diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e112ceb..d2da113 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -19,8 +19,15 @@ updates: - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner +<<<<<<< HEAD # Managed by cisagov/skeleton-ansible-role - dependency-name: github/codeql-action +======= + # # Managed by cisagov/skeleton-ansible-role + # - dependency-name: docker/setup-buildx-action + # - dependency-name: docker/setup-qemu-action + # - dependency-name: github/codeql-action +>>>>>>> 9e3015cd6965dedb779cafd71c27889a1cc16efc package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b57fa87..3b88a29 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -168,12 +168,30 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: + name: >- + test (${{ matrix.scenario }}) - + ${{ matrix.platform }}-${{ matrix.architecture }} needs: - diagnostics runs-on: ubuntu-latest strategy: fail-fast: false matrix: + architecture: + - amd64 + - arm64 + platform: + - amazonlinux2023-systemd + - debian10-systemd + - debian11-systemd + - debian12-systemd + - debian13-systemd + - fedora39-systemd + - fedora40-systemd + - kali-systemd + - ubuntu-20-systemd + - ubuntu-22-systemd + - ubuntu-24-systemd scenario: - default steps: 
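Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 9e3015cd6965dedb779cafd71c27889a1cc16efc`) are committed as content of .github/dependabot.yml, so the file no longer parses as YAML and Dependabot will stop producing version and security updates for this repository's GitHub Actions until it is repaired. The same markers appear in both meta/main.yml hunks (`@@ -10,8 +10,13 @@` and `@@ -40,5 +45,10 @@`), which breaks the role metadata and any `ansible-galaxy` import in the same way. For dependabot.yml the HEAD side (`# Managed by cisagov/skeleton-ansible-role` / `- dependency-name: github/codeql-action`) looks like the intended result, since the skeleton side only comments those entries out. In meta/main.yml the role-specific values (`- numa`, `role_name: disable_numa`) presumably stay while `license: CC0-1.0` and `- noble` are adopted from the skeleton side, but that resolution should be confirmed with the author rather than inferred from the diff.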
@@ -204,8 +222,15 @@ jobs: run: | python -m pip install --upgrade pip pip install --upgrade --requirement requirements-test.txt + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Run molecule tests - run: molecule test --scenario-name ${{ matrix.scenario }} + run: >- + molecule test + --platform-name ${{ matrix.platform }}-${{ matrix.architecture }} + --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 48846e6..9f40b54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -125,8 +125,9 @@ repos: rev: 1.7.7 hooks: - id: bandit - # Bandit complains about the use of assert() in tests - exclude: molecule/(default|systemd_enabled)/tests + # Bandit complains about the use of assert() in tests. This should cover + # the tests/ subdirectory for any molecule scenario. + exclude: molecule/[^/]+/tests args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror diff --git a/meta/main.yml b/meta/main.yml index 81195d1..382dd0f 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -10,8 +10,13 @@ galaxy_info: company: CISA Cyber Assessments description: Disable NUMA globally galaxy_tags: +<<<<<<< HEAD - numa license: CC0 +======= + - skeleton + license: CC0-1.0 +>>>>>>> 9e3015cd6965dedb779cafd71c27889a1cc16efc # With the release of version 2.10, Ansible finally correctly # identifies Kali Linux as being the Kali distribution of the Debian # OS family. This simplifies a lot of things for roles that support @@ -31,8 +36,8 @@ galaxy_info: - trixie - name: Fedora versions: - - "38" - "39" + - "40" - name: Kali versions: - "2023" 
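Review bot: The two new steps reference `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3` by a mutable major-version tag, which matches the existing `mxschmitt/action-tmate@v3` pin but means the code executed in CI is whatever that tag points to on the day the job runs. Pinning third-party actions to a full commit SHA with a trailing version comment (e.g. `uses: docker/setup-qemu-action@<commit-sha>  # v3`) makes the workflow reproducible and verifiable, and Dependabot continues to track SHA-pinned actions for updates. The values substituted into the `run: >-` command come from the literal `matrix.platform` and `matrix.architecture` lists defined in the earlier `@@ -168,12 +168,30 @@` hunk rather than from event input, so the expression interpolation in the `molecule test` line is not an injection concern here. The `test` job is defined across that earlier hunk and this one.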
@@ -40,5 +45,10 @@ galaxy_info: versions: - focal - jammy +<<<<<<< HEAD role_name: disable_numa +======= + - noble + role_name: skeleton +>>>>>>> 9e3015cd6965dedb779cafd71c27889a1cc16efc standalone: true diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml new file mode 100644 index 0000000..ce43622 --- /dev/null +++ b/molecule/default/externally-managed-python.yml 
@@ -0,0 +1,49 @@ +--- +# This is in place to restore a destructive action in geerlingguy's Ansible +# Docker images that we use for testing. The change is fine for the intended +# purpose of the images but not for how we use them. +- name: Ensure Python is marked as externally managed if appropriate + hosts: all + become: true + become_method: ansible.builtin.sudo + tasks: + - name: Ensure Python is marked as externally managed + when: + - ansible_distribution in ["Debian", "Ubuntu"] + - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] + block: + - name: Gather package facts + ansible.builtin.package_facts: + manager: auto + + - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed + when: '"python3" in ansible_facts.packages' + block: + # This gets a unique list of installed Python packages in the form of major.minor + # by taking the list of installed Python packages and: + # 1. Extracting the version from each package's information + # 2. Removing any version information after the major.minor version + # 3. Ensuring there are no duplicates + # + # NOTE: + # Since the value of python_versions is a multiline string, the regex expressions used in + # the regex_replace filter must use single backslashes for special sequences. If the value + # of python_versions were to be changed from a multiline string, the special sequences + # must be modified to use double backslashes instead. This is due to how the YAML is + # processed when Ansible reads the playbook. 
+ - name: Extract version information about installed Python packages + ansible.builtin.set_fact: + python_versions: >- + {{ + ansible_facts.packages["python3"] + | map(attribute="version") + | map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1") + | unique + }} + + - name: Restore EXTERNALLY-MANAGED file for Python + ansible.builtin.template: + dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED + mode: 0644 + src: EXTERNALLY-MANAGED.j2 + loop: "{{ python_versions }}" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index b4b3c96..20b8324 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
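Review bot: The `regex_replace` in the "Extract version information about installed Python packages" task leaves any version string that does not match `^(\d+\.\d+)\.\d+.*$` unchanged, so an unexpected package version format would pass through `unique` into `dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED` as a path to a directory that does not exist and fail the template task with an unhelpful error; filtering the versions first with `| select("match", "^\d+\.\d+\.\d+")` (single backslashes, per the NOTE in the hunk) or asserting the match would make that failure explicit. Separately, `mode: 0644` is an unquoted leading-zero literal — a YAML 1.1 loader reads it as octal so Ansible receives the intended value, but Ansible's own module documentation recommends quoting (`mode: "0644"`) because the bare form is read as decimal 644 by YAML 1.2 loaders and can misbehave in loops. The `when:` guard is a release deny-list, so every Debian/Ubuntu release not named there will receive the file by default, which appears to be the intent given the comment at the top of the play.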
@@ -7,52 +7,97 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd + name: amazonlinux2023-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd + name: debian10-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd + name: debian11-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd + name: debian12-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: 
docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd + name: debian13-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd + name: kali-systemd-amd64 platform: amd64 pre_build_image: true privileged: true @@ -60,8 +105,17 @@ platforms: - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora38-ansible:latest - name: fedora38-systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd-amd64 platform: amd64 pre_build_image: true privileged: true 
@@ -70,30 +124,84 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd + name: fedora39-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd + name: ubuntu-20-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd + name: ubuntu-22-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest 
+ name: ubuntu-24-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: name: default verifier: diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index d3eb8f5..26bca50 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,3 +1,6 @@ --- - name: Import upgrade playbook ansible.builtin.import_playbook: upgrade.yml + +- name: Import externally-managed-python playbook + ansible.builtin.import_playbook: externally-managed-python.yml diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index d5927d8..1854da0 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml @@ -1,3 +1,11 @@ --- -- name: upgrade - src: https://github.com/cisagov/ansible-role-upgrade +# This is necessary to ensure a version of this collection that is compatible +# with version 2.32.0+ of the Python requests library. This should be removed when +# it is no longer required per https://github.com/cisagov/skeleton-ansible-role/issues/195 +collections: + - name: community.docker + version: ">=3.10.2" + +roles: + - name: upgrade + src: https://github.com/cisagov/ansible-role-upgrade diff --git a/molecule/default/templates/EXTERNALLY-MANAGED.j2 b/molecule/default/templates/EXTERNALLY-MANAGED.j2 new file mode 100644 index 0000000..e2ee56f --- /dev/null +++ b/molecule/default/templates/EXTERNALLY-MANAGED.j2 
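Review bot: The `upgrade` entry under the new `roles:` key carries no `version:` (the entry it replaces did not either), so `ansible-galaxy` resolves `src: https://github.com/cisagov/ansible-role-upgrade` to the head of that repository's default branch at install time; the test environment is therefore not reproducible and any change pushed to that repository flows straight into this role's CI. Adding `version: <tag-or-commit>` next to `src:` pins it. The `community.docker` entry with `version: ">=3.10.2"` is a sensible lower bound for the compatibility issue the comment links to, though a matching upper bound (`">=3.10.2,<4"`) would mirror the major-version caution this project applies elsewhere.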
@@ -0,0 +1,15 @@ +[externally-managed] +Error=To install Python packages system-wide, try apt install + python3-xyz, where xyz is the package you are trying to + install. + + If you wish to install a non-Debian-packaged Python package, + create a virtual environment using python3 -m venv path/to/venv. + Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make + sure you have python3-full installed. + + If you wish to install a non-Debian packaged Python application, + it may be easiest to use pipx install xyz, which will manage a + virtual environment for you. Make sure you have pipx installed. + + See /usr/share/doc/python{{ item }}/README.venv for more information. diff --git a/requirements-test.txt b/requirements-test.txt index 09f58a0..d680733 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -13,16 +13,16 @@ # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason # for the upper bound. -ansible>=8,<10 -# TODO: Remove this pin when possible. See -# cisagov/skeleton-ansible-role#178 for more details. -# -# ansible-core 2.16.3 and later suffer from the bug discussed in +ansible>=9,<10 +# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. +# Hence we never want to install those versions. # -# See also cisagov/skeleton-packer#312. -ansible-core<2.16.3 +# Note that any changes made to this dependency must also be made in +# requirements.txt in cisagov/skeleton-packer and +# .pre-commit-config.yaml in cisagov/skeleton-generic. +ansible-core>=2.16.7 # With the release of molecule v5 there were some breaking changes so # we need to pin at v5 or newer. However, v5.0.0 had an internal # dependency issue so we must use the bugfix release as the actual 
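Review bot: `ansible-core>=2.16.7` has no upper bound, unlike `ansible>=9,<10` two lines above it and the "This is the reason for the upper bound" rationale in the surrounding comment; in practice the `ansible<10` pin constrains ansible-core transitively, but the file's own policy is to state the bound explicitly. Writing `ansible-core>=2.16.7,<2.17` documents the intent and stops relying on the transitive pin, and since the new comment says this line must be mirrored in cisagov/skeleton-packer and cisagov/skeleton-generic, the same form should go there.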
diff --git a/update_molecule_images.sh b/update_molecule_images.sh
index 2c8cccc..f7fc267 100755
--- a/update_molecule_images.sh
+++ b/update_molecule_images.sh
@@ -45,4 +45,4 @@ check_dependencies
# Note that we can't use --max-args in place of -n in the xargs
# command since the version of xargs distributed with macOS does not
# support it.
-yq '.platforms[].image' < "$source_file" | xargs -n 1 docker pull
+yq '.platforms[] | "\(.platform) \(.image)"' < "$source_file" | xargs -n 2 docker pull --platform
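Review bot: `xargs -n 2` groups every two whitespace-separated tokens into `docker pull --platform <platform> <image>`, so correctness depends on each `.platforms[]` entry emitting exactly two tokens: an entry without a `platform` key yields `null` as its first token, which keeps the pairs aligned but makes that pull fail with a confusing error, and any token containing whitespace would shift every subsequent pair. Every entry in molecule/default/molecule.yml now sets `platform`, so the current file is fine; a defensive form is `yq '.platforms[] | select(.platform != null) | "\(.platform) \(.image)"'`. Note also that the images are pulled by mutable `:latest` tags (unchanged by this commit), so the script refreshes test images without any digest check.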