Commit Graph

1068 Commits (0526f8e167ffce2b8810a718e4ac893153c3625e)

Author SHA1 Message Date
Alex Willmer 7e5b064139 ansible_mitogen: Support templated become passwords 4 weeks ago
Alex Willmer 8a34b925a4 tests: Re-enable become/sudo tests, fix them on macOS runners
The tasks in tests/imageprep/_user_accounts.yml that create users did not
specify a primary group for those users - this left the decision to Ansible's
user module, and/or the underlying OS. In Ansible 9+ (ansible-core 2.16+ the
user module defaults to primary group "staff." Earlier don't supply a default,
which releases probably results in a primary group nameed "None" (due to
stringifying the Python singleton of the same name), or whatever the macOS
Directory Services has for no data/NULL.

The invalid GID 4294967295 (MAX_UINT32 == 2**32-1) in the sudo error probably
enters the mix via something similar to sudo CVE-2019-14287.

Fixes #692

See
- https://github.com/ansible/ansible/pull/79999
- https://github.com/ansible/ansible/commit/c69c83c962f987c78af98da0746527df
- https://www.sudo.ws/security/advisories/minus_1_uid/

> Bruce Wayne : [confused]  Am I meant to understand any of that?
> Lucius Fox : Not at all, I just wanted you to know how hard it was.
> -- Batman Begins
4 weeks ago
Alex Willmer cdfaf31ebc ansible_mitogen: Template ssh_*_args connection options
This expands support to setting them in Play scoped variables. Task scoped
variables are also very likely to work, but untested for now.

refs #905
4 weeks ago
Alex Willmer bf6607e27e ansible_mitogen: Support templated become_user
This reads the become username from the `become_user` attribute of the play
context, to the `"become_user"` option of the loaded become plugin. This has
been supported by vanilla Ansible since Ansible 2.10 (ansible-base 2.10).

To support this I've also switched from using the `play_context.become` (a
bool), to `connection.become` (an instance of the appropriate) become plugin.

New tests have been added, modelled on those for templated connection
parameters (see #1147, #1153, #1159).

See
- 480b106d65

refs #1083

Co-authored-by: mordek <m.pirog@bonasoft.pl>
1 month ago
Alex Willmer e9bddf0c03 CI: Use templated ansible_user for localhost Ansible tests
refs #1022, #1116
1 month ago
Alex Willmer 28e08ef94c ci: Reduce number of Jobs by parameterizing Mitogen Docker SSH tests
This reduces the number of jobs from 48 to 24. The Mitogen part of the test
suite has been parameterized on the Linux container targets to be run against.
Both the Ansible tests & Mitogen tests now use the same source of truth to
control which targets to use: environment variable MITOGEN_TEST_DISTRO_SPECS.
This replaces the two mutually exclusive env vars DISTRO and DISTROS. I've
also removed vestgial traces of an unused env var MITOGEN_TEST_DISTRO.

Parameterization adapted from
https://eli.thegreenplace.net/2014/04/02/dynamically-generating-python-test-cases

refs #1058, #1059
1 month ago
Alex Willmer 9859e44ee8 tests: Standardise on DockerizedSshDaemon.host & .port 1 month ago
Alex Willmer 5e816be12c tests: Templated connection keywords with delegated_to 1 month ago
Alex Willmer 5d6a185242 tests: Templated "remote_user" provided as Ansible playbook keyword
The password is provided as a variable because there is no corresponding
keyword. I get the impression that keywords are considered a legacy mechanism,
so most (new) options are only overridable by variables.

The port is proved as a variable for now, to test remote_name in isolation.
1 month ago
Alex Willmer 9cdd51cf5b Declare Python 3.13 support
No code changes needed, that I could find.
1 month ago
Alex Willmer 77a01ff8d6 ansible_mitogen: Support templated SSH port
fixes #978
2 months ago
Alex Willmer 14cb8be7e5 ansible_mitogen: Test templated connection user (e.g. ansible_user) 2 months ago
Alex Willmer 0e9c890637 tests: Remove unused physical_hosts variable 2 months ago
Alex Willmer 1773c9aba6 trivia: Fix trailing whitespace 2 months ago
Alex Willmer 8362d61462 CI: Remove Azure DevOps pipelines (replaced by GitHub Actions)
fixes #1138
2 months ago
Alex Willmer 3504bea3bb tests: Ignore inventory files of inactive tests & benchmarks
These targets are not used by any active tests, and the large numbers of hosts
multiply the size of the taskvars disctionary in memory to many (10s) MiB.

refs #1058
2 months ago
Alex Willmer 6accc87da1 tests: Improve Ansible fail_msg formatting
By switching to block style (`|`) with clip (no `-` or `+`) the failure
messages don't require quoting and gain a single trailing newline. This causes
Ansible to print them as block style, when using the yaml stdout callback
plugin. As a result the values have one less layer of quoting and quote
escaping, making them much easier to read.
2 months ago
Alex Willmer 551690ee1d ansible_mitogen: Handle templated connection passwords and ansible_ssh_password
This switches `ansible_mitogen.transport_config.PlayContextSpec.password()` to
Ansible's plugin option framework. As a result
- The relatively recent `ansible_ssh_password` variable is now respected.
- The SSH connection password can be templated and specified as a play
  variable. Task variables will probably also work, but testing was blocked
  by #1132.

There is a chance this change will cause a regression in another connection
plugin (e.g. mitogen_docker), but nothing turned up in the test suite.
I intend ot migrate other connection configuration to
`ansible_mitogen.transport_config.PlayContextSpec._connect_option()`, the next
candidate is the remote port.

fixes #1106
2 months ago
Alex Willmer 3bdd3e237a tests: Coverage of support for ansible_ssh_password variable 2 months ago
Alex Willmer 27214517a7 tests: Use a subprocess to check discovered python == running
This replaces the use of `os.path.realpath()` which gave incorrect results on
macOS - depending on the exact Python build, Python version, macOS version,
installation method, and phase of the moon.

realpath information kept around to aid debugging.
2 months ago
Alex Willmer c6c8bfb690 tests: Skip vanilla Ansible on Linux unpriviliged -> unprivileged become
CI containers lack the necessary `setfacl` command. This has not previously
been noticed because no vanilla Ansible jobs were being run on Linux, only on
macOS.

refs #1118
2 months ago
Alex Willmer 8b92e09655 ci: Extract container registry location into variables
Preperation for migrating from Azure DevOps with Amazon Elastic Container
Registry (AWS ECR), to GitHub Actions with GitHub Container Registry (GHCR).

DebOps tests are not currently being run, the updates to .ci/debops*.py are
best effort only.
2 months ago
Alex Willmer 0e7eefbc70 tests: Remove unused import 2 months ago
Alex Willmer b1fd6038bf ansible_mitogen: Remove Python 2.4 and 2.5 backward compatibility fallbacks
Because ansible_mitogen >= 0.3 supports Ansible >= 2.10 and Ansible 2.10
requires supports Python >= 2.7 on controllers and Python >= 2.6 on targets
these are dead weight.

See
- https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
- tox.ini
2 months ago
Alex Willmer c6cf08ab39 mitogen: Consolidate back compatibility fallbacks and polyfills in mitogen.core
This saves some bytes on the wire ad simplifies reasoning about the code.
2 months ago
Alex Willmer d032c591c2 tests: Retry container process check during teardown
I'm about 75% sure the check is an unavoidable race condition, see
https://github.com/mitogen-hq/mitogen/issues/694#issuecomment-2338001694. If
it occurs again, then reopen the issue.

Fixes #694
2 months ago
Alex Willmer 315204271e tests: Don't suppress output while testing unix Listener
It's not noisy, and it has been hiding an error I wasn't aware of.
2 months ago
Alex Willmer 598de81143 mitogen: Fix subprocess ResourceWarning
Python 3.x emits `ResourceWarning`s if certains resources aren't correctly
closed. Due to the way Mitogen has been terminating child processes this has
been occurring.

```
test_dev_tty_open_succeeds
(create_child_test.TtyCreateChildTest.test_dev_tty_open_succeeds) ...
/opt/hostedtoolcache/Python/3.12.5/x64/lib/python3.12/subprocess.py:1127:
ResourceWarning: subprocess 3313 is still running
  _warn("subprocess %s is still running" % self.pid,
ResourceWarning: Enable tracemalloc to get the object allocation traceback
ok
```

During garbage collection subprocess.Popen() objects emit
ResourceWarning("subprocess 123 is still running")
if proc.returncode hasn't been set. Typically calling proc.wait() does so,
once the sub-process has exited. Calling os.waitpid(proc.pid, 0) also waits
for the sub-process to exit, but it doesn't update proc.returncode, so the
ResourceWarning is still emitted.

This change exposes `subprocess.Popen` methods on
`mitogen.parent.PopenProcess`, so that the returncode can be set.

See https://gist.github.com/moreati/b8d157ff82cb15234bece4033accc5e5
2 months ago
Alex Willmer 7238403392 tests: Add missing logging import 2 months ago
Alex Willmer 7c92b8ef2b tests: Shutdown contexts on completion
This should terminate any child processes and connections.
2 months ago
Alex Willmer 7d9eebdb9a tests: Close file object in six_brokenpkg 2 months ago
Alex Willmer 79ed797bad tests: Test templating of ansible_ssh_common_args et al
refs #905
3 months ago
Alex Willmer f3097b5743 ci: Template Ansible test-targets inventory with Jinja2 3 months ago
Alex Willmer 46c9f772d8 tests: Simplify Ansible ssh password tests, test priority
This
- Removes the indirection of calling ansible in a sub-shell
- Includes vanilla Ansible, which was previously skipped
- Tests whether ansible_ssh_pass overrides ansible_password, as it should

As a one off I've the new tests against vanilla Ansible 2.10 through Ansible
10, to confirm the baseline priorities have remained unchanged all releases
currently supported by Mitogen 0.3.x.
3 months ago
Alex Willmer 5af6534a70 tests: Test AnsibleUnsafeText when copying files larger SMALL_FILE_LIMIT
The bug was fixed in a previous commit by Jonathan Rosser. This adds testing.
The bug is only triggered when the copy module is used inside a `with_items:`
loop and the destination filename has an extension. A `loop:` loop is not
sufficient.

refs #1110
3 months ago
Alex Willmer ce1accedbc tests: Refactor Ansible copy integration tests to be loop driven
This is in anticipation of #1110, which only exhibits inside a with_items:
loop. For this refactor `loop:` is used, to confirm the refactored tests are
still correct. A subsequent commit will change them to with_items.

The content of the files and their SHA1 checksums are unchanged.
3 months ago
Alex Willmer 5ab872f289 ansible_mitogen: Add regression test for ActionModuleMixin._remote_chmod()
Adapted from Jonathon's reproducer in #1087.
3 months ago
Alex Willmer 357fe38766 Ansible 10 (ansible-core 2.17) support
Notably
- Python 2.7 and 3.6 are no longer supported by Ansible on targets
- The yum module has been removed, and redirected to dnf
- _INTERPRETER_PYTHON_DISTRO_MAP has been neutered. Interpreter discovery
  always favours specific `python3.<x>` interpreters in decending version
  order, then generic `python3` or `python`.
- Add the ability for an action plugin to call self._execute_module(*,
  ignore_unknown_opts=True) to execute a module with options that may not be
  supported for the version being called.

https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_10.html
https://github.com/ansible-community/ansible-build-data/blob/main/10/CHANGELOG-v10.md
https://github.com/ansible/ansible/blob/stable-2.17/changelogs/CHANGELOG-v2.17.rst

fixes #1074, refs #1082

Co-authored-by: Claude Becker <becker@phys.ethz.ch>
3 months ago
Alex Willmer 85b1b4070a tests: Respect configured or detected Python more often
Relying on the virtualenv default or hardcoding "python" results in a Python
2.x virtualenv on some targets (e.g. debian10-test). This caused a failure
when testing with Ansible >= 10 (ansible-core >= 2.17), which have dropped
Python 2.x support.

refs #1074
3 months ago
Alex Willmer 863f923f14 tests: Bypass interpreter discovery on non-existant connection delegation targets
By setting ansible_python_interpreter for these fictious hosts we avoid
Ansible trying and failing to connect to them in a attempt to populate
ansible_facts.discovered_interpreter_python. This speeds up these tests by
avoiding a timeout.

It is also a necessary pre-requisite for Ansible 10 (ansible-core 2.17). In
that release no hardcoded fallback is used, failure to determine a valid
Python interpreter is a fatal error.

refs #1074
3 months ago
Alex Willmer 40695f413b ansible_mitogen: Respect ansible_facts.discovered_interpreter_python more
fixes #1097
3 months ago
Alex Willmer fe435bb7d0 CI: Workaround "No module named 'setuptools.command.test'"
Pip 72 was released yesterday (2024-07-28), dropping `setup.py test` support.
hdrhistogram 0.6.1 requires it to install.

For now constrain Pip to earlier releases, so our tests can be run.

refs #1090
4 months ago
Alex Willmer 924dbd6f0c CI: Migrate macOS integration tests to macOS 12, drop Python 2.7 jobs
macOS 11 is not longer an available runner on Azure Devops. The minimum is now
macOS 12. This runner does not have Python 2.7 installed, so running them
would require a custom install - which I'm declaring too much effort for too
little gain.

refs #1090
4 months ago
Alex Willmer f5a8840668 CI: Use archived RPMs on CentOS 8
CentOS 8 has reached EOL. Packages are no longer mirrored or maintained. A
historic snapshot of the packages is kept on vault.centos.org.

refs #1088, #1090
4 months ago
Alex Willmer 7079a07a15 tests: Fix duplicate local task executions
integration/ssh/timeouts.yml is noteworthy. It was an accidental N**2 in time
-  executing num hosts * num hosts tasks.
6 months ago
Alex Willmer 65c8a42c13 tests: Use same verbosity when re-executing Ansible inside a playbook 6 months ago
Alex Willmer 05d98e5b49 tests: Speed up ssh timeout tests 6 months ago
Alex Willmer 60f868290d
tests: Remove --limit when running Ansible localhost CI
Some tests were being incorrectly excluded. Including those that use
`add_host`.
refs #1066, #1069
7 months ago
Alex Willmer d2eefc06aa
tests: Add regression for add_host with host_key_checking
refs #1066
7 months ago
Alex Willmer 8c93973f98 tests: Use Android portal to check get_url
Should have higher uptime, and make us less of a burden. Refs #1058
7 months ago