The tasks in tests/imageprep/_user_accounts.yml that create users did not
specify a primary group for those users - this left the decision to Ansible's
user module, and/or the underlying OS. In Ansible 9+ (ansible-core 2.16+ the
user module defaults to primary group "staff." Earlier don't supply a default,
which releases probably results in a primary group nameed "None" (due to
stringifying the Python singleton of the same name), or whatever the macOS
Directory Services has for no data/NULL.
The invalid GID 4294967295 (MAX_UINT32 == 2**32-1) in the sudo error probably
enters the mix via something similar to sudo CVE-2019-14287.
Fixes#692
See
- https://github.com/ansible/ansible/pull/79999
- https://github.com/ansible/ansible/commit/c69c83c962f987c78af98da0746527df
- https://www.sudo.ws/security/advisories/minus_1_uid/
> Bruce Wayne : [confused] Am I meant to understand any of that?
> Lucius Fox : Not at all, I just wanted you to know how hard it was.
> -- Batman Begins
A few changes are bundled in this
- Ansible 2.10.x and Mitogen 0.3.x are used to build nearly all images
(Ansile 2.3.x is retained for CentOS 5, because it uses Python 2.4).
- Tox is used to install/run Ansible, replacing build_docker_images.py
- A static inventory, identifying containers by name rather than ID.
- debian-test image is renamed to debian9-test
- debian9-test image is now based on debian:9
- centos6-test image is now based on moreati/centos6-vault
following the same scheme as centos5-test.
- Images are now uploaded to Amazon Elastic Container Registry (ECR).
See #809.
- Debian recommended packages aren't installed (e.g. build-essential)
- Python 2.x and Python 3.x are installed wherever available.
- Python Virtualenv is installed wherever available.
Alex Willmer