author | Matt Clay <matt@mystile.com> | 2024-06-25 17:42:51 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-25 17:42:51 +0200 |
commit | 8f1fddb161559c0ff1ee92263d8229c6d5d7355c (patch) | |
tree | c40f1a28e7a6d195d11339343819a46a907b4f6f /test | |
parent | linear strategy, show templated task name on start (#83473) (diff) | |
Enable Ubuntu 24.04 group 6 in CI (#83466)
* Enable Ubuntu 24.04 group 6 in CI
* Disable rootfull Podman on Ubuntu
* Disable unix-chkpwd AppArmor profile on Ubuntu for Fedora 40 tests
* Document AppArmor and rootfull issues
Diffstat (limited to 'test')
-rwxr-xr-x | test/integration/targets/ansible-test-container/runme.py | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/test/integration/targets/ansible-test-container/runme.py b/test/integration/targets/ansible-test-container/runme.py index b29e18344d..98e78d97e8 100755 --- a/test/integration/targets/ansible-test-container/runme.py +++ b/test/integration/targets/ansible-test-container/runme.py @@ -181,6 +181,11 @@ def get_test_scenarios() -> list[TestScenario]: # See: https://access.redhat.com/solutions/6816771 enable_sha1 = os_release.id == 'rhel' and os_release.version_id.startswith('9.') and container_name == 'centos6' + # Starting with Fedora 40, use of /usr/sbin/unix-chkpwd fails under Ubuntu 24.04 due to AppArmor. + # This prevents SSH logins from completing due to unix-chkpwd failing to look up the user with getpwnam. + # Disabling the 'unix-chkpwd' profile works around the issue, but does not solve the underlying problem. + disable_apparmor_profile_unix_chkpwd = engine == 'podman' and os_release.id == 'ubuntu' and container_name == 'fedora40' + cgroup_version = get_docker_info(engine).cgroup_version user_scenarios = [ @@ -189,14 +194,17 @@ def get_test_scenarios() -> list[TestScenario]: ] if engine == 'podman': - user_scenarios.append(UserScenario(ssh=ROOT_USER)) + if os_release.id not in ('ubuntu',): + # rootfull podman is not supported by all systems + user_scenarios.append(UserScenario(ssh=ROOT_USER)) # TODO: test podman remote on Alpine and Ubuntu hosts # TODO: combine remote with ssh using different unprivileged users if os_release.id not in ('alpine', 'ubuntu'): user_scenarios.append(UserScenario(remote=unprivileged_user)) - if LOGINUID_MISMATCH: + if LOGINUID_MISMATCH and os_release.id not in ('ubuntu',): + # rootfull podman is not supported by all systems user_scenarios.append(UserScenario()) for user_scenario in user_scenarios: 
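Review bot: The new `disable_apparmor_profile_unix_chkpwd` condition in get_test_scenarios matches any Ubuntu host and only the exact container name `fedora40`, while the comment above it describes Ubuntu 24.04 and "starting with Fedora 40". On an Ubuntu release that does not ship `/etc/apparmor.d/unix-chkpwd`, the setup this flag triggers in run_test would presumably create a dangling symlink and `apparmor_parser -R` would fail, and a newer Fedora container would hit the SSH login failure again without the workaround. Consider narrowing the host side, e.g. `and os_release.version_id == '24.04'` or an `os.path.exists('/etc/apparmor.d/unix-chkpwd')` check, and noting in the comment that the container match has to be extended for later Fedora images. The function body starts and ends outside the hunk.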
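Review bot: Both new guards in the `engine == 'podman'` branch drop the rootfull scenarios on every Ubuntu release, and the comment `# rootfull podman is not supported by all systems` does not say what fails on Ubuntu or when the scenarios can come back. Since this removes privileged-container coverage on that host without a tracked marker, a line in the style of the neighbouring TODOs would help, e.g. `# TODO: re-enable rootfull podman on Ubuntu once <issue-link> is resolved`. It is also not evident from the hunk why `UserScenario()` under `LOGINUID_MISMATCH` counts as a rootfull case, so that comment deserves one more clause. As a style point, `os_release.id != 'ubuntu'` reads more directly than a one-element tuple unless the tuple is expected to grow.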
@@ -225,6 +233,7 @@ def get_test_scenarios() -> list[TestScenario]: enable_sha1=enable_sha1, debug_systemd=debug_systemd, probe_cgroups=probe_cgroups, + disable_apparmor_profile_unix_chkpwd=disable_apparmor_profile_unix_chkpwd, ) ) @@ -319,6 +328,10 @@ def run_test(scenario: TestScenario) -> TestResult: if scenario.enable_sha1: run_command('update-crypto-policies', '--set', 'DEFAULT:SHA1') + if scenario.disable_apparmor_profile_unix_chkpwd: + os.symlink('/etc/apparmor.d/unix-chkpwd', '/etc/apparmor.d/disable/unix-chkpwd') + run_command('apparmor_parser', '-R', '/etc/apparmor.d/unix-chkpwd') + for test_command in test_commands: def run_test_command() -> SubprocessResult: if os_release.id == 'alpine' and scenario.user_scenario.actual.name != 'root': @@ -341,6 +354,10 @@ def run_test(scenario: TestScenario) -> TestResult: message = str(ex) display.error(f'{scenario} {message}') finally: + if scenario.disable_apparmor_profile_unix_chkpwd: + os.unlink('/etc/apparmor.d/disable/unix-chkpwd') + run_command('apparmor_parser', '/etc/apparmor.d/unix-chkpwd') + if scenario.enable_sha1: run_command('update-crypto-policies', '--set', 'DEFAULT') @@ -600,6 +617,7 @@ class TestScenario: enable_sha1: bool debug_systemd: bool probe_cgroups: bool + disable_apparmor_profile_unix_chkpwd: bool @property def tags(self) -> tuple[str, ...]: @@ -620,6 +638,9 @@ class TestScenario: if self.enable_sha1: tags.append('sha1: enabled') + if self.disable_apparmor_profile_unix_chkpwd: + tags.append('apparmor(unix-chkpwd): disabled') + return tuple(tags) @property |
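Review bot: The `os.symlink(...)` call added to the setup part of run_test is not repeatable: if an earlier run was interrupted before its cleanup, `/etc/apparmor.d/disable/unix-chkpwd` already exists and the call raises `FileExistsError`. Whether that is caught depends on the `try`/`except` outside this hunk; it is not a subprocess failure, so it may abort the whole run instead of being reported for the one scenario. Tolerating an existing link keeps setup idempotent, e.g. `if not os.path.lexists('/etc/apparmor.d/disable/unix-chkpwd'):` in front of the `os.symlink` call.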
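Review bot: In the `finally` block the AppArmor restore is placed ahead of the existing `update-crypto-policies --set DEFAULT` reset, so any exception it raises skips that reset and leaves SHA1 enabled on the host, together with whatever cleanup follows outside the hunk. `os.unlink` raises if setup never created the link, and `apparmor_parser` without an action flag adds the profile, which fails when the profile is still loaded (for example because the `-R` in setup failed); `-r` replaces instead. The restore should be isolated so that one failing step cannot skip the later resets, as sketched below. The enclosing try statement begins outside the hunk.

```python
    finally:
        try:
            if scenario.disable_apparmor_profile_unix_chkpwd:
                # The link may be missing if setup failed before creating it.
                if os.path.lexists('/etc/apparmor.d/disable/unix-chkpwd'):
                    os.unlink('/etc/apparmor.d/disable/unix-chkpwd')

                # -r (replace) succeeds whether or not the profile is still loaded.
                run_command('apparmor_parser', '-r', '/etc/apparmor.d/unix-chkpwd')
        finally:
            if scenario.enable_sha1:
                run_command('update-crypto-policies', '--set', 'DEFAULT')

            # … unchanged: remaining cleanup after the crypto policy reset …
```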