diff --git a/ci/vmcheck-provision.sh b/ci/vmcheck-provision.sh
index 66fc3523..2e69c6e5 100755
--- a/ci/vmcheck-provision.sh
+++ b/ci/vmcheck-provision.sh
@@ -5,4 +5,4 @@ set -xeuo pipefail
 
 dn=$(dirname $0)
 . ${dn}/libbuild.sh
-pkg_install openssh-clients ansible
+pkg_install openssh-clients
diff --git a/tests/common/libvm.sh b/tests/common/libvm.sh
index 829830d0..6566348e 100644
--- a/tests/common/libvm.sh
+++ b/tests/common/libvm.sh
@@ -37,25 +37,27 @@ vm_setup() {
   export SCP="scp ${SSHOPTS}"
 }
 
-vm_ansible_inline() {
-    playbook=$(mktemp -p /tmp 'libvm-ansible.XXXXXX')
-    cat > ${playbook} <<EOF
----
-- hosts: ${VM}
-  gather_facts: no
-  tasks:
-EOF
-    sed -e 's,^,  ,' >> ${playbook}
-    ansible-playbook -vi ${VM}, --ssh-common-args "${SSHOPTS}" ${playbook}
-    rm -f ${playbook}
+# $1 - file to send
+# $2 - destination path
+vm_send() {
+  $SCP ${1} ${VM}:${2}
+}
+
+# $1 - destination path
+vm_send_inline() {
+  f=$(mktemp -p $PWD)
+  cat > ${f}
+  vm_send ${f} ${1}
+  rm -f ${f}
 }
 
 vm_shell_inline() {
-  vm_ansible_inline <<EOF
-- shell: |
-    set -xeuo pipefail
-$(sed -e 's,^,    ,')
-EOF
+  script=$(mktemp -p $PWD)
+  echo "set -xeuo pipefail" > ${script}
+  cat >> ${script}
+  vm_send ${script} /tmp/$(basename ${script})
+  rm -f ${script}
+  vm_cmd bash /tmp/$(basename ${script})
 }
 
 # rsync wrapper that sets up authentication
@@ -133,10 +135,7 @@ EOF
       echo 'gpgcheck=0' >> vmcheck.repo
   fi
 
-  vm_ansible_inline <<EOF
-- file: path=/etc/yum.repos.d state=directory
-- copy: src=$(pwd)/vmcheck.repo dest=/etc/yum.repos.d
-EOF
+  vm_send vmcheck.repo /etc/yum.repos.d
 }
 
 # wait until ssh is available on the vm
@@ -401,9 +400,7 @@ vm_get_journal_cursor() {
 vm_wait_content_after_cursor() {
     from_cursor=$1; shift
     regex=$1; shift
-    vm_ansible_inline <<EOF
-- shell: |
-    set -xeuo pipefail
+    vm_shell_inline <<EOF
     tmpf=\$(mktemp /var/tmp/journal.XXXXXX)
     for x in \$(seq 60); do
       journalctl -u rpm-ostreed --after-cursor "${from_cursor}" > \${tmpf}
@@ -435,6 +432,24 @@ vm_assert_journal_has_content() {
   rm -f tmp-journal.txt
 }
 
+# usage: <podman args> -- <container args>
+vm_run_container() {
+  local podman_args=
+  while [ $# -ne 0 ]; do
+    local arg=$1; shift
+    if [[ $arg == -- ]]; then
+      break
+    fi
+    podman_args="$podman_args $arg"
+  done
+  [ $# -ne 0 ] || fatal "No container args provided"
+  # just automatically always share dnf cache so we don't redownload each time
+  # (use -n so this ssh invocation doesn't consume stdin)
+  vm_cmd -n mkdir -p /var/cache/dnf
+  vm_cmd podman run --rm -v /var/cache/dnf:/var/cache/dnf:z $podman_args \
+    registry.fedoraproject.org/fedora:30 "$@"
+}
+
 # $1 - service name
 # $2 - dir to serve
 # $3 - port to serve on
@@ -443,14 +458,10 @@ vm_start_httpd() {
   local dir=$1; shift
   local port=$1; shift
 
-  # just nuke the service of the same name if it exists and is also transient
-  if vm_cmd systemctl show $name | grep -q UnitFileState=transient; then
-    vm_cmd systemctl stop $name
-  fi
-
-  # CentOS systemd is too old for -p WorkingDirectory
-  vm_cmd systemd-run --unit $name sh -c \
-    "'cd $dir && python3 -m http.server $port'"
+  vm_cmd podman rm -f $name || true
+  vm_run_container --net=host -d --name $name --privileged \
+    -v $dir:/srv --workdir /srv -- \
+    python3 -m http.server $port
 
   # NB: the EXIT trap is used by libtest, but not the ERR trap
   trap "vm_stop_httpd $name" ERR
@@ -463,7 +474,7 @@ vm_start_httpd() {
 # $1 - service name
 vm_stop_httpd() {
   local name=$1; shift
-  vm_cmd systemctl stop $name
+  vm_cmd podman rm -f $name
   set +E
   trap - ERR
 }
@@ -556,8 +567,7 @@ vm_ostreeupdate_prepare_reboot() {
 
 vm_change_update_policy() {
     policy=$1; shift
-    vm_ansible_inline <<EOF
-- shell: |
+    vm_shell_inline <<EOF
     cp /usr/etc/rpm-ostreed.conf /etc
     echo -e "[Daemon]\nAutomaticUpdatePolicy=$policy" > /etc/rpm-ostreed.conf
     rpm-ostree reload
diff --git a/tests/vmcheck/test-cached-rpm-diffs.sh b/tests/vmcheck/test-cached-rpm-diffs.sh
index 298bf3ef..3089792a 100755
--- a/tests/vmcheck/test-cached-rpm-diffs.sh
+++ b/tests/vmcheck/test-cached-rpm-diffs.sh
@@ -68,8 +68,10 @@ run_transaction() {
   sig=$1; shift
   args=$1; shift
   cur=$(vm_get_journal_cursor)
-  # use ansible for this so we don't have to think about hungry quote-eating ssh
-  vm_shell_inline <<EOF
+  vm_run_container --privileged -i -v /var/run/dbus:/var/run/dbus --net=host -- \
+    /bin/bash << EOF
+set -xeuo pipefail
+dnf install -y python3-dbus
 python3 -c '
 import dbus
 addr = dbus.SystemBus().call_blocking(
diff --git a/tests/vmcheck/test-download-only.sh b/tests/vmcheck/test-download-only.sh
index 03d03657..954a92eb 100755
--- a/tests/vmcheck/test-download-only.sh
+++ b/tests/vmcheck/test-download-only.sh
@@ -35,14 +35,11 @@ set -x
 vm_build_rpm_repo_mode skip foobar
 vm_start_httpd vmcheck /var/tmp 8888
 vm_rpmostree cleanup -m
-vm_ansible_inline <<EOF
-- copy:
-    content: |
-      [vmcheck-http]
-      name=vmcheck-http
-      baseurl=http://localhost:8888/vmcheck/yumrepo
-      gpgcheck=0
-    dest: /etc/yum.repos.d/vmcheck-http.repo
+vm_send_inline /etc/yum.repos.d/vmcheck-http.repo <<EOF
+[vmcheck-http]
+name=vmcheck-http
+baseurl=http://localhost:8888/vmcheck/yumrepo
+gpgcheck=0
 EOF
 
 osname=$(vm_get_booted_deployment_info osname)
diff --git a/tests/vmcheck/test-layering-scripts.sh b/tests/vmcheck/test-layering-scripts.sh
index e2b405dd..1ec7fc57 100755
--- a/tests/vmcheck/test-layering-scripts.sh
+++ b/tests/vmcheck/test-layering-scripts.sh
@@ -35,9 +35,16 @@ vm_build_rpm scriptpkg1 \
   pretrans "# http://lists.rpm.org/pipermail/rpm-ecosystem/2016-August/000391.html
             echo pretrans should've been ignored && exit 1" \
   verifyscript "echo verifyscript should've been ignored && exit 1" \
-  post_args "-p /usr/bin/python3" \
-  post 'open("/usr/lib/rpmostreetestinterp", "w").close();
-open("/var/lib/rpm-state/scriptpkg1-stamp", "w").close()' \
+  post_args "-p /usr/bin/bash" \
+  post '
+# default shell is sh, but we requested bash; check that rpm-ostree picks it up
+interp=$(cat /proc/$$/comm)
+if [ "$interp" != "bash" ]; then
+  echo "Expected bash interpreter, got $interp"
+  exit 1
+fi
+touch /usr/lib/rpmostreetestinterp
+touch /var/lib/rpm-state/scriptpkg1-stamp' \
   posttrans "# Firewalld; https://github.com/projectatomic/rpm-ostree/issues/638
              . /etc/os-release || :
              # See https://github.com/projectatomic/rpm-ostree/pull/647
@@ -209,9 +216,8 @@ vm_cmd systemctl restart rpm-ostreed
 echo "ok cancel infinite post via `rpm-ostree cancel`"
 
 # Test rm -rf /!
-vm_ansible_inline <<EOF
-- user:
-    name: testuser
+vm_shell_inline <<EOF
+getent passwd testuser >/dev/null || useradd testuser
 EOF
 vm_cmd touch /home/testuser/somedata /tmp/sometmpfile /var/tmp/sometmpfile
 vm_build_rpm rmrf post "rm --no-preserve-root -rf / &>/dev/null || true"
diff --git a/tests/vmcheck/test-livefs.sh b/tests/vmcheck/test-livefs.sh
index 79704046..8e7085bb 100755
--- a/tests/vmcheck/test-livefs.sh
+++ b/tests/vmcheck/test-livefs.sh
@@ -150,9 +150,7 @@ fi
 vm_cmd test -f /${dummy_file_to_modify}
 generate_upgrade() {
     # Create a modified vmcheck commit
-    vm_ansible_inline <<EOF
-- shell: |
-    set -xeuo pipefail
+    vm_shell_inline <<EOF
       cd /ostree/repo/tmp
       rm vmcheck -rf
       ostree checkout vmcheck vmcheck --fsync=0
diff --git a/tests/vmcheck/test-misc-1.sh b/tests/vmcheck/test-misc-1.sh
index 0f75469c..8a0a58fd 100755
--- a/tests/vmcheck/test-misc-1.sh
+++ b/tests/vmcheck/test-misc-1.sh
@@ -83,11 +83,8 @@ echo "ok error on unknown command"
 # Be sure an unprivileged user exists and that we can SSH into it. This is a bit
 # underhanded, but we need a bona fide user session to verify non-priv status,
 # and logging in through SSH is an easy way to achieve that.
-vm_ansible_inline <<EOF
-- user:
-    name: testuser
-- shell: |
-    set -euo pipefail
+vm_shell_inline <<EOF
+    getent passwd testuser >/dev/null || useradd testuser
     mkdir -pm 0700 /home/testuser/.ssh
     cp -a /root/.ssh/authorized_keys /home/testuser/.ssh
     chown -R testuser:testuser /home/testuser/.ssh
@@ -139,9 +136,7 @@ vm_rpmostree usroverlay
 vm_cmd test -w /usr/bin
 echo "ok usroverlay"
 
-vm_ansible_inline <<EOF
-- shell: |
-    set -xeuo pipefail
+vm_shell_inline <<EOF
     rpm-ostree cleanup -p
     originpath=\$(ostree admin --print-current-dir).origin
     cp -a \${originpath}{,.orig}
diff --git a/tests/vmcheck/test-misc-2.sh b/tests/vmcheck/test-misc-2.sh
index 4345f59e..97824c93 100755
--- a/tests/vmcheck/test-misc-2.sh
+++ b/tests/vmcheck/test-misc-2.sh
@@ -229,14 +229,11 @@ echo "ok /run/ostree-booted in scriptlet container"
 # local repos are always cached, so let's start up an http server for the same
 # vmcheck repo
 vm_start_httpd vmcheck /var/tmp 8888
-vm_ansible_inline <<EOF
-- copy:
-    content: |
-      [vmcheck-http]
-      name=vmcheck-http
-      baseurl=http://localhost:8888/vmcheck/yumrepo
-      gpgcheck=0
-    dest: /etc/yum.repos.d/vmcheck-http.repo
+vm_send_inline /etc/yum.repos.d/vmcheck-http.repo <<EOF
+[vmcheck-http]
+name=vmcheck-http
+baseurl=http://localhost:8888/vmcheck/yumrepo
+gpgcheck=0
 EOF
 
 vm_rpmostree cleanup -rpmb