ansible-test - Replace Ubuntu 22.04 with 26.04 (#86894)

* ansible-test - Replace Ubuntu 22.04 with 26.04

* Remove obsolete AppArmor work-around

* Fix connection_local integration test

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>

* Fix apt integration test

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>

* Skip apt_repository test on Ubuntu 26.04+

The module is deprecated, but it still tested on Ubuntu 24.04.

* Fix apt test

---------

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>

.azure-pipelines/azure-pipelines.yml

@@ -138,6 +138,8 @@ stages:
               test: rhel/10.1
             - name: Ubuntu 24.04
               test: ubuntu/24.04
+            - name: Ubuntu 26.04
+              test: ubuntu/26.04
           groups:
             - 6
   - stage: Remote_Targeted
@@ -161,10 +163,10 @@ stages:
               test: alpine323
             - name: Fedora 44
               test: fedora44
-            - name: Ubuntu 22.04
-              test: ubuntu2204
             - name: Ubuntu 24.04
               test: ubuntu2404
+            - name: Ubuntu 26.04
+              test: ubuntu2604
           groups:
             - 1
             - 2
@@ -178,6 +180,8 @@ stages:
               test: fedora44
             - name: Ubuntu 24.04
               test: ubuntu2404
+            - name: Ubuntu 26.04
+              test: ubuntu2604
           groups:
             - 3
             - 4

changelogs/fragments/ansible-test-ubuntu-2604.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Replace Ubuntu 22.04 container and remote with 26.04.

test/integration/targets/ansible-test-container/runme.py

@@ -179,10 +179,13 @@ def get_test_scenarios() -> list[TestScenario]:
             # See: https://access.redhat.com/solutions/6816771
             enable_sha1 = os_release.id == 'rhel' and os_release.version_id.startswith('9.') and container_name == 'centos6'
 
-            # Starting with Fedora 40, use of /usr/sbin/unix-chkpwd fails under Ubuntu 24.04 due to AppArmor.
-            # This prevents SSH logins from completing due to unix-chkpwd failing to look up the user with getpwnam.
-            # Disabling the 'unix-chkpwd' profile works around the issue, but does not solve the underlying problem.
-            disable_apparmor_profile_unix_chkpwd = engine == 'podman' and os_release.id == 'ubuntu' and container_name.startswith('fedora')
+            # The AppArmor policy for pasta on Ubuntu 26.04 prevents podman from stopping containers.
+            # Attempting to do so fails with an error like:
+            # rootless netns: kill network process: permission denied
+            # AppArmor denials such as the following show up in dmesg output:
+            # [ 1606.740536] audit: type=1400 audit(1777052086.084:226): apparmor="DENIED" operation="signal" class="signal" profile="pasta" pid=28252
+            #   comm="podman" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
+            disable_apparmor_profile_pasta = engine == 'podman' and os_release.id == 'ubuntu' and os_release.version_id == '26.04'
 
             cgroup_version = get_docker_info(engine).cgroup_version
 
@@ -237,7 +240,7 @@ def get_test_scenarios() -> list[TestScenario]:
                         enable_sha1=enable_sha1,
                         debug_systemd=debug_systemd,
                         probe_cgroups=probe_cgroups,
-                        disable_apparmor_profile_unix_chkpwd=disable_apparmor_profile_unix_chkpwd,
+                        disable_apparmor_profile_pasta=disable_apparmor_profile_pasta,
                     )
                 )
 
@@ -332,9 +335,9 @@ def run_test(scenario: TestScenario) -> TestResult:
         if scenario.enable_sha1:
             run_command('update-crypto-policies', '--set', 'DEFAULT:SHA1')
 
-        if scenario.disable_apparmor_profile_unix_chkpwd:
-            os.symlink('/etc/apparmor.d/unix-chkpwd', '/etc/apparmor.d/disable/unix-chkpwd')
-            run_command('apparmor_parser', '-R', '/etc/apparmor.d/unix-chkpwd')
+        if scenario.disable_apparmor_profile_pasta:
+            os.symlink('/etc/apparmor.d/usr.bin.pasta', '/etc/apparmor.d/disable/usr.bin.pasta')
+            run_command('apparmor_parser', '-R', '/etc/apparmor.d/usr.bin.pasta')
 
         for test_command in test_commands:
             def run_test_command() -> SubprocessResult:
@@ -358,9 +361,9 @@ def run_test(scenario: TestScenario) -> TestResult:
         message = str(ex)
         display.error(f'{scenario} {message}')
     finally:
-        if scenario.disable_apparmor_profile_unix_chkpwd:
-            os.unlink('/etc/apparmor.d/disable/unix-chkpwd')
-            run_command('apparmor_parser', '/etc/apparmor.d/unix-chkpwd')
+        if scenario.disable_apparmor_profile_pasta:
+            os.unlink('/etc/apparmor.d/disable/usr.bin.pasta')
+            run_command('apparmor_parser', '/etc/apparmor.d/usr.bin.pasta')
 
         if scenario.enable_sha1:
             run_command('update-crypto-policies', '--set', 'DEFAULT')
@@ -621,7 +624,7 @@ class TestScenario:
     enable_sha1: bool
     debug_systemd: bool
     probe_cgroups: bool
-    disable_apparmor_profile_unix_chkpwd: bool
+    disable_apparmor_profile_pasta: bool
 
     @property
     def tags(self) -> tuple[str, ...]:
@@ -642,8 +645,8 @@ class TestScenario:
         if self.enable_sha1:
             tags.append('sha1: enabled')
 
-        if self.disable_apparmor_profile_unix_chkpwd:
-            tags.append('apparmor(unix-chkpwd): disabled')
+        if self.disable_apparmor_profile_pasta:
+            tags.append('apparmor(pasta): disabled')
 
         return tuple(tags)
 
@@ -1065,7 +1068,7 @@ class AptBootstrapper(Bootstrapper):
         if cls.install_podman():
             # NOTE: Install crun to make it available to podman, otherwise installing docker.io can cause podman to use runc instead.
             # Using podman rootless requires the `newuidmap` and `slirp4netns` commands.
-            packages.extend(('podman', 'crun', 'uidmap', 'slirp4netns'))
+            packages.extend(('podman', 'crun', 'uidmap', 'slirp4netns', 'passt'))
 
         run_command('apt-get', 'install', *packages, '-y', '--no-install-recommends', env=apt_env)
 

test/integration/targets/apt/tasks/apt.yml

@@ -385,11 +385,17 @@
   ignore_errors: yes
   register: apt_result
 
+- name: hello-traditional was removed in newer versions, but we can build if needed.
+  include_tasks: hello-traditional.yml
+  when:
+    - apt_result is failed
+    - '"No package matching" in apt_result.msg'
+
 - name: verify failure of installing hello-traditional, because it is required to remove hello to install.
   assert:
     that:
       - apt_result is failed
-      - '"Packages need to be removed but remove is disabled." in apt_result.msg'
+      - '"Packages need to be removed but remove is disabled." in apt_result.msg or "Conflicts with the installed package" in apt_result.msg'
 
 - name: uninstall hello with apt
   apt:

test/integration/targets/apt/tasks/hello-traditional.yml

@@ -0,0 +1,55 @@
+- name: create hello-traditional from hello, cleanup not needed, OUTPUT_DIR gets cleared
+  vars:
+    outdir: '{{lookup("env", "OUTPUT_DIR")}}'
+    workdir: '{{outdir}}/hello-traditional'
+    control: '{{workdir}}/DEBIAN/control'
+  block:
+    - name: ensure we have our dirs
+      file:
+        path: '{{item}}'
+        state: directory
+      loop:
+        - '{{outdir}}'
+        - '{{workdir}}'
+        - '{{workdir}}/DEBIAN'
+
+    - name: download deb
+      shell:
+        cmd: apt download hello
+        chdir: '{{outdir}}'
+
+    - name: extract files and metafiles
+      shell: '{{" ".join(["dpkg-deb", "-" + item.flag, outdir + "/hello_*.deb", workdir + item.dest])}}'
+      loop:
+        - flag: e
+          dest: /DEBIAN/
+        - flag: x
+          dest: /
+
+    - name: in case conflict didn't exist
+      lineinfile:
+        path: '{{control}}'
+        regexp: '^Conflicts: hello'
+        line: 'Conflicts: hello'
+
+    - name: modify into hello-traditional, conflicting!!!
+      replace:
+        path: '{{control}}'
+        regexp: '{{item.old}}'
+        replace: '{{item.new}}'
+      loop:
+        - old: '^Package: hello$'
+          new: 'Package: hello-traditional'
+        - old: '^Conflicts: hello-traditional$'
+          new: 'Conflicts: hello'
+
+    - name: build hello
+      shell: dpkg-deb -b {{workdir}} {{outdir}}/hello-traditional.deb
+
+    - name: Try again, now try installing hello-traditional, that conflicts with hello
+      apt:
+        deb: '{{outdir}}/hello-traditional.deb'
+        state: present
+        fail_on_autoremove: yes
+      ignore_errors: yes
+      register: apt_result

test/integration/targets/apt/vars/Ubuntu-26.yml

@@ -0,0 +1 @@
+multiarch_test_pkg: libunistring5

test/integration/targets/apt_repository/tasks/main.yml

@@ -16,6 +16,10 @@
 # You should have received a copy of the GNU General Public License
 # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 
+- name: skip test on unsupported platforms
+  meta: end_play
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('26.04', '>=')
+
 - import_tasks: 'apt.yml'
   when: ansible_distribution in ('Ubuntu')
 

test/integration/targets/connection_local/test_become_password_handling.yml

@@ -159,7 +159,7 @@
       - assert:
           that:
             - missing_required_password is failed
-            - missing_required_password.msg is contains "password is required"
+            - missing_required_password.msg is contains "password is required" or missing_required_password.msg is contains "interactive authentication is required"
 
       - name: verify duplicate password prompts are handled (due to incorrect password)
         raw: echo hi mom

test/lib/ansible_test/_data/completion/docker.txt

@@ -3,5 +3,5 @@ default image=quay.io/ansible/default-test-container:v2.22-0 python=3.14,3.9,3.1
 default image=quay.io/ansible/ansible-core-test-container:v2.22-0 python=3.14,3.9,3.10,3.11,3.12,3.13,3.15 powershell=7.6 context=ansible-core
 alpine323 image=quay.io/ansible/alpine-test-container:3.23-v2.22-0 python=3.12 cgroup=none audit=none alias=alpine
 fedora44 image=quay.io/ansible/fedora-test-container:44-v2.22-1 python=3.14 cgroup=v2-only alias=fedora
-ubuntu2204 image=quay.io/ansible/ubuntu-test-container:22.04-v2.22-0 python=3.10
-ubuntu2404 image=quay.io/ansible/ubuntu-test-container:24.04-v2.22-0 python=3.12 alias=ubuntu
+ubuntu2404 image=quay.io/ansible/ubuntu-test-container:24.04-v2.22-0 python=3.12
+ubuntu2604 image=quay.io/ansible/ubuntu-test-container:26.04-v2.22-2 python=3.14 alias=ubuntu

test/lib/ansible_test/_data/completion/remote.txt

@@ -11,6 +11,6 @@ rhel/8.10 python=3.12 become=sudo provider=aws arch=x86_64 alias=rhel/8
 rhel/9.7 python=3.9,3.12 become=sudo provider=aws arch=x86_64 alias=rhel/9
 rhel/10.1 python=3.12 become=sudo provider=aws arch=x86_64 alias=rhel/10,rhel/latest
 rhel become=sudo provider=aws arch=x86_64
-ubuntu/22.04 python=3.10 become=sudo provider=aws arch=x86_64
-ubuntu/24.04 python=3.12 become=sudo provider=aws arch=x86_64 alias=ubuntu/latest
+ubuntu/24.04 python=3.12 become=sudo provider=aws arch=x86_64
+ubuntu/26.04 python=3.14 become=sudo provider=aws arch=x86_64 alias=ubuntu/latest
 ubuntu become=sudo provider=aws arch=x86_64