tests: Rebuild Docker containers

A few changes are bundled in this
 - Ansible 2.10.x and Mitogen 0.3.x are used to build nearly all images
   (Ansile 2.3.x is retained for CentOS 5, because it uses Python 2.4).
 - Tox is used to install/run Ansible, replacing build_docker_images.py
 - A static inventory, identifying containers by name rather than ID.
 - debian-test image is renamed to debian9-test
 - debian9-test image is now based on debian:9
 - centos6-test image is now based on moreati/centos6-vault
   following the same scheme as centos5-test.
 - Images are now uploaded to Amazon Elastic Container Registry (ECR).
   See #809.
 - Debian recommended packages aren't installed (e.g. build-essential)
 - Python 2.x and Python 3.x are installed wherever available.
 - Python Virtualenv is installed wherever available.

Author: moreati

.ci/azure-pipelines.yml

@@ -45,7 +45,7 @@ jobs:
       Mito27Debian_27:
         python.version: '2.7'
         MODE: mitogen
-        DISTRO: debian
+        DISTRO: debian9
 
       #MitoPy27CentOS6_26:
         #python.version: '2.7'
@@ -60,12 +60,12 @@ jobs:
       Mito37Debian_27:
         python.version: '3.7'
         MODE: mitogen
-        DISTRO: debian
+        DISTRO: debian9
 
       Mito39Debian_27:
         python.version: '3.9'
         MODE: mitogen
-        DISTRO: debian
+        DISTRO: debian9
         VER: 2.10.0
 
       #Py26CentOS7:

tests/ansible/integration/become/sudo_nonexistent.yml

@@ -12,8 +12,10 @@
 
     - name: Verify raw module output.
       assert:
-        that: |
-          out.failed and (
-            ('sudo: unknown user: slartibartfast' in out.msg) or
-            ('sudo: unknown user: slartibartfast' in out.module_stderr)
-          )
+        that:
+          - out.failed
+          # sudo-1.8.6p3-29.el6_10.3 on RHEL & CentOS 6.10 (final release)
+          # removed user/group error messages, as defence against CVE-2019-14287.
+          - >-
+            ('sudo: unknown user: slartibartfast' in out.module_stderr | default(out.msg))
+            or (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version == '6.10')

tests/image_prep/README.md

@@ -14,10 +14,11 @@ See ../README.md for a (mostly) description of the accounts created.
 
 ## Building the containers
 
-``./build_docker_images.sh``
-
-Requires Ansible 2.3.x.x in order to target CentOS 5
+No single version of Ansible supports every Linux distribution that we target.
+To workaround this [Tox](https://tox.readthedocs.io) is used, to install and
+run multiple versions of Ansible, in Python virtualenvs.
 
+``tox``
 
 ## Preparing an OS X box
 

tests/image_prep/_container_create.yml

@@ -0,0 +1,20 @@
+- name: Start containers
+  hosts: all
+  strategy: mitogen_free
+  gather_facts: false
+  tasks:
+    - name: Fetch container images
+      docker_image:
+        name: "{{ docker_base }}"
+      delegate_to: localhost
+
+    - name: Start containers
+      docker_container:
+        name: "{{ inventory_hostname }}"
+        image: "{{ docker_base }}"
+        command: /bin/bash
+        hostname: "mitogen-{{ inventory_hostname }}"
+        detach: true
+        interactive: true
+        tty: true
+      delegate_to: localhost

tests/image_prep/_container_finalize.yml

@@ -0,0 +1,18 @@
+- name: Prepare images
+  hosts: all
+  strategy: mitogen_free
+  gather_facts: true
+  tasks:
+    - name: Commit containers
+      command: >
+        docker commit
+        --change 'EXPOSE 22'
+        --change 'CMD ["/usr/sbin/sshd", "-D"]'
+        {{ inventory_hostname }}
+        public.ecr.aws/n5z0e8q9/{{ inventory_hostname }}-test
+      delegate_to: localhost
+
+    - name: Stop containers
+      command: >
+        docker rm -f {{ inventory_hostname }}
+      delegate_to: localhost

tests/image_prep/_container_setup.yml

@@ -1,95 +1,75 @@
 
 - hosts: all
-  vars_files:
-  - shared_vars.yml
   strategy: linear
   gather_facts: false
   tasks:
-    - raw: >
-        if ! python -c ''; then
-          if type -p yum; then
-            yum -y install python;
-          else
-            apt-get -y update && apt-get -y install python;
-          fi;
+    - name: Install bootstrap packages
+      raw: |
+        set -o errexit
+        set -o nounset
+        if type -p yum; then
+          yum -y install {{ bootstrap_packages | join(' ') }}
+        else
+          apt-get -y update
+          apt-get -y --no-install-recommends install {{ bootstrap_packages | join(' ') }}
         fi
+      when: bootstrap_packages | length
 
 - hosts: all
-  vars_files:
-  - shared_vars.yml
   strategy: mitogen_free
+  # Resource limitation, my laptop freezes doing every container concurrently
+  serial: 4
   # Can't gather facts before here.
   gather_facts: true
   vars:
     distro: "{{ansible_distribution}}"
-    ver: "{{ansible_distribution_major_version}}"
-
-    packages:
-      common:
-        - openssh-server
-        - rsync
-        - strace
-        - sudo
-      Debian:
-        "9":
-          - libjson-perl
-          - python-virtualenv
-          - locales
-      CentOS:
-        "5":
-        - perl
-        - sudo
-          #- perl-JSON  -- skipped on CentOS 5, packages are a pain.
-        "6":
-          - perl-JSON
-        "7":
-          - perl-JSON
-          - python-virtualenv
-
   tasks:
     - when: ansible_virtualization_type != "docker"
       meta: end_play
 
-    - name: Ensure requisite Debian packages are installed
+    - name: Ensure requisite apt packages are installed
       apt:
-        name: "{{packages.common + packages[distro][ver]}}"
-        state: installed
+        name: "{{ common_packages + packages }}"
+        state: present
+        install_recommends: false
         update_cache: true
-      when: distro == "Debian"
+      when: ansible_pkg_mgr == 'apt'
 
-    - name: Ensure requisite Red Hat packaed are installed
+    - name: Ensure requisite yum packages are installed
       yum:
-        name: "{{packages.common + packages[distro][ver]}}"
-        state: installed
+        name: "{{ common_packages + packages }}"
+        state: present
         update_cache: true
-      when: distro == "CentOS"
-
-    - name: Clean up apt cache
-      command: apt-get clean
-      when: distro == "Debian"
+      when: ansible_pkg_mgr == 'yum'
+
+    - name: Clean up package cache
+      vars:
+        clean_command:
+          apt: apt-get clean
+          yum: yum clean all
+      command: "{{ clean_command[ansible_pkg_mgr] }}"
+      args:
+        warn: false
 
     - name: Clean up apt package lists
       shell: rm -rf {{item}}/*
       with_items:
       - /var/cache/apt
       - /var/lib/apt/lists
-      when: distro == "Debian"
+      when: ansible_pkg_mgr == 'apt'
 
-    - name: Clean up yum cache
-      command: yum clean all
-      when: distro == "CentOS"
 
     - name: Enable UTF-8 locale on Debian
       copy:
         dest: /etc/locale.gen
         content: |
           en_US.UTF-8 UTF-8
           fr_FR.UTF-8 UTF-8
-      when: distro == "Debian"
+      when: ansible_pkg_mgr == 'apt'
 
     - name: Generate UTF-8 locale on Debian
       shell: locale-gen
-      when: distro == "Debian"
+      when: ansible_pkg_mgr == 'apt'
 
     - name: Write Unicode into /etc/environment
       copy:
@@ -115,16 +95,6 @@
           permit :mitogen__group
           permit :root
 
-    - name: Vanilla Ansible needs simplejson on CentOS 5.
-      shell: mkdir -p /usr/lib/python2.4/site-packages/simplejson/
-      when: distro == "CentOS" and ver == "5"
-
-    - name: Vanilla Ansible needs simplejson on CentOS 5.
-      synchronize:
-        dest: /usr/lib/python2.4/site-packages/simplejson/
-        src: ../../ansible_mitogen/compat/simplejson/
-      when: distro == "CentOS" and ver == "5"
-
     - name: Set root user password and shell
       user:
         name: root
@@ -182,8 +152,9 @@
     - name: Install CentOS wheel sudo rule
       lineinfile:
         path: /etc/sudoers
-        line: "%wheel ALL=(ALL) ALL"
-      when: distro == "CentOS"
+        regexp: '#* *%wheel +ALL=(ALL) +ALL'
+        line: "%wheel  ALL=(ALL)       ALL"
+      when: ansible_os_family == 'RedHat'
 
     - name: Enable SSH banner
       lineinfile:

tests/image_prep/_user_accounts.yml

@@ -5,15 +5,11 @@
 #
 
 - hosts: all
-  vars_files:
-  - shared_vars.yml
   gather_facts: true
   strategy: mitogen_free
   become: true
   vars:
     distro: "{{ansible_distribution}}"
-    ver: "{{ansible_distribution_major_version}}"
-
     special_users:
       - has_sudo
       - has_sudo_nopw

tests/image_prep/ansible.cfg

@@ -1,7 +1,11 @@
 
 [defaults]
+deprecation_warnings = false
 strategy_plugins = ../../ansible_mitogen/plugins/strategy
 retry_files_enabled = false
 display_args_to_stdout = True
 no_target_syslog = True
 host_key_checking = False
+
+[inventory]
+unparsed_is_fatal = true

tests/image_prep/build_docker_images.py

@@ -1,3 +1,9 @@
+common_packages:
+  - openssh-server
+  - rsync
+  - strace
+  - sudo
+
 sudo_group:
   MacOSX: admin
   Debian: sudo