Merge pull request #1013 from moreati/issue1011-blacklist-msg

mitogen: Clarify blacklisted import error message

.ci/ci_lib.py

@@ -34,12 +34,12 @@ ANSIBLE_TESTS_HOSTS_DIR = os.path.join(GIT_ROOT, 'tests/ansible/hosts')
 ANSIBLE_TESTS_TEMPLATES_DIR = os.path.join(GIT_ROOT, 'tests/ansible/templates')
 DISTRO_SPECS = os.environ.get(
     'MITOGEN_TEST_DISTRO_SPECS',
-    'centos6 centos8 debian9 debian11 ubuntu1604 ubuntu2004',
+    'alma9-py3 centos5 centos8-py3 debian9 debian12-py3 ubuntu1604 ubuntu2404-py3',
 )
 IMAGE_PREP_DIR = os.path.join(GIT_ROOT, 'tests/image_prep')
 IMAGE_TEMPLATE = os.environ.get(
     'MITOGEN_TEST_IMAGE_TEMPLATE',
-    'ghcr.io/mitogen-hq/%(distro)s-test:2021',
+    'ghcr.io/mitogen-hq/%(distro)s-test:2025.02',
 )
 SUDOERS_DEFAULTS_SRC = './tests/image_prep/files/sudoers_defaults'
 SUDOERS_DEFAULTS_DEST = '/etc/sudoers.d/mitogen_test_defaults'
@@ -156,7 +156,15 @@ def run_batches(batches):
         subprocess.Popen(combine(batch), shell=True)
         for batch in batches
     ]
-    assert [proc.wait() for proc in procs] == [0] * len(procs)
+    for proc in procs:
+        proc.wait()
+        if proc.returncode:
+            print(
+                'proc: pid=%i rc=%i args=%r'
+                % (proc.pid, proc.returncode, proc.args),
+                file=sys.stderr, flush=True,
+            )
+    assert [proc.returncode for proc in procs] == [0] * len(procs)
 
 
 def get_output(s, *args, **kwargs):
@@ -231,7 +239,7 @@ def container_specs(
     [{'distro': 'debian11',
       'family': 'debian',
       'hostname': 'localhost',
-      'image': 'ghcr.io/mitogen-hq/debian11-test:2021',
+      'image': 'ghcr.io/mitogen-hq/debian11-test:2025.02',
       'index': 1,
       'name': 'target-debian11-1',
       'port': 2201,
@@ -239,7 +247,7 @@ def container_specs(
      {'distro': 'centos6',
       'family': 'centos',
       'hostname': 'localhost',
-      'image': 'ghcr.io/mitogen-hq/centos6-test:2021',
+      'image': 'ghcr.io/mitogen-hq/centos6-test:2025.02',
       'index': 2,
       'name': 'target-centos6-2',
       'port': 2202,

.github/workflows/tests.yml

@@ -101,21 +101,21 @@ jobs:
           - tox_env: py313-m_ans-ans8
             python_version: '3.13'
           - tox_env: py314-m_ans-ans9
-            python_version: '3.14.0-rc.3'
+            python_version: '3.14'
           - tox_env: py314-m_ans-ans10
-            python_version: '3.14.0-rc.3'
+            python_version: '3.14'
           - tox_env: py314-m_ans-ans11
-            python_version: '3.14.0-rc.3'
+            python_version: '3.14'
           - tox_env: py314-m_ans-ans12
-            python_version: '3.14.0-rc.3'
+            python_version: '3.14'
+          - tox_env: py314-m_ans-ans13
+            python_version: '3.14'
 
-          - tox_env: py314-m_ans-ans11-s_lin
-            python_version: '3.14.0-rc.3'
-          - tox_env: py314-m_ans-ans12-s_lin
-            python_version: '3.14.0-rc.3'
+          - tox_env: py314-m_ans-ans13-s_lin
+            python_version: '3.14'
 
           - tox_env: py314-m_mtg
-            python_version: '3.14.0-rc.3'
+            python_version: '3.14'
 
     steps:
       - uses: actions/checkout@v4
@@ -153,27 +153,21 @@ jobs:
 
   macos:
     name: macos ${{ matrix.tox_env }}
-    # https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md
-    runs-on: macos-13
+    # https://github.com/actions/runner-images/blob/main/images/macos/macos-15-Readme.md
+    runs-on: macos-15
     timeout-minutes: 15
 
     strategy:
       fail-fast: false
       matrix:
         include:
-          - tox_env: py314-m_lcl-ans11
-            python_version: '3.14.0-rc.3'
-            sshpass_version: "1.10"
-          - tox_env: py314-m_lcl-ans11-s_lin
-            python_version: '3.14.0-rc.3'
-            sshpass_version: "1.10"
-          - tox_env: py314-m_lcl-ans12
-            python_version: '3.14.0-rc.3'
-          - tox_env: py314-m_lcl-ans12-s_lin
-            python_version: '3.14.0-rc.3'
+          - tox_env: py314-m_lcl-ans13
+            python_version: '3.14'
+          - tox_env: py314-m_lcl-ans13-s_lin
+            python_version: '3.14'
 
           - tox_env: py314-m_mtg
-            python_version: '3.14.0-rc.3'
+            python_version: '3.14'
 
     steps:
       - uses: actions/checkout@v4

.gitignore

@@ -13,6 +13,7 @@ build/
 dist/
 extra/
 tests/ansible/.*.pid
+tests/image_prep/logs
 docs/_build/
 htmlcov/
 *.egg-info

ansible_mitogen/mixins.py

@@ -470,18 +470,7 @@ class ActionModuleMixin(ansible.plugins.action.ActionBase):
         # chicken-and-egg issue, mitogen needs a python to run low_level_execute_command
         # which is required by Ansible's discover_interpreter function
         if self._mitogen_discovering_interpreter:
-            possible_pythons = [
-                '/usr/bin/python',
-                'python3',
-                'python3.7',
-                'python3.6',
-                'python3.5',
-                'python2.7',
-                'python2.6',
-                '/usr/libexec/platform-python',
-                '/usr/bin/python3',
-                'python'
-            ]
+            possible_pythons = self._mitogen_interpreter_candidates
         else:
             # not used, just adding a filler value
             possible_pythons = ['python']
@@ -492,12 +481,15 @@ class ActionModuleMixin(ansible.plugins.action.ActionBase):
                 rc, stdout, stderr = self._connection.exec_command(
                     cmd, in_data, sudoable, mitogen_chdir=chdir,
                 )
-            # TODO: what exception is thrown?
-            except:
+            except BaseException as exc:
                 # we've reached the last python attempted and failed
                 if possible_python == possible_pythons[-1]:
                     raise
                 else:
+                    LOG.debug(
+                        '%r._low_level_execute_command: candidate=%r ignored: %s, %r',
+                        self, possible_python, type(exc), exc,
+                    )
                     continue
 
         stdout_text = to_text(stdout, errors=encoding_errors)

ansible_mitogen/target.py

@@ -40,7 +40,6 @@ import errno
 import grp
 import json
 import logging
-import operator
 import os
 import pty
 import pwd
@@ -66,8 +65,6 @@ if not sys.modules.get(str('__main__')):
 
 import ansible.module_utils.json_utils
 
-from ansible.module_utils.six.moves import reduce
-
 import ansible_mitogen.runner
 
 
@@ -718,7 +715,9 @@ def apply_mode_spec(spec, mode):
             mask = CHMOD_MASKS[ch]
             bits = CHMOD_BITS[ch]
             cur_perm_bits = mode & mask
-            new_perm_bits = reduce(operator.or_, (bits[p] for p in perms), 0)
+            new_perm_bits = 0
+            for perm in perms:
+                new_perm_bits |= bits[perm]
             mode &= ~mask
             if op == '=':
                 mode |= new_perm_bits

ansible_mitogen/transport_config.py

@@ -73,13 +73,21 @@ import ansible.utils.unsafe_proxy
 from ansible.module_utils.six import with_metaclass
 from ansible.module_utils.parsing.convert_bool import boolean
 
+import ansible_mitogen.utils
 import mitogen.core
 
 
 LOG = logging.getLogger(__name__)
 
+if ansible_mitogen.utils.ansible_version[:2] >= (2, 19):
+    _FALLBACK_INTERPRETER = ansible.executor.interpreter_discovery._FALLBACK_INTERPRETER
+elif ansible_mitogen.utils.ansible_version[:2] >= (2, 17):
+    _FALLBACK_INTERPRETER = u'/usr/bin/python3'
+else:
+    _FALLBACK_INTERPRETER = u'/usr/bin/python'
 
-def run_interpreter_discovery_if_necessary(s, task_vars, action, rediscover_python):
+
+def run_interpreter_discovery_if_necessary(s, candidates, task_vars, action, rediscover_python):
     """
     Triggers ansible python interpreter discovery if requested.
     Caches this value the same way Ansible does it.
@@ -107,8 +115,11 @@ def run_interpreter_discovery_if_necessary(s, task_vars, action, rediscover_pyth
             # blow away the discovered_interpreter_config cache and rediscover
             del task_vars['ansible_facts'][discovered_interpreter_config]
 
-        if discovered_interpreter_config not in task_vars['ansible_facts']:
+        try:
+            s = task_vars[u'ansible_facts'][discovered_interpreter_config]
+        except KeyError:
             action._mitogen_discovering_interpreter = True
+            action._mitogen_interpreter_candidates = candidates
             # fake pipelining so discover_interpreter can be happy
             action._connection.has_pipelining = True
             s = ansible.executor.interpreter_discovery.discover_interpreter(
@@ -121,18 +132,17 @@ def run_interpreter_discovery_if_necessary(s, task_vars, action, rediscover_pyth
             # cache discovered interpreter
             task_vars['ansible_facts'][discovered_interpreter_config] = s
             action._connection.has_pipelining = False
-        else:
-            s = task_vars['ansible_facts'][discovered_interpreter_config]
 
         # propagate discovered interpreter as fact
         action._discovered_interpreter_key = discovered_interpreter_config
         action._discovered_interpreter = s
 
     action._mitogen_discovering_interpreter = False
+    action._mitogen_interpreter_candidates = None
     return s
 
 
-def parse_python_path(s, task_vars, action, rediscover_python):
+def parse_python_path(s, candidates, task_vars, action, rediscover_python):
     """
     Given the string set for ansible_python_interpeter, parse it using shell
     syntax and return an appropriate argument vector. If the value detected is
@@ -143,10 +153,9 @@ def parse_python_path(s, task_vars, action, rediscover_python):
         # if python_path doesn't exist, default to `auto` and attempt to discover it
         s = 'auto'
 
-    s = run_interpreter_discovery_if_necessary(s, task_vars, action, rediscover_python)
-    # if unable to determine python_path, fallback to '/usr/bin/python'
+    s = run_interpreter_discovery_if_necessary(s, candidates, task_vars, action, rediscover_python)
     if not s:
-        s = '/usr/bin/python'
+        s = _FALLBACK_INTERPRETER
 
     return ansible.utils.shlex.shlex_split(s)
 
@@ -510,6 +519,9 @@ class PlayContextSpec(Spec):
         interpreter_python = C.config.get_config_value(
             'INTERPRETER_PYTHON', variables=variables,
         )
+        interpreter_python_fallback = C.config.get_config_value(
+            'INTERPRETER_PYTHON_FALLBACK', variables=variables,
+        )
 
         if '{{' in interpreter_python or '{%' in interpreter_python:
             templar = self._connection.templar
@@ -517,6 +529,7 @@ class PlayContextSpec(Spec):
 
         return parse_python_path(
             interpreter_python,
+            candidates=interpreter_python_fallback,
             task_vars=self._task_vars,
             action=self._action,
             rediscover_python=rediscover_python)
@@ -732,11 +745,12 @@ class MitogenViaSpec(Spec):
 
     def python_path(self, rediscover_python=False):
         s = self._host_vars.get('ansible_python_interpreter')
-        # #511, #536: executor/module_common.py::_get_shebang() hard-wires
-        # "/usr/bin/python" as the default interpreter path if no other
-        # interpreter is specified.
+        interpreter_python_fallback = self._host_vars.get(
+            'ansible_interpreter_python_fallback', [],
+        )
         return parse_python_path(
             s,
+            candidates=interpreter_python_fallback,
             task_vars=self._task_vars,
             action=self._action,
             rediscover_python=rediscover_python)

docs/ansible_detailed.rst

@@ -145,6 +145,8 @@ Noteworthy Differences
   +-----------------+ 3.11 - 3.14     |
   | 12              |                 |
   +-----------------+-----------------+
+  | 13              | 3.12 - 3.14     |
+  +-----------------+-----------------+
 
   Verify your installation is running one of these versions by checking
   ``ansible --version`` output.

docs/changelog.rst

@@ -21,6 +21,42 @@ To avail of fixes in an unreleased version, please download a ZIP file
 In progress (unreleased)
 ------------------------
 
+* :gh:issue:`1237` :mod:`mitogen`: Re-declare Python 2.4 compatibility
+* :gh:issue:`1385` :mod:`ansible_mitogen`: Remove a use of
+  ``ansible.module_utils.six``
+* :gh:issue:`1354` docs: Document Ansible 13 (ansible-core 2.20) support
+* :gh:issue:`1354` :mod:`mitogen`: Clarify error message when a module
+  request would be refused by allow or deny listing
+
+
+v0.3.35 (2025-12-01)
+--------------------
+
+* :gh:issue:`1132` :mod:`ansible_mitogen` During intrepreter discovery use
+  Ansible ``INTERPRETER_PYTHON_FALLBACK`` config as list of candidates
+
+
+v0.3.34 (2025-11-27)
+--------------------
+
+* :gh:issue:`1118` CI: Use 2025.02 test images, keeping same OS releases
+* :gh:issue:`1358` CI: Bump deprecated macOS 13 runner to macOS 15
+* :gh:issue:`1118` CI: Add OS release coverage: AlmaLinux 9
+* :gh:issue:`1118` CI: Add OS release coverage: CentOS 5
+* :gh:issue:`1118` CI: Add OS release coverage: Debian 12
+* :gh:issue:`1118` CI: Add OS release coverage: Ubuntu 22.04, Ubuntu 24.04
+* :gh:issue:`1124` :mod:`mitogen`: Log why a module is sent or not sent by
+  :class:`mitogen.master.ModuleResponder`
+* :gh:issue:`1124` :mod:`ansible_mitogen`: Speedup startup by not sending
+  ``__main__`` as a related module
+
+
+v0.3.33 (2025-11-22)
+--------------------
+
+* :gh:issue:`1354` :mod:`ansible_mitogen`: ansible_mitogen: Ansible 13
+  (ansible-core 2.20) support
+
 
 v0.3.32 (2025-11-21)
 --------------------

docs/index.rst

@@ -332,12 +332,16 @@ a large fleet of machines, or to alert the parent of unexpected state changes.
 Compatibility
 #############
 
-Mitogen is compatible with **Python 2.4** released November 2004, making it
+``mitogen.*`` is compatible with Python 2.4 - 2.7 and 3.6 onward; making it
 suitable for managing a fleet of potentially ancient corporate hardware, such
 as Red Hat Enterprise Linux 5, released in 2007.
 
-Every combination of Python 3.x/2.x parent and child should be possible,
-however at present only Python 2.4, 2.6, 2.7 and 3.6 are tested automatically.
+Every combination of Python 3.x/2.x parent and child should be possible.
+Automated testing cannot cover every combination, automated testing tries to
+cover the extemities (e.g. Python 3.14 parent -> Python 2.4 child).
+
+``ansible_mitogen.*`` is compatible with Python 2.7 and 3.6 onward; making it
+suitable for Ansible 2.10 onward.
 
 
 Zero Dependencies

mitogen/__init__.py

@@ -35,7 +35,7 @@ be expected. On the slave, it is built dynamically during startup.
 
 
 #: Library version as a tuple.
-__version__ = (0, 3, 32)
+__version__ = (0, 3, 36, 'dev')
 
 
 #: This is :data:`False` in slave contexts. Previously it was used to prevent

mitogen/core.py

@@ -541,6 +541,7 @@ def is_blacklisted_import(importer, fullname):
     any packages have been whitelisted and `fullname` is not part of one.
 
     NB:
+      - The default whitelist is `['']` which matches any module name.
       - If a package is on both lists, then it is treated as blacklisted.
       - If any package is whitelisted, then all non-whitelisted packages are
         treated as blacklisted.
@@ -1536,9 +1537,8 @@ class Importer(object):
         return importlib.machinery.ModuleSpec(fullname, loader=self)
 
     blacklisted_msg = (
-        '%r is present in the Mitogen importer blacklist, therefore this '
-        'context will not attempt to request it from the master, as the '
-        'request will always be refused.'
+        'A %r request would be refused by the Mitogen master. The module is '
+        'on the deny list (blacklist) or not on the allow list (whitelist).'
     )
     pkg_resources_msg = (
         'pkg_resources is prohibited from importing __main__, as it causes '

mitogen/master.py

@@ -843,6 +843,12 @@ class ModuleFinder(object):
     related modules likely needed by a child context requesting the original
     module.
     """
+
+    # Fullnames of modules that should not be sent as a related module
+    _related_modules_denylist = frozenset({
+        '__main__',
+    })
+
     def __init__(self):
         #: Import machinery is expensive, keep :py:meth`:get_module_source`
         #: results around.
@@ -931,6 +937,34 @@ class ModuleFinder(object):
             fullname, _, _ = str_rpartition(to_text(fullname), u'.')
             yield fullname
 
+    def _reject_related_module(self, requested_fullname, related_fullname):
+        def _log_reject(reason):
+            LOG.debug(
+                '%r: Rejected related module %s of requested module %s: %s',
+                self, related_fullname, requested_fullname, reason,
+            )
+            return reason
+
+        try:
+            related_module = sys.modules[related_fullname]
+        except KeyError:
+            return _log_reject('sys.modules entry absent')
+
+        # Python 2.x "indirection entry"
+        if related_module is None:
+            return _log_reject('sys.modules entry is None')
+
+        if is_stdlib_name(related_fullname):
+            return _log_reject('stdlib module')
+
+        if 'six.moves' in related_fullname:
+            return _log_reject('six.moves avoidence')
+
+        if related_fullname in self._related_modules_denylist:
+            return _log_reject('on denylist')
+
+        return False
+
     def find_related_imports(self, fullname):
         """
         Return a list of non-stdlib modules that are directly imported by
@@ -973,9 +1007,7 @@ class ModuleFinder(object):
             set(
                 mitogen.core.to_text(name)
                 for name in maybe_names
-                if sys.modules.get(name) is not None
-                and not is_stdlib_name(name)
-                and u'six.moves' not in name  # TODO: crap
+                if not self._reject_related_module(fullname, name)
             )
         ))
 
@@ -1138,7 +1170,7 @@ class ModuleResponder(object):
         self._cache[fullname] = tup
         return tup
 
-    def _send_load_module(self, stream, fullname):
+    def _send_load_module(self, stream, fullname, reason):
         if fullname not in stream.protocol.sent_modules:
             tup = self._build_tuple(fullname)
             msg = mitogen.core.Message.pickled(
@@ -1146,8 +1178,10 @@ class ModuleResponder(object):
                 dst_id=stream.protocol.remote_id,
                 handle=mitogen.core.LOAD_MODULE,
             )
-            self._log.debug('sending %s (%.2f KiB) to %s',
-                            fullname, len(msg.data) / 1024.0, stream.name)
+            self._log.debug(
+                'sending %s %s (%.2f KiB) to %s',
+                reason, fullname, len(msg.data) / 1024.0, stream.name,
+            )
             self._router._async_route(msg)
             stream.protocol.sent_modules.add(fullname)
             if tup[2] is not None:
@@ -1178,8 +1212,8 @@ class ModuleResponder(object):
                     # Parent hasn't been sent, so don't load submodule yet.
                     continue
 
-                self._send_load_module(stream, name)
-            self._send_load_module(stream, fullname)
+                self._send_load_module(stream, name, 'related')
+            self._send_load_module(stream, fullname, 'requested')
         except Exception:
             LOG.debug('While importing %r', fullname, exc_info=True)
             self._send_module_load_failed(stream, fullname)

setup.py

@@ -82,7 +82,7 @@ setup(
     license = 'BSD-3-Clause',
     url = 'https://github.com/mitogen-hq/mitogen/',
     packages = find_packages(exclude=['tests', 'examples']),
-    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
+    python_requires='>=2.4, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*',
     zip_safe = False,
     classifiers = [
         'Environment :: Console',
@@ -91,6 +91,9 @@ setup(
         'Operating System :: MacOS :: MacOS X',
         'Operating System :: POSIX',
         'Programming Language :: Python',
+        'Programming Language :: Python :: 2.4',
+        'Programming Language :: Python :: 2.5',
+        'Programming Language :: Python :: 2.6',
         'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.6',

tests/ansible/ansible.cfg

@@ -76,6 +76,7 @@ ssh_args =
     -o ControlPersist=60s
     -o ForwardAgent=yes
     -o HostKeyAlgorithms=+ssh-rsa
+    -o KexAlgorithms=+diffie-hellman-group1-sha1
     -o PubkeyAcceptedKeyTypes=+ssh-rsa
     -o UserKnownHostsFile=/dev/null
 pipelining = True

tests/ansible/hosts/group_vars/all.yml

@@ -6,6 +6,7 @@
 ansible_version_major_minor: "{{ ansible_version.major }}.{{ ansible_version.minor }}"
 ansible_version_major_minor_patch: "{{ ansible_version.major }}.{{ ansible_version.minor }}.{{ ansible_version.revision | regex_search('^[0-9]+') }}"
 
+become_doas_available: false
 become_unpriv_available: >-
   {#
     Vanilla Ansible >= 4 (ansible-core >= 2.11) can use `setfacl` for
@@ -34,3 +35,11 @@ become_unpriv_available: >-
   -}}
 
 pkg_mgr_python_interpreter: python
+
+virtualenv_create_argv:
+  - virtualenv
+  - -p
+  - "{{ virtualenv_python }}"
+  - "{{ virtualenv_path }}"
+virtualenv_path: /path/intentionally/left/invalid
+virtualenv_python: /path/intentionally/left/invalid

tests/ansible/hosts/group_vars/alma9.yml

@@ -0,0 +1,8 @@
+pkg_mgr_python_interpreter: python3
+
+# Alma Linux 9, RHEL 9, etc. lack a virtualenv package
+virtualenv_create_argv:
+  - "{{ virtualenv_python }}"
+  - -m
+  - venv
+  - "{{ virtualenv_path }}"

tests/ansible/hosts/group_vars/debian11.yml

@@ -1,3 +1,4 @@
+become_doas_available: true
 package_manager_keys:
   - src: debian-archive-bullseye-automatic.gpg  # Debian 11
     dest: /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg

tests/ansible/hosts/group_vars/debian12.yml

@@ -0,0 +1,2 @@
+become_doas_available: true
+pkg_mgr_python_interpreter: python3

tests/ansible/hosts/group_vars/debian9.yml

@@ -1,4 +1,6 @@
 package_manager_repos:
   - dest: /etc/apt/sources.list
     content: |
-      deb http://archive.debian.org/debian stretch main contrib non-free
+      deb http://archive.debian.org/debian/ stretch main contrib non-free
+      deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
+      deb http://archive.debian.org/debian-security stretch/updates main contrib non-free

tests/ansible/hosts/group_vars/ubuntu2204.yml

@@ -0,0 +1,2 @@
+become_doas_available: true
+pkg_mgr_python_interpreter: python3

tests/ansible/hosts/group_vars/ubuntu2404.yml

@@ -0,0 +1,2 @@
+become_doas_available: true
+pkg_mgr_python_interpreter: python3

tests/ansible/integration/become/doas.yml

@@ -15,12 +15,16 @@
       changed_when: false
       check_mode: false
       register: doas_default_user
+      when:
+        - become_doas_available
 
     - assert:
         that:
           - doas_default_user.stdout == 'root'
         fail_msg:
           doas_default_user={{ doas_default_user }}
+      when:
+        - become_doas_available
 
     - name: Test doas -> mitogen__user1
       become: true
@@ -30,6 +34,7 @@
       check_mode: false
       register: doas_mitogen__user1
       when:
+        - become_doas_available
         - become_unpriv_available
 
     - assert:
@@ -38,6 +43,7 @@
         fail_msg:
           doas_mitogen__user1={{ doas_mitogen__user1 }}
       when:
+        - become_doas_available
         - become_unpriv_available
   tags:
     - doas
@@ -61,12 +67,16 @@
       changed_when: false
       check_mode: false
       register: fq_doas_default_user
+      when:
+        - become_doas_available
 
     - assert:
         that:
           - fq_doas_default_user.stdout == 'root'
         fail_msg:
           fq_doas_default_user={{ fq_doas_default_user }}
+      when:
+        - become_doas_available
 
     - name: Test community.general.doas -> mitogen__user1
       become: true
@@ -76,6 +86,7 @@
       check_mode: false
       register: fq_doas_mitogen__user1
       when:
+        - become_doas_available
         - become_unpriv_available
 
     - assert:
@@ -84,6 +95,7 @@
         fail_msg:
           fq_doas_mitogen__user1={{ fq_doas_mitogen__user1 }}
       when:
+        - become_doas_available
         - become_unpriv_available
   tags:
     - doas

tests/ansible/integration/connection_delegation/delegate_to_template.yml

@@ -47,6 +47,7 @@
                 -o, ControlPersist=60s,
                 -o, ForwardAgent=yes,
                 -o, HostKeyAlgorithms=+ssh-rsa,
+                -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                 -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                 -o, UserKnownHostsFile=/dev/null,
               ],
@@ -75,6 +76,7 @@
                 -o, ControlPersist=60s,
                 -o, ForwardAgent=yes,
                 -o, HostKeyAlgorithms=+ssh-rsa,
+                -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                 -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                 -o, UserKnownHostsFile=/dev/null,
               ],

tests/ansible/integration/connection_delegation/stack_construction.yml

@@ -84,6 +84,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -128,6 +129,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -183,6 +185,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -227,6 +230,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -255,6 +259,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -309,6 +314,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],
@@ -354,6 +360,7 @@
                           -o, ControlPersist=60s,
                           -o, ForwardAgent=yes,
                           -o, HostKeyAlgorithms=+ssh-rsa,
+                          -o, KexAlgorithms=+diffie-hellman-group1-sha1,
                           -o, PubkeyAcceptedKeyTypes=+ssh-rsa,
                           -o, UserKnownHostsFile=/dev/null,
                       ],

tests/ansible/integration/interpreter_discovery/ansible_2_8_tests.yml

@@ -1,58 +1,20 @@
 # ripped and ported from https://github.com/ansible/ansible/pull/50163/files, when interpreter discovery was added to ansible
 ---
+- name: integration/interpreter_discovery/ansible_2_8_tests.yml, baseline
+  hosts: test-targets
+  strategy: linear
+  tasks:
+    - meta: clear_facts
+    - name: Discover interpreter, linear, auto
+      vars:
+        ansible_python_interpreter: auto
+      ping:
+      register: linear_auto_result
+
 
 - name: integration/interpreter_discovery/ansible_2_8_tests.yml
   hosts: test-targets
   gather_facts: true
-  vars:
-    DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_lt_2_12:
-      centos:
-        '6': /usr/bin/python
-        '7': /usr/bin/python
-        '8': /usr/libexec/platform-python
-      debian:
-        '9': /usr/bin/python
-        '10': /usr/bin/python3
-        '11': /usr/bin/python
-        'NA': /usr/bin/python  # Debian 11, Ansible <= 7 (ansible-core <= 2.14)
-        'bullseye/sid': /usr/bin/python  # Debian 11, Ansible 8 - 9 (ansible-core 2.15 - 2.16)
-      ubuntu:
-        '16': /usr/bin/python3
-        '18': /usr/bin/python3
-        '20': /usr/bin/python3
-
-    DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_2_12_to_2_16:
-      centos:
-        '6': /usr/bin/python
-        '7': /usr/bin/python
-        '8': /usr/libexec/platform-python
-      debian:
-        '9': /usr/bin/python
-        '10': /usr/bin/python3
-        '11': /usr/bin/python3.9
-        'NA': /usr/bin/python3.9  # Debian 11, Ansible <= 7 (ansible-core <= 2.14)
-        'bullseye/sid': /usr/bin/python3.9  # Debian 11, Ansible 8 - 9 (ansible-core 2.15 - 2.16)
-      ubuntu:
-        '16': /usr/bin/python3
-        '18': /usr/bin/python3
-        '20': /usr/bin/python3
-
-    DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_ge_2_17:
-      debian:
-        '10': /usr/bin/python3.7
-        '11': /usr/bin/python3.9
-        'bullseye/sid': /usr/bin/python3.9
-      ubuntu:
-        '20': /usr/bin/python3.8
-
-    discovered_interpreter_expected: >-
-      {%- if ansible_version_major_minor is version('2.12', '<', strict=True) -%}
-      {{ DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_lt_2_12[distro][distro_major] }}
-      {%- elif ansible_version_major_minor is version('2.17', '<', strict=True) -%}
-      {{ DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_2_12_to_2_16[distro][distro_major] }}
-      {%- else -%}
-      {{ DISCOVERED_INTERPRETER_EXPECTED_MAP__ANSIBLE_ge_2_17[distro][distro_major] }}
-      {%- endif -%}
   tasks:
     - name: can only run these tests on ansible >= 2.8.0
       block:
@@ -65,12 +27,6 @@
             fail_msg: "'ansible_python_interpreter' appears to be set at a high precedence to {{ ansible_python_interpreter }},
                       which breaks this test."
 
-        - name: snag some facts to validate for later
-          set_fact:
-            distro: '{{ ansible_facts.distribution | lower }}'
-            distro_major: '{{ ansible_facts.distribution_major_version }}'
-            system: '{{ ansible_facts.system }}'
-
         - name: test that python discovery is working and that fact persistence makes it only run once
           block:
           - name: clear facts to force interpreter discovery to run
@@ -215,16 +171,10 @@
           - name: Check discovered interpreter matches expected
             assert:
               that:
-                - auto_out.ansible_facts.discovered_interpreter_python == discovered_interpreter_expected
+                - auto_out.ansible_facts.discovered_interpreter_python == linear_auto_result.ansible_facts.discovered_interpreter_python
               fail_msg: |
-                distro={{ distro }}
-                distro_major= {{ distro_major }}
-                system={{ system }}
                 auto_out={{ auto_out }}
-                discovered_interpreter_expected={{ discovered_interpreter_expected }}
-                ansible_version.full={{ ansible_version.full }}
-            when:
-              - system in ['Linux']
+                linear_auto_result={{ linear_auto_result }}
 
           always:
           - meta: clear_facts

tests/ansible/integration/process/unix_socket_cleanup.yml

@@ -14,7 +14,7 @@
       ANSIBLE_CALLBACK_RESULT_FORMAT=json
       ANSIBLE_LOAD_CALLBACK_PLUGINS=false
       ANSIBLE_STRATEGY=mitogen_linear
-      ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+      ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa"
       ANSIBLE_VERBOSITY="{{ ansible_verbosity }}"
       ansible -m shell -c local -a whoami
       {% for inv in ansible_inventory_sources %}

tests/ansible/integration/ssh/password.yml

@@ -35,7 +35,7 @@
             ssh_no_password_result.msg is search('SSH password was requested, but none specified')
             or ssh_no_password_result.msg is search('SSH password is incorrect')
             or ssh_no_password_result.msg is search('Invalid/incorrect password')
-            or ssh_no_password_result.msg is search('Permission denied \(publickey,password(,keyboard-interactive)?\)')
+            or ssh_no_password_result.msg is search('Permission denied \(publickey(,gssapi-keyex)?(,gssapi-with-mic)?,password(,keyboard-interactive)?\)')
         fail_msg: |
           ssh_no_password_result={{ ssh_no_password_result }}
 
@@ -72,6 +72,6 @@
           - >-
             ssh_wrong_password_result.msg is search('SSH password is incorrect')
             or ssh_wrong_password_result.msg is search('Invalid/incorrect password')
-            or ssh_wrong_password_result.msg is search('Permission denied \(publickey,password(,keyboard-interactive)?\)')
+            or ssh_no_password_result.msg is search('Permission denied \(publickey(,gssapi-keyex)?(,gssapi-with-mic)?,password(,keyboard-interactive)?\)')
         fail_msg: |
           ssh_wrong_password_result={{ ssh_wrong_password_result }}

tests/ansible/integration/ssh/variables.yml

@@ -22,7 +22,7 @@
         ANSIBLE_CALLBACK_RESULT_FORMAT=json
         ANSIBLE_LOAD_CALLBACK_PLUGINS=false
         ANSIBLE_STRATEGY=mitogen_linear
-        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa"
         ANSIBLE_VERBOSITY="{{ ansible_verbosity }}"
         ansible -m shell -a whoami
         {% for inv in ansible_inventory_sources %}
@@ -42,7 +42,7 @@
         ANSIBLE_CALLBACK_RESULT_FORMAT=json
         ANSIBLE_LOAD_CALLBACK_PLUGINS=false
         ANSIBLE_STRATEGY=mitogen_linear
-        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+        ANSIBLE_SSH_ARGS="-o HostKeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -o PubkeyAcceptedKeyTypes=+ssh-rsa"
         ANSIBLE_VERBOSITY="{{ ansible_verbosity }}"
         ansible -m shell -a whoami
         {% for inv in ansible_inventory_sources %}

tests/ansible/regression/issue_122__environment_difference.yml

@@ -8,9 +8,12 @@
 - name: regression/issue_122__environment_difference.yml
   hosts: test-targets
   tasks:
-
-  - script: scripts/print_env.py
-    register: env
-  - debug: msg={{env}}
+    - name: Run print_env.py
+      script:
+        cmd: scripts/print_env.py
+        executable: "{{ ansible_python_interpreter | default(ansible_facts.discovered_interpreter_python) }}"
+      register: print_env_result
+    - debug:
+        var: print_env_result
   tags:
     - issue_122

tests/ansible/regression/issue_152__virtualenv_python_fails.yml

@@ -1,26 +1,29 @@
 - name: regression/issue_152__virtualenv_python_fails.yml
   gather_facts: true
   hosts: test-targets
+  vars:
+    virtualenv_path: /tmp/issue_152_virtualenv
+    virtualenv_python: "{{ ansible_facts.python.executable }}"
   tasks:
     - custom_python_detect_environment:
       register: lout
 
     # Can't use pip module because it can't create virtualenvs, must call it
     # directly.
-    - name: Create /tmp/issue_152_virtualenv
+    - name: Create temporary virtualenv
       environment:
         https_proxy: "{{ lookup('env', 'https_proxy')|default('') }}"
         no_proxy: "{{ lookup('env', 'no_proxy')|default('') }}"
         PATH: "{{ lookup('env', 'PATH') }}"
       command:
-        cmd: virtualenv -p "{{ ansible_facts.python.executable }}" /tmp/issue_152_virtualenv
-        creates: /tmp/issue_152_virtualenv
+        argv: "{{ virtualenv_create_argv }}"
+        creates: "{{ virtualenv_path }}"
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)
 
     - custom_python_detect_environment:
       vars:
-        ansible_python_interpreter: /tmp/issue_152_virtualenv/bin/python
+        ansible_python_interpreter: "{{ virtualenv_path }}/bin/python"
       register: out
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)
@@ -28,7 +31,7 @@
     - name: Check virtualenv was used
       # On macOS runners a symlink /tmp -> /private/tmp has been seen
       vars:
-        requested_executable: /tmp/issue_152_virtualenv/bin/python
+        requested_executable: "{{ virtualenv_path }}/bin/python"
         expected_executables:
           - "{{ requested_executable }}"
           - "{{ requested_executable.replace('/tmp', out.fs['/tmp'].resolved) }}"
@@ -40,9 +43,9 @@
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)
 
-    - name: Cleanup /tmp/issue_152_virtualenv
+    - name: Cleanup temporary virtualenv
       file:
-        path: /tmp/issue_152_virtualenv
+        path: "{{ virtualenv_path }}"
         state: absent
       when:
         - lout.python.version.full is version('2.7', '>=', strict=True)

tests/data/plain_old_module.py

@@ -12,8 +12,12 @@ class MyError(Exception):
 
 def get_sentinel_value():
     # Some proof we're even talking to the mitogen-test Docker image
-    with open('/etc/sentinel', 'rb') as f:
-        return f.read().decode()
+    f = open('/etc/sentinel', 'rb')
+    try:
+        value = f.read().decode()
+    finally:
+        f.close()
+    return value
 
 
 def add(x, y):

tests/image_prep/_container_create.yml

@@ -3,18 +3,30 @@
   strategy: mitogen_free
   gather_facts: false
   tasks:
-    - name: Fetch container images
-      docker_image:
-        name: "{{ docker_base }}"
-      delegate_to: localhost
-
     - name: Start containers
       docker_container:
         name: "{{ inventory_hostname }}"
         image: "{{ docker_base }}"
         command: /bin/bash
         hostname: "mitogen-{{ inventory_hostname }}"
+        etc_hosts:
+          centos-vault-proxy: host-gateway
         detach: true
         interactive: true
         tty: true
       delegate_to: localhost
+
+    - name: Wait for containers
+      # Can't use wait_for_connection yet, not all base images have a python
+      command: >-
+        docker inspect
+        --format "{% raw %}{{.State.Running}}{% endraw %}"
+        "{{ inventory_hostname }}"
+      register: container_inspect_result
+      retries: 5
+      delay: 10
+      until:
+        - container_inspect_result is succeeded
+        - container_inspect_result.stdout == "true"
+      changed_when: false
+      delegate_to: localhost

tests/image_prep/_container_finalize.yml

@@ -1,7 +1,7 @@
 - name: Prepare images
   hosts: all
   strategy: mitogen_free
-  gather_facts: true
+  gather_facts: false
   tasks:
     - name: Commit containers
       command: >
@@ -10,9 +10,11 @@
         --change 'CMD ["/usr/sbin/sshd", "-D"]'
         {{ inventory_hostname }}
         {{ container_image_name }}
+      changed_when: true
       delegate_to: localhost
 
     - name: Stop containers
       command: >
         docker rm -f {{ inventory_hostname }}
+      changed_when: true
       delegate_to: localhost

tests/image_prep/_container_host.yml

@@ -0,0 +1,5 @@
+- name: Setup container host
+  hosts: localhost
+  become: true
+  roles:
+    - role: container_host

tests/image_prep/_container_setup.yml

@@ -2,113 +2,44 @@
   hosts: all
   strategy: linear
   gather_facts: false
-  tasks:
-    - name: Install bootstrap packages
-      raw: |
-        set -o errexit
-        set -o nounset
-        if type -p yum; then
-          yum -y install {{ bootstrap_packages | join(' ') }}
-        else
-          apt-get -y update
-          apt-get -y --no-install-recommends install {{ bootstrap_packages | join(' ') }}
-        fi
-      when: bootstrap_packages | length
+  roles:
+    - role: bootstrap
 
 - name: Setup containers
   hosts: all
   strategy: mitogen_free
-  # Resource limitation, my laptop freezes doing every container concurrently
-  serial: 4
   # Can't gather facts before here.
   gather_facts: true
   vars:
     distro: "{{ansible_distribution}}"
 
-  pre_tasks:
-    - meta: end_play
-      when:
-        - ansible_facts.virtualization_type != "docker"
-
   roles:
     - role: package_manager
+    - role: packages
     - role: sshd
     - role: sshd_container
 
   tasks:
-    - name: Ensure requisite apt packages are installed
-      apt:
-        name: "{{ common_packages + packages }}"
-        state: present
-        install_recommends: false
-        update_cache: true
-      when: ansible_pkg_mgr == 'apt'
-
-    - name: Ensure requisite yum packages are installed
-      yum:
-        name: "{{ common_packages + packages }}"
-        state: present
-        update_cache: true
-      when: ansible_pkg_mgr == 'yum'
-
-    - name: Ensure requisite dnf packages are installed
-      dnf:
-        name: "{{ common_packages + packages }}"
-        state: present
-        update_cache: true
-      when: ansible_pkg_mgr == 'dnf'
-
-    - name: Clean up package cache
-      vars:
-        clean_command:
-          apt: apt-get clean
-          yum: yum clean all
-          dnf: dnf clean all
-      command: "{{ clean_command[ansible_pkg_mgr] }}"
-      args:
-        warn: "{{ False if ansible_version_major_minor is version('2.10', '<=', strict=True) else omit }}"
-
-    - name: Clean up apt package lists
-      shell: rm -rf {{item}}/*
-      with_items:
-      - /var/cache/apt
-      - /var/lib/apt/lists
-      when: ansible_pkg_mgr == 'apt'
-
-    - name: Configure /usr/bin/python
-      command: alternatives --set python /usr/bin/python3.8
-      args:
-        creates: /usr/bin/python
-      when: inventory_hostname in ["centos8"]
-
     - name: Enable UTF-8 locale on Debian
       copy:
         dest: /etc/locale.gen
         content: |
           en_US.UTF-8 UTF-8
           fr_FR.UTF-8 UTF-8
+        mode: u=rw,go=r
       when: ansible_pkg_mgr == 'apt'
 
     - name: Generate UTF-8 locale on Debian
-      shell: locale-gen
+      command:
+        cmd: locale-gen
+      changed_when: true
       when: ansible_pkg_mgr == 'apt'
 
     - name: Write Unicode into /etc/environment
       copy:
         dest: /etc/environment
         content: "UNICODE_SNOWMAN=\u2603\n"
-
-    - name: Install prebuilt 'doas' binary
-      unarchive:
-        dest: /
-        src: ../data/docker/doas-debian.tar.gz
-
-    - name: Make prebuilt 'doas' binary executable
-      file:
-        path: /usr/local/bin/doas
-        mode: 'u=rwxs,go=rx'
-        owner: root
-        group: root
+        mode: u=rw,go=r
 
     - name: Install doas.conf
       copy:
@@ -116,6 +47,7 @@
         content: |
           permit :mitogen__group
           permit :root
+        mode: u=rw,go=
 
     - name: Set root user password and shell
       user:
@@ -127,6 +59,7 @@
       file:
         path: /var/run/sshd
         state: directory
+        mode: u=rwx,go=rx
 
     - name: Generate SSH host key
       command: ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
@@ -142,6 +75,7 @@
         dest: /etc/sentinel
         content: |
           i-am-mitogen-test-docker-image
+        mode: u=rw,go=r
 
     - name: Ensure /etc/sudoers.d exists
       file:

tests/image_prep/_user_accounts.yml

@@ -181,6 +181,6 @@
           {% endfor %}
         validate: '/usr/sbin/visudo -cf %s'
       when:
-        - ansible_virtualization_type != "docker"
+        - ansible_connection == "local"
   roles:
     - role: user_policies

tests/image_prep/ansible.cfg

@@ -1,12 +1,17 @@
 
 [defaults]
+any_errors_fatal = true
+# Ansible >= 6 (ansible-core >= 2.13)
+callback_result_format = yaml
 deprecation_warnings = false
+duplicate_dict_key = error
+inventory = hosts.ini
 strategy_plugins = ../../ansible_mitogen/plugins/strategy
 retry_files_enabled = false
-display_args_to_stdout = True
 no_target_syslog = True
 host_key_checking = False
-stdout_callback = yaml
 
 [inventory]
-unparsed_is_fatal = true
+any_unparsed_is_failed = true
+host_pattern_mismatch = error
+unparsed_is_failed = true

tests/image_prep/apache_proxy.conf

@@ -0,0 +1,33 @@
+DefaultRuntimeDir ${XDG_RUNTIME_DIR}
+PidFile ${XDG_RUNTIME_DIR}/apache2.pid
+
+LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
+LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
+LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
+LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
+LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
+LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+
+KeepAlive On
+Listen 8090
+
+<Directory />
+    Require all denied
+    AllowOverride None
+</Directory>
+
+<VirtualHost *:8090>
+    ServerName centos-vault-proxy
+    SSLProxyEngine On
+    CustomLog logs/access.log vhost_combined
+    ProxyPass "/" "https://vault.centos.org/"
+    ProxyPassReverse "https://vault.centos.org/" "/"
+    RedirectMatch "^/(.*)" "http://centos-vault-proxy:8090/$1"
+</VirtualHost>
+
+# /usr/sbin/apache2 -d . -f apache_proxy.conf -D FOREGROUND
+
+# vim: syntax=apache

tests/image_prep/group_vars/all.yml

@@ -1,16 +1,18 @@
 ansible_version_major_minor: "{{ ansible_version.major }}.{{ ansible_version.minor }}"
 
 common_packages:
+  - acl
   - openssh-server
   - rsync
   - strace
   - sudo
 
 container_image_name: "{{ container_registry }}/{{ inventory_hostname }}-test"
-container_registry: public.ecr.aws/n5z0e8q9
+container_registry: ghcr.io/mitogen-hq
 
 sudo_group:
   MacOSX: admin
   Debian: sudo
   Ubuntu: sudo
   CentOS: wheel
+  AlmaLinux: wheel

tests/image_prep/host_vars/alma9.yml

@@ -0,0 +1,6 @@
+bootstrap_packages: [python3]
+docker_base: almalinux:9
+
+packages:
+  - perl-JSON
+  - procps-ng

tests/image_prep/host_vars/centos5.yml

@@ -1,6 +1,36 @@
 bootstrap_packages: [python-simplejson]
 
-docker_base: astj/centos5-vault
+docker_base: centos:5
 
 packages:
   - perl
+package_manager_repos:
+  - dest: /etc/yum.repos.d/CentOS-Base.repo
+    content: |
+      [base]
+      name=CentOS-$releasever - Base
+      baseurl=http://centos-vault-proxy:8090/5.11/os/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+
+      [updates]
+      name=CentOS-$releasever - Updates
+      baseurl=http://centos-vault-proxy:8090/5.11/updates/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+
+      [extras]
+      name=CentOS-$releasever - Extras
+      baseurl=http://centos-vault-proxy:8090/5.11/extras/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+
+  - dest: /etc/yum.repos.d/libselinux.repo
+    content: |
+      [libselinux]
+      name=CentOS-$releasever - libselinux
+      baseurl=http://centos-vault-proxy:8090/5.11/centosplus/$basearch/
+      gpgcheck=1
+      enabled=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+      includepkgs=libselinux*

tests/image_prep/host_vars/centos6.yml

@@ -1,6 +1,27 @@
 bootstrap_packages: [python]
 
-docker_base: moreati/centos6-vault
+docker_base: centos:6
 
 packages:
   - perl-JSON
+
+package_manager_repos:
+  - dest: /etc/yum.repos.d/CentOS-Base.repo
+    content: |
+      [base]
+      name=CentOS-$releasever - Base
+      baseurl=http://vault.centos.org/6.10/os/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+      [updates]
+      name=CentOS-$releasever - Updates
+      baseurl=http://vault.centos.org/6.10/updates/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+      [extras]
+      name=CentOS-$releasever - Extras
+      baseurl=http://vault.centos.org/6.10/extras/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

tests/image_prep/host_vars/centos7.yml

@@ -6,3 +6,24 @@ packages:
   - perl-JSON
   - python-virtualenv
   - python3
+
+package_manager_repos:
+  - dest: /etc/yum.repos.d/CentOS-Base.repo
+    content: |
+      [base]
+      name=CentOS-$releasever - Base
+      baseurl=http://vault.centos.org/$contentdir/$releasever/os/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+      [updates]
+      name=CentOS-$releasever - Updates
+      baseurl=http://vault.centos.org/$contentdir/$releasever/updates/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+      [extras]
+      name=CentOS-$releasever - Extras
+      baseurl=http://vault.centos.org/$contentdir/$releasever/extras/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

tests/image_prep/host_vars/centos8.yml

@@ -6,5 +6,29 @@ packages:
   - perl-JSON
   - python2-virtualenv
   - python3-virtualenv
-  - python36
-  - python38
+
+package_manager_repos:
+  - dest: /etc/yum.repos.d/CentOS-Linux-AppStream.repo
+    content: |
+      [appstream]
+      name=CentOS Linux $releasever - AppStream
+      baseurl=http://vault.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
+      enabled=1
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+  - dest: /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
+    content: |
+      [baseos]
+      name=CentOS Linux $releasever - BaseOS
+      baseurl=http://vault.centos.org/$contentdir/$releasever/BaseOS/$basearch/os/
+      enabled=1
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+  - dest: /etc/yum.repos.d/CentOS-Linux-Extras.repo
+    content: |
+      [extras]
+      name=CentOS Linux $releasever - Extras
+      baseurl=http://vault.centos.org/$contentdir/$releasever/extras/$basearch/os/
+      enabled=1
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

tests/image_prep/host_vars/debian10.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python]
+bootstrap_packages: [python, python-apt]
 
 docker_base: debian:10
 
@@ -9,3 +9,11 @@ packages:
   - python3
   - python3-virtualenv
   - virtualenv
+
+package_manager_repos:
+  - dest: /etc/apt/sources.list
+    content: |
+      deb http://archive.debian.org/debian/ buster main non-free contrib
+      deb http://archive.debian.org/debian/ buster-updates main non-free contrib
+      deb http://archive.debian.org/debian/ buster-proposed-updates main non-free contrib
+      deb http://security.debian.org/ buster/updates main non-free contrib

tests/image_prep/host_vars/debian11.yml

@@ -1,11 +1,18 @@
 bootstrap_packages: [python3, python3-apt]
 
-docker_base: debian:bullseye
+docker_base: debian:11
 
 packages:
+  - doas
   - libjson-perl
   - locales
   - python-is-python3
   - python2
   - python3-virtualenv
   - virtualenv
+
+package_manager_keys:
+  - src: debian-archive-bullseye-automatic.gpg  # Debian 11
+    dest: /etc/apt/trusted.gpg.d/
+  - src: debian-archive-bookworm-automatic.gpg  # Debian 12
+    dest: /etc/apt/trusted.gpg.d/

tests/image_prep/host_vars/debian12.yml

@@ -0,0 +1,8 @@
+bootstrap_packages: [python3, python3-apt]
+docker_base: debian:12
+
+packages:
+  - libjson-perl
+  - locales
+  - opendoas
+  - virtualenv

tests/image_prep/host_vars/debian9.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python]
+bootstrap_packages: [python, python-apt]
 
 docker_base: debian:9
 
@@ -9,3 +9,10 @@ packages:
   - python3
   - python3-virtualenv
   - virtualenv
+
+package_manager_repos:
+  - dest: /etc/apt/sources.list
+    content: |
+      deb http://archive.debian.org/debian/ stretch main contrib non-free
+      deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
+      deb http://archive.debian.org/debian-security stretch/updates main contrib non-free

tests/image_prep/host_vars/ubuntu1604.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python]
+bootstrap_packages: [python, python-apt]
 
 docker_base: ubuntu:16.04
 

tests/image_prep/host_vars/ubuntu1804.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python]
+bootstrap_packages: [python, python-apt]
 
 docker_base: ubuntu:18.04
 

tests/image_prep/host_vars/ubuntu2004.yml

@@ -1,4 +1,4 @@
-bootstrap_packages: [python3]
+bootstrap_packages: [python3, python3-apt]
 
 docker_base: ubuntu:20.04
 

tests/image_prep/host_vars/ubuntu2204.yml

@@ -0,0 +1,10 @@
+bootstrap_packages: [python3, python3-apt]
+docker_base: ubuntu:22.04
+
+packages:
+  - doas
+  - libjson-perl
+  - locales
+  - python2
+  - python3-virtualenv
+  - virtualenv

tests/image_prep/host_vars/ubuntu2404.yml

@@ -0,0 +1,9 @@
+bootstrap_packages: [python3, python3-apt]
+docker_base: ubuntu:24.04
+
+packages:
+  - libjson-perl
+  - locales
+  - opendoas
+  - python3-virtualenv
+  - virtualenv

tests/image_prep/hosts.ini

@@ -1,4 +1,5 @@
 [all:children]
+alma
 centos
 debian
 ubuntu
@@ -6,6 +7,9 @@ ubuntu
 [all:vars]
 ansible_connection = docker
 
+[alma]
+alma9
+
 [centos]
 centos5
 centos6
@@ -16,8 +20,37 @@ centos8
 debian9
 debian10
 debian11
+debian12
 
 [ubuntu]
 ubuntu1604
 ubuntu1804
 ubuntu2004
+ubuntu2204
+ubuntu2404
+
+[ansible_2_3]
+# Python 2.4 on targets
+centos5
+
+[ansible_5]
+# Python 2.6 on targets
+centos6
+
+[ansible_9]
+# Python 2.7 and/or 3.6 on targets
+centos7
+centos8
+debian9
+debian10
+ubuntu1604
+ubuntu1804
+
+[ansible_11]
+# Python >= 3.8 on targets
+alma9
+debian11
+debian12
+ubuntu2004
+ubuntu2204
+ubuntu2404

tests/image_prep/roles/bootstrap/defaults/main.yml

@@ -0,0 +1,2 @@
+bootstrap_packages: []
+package_manager_repos: []

tests/image_prep/roles/bootstrap/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: Bootstrap
+  raw: "{{ lookup('template', 'bootstrap.sh.j2') }}"
+  changed_when: true

tests/image_prep/roles/bootstrap/templates/bootstrap.sh.j2

@@ -0,0 +1,21 @@
+set -o errexit
+set -o nounset
+
+{% for item in package_manager_repos %}
+cat << "EOF" > "{{ item.dest }}"
+{{ item.content }}
+EOF
+{% endfor %}
+
+{% if bootstrap_packages %}
+if command -v apt-get; then
+  apt-get -y update
+  apt-get -y --no-install-recommends install {{ bootstrap_packages | join(' ') }}
+elif command -v dnf; then
+  dnf -y install {{ bootstrap_packages | join(' ') }}
+elif command -v yum; then
+  yum -y install {{ bootstrap_packages | join(' ') }}
+else
+  exit 42
+fi
+{% endif %}

tests/image_prep/roles/container_host/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: Update GRUB
+  command: update-grub
+  changed_when: true
+
+- name: Reboot
+  reboot:

tests/image_prep/roles/container_host/tasks/main.yml

@@ -0,0 +1,27 @@
+# > If running `docker run --rm -it centos:centos6.7 bash` immediately exits
+# > with status code 139, check to see if your system has disabled vsyscall:
+# > ...
+# > If you do not see a vsyscall mapping, and you need to run a CentOS 6
+# > container, try adding vsyscall=emulated to the kernel options.
+# > -- https://hub.docker.com/_/centos
+
+- name: Check vsyscall enabled
+  command:
+    cmd: grep -c vsyscall /proc/self/maps
+  register: grep_self_maps_result
+  changed_when: false
+  check_mode: false
+  failed_when:
+    # 0 -> match, 1 -> no match, 2 -> error
+    - grep_self_maps_result.rc not in [0, 1]
+
+- name: Enable vsyscall
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT.+'
+    line: GRUB_CMDLINE_LINUX_DEFAULT="quiet vsyscall=emulate"
+  when:
+    - grep_self_maps_result.rc != 0
+  notify:
+    - Update GRUB
+    - Reboot

tests/image_prep/roles/packages/defaults/main.yml

@@ -0,0 +1,14 @@
+common_packages: []
+packages: []
+
+packages_clean_command:
+    apt: apt-get clean
+    dnf: dnf clean all
+    yum: yum clean all
+
+packages_cleanup_directories:
+    apt:
+      - /var/cache/apt
+      - /var/lib/apt/lists
+    dnf: []
+    yum: []

tests/image_prep/roles/packages/tasks/main.yml

@@ -0,0 +1,35 @@
+- name: Ensure requisite apt packages are installed
+  apt:
+    name: "{{ common_packages + packages }}"
+    state: present
+    install_recommends: false
+    update_cache: true
+  when:
+    - ansible_pkg_mgr == 'apt'
+
+- name: Ensure requisite yum packages are installed
+  yum:
+    name: "{{ common_packages + packages }}"
+    state: present
+    update_cache: true
+  when:
+    - ansible_pkg_mgr == 'yum'
+
+- name: Ensure requisite dnf packages are installed
+  dnf:
+    name: "{{ common_packages + packages }}"
+    state: present
+    update_cache: true
+  when:
+    - ansible_pkg_mgr == 'dnf'
+
+- name: Clean up package cache
+  command:
+    cmd: "{{ packages_clean_command[ansible_pkg_mgr] }}"
+  changed_when: true
+
+- name: Clean up package directories
+  shell:
+    rm -rf {{ item }}/*
+  with_items: "{{ packages_cleanup_directories }}"
+  changed_when: true

tests/image_prep/roles/sshd_container/handlers/main.yml

@@ -1,2 +1,4 @@
 - name: Restart sshd
-  meta: noop
+  command: "true"
+  changed_when: false
+  check_mode: false

tests/image_prep/setup.yml

@@ -1,6 +1,17 @@
 #!/usr/bin/env ansible-playbook
 
-- include_playbook: _container_create.yml
-- include_playbook: _container_setup.yml
-- include_playbook: _user_accounts.yml
-- include_playbook: _container_finalize.yml
+- name: Get base images
+  hosts: all
+  # strategy: mitogen_free
+  gather_facts: false
+  tasks:
+    - name: Fetch container base images
+      docker_image:
+        name: "{{ docker_base }}"
+        source: pull  # Added in Ansible 2.8, required circa 2.12
+      delegate_to: localhost
+
+- import_playbook: _container_create.yml
+- import_playbook: _container_setup.yml
+- import_playbook: _user_accounts.yml
+- import_playbook: _container_finalize.yml

tests/image_prep/setup_ansible2.3.yml

@@ -0,0 +1,15 @@
+#!/usr/bin/env ansible-playbook
+
+- name: Get base images
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Fetch container base images
+      docker_image:
+        name: "{{ docker_base }}"
+      delegate_to: localhost
+
+- include: _container_create.yml
+- include: _container_setup.yml
+- include: _user_accounts.yml
+- include: _container_finalize.yml

tests/image_prep/tox.ini

@@ -1,7 +1,9 @@
 [tox]
 envlist =
     ansible2.3,
-    ansible2.10,
+    ansible5
+    ansible9
+    ansible11
 skipsdist = true
 
 [testenv]
@@ -13,17 +15,47 @@ basepython = python2
 deps =
     ansible>=2.3,<2.4
     docker-py>=1.7.0
-    mitogen>=0.2.10rc1,<0.3
+    mitogen~=0.2.0
 install_command =
     python -m pip --no-python-version-warning install {opts} {packages}
 commands =
-    ./setup.yml -i hosts.ini -l 'localhost,centos5' {posargs}
+    ansible-playbook -l 'localhost,ansible_2_3' setup_ansible2.3.yml
 
-[testenv:ansible2.10]
+[testenv:ansible5]
 basepython = python3
 deps =
-    ansible>=2.10,<2.11
+    ansible~=5.0
     docker>=1.8.0
-    mitogen>=0.3.0rc1,<0.4
+    mitogen~=0.3.0
+    passlib
+setenv =
+    ANSIBLE_PYTHON_INTERPRETER=auto_silent
+    ANSIBLE_STDOUT_CALLBACK=yaml
+commands =
+    ansible-playbook -l 'localhost,ansible_5' setup.yml
+
+[testenv:ansible9]
+basepython = python3
+deps =
+    ansible~=9.0
+    docker>=1.8.0
+    mitogen~=0.3.0
+    passlib
+setenv =
+    ANSIBLE_PYTHON_INTERPRETER=auto_silent
+    ANSIBLE_STDOUT_CALLBACK=yaml
+commands =
+    ansible-playbook -l 'localhost,ansible_9' setup.yml
+
+[testenv:ansible11]
+basepython = python3
+deps =
+    ansible~=11.0
+    docker>=1.8.0
+    mitogen~=0.3.0
+    passlib
+setenv =
+    ANSIBLE_PYTHON_INTERPRETER=auto_silent
+    ANSIBLE_STDOUT_CALLBACK=yaml
 commands =
-    ./setup.yml -i hosts.ini  -l '!centos5' {posargs}
+    ansible-playbook -l 'localhost,ansible_11' setup.yml

tests/responder_test.py

@@ -198,21 +198,3 @@ class ForwardTest(testlib.RouterMixin, testlib.TestCase):
         self.assertEqual(2+os_fork, self.router.responder.good_load_module_count)
         self.assertLess(10000, self.router.responder.good_load_module_size)
         self.assertGreater(40000, self.router.responder.good_load_module_size)
-
-
-class BlacklistTest(testlib.TestCase):
-    @unittest.skip('implement me')
-    def test_whitelist_no_blacklist(self):
-        assert 0
-
-    @unittest.skip('implement me')
-    def test_whitelist_has_blacklist(self):
-        assert 0
-
-    @unittest.skip('implement me')
-    def test_blacklist_no_whitelist(self):
-        assert 0
-
-    @unittest.skip('implement me')
-    def test_blacklist_has_whitelist(self):
-        assert 0

tests/testlib.py

@@ -53,11 +53,11 @@ LOG = logging.getLogger(__name__)
 
 DISTRO_SPECS = os.environ.get(
     'MITOGEN_TEST_DISTRO_SPECS',
-    'centos6 centos8 debian9 debian11 ubuntu1604 ubuntu2004',
+    'alma9-py3 centos5 centos8-py3 debian9 debian12-py3 ubuntu1604 ubuntu2404-py3',
 )
 IMAGE_TEMPLATE = os.environ.get(
     'MITOGEN_TEST_IMAGE_TEMPLATE',
-    'ghcr.io/mitogen-hq/%(distro)s-test:2021',
+    'ghcr.io/mitogen-hq/%(distro)s-test:2025.02',
 )
 
 TESTS_DIR =                     os.path.join(os.path.dirname(__file__))
@@ -725,6 +725,7 @@ class DockerMixin(RouterMixin):
             #   - tests/testlib.py
             'ssh_args': [
                 '-o', 'HostKeyAlgorithms +ssh-rsa',
+                '-o', 'KexAlgorithms +diffie-hellman-group1-sha1',
                 '-o', 'PubkeyAcceptedKeyTypes +ssh-rsa',
             ],
             'python_path': self.dockerized_ssh.python_path,

tox.ini

@@ -6,17 +6,17 @@
 
 # Py   A cntrllr  A target   coverage   Django     Jinja2     pip        psutil     pytest     tox        virtualenv
 # ==== ========== ========== ========== ========== ========== ========== ========== ========== ========== ==========
-# 2.4             2.3?       <= 3.7.1   <= 1.3.7              <= 1.1     <= 2.1.3              <= 1.4     <= 1.8
-# 2.5                        <= 3.7.1   <= 1.4.22             <= 1.3.1   <= 2.1.3   <= 2.8.7   <= 1.6.1   <= 1.9.1
+# 2.4             <= 2.3³    <= 3.7.1   <= 1.3.7              <= 1.1     <= 2.1.3              <= 1.4     <= 1.8
+# 2.5             <= 2.3³    <= 3.7.1   <= 1.4.22             <= 1.3.1   <= 2.1.3   <= 2.8.7   <= 1.6.1   <= 1.9.1
 # 2.6  <= 2.6.20  <= 2.12    <= 4.5.4   <= 1.6.11  <= 2.10.3  <= 9.0.3   <= 5.9.0   <= 3.2.5   <= 2.9.1   <= 15.2.0
 # 2.7  <= 2.11    <= 2.16    <= 5.5     <= 1.11.29 <= 2.11.3  <= 20                 <= 4.6.11  <= 3.28    <= 20.15²
 # 3.5  <= 2.11    <= 2.15    <= 5.5     <= 2.2.28  <= 2.11.3  <= 20      <= 5.9.5   <= 6.1.0   <= 3.28    <= 20.15²
 # 3.6  <= 2.11    <= 2.16    <= 6.2     <= 3.2.20  <= 3.0.3   <= 21                 <= 7.0.1   <= 3.28    <= 20.17²
 # 3.7  <= 2.12    <= 2.17    <= 7.2.7   <= 3.2.20                                   <= 7.4.4   <= 4.8.0   <= 20.26.6²
-# 3.8  <= 2.12
+# 3.8  <= 2.12    <= 2.19
 # 3.9  <= 2.15
 # 3.10 <= 2.17
-# 3.11
+# 3.11 <= 2.19
 # 3.12            >= 2.13¹
 #
 # Notes
@@ -35,6 +35,8 @@
 #    Virtualenv <= 20.21.1 supports creating virtualenvs with any *target* Python.
 #    Virtualenv >= 20.22 supports creating virtualenvs with target Python >= 3.7.
 #    https://virtualenv.pypa.io/en/latest/#compatibility
+#
+# 3. https://docs.ansible.com/ansible/2.7/dev_guide/developing_python_3.html#minimum-version-of-python-3-x-and-python-2-x
 
 # Ansible            Dependency
 # ================== ======================
@@ -50,6 +52,7 @@
 # ansible == 10.x    ansible-core ~= 2.17.0
 # ansible == 11.x    ansible-core ~= 2.18.0
 # ansible == 12.x    ansible-core ~= 2.19.0
+# ansible == 13.x    ansible-core ~= 2.20.0
 
 # See also
 # - https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
@@ -60,7 +63,7 @@ envlist =
     py{27,36}-m_ans-ans{2.10,3,4}
     py{311}-m_ans-ans{2.10,3-5}
     py{313}-m_ans-ans{6-9}
-    py{314}-m_ans-ans{10-12}
+    py{314}-m_ans-ans{10-13}
     py{27,36,314}-m_mtg
     report,
 
@@ -93,6 +96,7 @@ deps =
     ans10: ansible~=10.0
     ans11: ansible~=11.0
     ans12: ansible~=12.0
+    ans13: ansible~=13.0
 install_command =
     python -m pip --no-python-version-warning --disable-pip-version-check install {opts} {packages}
 commands_pre =
@@ -115,31 +119,22 @@ setenv =
     PIP_CONSTRAINT={toxinidir}/tests/constraints.txt
     # Superceded in Ansible >= 6 (ansible-core >= 2.13) by result_format=yaml
     # Deprecated in Ansible 12 (ansible-core 2.19)
+    # Removed in Ansible 13 (ansible-core 2.20)
     ans{2.10,3,4,5}: ANSIBLE_STDOUT_CALLBACK=yaml
     # Print warning on the first occurence at each module:linenno in Mitogen. Available Python 2.7, 3.2+.
     PYTHONWARNINGS=default:::ansible_mitogen,default:::mitogen
+    ans{2.10,3,4,5}: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 centos6 centos8-py3 debian9 debian12-py3 ubuntu1604 ubuntu2204-py3
     # Ansible 6 - 8 (ansible-core 2.13 - 2.15) require Python 2.7 or >= 3.5 on targets
-    ans{6,7,8}: MITOGEN_TEST_DISTRO_SPECS=centos7 centos8 debian9 debian10 debian11 ubuntu1604 ubuntu1804 ubuntu2004
+    ans{6,7,8}: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 centos7 centos8-py3 debian9 debian10 debian12-py3 ubuntu1604 ubuntu1804 ubuntu2404-py3
     # Ansible 9 (ansible-core 2.16) requires Python 2.7 or >= 3.6 on targets
-    ans9: MITOGEN_TEST_DISTRO_SPECS=centos7 centos8 debian9 debian10 debian11 ubuntu1804 ubuntu2004
+    ans9: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 centos7 centos8-py3 debian9 debian10 debian12-py3 ubuntu1804 ubuntu2404-py3
     # Ansible 10 (ansible-core 2.17) requires Python >= 3.7 on targets
-    ans10: MITOGEN_TEST_DISTRO_SPECS=debian10-py3 debian11-py3 ubuntu2004-py3
+    ans10: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian10-py3 debian12-py3 ubuntu2404-py3
     # Ansible 11 (ansible-core 2.18) requires Python >= 3.8 on targets
-    ans11: MITOGEN_TEST_DISTRO_SPECS=debian11-py3 ubuntu2004-py3
-    ans12: MITOGEN_TEST_DISTRO_SPECS=debian11-py3 ubuntu2004-py3
-    distros_centos: MITOGEN_TEST_DISTRO_SPECS=centos6 centos7 centos8
-    distros_centos5: MITOGEN_TEST_DISTRO_SPECS=centos5
-    distros_centos6: MITOGEN_TEST_DISTRO_SPECS=centos6
-    distros_centos7: MITOGEN_TEST_DISTRO_SPECS=centos7
-    distros_centos8: MITOGEN_TEST_DISTRO_SPECS=centos8
-    distros_debian: MITOGEN_TEST_DISTRO_SPECS=debian9 debian10 debian11
-    distros_debian9: MITOGEN_TEST_DISTRO_SPECS=debian9
-    distros_debian10: MITOGEN_TEST_DISTRO_SPECS=debian10
-    distros_debian11: MITOGEN_TEST_DISTRO_SPECS=debian11
-    distros_ubuntu: MITOGEN_TEST_DISTRO_SPECS=ubuntu1604 ubuntu1804 ubuntu2004
-    distros_ubuntu1604: MITOGEN_TEST_DISTRO_SPECS=ubuntu1604
-    distros_ubuntu1804: MITOGEN_TEST_DISTRO_SPECS=ubuntu1804
-    distros_ubuntu2004: MITOGEN_TEST_DISTRO_SPECS=ubuntu2004
+    ans11: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian12-py3 ubuntu2004-py3
+    ans12: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian12-py3 ubuntu2404-py3
+    # Ansible 13 (ansible-core 2.20) requires Python >= 3.9 on targets
+    ans13: MITOGEN_TEST_DISTRO_SPECS=alma9-py3 debian12-py3 ubuntu2404-py3
     m_ans: MODE=ansible
     m_ans: ANSIBLE_SKIP_TAGS=resource_intensive
     m_ans: ANSIBLE_CALLBACK_WHITELIST=profile_tasks