Adds a nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
14 lines
545 B
YAML
---
# KVM/libvirt APT packages cannot be installed in the Docker Molecule container
# (no internet; KVM unusable in a container). This converge exercises only the
# nftables drop-in rendering via tasks_from, which IS meaningful in a container.
# The full role (packages/libvirt) is exercised by make test-integration.
- name: Converge
  hosts: all
  become: true
  gather_facts: true
  tasks:
    - name: Include integration_test firewall tasks
      ansible.builtin.include_role:
        name: integration_test
        tasks_from: firewall.yml
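The commit message describes the rule the drop-in must produce (accept on iifname "virbr-boma" in the inet filter input chain) and a verify step that asserts the rendered drop-in contains it. The following is an added example, not the role's own code or template: it renders such a drop-in and implements a verify-style check that parses the nft text, so that a drop-in which puts the accept in the wrong chain (for example forward) is caught rather than silently leaving DHCP/DNS dropped by the default-deny INPUT policy. The exact drop-in layout, the comment strings, and the function names are assumptions; only the rule itself comes from the commit message.

```python
"""Render and verify an nftables drop-in that accepts traffic from a libvirt
bridge in the inet filter input chain (example code, not the role's own).

Assumptions (not from the page): the drop-in is a `table inet filter {
chain input { ... } }` fragment that nft merges into the base table, and the
verify step checks the rendered text rather than a live ruleset.
"""
import re


def render_dropin(bridge: str) -> str:
    """Render the drop-in that accepts all input arriving on `bridge`.

    Constructed content: carries the rule named in the commit message,
    `iifname "virbr-boma" accept`, inside inet filter input.
    """
    # Reject names that would break out of the quoted string or exceed
    # the kernel's 15-character interface-name limit (IFNAMSIZ - 1).
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", bridge):
        raise ValueError(f"invalid interface name: {bridge!r}")
    return (
        "# Managed by Ansible: allow libvirt integration bridge traffic\n"
        "table inet filter {\n"
        "    chain input {\n"
        f'        iifname "{bridge}" accept comment "libvirt VMs: DHCP/DNS"\n'
        "    }\n"
        "}\n"
    )


def chain_rules(text: str, family: str, table: str, chain: str) -> list:
    """Return the statements inside `table <family> <table> { chain <chain> { ... } }`.

    A minimal brace-tracking parser for the nft text format, sufficient for
    generated drop-ins; it is not a full nft grammar.
    """
    rules, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            # e.g. ['table', 'inet', 'filter'] or ['chain', 'input']
            stack.append(line[:-1].split())
            continue
        if line == "}":
            stack.pop()
            continue
        if (len(stack) == 2
                and stack[0] == ["table", family, table]
                and stack[1] == ["chain", chain]):
            rules.append(line)
    return rules


def bridge_accepted(text: str, bridge: str) -> bool:
    """True if inet filter input holds an unconditional accept for `bridge`."""
    pattern = re.compile(rf'^iifname "{re.escape(bridge)}" accept\b')
    return any(pattern.match(r) for r in chain_rules(text, "inet", "filter", "input"))


# Constructed negative case: the rule is present but in the forward chain,
# so INPUT traffic (DHCP/DNS to the host) would still hit the deny policy.
WRONG_CHAIN_DROPIN = """table inet filter {
    chain forward {
        iifname "virbr-boma" accept
    }
}
"""

if __name__ == "__main__":
    rendered = render_dropin("virbr-boma")
    print(rendered)
    print("rendered drop-in accepted:", bridge_accepted(rendered, "virbr-boma"))
    print("wrong-chain drop-in accepted:", bridge_accepted(WRONG_CHAIN_DROPIN, "virbr-boma"))
```

The check looks only at the input chain because nftables applies a chain's policy after its rules, so an accept anywhere in input suffices to override the default deny for that interface; the same accept in forward has no effect on host-bound DHCP/DNS.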