The recent update of ptyprocess to 0.7.0 is incompatible with Python 2.6 and
is causing test failures.
* Add setup_pexpect role to expect test
(cherry picked from commit 003a9e890d)
Co-authored-by: Sam Doooran <sdoran@redhat.com>
Change:
- `udev` is provided by `systemd-udev`, which our `state=present` check
doesn't match. For now, work around this so we don't end up trying to
upgrade all of systemd.
- In the future, we should discuss if the `yum` module does the right
thing here.
Test Plan:
- Locally in docker
- CI
Signed-off-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit 8eaa7423d4)
* Pull image from Quay to avoid Dockerhub limits
CI tests are failing in certain situations due to the new Docker Hub limits on anonymous pulls. Switch
to pulling an equivalent image from Quay.io.
* Use images in Quay that we control for CI
* Use images from a single test repo on Quay with tags
* Use correct hello-world image
* More image cleanup
* Fix bad replacement
* A few more alpine images
* Adjust expected output to match what the playbook sets it to
Change:
- The repo we were testing with no longer seems to exist. Point to one
that does.
Test Plan:
- local test in docker
- CI
Signed-off-by: Rick Elrod <rick@elrod.me>
Change:
- This enables the inventory_kubevirt_conformance test to pass again on
freebsd.
- This was due to a google-auth version bump. The dep chain looks like
this: openshift -> kubernetes -> google-auth -> aiohttp -> multidict
Test Plan:
- ansible-test integration inventory_kubevirt_conformance --remote
freebsd/12.0
Signed-off-by: Rick Elrod <rick@elrod.me>
Change:
- This isn't a direct backport of #71949 because in stable-2.8,
setup_docker doesn't use handlers like more modern branches to clean
up after itself.
- Instead, here we just make sure the docker packages are gone before
the podman test runs.
Test Plan:
- CI
- ci_complete
Signed-off-by: Rick Elrod <rick@elrod.me>
Change:
- The docker-ce.repo file for centos does not work on RHEL since it uses
$releasever and on RHEL that is, e.g., "7Server".
- Instead, set up the repo manually.
- Additionally, the docker centos8 repo no longer has old versions, so
we use the (only) version in the repo instead.
Test Plan:
- CI
Signed-off-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit 31ddca4c0d)
(cherry picked from commit 651c0a2d03)
The file test will no longer attempt to test attributes if `lsattr -vd` does not work on the system under test.
(cherry picked from commit 17765cd4e8)
Co-authored-by: Matt Clay <mclay@redhat.com>
The stat time granularity on macOS is one second. We recently upgraded
to faster macOS hosts, so some tests that run closely together to see if
something changed will have the same timestamp intermittently.
A recent update to cffi that was yanked is still being installed on our
Mac OS X 10.11 test image since the version of pip there is very old and
does not ignore yanked packages.
Pin the version of pyOpenSSL and its dependencies to fix this and avoid
future spontaneous failures..
(cherry picked from commit 65cdb86c8a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Add types.py from devel to support backport.
* [stable-2.9] Backport ansible-test CI provider support. (#71614)
* Add encoding.py from devel to support backports.
* Add io.py from devel to support backports.
* Update ansible-test support for CI providers. (#69522)
Refactored CI provider code to simplify multiple provider support and addition of new providers.
(cherry picked from commit d8e0aadc0d)
* Add Shippable request signing to ansible-test. (#69526)
(cherry picked from commit e7c2eb519b)
* ansible-test local change detection: use --base-branch if specified (#69508)
(cherry picked from commit 43acd61901)
* Add Azure Pipelines support to ansible-test.
(cherry picked from commit 8ffaed00f8)
* Update ansible-test remote endpoint handling. (#71413)
* Request ansible-core-ci resources by provider.
* Remove obsolete us-east-2 CI endpoint.
* Add new --remote-endpoint option.
* Add warning for --remote-aws-region option.
* Update service endpoints.
* Allow non-standard remote stages.
* Add changelog fragment.
(cherry picked from commit d099591964)
* Fix ansible-test coverage traceback. (#71446)
* Add integration test for ansible-test coverage.
* Fix ansible-test coverage traceback.
* Fix coverage reporting on Python 2.6.
(cherry picked from commit f5b6df14ab)
* Use new endpoint for Parallels based instances.
(cherry picked from commit 98febab975)
* Add pause to avoid same mtime in test.
(cherry picked from commit 3d769f3a76)
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 417e408f59)
Change:
- By default the dnf API does not gpg-verify packages. This is a feature
that is executed in its CLI code. It never made it into Ansible's
usage of the API, so packages were previously not verified.
- This fixes CVE-2020-14365.
Test Plan:
- New integration tests
Signed-off-by: Rick Elrod <rick@elrod.me>
Change:
- Uses `hg serve` instead of a bitbucket repo for hg tests
- bitbucket no longer serves hg
Backport of #71398
Test Plan:
- CI, fixed integration tests
Signed-off-by: Rick Elrod <rick@elrod.me>
* [stable-2.8] Change default file permissions so they are not world readable (#70221)
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix service test
* Fix lamdba_policy test
* Fix aws_lamdba test
* Fix warning for new default permissions when mode is not specified (#70976)
Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry picked from commit dc79528cc6)
* Use new category in changelog fragments
The repository names seem to have changed and no longer have the "rhui-" prefix.
(cherry picked from commit 6ac4439a6a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
A recent updated to psutil, which is a dependency of ansible-runner, fails
to install on older versions of pip.
Commit with the breaking change:
135628639b
(cherry picked from commit 9d27d7c8b1)
Co-authored-by: Sam Doran <sdoran@redhat.com>
Fixes#66549
The inefficiency improvement
https://github.com/ansible/ansible/pull/63713 introduced a bug where
`enablerepo` was not being honored if combined with
`disablerepo="*"`. This fixes that issue.
Signed-off-by: Adam Miller <admiller@redhat.com>
Co-authored-by: Adam Miller <admiller@redhat.com>
* [stable-2.8] Pin Docker version at 19.03.1
(cherry picked from commit fe941a4045)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* [stable-2.8] Pin docker-ce-cli version in tests (#69620)
Installing docker-ce has a dependency of docker-ce-cli. If the version of docker-ci-cli is not specified, it installs the latest version.
(cherry picked from commit 889da811d7)
Change:
We were only testing dnf on RHEL previously.
Test on CentOS 8 as well.
Test Plan:
Ran locally in docker.
Signed-off-by: Rick Elrod <rick@elrod.me>
Change:
Extend the logic for custom error handling in the dnf module, so that on
newer DNF (such as DNF that ships with modern Fedora 31 container
images, and ships with RHEL 8.2) we report errors consistently with
older DNF.
Test Plan:
Ran dnf integration tests against an old Fedora 31 container image and a
brand new Fedora 32 container image; tess passed on both.
Signed-off-by: Rick Elrod <rick@elrod.me>
* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
fixes#67793
CVE-2019-3828
(cherry picked from commit ba87c225cd)
* prevent ansible_facts injection (#68431)
- also only replace when needed
- switched from replace to index
- added test to verify bogus_facts are not accepted
CVE-2020-10684
(cherry picked from commit a9d2ceafe4)
* added to ignore
* fix vault tmpe file handling
* use local temp dir instead of system temp
* ensure each worker clears dataloader temp files
* added test for dangling temp files
* added notes to data loader
CVE-2020-10685
(cherry picked from commit 6452a82452)
* subversion module - provide password securely with svn command line option --password-from-stdin when possible, and provide a warning otherwise.
* Update lib/ansible/modules/source_control/subversion.py.
* Add a test.
Co-authored-by: Sam Doran <sdoran@redhat.com>
(cherry picked from commit d91658ec0c)
* acl: fix module failure if there're spaces in a path (#63280)
* Make acl module to work with whitespaces in path
* Added a changelog fragment
* Add quotes to changelog fragment
(cherry picked from commit 504d76e956)
* Fix tests
* Actually inspect the paths and prevent escape
* Add integration tests
* Generate zip files for use in integration test
* Adjust error message
(cherry picked from commit d30c57ab22)
Sam Doooran