ansible_host` as *data* in a scenario's `host_vars` (e.g. to give a resolver a fake IP) breaks the connection → `UNREACHABLE` / "Failed to create temporary directory". Don't override `ansible_host` in Molecule; feed fixture IPs another way (keep fixtures to zone sources and unit-test IP resolution).

## Coverage blind spot: apply-only task paths

- **Apply-only task paths have no Level-1 coverage**, so safety bugs hide there. Example: an `nft` auto-rollback snapshot used a bare `nft list ruleset` (no leading `flush ruleset`), so the revert was a silent no-op on first apply and errored on later ones — the whole safety net was dead. Molecule never runs the apply (gated off), so only adversarial review + an isolated-netns round-trip test caught it.
  → For apply/safety paths Molecule can't exercise, validate out-of-band (a throwaway `--privileged` container with its own netns) and treat a final adversarial review as **mandatory, not optional**.
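
The snapshot fix described above, with a static guard that can run without applying anything, as an added example (not the role's own code). The function names, the `NFT_LIST` override and the sample ruleset are assumptions made for illustration; the guard complements the netns round-trip and does not replace it.

```shell
#!/bin/sh
# Added example. Function names and the NFT_LIST override are assumptions.

# Constructed sample standing in for `nft list ruleset` output.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "wt0" accept
    }
}
EOF
}

# Write a rollback snapshot that REPLACES the live ruleset when loaded with
# `nft -f`. Without the leading flush, loading the dump removes nothing live.
# $1 = output path. NFT_LIST overrides the dump command (used to feed fixtures).
write_snapshot() {
    out=$1
    tmp="$out.tmp.$$"
    {
        printf 'flush ruleset\n'
        ${NFT_LIST:-nft list ruleset}
    } > "$tmp" || { rm -f "$tmp"; return 1; }   # failed dump: leave no snapshot
    mv "$tmp" "$out"
}

# Static guard, no apply needed: succeed only if the first effective line
# (blank lines and # comments skipped) is exactly `flush ruleset`.
snapshot_is_restorable() {
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        { ok = (NF == 2 && $1 == "flush" && $2 == "ruleset"); exit }
        END { exit !ok }
    ' "$1"
}

# Demo on the constructed input: the fixed snapshot passes, the bare dump fails.
demo_dir=$(mktemp -d)
NFT_LIST=sample_ruleset write_snapshot "$demo_dir/fixed.nft"
sample_ruleset > "$demo_dir/bare.nft"
snapshot_is_restorable "$demo_dir/fixed.nft" && echo "fixed.nft: ok"
snapshot_is_restorable "$demo_dir/bare.nft" || echo "bare.nft: no leading flush ruleset"
rm -rf "$demo_dir"
```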