ansible-test - Add RHEL 10.0 remote (#85189) (#85195)

* ansible-test - Add RHEL 10.0 remote

* Update tests for RHEL 10
* Fix iptables test
* Rework rpm_key integration test

(cherry picked from commit 53b0f1645b)

.azure-pipelines/azure-pipelines.yml

@@ -90,6 +90,8 @@ stages:
               test: rhel/9.4@3.9
             - name: RHEL 9.4 py312
               test: rhel/9.4@3.12
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: FreeBSD 13.3
               test: freebsd/13.3
             - name: FreeBSD 14.1
@@ -104,6 +106,8 @@ stages:
               test: macos/14.3
             - name: RHEL 9.4
               test: rhel/9.4
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: FreeBSD 13.3
               test: freebsd/13.3
             - name: FreeBSD 14.1
@@ -121,6 +125,8 @@ stages:
               test: fedora/40
             - name: RHEL 9.4
               test: rhel/9.4
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: Ubuntu 24.04
               test: ubuntu/24.04
           groups:

changelogs/fragments/ansible-test-rhel-10.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Add RHEL 10.0 as a remote platform for testing.

test/integration/targets/copy/tasks/acls.yml

@@ -3,6 +3,13 @@
     apt:
       name: acl
     when: ansible_distribution in ('Ubuntu')
+    register: setup_acl
+
+  - name: Install the acl package on RedHat
+    dnf:
+      name: acl
+    when: ansible_distribution in ('RedHat')
+    register: setup_acl
 
   - block:
     - name: Testing ACLs
@@ -30,6 +37,18 @@
         - "'other::r--' in acls.stdout_lines"
 
   always:
+    - name: Remove the acl package on Ubuntu
+      apt:
+        name: acl
+        state: absent
+      when: setup_acl is changed and ansible_distribution in ('Ubuntu')
+
+    - name: Remove the acl package on RedHat
+      dnf:
+        name: acl
+        state: absent
+      when: setup_acl is changed and ansible_distribution in ('RedHat')
+
     - name: Clean up
       file:
         path: "~/test.txt"

test/integration/targets/iptables/tasks/main.yml

@@ -32,5 +32,7 @@
   package:
     name: iptables
     state: present
+    # prevent attempts to upgrade the kernel and install kernel modules for a non-running kernel version
+    exclude: "{{ 'kernel-core' if ansible_distribution == 'RedHat' else omit }}"
 
 - import_tasks: chain_management.yml

test/integration/targets/lineinfile/tasks/acls.yml

@@ -5,6 +5,12 @@
     when: ansible_distribution in ('Ubuntu')
     register: setup_acl
 
+  - name: Install the acl package on RedHat
+    dnf:
+      name: acl
+    when: ansible_distribution in ('RedHat')
+    register: setup_acl
+
   - name: Create file
     copy:
       content: "TEST"
@@ -46,7 +52,13 @@
       apt:
         name: acl
         state: absent
-      when: setup_acl is changed
+      when: setup_acl is changed and ansible_distribution in ('Ubuntu')
+
+    - name: Remove the acl package on RedHat
+      dnf:
+        name: acl
+        state: absent
+      when: setup_acl is changed and ansible_distribution in ('RedHat')
 
     - name: Clean up
       file:

test/integration/targets/prepare_http_tests/tasks/default.yml

@@ -1,5 +1,5 @@
 - name: RedHat - Enable the dynamic CA configuration feature
-  command: update-ca-trust force-enable
+  command: update-ca-trust
   when: ansible_os_family == 'RedHat' and ansible_distribution != "Fedora"
 
 - name: RedHat - Retrieve test cacert

test/integration/targets/rpm_key/aliases

@@ -1,2 +1,3 @@
 destructive
 shippable/posix/group1
+needs/root

test/integration/targets/rpm_key/tasks/main.yaml

@@ -1,2 +1,34 @@
- - include_tasks: 'rpm_key.yaml'
+ - when: ansible_os_family == "RedHat"
-   when: ansible_os_family == "RedHat"
+   block:
+
+   - name: List the installed GPG keys
+     shell: rpm -q gpg-pubkey | sort
+     register: list_of_pubkeys
+
+   - name: Retrieve the installed GPG keys
+     command: rpm -q --qf %{description} gpg-pubkey
+     register: pubkeys
+
+   - name: Save the retrieved GPG keys to a file
+     copy:
+       content: "{{ pubkeys['stdout'] }}"
+       dest: "{{ remote_tmp_dir + '/pubkeys' }}"
+       mode: 0600
+
+   - include_tasks: rpm_key.yaml
+
+   always:
+
+   - name: Remove all GPG keys from key ring
+     shell: rpm -q gpg-pubkey | xargs rpm -e
+
+   - name: Restore the previously installed GPG keys
+     command: rpm --import {{ (remote_tmp_dir + '/pubkeys') | quote }}
+
+   - name: List the installed GPG keys
+     shell: rpm -q gpg-pubkey | sort
+     register: new_list_of_pubkeys
+
+   - name: Verify the GPG keys have been restored
+     assert:
+       that: list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]

test/integration/targets/rpm_key/tasks/rpm_key.yaml

@@ -1,158 +1,137 @@
----
+- name: Download test key
-#
-# Save initial state
-#
-- name: Retrieve a list of gpg keys are installed for package checking
-  shell: 'rpm -q gpg-pubkey | sort'
-  register: list_of_pubkeys
-
-- name: Retrieve the gpg keys used to verify packages
-  command: 'rpm -q --qf %{description} gpg-pubkey'
-  register: pubkeys
-
-- name: Save gpg keys to a file
-  copy:
-    content: "{{ pubkeys['stdout'] }}\n"
-    dest: '{{ remote_tmp_dir }}/pubkeys'
-    mode: 0600
-
-#
-# Tests start
-#
-- name: download EPEL GPG key
   get_url:
-    url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    url: "{{ test_key_url }}"
-    dest: /tmp/RPM-GPG-KEY-EPEL-7
+    dest: "{{ test_key_path }}"
 
-- name: download sl rpm
+- name: Download test RPM
   get_url:
-    url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/sl-5.02-1.el7.x86_64.rpm
+    url: "{{ test_rpm_url }}"
-    dest: /tmp/sl.rpm
+    dest: "{{ test_rpm_path }}"
 
-- name: remove EPEL GPG key from keyring
+- name: Remove test key from keyring
   rpm_key:
     state: absent
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"
 
-- name: check GPG signature of sl. Should fail
+- name: Verify checking signature of RPM fails
-  shell: "rpm --checksig /tmp/sl.rpm"
+  shell: rpm --checksig {{ test_rpm_path | quote }}
-  register: sl_check
+  register: checksig
   ignore_errors: yes
 
-- name: confirm that signature check failed
+- name: Confirm that signature check failed
   assert:
     that:
-      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
+      - checksig.stdout is contains 'SIGNATURES NOT OK'
-      - "sl_check.failed"
+      - checksig.failed
 
-- name: remove EPEL GPG key from keyring (idempotent)
+- name: Remove test key from keyring (idempotent)
   rpm_key:
     state: absent
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"
   register: idempotent_test
 
-- name: check idempotence
+- name: Check idempotence
   assert:
-    that: "not idempotent_test.changed"
+    that: idempotent_test is not changed
 
-- name: add EPEL GPG key to key ring
+- name: Add test key to key ring
   rpm_key:
     state: present
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"
 
-- name: add EPEL GPG key to key ring (idempotent)
+- name: Add test key to key ring (idempotent)
   rpm_key:
     state: present
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"
   register: key_idempotence
 
-- name: verify idempotence
+- name: Verify idempotence
   assert:
-    that: "not key_idempotence.changed"
+    that: key_idempotence is not changed
 
-- name: check GPG signature of sl. Should return okay
+- name: Check signature of RPM
-  shell: "rpm --checksig /tmp/sl.rpm"
+  shell: rpm --checksig {{ test_rpm_path | quote }}
-  register: sl_check
+  register: checksig
 
-- name: confirm that signature check succeeded
+- name: Confirm that signature check succeeded
   assert:
-    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+    that: checksig.stdout is contains 'digests signatures OK'
 
-- name: remove GPG key from url
+- name: Remove test key via url
   rpm_key:
     state: absent
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"
 
 - name: Confirm key is missing
-  shell: "rpm --checksig /tmp/sl.rpm"
+  shell: rpm --checksig {{ test_rpm_path | quote }}
-  register: sl_check
+  register: checksig
   ignore_errors: yes
 
-- name: confirm that signature check failed
+- name: Confirm that signature check failed
   assert:
     that:
-      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
+      - checksig.stdout is contains 'SIGNATURES NOT OK'
-      - "sl_check.failed"
+      - checksig.failed
 
-- name: add GPG key from url
+- name: Add test key from url
   rpm_key:
     state: present
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"
 
-- name: check GPG signature of sl. Should return okay
+- name: Check signature of RPM
-  shell: "rpm --checksig /tmp/sl.rpm"
+  shell: rpm --checksig {{ test_rpm_path | quote }}
-  register: sl_check
+  register: checksig
 
-- name: confirm that signature check succeeded
+- name: Confirm that signature check succeeded
   assert:
-    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+    that: checksig.stdout is contains 'digests signatures OK'
 
-- name: remove all keys from key ring
+- name: Remove all keys from key ring
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
+  shell: rpm -q gpg-pubkey | xargs rpm -e
 
-- name: add very first key on system
+- name: Add very first key on system
   rpm_key:
     state: present
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"
 
-- name: check GPG signature of sl. Should return okay
+- name: Check GPG signature of RPM
-  shell: "rpm --checksig /tmp/sl.rpm"
+  shell: rpm --checksig {{ test_rpm_path | quote }}
-  register: sl_check
+  register: checksig
 
-- name: confirm that signature check succeeded
+- name: Confirm that signature check succeeded
   assert:
-    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+    that: checksig.stdout is contains 'digests signatures OK'
 
-- name: get keyid
+- name: Get keyid
-  shell: "rpm -q gpg-pubkey | head -n 1 | xargs rpm -q --qf %{version}"
+  shell: rpm -q gpg-pubkey | head -n 1 | xargs rpm -q --qf %{version}
   register: key_id
 
-- name: remove GPG key using keyid
+- name: Remove test key using keyid
   rpm_key:
     state: absent
     key: "{{ key_id.stdout }}"
   register: remove_keyid
-  failed_when: remove_keyid.changed == false
+  failed_when: not remove_keyid.changed
 
-- name: remove GPG key using keyid (idempotent)
+- name: Remove test key using keyid (idempotent)
   rpm_key:
     state: absent
     key: "{{ key_id.stdout }}"
   register: key_id_idempotence
 
-- name: verify idempotent (key_id)
+- name: Verify idempotent (key_id)
   assert:
-    that: "not key_id_idempotence.changed"
+    that: key_id_idempotence is not changed
 
-- name: add very first key on system again
+- name: Add very first key on system again
   rpm_key:
     state: present
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"
 
 - name: Issue 20325 - Verify fingerprint of key, invalid fingerprint - EXPECTED FAILURE
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
-    fingerprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
+    fingerprint: "{{ invalid_fingerprint }}"
   register: result
   failed_when: result is success
 
@@ -161,12 +140,12 @@
     that:
        - result is success
        - result is not changed
-       - "'does not match any key fingerprints' in result.msg"
+       - result.msg is contains 'does not match any key fingerprints'
 
 - name: Issue 20325 - Verify fingerprint of key, valid fingerprint
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
-    fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+    fingerprint: "{{ primary_fingerprint }}"
   register: result
 
 - name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint
@@ -177,8 +156,8 @@
 
 - name: Issue 20325 - Verify fingerprint of key, valid fingerprint - Idempotent check
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
-    fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+    fingerprint: "{{ primary_fingerprint }}"
   register: result
 
 - name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint - Idempotent check
@@ -188,13 +167,14 @@
       - result is not changed
 
 # Reset to test subkey validation
-- name: remove all keys from key ring
+
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
+- name: Remove all keys from key ring
+  shell: rpm -q gpg-pubkey | xargs rpm -e
 
 - name: Verify fingerprint of subkey, valid fingerprint
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
-    fingerprint: 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
+    fingerprint: "{{ sub_key_fingerprint }}"
   register: result
 
 - name: Assert Verify fingerprint of key, valid fingerprint
@@ -205,8 +185,8 @@
 
 - name: Verify fingerprint of subkey, valid fingerprint - Idempotent check
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
-    fingerprint: 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
+    fingerprint: "{{ sub_key_fingerprint }}"
   register: result
 
 - name: Assert Verify fingerprint of subkey, valid fingerprint - Idempotent check
@@ -216,15 +196,16 @@
       - result is not changed
 
 # Reset to test multi-key validation
-- name: remove all keys from key ring
+
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
+- name: Remove all keys from key ring
+  shell: rpm -q gpg-pubkey | xargs rpm -e
 
 - name: Verify fingerprint of primary and subkey, valid fingerprint
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
     fingerprint:
-      - 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
+      - "{{ primary_fingerprint }}"
-      - EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+      - "{{ sub_key_fingerprint }}"
   register: result
 
 - name: Assert Verify fingerprint of primary and subkey, valid fingerprint
@@ -235,10 +216,10 @@
 
 - name: Verify fingerprint of primary and subkey, valid fingerprint - Idempotent check
   rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
     fingerprint:
-      - 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
+      - "{{ primary_fingerprint }}"
-      - EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+      - "{{ sub_key_fingerprint }}"
   register: result
 
 - name: Assert Verify fingerprint of primary and subkey, valid fingerprint - Idempotent check
@@ -246,22 +227,3 @@
     that:
       - result is success
       - result is not changed
-
-
-#
-# Cleanup
-#
-- name: remove all keys from key ring
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
-
-- name: Restore the gpg keys normally installed on the system
-  command: 'rpm --import {{ remote_tmp_dir }}/pubkeys'
-
-- name: Retrieve a list of gpg keys are installed for package checking
-  shell: 'rpm -q gpg-pubkey | sort'
-  register: new_list_of_pubkeys
-
-- name: Confirm that we've restored all the pubkeys
-  assert:
-    that:
-      - 'list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]'

test/integration/targets/rpm_key/vars/main.yml

@@ -0,0 +1,8 @@
+test_key_url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-10
+test_key_path: "{{ remote_tmp_dir + '/RPM-GPG-KEY-EPEL-10' }}"
+test_rpm_url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/scitokens-cpp-devel-1.1.3-2.el10_1.x86_64.rpm
+test_rpm_path: "{{ remote_tmp_dir + '/test.rpm' }}"
+sub_key_url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/openbao-gpg-pub-20240618.asc
+invalid_fingerprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
+primary_fingerprint: 66D1 5FDD 8728 7219 C8E1 5478 D200 CD70 2853 E6D0
+sub_key_fingerprint: E617 DCD4 065C 2AFC 0B2C F7A7 BA8B C08C 0F69 1F94

test/integration/targets/setup_paramiko/install-RedHat-10-python-3.yml

@@ -0,0 +1,9 @@
+- name: Setup remote constraints
+  include_tasks: setup-remote-constraints.yml
+- name: Install Paramiko for Python 3 on RHEL 10
+  pip: # no python3-paramiko package exists for RHEL 10
+    name: paramiko
+    extra_args: "-c {{ remote_constraints }}"
+
+- name: Drop the crypto-policy to LEGACY for these tests
+  command: update-crypto-policies --set LEGACY

test/integration/targets/setup_paramiko/uninstall-RedHat-10-python-3.yml

@@ -0,0 +1,7 @@
+- name: Uninstall Paramiko for Python 3 on RHEL 10
+  pip: # no python3-paramiko package exists for RHEL 10
+    name: paramiko
+    state: absent
+
+- name: Revert the crypto-policy back to DEFAULT
+  command: update-crypto-policies --set DEFAULT

test/lib/ansible_test/_data/completion/remote.txt

@@ -8,6 +8,7 @@ freebsd python_dir=/usr/local/bin become=su_sudo provider=aws arch=x86_64
 macos/14.3 python=3.11 python_dir=/usr/local/bin become=sudo provider=parallels arch=x86_64
 macos python_dir=/usr/local/bin become=sudo provider=parallels arch=x86_64
 rhel/9.4 python=3.9,3.12 become=sudo provider=aws arch=x86_64
+rhel/10.0 python=3.12 become=sudo provider=aws arch=x86_64
 rhel become=sudo provider=aws arch=x86_64
 ubuntu/22.04 python=3.10 become=sudo provider=aws arch=x86_64
 ubuntu/24.04 python=3.12 become=sudo provider=aws arch=x86_64

test/lib/ansible_test/_util/target/setup/bootstrap.sh

@@ -292,10 +292,41 @@ bootstrap_remote_rhel_9()
     done
 }
 
+bootstrap_remote_rhel_10()
+{
+    py_pkg_prefix="python3"
+
+    packages="
+        gcc
+        ${py_pkg_prefix}-devel
+        ${py_pkg_prefix}-pip
+        "
+
+    if [ "${controller}" ]; then
+        packages="
+            ${packages}
+            ${py_pkg_prefix}-cryptography
+            ${py_pkg_prefix}-jinja2
+            ${py_pkg_prefix}-packaging
+            ${py_pkg_prefix}-pyyaml
+            ${py_pkg_prefix}-resolvelib
+            "
+    fi
+
+    while true; do
+        # shellcheck disable=SC2086
+        dnf install -q -y ${packages} \
+        && break
+        echo "Failed to install packages. Sleeping before trying again..."
+        sleep 10
+    done
+}
+
 bootstrap_remote_rhel()
 {
     case "${platform_version}" in
         9.*) bootstrap_remote_rhel_9 ;;
+        10.*) bootstrap_remote_rhel_10 ;;
     esac
 }