Commit Graph

44 Commits (88eb64745e1a9ce6be67fb0f65fee35f7f43ad75)

Author SHA1 Message Date
Alex Willmer 3a1b5ec620 CI: Increase sshd MaxAuthRetries to 50 on macOS runners
refs #1186
3 weeks ago
Alex Willmer 8cfcb66cda CI: Refactor sshd configuration into a role
Prep for applying it to macOS 13 GitHub runners.

refs #1186
3 weeks ago
Alex Willmer 8a34b925a4 tests: Re-enable become/sudo tests, fix them on macOS runners
The tasks in tests/imageprep/_user_accounts.yml that create users did not
specify a primary group for those users - this left the decision to Ansible's
user module, and/or the underlying OS. In Ansible 9+ (ansible-core 2.16+ the
user module defaults to primary group "staff." Earlier don't supply a default,
which releases probably results in a primary group nameed "None" (due to
stringifying the Python singleton of the same name), or whatever the macOS
Directory Services has for no data/NULL.

The invalid GID 4294967295 (MAX_UINT32 == 2**32-1) in the sudo error probably
enters the mix via something similar to sudo CVE-2019-14287.

Fixes #692

See
- https://github.com/ansible/ansible/pull/79999
- https://github.com/ansible/ansible/commit/c69c83c962f987c78af98da0746527df
- https://www.sudo.ws/security/advisories/minus_1_uid/

> Bruce Wayne : [confused]  Am I meant to understand any of that?
> Lucius Fox : Not at all, I just wanted you to know how hard it was.
> -- Batman Begins
1 month ago
Alex Willmer 1773c9aba6 trivia: Fix trailing whitespace 2 months ago
Alex Willmer 8b92e09655 ci: Extract container registry location into variables
Preperation for migrating from Azure DevOps with Amazon Elastic Container
Registry (AWS ECR), to GitHub Actions with GitHub Container Registry (GHCR).

DebOps tests are not currently being run, the updates to .ci/debops*.py are
best effort only.
2 months ago
Alex Willmer 45c42d386a tests: Replace uses of ``include:``, unify skipping of mitogen only tests
The tag mitogen_only is only informational for now. It may be possible to use
it with ANSIBLE_SKIP_TAGS in the future.
8 months ago
Alex Willmer b822f20007 ansible_mitogen: Handle AnsibleUnsafeText et al in Ansible >= 7
Follwing fixes in Ansible 7-9 for CVE-2023-5764 cating `AnsibleUnsafeBytes` &
`AnsibleUnsafeText` to `bytes()` or `str()` requires special handling. The
handling is Ansible specific, so it shouldn't go in the mitogen package but
rather the ansible_mitogen package.

`ansible_mitogen.utils.unsafe.cast()` is most like `mitogen.utils.cast()`.
During development it began as `ansible_mitogen.utils.unsafe.unwrap_var()`,
closer to an inverse of `ansible.utils.unsafe_procy.wrap_var()`. Future
enhancements may move in this direction.

refs #977, refs #1046

See also
- https://github.com/advisories/GHSA-7j69-qfc3-2fq9
- https://github.com/ansible/ansible/pull/82293
- https://github.com/mitogen-hq/mitogen/wiki/AnsibleUnsafe-notes
8 months ago
Alex Willmer a6c89751f9 tests: Cleanup ansible-lint errors & warnings in user creation playbook
Task " Install slow profile for one account" removed because it duplicates
earlier work.
9 months ago
Alex Willmer 8b574f234d tests: Report Ansible controller parameters before image prep & user creation 9 months ago
Alex Willmer ac7505d624 tests: Add centos 8; debian 10, 11; ubuntu 16.04, 18.04, 20.04 test images 4 years ago
Alex Willmer 6bf58c3cfb tests: Don't add local user to Docker containers 4 years ago
Alex Willmer a8e8cf91cb tests: Rebuild Docker containers
A few changes are bundled in this
 - Ansible 2.10.x and Mitogen 0.3.x are used to build nearly all images
   (Ansile 2.3.x is retained for CentOS 5, because it uses Python 2.4).
 - Tox is used to install/run Ansible, replacing build_docker_images.py
 - A static inventory, identifying containers by name rather than ID.
 - debian-test image is renamed to debian9-test
 - debian9-test image is now based on debian:9
 - centos6-test image is now based on moreati/centos6-vault
   following the same scheme as centos5-test.
 - Images are now uploaded to Amazon Elastic Container Registry (ECR).
   See #809.
 - Debian recommended packages aren't installed (e.g. build-essential)
 - Python 2.x and Python 3.x are installed wherever available.
 - Python Virtualenv is installed wherever available.
4 years ago
Steven Robertson 72e6abf6db attempt at fixing 'sudo runas gid invalid value' since the sudo command looks correct 5 years ago
David Wilson e4321f81a0 issue #600: /etc/environment may be non-ASCII in an unknown encoding 5 years ago
David Wilson ebb4a7ca6a issue #543: dumb fix for file vs. stat :( 5 years ago
David Wilson f3915b5f40 issue #543: disable host key checking 5 years ago
David Wilson 0741876392 issue #543: Hide Mitogen test users from gdm 5 years ago
David Wilson 0e55bb3eb7 image_prep: ensure Mac users can SSH without manual intervention 5 years ago
David Wilson 501cfca82b issue #543: make localhost_ansible_tests run locally 5 years ago
David Wilson 87440ec6f7 [stream-refactor] Debian Docker container image initctl 5 years ago
David Wilson 2f950b3bda [stream-refactor] allow doas_test to succeed on CentOS
Unlike on Debian, some environment variables that tickle
getpass.getuser() are being inherited. So use getuid() instead.

Also install the doas binary on CentOS. CI was changed (I believe) to
shrink the configuration matrix, and now these tests run on CentOS too.
5 years ago
David Wilson f0065d76d8 [stream-refactor] add descriptive task names to _container_prep 5 years ago
David Wilson 4524f03a48 issue #271: add mitogen__permdenied user to Docker image. 5 years ago
David Wilson d8dc5420ce tests: install OpenBSD doas port in Debian image.
To allow fancy new improved doas_test.
5 years ago
David Wilson 60fe3fd6f5 issue #429: enable en_US locale to unbreak debops test. 6 years ago
David Wilson 7531af3ee0 issue #499: fix another mind-numbingly stupid vanilla inconsistency 6 years ago
David Wilson 960e505f07 issue #429: install i18n-related bits in test images. 6 years ago
David Wilson b0ec398755 issue #477: CentOS 5 image requires perl installed too. 6 years ago
David Wilson 9377fed96b issue #477: install simplejson for vanilla tests. 6 years ago
David Wilson d9efeb950a issue #477: import updated Python build scripts
Now using Docker to get correct libc.
6 years ago
David Wilson ffb1b842db issue #477: import build script for Python 2.4.6. 6 years ago
David Wilson 572db1a385 issue #477: build a CentOS 5/Py2.4 container + playbook compat fixes. 6 years ago
David Wilson b29c8eaf2a tests: allow passing -vvv to build_docker_images. 6 years ago
David Wilson 816da64df5 tests: show task args in image_prep 6 years ago
David Wilson 174b685d16 tests: CentOS 6 lacks %wheel in sudo by default. 6 years ago
David Wilson d1b7c232bf tests: image_prep needs sudo 6 years ago
David Wilson e45e5d3e06 tests: Document Python versions in build_docker_images.py 6 years ago
David Wilson 6dddef0c45 Make image_prep work on Ubuntu. 6 years ago
David Wilson 3113bf6228 tests: fix debops tests (py-apt broken if /var/lbi/apt missing) 6 years ago
David Wilson 06ae59702c tests: rationalize matrix and rewrite ansible_tests
Now all distros run in parallel.
6 years ago
David Wilson d39efd9f54 tests: add new users for conndel tests. 6 years ago
David Wilson e48e32cd0c tests: image_prep fixes. 6 years ago
David Wilson e1306bb03d tests: build Docker images in parallel 6 years ago
David Wilson a192935daf tests: merge build_docker_images.py with osx_setup.yml
Hooray!
6 years ago