Merge remote-tracking branch 'upstream/master' into docs-master

docs-master
Alex Willmer 3 weeks ago
commit 175f70c8a2

@ -41,7 +41,7 @@ with ci_lib.Fold('docker_setup'):
with ci_lib.Fold('job_setup'):
os.chdir(TESTS_DIR)
os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', int('0600', 7))
os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', int('0600', 8))
ci_lib.run("mkdir %s", HOSTS_DIR)
for path in glob.glob(TESTS_DIR + '/hosts/*'):

@ -51,6 +51,9 @@ with ci_lib.Fold('machine_prep'):
subprocess.check_call('sudo chmod 700 ~root/.ssh', shell=True)
subprocess.check_call('sudo chmod 600 ~root/.ssh/authorized_keys', shell=True)
os.chdir(IMAGE_PREP_DIR)
ci_lib.run("ansible-playbook -c local -i localhost, macos_localhost.yml")
if os.path.expanduser('~mitogen__user1') == '~mitogen__user1':
os.chdir(IMAGE_PREP_DIR)
ci_lib.run("ansible-playbook -c local -i localhost, _user_accounts.yml")

@ -442,18 +442,22 @@ class PlayContextSpec(Spec):
raise
LOG.info(
'Used PlayContext fallback for plugin=%r, option=%r',
self._connection, name,
'Used fallback=PlayContext.%s for plugin=%r, option=%r',
name, self._connection, name,
)
return getattr(self._play_context, name)
def _connection_option(self, name):
def _connection_option(self, name, fallback_attr=None):
try:
return self._connection.get_option(name, hostvars=self._task_vars)
except KeyError:
LOG.debug('Used PlayContext fallback for option=%r', name)
return getattr(self._play_context, name)
if fallback_attr is None:
fallback_attr = name
LOG.info(
'Used fallback=PlayContext.%s for plugin=%r, option=%r',
fallback_attr, self._connection, name,
)
return getattr(self._play_context, fallback_attr)
def transport(self):
return self._transport
@ -462,7 +466,7 @@ class PlayContextSpec(Spec):
return self._inventory_name
def remote_addr(self):
return self._play_context.remote_addr
return self._connection_option('host', fallback_attr='remote_addr')
def remote_user(self):
return self._connection_option('remote_user')
@ -500,15 +504,10 @@ class PlayContextSpec(Spec):
rediscover_python=rediscover_python)
def host_key_checking(self):
def candidates():
yield self._connection.get_task_var('ansible_ssh_host_key_checking')
yield self._connection.get_task_var('ansible_host_key_checking')
yield C.HOST_KEY_CHECKING
val = next((v for v in candidates() if v is not None), True)
return boolean(val)
return self._connection_option('host_key_checking')
def private_key_file(self):
return self._play_context.private_key_file
return self._connection_option('private_key_file')
def ssh_executable(self):
return self._connection_option('ssh_executable')

@ -23,6 +23,20 @@ In progress (unreleased)
v0.3.17 (2024-11-07)
--------------------
* :gh:issue:`1182` CI: Fix incorrect world readable/writable file permissions
on SSH key ``mitogen__has_sudo_pubkey.key`` during Ansible tests.
* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH private key file
(e.g. ``ansible_private_key_file``).
* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH host key checking
(e.g. ``ansible_host_key_checking``, ``ansible_ssh_host_key_checking``).
* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated host address
(e.g. ``ansible_host``, ``ansible_ssh_host``)
* :gh:issue:`1184` Test templated SSH host key checking in task vars
v0.3.16 (2024-11-05)
--------------------

@ -35,7 +35,7 @@ be expected. On the slave, it is built dynamically during startup.
#: Library version as a tuple.
__version__ = (0, 3, 17, 'dev')
__version__ = (0, 3, 18, 'dev')
#: This is :data:`False` in slave contexts. Previously it was used to prevent

@ -22,9 +22,6 @@ ssh_args_canary_file=/tmp/ssh_args_by_inv_{{ inventory_hostname }}
[tt_targets_bare]
tt-bare
[tt_targets_bare:vars]
ansible_host=localhost
[tt_become_bare]
tt-become-bare
@ -43,10 +40,10 @@ ansible_host=localhost
ansible_user="{{ lookup('pipe', 'whoami') }}"
[tt_targets_inventory]
tt-password ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw
tt-port ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw
tt-remote-user ansible_password=has_sudo_nopw_password ansible_user="{{ 'mitogen__has_sudo_nopw' | trim }}"
tt-ssh-executable ansible_password=has_sudo_nopw_password ansible_ssh_executable="{{ 'ssh' | trim }}" ansible_user=mitogen__has_sudo_nopw
[tt_targets_inventory:vars]
ansible_host=localhost
tt-host ansible_host="{{ 'localhost' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
tt-host-key-checking ansible_host=localhost ansible_host_key_checking="{{ 'false' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
tt-password ansible_host=localhost ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw
tt-port ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw
tt-private-key-file ansible_host=localhost ansible_private_key_file="{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_user=mitogen__has_sudo_pubkey
tt-remote-user ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_user="{{ 'mitogen__has_sudo_nopw' | trim }}"
tt-ssh-executable ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_ssh_executable="{{ 'ssh' | trim }}" ansible_user=mitogen__has_sudo_nopw

@ -2,6 +2,7 @@
hosts: tt_targets_bare
gather_facts: false
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: "{{ 'has_sudo_nopw_password' | trim }}"
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ansible_ssh_common_args: >-

@ -3,6 +3,7 @@
gather_facts: false
remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}"
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: has_sudo_nopw_password
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
tasks:

@ -2,6 +2,8 @@
hosts: tt_targets_bare
gather_facts: false
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_host_key_checking: "{{ 'false' | trim }}"
ansible_password: "{{ 'has_sudo_nopw_password' | trim }}"
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ansible_ssh_executable: "{{ 'ssh' | trim }}"
@ -9,5 +11,26 @@
tasks:
- meta: reset_connection
- name: Templated variables in play
- name: Templated variables in play, password authentication
ping:
- name: integration/ssh/templated_by_play_taskvar.yml
hosts: tt_targets_bare
gather_facts: false
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_host_key_checking: "{{ 'false' | trim }}"
ansible_private_key_file: "{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key"
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ansible_ssh_executable: "{{ 'ssh' | trim }}"
ansible_user: "{{ 'mitogen__has_sudo_pubkey' | trim }}"
tasks:
- meta: end_play
when:
# https://github.com/ansible/ansible/issues/84238
- not is_mitogen
- ansible_version.full is version('2.19', '<', strict=True)
- meta: reset_connection
- name: Templated variables in play, key authentication
ping:

@ -5,6 +5,7 @@
# https://github.com/mitogen-hq/mitogen/issues/1132
remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}"
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: has_sudo_nopw_password
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
tasks:
@ -19,6 +20,7 @@
delegate_to: "{{ groups.tt_targets_bare[0] }}"
remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}"
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: has_sudo_nopw_password
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ping:

@ -13,11 +13,6 @@
-o "ControlPath /tmp/mitogen-ansible-test-{{18446744073709551615|random}}"
tasks:
- name: setup ansible_ssh_private_key_file
shell: chmod 0600 ../data/docker/mitogen__has_sudo_pubkey.key
args:
chdir: ../..
- name: ansible_user, ansible_ssh_private_key_file
shell: >
ANSIBLE_ANY_ERRORS_FATAL=false
@ -34,6 +29,7 @@
args:
chdir: ../..
register: out
changed_when: false
- name: ansible_user, wrong ansible_ssh_private_key_file
shell: >
@ -52,6 +48,7 @@
args:
chdir: ../..
register: out
changed_when: false
ignore_errors: true
- assert:

@ -44,7 +44,6 @@ ssh_args_canary_file=/tmp/ssh_args_by_inv_{{ '{{' }} inventory_hostname {{ '}}'
tt-bare
[tt_targets_bare:vars]
ansible_host={{ tt.hostname }}
ansible_python_interpreter={{ tt.python_path }}
[tt_become_bare]
@ -71,11 +70,10 @@ ansible_python_interpreter={{ tt.python_path }}
ansible_user=mitogen__has_sudo_nopw
[tt_targets_inventory]
tt-password ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}" ansible_port={{ tt.port }} ansible_user=mitogen__has_sudo_nopw
tt-port ansible_password=has_sudo_nopw_password ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw
tt-remote-user ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_user="{{ '{{' }} 'mitogen__has_sudo_nopw' | trim {{ '}}' }}"
tt-ssh-executable ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_ssh_executable="{{ '{{' }} 'ssh' | trim {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw
[tt_targets_inventory:vars]
ansible_host={{ tt.hostname }}
ansible_python_interpreter={{ tt.python_path }}
tt-host ansible_host="{{ '{{' }} '{{ tt.hostname }}' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-host-key-checking ansible_host={{ tt.hostname }} ansible_host_key_checking="{{ '{{' }} 'false' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-password ansible_host={{ tt.hostname }} ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}" ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-port ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}" ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-private-key-file ansible_host={{ tt.hostname }} ansible_port={{ tt.port }} ansible_private_key_file="{{ '{{' }} git_basedir {{ '}}' }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_pubkey
tt-remote-user ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user="{{ '{{' }} 'mitogen__has_sudo_nopw' | trim {{ '}}' }}"
tt-ssh-executable ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_ssh_executable="{{ '{{' }} 'ssh' | trim {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw

@ -23,10 +23,16 @@
gather_facts: true
vars:
distro: "{{ansible_distribution}}"
tasks:
- when: ansible_virtualization_type != "docker"
meta: end_play
pre_tasks:
- meta: end_play
when:
- ansible_facts.virtualization_type != "docker"
roles:
- role: sshd
tasks:
- name: Ensure requisite apt packages are installed
apt:
name: "{{ common_packages + packages }}"
@ -134,10 +140,6 @@
content: |
i-am-mitogen-test-docker-image
- copy:
dest: /etc/ssh/banner.txt
src: ../data/docker/ssh_login_banner.txt
- name: Ensure /etc/sudoers.d exists
file:
state: directory
@ -169,17 +171,6 @@
line: "%wheel ALL=(ALL) ALL"
when: ansible_os_family == 'RedHat'
- name: Enable SSH banner
lineinfile:
path: /etc/ssh/sshd_config
line: Banner /etc/ssh/banner.txt
- name: Allow remote SSH root login
lineinfile:
path: /etc/ssh/sshd_config
line: PermitRootLogin yes
regexp: '.*PermitRootLogin.*'
- name: Allow remote SSH root login
lineinfile:
path: /etc/pam.d/sshd

@ -0,0 +1,7 @@
- name: Configure macOS
hosts: all
gather_facts: true
strategy: mitogen_free
become: true
roles:
- role: sshd

@ -0,0 +1,3 @@
sshd_config_file: /etc/ssh/sshd_config
sshd_config__max_auth_tries: 50

@ -0,0 +1,31 @@
- name: Create login banner
copy:
src: banner.txt
dest: /etc/ssh/banner.txt
mode: u=rw,go=r
- name: Configure sshd_config
lineinfile:
path: "{{ sshd_config_file }}"
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
loop:
- line: Banner /etc/ssh/banner.txt
regexp: '^#? *Banner.*'
- line: MaxAuthTries {{ sshd_config__max_auth_tries }}
regexp: '^#? *MaxAuthTries.*'
- line: PermitRootLogin yes
regexp: '.*PermitRootLogin.*'
loop_control:
label: "{{ item.line }}"
register: configure_sshd_result
- name: Restart sshd
shell: |
launchctl unload /System/Library/LaunchDaemons/ssh.plist
wait 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
changed_when: true
when:
- ansible_facts.distribution == "MacOSX"
- configure_sshd_result is changed
Loading…
Cancel
Save