The controller's fixup_perms2 uses filesystem acls to make the temporary
file for copy readable by an unprivileged become user. On Python3, the
acls are then copied to the destination filename so we have to remove
them from there.
We can't remove them prior to the copy because we may not have
permission to read the file if the acls are not present. We can't
remove them in atomic_move() because the move function shouldn't know
anything about controller features. We may want to generalize this into
a helper function, though.
Fixes#44412
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
(cherry picked from commit d15812fabf)
* nxos_igmp_snooping: group-timeout fails when igmp snooping disabled
group-timeout config will be rejected by the device if `ip igmp snooping` is disabled.
* raise a failure for this condition
* reorder the command list so that group-timeout is always last
* SA fixes
* SA fixes
* only call gt_dependency if gt
(cherry picked from commit 8c33ba3ecd)
* network.py:ActionModule:run: does not honor _handle_src_option failures
PR #50301 moved template error handling out of run() and into its
own method in `_handle_src_option`; however, after the change run()
ignores the return value so any errors are ignored.
Reproduceable with `nxos_config/tests/common/src_invalid.yaml`
Verified fix with `nxos_config/tests/common/src_*` tests.
Ref:
71113ee291 (diff-7477bf046013758366cc85b06f90709aR43)
* nxos_config/tests/common/src_basic: Updated to test with src
This test was not actually testing with `src:` as it should have.
* Revert 412d7e change to plugins/action/network.py
PR #52912 fixed this already.
* nxos_config: fix src_invalid test
(cherry picked from commit d69239c440)
* nxos_interfaces_ospf: fix passive-interface states & check_mode
This fix addresses issues #41704 and #45343.
The crux of the problem is that `passive-interface` should have been treated as a tri-state value instead of a boolean.
The `no` form of the command disables the passive state on an interface (allows it to form adjacencies and send routing updates). It's essentially an override for `passive-interface default` which enables passive state on all OSPF interfaces.\*
This `no` config will be present in `running-config`.
\**See `router ospf` configuration.*
Since both enable and disable states are explicit configs, the proper way to remove either of these is with the `default` syntax.
Passive-interface config syntax:
```
ip ospf passive-interface # enable (nvgens)
no ip ospf passive-interface # disable (nvgens)
default ip ospf passive-interface # default (removes config, does not nvgen)
```
Code changes:
* `passive_interface` param changed from boolean to string, restricted to `true`,`false`,`default`.
* Several passive-interface specific checks were added because the existing module logic tends to test for true or false and doesn't handle the None case.
* Fixed `check_mode`.
Sanity verified on: N9K,N7K,N3K,N6K
* Fix doc header
* Unit tests for passive-interface
* doc fix#2
* Fix indent for SA
* Remove 'default' keyword, restore bool behavior
* remove changes to sanity
(cherry picked from commit 20fb77c49b)
* The test was setting `lsa max` value to 2222 but the default `lsa hold` value is 5000.
* `hold` must be less than `max` or else the device raises a clierror, so I just added a lower non-default `hold` value to satisfy the cli.
(cherry picked from commit c1e9f594d2)
The N7K is another platform that raises an error when trying to remove
an RP w/prefix-list specified. These tests are now skipped for N7K.
(cherry picked from commit c5de2233d0)
* Fixed another problem where `group-timeout` was processed before `ip igmp snooping` was enabled
* `sanity` playbook:
* N6K: `show ip igmp snooping | json` succeeds on the device but doesn't return any data in body; added a skip to the sanity playbook to keep it out of CI
* Added a setup task to do initial cleanup on the device
(cherry picked from commit 07774b4ccf)
Basic passwords are rejected by the nxos device unless `no password strength-check`
is configured. This change just makes the password meet the minimum strength checks.
(cherry picked from commit 591e0ffb69)
Test yaml fixes for n3048:
* 3048 does not support bidir option
* 3048 cannot remove rp-address if prefix-list/route-map is present
* yes: no ip pim rp-address x.x.x.x
* no: no ip pim rp-address x.x.x.x prefix-list foo
* no: no ip pim rp-address x.x.x.x route-map bar
This test now passes on N9k/N7k/N6k/N3k.
(cherry picked from commit ea0ef3b2e1)
* nxos_hsrp: fix 'sh_preempt': <unknown enum:>
Some older nxos images fail to set this attr value. This fix checks for
unknown enum and issues a second (unstructured) call to the device to get
the data.
* add whitespace for pep8
(cherry picked from commit 5dc65d0dfc)
* Fix 'defaults' option in the nxos_config module
Nxos get_config is allways called with the 'all' option.
* Fix flag's calculation
* Add tests
* nxos_config: the 'backup' option take into account the value of 'defaults' option
If 'defaults' option is true, the running-config backup is done with the all
keyword.
(cherry picked from commit 87a01df6ad)
When using before and after in combination, the opposite behavior was induced. This PR makes the the replacement happen between the specified patterns as intended.
* Added integration tests
* Add changelog, porting guide entry, and minor doc fixes.
(cherry picked from commit cf69ec5db0)
Co-authored-by: Evan Kaufman <evan.kaufman@gmail.com>
* Add write helper.
* Adjust modules (except openssl_certificate).
* Adding tests for mode (with openssl_privatekey).
* Add openssl_certificate support.
* Never, ever remove the output file before actually trying to generate new content for it.
Removal is only allowed when state=absent, or when the object has been regenerated and the result needs to be written to that place.
* Add changelog.
* Extend test.
(cherry picked from commit d7a273273a)
* Add documentation for tags and network access
* Documentation changes from dag and sam
* Change examples to include proper YAML and not dict
* Update lib/ansible/modules/network/meraki/meraki_admin.py
Co-Authored-By: kbreit <kevin.breit@kevinbreit.net>
(cherry picked from commit bcbcd209f4)
The tests need to be updated to support newer ansible-runner releases.
(cherry picked from commit 777b726e4f)
Co-authored-by: Matt Clay <matt@mystile.com>
This is a backport of #48833 for stable-2.7.
The compose, groups, and keyed_groups functionality of the openstack
inventory plugin was broken:
- the plugin was not passing the correct variables to the
Constructable methods for compose and groups
- the plugin was simply never calling the appropriate method for
implementing keyed_groups
This commit fixes both issues.
(cherry picked from commit 5a9c767662)
This reverts commit 05772233ad.
I mistakenly merged this before it hit devel. The devel change was
modified to change this in a different place. Reverting so that we can
make that fix properly.
* [stable-2.7] Correctly count processors on ARM systems. (#52884)
- Add unit tests for Linux CPU info
- Add cpuinfo output from several systems for unit tests
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit 55306906cf)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Add changelog
* Revert "allow caller to deal with timeout (#49449)"
This reverts commit 63279823a7.
Flawed on many levels
* Adds poor API to a public function
* Papers over the fact that the public function is doing something bad
by catching exceptions it cannot handle in the first place
* Papers over the real cause of the issue which is a bug in the timeout
decorator
* Doesn't reraise properly
* Catches the wrong exception
Fixes#49824Fixes#49817
* Make the timeout decorator properly raise an exception outside of the function's scope
signal handlers which raise exceptions will never work well because the
exception can be raised anywhere in the called code. This leads to
exception race conditions where the exceptions could end up being
hanlded by unintended pieces of the called code.
The timeout decorator was using just that idiom. It was especially bad
because the decorator syntactically occurs outside of the called code
but because of the signal handler, the exception was being raised inside
of the called code.
This change uses a thread instead of a signal to manage the timeout in
parallel to the execution of the decorated function. Since raising of
the exception happens inside of the decorator, now, instead of inside of
a signal handler, the timeout exception is raised from outside of the
called code as expected which makes reasoning about where exceptions are
to be expected intuitive again.
Fixes#43884
* Add a common case test.
Adding an integration test driven from our unittests. Most of the time
we'll timeout in run_command which is running things in a subprocess.
Create a test for that specific case in case anything funky comes up
between threading and execve.
* Don't use OSError-based TimeoutError as a base class
Unlike most standard exceptions, OSError has a specific parameter list
with specific meanings. Instead follow the example of other stdlib
functions, concurrent.futures and multiprocessing and define a separate
TimeoutException.
* Add comment and docstring to point out that this is not hte Python3 TimeoutError
(cherry picked from commit bd072fe83a)
* win_reboot - Fix rc validation when using psrp and add extra docs (#53711)
* win_reboot - Fix rc validation when using psrp and add extra docs
* Revert boot time command and fix docs
(cherry picked from commit 3d23e47c53)
* win_reboot - fix broken tests after recent commit (#53722)
(cherry picked from commit d9795bad98)
* [stable-2.7] Ensure Clear Linux parsing is actually parsing a Clear Linux host and all others fall back to NA (#53298)
Fixes a bug where parse_distribution_file_ClearLinux() was called on CoreOS (and probably many other distros) and it returned True since it successfully parses the distribution file. Since this file exists on many Linux distributions and they are a very similar format, add an additional check to make sure it is Clear Linux.
Change the order in which distribution files are processed so NA is last. This prevents a match on CoreOS hosts since they also have /etc/os-release and the called matching function for NA is very general and will match CoreOS.
* Add changelog
* Add unit tests
Only add tests for Clear Linux parsing since that was the cause of this issue.
(cherry picked from commit 1d91e03119)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Use different import for 2.7
* Output warnings from docker daemon on container create and update.
* Accept warning for blkio_weight instead of idempotency.
* Value quoting.
* Avoid loop variable conflict.
* Add changelog.
* Make one test case faster.
* Add 'Docker warning: ' prefix.
* Add a generalized warning reporting function.
(cherry picked from commit 3117900b1e)
Martin Krizek