Merge pull request #1366 from moreati/release-v0.3.32

Release v0.3.32

.ci/ci_lib.py

@@ -34,12 +34,12 @@ ANSIBLE_TESTS_HOSTS_DIR = os.path.join(GIT_ROOT, 'tests/ansible/hosts')
 ANSIBLE_TESTS_TEMPLATES_DIR = os.path.join(GIT_ROOT, 'tests/ansible/templates')
 DISTRO_SPECS = os.environ.get(
     'MITOGEN_TEST_DISTRO_SPECS',
-    'alma9-py3 centos5 centos8-py3 debian9 debian12-py3 ubuntu1604 ubuntu2404-py3',
+    'centos6 centos8 debian9 debian11 ubuntu1604 ubuntu2004',
 )
 IMAGE_PREP_DIR = os.path.join(GIT_ROOT, 'tests/image_prep')
 IMAGE_TEMPLATE = os.environ.get(
     'MITOGEN_TEST_IMAGE_TEMPLATE',
-    'ghcr.io/mitogen-hq/%(distro)s-test:2025.02',
+    'ghcr.io/mitogen-hq/%(distro)s-test:2021',
 )
 SUDOERS_DEFAULTS_SRC = './tests/image_prep/files/sudoers_defaults'
 SUDOERS_DEFAULTS_DEST = '/etc/sudoers.d/mitogen_test_defaults'
@@ -156,15 +156,7 @@ def run_batches(batches):
         subprocess.Popen(combine(batch), shell=True)
         for batch in batches
     ]
-    for proc in procs:
+    assert [proc.wait() for proc in procs] == [0] * len(procs)
-        proc.wait()
-        if proc.returncode:
-            print(
-                'proc: pid=%i rc=%i args=%r'
-                % (proc.pid, proc.returncode, proc.args),
-                file=sys.stderr, flush=True,
-            )
-    assert [proc.returncode for proc in procs] == [0] * len(procs)
 
 
 def get_output(s, *args, **kwargs):
@@ -239,7 +231,7 @@ def container_specs(
     [{'distro': 'debian11',
       'family': 'debian',
       'hostname': 'localhost',
-      'image': 'ghcr.io/mitogen-hq/debian11-test:2025.02',
+      'image': 'ghcr.io/mitogen-hq/debian11-test:2021',
       'index': 1,
       'name': 'target-debian11-1',
       'port': 2201,
@@ -247,7 +239,7 @@ def container_specs(
      {'distro': 'centos6',
       'family': 'centos',
       'hostname': 'localhost',
-      'image': 'ghcr.io/mitogen-hq/centos6-test:2025.02',
+      'image': 'ghcr.io/mitogen-hq/centos6-test:2021',
       'index': 2,
       'name': 'target-centos6-2',
       'port': 2202,

.github/workflows/tests.yml

@@ -101,21 +101,21 @@ jobs:
           - tox_env: py313-m_ans-ans8
             python_version: '3.13'
           - tox_env: py314-m_ans-ans9
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
           - tox_env: py314-m_ans-ans10
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
           - tox_env: py314-m_ans-ans11
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
           - tox_env: py314-m_ans-ans12
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
-          - tox_env: py314-m_ans-ans13
-            python_version: '3.14'
 
-          - tox_env: py314-m_ans-ans13-s_lin
+          - tox_env: py314-m_ans-ans11-s_lin
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
+          - tox_env: py314-m_ans-ans12-s_lin
+            python_version: '3.14.0-rc.3'
 
           - tox_env: py314-m_mtg
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
 
     steps:
       - uses: actions/checkout@v4
@@ -153,21 +153,27 @@ jobs:
 
   macos:
     name: macos ${{ matrix.tox_env }}
-    # https://github.com/actions/runner-images/blob/main/images/macos/macos-15-Readme.md
+    # https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md
-    runs-on: macos-15
+    runs-on: macos-13
     timeout-minutes: 15
 
     strategy:
       fail-fast: false
       matrix:
         include:
-          - tox_env: py314-m_lcl-ans13
+          - tox_env: py314-m_lcl-ans11
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
-          - tox_env: py314-m_lcl-ans13-s_lin
+            sshpass_version: "1.10"
-            python_version: '3.14'
+          - tox_env: py314-m_lcl-ans11-s_lin
+            python_version: '3.14.0-rc.3'
+            sshpass_version: "1.10"
+          - tox_env: py314-m_lcl-ans12
+            python_version: '3.14.0-rc.3'
+          - tox_env: py314-m_lcl-ans12-s_lin
+            python_version: '3.14.0-rc.3'
 
           - tox_env: py314-m_mtg
-            python_version: '3.14'
+            python_version: '3.14.0-rc.3'
 
     steps:
       - uses: actions/checkout@v4

.gitignore

@@ -13,7 +13,6 @@ build/
 dist/
 extra/
 tests/ansible/.*.pid
-tests/image_prep/logs
 docs/_build/
 htmlcov/
 *.egg-info

ansible_mitogen/mixins.py

@@ -470,7 +470,18 @@ class ActionModuleMixin(ansible.plugins.action.ActionBase):
         # chicken-and-egg issue, mitogen needs a python to run low_level_execute_command
         # which is required by Ansible's discover_interpreter function
         if self._mitogen_discovering_interpreter:
-            possible_pythons = self._mitogen_interpreter_candidates
+            possible_pythons = [
+                '/usr/bin/python',
+                'python3',
+                'python3.7',
+                'python3.6',
+                'python3.5',
+                'python2.7',
+                'python2.6',
+                '/usr/libexec/platform-python',
+                '/usr/bin/python3',
+                'python'
+            ]
         else:
             # not used, just adding a filler value
             possible_pythons = ['python']
@@ -481,15 +492,12 @@ class ActionModuleMixin(ansible.plugins.action.ActionBase):
                 rc, stdout, stderr = self._connection.exec_command(
                     cmd, in_data, sudoable, mitogen_chdir=chdir,
                 )
-            except BaseException as exc:
+            # TODO: what exception is thrown?
+            except:
                 # we've reached the last python attempted and failed
                 if possible_python == possible_pythons[-1]:
                     raise
                 else:
-                    LOG.debug(
-                        '%r._low_level_execute_command: candidate=%r ignored: %s, %r',
-                        self, possible_python, type(exc), exc,
-                    )
                     continue
 
         stdout_text = to_text(stdout, errors=encoding_errors)

ansible_mitogen/target.py

@@ -40,6 +40,7 @@ import errno
 import grp
 import json
 import logging
+import operator
 import os
 import pty
 import pwd
@@ -65,6 +66,8 @@ if not sys.modules.get(str('__main__')):
 
 import ansible.module_utils.json_utils
 
+from ansible.module_utils.six.moves import reduce
+
 import ansible_mitogen.runner
 
 
@@ -715,9 +718,7 @@ def apply_mode_spec(spec, mode):
             mask = CHMOD_MASKS[ch]
             bits = CHMOD_BITS[ch]
             cur_perm_bits = mode & mask
-            new_perm_bits = 0
+            new_perm_bits = reduce(operator.or_, (bits[p] for p in perms), 0)
-            for perm in perms:
-                new_perm_bits |= bits[perm]
             mode &= ~mask
             if op == '=':
                 mode |= new_perm_bits

ansible_mitogen/transport_config.py

@@ -73,21 +73,13 @@ import ansible.utils.unsafe_proxy
 from ansible.module_utils.six import with_metaclass
 from ansible.module_utils.parsing.convert_bool import boolean
 
-import ansible_mitogen.utils
 import mitogen.core
 
 
 LOG = logging.getLogger(__name__)
 
-if ansible_mitogen.utils.ansible_version[:2] >= (2, 19):
-    _FALLBACK_INTERPRETER = ansible.executor.interpreter_discovery._FALLBACK_INTERPRETER
-elif ansible_mitogen.utils.ansible_version[:2] >= (2, 17):
-    _FALLBACK_INTERPRETER = u'/usr/bin/python3'
-else:
-    _FALLBACK_INTERPRETER = u'/usr/bin/python'
 
-
+def run_interpreter_discovery_if_necessary(s, task_vars, action, rediscover_python):
-def run_interpreter_discovery_if_necessary(s, candidates, task_vars, action, rediscover_python):
     """
     Triggers ansible python interpreter discovery if requested.
     Caches this value the same way Ansible does it.
@@ -115,11 +107,8 @@ def run_interpreter_discovery_if_necessary(s, candidates, task_vars, action, red
             # blow away the discovered_interpreter_config cache and rediscover
             del task_vars['ansible_facts'][discovered_interpreter_config]
 
-        try:
+        if discovered_interpreter_config not in task_vars['ansible_facts']:
-            s = task_vars[u'ansible_facts'][discovered_interpreter_config]
-        except KeyError:
             action._mitogen_discovering_interpreter = True
-            action._mitogen_interpreter_candidates = candidates
             # fake pipelining so discover_interpreter can be happy
             action._connection.has_pipelining = True
             s = ansible.executor.interpreter_discovery.discover_interpreter(
@@ -132,17 +121,18 @@ def run_interpreter_discovery_if_necessary(s, candidates, task_vars, action, red
             # cache discovered interpreter
             task_vars['ansible_facts'][discovered_interpreter_config] = s
             action._connection.has_pipelining = False
+        else:
+            s = task_vars['ansible_facts'][discovered_interpreter_config]
 
         # propagate discovered interpreter as fact
         action._discovered_interpreter_key = discovered_interpreter_config
         action._discovered_interpreter = s
 
     action._mitogen_discovering_interpreter = False
-    action._mitogen_interpreter_candidates = None
     return s
 
 
-def parse_python_path(s, candidates, task_vars, action, rediscover_python):
+def parse_python_path(s, task_vars, action, rediscover_python):
     """
     Given the string set for ansible_python_interpeter, parse it using shell
     syntax and return an appropriate argument vector. If the value detected is
@@ -153,9 +143,10 @@ def parse_python_path(s, candidates, task_vars, action, rediscover_python):
         # if python_path doesn't exist, default to `auto` and attempt to discover it
         s = 'auto'
 
-    s = run_interpreter_discovery_if_necessary(s, candidates, task_vars, action, rediscover_python)
+    s = run_interpreter_discovery_if_necessary(s, task_vars, action, rediscover_python)
+    # if unable to determine python_path, fallback to '/usr/bin/python'
     if not s:
-        s = _FALLBACK_INTERPRETER
+        s = '/usr/bin/python'
 
     return ansible.utils.shlex.shlex_split(s)
 
@@ -519,9 +510,6 @@ class PlayContextSpec(Spec):
         interpreter_python = C.config.get_config_value(
             'INTERPRETER_PYTHON', variables=variables,
         )
-        interpreter_python_fallback = C.config.get_config_value(
-            'INTERPRETER_PYTHON_FALLBACK', variables=variables,
-        )
 
         if '{{' in interpreter_python or '{%' in interpreter_python:
             templar = self._connection.templar
@@ -529,7 +517,6 @@ class PlayContextSpec(Spec):
 
         return parse_python_path(
             interpreter_python,
-            candidates=interpreter_python_fallback,
             task_vars=self._task_vars,
             action=self._action,
             rediscover_python=rediscover_python)
@@ -745,12 +732,11 @@ class MitogenViaSpec(Spec):
 
     def python_path(self, rediscover_python=False):
         s = self._host_vars.get('ansible_python_interpreter')
-        interpreter_python_fallback = self._host_vars.get(
+        # #511, #536: executor/module_common.py::_get_shebang() hard-wires
-            'ansible_interpreter_python_fallback', [],
+        # "/usr/bin/python" as the default interpreter path if no other
-        )
+        # interpreter is specified.
         return parse_python_path(
             s,
-            candidates=interpreter_python_fallback,
             task_vars=self._task_vars,
             action=self._action,
             rediscover_python=rediscover_python)

docs/ansible_detailed.rst

@@ -145,8 +145,6 @@ Noteworthy Differences
   +-----------------+ 3.11 - 3.14     |
   | 12              |                 |
   +-----------------+-----------------+
-  | 13              | 3.12 - 3.14     |
-  +-----------------+-----------------+
 
   Verify your installation is running one of these versions by checking
   ``ansible --version`` output.

docs/changelog.rst

@@ -18,46 +18,6 @@ To avail of fixes in an unreleased version, please download a ZIP file
 `directly from GitHub <https://github.com/mitogen-hq/mitogen/>`_.
 
 
-In progress (unreleased)
-------------------------
-
-* :gh:issue:`1237` :mod:`mitogen`: Re-declare Python 2.4 compatibility
-* :gh:issue:`1385` :mod:`ansible_mitogen`: Remove a use of
-  ``ansible.module_utils.six``
-* :gh:issue:`1354` docs: Document Ansible 13 (ansible-core 2.20) support
-* :gh:issue:`1354` :mod:`mitogen`: Clarify error message when a module
-  request would be refused by allow or deny listing
-
-
-v0.3.35 (2025-12-01)
---------------------
-
-* :gh:issue:`1132` :mod:`ansible_mitogen` During intrepreter discovery use
-  Ansible ``INTERPRETER_PYTHON_FALLBACK`` config as list of candidates
-
-
-v0.3.34 (2025-11-27)
---------------------
-
-* :gh:issue:`1118` CI: Use 2025.02 test images, keeping same OS releases
-* :gh:issue:`1358` CI: Bump deprecated macOS 13 runner to macOS 15
-* :gh:issue:`1118` CI: Add OS release coverage: AlmaLinux 9
-* :gh:issue:`1118` CI: Add OS release coverage: CentOS 5
-* :gh:issue:`1118` CI: Add OS release coverage: Debian 12
-* :gh:issue:`1118` CI: Add OS release coverage: Ubuntu 22.04, Ubuntu 24.04
-* :gh:issue:`1124` :mod:`mitogen`: Log why a module is sent or not sent by
-  :class:`mitogen.master.ModuleResponder`
-* :gh:issue:`1124` :mod:`ansible_mitogen`: Speedup startup by not sending
-  ``__main__`` as a related module
-
-
-v0.3.33 (2025-11-22)
---------------------
-
-* :gh:issue:`1354` :mod:`ansible_mitogen`: ansible_mitogen: Ansible 13
-  (ansible-core 2.20) support
-
-
 v0.3.32 (2025-11-21)
 --------------------
 
@@ -448,7 +408,7 @@ v0.3.1 (unreleased)
 * :gh:issue:`878` Kubectl connector fixed with Ansible 2.10 and above
 
 
-v0.3.0 (2021-11-24)
+v0.3.0 (2021-10-28)
 -------------------
 
 This release separates itself from the v0.2.X releases. Ansible's API changed too much to support backwards compatibility so from now on, v0.2.X releases will be for Ansible < 2.10 and v0.3.X will be for Ansible 2.10+.
@@ -461,7 +421,7 @@ This release separates itself from the v0.2.X releases. Ansible's API changed to
 * :gh:issue:`847` Removed historic Continuous Integration reverse shell
 
 
-v0.2.10 (2021-11-24)
+v0.2.10 (2021-10-28)
 --------------------
 
 * :gh:issue:`597` mitogen does not support Ansible 2.8 Python interpreter detection
@@ -476,6 +436,7 @@ v0.2.10 (2021-11-24)
   :py:meth:`ansible.plugins.callback.CallbackBase.v2_runner_on_start`
 * :gh:issue:`775` Test with Python 3.9
 * :gh:issue:`775` Add msvcrt to the default module deny list
+* :gh:issue:`847` Removed historic Continuous Integration reverse shell
 
 
 v0.2.9 (2019-11-02)

docs/index.rst

@@ -332,16 +332,12 @@ a large fleet of machines, or to alert the parent of unexpected state changes.
 Compatibility
 #############
 
-``mitogen.*`` is compatible with Python 2.4 - 2.7 and 3.6 onward; making it
+Mitogen is compatible with **Python 2.4** released November 2004, making it
 suitable for managing a fleet of potentially ancient corporate hardware, such
 as Red Hat Enterprise Linux 5, released in 2007.
 
-Every combination of Python 3.x/2.x parent and child should be possible.
+Every combination of Python 3.x/2.x parent and child should be possible,
-Automated testing cannot cover every combination, automated testing tries to
+however at present only Python 2.4, 2.6, 2.7 and 3.6 are tested automatically.
-cover the extemities (e.g. Python 3.14 parent -> Python 2.4 child).
-
-``ansible_mitogen.*`` is compatible with Python 2.7 and 3.6 onward; making it
-suitable for Ansible 2.10 onward.
 
 
 Zero Dependencies

docs/svg-boxify.py

@@ -0,0 +1,13 @@
+
+# Add viewBox attr to SVGs lacking it, so IE scales properly.
+
+import lxml.etree
+import glob
+
+
+for name in glob.glob('images/*.svg') + glob.glob('images/ansible/*.svg'):
+    doc = lxml.etree.parse(open(name))
+    svg = doc.getroot()
+    if 'viewBox' not in svg.attrib:
+        svg.attrib['viewBox'] = '0 0 %(width)s %(height)s' % svg.attrib
+        open(name, 'w').write(lxml.etree.tostring(svg, xml_declaration=True, encoding='UTF-8'))

mitogen/__init__.py

@@ -35,7 +35,7 @@ be expected. On the slave, it is built dynamically during startup.
 
 
 #: Library version as a tuple.
-__version__ = (0, 3, 36, 'dev')
+__version__ = (0, 3, 32)
 
 
 #: This is :data:`False` in slave contexts. Previously it was used to prevent

mitogen/core.py

@@ -541,7 +541,6 @@ def is_blacklisted_import(importer, fullname):
     any packages have been whitelisted and `fullname` is not part of one.
 
     NB:
-      - The default whitelist is `['']` which matches any module name.
       - If a package is on both lists, then it is treated as blacklisted.
       - If any package is whitelisted, then all non-whitelisted packages are
         treated as blacklisted.
@@ -1537,8 +1536,9 @@ class Importer(object):
         return importlib.machinery.ModuleSpec(fullname, loader=self)
 
     blacklisted_msg = (
-        'A %r request would be refused by the Mitogen master. The module is '
+        '%r is present in the Mitogen importer blacklist, therefore this '
-        'on the deny list (blacklist) or not on the allow list (whitelist).'
+        'context will not attempt to request it from the master, as the '
+        'request will always be refused.'
     )
     pkg_resources_msg = (
         'pkg_resources is prohibited from importing __main__, as it causes '

mitogen/master.py

@@ -843,12 +843,6 @@ class ModuleFinder(object):
     related modules likely needed by a child context requesting the original
     module.
     """
-
-    # Fullnames of modules that should not be sent as a related module
-    _related_modules_denylist = frozenset({
-        '__main__',
-    })
-
     def __init__(self):
         #: Import machinery is expensive, keep :py:meth`:get_module_source`
         #: results around.
@@ -937,34 +931,6 @@ class ModuleFinder(object):
             fullname, _, _ = str_rpartition(to_text(fullname), u'.')
             yield fullname
 
-    def _reject_related_module(self, requested_fullname, related_fullname):
-        def _log_reject(reason):
-            LOG.debug(
-                '%r: Rejected related module %s of requested module %s: %s',
-                self, related_fullname, requested_fullname, reason,
-            )
-            return reason
-
-        try:
-            related_module = sys.modules[related_fullname]
-        except KeyError:
-            return _log_reject('sys.modules entry absent')
-
-        # Python 2.x "indirection entry"
-        if related_module is None:
-            return _log_reject('sys.modules entry is None')
-
-        if is_stdlib_name(related_fullname):
-            return _log_reject('stdlib module')
-
-        if 'six.moves' in related_fullname:
-            return _log_reject('six.moves avoidence')
-
-        if related_fullname in self._related_modules_denylist:
-            return _log_reject('on denylist')
-
-        return False
-
     def find_related_imports(self, fullname):
         """
         Return a list of non-stdlib modules that are directly imported by
@@ -1007,7 +973,9 @@ class ModuleFinder(object):
             set(
                 mitogen.core.to_text(name)
                 for name in maybe_names
-                if not self._reject_related_module(fullname, name)
+                if sys.modules.get(name) is not None
+                and not is_stdlib_name(name)
+                and u'six.moves' not in name  # TODO: crap
             )
         ))
 
@@ -1170,7 +1138,7 @@ class ModuleResponder(object):
         self._cache[fullname] = tup
         return tup
 
-    def _send_load_module(self, stream, fullname, reason):
+    def _send_load_module(self, stream, fullname):
         if fullname not in stream.protocol.sent_modules:
             tup = self._build_tuple(fullname)
             msg = mitogen.core.Message.pickled(
@@ -1178,10 +1146,8 @@ class ModuleResponder(object):
                 dst_id=stream.protocol.remote_id,
                 handle=mitogen.core.LOAD_MODULE,
             )
-            self._log.debug(
+            self._log.debug('sending %s (%.2f KiB) to %s',
-                'sending %s %s (%.2f KiB) to %s',
+                            fullname, len(msg.data) / 1024.0, stream.name)
-                reason, fullname, len(msg.data) / 1024.0, stream.name,
-            )
             self._router._async_route(msg)
             stream.protocol.sent_modules.add(fullname)
             if tup[2] is not None:
@@ -1212,8 +1178,8 @@ class ModuleResponder(object):
                     # Parent hasn't been sent, so don't load submodule yet.
                     continue
 
-                self._send_load_module(stream, name, 'related')
+                self._send_load_module(stream, name)
-            self._send_load_module(stream, fullname, 'requested')
+            self._send_load_module(stream, fullname)
         except Exception:
             LOG.debug('While importing %r', fullname, exc_info=True)
             self._send_module_load_failed(stream, fullname)

setup.py

@@ -82,7 +82,7 @@ setup(
     license = 'BSD-3-Clause',
     url = 'https://github.com/mitogen-hq/mitogen/',
     packages = find_packages(exclude=['tests', 'examples']),
-    python_requires='>=2.4, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
     zip_safe = False,
     classifiers = [
         'Environment :: Console',
@@ -91,9 +91,6 @@ setup(
         'Operating System :: MacOS :: MacOS X',
         'Operating System :: POSIX',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 2.4',
-        'Programming Language :: Python :: 2.5',
-        'Programming Language :: Python :: 2.6',
         'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',

tests/ansible/ansible.cfg

@@ -76,7 +76,6 @@ ssh_args =
     -o ControlPersist=60s
     -o ForwardAgent=yes
     -o HostKeyAlgorithms=+ssh-rsa
-    -o KexAlgorithms=+diffie-hellman-group1-sha1
     -o PubkeyAcceptedKeyTypes=+ssh-rsa
     -o UserKnownHostsFile=/dev/null
 pipelining = True

tests/ansible/hosts/group_vars/all.yml

@@ -6,7 +6,6 @@
 ansible_version_major_minor: "{{ ansible_version.major }}.{{ ansible_version.minor }}"
 ansible_version_major_minor_patch: "{{ ansible_version.major }}.{{ ansible_version.minor }}.{{ ansible_version.revision | regex_search('^[0-9]+') }}"
 
-become_doas_available: false
 become_unpriv_available: >-
   {#
     Vanilla Ansible >= 4 (ansible-core >= 2.11) can use `setfacl` for
@@ -35,11 +34,3 @@ become_unpriv_available: >-
   -}}
 
 pkg_mgr_python_interpreter: python
-
-virtualenv_create_argv:
-  - virtualenv
-  - -p
-  - "{{ virtualenv_python }}"
-  - "{{ virtualenv_path }}"
-virtualenv_path: /path/intentionally/left/invalid
-virtualenv_python: /path/intentionally/left/invalid

tests/ansible/hosts/group_vars/alma9.yml

@@ -1,8 +0,0 @@
-pkg_mgr_python_interpreter: python3
-
-# Alma Linux 9, RHEL 9, etc. lack a virtualenv package
-virtualenv_create_argv:
-  - "{{ virtualenv_python }}"
-  - -m
-  - venv
-  - "{{ virtualenv_path }}"

tests/ansible/hosts/group_vars/debian11.yml

@@ -1,4 +1,3 @@
-become_doas_available: true
 package_manager_keys:
   - src: debian-archive-bullseye-automatic.gpg  # Debian 11
     dest: /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg

tests/ansible/hosts/group_vars/debian12.yml

@@ -1,2 +0,0 @@
-become_doas_available: true
-pkg_mgr_python_interpreter: python3

tests/ansible/hosts/group_vars/debian9.yml

@@ -1,6 +1,4 @@
 package_manager_repos:
   - dest: /etc/apt/sources.list
     content: |
-      deb http://archive.debian.org/debian/ stretch main contrib non-free
+      deb http://archive.debian.org/debian stretch main contrib non-free
-      deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
-      deb http://archive.debian.org/debian-security stretch/updates main contrib non-free

tests/ansible/hosts/group_vars/ubuntu2204.yml

@@ -1,2 +0,0 @@
-become_doas_available: true
-pkg_mgr_python_interpreter: python3

tests/ansible/hosts/group_vars/ubuntu2404.yml

@@ -1,2 +0,0 @@
-become_doas_available: true
-pkg_mgr_python_interpreter: python3

tests/ansible/integration/become/doas.yml

@@ -15,16 +15,12 @@
       changed_when: false
       check_mode: false
       register: doas_default_user
-      when:
-        - become_doas_available
 
     - assert:
         that:
           - doas_default_user.stdout == 'root'
         fail_msg:
           doas_default_user={{ doas_default_user }}
-      when:
-        - become_doas_available
 
     - name: Test doas -> mitogen__user1
       become: true
@@ -34,7 +30,6 @@
       check_mode: false
       register: doas_mitogen__user1
       when:
-        - become_doas_available
         - become_unpriv_available
 
     - assert:
@@ -43,7 +38,6 @@
         fail_msg:
           doas_mitogen__user1={{ doas_mitogen__user1 }}
       when:
-        - become_doas_available
         - become_unpriv_available
   tags:
     - doas
@@ -67,16 +61,12 @@
       changed_when: false
       check_mode: false
       register: fq_doas_default_user
-      when:
-        - become_doas_available
 
     - assert:
         that:
           - fq_doas_default_user.stdout == 'root'
         fail_msg:
           fq_doas_default_user={{ fq_doas_default_user }}
-      when:
-        - become_doas_available
 
     - name: Test community.general.doas -> mitogen__user1
       become: true
@@ -86,7 +76,6 @@
       check_mode: false
       register: fq_doas_mitogen__user1
       when:
-        - become_doas_available
         - become_unpriv_available
 
     - assert:
@@ -95,7 +84,6 @@
         fail_msg:
           fq_doas_mitogen__user1={{ fq_doas_mitogen__user1 }}
       when:
-        - become_doas_available
         - become_unpriv_available
   tags:
     - doas

tests/ansible/integration/connection_delegation/delegate_to_template.yml

@@ -47,7 +47,6 @@
                 -o, ControlPersist=60s,
                 -o, ForwardAgent=yes,
                 -o, HostKeyAlgorithms=+ssh-rsa,
-                -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                 -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                 -o, UserKnownHostsFile=/dev/null,
               ],
@@ -76,7 +75,6 @@
                 -o, ControlPersist=60s,
                 -o, ForwardAgent=yes,
                 -o, HostKeyAlgorithms=+ssh-rsa,
-                -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                 -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                 -o, UserKnownHostsFile=/dev/null,
               ],

tests/ansible/integration/connection_delegation/stack_construction.yml

@@ -84,7 +84,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -129,7 +128,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -185,7 +183,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -230,7 +227,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -259,7 +255,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -314,7 +309,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -360,7 +354,6 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
-                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],

tests/ansible/integration/interpreter_discovery/ansible_2_8_tests.yml

@@ -1,20 +1,58 @@
 # ripped and ported from https://github.com/ansible/ansible/pull/50163/files, when interpreter discovery was added to ansible
 ---
-- name: integration/interpreter_discovery/ansible_2_8_tests.yml, baseline
-  hosts: test-targets
-  strategy: linear
-  tasks:
-    - meta: clear_facts
-    - name: Discover interpreter, linear, auto
-      vars:
-        ansible_python_interpreter: auto
-      ping:
-      register: linear_auto_result
-
 
 - name: integration/interpreter_discovery/ansible_2_8_tests.yml
   hosts: test-targets
   gather_facts: true
+  vars:
+    DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_lt_2_12:
+      centos:
+        '6': /usr/bin/python
+        '7': /usr/bin/python
+        '8': /usr/libexec/platform-python
+      debian:
+        '9': /usr/bin/python
+        '10': /usr/bin/python3
+        '11': /usr/bin/python
+        'NA': /usr/bin/python  # Debian 11, Ansible <= 7 (ansible-core <= 2.14)
+        'bullseye/sid': /usr/bin/python  # Debian 11, Ansible 8 - 9 (ansible-core 2.15 - 2.16)
+      ubuntu:
+        '16': /usr/bin/python3
+        '18': /usr/bin/python3
+        '20': /usr/bin/python3
+
+    DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_2_12_to_2_16:
+      centos:
+        '6': /usr/bin/python
+        '7': /usr/bin/python
+        '8': /usr/libexec/platform-python
+      debian:
+        '9': /usr/bin/python
+        '10': /usr/bin/python3
+        '11': /usr/bin/python3.9
+        'NA': /usr/bin/python3.9  # Debian 11, Ansible <= 7 (ansible-core <= 2.14)
+        'bullseye/sid': /usr/bin/python3.9  # Debian 11, Ansible 8 - 9 (ansible-core 2.15 - 2.16)
+      ubuntu:
+        '16': /usr/bin/python3
+        '18': /usr/bin/python3
+        '20': /usr/bin/python3
+
+    DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_ge_2_17:
+      debian:
+        '10': /usr/bin/python3.7
+        '11': /usr/bin/python3.9
+        'bullseye/sid': /usr/bin/python3.9
+      ubuntu:
+        '20': /usr/bin/python3.8
+
+    discovered_interpreter_expected: >-
+      {%- if ansible_version_major_minor is version('2.12', '<', strict=True) -%}
+      {{ DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_lt_2_12[distro][distro_major] }}
+      {%- elif ansible_version_major_minor is version('2.17', '<', strict=True) -%}
+      {{ DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_2_12_to_2_16[distro][distro_major] }}
+      {%- else -%}
+      {{ DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_ge_2_17[distro][distro_major] }}
+      {%- endif -%}
   tasks:
     - name: can only run these tests on ansible >= 2.8.0
       block:
@@ -27,6 +65,12 @@
             fail_msg: "'ansible_python_interpreter' appears to be set at a high precedence to {{ ansible_python_interpreter }},
                       which breaks this test."
 
+        - name: snag some facts to validate for later
+          set_fact:
+            distro: '{{ ansible_facts.distribution | lower }}'
+            distro_major: '{{ ansible_facts.distribution_major_version }}'
+            system: '{{ ansible_facts.system }}'
+
         - name: test that python discovery is working and that fact persistence makes it only run once
           block:
           - name: clear facts to force interpreter discovery to run
@@ -171,10 +215,16 @@
           - name: Check discovered interpreter matches expected
             assert:
               that:
-                - auto_out.ansible_facts.discovered_interpreter_python == linear_auto_result.ansible_facts.discovered_interpreter_python
+                - auto_out.ansible_facts.discovered_interpreter_python == discovered_interpreter_expected
               fail_msg: |
+                distro={{ distro }}
+                distro_major= {{ distro_major }}
+                system={{ system }}
                 auto_out={{ auto_out }}
-                linear_auto_result={{ linear_auto_result }}
+                discovered_interpreter_expected={{ discovered_interpreter_expected }}
+                ansible_version.full={{ ansible_version.full }}
+            when:
+              - system in ['Linux']
 
           always:
           - meta: clear_facts

tests/ansible/integration/process/unix_socket_cleanup.yml

@@ -14,7 +14,7 @@
       ANSIBLE_CALLBACK_RESULT_FORMAT=json
       ANSIBLE_LOAD_CALLBACK_PLUGINS=false
       ANSIBLE_STRATEGY=mitogen_linear
-      ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+      ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
       ANSIBLE_VERBOSITY="{{ ansible_verbosity }}"
       ansible -m shell -c local -a whoami
       {% for inv in ansible_inventory_sources %}

tests/ansible/integration/ssh/password.yml

@@ -35,7 +35,7 @@
             ssh_no_password_result.msg is search('SSH password was requested, but none specified')
             or ssh_no_password_result.msg is search('SSH password is incorrect')
             or ssh_no_password_result.msg is search('Invalid/incorrect password')
-            or ssh_no_password_result.msg is search('Permission denied \(publickey(,gssapi-keyex)?(,gssapi-with-mic)?,password(,keyboard-interactive)?\)')
+            or ssh_no_password_result.msg is search('Permission denied \(publickey,password(,keyboard-interactive)?\)')
         fail_msg: |
           ssh_no_password_result={{ ssh_no_password_result }}
 
@@ -72,6 +72,6 @@
           - >-
             ssh_wrong_password_result.msg is search('SSH password is incorrect')
             or ssh_wrong_password_result.msg is search('Invalid/incorrect password')
-            or ssh_no_password_result.msg is search('Permission denied \(publickey(,gssapi-keyex)?(,gssapi-with-mic)?,password(,keyboard-interactive)?\)')
+            or ssh_wrong_password_result.msg is search('Permission denied \(publickey,password(,keyboard-interactive)?\)')
         fail_msg: |
           ssh_wrong_password_result={{ ssh_wrong_password_result }}

tests/ansible/integration/ssh/variables.yml

@@ -22,7 +22,7 @@
         ANSIBLE_CALLBACK_RESULT_FORMAT=json
         ANSIBLE_LOAD_CALLBACK_PLUGINS=false
         ANSIBLE_STRATEGY=mitogen_linear
-        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
         ANSIBLE_VERBOSITY="{{ ansible_verbosity }}"
         ansible -m shell -a whoami
         {% for inv in ansible_inventory_sources %}
@@ -42,7 +42,7 @@
         ANSIBLE_CALLBACK_RESULT_FORMAT=json
         ANSIBLE_LOAD_CALLBACK_PLUGINS=false
         ANSIBLE_STRATEGY=mitogen_linear
-        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
         ANSIBLE_VERBOSITY="{{ ansible_verbosity }}"
         ansible -m shell -a whoami
         {% for inv in ansible_inventory_sources %}

tests/ansible/regression/issue_122__environment_difference.yml

@@ -8,12 +8,9 @@
 - name: regression/issue_122__environment_difference.yml
   hosts: test-targets
   tasks:
-    - name: Run print_env.py
+
-      script:
+  - script: scripts/print_env.py
-        cmd: scripts/print_env.py
+    register: env
-        executable: "{{ ansible_python_interpreter | default(ansible_facts.discovered_interpreter_python) }}"
+  - debug: msg={{env}}
-      register: print_env_result
-    - debug:
-        var: print_env_result
   tags:
     - issue_122

tests/ansible/regression/issue_152__virtualenv_python_fails.yml

@@ -1,29 +1,26 @@
 - name: regression/issue_152__virtualenv_python_fails.yml
   gather_facts: true
   hosts: test-targets
-  vars:
-    virtualenv_path: /tmp/issue_152_virtualenv
-    virtualenv_python: "{{ ansible_facts.python.executable }}"
   tasks:
     - custom_python_detect_environment:
       register: lout
 
     # Can't use pip module because it can't create virtualenvs, must call it
     # directly.
-    - name: Create temporary virtualenv
+    - name: Create /tmp/issue_152_virtualenv
       environment:
         https_proxy: "{{ lookup('env', 'https_proxy')|default('') }}"
         no_proxy: "{{ lookup('env', 'no_proxy')|default('') }}"
         PATH: "{{ lookup('env', 'PATH') }}"
       command:
-        argv: "{{ virtualenv_create_argv }}"
+        cmd: virtualenv -p "{{ ansible_facts.python.executable }}" /tmp/issue_152_virtualenv
-        creates: "{{ virtualenv_path }}"
+        creates: /tmp/issue_152_virtualenv
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)
 
     - custom_python_detect_environment:
       vars:
-        ansible_python_interpreter: "{{ virtualenv_path }}/bin/python"
+        ansible_python_interpreter: /tmp/issue_152_virtualenv/bin/python
       register: out
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)
@@ -31,7 +28,7 @@
     - name: Check virtualenv was used
       # On macOS runners a symlink /tmp -> /private/tmp has been seen
       vars:
-        requested_executable: "{{ virtualenv_path }}/bin/python"
+        requested_executable: /tmp/issue_152_virtualenv/bin/python
         expected_executables:
           - "{{ requested_executable }}"
           - "{{ requested_executable.replace('/tmp', out.fs['/tmp'].resolved) }}"
@@ -43,9 +40,9 @@
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)
 
-    - name: Cleanup temporary virtualenv
+    - name: Cleanup /tmp/issue_152_virtualenv
       file:
-        path: "{{ virtualenv_path }}"
+        path: /tmp/issue_152_virtualenv
         state: absent
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)

tests/data/plain_old_module.py

@@ -12,12 +12,8 @@ class MyError(Exception):
 
 def get_sentinel_value():
     # Some proof we're even talking to the mitogen-test Docker image
-    f = open('/etc/sentinel', 'rb')
+    with open('/etc/sentinel', 'rb') as f:
-    try:
+        return f.read().decode()
-        value = f.read().decode()
-    finally:
-        f.close()
-    return value
 
 
 def add(x, y):

tests/image_prep/_container_create.yml

@@ -3,30 +3,18 @@
   strategy: mitogen_free
   gather_facts: false
   tasks:
+    - name: Fetch container images
+      docker_image:
+        name: "{{ docker_base }}"
+      delegate_to: localhost
+
     - name: Start containers
       docker_container:
         name: "{{ inventory_hostname }}"
         image: "{{ docker_base }}"
         command: /bin/bash
         hostname: "mitogen-{{ inventory_hostname }}"
-        etc_hosts:
-          centos-vault-proxy: host-gateway
         detach: true
         interactive: true
         tty: true
       delegate_to: localhost
-
-    - name: Wait for containers
-      # Can't use wait_for_connection yet, not all base images have a python
-      command: >-
-        docker inspect
-        --format "{% raw %}{{.State.Running}}{% endraw %}"
-        "{{ inventory_hostname }}"
-      register: container_inspect_result
-      retries: 5
-      delay: 10
-      until:
-        - container_inspect_result is succeeded
-        - container_inspect_result.stdout == "true"
-      changed_when: false
-      delegate_to: localhost

tests/image_prep/_container_finalize.yml

@@ -1,7 +1,7 @@
 - name: Prepare images
   hosts: all
   strategy: mitogen_free
-  gather_facts: false
+  gather_facts: true
   tasks:
     - name: Commit containers
       command: >
@@ -10,11 +10,9 @@
         --change 'CMD ["/usr/sbin/sshd", "-D"]'
         {{ inventory_hostname }}
         {{ container_image_name }}
-      changed_when: true
       delegate_to: localhost
 
     - name: Stop containers
       command: >
         docker rm -f {{ inventory_hostname }}
-      changed_when: true
       delegate_to: localhost

tests/image_prep/_container_host.yml

@@ -1,5 +0,0 @@
-- name: Setup container host
-  hosts: localhost
-  become: true
-  roles:
-    - role: container_host

tests/image_prep/_container_setup.yml

@@ -2,44 +2,113 @@
   hosts: all
   strategy: linear
   gather_facts: false
-  roles:
+  tasks:
-    - role: bootstrap
+    - name: Install bootstrap packages
+      raw: |
+        set -o errexit
+        set -o nounset
+        if type -p yum; then
+          yum -y install {{ bootstrap_packages | join(' ') }}
+        else
+          apt-get -y update
+          apt-get -y --no-install-recommends install {{ bootstrap_packages | join(' ') }}
+        fi
+      when: bootstrap_packages | length
 
 - name: Setup containers
   hosts: all
   strategy: mitogen_free
+  # Resource limitation, my laptop freezes doing every container concurrently
+  serial: 4
   # Can't gather facts before here.
   gather_facts: true
   vars:
     distro: "{{ansible_distribution}}"
 
+  pre_tasks:
+    - meta: end_play
+      when:
+        - ansible_facts.virtualization_type != "docker"
+
   roles:
     - role: package_manager
-    - role: packages
     - role: sshd
     - role: sshd_container
 
   tasks:
+    - name: Ensure requisite apt packages are installed
+      apt:
+        name: "{{ common_packages + packages }}"
+        state: present
+        install_recommends: false
+        update_cache: true
+      when: ansible_pkg_mgr == 'apt'
+
+    - name: Ensure requisite yum packages are installed
+      yum:
+        name: "{{ common_packages + packages }}"
+        state: present
+        update_cache: true
+      when: ansible_pkg_mgr == 'yum'
+
+    - name: Ensure requisite dnf packages are installed
+      dnf:
+        name: "{{ common_packages + packages }}"
+        state: present
+        update_cache: true
+      when: ansible_pkg_mgr == 'dnf'
+
+    - name: Clean up package cache
+      vars:
+        clean_command:
+          apt: apt-get clean
+          yum: yum clean all
+          dnf: dnf clean all
+      command: "{{ clean_command[ansible_pkg_mgr] }}"
+      args:
+        warn: "{{ False if ansible_version_major_minor is version('2.10', '<=', strict=True) else omit }}"
+
+    - name: Clean up apt package lists
+      shell: rm -rf {{item}}/*
+      with_items:
+      - /var/cache/apt
+      - /var/lib/apt/lists
+      when: ansible_pkg_mgr == 'apt'
+
+    - name: Configure /usr/bin/python
+      command: alternatives --set python /usr/bin/python3.8
+      args:
+        creates: /usr/bin/python
+      when: inventory_hostname in ["centos8"]
+
     - name: Enable UTF-8 locale on Debian
       copy:
         dest: /etc/locale.gen
         content: |
           en_US.UTF-8 UTF-8
           fr_FR.UTF-8 UTF-8
-        mode: u=rw,go=r
       when: ansible_pkg_mgr == 'apt'
 
     - name: Generate UTF-8 locale on Debian
-      command:
+      shell: locale-gen
-        cmd: locale-gen
-      changed_when: true
       when: ansible_pkg_mgr == 'apt'
 
     - name: Write Unicode into /etc/environment
       copy:
         dest: /etc/environment
         content: "UNICODE_SNOWMAN=\u2603\n"
-        mode: u=rw,go=r
+
+    - name: Install prebuilt 'doas' binary
+      unarchive:
+        dest: /
+        src: ../data/docker/doas-debian.tar.gz
+
+    - name: Make prebuilt 'doas' binary executable
+      file:
+        path: /usr/local/bin/doas
+        mode: 'u=rwxs,go=rx'
+        owner: root
+        group: root
 
     - name: Install doas.conf
       copy:
@@ -47,7 +116,6 @@
         content: |
           permit :mitogen__group
           permit :root
-        mode: u=rw,go=
 
     - name: Set root user password and shell
       user:
@@ -59,7 +127,6 @@
       file:
         path: /var/run/sshd
         state: directory
-        mode: u=rwx,go=rx
 
     - name: Generate SSH host key
       command: ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
@@ -75,7 +142,6 @@
         dest: /etc/sentinel
         content: |
           i-am-mitogen-test-docker-image
-        mode: u=rw,go=r
 
     - name: Ensure /etc/sudoers.d exists
       file:

tests/image_prep/_user_accounts.yml

@@ -181,6 +181,6 @@
           {% endfor %}
         validate: '/usr/sbin/visudo -cf %s'
       when:
-        - ansible_connection == "local"
+        - ansible_virtualization_type != "docker"
   roles:
     - role: user_policies

tests/image_prep/ansible.cfg

@@ -1,17 +1,12 @@
 
 [defaults]
-any_errors_fatal = true
-# Ansible >= 6 (ansible-core >= 2.13)
-callback_result_format = yaml
 deprecation_warnings = false
-duplicate_dict_key = error
-inventory = hosts.ini
 strategy_plugins = ../../ansible_mitogen/plugins/strategy
 retry_files_enabled = false
+display_args_to_stdout = True
 no_target_syslog = True
 host_key_checking = False
+stdout_callback = yaml
 
 [inventory]
-any_unparsed_is_failed = true
+unparsed_is_fatal = true
-host_pattern_mismatch = error
-unparsed_is_failed = true

tests/image_prep/apache_proxy.conf

@@ -1,33 +0,0 @@
-DefaultRuntimeDir ${XDG_RUNTIME_DIR}
-PidFile ${XDG_RUNTIME_DIR}/apache2.pid
-
-LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
-LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
-LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
-LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
-LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
-LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
-LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
-
-LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
-
-KeepAlive On
-Listen 8090
-
-<Directory />
-    Require all denied
-    AllowOverride None
-</Directory>
-
-<VirtualHost *:8090>
-    ServerName centos-vault-proxy
-    SSLProxyEngine On
-    CustomLog logs/access.log vhost_combined
-    ProxyPass "/" "https://vault.centos.org/"
-    ProxyPassReverse "https://vault.centos.org/" "/"
-    RedirectMatch "^/(.*)" "http://centos-vault-proxy:8090/$1"
-</VirtualHost>
-
-# /usr/sbin/apache2 -d . -f apache_proxy.conf -D FOREGROUND
-
-# vim: syntax=apache

tests/image_prep/group_vars/all.yml

@@ -1,18 +1,16 @@
 ansible_version_major_minor: "{{ ansible_version.major }}.{{ ansible_version.minor }}"
 
 common_packages:
-  - acl
   - openssh-server
   - rsync
   - strace
   - sudo
 
 container_image_name: "{{ container_registry }}/{{ inventory_hostname }}-test"
-container_registry: ghcr.io/mitogen-hq
+container_registry: public.ecr.aws/n5z0e8q9
 
 sudo_group:
   MacOSX: admin
   Debian: sudo
   Ubuntu: sudo
   CentOS: wheel
-  AlmaLinux: wheel

tests/image_prep/host_vars/alma9.yml

@@ -1,6 +0,0 @@
-bootstrap_packages: [python3]
-docker_base: almalinux:9
-
-packages:
-  - perl-JSON
-  - procps-ng

tests/image_prep/host_vars/centos5.yml

@@ -1,36 +1,6 @@
 bootstrap_packages: [python-simplejson]
 
-docker_base: centos:5
+docker_base: astj/centos5-vault
 
 packages:
   - perl
-package_manager_repos:
-  - dest: /etc/yum.repos.d/CentOS-Base.repo
-    content: |
-      [base]
-      name=CentOS-$releasever - Base
-      baseurl=http://centos-vault-proxy:8090/5.11/os/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
-
-      [updates]
-      name=CentOS-$releasever - Updates
-      baseurl=http://centos-vault-proxy:8090/5.11/updates/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
-
-      [extras]
-      name=CentOS-$releasever - Extras
-      baseurl=http://centos-vault-proxy:8090/5.11/extras/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
-
-  - dest: /etc/yum.repos.d/libselinux.repo
-    content: |
-      [libselinux]
-      name=CentOS-$releasever - libselinux
-      baseurl=http://centos-vault-proxy:8090/5.11/centosplus/$basearch/
-      gpgcheck=1
-      enabled=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
-      includepkgs=libselinux*

tests/image_prep/host_vars/centos6.yml

@@ -1,27 +1,6 @@
 bootstrap_packages: [python]
 
-docker_base: centos:6
+docker_base: moreati/centos6-vault
 
 packages:
   - perl-JSON
-
-package_manager_repos:
-  - dest: /etc/yum.repos.d/CentOS-Base.repo
-    content: |
-      [base]
-      name=CentOS-$releasever - Base
-      baseurl=http://vault.centos.org/6.10/os/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
-
-      [updates]
-      name=CentOS-$releasever - Updates
-      baseurl=http://vault.centos.org/6.10/updates/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
-
-      [extras]
-      name=CentOS-$releasever - Extras
-      baseurl=http://vault.centos.org/6.10/extras/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

tests/image_prep/host_vars/centos7.yml

@@ -6,24 +6,3 @@ packages:
   - perl-JSON
   - python-virtualenv
   - python3
-
-package_manager_repos:
-  - dest: /etc/yum.repos.d/CentOS-Base.repo
-    content: |
-      [base]
-      name=CentOS-$releasever - Base
-      baseurl=http://vault.centos.org/$contentdir/$releasever/os/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-
-      [updates]
-      name=CentOS-$releasever - Updates
-      baseurl=http://vault.centos.org/$contentdir/$releasever/updates/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-
-      [extras]
-      name=CentOS-$releasever - Extras
-      baseurl=http://vault.centos.org/$contentdir/$releasever/extras/$basearch/
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

tests/image_prep/host_vars/centos8.yml

@@ -6,29 +6,5 @@ packages:
   - perl-JSON
   - python2-virtualenv
   - python3-virtualenv
-
+  - python36
-package_manager_repos:
+  - python38
-  - dest: /etc/yum.repos.d/CentOS-Linux-AppStream.repo
-    content: |
-      [appstream]
-      name=CentOS Linux $releasever - AppStream
-      baseurl=http://vault.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
-      enabled=1
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-  - dest: /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
-    content: |
-      [baseos]
-      name=CentOS Linux $releasever - BaseOS
-      baseurl=http://vault.centos.org/$contentdir/$releasever/BaseOS/$basearch/os/
-      enabled=1
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-  - dest: /etc/yum.repos.d/CentOS-Linux-Extras.repo
-    content: |
-      [extras]
-      name=CentOS Linux $releasever - Extras
-      baseurl=http://vault.centos.org/$contentdir/$releasever/extras/$basearch/os/
-      enabled=1
-      gpgcheck=1
-      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

tests/image_prep/host_vars/debian10.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python, python-apt]
+bootstrap_packages: [python]
 
 docker_base: debian:10
 
@@ -9,11 +9,3 @@ packages:
   - python3
   - python3-virtualenv
   - virtualenv
-
-package_manager_repos:
-  - dest: /etc/apt/sources.list
-    content: |
-      deb http://archive.debian.org/debian/ buster main non-free contrib
-      deb http://archive.debian.org/debian/ buster-updates main non-free contrib
-      deb http://archive.debian.org/debian/ buster-proposed-updates main non-free contrib
-      deb http://security.debian.org/ buster/updates main non-free contrib

tests/image_prep/host_vars/debian11.yml

@@ -1,18 +1,11 @@
 bootstrap_packages: [python3, python3-apt]
 
-docker_base: debian:11
+docker_base: debian:bullseye
 
 packages:
-  - doas
   - libjson-perl
   - locales
   - python-is-python3
   - python2
   - python3-virtualenv
   - virtualenv
-
-package_manager_keys:
-  - src: debian-archive-bullseye-automatic.gpg  # Debian 11
-    dest: /etc/apt/trusted.gpg.d/
-  - src: debian-archive-bookworm-automatic.gpg  # Debian 12
-    dest: /etc/apt/trusted.gpg.d/

tests/image_prep/host_vars/debian12.yml

@@ -1,8 +0,0 @@
-bootstrap_packages: [python3, python3-apt]
-docker_base: debian:12
-
-packages:
-  - libjson-perl
-  - locales
-  - opendoas
-  - virtualenv

tests/image_prep/host_vars/debian9.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python, python-apt]
+bootstrap_packages: [python]
 
 docker_base: debian:9
 
@@ -9,10 +9,3 @@ packages:
   - python3
   - python3-virtualenv
   - virtualenv
-
-package_manager_repos:
-  - dest: /etc/apt/sources.list
-    content: |
-      deb http://archive.debian.org/debian/ stretch main contrib non-free
-      deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
-      deb http://archive.debian.org/debian-security stretch/updates main contrib non-free

tests/image_prep/host_vars/ubuntu1604.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python, python-apt]
+bootstrap_packages: [python]
 
 docker_base: ubuntu:16.04
 

tests/image_prep/host_vars/ubuntu1804.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python, python-apt]
+bootstrap_packages: [python]
 
 docker_base: ubuntu:18.04
 

tests/image_prep/host_vars/ubuntu2004.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python3, python3-apt]
+bootstrap_packages: [python3]
 
 docker_base: ubuntu:20.04
 

tests/image_prep/host_vars/ubuntu2204.yml

@@ -1,10 +0,0 @@
-bootstrap_packages: [python3, python3-apt]
-docker_base: ubuntu:22.04
-
-packages:
-  - doas
-  - libjson-perl
-  - locales
-  - python2
-  - python3-virtualenv
-  - virtualenv

tests/image_prep/host_vars/ubuntu2404.yml

@@ -1,9 +0,0 @@
-bootstrap_packages: [python3, python3-apt]
-docker_base: ubuntu:24.04
-
-packages:
-  - libjson-perl
-  - locales
-  - opendoas
-  - python3-virtualenv
-  - virtualenv

tests/image_prep/hosts.ini

@@ -1,5 +1,4 @@
 [all:children]
-alma
 centos
 debian
 ubuntu
@@ -7,9 +6,6 @@ ubuntu
 [all:vars]
 ansible_connection = docker
 
-[alma]
-alma9
-
 [centos]
 centos5
 centos6
@@ -20,37 +16,8 @@ centos8
 debian9
 debian10
 debian11
-debian12
 
 [ubuntu]
 ubuntu1604
 ubuntu1804
 ubuntu2004
-ubuntu2204
-ubuntu2404
-
-[ansible_2_3]
-# Python 2.4 on targets
-centos5
-
-[ansible_5]
-# Python 2.6 on targets
-centos6
-
-[ansible_9]
-# Python 2.7 and/or 3.6 on targets
-centos7
-centos8
-debian9
-debian10
-ubuntu1604
-ubuntu1804
-
-[ansible_11]
-# Python >= 3.8 on targets
-alma9
-debian11
-debian12
-ubuntu2004
-ubuntu2204
-ubuntu2404

tests/image_prep/roles/bootstrap/defaults/main.yml

@@ -1,2 +0,0 @@
-bootstrap_packages: []
-package_manager_repos: []

tests/image_prep/roles/bootstrap/tasks/main.yml

@@ -1,3 +0,0 @@
-- name: Bootstrap
-  raw: "{{ lookup('template', 'bootstrap.sh.j2') }}"
-  changed_when: true

tests/image_prep/roles/bootstrap/templates/bootstrap.sh.j2

@@ -1,21 +0,0 @@
-set -o errexit
-set -o nounset
-
-{% for item in package_manager_repos %}
-cat << "EOF" > "{{ item.dest }}"
-{{ item.content }}
-EOF
-{% endfor %}
-
-{% if bootstrap_packages %}
-if command -v apt-get; then
-  apt-get -y update
-  apt-get -y --no-install-recommends install {{ bootstrap_packages | join(' ') }}
-elif command -v dnf; then
-  dnf -y install {{ bootstrap_packages | join(' ') }}
-elif command -v yum; then
-  yum -y install {{ bootstrap_packages | join(' ') }}
-else
-  exit 42
-fi
-{% endif %}

tests/image_prep/roles/container_host/handlers/main.yml

@@ -1,6 +0,0 @@
-- name: Update GRUB
-  command: update-grub
-  changed_when: true
-
-- name: Reboot
-  reboot:

tests/image_prep/roles/container_host/tasks/main.yml

@@ -1,27 +0,0 @@
-# > If running `docker run --rm -it centos:centos6.7 bash` immediately exits
-# > with status code 139, check to see if your system has disabled vsyscall:
-# > ...
-# > If you do not see a vsyscall mapping, and you need to run a CentOS 6
-# > container, try adding vsyscall=emulated to the kernel options.
-# > -- https://hub.docker.com/_/centos
-
-- name: Check vsyscall enabled
-  command:
-    cmd: grep -c vsyscall /proc/self/maps
-  register: grep_self_maps_result
-  changed_when: false
-  check_mode: false
-  failed_when:
-    # 0 -> match, 1 -> no match, 2 -> error
-    - grep_self_maps_result.rc not in [0, 1]
-
-- name: Enable vsyscall
-  lineinfile:
-    path: /etc/default/grub
-    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT.+'
-    line: GRUB_CMDLINE_LINUX_DEFAULT="quiet vsyscall=emulate"
-  when:
-    - grep_self_maps_result.rc != 0
-  notify:
-    - Update GRUB
-    - Reboot

tests/image_prep/roles/packages/defaults/main.yml

@@ -1,14 +0,0 @@
-common_packages: []
-packages: []
-
-packages_clean_command:
-    apt: apt-get clean
-    dnf: dnf clean all
-    yum: yum clean all
-
-packages_cleanup_directories:
-    apt:
-      - /var/cache/apt
-      - /var/lib/apt/lists
-    dnf: []
-    yum: []

tests/image_prep/roles/packages/tasks/main.yml

@@ -1,35 +0,0 @@
-- name: Ensure requisite apt packages are installed
-  apt:
-    name: "{{ common_packages + packages }}"
-    state: present
-    install_recommends: false
-    update_cache: true
-  when:
-    - ansible_pkg_mgr == 'apt'
-
-- name: Ensure requisite yum packages are installed
-  yum:
-    name: "{{ common_packages + packages }}"
-    state: present
-    update_cache: true
-  when:
-    - ansible_pkg_mgr == 'yum'
-
-- name: Ensure requisite dnf packages are installed
-  dnf:
-    name: "{{ common_packages + packages }}"
-    state: present
-    update_cache: true
-  when:
-    - ansible_pkg_mgr == 'dnf'
-
-- name: Clean up package cache
-  command:
-    cmd: "{{ packages_clean_command[ansible_pkg_mgr] }}"
-  changed_when: true
-
-- name: Clean up package directories
-  shell:
-    rm -rf {{ item }}/*
-  with_items: "{{ packages_cleanup_directories }}"
-  changed_when: true

tests/image_prep/roles/sshd_container/handlers/main.yml

@@ -1,4 +1,2 @@
 - name: Restart sshd
-  command: "true"
+  meta: noop
-  changed_when: false
-  check_mode: false

tests/image_prep/setup.yml

@@ -1,17 +1,6 @@
 #!/usr/bin/env ansible-playbook
 
-- name: Get base images
+- include_playbook: _container_create.yml
-  hosts: all
+- include_playbook: _container_setup.yml
-  # strategy: mitogen_free
+- include_playbook: _user_accounts.yml
-  gather_facts: false
+- include_playbook: _container_finalize.yml
-  tasks:
-    - name: Fetch container base images
-      docker_image:
-        name: "{{ docker_base }}"
-        source: pull  # Added in Ansible 2.8, required circa 2.12
-      delegate_to: localhost
-
-- import_playbook: _container_create.yml
-- import_playbook: _container_setup.yml
-- import_playbook: _user_accounts.yml
-- import_playbook: _container_finalize.yml

tests/image_prep/setup_ansible2.3.yml

@@ -1,15 +0,0 @@
-#!/usr/bin/env ansible-playbook
-
-- name: Get base images
-  hosts: all
-  gather_facts: false
-  tasks:
-    - name: Fetch container base images
-      docker_image:
-        name: "{{ docker_base }}"
-      delegate_to: localhost
-
-- include: _container_create.yml
-- include: _container_setup.yml
-- include: _user_accounts.yml
-- include: _container_finalize.yml

tests/image_prep/tox.ini

@@ -1,9 +1,7 @@
 [tox]
 envlist =
     ansible2.3,
-    ansible5
+    ansible2.10,
-    ansible9
-    ansible11
 skipsdist = true
 
 [testenv]
@@ -15,47 +13,17 @@ basepython = python2
 deps =
     ansible>=2.3,<2.4
     docker-py>=1.7.0
-    mitogen~=0.2.0
+    mitogen>=0.2.10rc1,<0.3
 install_command =
     python -m pip --no-python-version-warning install {opts} {packages}
 commands =
-    ansible-playbook -l 'localhost,ansible_2_3' setup_ansible2.3.yml
+    ./setup.yml -i hosts.ini -l 'localhost,centos5' {posargs}
 
-[testenv:ansible5]
+[testenv:ansible2.10]
 basepython = python3
 deps =
-    ansible~=5.0
+    ansible>=2.10,<2.11
     docker>=1.8.0
-    mitogen~=0.3.0
+    mitogen>=0.3.0rc1,<0.4
-    passlib
-setenv =
-    ANSIBLE_PYTHON_INTERPRETER=auto_silent
-    ANSIBLE_STDOUT_CALLBACK=yaml
-commands =
-    ansible-playbook -l 'localhost,ansible_5' setup.yml
-
-[testenv:ansible9]
-basepython = python3
-deps =
-    ansible~=9.0
-    docker>=1.8.0
-    mitogen~=0.3.0
-    passlib
-setenv =
-    ANSIBLE_PYTHON_INTERPRETER=auto_silent
-    ANSIBLE_STDOUT_CALLBACK=yaml
-commands =
-    ansible-playbook -l 'localhost,ansible_9' setup.yml
-
-[testenv:ansible11]
-basepython = python3
-deps =
-    ansible~=11.0
-    docker>=1.8.0
-    mitogen~=0.3.0
-    passlib
-setenv =
-    ANSIBLE_PYTHON_INTERPRETER=auto_silent
-    ANSIBLE_STDOUT_CALLBACK=yaml
 commands =
-    ansible-playbook -l 'localhost,ansible_11' setup.yml
+    ./setup.yml -i hosts.ini  -l '!centos5' {posargs}

tests/responder_test.py

@@ -198,3 +198,21 @@ class ForwardTest(testlib.RouterMixin, testlib.TestCase):
         self.assertEqual(2+os_fork, self.router.responder.good_load_module_count)
         self.assertLess(10000, self.router.responder.good_load_module_size)
         self.assertGreater(40000, self.router.responder.good_load_module_size)
+
+
+class BlacklistTest(testlib.TestCase):
+    @unittest.skip('implement me')
+    def test_whitelist_no_blacklist(self):
+        assert 0
+
+    @unittest.skip('implement me')
+    def test_whitelist_has_blacklist(self):
+        assert 0
+
+    @unittest.skip('implement me')
+    def test_blacklist_no_whitelist(self):
+        assert 0
+
+    @unittest.skip('implement me')
+    def test_blacklist_has_whitelist(self):
+        assert 0

tests/testlib.py

@@ -53,11 +53,11 @@ LOG = logging.getLogger(__name__)
 
 DISTRO_SPECS = os.environ.get(
     'MITOGEN_TEST_DISTRO_SPECS',
-    'alma9-py3 centos5 centos8-py3 debian9 debian12-py3 ubuntu1604 ubuntu2404-py3',
+    'centos6 centos8 debian9 debian11 ubuntu1604 ubuntu2004',
 )
 IMAGE_TEMPLATE = os.environ.get(
     'MITOGEN_TEST_IMAGE_TEMPLATE',
-    'ghcr.io/mitogen-hq/%(distro)s-test:2025.02',
+    'ghcr.io/mitogen-hq/%(distro)s-test:2021',
 )
 
 TESTS_DIR =                     os.path.join(os.path.dirname(__file__))
@@ -725,7 +725,6 @@ class DockerMixin(RouterMixin):
             #   - tests/testlib.py
             'ssh_args': [
                 '-o', 'HostKeyAlgorithms +ssh-rsa',
-                '-o', 'KexAlgorithms +diffie-hellman-group1-sha1',
                 '-o', 'PubkeyAcceptedKeyTypes +ssh-rsa',
             ],
             'python_path': self.dockerized_ssh.python_path,

tox.ini

@@ -6,17 +6,17 @@
 
 # Py   A cntrllr  A target   coverage   Django     Jinja2     pip        psutil     pytest     tox        virtualenv
 # ==== ========== ========== ========== ========== ========== ========== ========== ========== ========== ==========
-# 2.4             <= 2.3³    <= 3.7.1   <= 1.3.7              <= 1.1     <= 2.1.3              <= 1.4     <= 1.8
+# 2.4             2.3?       <= 3.7.1   <= 1.3.7              <= 1.1     <= 2.1.3              <= 1.4     <= 1.8
-# 2.5             <= 2.3³    <= 3.7.1   <= 1.4.22             <= 1.3.1   <= 2.1.3   <= 2.8.7   <= 1.6.1   <= 1.9.1
+# 2.5                        <= 3.7.1   <= 1.4.22             <= 1.3.1   <= 2.1.3   <= 2.8.7   <= 1.6.1   <= 1.9.1
 # 2.6  <= 2.6.20  <= 2.12    <= 4.5.4   <= 1.6.11  <= 2.10.3  <= 9.0.3   <= 5.9.0   <= 3.2.5   <= 2.9.1   <= 15.2.0
 # 2.7  <= 2.11    <= 2.16    <= 5.5     <= 1.11.29 <= 2.11.3  <= 20                 <= 4.6.11  <= 3.28    <= 20.15²
 # 3.5  <= 2.11    <= 2.15    <= 5.5     <= 2.2.28  <= 2.11.3  <= 20      <= 5.9.5   <= 6.1.0   <= 3.28    <= 20.15²
 # 3.6  <= 2.11    <= 2.16    <= 6.2     <= 3.2.20  <= 3.0.3   <= 21                 <= 7.0.1   <= 3.28    <= 20.17²
 # 3.7  <= 2.12    <= 2.17    <= 7.2.7   <= 3.2.20                                   <= 7.4.4   <= 4.8.0   <= 20.26.6²
-# 3.8  <= 2.12    <= 2.19
+# 3.8  <= 2.12
 # 3.9  <= 2.15
 # 3.10 <= 2.17
-# 3.11 <= 2.19
+# 3.11
 # 3.12            >= 2.13¹
 #
 # Notes
@@ -35,8 +35,6 @@
 #    Virtualenv <= 20.21.1 supports creating virtualenvs with any *target* Python.
 #    Virtualenv >= 20.22 supports creating virtualenvs with target Python >= 3.7.
 #    https://virtualenv.pypa.io/en/latest/#compatibility
-#
-# 3. https://docs.ansible.com/ansible/2.7/dev_guide/developing_python_3.html#minimum-version-of-python-3-x-and-python-2-x
 
 # Ansible            Dependency
 # ================== ======================
@@ -52,7 +50,6 @@
 # ansible == 10.x    ansible-core ~= 2.17.0
 # ansible == 11.x    ansible-core ~= 2.18.0
 # ansible == 12.x    ansible-core ~= 2.19.0
-# ansible == 13.x    ansible-core ~= 2.20.0
 
 # See also
 # - https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
@@ -63,7 +60,7 @@ envlist =
     py{27,36}-m_ans-ans{2.10,3,4}
     py{311}-m_ans-ans{2.10,3-5}
     py{313}-m_ans-ans{6-9}
-    py{314}-m_ans-ans{10-13}
+    py{314}-m_ans-ans{10-12}
     py{27,36,314}-m_mtg
     report,
 
@@ -96,7 +93,6 @@ deps =
     ans10: ansible~=10.0
     ans11: ansible~=11.0
     ans12: ansible~=12.0
-    ans13: ansible~=13.0
 install_command =
     python -m pip --no-python-version-warning --disable-pip-version-check install {opts} {packages}
 commands_pre =
@@ -119,22 +115,31 @@ setenv =
     PIP_CONSTRAINT={toxinidir}/tests/constraints.txt
     # Superceded in Ansible >= 6 (ansible-core >= 2.13) by result_format=yaml
     # Deprecated in Ansible 12 (ansible-core 2.19)
-    # Removed in Ansible 13 (ansible-core 2.20)
     ans{2.10,3,4,5}: ANSIBLE_STDOUT_CALLBACK=yaml
     # Print warning on the first occurence at each module:linenno in Mitogen. Available Python 2.7, 3.2+.
     PYTHONWARNINGS=default:::ansible_mitogen,default:::mitogen
-    ans{2.10,3,4,5}: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 centos6 centos8-py3 debian9 debian12-py3 ubuntu1604 ubuntu2204-py3
     # Ansible 6 - 8 (ansible-core 2.13 - 2.15) require Python 2.7 or >= 3.5 on targets
-    ans{6,7,8}: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 centos7 centos8-py3 debian9 debian10 debian12-py3 ubuntu1604 ubuntu1804 ubuntu2404-py3
+    ans{6,7,8}: MITOGEN_TEST_DISTRO_SPECS=centos7 centos8 debian9 debian10 debian11 ubuntu1604 ubuntu1804 ubuntu2004
     # Ansible 9 (ansible-core 2.16) requires Python 2.7 or >= 3.6 on targets
-    ans9: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 centos7 centos8-py3 debian9 debian10 debian12-py3 ubuntu1804 ubuntu2404-py3
+    ans9: MITOGEN_TEST_DISTRO_SPECS=centos7 centos8 debian9 debian10 debian11 ubuntu1804 ubuntu2004
     # Ansible 10 (ansible-core 2.17) requires Python >= 3.7 on targets
-    ans10: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian10-py3 debian12-py3 ubuntu2404-py3
+    ans10: MITOGEN_TEST_DISTRO_SPECS=debian10-py3 debian11-py3 ubuntu2004-py3
     # Ansible 11 (ansible-core 2.18) requires Python >= 3.8 on targets
-    ans11: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian12-py3 ubuntu2004-py3
+    ans11: MITOGEN_TEST_DISTRO_SPECS=debian11-py3 ubuntu2004-py3
-    ans12: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian12-py3 ubuntu2404-py3
+    ans12: MITOGEN_TEST_DISTRO_SPECS=debian11-py3 ubuntu2004-py3
-    # Ansible 13 (ansible-core 2.20) requires Python >= 3.9 on targets
+    distros_centos: MITOGEN_TEST_DISTRO_SPECS=centos6 centos7 centos8
-    ans13: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian12-py3 ubuntu2404-py3
+    distros_centos5: MITOGEN_TEST_DISTRO_SPECS=centos5
+    distros_centos6: MITOGEN_TEST_DISTRO_SPECS=centos6
+    distros_centos7: MITOGEN_TEST_DISTRO_SPECS=centos7
+    distros_centos8: MITOGEN_TEST_DISTRO_SPECS=centos8
+    distros_debian: MITOGEN_TEST_DISTRO_SPECS=debian9 debian10 debian11
+    distros_debian9: MITOGEN_TEST_DISTRO_SPECS=debian9
+    distros_debian10: MITOGEN_TEST_DISTRO_SPECS=debian10
+    distros_debian11: MITOGEN_TEST_DISTRO_SPECS=debian11
+    distros_ubuntu: MITOGEN_TEST_DISTRO_SPECS=ubuntu1604 ubuntu1804 ubuntu2004
+    distros_ubuntu1604: MITOGEN_TEST_DISTRO_SPECS=ubuntu1604
+    distros_ubuntu1804: MITOGEN_TEST_DISTRO_SPECS=ubuntu1804
+    distros_ubuntu2004: MITOGEN_TEST_DISTRO_SPECS=ubuntu2004
     m_ans: MODE=ansible
     m_ans: ANSIBLE_SKIP_TAGS=resource_intensive
     m_ans: ANSIBLE_CALLBACK_WHITELIST=profile_tasks