Merge commit '6cf6f69751e4533eb4f77d2e277c5989571357a5' into release-v0.3.17

pull/1191/head
Alex Willmer 2 weeks ago
commit 35cc81b074

@ -41,7 +41,7 @@ with ci_lib.Fold('docker_setup'):
with ci_lib.Fold('job_setup'): with ci_lib.Fold('job_setup'):
os.chdir(TESTS_DIR) os.chdir(TESTS_DIR)
os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', int('0600', 7)) os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', int('0600', 8))
ci_lib.run("mkdir %s", HOSTS_DIR) ci_lib.run("mkdir %s", HOSTS_DIR)
for path in glob.glob(TESTS_DIR + '/hosts/*'): for path in glob.glob(TESTS_DIR + '/hosts/*'):

@ -51,6 +51,9 @@ with ci_lib.Fold('machine_prep'):
subprocess.check_call('sudo chmod 700 ~root/.ssh', shell=True) subprocess.check_call('sudo chmod 700 ~root/.ssh', shell=True)
subprocess.check_call('sudo chmod 600 ~root/.ssh/authorized_keys', shell=True) subprocess.check_call('sudo chmod 600 ~root/.ssh/authorized_keys', shell=True)
os.chdir(IMAGE_PREP_DIR)
ci_lib.run("ansible-playbook -c local -i localhost, macos_localhost.yml")
if os.path.expanduser('~mitogen__user1') == '~mitogen__user1': if os.path.expanduser('~mitogen__user1') == '~mitogen__user1':
os.chdir(IMAGE_PREP_DIR) os.chdir(IMAGE_PREP_DIR)
ci_lib.run("ansible-playbook -c local -i localhost, _user_accounts.yml") ci_lib.run("ansible-playbook -c local -i localhost, _user_accounts.yml")

@ -442,18 +442,22 @@ class PlayContextSpec(Spec):
raise raise
LOG.info( LOG.info(
'Used PlayContext fallback for plugin=%r, option=%r', 'Used fallback=PlayContext.%s for plugin=%r, option=%r',
self._connection, name, name, self._connection, name,
) )
return getattr(self._play_context, name) return getattr(self._play_context, name)
def _connection_option(self, name, fallback_attr=None):
def _connection_option(self, name):
try: try:
return self._connection.get_option(name, hostvars=self._task_vars) return self._connection.get_option(name, hostvars=self._task_vars)
except KeyError: except KeyError:
LOG.debug('Used PlayContext fallback for option=%r', name) if fallback_attr is None:
return getattr(self._play_context, name) fallback_attr = name
LOG.info(
'Used fallback=PlayContext.%s for plugin=%r, option=%r',
fallback_attr, self._connection, name,
)
return getattr(self._play_context, fallback_attr)
def transport(self): def transport(self):
return self._transport return self._transport
@ -462,7 +466,7 @@ class PlayContextSpec(Spec):
return self._inventory_name return self._inventory_name
def remote_addr(self): def remote_addr(self):
return self._play_context.remote_addr return self._connection_option('host', fallback_attr='remote_addr')
def remote_user(self): def remote_user(self):
return self._connection_option('remote_user') return self._connection_option('remote_user')
@ -500,15 +504,10 @@ class PlayContextSpec(Spec):
rediscover_python=rediscover_python) rediscover_python=rediscover_python)
def host_key_checking(self): def host_key_checking(self):
def candidates(): return self._connection_option('host_key_checking')
yield self._connection.get_task_var('ansible_ssh_host_key_checking')
yield self._connection.get_task_var('ansible_host_key_checking')
yield C.HOST_KEY_CHECKING
val = next((v for v in candidates() if v is not None), True)
return boolean(val)
def private_key_file(self): def private_key_file(self):
return self._play_context.private_key_file return self._connection_option('private_key_file')
def ssh_executable(self): def ssh_executable(self):
return self._connection_option('ssh_executable') return self._connection_option('ssh_executable')

@ -18,6 +18,20 @@ To avail of fixes in an unreleased version, please download a ZIP file
`directly from GitHub <https://github.com/mitogen-hq/mitogen/>`_. `directly from GitHub <https://github.com/mitogen-hq/mitogen/>`_.
v0.3.17 (2024-11-07)
--------------------
* :gh:issue:`1182` CI: Fix incorrect world readable/writable file permissions
on SSH key ``mitogen__has_sudo_pubkey.key`` during Ansible tests.
* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH private key file
(e.g. ``ansible_private_key_file``).
* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH host key checking
(e.g. ``ansible_host_key_checking``, ``ansible_ssh_host_key_checking``).
* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated host address
(e.g. ``ansible_host``, ``ansible_ssh_host``)
* :gh:issue:`1184` Test templated SSH host key checking in task vars
v0.3.16 (2024-11-05) v0.3.16 (2024-11-05)
-------------------- --------------------

@ -35,7 +35,7 @@ be expected. On the slave, it is built dynamically during startup.
#: Library version as a tuple. #: Library version as a tuple.
__version__ = (0, 3, 16) __version__ = (0, 3, 17)
#: This is :data:`False` in slave contexts. Previously it was used to prevent #: This is :data:`False` in slave contexts. Previously it was used to prevent

@ -22,9 +22,6 @@ ssh_args_canary_file=/tmp/ssh_args_by_inv_{{ inventory_hostname }}
[tt_targets_bare] [tt_targets_bare]
tt-bare tt-bare
[tt_targets_bare:vars]
ansible_host=localhost
[tt_become_bare] [tt_become_bare]
tt-become-bare tt-become-bare
@ -43,10 +40,10 @@ ansible_host=localhost
ansible_user="{{ lookup('pipe', 'whoami') }}" ansible_user="{{ lookup('pipe', 'whoami') }}"
[tt_targets_inventory] [tt_targets_inventory]
tt-password ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw tt-host ansible_host="{{ 'localhost' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
tt-port ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw tt-host-key-checking ansible_host=localhost ansible_host_key_checking="{{ 'false' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
tt-remote-user ansible_password=has_sudo_nopw_password ansible_user="{{ 'mitogen__has_sudo_nopw' | trim }}" tt-password ansible_host=localhost ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw
tt-ssh-executable ansible_password=has_sudo_nopw_password ansible_ssh_executable="{{ 'ssh' | trim }}" ansible_user=mitogen__has_sudo_nopw tt-port ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw
tt-private-key-file ansible_host=localhost ansible_private_key_file="{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_user=mitogen__has_sudo_pubkey
[tt_targets_inventory:vars] tt-remote-user ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_user="{{ 'mitogen__has_sudo_nopw' | trim }}"
ansible_host=localhost tt-ssh-executable ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_ssh_executable="{{ 'ssh' | trim }}" ansible_user=mitogen__has_sudo_nopw

@ -2,6 +2,7 @@
hosts: tt_targets_bare hosts: tt_targets_bare
gather_facts: false gather_facts: false
vars: vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: "{{ 'has_sudo_nopw_password' | trim }}" ansible_password: "{{ 'has_sudo_nopw_password' | trim }}"
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ansible_ssh_common_args: >- ansible_ssh_common_args: >-

@ -3,6 +3,7 @@
gather_facts: false gather_facts: false
remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}" remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}"
vars: vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: has_sudo_nopw_password ansible_password: has_sudo_nopw_password
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
tasks: tasks:

@ -2,6 +2,8 @@
hosts: tt_targets_bare hosts: tt_targets_bare
gather_facts: false gather_facts: false
vars: vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_host_key_checking: "{{ 'false' | trim }}"
ansible_password: "{{ 'has_sudo_nopw_password' | trim }}" ansible_password: "{{ 'has_sudo_nopw_password' | trim }}"
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ansible_ssh_executable: "{{ 'ssh' | trim }}" ansible_ssh_executable: "{{ 'ssh' | trim }}"
@ -9,5 +11,26 @@
tasks: tasks:
- meta: reset_connection - meta: reset_connection
- name: Templated variables in play - name: Templated variables in play, password authentication
ping:
- name: integration/ssh/templated_by_play_taskvar.yml
hosts: tt_targets_bare
gather_facts: false
vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_host_key_checking: "{{ 'false' | trim }}"
ansible_private_key_file: "{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key"
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ansible_ssh_executable: "{{ 'ssh' | trim }}"
ansible_user: "{{ 'mitogen__has_sudo_pubkey' | trim }}"
tasks:
- meta: end_play
when:
# https://github.com/ansible/ansible/issues/84238
- not is_mitogen
- ansible_version.full is version('2.19', '<', strict=True)
- meta: reset_connection
- name: Templated variables in play, key authentication
ping: ping:

@ -5,6 +5,7 @@
# https://github.com/mitogen-hq/mitogen/issues/1132 # https://github.com/mitogen-hq/mitogen/issues/1132
remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}" remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}"
vars: vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: has_sudo_nopw_password ansible_password: has_sudo_nopw_password
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
tasks: tasks:
@ -19,6 +20,7 @@
delegate_to: "{{ groups.tt_targets_bare[0] }}" delegate_to: "{{ groups.tt_targets_bare[0] }}"
remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}" remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}"
vars: vars:
ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}"
ansible_password: has_sudo_nopw_password ansible_password: has_sudo_nopw_password
ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}"
ping: ping:

@ -13,11 +13,6 @@
-o "ControlPath /tmp/mitogen-ansible-test-{{18446744073709551615|random}}" -o "ControlPath /tmp/mitogen-ansible-test-{{18446744073709551615|random}}"
tasks: tasks:
- name: setup ansible_ssh_private_key_file
shell: chmod 0600 ../data/docker/mitogen__has_sudo_pubkey.key
args:
chdir: ../..
- name: ansible_user, ansible_ssh_private_key_file - name: ansible_user, ansible_ssh_private_key_file
shell: > shell: >
ANSIBLE_ANY_ERRORS_FATAL=false ANSIBLE_ANY_ERRORS_FATAL=false
@ -34,6 +29,7 @@
args: args:
chdir: ../.. chdir: ../..
register: out register: out
changed_when: false
- name: ansible_user, wrong ansible_ssh_private_key_file - name: ansible_user, wrong ansible_ssh_private_key_file
shell: > shell: >
@ -52,6 +48,7 @@
args: args:
chdir: ../.. chdir: ../..
register: out register: out
changed_when: false
ignore_errors: true ignore_errors: true
- assert: - assert:

@ -44,7 +44,6 @@ ssh_args_canary_file=/tmp/ssh_args_by_inv_{{ '{{' }} inventory_hostname {{ '}}'
tt-bare tt-bare
[tt_targets_bare:vars] [tt_targets_bare:vars]
ansible_host={{ tt.hostname }}
ansible_python_interpreter={{ tt.python_path }} ansible_python_interpreter={{ tt.python_path }}
[tt_become_bare] [tt_become_bare]
@ -71,11 +70,10 @@ ansible_python_interpreter={{ tt.python_path }}
ansible_user=mitogen__has_sudo_nopw ansible_user=mitogen__has_sudo_nopw
[tt_targets_inventory] [tt_targets_inventory]
tt-password ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}" ansible_port={{ tt.port }} ansible_user=mitogen__has_sudo_nopw tt-host ansible_host="{{ '{{' }} '{{ tt.hostname }}' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-port ansible_password=has_sudo_nopw_password ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw tt-host-key-checking ansible_host={{ tt.hostname }} ansible_host_key_checking="{{ '{{' }} 'false' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-remote-user ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_user="{{ '{{' }} 'mitogen__has_sudo_nopw' | trim {{ '}}' }}" tt-password ansible_host={{ tt.hostname }} ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}" ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-ssh-executable ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_ssh_executable="{{ '{{' }} 'ssh' | trim {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw tt-port ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}" ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw
tt-private-key-file ansible_host={{ tt.hostname }} ansible_port={{ tt.port }} ansible_private_key_file="{{ '{{' }} git_basedir {{ '}}' }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_pubkey
[tt_targets_inventory:vars] tt-remote-user ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user="{{ '{{' }} 'mitogen__has_sudo_nopw' | trim {{ '}}' }}"
ansible_host={{ tt.hostname }} tt-ssh-executable ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_ssh_executable="{{ '{{' }} 'ssh' | trim {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw
ansible_python_interpreter={{ tt.python_path }}

@ -23,10 +23,16 @@
gather_facts: true gather_facts: true
vars: vars:
distro: "{{ansible_distribution}}" distro: "{{ansible_distribution}}"
tasks:
- when: ansible_virtualization_type != "docker"
meta: end_play
pre_tasks:
- meta: end_play
when:
- ansible_facts.virtualization_type != "docker"
roles:
- role: sshd
tasks:
- name: Ensure requisite apt packages are installed - name: Ensure requisite apt packages are installed
apt: apt:
name: "{{ common_packages + packages }}" name: "{{ common_packages + packages }}"
@ -134,10 +140,6 @@
content: | content: |
i-am-mitogen-test-docker-image i-am-mitogen-test-docker-image
- copy:
dest: /etc/ssh/banner.txt
src: ../data/docker/ssh_login_banner.txt
- name: Ensure /etc/sudoers.d exists - name: Ensure /etc/sudoers.d exists
file: file:
state: directory state: directory
@ -169,17 +171,6 @@
line: "%wheel ALL=(ALL) ALL" line: "%wheel ALL=(ALL) ALL"
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- name: Enable SSH banner
lineinfile:
path: /etc/ssh/sshd_config
line: Banner /etc/ssh/banner.txt
- name: Allow remote SSH root login
lineinfile:
path: /etc/ssh/sshd_config
line: PermitRootLogin yes
regexp: '.*PermitRootLogin.*'
- name: Allow remote SSH root login - name: Allow remote SSH root login
lineinfile: lineinfile:
path: /etc/pam.d/sshd path: /etc/pam.d/sshd

@ -0,0 +1,7 @@
- name: Configure macOS
hosts: all
gather_facts: true
strategy: mitogen_free
become: true
roles:
- role: sshd

@ -0,0 +1,3 @@
sshd_config_file: /etc/ssh/sshd_config
sshd_config__max_auth_tries: 50

@ -0,0 +1,31 @@
- name: Create login banner
copy:
src: banner.txt
dest: /etc/ssh/banner.txt
mode: u=rw,go=r
- name: Configure sshd_config
lineinfile:
path: "{{ sshd_config_file }}"
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
loop:
- line: Banner /etc/ssh/banner.txt
regexp: '^#? *Banner.*'
- line: MaxAuthTries {{ sshd_config__max_auth_tries }}
regexp: '^#? *MaxAuthTries.*'
- line: PermitRootLogin yes
regexp: '.*PermitRootLogin.*'
loop_control:
label: "{{ item.line }}"
register: configure_sshd_result
- name: Restart sshd
shell: |
launchctl unload /System/Library/LaunchDaemons/ssh.plist
wait 5
launchctl load -w /System/Library/LaunchDaemons/ssh.plist
changed_when: true
when:
- ansible_facts.distribution == "MacOSX"
- configure_sshd_result is changed
Loading…
Cancel
Save