From 771490a42e57012a759b2b85c57e752c979b9a4c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 20 Apr 2024 04:01:47 -0400 Subject: [PATCH 01/20] Update the bandit configuration in pre-commit We removed the systemd_enabled scenario in cisagov/skeleton-ansible-role#175 but we missed updating the `exclude` directive for the `bandit` hook. Instead of just removing the unused scenario the regex is instead updated to match the `tests` subdirectory for any molecule scenario. --- .pre-commit-config.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 48846e6..9f40b54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -125,8 +125,9 @@ repos: rev: 1.7.7 hooks: - id: bandit - # Bandit complains about the use of assert() in tests - exclude: molecule/(default|systemd_enabled)/tests + # Bandit complains about the use of assert() in tests. This should cover + # the tests/ subdirectory for any molecule scenario. + exclude: molecule/[^/]+/tests args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror From 33947a63ae470d65a4678e1b9669102d3795fc1b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Apr 2024 13:44:11 -0400 Subject: [PATCH 02/20] Change the license so that it is an SPDX string This is what is expected by Ansible Galaxy: https://docs.ansible.com/ansible/latest/dev_guide/collections_galaxy_meta.html --- meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/main.yml b/meta/main.yml index f7f30e7..383000a 100644 --- a/meta/main.yml +++ b/meta/main.yml 
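Review bot: The new `exclude` pattern `molecule/[^/]+/tests` is not anchored at its end, and pre-commit applies `exclude` with `re.search`, so it skips every file under a scenario whose path merely contains `tests` after the scenario directory (a `molecule/<scenario>/tests_util.py`, for example), not only the `tests/` subdirectory the comment describes. Narrowing it to the directory keeps bandit's coverage of the scenario as wide as possible: `exclude: molecule/[^/]+/tests/`. The enclosing `repos:` list starts outside the hunk.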
@@ -11,7 +11,7 @@ galaxy_info: description: Skeleton Ansible role galaxy_tags: - skeleton - license: CC0 + license: CC0-1.0 # With the release of version 2.10, Ansible finally correctly # identifies Kali Linux as being the Kali distribution of the Debian # OS family. This simplifies a lot of things for roles that support From c000a6d307a7618aec651019480680e98494c604 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 29 May 2024 12:38:56 -0400 Subject: [PATCH 03/20] Add `community.docker` as a requirement for molecule testing We explicitly add the `community.docker` collection with a minimum version as a requirement to the molecule configuration. This will allow us to ensure that a version of this collection that is compatible with 2.32.0 and newer of the Python requests library is installed. --- molecule/default/requirements.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index d5927d8..1854da0 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml @@ -1,3 +1,11 @@ --- -- name: upgrade - src: https://github.com/cisagov/ansible-role-upgrade +# This is necessary to ensure a version of this collection that is compatible +# with version 2.32.0+ of the Python requests library. This should be removed when +# it is no longer required per https://github.com/cisagov/skeleton-ansible-role/issues/195 +collections: + - name: community.docker + version: ">=3.10.2" + +roles: + - name: upgrade + src: https://github.com/cisagov/ansible-role-upgrade From 670748b0d53042bab6da53ef08bdebfa5260e389 Mon Sep 17 00:00:00 2001 
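Review bot: The `upgrade` entry under the new `roles:` key still carries no `version:`, so `ansible-galaxy` checks out whatever the repository's default branch holds at run time; each molecule run can therefore exercise different role code, and the test environment's integrity rests on that upstream branch. Pinning it keeps the scenario reproducible: `version: "<tag or commit of ansible-role-upgrade — placeholder>"`. The lower-bound-only `version: ">=3.10.2"` on `community.docker` is explained by the comment above it, so that one presumably just needs revisiting when cisagov/skeleton-ansible-role#195 is resolved.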
From: Jeremy Frasier Date: Tue, 21 May 2024 11:29:18 -0400 Subject: [PATCH 04/20] Modify the ansible-core pin to ensure a good version is used We can do this because new versions of ansible-core (2.16.7 and 2.17.0) have been released that do not suffer from the bug discussed in ansible/ansible#82702. This bug broke any symlinked files in vars, tasks, etc. for any Ansible role installed via ansible-galaxy. All versions later than ansible-core 2.16.7 and 2.17.0 should function as expected. --- requirements-test.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-test.txt b/requirements-test.txt index 09f58a0..e74b270 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -14,15 +14,15 @@ # often breaking changes across major versions. This is the reason # for the upper bound. ansible>=8,<10 -# TODO: Remove this pin when possible. See -# cisagov/skeleton-ansible-role#178 for more details. -# -# ansible-core 2.16.3 and later suffer from the bug discussed in +# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. +# Hence we never want to install those versions. # -# See also cisagov/skeleton-packer#312. -ansible-core<2.16.3 +# Note that any changes made to this dependency must also be made in +# requirements.txt in cisagov/skeleton-packer and +# .pre-commit-config.yaml in cisagov/skeleton-generic. +ansible-core>=2.16.7 # With the release of molecule v5 there were some breaking changes so # we need to pin at v5 or newer. However, v5.0.0 had an internal # dependency issue so we must use the bugfix release as the actual From db61055ffcef2121aee0c24dc0b74110844274b1 Mon Sep 17 00:00:00 2001 
From: Shane Frasier Date: Fri, 31 May 2024 17:14:37 -0400 Subject: [PATCH 05/20] Update ansible pin With the updated ansible-core pin we can support ansible 9. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- requirements-test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-test.txt b/requirements-test.txt index e74b270..d680733 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -13,7 +13,7 @@ # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason # for the upper bound. -ansible>=8,<10 +ansible>=9,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. From fc7b883cee53770e7de04c05889b350d65b094ca Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 26 Apr 2024 17:30:44 -0400 Subject: [PATCH 06/20] Restore externally managed Python environment indicator In SystemD-enabled Docker images sourced from geerlingguy he has made the decision to remove the indicator for an externally managed Python environment if the host is configured with one. This impacts Debian Bookworm and Trixie, as well as Ubuntu 24.04 (Noble Numbat), and as far as we know any future versions of these distributions. This will help ensure that our Ansible role testing is done against images that reflect how a host will be configured when used to create AMIs. --- .../default/externally-managed-python.yml | 31 +++++++++++++++++++ molecule/default/prepare.yml | 3 ++ .../default/templates/EXTERNALLY-MANAGED.j2 | 15 +++++++++ molecule/default/vars/Debian.yml | 2 ++ molecule/default/vars/Ubuntu.yml | 2 ++ 5 files changed, 53 insertions(+) create mode 100644 molecule/default/externally-managed-python.yml create mode 100644 molecule/default/templates/EXTERNALLY-MANAGED.j2 create mode 100644 molecule/default/vars/Debian.yml create mode 100644 molecule/default/vars/Ubuntu.yml diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml new file mode 100644 index 0000000..41b915e --- /dev/null +++ b/molecule/default/externally-managed-python.yml
@@ -0,0 +1,31 @@ +--- +# This is in place to restore a destructive action in geerlingguy's Ansible +# Docker images that we use for testing. The change is fine for the intended +# purpose of the images but not for how we use them. +- name: Ensure Python is marked as externally managed if appropriate + hosts: all + become: true + become_method: ansible.builtin.sudo + tasks: + - name: Ensure Python is marked as externally managed + when: + - ansible_os_family == "Debian" + - ansible_distribution != "Kali" + - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] + block: + - name: Load var file with Python version based on the OS type + ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + paths: + - "vars" + + - name: Restore EXTERNALLY-MANAGED file for Python + ansible.builtin.template: + dest: /usr/lib/python{{ python_version }}/EXTERNALLY-MANAGED + mode: 0644 + src: EXTERNALLY-MANAGED.j2 diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index d3eb8f5..26bca50 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,3 +1,6 @@ --- - name: Import upgrade playbook ansible.builtin.import_playbook: upgrade.yml + +- name: Import externally-managed-python playbook + ansible.builtin.import_playbook: externally-managed-python.yml diff --git a/molecule/default/templates/EXTERNALLY-MANAGED.j2 b/molecule/default/templates/EXTERNALLY-MANAGED.j2 new file mode 100644 index 0000000..df806f8 --- /dev/null +++ b/molecule/default/templates/EXTERNALLY-MANAGED.j2 
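Review bot: `mode: 0644` on the `ansible.builtin.template` task is an unquoted plain scalar, which the YAML 1.1 loader Ansible uses reads as the octal integer 420; Ansible accepts the integer form, but a later edit that drops the leading zero silently produces different permissions, which is why the Ansible docs and ansible-lint's `risky-octal` rule prefer the quoted string form `mode: "0644"`. The same line reappears in the rewritten task in PATCH 07/20. The `become: true` / `become_method: ansible.builtin.sudo` pair and the `when` guards on the block look consistent with the play's purpose.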
@@ -0,0 +1,15 @@ +[externally-managed] +Error=To install Python packages system-wide, try apt install + python3-xyz, where xyz is the package you are trying to + install. + + If you wish to install a non-Debian-packaged Python package, + create a virtual environment using python3 -m venv path/to/venv. + Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make + sure you have python3-full installed. + + If you wish to install a non-Debian packaged Python application, + it may be easiest to use pipx install xyz, which will manage a + virtual environment for you. Make sure you have pipx installed. + + See /usr/share/doc/python{{ python_version }}/README.venv for more information. diff --git a/molecule/default/vars/Debian.yml b/molecule/default/vars/Debian.yml new file mode 100644 index 0000000..154e841 --- /dev/null +++ b/molecule/default/vars/Debian.yml @@ -0,0 +1,2 @@ +--- +python_version: "3.11" diff --git a/molecule/default/vars/Ubuntu.yml b/molecule/default/vars/Ubuntu.yml new file mode 100644 index 0000000..8fb3904 --- /dev/null +++ b/molecule/default/vars/Ubuntu.yml @@ -0,0 +1,2 @@ +--- +python_version: "3.12" From 4958184745368b4f4f91bdff01f356da2c20d121 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 1 May 2024 12:56:50 -0400 Subject: [PATCH 07/20] Determine Python version on host dynamically Remove the hard-coded values used to restore the externally managed Python environment file. Instead check that Python 3 is installed and derive the major.minor version of the Python 3 package that is on the host. Co-authored-by: dav3r Co-authored-by: Shane Frasier --- .../default/externally-managed-python.yml | 47 +++++++++++++------ .../default/templates/EXTERNALLY-MANAGED.j2 | 2 +- molecule/default/vars/Debian.yml | 2 - molecule/default/vars/Ubuntu.yml | 2 - 4 files changed, 33 insertions(+), 20 deletions(-) delete mode 100644 molecule/default/vars/Debian.yml delete mode 100644 molecule/default/vars/Ubuntu.yml diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index 41b915e..f0ec5f0 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml
@@ -13,19 +13,36 @@ - ansible_distribution != "Kali" - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] block: - - name: Load var file with Python version based on the OS type - ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" - vars: - params: - files: - - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution }}.yml" - - "{{ ansible_os_family }}.yml" - paths: - - "vars" + - name: Gather package facts + ansible.builtin.package_facts: + manager: auto - - name: Restore EXTERNALLY-MANAGED file for Python - ansible.builtin.template: - dest: /usr/lib/python{{ python_version }}/EXTERNALLY-MANAGED - mode: 0644 - src: EXTERNALLY-MANAGED.j2 + - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed + when: '"python3" in ansible_facts.packages' + block: + # This gets a list of unique list of installed Python packages in the form of major.minor + # by taking the list of installed Python packages and: + # 1. Extracting the version from each package's information + # 2. Removing any version information after the major.minor version + # 3. Ensuring there are no duplicates + # + # NOTE: + # The regex expressions used in the regex_replace filter must use double backslashes if + # the value of python_versions is changed from a multiline string. This is due to how the + # YAML is processed when Ansible reads the playbook. + - name: Extract version information about installed Python packages + ansible.builtin.set_fact: + python_versions: >- + {{ + ansible_facts.packages["python3"] + | map(attribute="version") + | map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1") + | unique + }} + + - name: Restore EXTERNALLY-MANAGED file for Python + ansible.builtin.template: + dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED + mode: 0644 + src: EXTERNALLY-MANAGED.j2 + loop: "{{ python_versions }}" 
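Review bot: `regex_replace` returns its input unchanged when `^(\d+\.\d+)\.\d+.*$` does not match, so a `python3` package version in an unexpected form (an epoch prefix such as `1:…`, or fewer than three numeric components) would flow into `dest` as `/usr/lib/python<full version>/EXTERNALLY-MANAGED` rather than a major.minor path, and the template task would then fail because that destination directory does not exist. Filtering to versions that actually match before rewriting keeps the loop well-formed, e.g. inserting `| select("match", "^\d+\.\d+\.\d+")` ahead of the `regex_replace` step (single backslashes, as the hunk's own note explains for this folded scalar). On the Debian and Ubuntu images targeted here the versions presumably match already, so this is defensive hardening. The enclosing play and the outer `when` start outside the hunk.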
diff --git a/molecule/default/templates/EXTERNALLY-MANAGED.j2 b/molecule/default/templates/EXTERNALLY-MANAGED.j2 index df806f8..e2ee56f 100644 --- a/molecule/default/templates/EXTERNALLY-MANAGED.j2 +++ b/molecule/default/templates/EXTERNALLY-MANAGED.j2 @@ -12,4 +12,4 @@ Error=To install Python packages system-wide, try apt install it may be easiest to use pipx install xyz, which will manage a virtual environment for you. Make sure you have pipx installed. - See /usr/share/doc/python{{ python_version }}/README.venv for more information. + See /usr/share/doc/python{{ item }}/README.venv for more information. diff --git a/molecule/default/vars/Debian.yml b/molecule/default/vars/Debian.yml deleted file mode 100644 index 154e841..0000000 --- a/molecule/default/vars/Debian.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -python_version: "3.11" diff --git a/molecule/default/vars/Ubuntu.yml b/molecule/default/vars/Ubuntu.yml deleted file mode 100644 index 8fb3904..0000000 --- a/molecule/default/vars/Ubuntu.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -python_version: "3.12" From 4e1659e8e363725c3f95da5eb4a00d89eef769f8 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 1 May 2024 13:20:35 -0400 Subject: [PATCH 08/20] Streamline logic checking for applicable host platforms In the playbook that restores the externally managed Python environment file we can just check for supported distributions instead of checking for Debian-based and then excluding distributions (like Kali). --- molecule/default/externally-managed-python.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index f0ec5f0..c9c7bcf 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml 
@@ -9,8 +9,7 @@ tasks: - name: Ensure Python is marked as externally managed when: - - ansible_os_family == "Debian" - - ansible_distribution != "Kali" + - ansible_distribution in ["Debian", "Ubuntu"] - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] block: - name: Gather package facts From b967e9de158b4ae3db3755e1535ad4934b5ae0ef Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 21 May 2024 03:10:22 -0400 Subject: [PATCH 09/20] Fix typo in comment Co-authored-by: dav3r --- molecule/default/externally-managed-python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index c9c7bcf..54bec7b 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml @@ -19,7 +19,7 @@ - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed when: '"python3" in ansible_facts.packages' block: - # This gets a list of unique list of installed Python packages in the form of major.minor + # This gets a unique list of installed Python packages in the form of major.minor # by taking the list of installed Python packages and: # 1. Extracting the version from each package's information # 2. Removing any version information after the major.minor version From b25f1fca4d821fbdafd7ee71026aad9ef3ad745f Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 21 May 2024 03:13:50 -0400 Subject: [PATCH 10/20] Improve explanatory comment Improve the comment that explains the backslash usage in a YAML multiline string used to define a regex pattern. Co-authored-by: dav3r --- molecule/default/externally-managed-python.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index 54bec7b..ce43622 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml @@ -26,9 +26,11 @@ # 3. Ensuring there are no duplicates # # NOTE: - # The regex expressions used in the regex_replace filter must use double backslashes if - # the value of python_versions is changed from a multiline string. This is due to how the - # YAML is processed when Ansible reads the playbook. + # Since the value of python_versions is a multiline string, the regex expressions used in + # the regex_replace filter must use single backslashes for special sequences. If the value + # of python_versions were to be changed from a multiline string, the special sequences + # must be modified to use double backslashes instead. This is due to how the YAML is + # processed when Ansible reads the playbook. - name: Extract version information about installed Python packages ansible.builtin.set_fact: python_versions: >- From 706151e5948e9727f3d17bb741c616d690d8cd51 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 26 Apr 2024 13:56:38 -0400 Subject: [PATCH 11/20] Add support for Ubuntu 24.04 (Noble Numbat) --- meta/main.yml | 1 + molecule/default/molecule.yml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index f7f30e7..9226b97 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -40,5 +40,6 @@ galaxy_info: versions: - focal - jammy + - noble role_name: skeleton standalone: true diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index b4b3c96..7e4cc90 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -94,6 +94,15 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: name: default verifier: From e7d3969e84c32e69c05996f44dbe92a6b3591c4e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 26 Apr 2024 14:41:19 -0400 Subject: [PATCH 12/20] Add support for Fedora 40 Remove support for Fedora 38 as it is now EOL. --- meta/main.yml | 2 +- molecule/default/molecule.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index f7f30e7..14e29ba 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -31,8 +31,8 @@ galaxy_info: - trixie - name: Fedora versions: - - "38" - "39" + - "40" - name: Kali versions: - "2023" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index b4b3c96..71ce996 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -60,8 +60,8 @@ platforms: - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora38-ansible:latest - name: fedora38-systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd platform: amd64 pre_build_image: true privileged: true @@ -69,8 +69,8 @@ platforms: - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd platform: amd64 pre_build_image: true privileged: true From 581a55c994c542a3cd6996bb0b933f778fdde155 Mon Sep 17 00:00:00 2001 
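Review bot: The new `ubuntu-24-systemd` platform pulls `docker.io/geerlingguy/docker-ubuntu2404-ansible:latest`, a mutable tag, so the image under test can change between runs with no change to this repository; that matches the existing entries, so it is a file-wide convention rather than a defect of this hunk, but a digest pin such as `image: docker.io/geerlingguy/docker-ubuntu2404-ansible@sha256:<digest — placeholder>` refreshed on a schedule would make a failing run attributable to a specific image. `privileged: true` together with the `/sys/fs/cgroup` bind mount appears to be what the systemd-in-container setup needs and is consistent with the other platforms. The `platforms:` list starts outside the hunk.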
From: Jeremy Frasier Date: Mon, 22 Apr 2024 11:57:10 -0400 Subject: [PATCH 13/20] Add GH actions to setup QEMU and buildx This idea was stolen from felddy/reusable-workflows. --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b57fa87..e3cce0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -204,6 +204,10 @@ jobs: run: | python -m pip install --upgrade pip pip install --upgrade --requirement requirements-test.txt + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Run molecule tests run: molecule test --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session From 5759b776bb0e245c457c72d7115d34e3fa88e530 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Apr 2024 12:17:44 -0400 Subject: [PATCH 14/20] Add Molecule testing support for aarch where possible --- .github/workflows/build.yml | 29 +++++++- molecule/default/molecule.yml | 124 +++++++++++++++++++++++++++++++--- 2 files changed, 141 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e3cce0b..a9ad548 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -174,6 +174,30 @@ jobs: strategy: fail-fast: false matrix: + architecture: + - aarch64 + - amd64 + exclude: + # The Docker images we use for these platforms do not + # support aarch64. + - architecture: aarch64 + platform: amazonlinux2023-systemd + - architecture: aarch64 + platform: fedora39-systemd + - architecture: aarch64 + platform: fedora40-systemd + platform: + - amazonlinux2023-systemd + - debian10-systemd + - debian11-systemd + - debian12-systemd + - debian13-systemd + - kali-systemd + - fedora39-systemd + - fedora40-systemd + - ubuntu-20-systemd + - ubuntu-22-systemd + - ubuntu-24-systemd scenario: - default steps: 
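Review bot: `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3` are referenced by a mutable major-version tag, so the code this job runs can change whenever that tag moves; the existing `mxschmitt/action-tmate@v3` step is referenced the same way, so this is a workflow-wide convention, but pinning to a full commit SHA with the version kept in a trailing comment is the hardened form, e.g. `uses: docker/setup-qemu-action@<full commit sha — placeholder> # v3`. Both setup steps also run unconditionally even for the amd64 matrix entries, which is harmless but worth a one-line comment such as `# QEMU/Buildx are needed for the arm64 platforms; cheap no-ops elsewhere.` if that is the intent. The `jobs:` block and this job's earlier steps start outside the hunk.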
@@ -209,7 +233,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Run molecule tests - run: molecule test --scenario-name ${{ matrix.scenario }} + run: >- + molecule test + --platform-name ${{ matrix.platform }}-${{ matrix.architecture }} + --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 8e47275..ec5bdcb 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -7,102 +7,204 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd + name: amazonlinux2023-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + # name: amazonlinux2023-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd + name: debian10-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd + name: debian11-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd + name: debian12-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - 
cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd + name: debian13-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd + name: kali-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd + name: fedora39-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. 
+ # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-fedora39-ansible:latest + # name: fedora39-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd + name: fedora40-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-fedora40-ansible:latest + # name: fedora40-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd + name: ubuntu-20-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd + name: ubuntu-22-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: 
/lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd + name: ubuntu-24-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: name: default verifier: From 234ac0387b533627b40e0d5e0cc6a3eb14ab86d1 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 22 Apr 2024 16:08:22 -0400 Subject: [PATCH 15/20] Alphabetize platforms Co-authored-by: dav3r --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a9ad548..e79e643 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -192,9 +192,9 @@ jobs: - debian11-systemd - debian12-systemd - debian13-systemd - - kali-systemd - fedora39-systemd - fedora40-systemd + - kali-systemd - ubuntu-20-systemd - ubuntu-22-systemd - ubuntu-24-systemd From 77f62e3687bcf27b319e865b8f99868fde40f9c0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 27 Apr 2024 16:15:14 -0400 Subject: [PATCH 16/20] Add support for the aarch64 platform for Fedora 39, Fedora 40, and AL2023 These platforms can now be included because the following PRs have been merged: - geerlingguy/docker-fedora39-ansible#2 - geerlingguy/docker-fedora40-ansible#1 - geerlingguy/docker-amazonlinux2023-ansible#4 --- .github/workflows/build.yml | 9 ------ molecule/default/molecule.yml | 57 +++++++++++++++++------------------ 2 files changed, 27 insertions(+), 39 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e79e643..22f1c43 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -177,15 +177,6 @@ jobs: architecture: - aarch64 - amd64 - exclude: - # The Docker images we use for these platforms do not - # support aarch64. - - architecture: aarch64 - platform: amazonlinux2023-systemd - - architecture: aarch64 - platform: fedora39-systemd - - architecture: aarch64 - platform: fedora40-systemd platform: - amazonlinux2023-systemd - debian10-systemd diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index ec5bdcb..19df511 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -13,16 +13,15 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw - # There is no aarch64 version of this Docker image. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - # name: amazonlinux2023-systemd-aarch64 - # platform: aarch64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest 
@@ -122,16 +121,15 @@ platforms:
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- # There is no aarch64 version of this Docker image.
- # - cgroupns_mode: host
- # command: /lib/systemd/systemd
- # image: docker.io/geerlingguy/docker-fedora39-ansible:latest
- # name: fedora39-systemd-aarch64
- # platform: aarch64
- # pre_build_image: true
- # privileged: true
- # volumes:
- # - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: docker.io/geerlingguy/docker-fedora39-ansible:latest
+ name: fedora39-systemd-aarch64
+ platform: aarch64
+ pre_build_image: true
+ privileged: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-fedora40-ansible:latest
@@ -141,16 +139,15 @@ platforms:
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
- # There is no aarch64 version of this Docker image.
- # - cgroupns_mode: host
- # command: /lib/systemd/systemd
- # image: docker.io/geerlingguy/docker-fedora40-ansible:latest
- # name: fedora40-systemd-aarch64
- # platform: aarch64
- # pre_build_image: true
- # privileged: true
- # volumes:
- # - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: docker.io/geerlingguy/docker-fedora40-ansible:latest
+ name: fedora40-systemd-aarch64
+ platform: aarch64
+ pre_build_image: true
+ privileged: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
From 6158bae37a986ff9604b2b52ef42169832d369ea Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 31 May 2024 14:41:06 -0400
Subject: [PATCH 17/20] Prefer the name arm64 to aarch64
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
.github/workflows/build.yml | 2 +-
molecule/default/molecule.yml | 44 +++++++++++++++++------------------
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 22f1c43..1cf405b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -175,8 +175,8 @@ jobs:
fail-fast: false
matrix:
architecture:
- - aarch64
- amd64
+ - arm64
platform:
- amazonlinux2023-systemd
- debian10-systemd
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 19df511..20b8324 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -16,8 +16,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
- name: amazonlinux2023-systemd-aarch64
- platform: aarch64
+ name: amazonlinux2023-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -34,8 +34,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-debian10-ansible:latest
- name: debian10-systemd-aarch64
- platform: aarch64
+ name: debian10-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -52,8 +52,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-debian11-ansible:latest
- name: debian11-systemd-aarch64
- platform: aarch64
+ name: debian11-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -70,8 +70,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-debian12-ansible:latest
- name: debian12-systemd-aarch64
- platform: aarch64
+ name: debian12-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -88,8 +88,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/cisagov/docker-debian13-ansible:latest
- name: debian13-systemd-aarch64
- platform: aarch64
+ name: debian13-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -106,8 +106,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/cisagov/docker-kali-ansible:latest
- name: kali-systemd-aarch64
- platform: aarch64
+ name: kali-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -124,8 +124,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-fedora39-ansible:latest
- name: fedora39-systemd-aarch64
- platform: aarch64
+ name: fedora39-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -142,8 +142,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-fedora40-ansible:latest
- name: fedora40-systemd-aarch64
- platform: aarch64
+ name: fedora40-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -160,8 +160,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
- name: ubuntu-20-systemd-aarch64
- platform: aarch64
+ name: ubuntu-20-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -178,8 +178,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
- name: ubuntu-22-systemd-aarch64
- platform: aarch64
+ name: ubuntu-22-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
@@ -196,8 +196,8 @@ platforms:
- cgroupns_mode: host
command: /lib/systemd/systemd
image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest
- name: ubuntu-24-systemd-aarch64
- platform: aarch64
+ name: ubuntu-24-systemd-arm64
+ platform: arm64
pre_build_image: true
privileged: true
volumes:
From 357a701ba723f1161e1e953b87147ee8d48826b8 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 31 May 2024 14:42:35 -0400
Subject: [PATCH 18/20] Assign a name to the test job in the build GHA workflow
This helps keep the job name in line with the molecule configuration.
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
.github/workflows/build.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1cf405b..3b88a29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -168,6 +168,9 @@ jobs:
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
test:
+ name: >-
+ test (${{ matrix.scenario }}) -
+ ${{ matrix.platform }}-${{ matrix.architecture }}
needs:
- diagnostics
runs-on: ubuntu-latest
From 4d2653d8d53ae6591d45705bfcfb573f0dfb8240 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Fri, 31 May 2024 16:10:05 -0400
Subject: [PATCH 19/20] Update the `update_molecule_images.sh` helper script
Adjust the script to pull down platform specific images instead of just the image of the running system's platform. This will ensure that all images needed by the molecule configuration are retrieved regardless of the system platform.
---
update_molecule_images.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
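Review bot: The new `name:` for the `test` job (hunk `@@ -168,6 +168,9 @@`) interpolates `${{ matrix.scenario }}`, but the `matrix` visible in this file's neighbouring hunk (`@@ -175,8 +175,8 @@`) declares only `architecture` and `platform`; if `scenario` is not defined further down in the strategy, the expression expands to an empty string and the job is listed as `test () - <platform>-<architecture>`. Worth confirming the dimension exists or, if it does not, dropping the parenthesised part: `name: test - ${{ matrix.platform }}-${{ matrix.architecture }}`. The `test` job definition continues past the end of the hunk, so the matrix may well be declared there.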
diff --git a/update_molecule_images.sh b/update_molecule_images.sh
index 2c8cccc..f7fc267 100755
--- a/update_molecule_images.sh
+++ b/update_molecule_images.sh
@@ -45,4 +45,4 @@ check_dependencies
# Note that we can't use --max-args in place of -n in the xargs
# command since the version of xargs distributed with macOS does not
# support it.
-yq '.platforms[].image' < "$source_file" | xargs -n 1 docker pull
+yq '.platforms[] | "\(.platform) \(.image)"' < "$source_file" | xargs -n 2 docker pull --platform
From ba48f714c14ffdb240f21ac1497dc88be5006c58 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Sat, 1 Jun 2024 23:34:00 -0400
Subject: [PATCH 20/20] Add new dependabot ignore directives
Adds commented out ignore statements for the following new Action dependencies added to the `test` job:
- docker/setup-buildx-action
- docker/setup-qemu-action
Once uncommented in downstream repositories this will ensure that these dependencies are managed in a centralized place.
---
.github/dependabot.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 986c3cb..d219c14 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,8 @@ updates:
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
# # Managed by cisagov/skeleton-ansible-role
+ # - dependency-name: docker/setup-buildx-action
+ # - dependency-name: docker/setup-qemu-action
# - dependency-name: github/codeql-action
package-ecosystem: github-actions
schedule:
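Review bot: The rewritten pull in `update_molecule_images.sh` (hunk `@@ -45,4 +45,4 @@`) assumes every `platforms[]` entry carries a `platform` key: yq prints the literal `null` for a missing one, so the token pair becomes `docker pull --platform null <image>`, which fails with a platform-parsing error rather than pointing at the configuration, and the host-platform fallback the old `docker pull` had is gone. If entries without a platform are legitimate, `yq '.platforms[] | select(.platform != null) | "\(.platform) \(.image)"'` skips them cleanly; if every entry must declare one, a comment above the pipeline saying so would document that contract. The values in the accompanying molecule.yml are bare `amd64`/`arm64`, which Docker appears to accept by defaulting the OS part — presumably intentional, but worth stating in the same comment for the next reader.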