[stable-2.12] ansible-test - Improve container management.

.azure-pipelines/azure-pipelines.yml

@@ -105,6 +105,23 @@ stages:
             - 3
             - 4
             - 5
+      - template: templates/matrix.yml  # context/controller (ansible-test container management)
+        parameters:
+          targets:
+            - name: Alpine 3.16
+              test: alpine/3.16
+            - name: Fedora 36
+              test: fedora/36
+            - name: RHEL 8.4
+              test: rhel/8.4
+            - name: RHEL 9.0
+              test: rhel/9.0
+            - name: Ubuntu 20.04
+              test: ubuntu/20.04
+            - name: Ubuntu 22.04
+              test: ubuntu/22.04
+          groups:
+            - 6
   - stage: Docker
     dependsOn: []
     jobs:

changelogs/fragments/77472-ansible-test-network-disconnect-warning.yml

@@ -0,0 +1,3 @@
+bugfixes:
+- ansible-test - Don't fail if network cannot be disconnected
+  (https://github.com/ansible/ansible/pull/77472)

changelogs/fragments/ansible-test-code-cleanup.yml

@@ -1,2 +1,4 @@
 minor_changes:
   - ansible-test - Minor code cleanup.
+  - ansible-test - Miscellaneous code cleanup and type hint fixes.
+  - ansible-test - Remove unused Python 2.x compatibility code.

changelogs/fragments/ansible-test-collection-identifier.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Stop early with an error if the current working directory contains an invalid collection namespace or name.

changelogs/fragments/ansible-test-container-management.yml

@@ -0,0 +1,70 @@
+major_changes:
+  - ansible-test - Docker and Podman are now supported on hosts with cgroup v2 unified. 
+                   Previously only cgroup v1 and cgroup v2 hybrid were supported.
+  - ansible-test - Docker Desktop on WSL2 is now supported (additional configuration required).
+  - ansible-test - Podman on WSL2 is now supported.
+  - ansible-test - Podman now works on container hosts without systemd.
+                   Previously only some containers worked, while others required rootfull or rootless Podman,
+                   but would not work with both. Some containers did not work at all.
+  - ansible-test - When additional cgroup setup is required on the container host, this will be automatically detected.
+                   Instructions on how to configure the host will be provided in the error message shown.
+minor_changes:
+  - ansible-test - When using Podman, ansible-test will detect if the loginuid used in containers is incorrect.
+                   When this occurs a warning is displayed and the container is run with the AUDIT_CONTROL capability.
+                   Previously containers would fail under this situation, with no useful warnings or errors given.
+  - ansible-test - Failure to connect to a container over SSH now results in a clear error.
+                   Previously tests would be attempted even after initial connection attempts failed.
+  - ansible-test - Warnings are now shown when using containers that were built with VOLUME instructions.
+  - ansible-test - Unit tests now support network disconnect by default when running under Podman.
+                   Previously this feature only worked by default under Docker.
+  - ansible-test - Additional log details are shown when containers fail to start or SSH connections to containers fail.
+  - ansible-test - Containers included with ansible-test no longer disable seccomp by default.
+  - ansible-test - A new ``cgroup`` option is available when running custom containers.
+                   This option can be used to indicate a container requires cgroup v1 or that it does not use cgroup.
+                   The default behavior assumes the container works with cgroup v2 (as well as v1).
+  - ansible-test - A new ``audit`` option is available when running custom containers.
+                   This option can be used to indicate whether a container requires the AUDIT_WRITE capability.
+                   The default is ``required``, which most containers will need when using Podman.
+                   If necessary, the ``none`` option can be used to opt-out of the capability.
+                   This has no effect on Docker, which always provides the capability.
+  - ansible-test - More details are provided about an instance when provisioning fails.
+  - ansible-test - Connection failures to remote provisioned hosts now show failure details as a warning.
+  - ansible-test - When setting the max open files for containers, the container host's limit will be checked.
+                   If the host limit is lower than the preferred value, it will be used and a warning will be shown.
+  - ansible-test - Use ``stop --time 0`` followed by ``rm`` to remove ephemeral containers instead of ``rm -f``.
+                   This speeds up teardown of ephemeral containers.
+  - ansible-test - Reduce the polling limit for SSHD startup in containers from 60 retries to 10.
+                   The one second delay between retries remains in place.
+  - ansible-test - Integration tests can be excluded from retries triggered by the ``--retry-on-error`` option by
+                   adding the ``retry/never`` alias. This is useful for tests that cannot pass on a retry or are too
+                   slow to make retries useful.
+  - ansible-test - The ``ansible-test env`` command now detects and reports the container ID if running in a container.
+  - ansible-test - SSH connections from OpenSSH 8.8+ to CentOS 6 containers now work without additional configuration.
+                   However, clients older than OpenSSH 7.0 can no longer connect to CentOS 6 containers as a result.
+                   The container must have ``centos6`` in the image name for this work-around to be applied.
+  - ansible-test - SSH shell connections from OpenSSH 8.8+ to ansible-test provisioned network instances now work without additional configuration.
+                   However, clients older than OpenSSH 7.0 can no longer open shell sessions for ansible-test provisioned network instances as a result.
+bugfixes:
+  - ansible-test - Multiple containers now work under Podman without specifying the ``--docker-network`` option.
+  - ansible-test - Prevent concurrent / repeat pulls of the same container image.
+  - ansible-test - Prevent concurrent / repeat inspections of the same container image.
+  - ansible-test - Prevent concurrent execution of cached methods.
+  - ansible-test - Handle server errors when executing the ``docker info`` command.
+  - ansible-test - Show the exception type when reporting errors during instance provisioning.
+  - ansible-test - Pass the ``XDG_RUNTIME_DIR`` environment variable through to container commands.
+  - ansible-test - Connection attempts to managed remote instances no longer abort on ``Permission denied`` errors.
+  - ansible-test - Detection for running in a Podman or Docker container has been fixed to detect more scenarios.
+                   The new detection relies on ``/proc/self/mountinfo`` instead of ``/proc/self/cpuset``.
+                   Detection now works with custom cgroups and private cgroup namespaces.
+  - ansible-test - Avoid using ``exec`` after container startup when possible.
+                   This improves container startup performance and avoids intermittent startup issues with some old containers.
+known_issues:
+  - ansible-test - Using Docker on systems with SELinux may require setting SELinux to permissive mode.
+                   Podman should work with SELinux in enforcing mode.
+  - ansible-test - Additional configuration may be required for certain container host and container combinations.
+                   Further details are available in the testing documentation.
+  - ansible-test - Systems with Podman networking issues may be unable to run containers, when previously the issue
+                   went unreported. Correct the networking issues to continue using ``ansible-test`` with Podman.
+  - ansible-test - Custom containers with ``VOLUME`` instructions may be unable to start, when previously the containers
+                   started correctly. Remove the ``VOLUME`` instructions to resolve the issue. Containers with this
+                   condition will cause ``ansible-test`` to emit a warning.

changelogs/fragments/ansible-test-container-tmpfs.yml

@@ -0,0 +1,5 @@
+bugfixes:
+  - ansible-test - Test containers are now run with the ``--tmpfs`` option for ``/tmp``, ``/run`` and ``/run/lock``.
+                   This allows use of containers built without the ``VOLUME`` instruction.
+                   Additionally, containers with those volumes defined no longer create anonymous volumes for them.
+                   This avoids leaving behind volumes on the container host after the container is stopped and deleted.

changelogs/fragments/ansible-test-content-config.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - "ansible-test - Test configuration for collections is now parsed only once, prior to delegation.
+                    Fixes issue: https://github.com/ansible/ansible/issues/78334"

changelogs/fragments/ansible-test-docker-ulimit.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Change the maximum number of open files in a test container from the default to ``10240``.

changelogs/fragments/ansible-test-fix-type-hints.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix type hints.

changelogs/fragments/ansible-test-fix-typo-validate-modules.yaml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - fix a typo in validate-modules.

changelogs/fragments/ansible-test-fix-warning-msg.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - fix warning message about failing to run an image to include the image name

changelogs/fragments/ansible-test-generalize-become.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Become support for remote instance provisioning is no longer tied to a fixed list of platforms.

changelogs/fragments/ansible-test-help-cwd.yml

@@ -0,0 +1,5 @@
+minor_changes:
+  - ansible-test - The ``--help`` option is now available when an unsupported cwd is in use.
+  - ansible-test - The ``--help`` output now shows the same instructions about cwd as would be shown in error messages if the cwd is unsupported.
+  - ansible-test - Add ``--version`` support to show the ansible-core version.
+  - ansible-test - The explanation about cwd usage has been improved to explain more clearly what is required.

changelogs/fragments/ansible-test-integration-targets-filter.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - ansible-test - Allow disabled, unsupported, unstable and destructive integration test targets to be selected using their respective prefixes.
+  - ansible-test - Allow unstable tests to run when targeted changes are made and the ``--allow-unstable-changed`` option is specified
+                   (resolves https://github.com/ansible/ansible/issues/74213).

changelogs/fragments/ansible-test-maxfd.yaml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Remove obsolete ``MAXFD`` display.

changelogs/fragments/ansible-test-more-remotes.yml

@@ -0,0 +1,5 @@
+minor_changes:
+  - ansible-test - Add support for provisioning remotes which require ``doas`` for become.
+  - ansible-test - Add support for provisioning Ubuntu 20.04 remote instances.
+  - ansible-test - Add support for provisioning Alpine 3.16 remote instances.
+  - ansible-test - Add support for provisioning Fedora 36 remote instances.

changelogs/fragments/ansible-test-multi-arch-remotes.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Add support for multi-arch remotes.

changelogs/fragments/ansible-test-paramiko-constraint.yaml

@@ -0,0 +1,3 @@
+bugfixes:
+  - ansible-test - Limit ``paramiko`` installation to versions before 2.9.0.
+    This is required to maintain support for systems which do not support RSA SHA-2 algorithms.

changelogs/fragments/ansible-test-plugin-loading.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix plugin loading.

changelogs/fragments/ansible-test-podman-create-retry.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - ansible-test - Always remove containers after failing to create/run them.
+                   This avoids leaving behind created containers when using podman.

changelogs/fragments/ansible-test-podman-remote.yaml

@@ -0,0 +1,3 @@
+minor_changes:
+- ansible-test - Add support for running container tests with ``podman remote``
+  (https://github.com/ansible/ansible/pull/75753)

changelogs/fragments/ansible-test-podman-support-containers.yaml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - fixed support container failures (eg http-test-container) under podman

changelogs/fragments/ansible-test-pypi-proxy-fix.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - ansible-test - Perform PyPI proxy configuration after instances are ready and bootstrapping has been completed.
+                   Only target instances are affected, as controller instances were already handled this way.
+                   This avoids proxy configuration errors when target instances are not yet ready for use.

changelogs/fragments/ansible-test-remote-acl.yml

@@ -0,0 +1,5 @@
+minor_changes:
+  - ansible-test - Remote FreeBSD instances now have ACLs enabled on the root filesystem.
+  - ansible-test - Remote Fedora instances now have the ``acl`` package installed.
+  - ansible-test - Remote Ubuntu instances now have the ``acl`` package installed.
+  - ansible-test - Remote Alpine instances now have the ``acl`` package installed.

changelogs/fragments/ansible-test-remote-become.yml

@@ -0,0 +1,3 @@
+minor_changes:
+  - ansible-test - Alpine remotes now use ``sudo`` for tests, using ``doas`` only for bootstrapping.
+  - ansible-test - FreeBSD remotes now use ``sudo`` for tests, using ``su`` only for bootstrapping.

changelogs/fragments/ansible-test-remote-completion-validation.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix internal validation of remote completion configuration.

changelogs/fragments/ansible-test-remove-aix-provisioning.yaml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Remove support for provisioning remote AIX instances.

changelogs/fragments/ansible-test-self-change-classification.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix change detection for ansible-test's own integration tests.

changelogs/fragments/ansible-test-shell-features.yml

@@ -0,0 +1,7 @@
+minor_changes:
+  - ansible-test - Add support for running non-interactive commands with ``ansible-test shell``.
+  - ansible-test - Add support for exporting inventory with ``ansible-test shell --export {path}``.
+  - ansible-test - The ``shell`` command can be used outside a collection if no controller delegation is required.
+  - ansible-test - Improve consistency of output messages by using stdout or stderr for most output, but not both.
+bugfixes:
+  - ansible-test - Sanity test output with the ``--lint`` option is no longer mixed in with bootstrapping output.

changelogs/fragments/ansible-test-subprocess-isolation.yml

@@ -0,0 +1,10 @@
+bugfixes:
+  - ansible-test - Subprocesses are now isolated from the stdin, stdout and stderr of ansible-test.
+                   This avoids issues with subprocesses tampering with the file descriptors, such as SSH making them non-blocking.
+                   As a result of this change, subprocess output from unit and integration tests on stderr now go to stdout.
+  - ansible-test - Subprocesses no longer have access to the TTY ansible-test is connected to, if any.
+                   This maintains consistent behavior between local testing and CI systems, which typically do not provide a TTY.
+                   Tests which require a TTY should use pexpect or another mechanism to create a PTY.
+minor_changes:
+  - ansible-test - Blocking mode is now enforced for stdin, stdout and stderr.
+                   If any of these are non-blocking then ansible-test will exit during startup with an error.

changelogs/fragments/ansible-test-target-options.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Prevent ``--target-`` prefixed options for the ``shell`` command from being combined with legacy environment options.

changelogs/fragments/ansible-test-tty-output-handling.yml

@@ -0,0 +1,7 @@
+bugfixes:
+  - ansible-test - The ``shell`` command no longer requests a TTY when using delegation unless an interactive shell is being used.
+                   An interactive shell is the default behavior when no command is given to pass to the shell.
+  - ansible-test - The ``shell`` command no longer redirects all output to stdout when running a provided command.
+                   Any command output written to stderr will be mixed with the stderr output from ansible-test.
+  - ansible-test - Delegation for commands which generate output for programmatic consumption no longer redirect all output to stdout.
+                   The affected commands and options are ``shell``, ``sanity --lint``, ``sanity --list-tests``, ``integration --list-targets``, ``coverage analyze``

changelogs/fragments/ansible-test-ubuntu-bootstrap-fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix bootstrapping of Python 3.9 on Ubuntu 20.04 remotes.

changelogs/fragments/ansible-test-ubuntu-remote.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Add support for Ubuntu VMs using the ``--remote`` option.

changelogs/fragments/ansible-test-verify-executables.yml

@@ -0,0 +1,6 @@
+bugfixes:
+  - ansible-test - Temporary executables are now verified as executable after creation.
+                   Without this check, path injected scripts may not be found,
+                   typically on systems with ``/tmp`` mounted using the "noexec" option.
+                   This can manifest as a missing Python interpreter, or use of the wrong Python interpreter, as well
+                   as other error conditions.

changelogs/fragments/ansible-test-windows-default.yaml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Add default entry for Windows remotes to be used with unknown versions.

changelogs/fragments/ansible_test.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+- ansible-test - handle JSON decode error gracefully in podman environment.

docs/docsite/rst/dev_guide/testing/sanity/integration-aliases.rst

@@ -96,6 +96,7 @@ There are several other aliases available as well:
 
 - ``destructive`` - Requires ``--allow-destructive`` to run without ``--docker`` or ``--remote``.
 - ``hidden`` - Target is ignored. Usable as a dependency. Automatic for ``setup_`` and ``prepare_`` prefixed targets.
+- ``retry/never`` - Target is excluded from retries enabled by the ``--retry-on-error`` option.
 
 Unstable
 --------