ansible-test - Add RHEL 10.0 remote (#85189)

* ansible-test - Add RHEL 10.0 remote * Update tests for RHEL 10 * Fix iptables test * Rework rpm_key integration test (cherry picked from commit 53b0f1645b)
7 months ago · 424327c293
parent cc0ef95ce8
commit 424327c293
15 changed files with 218 additions and 126 deletions
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -94,6 +94,8 @@ stages:
              test: rhel/9.5@3.9
            - name: RHEL 9.5 py312
              test: rhel/9.5@3.12
+            - name: RHEL 10.0
+              test: rhel/10.0
            - name: FreeBSD 13.5
              test: freebsd/13.5
            - name: FreeBSD 14.2
@ -108,6 +110,8 @@ stages:
              test: macos/15.3
            - name: RHEL 9.5
              test: rhel/9.5
+            - name: RHEL 10.0
+              test: rhel/10.0
            - name: FreeBSD 13.5
              test: freebsd/13.5
            - name: FreeBSD 14.2
@ -125,6 +129,8 @@ stages:
              test: fedora/41
            - name: RHEL 9.5
              test: rhel/9.5
+            - name: RHEL 10.0
+              test: rhel/10.0
            - name: Ubuntu 24.04
              test: ubuntu/24.04
          groups:
--- a/changelogs/fragments/ansible-test-rhel-10.yml
+++ b/changelogs/fragments/ansible-test-rhel-10.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Add RHEL 10.0 as a remote platform for testing.
--- a/test/integration/targets/copy/tasks/acls.yml
+++ b/test/integration/targets/copy/tasks/acls.yml
@ -3,6 +3,13 @@
    apt:
      name: acl
    when: ansible_distribution in ('Ubuntu')
+    register: setup_acl
+
+  - name: Install the acl package on RedHat
+    dnf:
+      name: acl
+    when: ansible_distribution in ('RedHat')
+    register: setup_acl

  - block:
    - name: Testing ACLs
@ -30,6 +37,18 @@
        - "'other::r--' in acls.stdout_lines"

  always:
+    - name: Remove the acl package on Ubuntu
+      apt:
+        name: acl
+        state: absent
+      when: setup_acl is changed and ansible_distribution in ('Ubuntu')
+
+    - name: Remove the acl package on RedHat
+      dnf:
+        name: acl
+        state: absent
+      when: setup_acl is changed and ansible_distribution in ('RedHat')
+
    - name: Clean up
      file:
        path: "~/test.txt"
--- a/test/integration/targets/iptables/tasks/main.yml
+++ b/test/integration/targets/iptables/tasks/main.yml
@ -32,5 +32,7 @@
  package:
    name: iptables
    state: present
+    # prevent attempts to upgrade the kernel and install kernel modules for a non-running kernel version
+    exclude: "{{ 'kernel-core' if ansible_distribution == 'RedHat' else omit }}"

 - import_tasks: chain_management.yml
--- a/test/integration/targets/lineinfile/tasks/acls.yml
+++ b/test/integration/targets/lineinfile/tasks/acls.yml
@ -5,6 +5,12 @@
    when: ansible_distribution in ('Ubuntu')
    register: setup_acl

+  - name: Install the acl package on RedHat
+    dnf:
+      name: acl
+    when: ansible_distribution in ('RedHat')
+    register: setup_acl
+
  - name: Create file
    copy:
      content: "TEST"
@ -46,7 +52,13 @@
      apt:
        name: acl
        state: absent
-      when: setup_acl is changed
+      when: setup_acl is changed and ansible_distribution in ('Ubuntu')
+
+    - name: Remove the acl package on RedHat
+      dnf:
+        name: acl
+        state: absent
+      when: setup_acl is changed and ansible_distribution in ('RedHat')

    - name: Clean up
      file:
--- a/test/integration/targets/prepare_http_tests/tasks/default.yml
+++ b/test/integration/targets/prepare_http_tests/tasks/default.yml
@ -1,5 +1,5 @@
 - name: RedHat - Enable the dynamic CA configuration feature
-  command: update-ca-trust force-enable
+  command: update-ca-trust
  when: ansible_os_family == 'RedHat' and ansible_distribution != "Fedora"

 - name: RedHat - Retrieve test cacert
--- a/test/integration/targets/rpm_key/aliases
+++ b/test/integration/targets/rpm_key/aliases
@ -1,2 +1,3 @@
 destructive
 shippable/posix/group1
+needs/root
--- a/test/integration/targets/rpm_key/defaults/main.yaml
+++ b/test/integration/targets/rpm_key/defaults/main.yaml
--- a/test/integration/targets/rpm_key/tasks/main.yaml
+++ b/test/integration/targets/rpm_key/tasks/main.yaml
@ -1,2 +1,34 @@
- - include_tasks: 'rpm_key.yaml'
-   when: ansible_os_family == "RedHat"
+ - when: ansible_os_family == "RedHat"
+   block:
+
+   - name: List the installed GPG keys
+     shell: rpm -q gpg-pubkey | sort
+     register: list_of_pubkeys
+
+   - name: Retrieve the installed GPG keys
+     command: rpm -q --qf %{description} gpg-pubkey
+     register: pubkeys
+
+   - name: Save the retrieved GPG keys to a file
+     copy:
+       content: "{{ pubkeys['stdout'] }}"
+       dest: "{{ remote_tmp_dir + '/pubkeys' }}"
+       mode: 0600
+
+   - include_tasks: rpm_key.yaml
+
+   always:
+
+   - name: Remove all GPG keys from key ring
+     shell: rpm -q gpg-pubkey | xargs rpm -e
+
+   - name: Restore the previously installed GPG keys
+     command: rpm --import {{ (remote_tmp_dir + '/pubkeys') | quote }}
+
+   - name: List the installed GPG keys
+     shell: rpm -q gpg-pubkey | sort
+     register: new_list_of_pubkeys
+
+   - name: Verify the GPG keys have been restored
+     assert:
+       that: list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]
--- a/test/integration/targets/rpm_key/tasks/rpm_key.yaml
+++ b/test/integration/targets/rpm_key/tasks/rpm_key.yaml
@ -1,158 +1,137 @@
---
-#
-# Save initial state
-#
- name: Retrieve a list of gpg keys are installed for package checking
-  shell: 'rpm -q gpg-pubkey | sort'
-  register: list_of_pubkeys
-
- name: Retrieve the gpg keys used to verify packages
-  command: 'rpm -q --qf %{description} gpg-pubkey'
-  register: pubkeys
-
- name: Save gpg keys to a file
-  copy:
-    content: "{{ pubkeys['stdout'] }}\n"
-    dest: '{{ remote_tmp_dir }}/pubkeys'
-    mode: 0600
-
-#
-# Tests start
-#
- name: download EPEL GPG key
+- name: Download test key
  get_url:
-    url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
-    dest: /tmp/RPM-GPG-KEY-EPEL-7
+    url: "{{ test_key_url }}"
+    dest: "{{ test_key_path }}"

- name: download sl rpm
+- name: Download test RPM
  get_url:
-    url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/sl-5.02-1.el7.x86_64.rpm
-    dest: /tmp/sl.rpm
+    url: "{{ test_rpm_url }}"
+    dest: "{{ test_rpm_path }}"

- name: remove EPEL GPG key from keyring
+- name: Remove test key from keyring
  rpm_key:
    state: absent
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"

- name: check GPG signature of sl. Should fail
-  shell: "rpm --checksig /tmp/sl.rpm"
-  register: sl_check
+- name: Verify checking signature of RPM fails
+  shell: rpm --checksig {{ test_rpm_path | quote }}
+  register: checksig
  ignore_errors: yes

- name: confirm that signature check failed
+- name: Confirm that signature check failed
  assert:
    that:
-      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
-      - "sl_check.failed"
+      - checksig.stdout is contains 'SIGNATURES NOT OK'
+      - checksig.failed

- name: remove EPEL GPG key from keyring (idempotent)
+- name: Remove test key from keyring (idempotent)
  rpm_key:
    state: absent
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"
  register: idempotent_test

- name: check idempotence
+- name: Check idempotence
  assert:
-    that: "not idempotent_test.changed"
+    that: idempotent_test is not changed

- name: add EPEL GPG key to key ring
+- name: Add test key to key ring
  rpm_key:
    state: present
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"

- name: add EPEL GPG key to key ring (idempotent)
+- name: Add test key to key ring (idempotent)
  rpm_key:
    state: present
-    key: /tmp/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_path }}"
  register: key_idempotence

- name: verify idempotence
+- name: Verify idempotence
  assert:
-    that: "not key_idempotence.changed"
+    that: key_idempotence is not changed

- name: check GPG signature of sl. Should return okay
-  shell: "rpm --checksig /tmp/sl.rpm"
-  register: sl_check
+- name: Check signature of RPM
+  shell: rpm --checksig {{ test_rpm_path | quote }}
+  register: checksig

- name: confirm that signature check succeeded
+- name: Confirm that signature check succeeded
  assert:
-    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+    that: checksig.stdout is contains 'digests signatures OK'

- name: remove GPG key from url
+- name: Remove test key via url
  rpm_key:
    state: absent
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"

 - name: Confirm key is missing
-  shell: "rpm --checksig /tmp/sl.rpm"
-  register: sl_check
+  shell: rpm --checksig {{ test_rpm_path | quote }}
+  register: checksig
  ignore_errors: yes

- name: confirm that signature check failed
+- name: Confirm that signature check failed
  assert:
    that:
-      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
-      - "sl_check.failed"
+      - checksig.stdout is contains 'SIGNATURES NOT OK'
+      - checksig.failed

- name: add GPG key from url
+- name: Add test key from url
  rpm_key:
    state: present
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"

- name: check GPG signature of sl. Should return okay
-  shell: "rpm --checksig /tmp/sl.rpm"
-  register: sl_check
+- name: Check signature of RPM
+  shell: rpm --checksig {{ test_rpm_path | quote }}
+  register: checksig

- name: confirm that signature check succeeded
+- name: Confirm that signature check succeeded
  assert:
-    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+    that: checksig.stdout is contains 'digests signatures OK'

- name: remove all keys from key ring
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
+- name: Remove all keys from key ring
+  shell: rpm -q gpg-pubkey | xargs rpm -e

- name: add very first key on system
+- name: Add very first key on system
  rpm_key:
    state: present
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"

- name: check GPG signature of sl. Should return okay
-  shell: "rpm --checksig /tmp/sl.rpm"
-  register: sl_check
+- name: Check GPG signature of RPM
+  shell: rpm --checksig {{ test_rpm_path | quote }}
+  register: checksig

- name: confirm that signature check succeeded
+- name: Confirm that signature check succeeded
  assert:
-    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+    that: checksig.stdout is contains 'digests signatures OK'

- name: get keyid
-  shell: "rpm -q gpg-pubkey | head -n 1 | xargs rpm -q --qf %{version}"
+- name: Get keyid
+  shell: rpm -q gpg-pubkey | head -n 1 | xargs rpm -q --qf %{version}
  register: key_id

- name: remove GPG key using keyid
+- name: Remove test key using keyid
  rpm_key:
    state: absent
    key: "{{ key_id.stdout }}"
  register: remove_keyid
-  failed_when: remove_keyid.changed == false
+  failed_when: not remove_keyid.changed

- name: remove GPG key using keyid (idempotent)
+- name: Remove test key using keyid (idempotent)
  rpm_key:
    state: absent
    key: "{{ key_id.stdout }}"
  register: key_id_idempotence

- name: verify idempotent (key_id)
+- name: Verify idempotent (key_id)
  assert:
-    that: "not key_id_idempotence.changed"
+    that: key_id_idempotence is not changed

- name: add very first key on system again
+- name: Add very first key on system again
  rpm_key:
    state: present
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+    key: "{{ test_key_url }}"

 - name: Issue 20325 - Verify fingerprint of key, invalid fingerprint - EXPECTED FAILURE
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
-    fingerprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
+    key: "{{ sub_key_url }}"
+    fingerprint: "{{ invalid_fingerprint }}"
  register: result
  failed_when: result is success

@ -161,12 +140,12 @@
    that:
       - result is success
       - result is not changed
-       - "'does not match any key fingerprints' in result.msg"
+       - result.msg is contains 'does not match any key fingerprints'

 - name: Issue 20325 - Verify fingerprint of key, valid fingerprint
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
-    fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+    key: "{{ sub_key_url }}"
+    fingerprint: "{{ primary_fingerprint }}"
  register: result

 - name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint
@ -177,8 +156,8 @@

 - name: Issue 20325 - Verify fingerprint of key, valid fingerprint - Idempotent check
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
-    fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+    key: "{{ sub_key_url }}"
+    fingerprint: "{{ primary_fingerprint }}"
  register: result

 - name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint - Idempotent check
@ -188,13 +167,14 @@
      - result is not changed

 # Reset to test subkey validation
- name: remove all keys from key ring
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
+
+- name: Remove all keys from key ring
+  shell: rpm -q gpg-pubkey | xargs rpm -e

 - name: Verify fingerprint of subkey, valid fingerprint
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
-    fingerprint: 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
+    key: "{{ sub_key_url }}"
+    fingerprint: "{{ sub_key_fingerprint }}"
  register: result

 - name: Assert Verify fingerprint of key, valid fingerprint
@ -205,8 +185,8 @@

 - name: Verify fingerprint of subkey, valid fingerprint - Idempotent check
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
-    fingerprint: 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
+    key: "{{ sub_key_url }}"
+    fingerprint: "{{ sub_key_fingerprint }}"
  register: result

 - name: Assert Verify fingerprint of subkey, valid fingerprint - Idempotent check
@ -216,15 +196,16 @@
      - result is not changed

 # Reset to test multi-key validation
- name: remove all keys from key ring
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
+
+- name: Remove all keys from key ring
+  shell: rpm -q gpg-pubkey | xargs rpm -e

 - name: Verify fingerprint of primary and subkey, valid fingerprint
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
    fingerprint:
-      - 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
-      - EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+      - "{{ primary_fingerprint }}"
+      - "{{ sub_key_fingerprint }}"
  register: result

 - name: Assert Verify fingerprint of primary and subkey, valid fingerprint
@ -235,10 +216,10 @@

 - name: Verify fingerprint of primary and subkey, valid fingerprint - Idempotent check
  rpm_key:
-    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+    key: "{{ sub_key_url }}"
    fingerprint:
-      - 19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86
-      - EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+      - "{{ primary_fingerprint }}"
+      - "{{ sub_key_fingerprint }}"
  register: result

 - name: Assert Verify fingerprint of primary and subkey, valid fingerprint - Idempotent check
@ -246,22 +227,3 @@
    that:
      - result is success
      - result is not changed
-
-
-#
-# Cleanup
-#
- name: remove all keys from key ring
-  shell: "rpm -q  gpg-pubkey | xargs rpm -e"
-
- name: Restore the gpg keys normally installed on the system
-  command: 'rpm --import {{ remote_tmp_dir }}/pubkeys'
-
- name: Retrieve a list of gpg keys are installed for package checking
-  shell: 'rpm -q gpg-pubkey | sort'
-  register: new_list_of_pubkeys
-
- name: Confirm that we've restored all the pubkeys
-  assert:
-    that:
-      - 'list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]'
--- a/test/integration/targets/rpm_key/vars/main.yml
+++ b/test/integration/targets/rpm_key/vars/main.yml
@ -0,0 +1,8 @@
+test_key_url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-10
+test_key_path: "{{ remote_tmp_dir + '/RPM-GPG-KEY-EPEL-10' }}"
+test_rpm_url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/scitokens-cpp-devel-1.1.3-2.el10_1.x86_64.rpm
+test_rpm_path: "{{ remote_tmp_dir + '/test.rpm' }}"
+sub_key_url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/openbao-gpg-pub-20240618.asc
+invalid_fingerprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
+primary_fingerprint: 66D1 5FDD 8728 7219 C8E1 5478 D200 CD70 2853 E6D0
+sub_key_fingerprint: E617 DCD4 065C 2AFC 0B2C F7A7 BA8B C08C 0F69 1F94
--- a/test/integration/targets/setup_paramiko/install-RedHat-10-python-3.yml
+++ b/test/integration/targets/setup_paramiko/install-RedHat-10-python-3.yml
@ -0,0 +1,9 @@
+- name: Setup remote constraints
+  include_tasks: setup-remote-constraints.yml
+- name: Install Paramiko for Python 3 on RHEL 10
+  pip: # no python3-paramiko package exists for RHEL 10
+    name: paramiko
+    extra_args: "-c {{ remote_constraints }}"
+
+- name: Drop the crypto-policy to LEGACY for these tests
+  command: update-crypto-policies --set LEGACY
--- a/test/integration/targets/setup_paramiko/uninstall-RedHat-10-python-3.yml
+++ b/test/integration/targets/setup_paramiko/uninstall-RedHat-10-python-3.yml
@ -0,0 +1,7 @@
+- name: Uninstall Paramiko for Python 3 on RHEL 10
+  pip: # no python3-paramiko package exists for RHEL 10
+    name: paramiko
+    state: absent
+
+- name: Revert the crypto-policy back to DEFAULT
+  command: update-crypto-policies --set DEFAULT
--- a/test/lib/ansible_test/_data/completion/remote.txt
+++ b/test/lib/ansible_test/_data/completion/remote.txt
@ -8,6 +8,7 @@ freebsd python_dir=/usr/local/bin become=su_sudo provider=aws arch=x86_64
 macos/15.3 python=3.13 python_dir=/usr/local/bin become=sudo provider=parallels arch=x86_64
 macos python_dir=/usr/local/bin become=sudo provider=parallels arch=x86_64
 rhel/9.5 python=3.9,3.12 become=sudo provider=aws arch=x86_64
+rhel/10.0 python=3.12 become=sudo provider=aws arch=x86_64
 rhel become=sudo provider=aws arch=x86_64
 ubuntu/22.04 python=3.10 become=sudo provider=aws arch=x86_64
 ubuntu/24.04 python=3.12 become=sudo provider=aws arch=x86_64
--- a/test/lib/ansible_test/_util/target/setup/bootstrap.sh
+++ b/test/lib/ansible_test/_util/target/setup/bootstrap.sh
@ -281,10 +281,41 @@ bootstrap_remote_rhel_9()
    done
 }

+bootstrap_remote_rhel_10()
+{
+    py_pkg_prefix="python3"
+
+    packages="
+        gcc
+        ${py_pkg_prefix}-devel
+        ${py_pkg_prefix}-pip
+        "
+
+    if [ "${controller}" ]; then
+        packages="
+            ${packages}
+            ${py_pkg_prefix}-cryptography
+            ${py_pkg_prefix}-jinja2
+            ${py_pkg_prefix}-packaging
+            ${py_pkg_prefix}-pyyaml
+            ${py_pkg_prefix}-resolvelib
+            "
+    fi
+
+    while true; do
+        # shellcheck disable=SC2086
+        dnf install -q -y ${packages} \
+        && break
+        echo "Failed to install packages. Sleeping before trying again..."
+        sleep 10
+    done
+}
+
 bootstrap_remote_rhel()
 {
    case "${platform_version}" in
        9.*) bootstrap_remote_rhel_9 ;;
+        10.*) bootstrap_remote_rhel_10 ;;
    esac
 }