Commit Graph

34 Commits

Author SHA1 Message Date
James E. Blair 5a8e373c3b Replace Ansible 6 with Ansible 9
Ansible 6 is EOL and Ansible 9 is available.  Remove 6 and add 9.

This is usually done in two changes, but this time it's in one
since we can just rotate the 6 around to make it a 9.

command.py has been updated for ansible 9.

Change-Id: I537667f66ba321d057b6637aa4885e48c8b96f04
2024-02-15 16:20:45 -08:00
James E. Blair 60a8dfd451 Add Ansible 8
This is the currently supported version of Ansible.  Since 7 is out
of support, let's skip it.

Change-Id: I1d13c23189dce7fd9db291ee03a452089b92a421
2023-07-19 15:46:48 -07:00
James E. Blair f9eb499870 Remove Ansible 5
Change-Id: Icd8c33dfe1c8ffd21a717a1a94f1783c244a6b82
2022-10-11 17:03:57 -07:00
James E. Blair 2d6b5c19ba Remove support for Ansible 2
Versions 2.8 and 2.9 are no longer supported by the Ansible project.

Change-Id: I888ddcbecadd56ced83a27ae5a6e70377dc3bf8c
2022-09-14 17:14:10 -07:00
James E. Blair 7949efd255 Add Ansible 6
Change-Id: I0d450d9385b9aaab22d2d87fb47798bf56525f50
2022-09-02 10:12:55 -07:00
James E. Blair ebf5c96d57 Add support for Ansible 5
This adds support for Ansible 5.  As mentioned in the reno, only
the major version is specified; that corresponds to major.minor in
Ansible core, so is approximately equivalent to our current regime.

The command module is updated to be based on the current code in
ansible core 2.12.4 (corresponding to community 5.6.0).  The previous
version is un-symlinked and copied to the 2.8 and 2.8 directories
for easy deletion as they age out.

The new command module has corrected a code path we used to test
that the zuul_stream module handles python exceptions in modules,
so instead we now take advantage of the ability to load
playbook-adjacent modules to add a test fixture module that always
raises an exception.  The zuul stream functional test validation is
adjusted to match the new values.

Similarly, in test_command in the remote tests, we relied on that
behavior, but there is already a test for module exceptions in
test_module_exception, so that check is simply removed.

Among our Ansible version tests, we occasionally had tests which
exercised 2.8 but not 2.9 because it is the default and is otherwise
tested.  This change adds explicit tests for 2.9 even if they are
redundant in order to make future Ansible version updates easier and
more mechanical (we don't need to remember to add 2.9 later when
we change the default).

This is our first version of Ansible where the value of
job.ansible-version could be interpreted as an integer, so the
configloader is updated to handle that possibility transparently,
as it already does for floating point values.

Change-Id: I694b979077d7944b4b365dbd8c72aba3f9807329
2022-04-14 13:33:53 -07:00
James E. Blair a28ca2f240 Remove unused remote module tests
These tests verify the behavior of the restricted Ansible modules which
are being removed, and are therefore no longer necessary.

Change-Id: I5a171739b9e993af605aee981cb59f520bc1c6ba
2022-04-13 14:17:04 -07:00
Clark Boylan 1fb7bd33e7 Prohibit invalid uri usages on localhost
The uri module could potentially be used to expose files within the
bubblewrap context either through its src or dest parameters or its url
parameter. In the case of src and dest we use Zuul's utility functions
to filter out invalid srcs and dests. In the case of url we have been
relying on an ansible bug that prevents request responses without a
status code from completing successfully due to an unchecked type
coercion.

This change adds our own check to url schemes and restricts it to http,
https, and ftp so that if ansible fixes their bugs zuul will continue to
do the right thing.

Then we add testing for all of the cases talked about above.

Change-Id: I527a4082c1ec5556e4c8347ff08b2e89ce0edaaa
Task: #40940
2020-09-23 18:59:52 +00:00
Tobias Henkel 9843436311 Drop support for ansible 2.7
Ansible 2.7 has been in security-fix-only maintenance mode for quite some
time and will be end of life soon. It further blocks upgrade of zuul
to Python 2.8 due to incompatibilities. Thus drop support.

Change-Id: I13802db3314450ad149fdadacd1e2e70dd8468ef
Depends-On: https://review.opendev.org/727345
2020-09-04 16:15:33 +02:00
Tobias Henkel bf4e9893d0 Block localhost shell tasks in untrusted playbooks
Zuul was designed to block local code execution in untrusted
environments so as not to rely only on bwrap to contain a job. This got
broken with the creation of a command plugin that injects the
zuul_job_id which is required for log streaming. However this plugin
doesn't check whether the task is a localhost task. Further it is
required in trusted and untrusted environments due to log
streaming. Thus we need to fork this plugin and restrict the variant
that is used in untrusted environments.

We do this by moving actiongeneral/command.py back to action/*. We
further introduce a new category actiontrusted which gets the
unrestricted version of this plugin.

Change-Id: If81cc46bcae466f4c071badf09a8a88469ae6779
Story: 2007935
Task: 40391
2020-07-21 19:18:10 +02:00
Tobias Henkel 1a123b61af Increase wait time in remote tests
We have lately seen increasing rates of failed tests in the remote
tests. Some of them are failing with a timeout waiting for zuul to
settle. Therefore increase the wait timeout for the zuul stream and
action modules tests.

Change-Id: Ia7b03405e8199aa6c3d2c737244ba26161986783
2020-05-20 09:57:22 +02:00
Tobias Henkel 4728382a8e Drop support for ansible 2.6
Ansible 2.6 has been unmaintained for several months now so remove
support for it.

Change-Id: Ifb604eb5cb86fd0210c1dfd8418f069273e302b6
2020-05-15 09:22:38 +02:00
Tobias Henkel 6bcd4e8140 Remove support for ansible 2.5
With release 2.8 Ansible has dropped support for version 2.5 as it is
EOL.

Change-Id: I0a43b1b9d94925f3b6e7266434fb698e665dd42c
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-12-10 11:28:56 -05:00
Paul Belanger 15afed554e Support Ansible 2.9
Ansible has released 2.9 and now Zuul also supports it.

Change-Id: Iabf2d6278ba8d88e17403a4adae5521eb3e7019b
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-12-10 11:28:35 -05:00
James E. Blair fdb1a5ce50 Fix deletion of stale build dirs on startup
This code had a bug -- it didn't build the full path.
This code was not tested.

These two things are related.

Change-Id: I7881fb30017cedc12435e0fcbfda321bdf20d611
2019-11-22 17:06:18 +01:00
Tristan Cacqueray e4f3f48fef Disable rsh synchronize rsync_opts
This change prevents executor host command execution through a
malicious rsh synchronize rsync_opts.

Fixes bug #2006526

Change-Id: I3cd17ca91410394f164d8ea7cd91a1ea5890f998
2019-09-16 16:25:11 +00:00
Tobias Henkel 5b31159717 Support Ansible 2.8
Ansible has released 2.8 and now zuul also supports it. We've had to
update zuul_console to deal with new tasks stats, along with
gather_facts also now being exposed directly to the job.

Change-Id: Ifa4be7cf408b1f05b0f985fa0c9a5e3947858078
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-05-16 15:07:26 -04:00
Tobias Henkel fed4d627ce Support ansible 2.7
We should keep up with recent ansible versions so support 2.7.

Change-Id: Ic4234784f104690d72cfac71e09ecd170ccce1b5
2019-03-15 09:09:50 +01:00
Tobias Henkel 6504f24caa Support ansible 2.6
Ansible 2.5 is unsupported soon so add support for 2.6.

Change-Id: I6d402c360e10a794302924031a3203105c65d489
2019-03-15 09:09:17 +01:00
Tobias Henkel 5c2b61e638 Make ansible version configurable
Currently the default ansible version is selected by the version of
zuul itself. However we want to make this configurable per deployment
(zuul.conf), tenant and job.

Change-Id: Iccbb124ac7f7a8260c730fbc109ccfc1dec09f8b
2019-03-15 09:09:16 +01:00
Tobias Henkel 5ae25f004a Prevent local code execution via the raw module
The raw module had not been restricted to remote nodes so jobs could
run arbitrary code on the executor.

Change-Id: I1b37eac65ef59ca749f55117a678c38969e86ead
2019-03-11 17:49:38 +01:00
Zuul 56e79455e2 Merge "Convert zuul_return into action plugin" 2019-01-18 20:37:11 +00:00
Paul Belanger f4a43703ad Allow known_hosts to be run in untrusted context
When using add_host on localhost (zuul-executor) we also need to add the
ssh known_host entry, otherwise when a play tries to use the new host
ansible will fail to connect since we try to validate SSH host keys by
default.

Change-Id: Ifc99f57085ab4e4ed022e411db77965673c6dbcf
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-01-17 08:59:54 -05:00
Paul Belanger dc3ba9e440 Convert zuul_return into action plugin
Today we expect zuul_return to be run on localhost (zuul-executor).
With that in mind, convert to an action plugin so it only runs on a
zuul-executor.

Change-Id: I236360563c812ee628f78ac062e9ae6cc183aee4
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2019-01-14 14:10:44 -05:00
Paul Belanger f073282195 Fix delegate_to for ansible synchronize
Our filtering for the synchronize ansible module didn't account for
using delegate_to. We now fix this and add some test coverage for
validation.

Change-Id: I33b1fe259454ec32e783d2ffe6aa5e6b73f6fea0
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-07-23 09:47:13 -04:00
Paul Belanger 6814c36abb Add remote tests for synchronize
Increase our testing of the synchronize ansible module.

Change-Id: If7786d4bb7e3dad59255eb941a9bc0d41601f4cd
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-07-22 13:03:36 -04:00
Tobias Henkel 7b3fadf17d Test more action modules
Recent failures of the shell module during Ansible 2.5 testing shows
that we have a test hole there.

Change-Id: I5a63a99ad140b832b0b16e839d4fc2b63bd5cd1b
2018-05-08 21:18:49 +02:00
Tobias Henkel 5763b8e4d7 Add missing localhost delegation checks to some modules
Currently we don't check some modules for delegation to
localhost. This would make it possible to overwrite any data which is
writable within the bwrap context. Further the script module allows
arbitrary code execution when delegated to localhost.

The following modules are affected:
* assemble: add safe path check
* copy: add safe path check
* patch: add safe path check
* script: block completely
* template: add safe path check
* unarchive: add tests, fixed by safe path check of copy

Change-Id: I2360219f50e6a28bb134468ead08ec72148ad192
Story: 2001681
2018-03-22 20:42:01 +01:00
Tobias Henkel e54fcde58a Fix safe path check for directories containing symlinks
Currently it is possible to bypass safe path checks by utilising
modules that can operate on directories instead of files like
assemble. This can be done by putting symlinks into a directory the
module is allowed to access.

This can be fixed by walking the whole sub tree and checking the paths
instead of just checking the path itself.

Change-Id: Iaa4efcf0737e47429339e9afd66eecf4e38fd8ea
2018-03-14 20:55:43 +01:00
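The two checks described in the commits above, written out as an added example: the scheme allowlist for the uri module's url parameter (commit 1fb7bd33e7) and the safe path check that walks a directory subtree and resolves every entry so that a planted symlink cannot reach outside the allowed root (commit e54fcde58a). This is not Zuul's own code. The function names, the allowed_roots argument and the temporary directory layout built by build_and_check() are assumptions made for illustration; the naive is_safe_path() is kept beside is_safe_tree() only to show the bypass.

```python
"""Path and URL checks of the kind the commits above describe.

Added illustration, not Zuul's code.  The layout created in
build_and_check() is constructed in temporary directories so the
module runs stand-alone.
"""
import os
import tempfile
from urllib.parse import urlsplit

# Schemes the uri module's `url` parameter may use.  Everything else
# (file://, a bare local path, s3://, ...) is refused up front instead
# of relying on how Ansible happens to handle the response.
ALLOWED_URL_SCHEMES = frozenset({"http", "https", "ftp"})


def is_allowed_url(url):
    """Scheme allowlist for the url parameter (case-insensitive)."""
    scheme = urlsplit(url).scheme.lower()
    return scheme in ALLOWED_URL_SCHEMES


def _is_under(path, root):
    """True if resolved `path` equals resolved `root` or lies beneath it."""
    prefix = root if root.endswith(os.sep) else root + os.sep
    return path == root or path.startswith(prefix)


def is_safe_path(path, allowed_roots):
    """Resolve `path` (symlinks and '..') and require it to sit under one
    of `allowed_roots`.  Only the path itself is resolved, so a safe
    directory that contains a symlink to an outside file still passes.
    This is the bypassable check the symlink commit refers to."""
    real = os.path.realpath(path)
    return any(_is_under(real, os.path.realpath(r)) for r in allowed_roots)


def is_safe_tree(path, allowed_roots):
    """is_safe_path for the path itself, plus, for a directory, the same
    check on every entry found by walking the subtree.  os.walk does not
    descend into symlinked directories, but they still appear in
    dirnames, where realpath exposes their real target."""
    if not is_safe_path(path, allowed_roots):
        return False
    if not os.path.isdir(path):
        return True
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            if not is_safe_path(os.path.join(dirpath, name), allowed_roots):
                return False
    return True


def build_and_check():
    """Constructed scenario: an allowed root holding a 'fragments' directory
    with one genuine file and one symlink to a file outside the root, and
    a 'clean' directory whose only symlink stays inside the root.
    Returns (naive check on fragments, walking check on fragments,
             walking check on clean)."""
    with tempfile.TemporaryDirectory() as root:
        with tempfile.TemporaryDirectory() as outside:
            secret = os.path.join(outside, "secret")
            with open(secret, "w") as f:
                f.write("executor-only data\n")

            fragments = os.path.join(root, "fragments")
            os.mkdir(fragments)
            ok_file = os.path.join(fragments, "01-ok")
            with open(ok_file, "w") as f:
                f.write("fine\n")
            # The bypass: the directory is safe, its content is not.
            os.symlink(secret, os.path.join(fragments, "02-sneaky"))

            clean = os.path.join(root, "clean")
            os.mkdir(clean)
            os.symlink(ok_file, os.path.join(clean, "link-inside"))

            return (is_safe_path(fragments, [root]),
                    is_safe_tree(fragments, [root]),
                    is_safe_tree(clean, [root]))


if __name__ == "__main__":
    print(build_and_check())
```

The walking check has to resolve each entry individually rather than the directory once: realpath() of the directory says nothing about where the entries inside it point, which is exactly what assemble, copy and unarchive read.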
Tobias Henkel 9e70f4e0b9 Make sure we fail because of path checks
In tox-remote we should also check whether the job failed because of the
safe path validation and not just due to a random ansible error. Otherwise
a broken test case could hide a security issue from us.

Change-Id: Ibea5368a2bf8c76d6b1b47d07371c0f06c055c10
2018-03-13 14:42:35 +01:00
Zuul 0cbcc8d5f9 Merge "Allow trusted for find_needle" 2018-03-12 22:24:20 +00:00
Tobias Henkel 1214b104d1 Allow trusted for find_needle
In ansible find_needle is used for finding source files. This must be
allowed also for roles from trusted repos.

Change-Id: I0491bc08ba1869849a562bd5047253e60c40c7d7
2018-03-12 21:59:09 +01:00
Tobias Henkel 916c65cdf7 Add further test cases to tox-remote
We need to test things which are allowed and not allowed. Further this
adds test cases for the security issue which is fixed in the previous
change.

Change-Id: I0b243d21bf626d35eacf83e0bd5c59d19509aaae
2018-03-12 17:33:17 +01:00
Tobias Henkel 1acaafe6e5 Add new tox-remote job
We need tests that really use ansible against a remote node. Our
current ansible tests are not sufficient for this goal as they run
against localhost. For being able to test restrictions in untrusted
jobs we need tests that run ansible via ssh against a remote node.

This adds a new tox-remote job and a new class of tests that run via
ssh against the interface ip of the test node.

Co-Authored-By: James E. Blair <jeblair@redhat.com>
Change-Id: Iacf670d992bb051560a0c46c313beaa6721489c4
2018-03-12 15:44:51 +01:00