Open iptables ports in registry test job

Open the iptables ports in the same way there are opened in the
production opendev configuration.  Do that in a pre-playbook and
move some tasks into it for retryability.

Change-Id: I992174aa3c7e47f9d2f70605172cd8b9460c53eb

test-playbooks/registry/test-registry-pre.yaml

@@ -0,0 +1,47 @@
+# This happens in the pre-playbook of the opendev-buildset-registry
+# job.  Since we're testing these roles in opendev, we need to do the
+# same here for the builder (and also the intermediate registry,
+# though that obviously happens in configuration management rather
+# than a job).
+- hosts: builder:intermediate-registry
+  name: Set up docker and iptables configuration for registry hosts
+  roles:
+    - install-docker
+  tasks:
+    - name: Open the IPv4 port for the buildset registry
+      become: true
+      iptables:
+        action: insert
+        chain: openstack-INPUT
+        destination_port: '5000:5001'
+        jump: ACCEPT
+        match: tcp
+        ctstate: NEW
+        protocol: tcp
+        ip_version: ipv4
+    - name: Open the IPv6 port for the buildset registry
+      become: true
+      iptables:
+        action: insert
+        chain: openstack-INPUT
+        destination_port: '5000:5001'
+        jump: ACCEPT
+        match: tcp
+        ctstate: NEW
+        protocol: tcp
+        ip_version: ipv6
+
+- hosts: executor
+  name: Set up a simulated executor
+  tasks:
+    - name: Add project atomic PPA
+      become: true
+      apt_repository:
+        repo: ppa:projectatomic/ppa
+    - name: Install packages
+      become: true
+      package:
+        name:
+          - socat
+          - skopeo
+        state: present

test-playbooks/registry/test-registry.yaml

@@ -1,8 +1,3 @@
-- hosts: intermediate-registry:builder
-  name: Install docker on registry and builder hosts
-  roles:
-    - install-docker
-
 # Run the intermediate registry on this host, and also build an image
 # and place it in the registry to simulate an artifact from a previous
 # build which has been passed to this one (so that we can test pulling
@@ -58,17 +53,6 @@
         path: "{{ zuul.executor.work_root }}"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
-    - name: Add project atomic PPA
-      become: true
-      apt_repository:
-        repo: ppa:projectatomic/ppa
-    - name: Install packages
-      become: true
-      package:
-        name:
-          - socat
-          - skopeo
-        state: present
     - name: Install the intermediate registry cert
       include_role:
         name: install-registry-cert

zuul-tests.d/container-roles-jobs.yaml

@@ -14,6 +14,7 @@
       - roles/run-buildset-registry/.*
       - roles/use-buildset-registry/.*
       - test-playbooks/registry/.*
+    pre-run: test-playbooks/registry/test-registry-pre.yaml
     run: test-playbooks/registry/test-registry.yaml
     post-run: test-playbooks/registry/test-registry-post.yaml
     nodeset: