From 298354d2e3bd12d0dd2f1f3eb0be61c1b6538c42 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 23 May 2024 08:50:55 -0700
Subject: [PATCH] Ombibus set of fixups for Ubuntu Noble
There are a number of updates we make for Ubuntu Noble in this commit.
1. Remove python2-dev from bindep for Noble as Noble appears to have no python2 runtime options.
2. Add libjpeg-dev to bindep for noble because Pillow doesn't build python3.12 wheels for Pillow<10 which we currently depend on. This means we need to build from source and that depends on libjpeg-dev.
3. We remove double bracket wrappers from ansible vars in ansible assertion blocks. Having them results in errors like: Conditional is marked as unsafe, and cannot be evaluated.
4. We update rust testing to explicitly install pkg-config before building python cryptography. This tool is required to build cryptography from source and is no longer being pulled in either by the base images or build-essential meta pacakge.
5. Add an Ubuntu-24.04 tasks file for the ensure-skopeo roles so that we try to install skopeo using distro packages or build from source and don't use Kubic which only has packages for old Ubuntu releases.
Change-Id: I388710ce40dc757ada4de819a9c3c59fc32fb07a
---
 bindep.txt | 5 +-
 roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml | 49 +++++++++++++++++++
 test-playbooks/ensure-nox.yaml | 4 +-
 test-playbooks/ensure-tox.yaml | 4 +-
 .../multinode/multi-node-firewall.yaml | 6 +--
 .../multinode/persistent-firewall.yaml | 8 +--
 test-playbooks/rust/ensure-rust.yaml | 5 ++
 7 files changed, 69 insertions(+), 12 deletions(-)
 create mode 100644 roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml
diff --git a/bindep.txt b/bindep.txt
index b0f784e1d..b9dfdcfb5 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -7,5 +7,8 @@ python3-dev [test platform:dpkg platform:apk]
 # Required for subprocess32
 python2-devel [test platform:fedora]
 python-devel [test platform:rpm !platform:fedora !platform:centos-8 !platform:rhel-8]
-python-dev [test platform:dpkg platform:apk !platform:ubuntu-jammy !platform:debian-bookworm]
+python-dev [test platform:dpkg platform:apk !platform:ubuntu-jammy !platform:ubuntu-noble !platform:debian-bookworm]
 python2-dev [test platform:ubuntu-jammy]
+
+# Required for sphinx testing on Noble for Pillow wheel builds
+libjpeg-dev [doc platform:ubuntu-noble]
diff --git a/roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml b/roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml
new file mode 100644
index 000000000..a95fd24c4
--- /dev/null
+++ b/roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml
@@ -0,0 +1,49 @@
+- name: Install skopeo from packages
+ when: not ensure_skopeo_install_from_upstream
+ package:
+ name:
+ - skopeo
+ - uidmap
+ state: present
+ become: yes
+
+- name: Install skopeo from upstream
+ when: ensure_skopeo_install_from_upstream
+ block:
+
+ - name: Install dependencies
+ become: yes
+ package:
+ name:
+ - libgpgme-dev
+ - libassuan-dev
+ - libbtrfs-dev
+ - libdevmapper-dev
+ - pkg-config
+ - build-essential
+ - golang
+ state: present
+
+ - name: Clone upstream source
+ git:
+ repo: https://github.com/containers/skopeo
+ dest: '{{ ansible_user_dir }}/skopeo'
+ version: '{{ ensure_skopeo_install_from_upstream_version }}'
+
+ - name: Build skopeo
+ command: 'make bin/skopeo'
+ args:
+ chdir: '{{ ansible_user_dir }}/skopeo'
+
+ - name: Install binary
+ become: yes
+ copy:
+ src: '{{ ansible_user_dir}}/skopeo/bin/skopeo'
+ dest: '/usr/local/bin/skopeo'
+ owner: root
+ group: root
+ mode: '0755'
+ remote_src: yes
+
+ - name: Test binary
+ command: '/usr/local/bin/skopeo --version'
diff --git a/test-playbooks/ensure-nox.yaml b/test-playbooks/ensure-nox.yaml
index f89c184d9..805f9e95e 100644
--- a/test-playbooks/ensure-nox.yaml
+++ b/test-playbooks/ensure-nox.yaml
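Review bot: In the new roles/ensure-skopeo/tasks/Ubuntu-24.04.yaml, the `Clone upstream source` task checks out whatever `ensure_skopeo_install_from_upstream_version` names, and the `Install binary` task then copies the built result to `/usr/local/bin/skopeo` owned by root, with nothing tying the build to a reviewed commit. The variable's default is defined outside this patch; if it is a branch or tag rather than a full commit SHA, the root-owned binary follows whatever that ref points to at run time. The role documentation should ask for a full commit SHA here, or the `git` task should set `verify_commit: true` against a trusted keyring. As a matter of style, the boolean keys read better as `become: true` and `remote_src: true`, and `'{{ ansible_user_dir}}/skopeo/bin/skopeo'` is missing the space before `}}` that the other two uses have.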
@@ -27,7 +27,7 @@
 - name: Verify nox_executable is set
 assert:
 that:
- - nox_executable == "{{ ansible_user_dir }}/.local/nox/bin/nox"
+ - nox_executable == ansible_user_dir + '/.local/nox/bin/nox'
 - name: Verify nox is installed
 command: "{{ nox_executable }} --version"
 register: result
@@ -48,4 +48,4 @@
 - name: Verify nox_executable is set to the virtualenv nox
 assert:
 that:
- - nox_executable == '{{ ansible_user_dir }}/nox-venv/bin/nox'
+ - nox_executable == ansible_user_dir + '/nox-venv/bin/nox'
diff --git a/test-playbooks/ensure-tox.yaml b/test-playbooks/ensure-tox.yaml
index 46ea17d8e..a5306794c 100644
--- a/test-playbooks/ensure-tox.yaml
+++ b/test-playbooks/ensure-tox.yaml
@@ -27,7 +27,7 @@
 - name: Verify tox_executable is set
 assert:
 that:
- - tox_executable == "{{ ansible_user_dir }}/.local/tox/bin/tox"
+ - tox_executable == ansible_user_dir + '/.local/tox/bin/tox'
 - name: Verify tox is installed
 command: "{{ tox_executable }} --version"
 register: result
@@ -48,4 +48,4 @@
 - name: Verify tox_executable is set to the virtualenv tox
 assert:
 that:
- - tox_executable == '{{ ansible_user_dir }}/tox-venv/bin/tox'
+ - tox_executable == ansible_user_dir + '/tox-venv/bin/tox'
diff --git a/test-playbooks/multinode/multi-node-firewall.yaml b/test-playbooks/multinode/multi-node-firewall.yaml
index c98d2cdab..6cba85b6a 100644
--- a/test-playbooks/multinode/multi-node-firewall.yaml
+++ b/test-playbooks/multinode/multi-node-firewall.yaml
@@ -13,7 +13,7 @@
 - name: Validate ipv4 private firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+ - "'-A INPUT -s ' + hostvars[item]['nodepool']['private_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
 with_items: "{{ groups['all'] }}"
 when:
 - hostvars[item]['nodepool']['private_ipv4']
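Review bot: Nothing in test-playbooks/ensure-nox.yaml records why the `that:` entries must stay bare expressions, so the `{{ }}` form removed in the hunk at line 27 is easy to reintroduce the next time an assert is added. Per the commit message, Ansible refuses to evaluate a conditional that embeds a templated value it has marked unsafe, and `ansible_user_dir` appears to be such a value. A short comment above the first assert would carry that forward, for example `# 'that' is already a Jinja expression; do not wrap variables in {{ }} or Ansible rejects the conditional as unsafe`. The same comment fits the second nox hunk, both ensure-tox.yaml hunks and the firewall asserts in the two multinode playbooks.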
@@ -21,7 +21,7 @@
 - name: Validate ipv4 public firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+ - "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
 with_items: "{{ groups['all'] }}"
 when:
 - hostvars[item]['nodepool']['public_ipv4']
@@ -40,5 +40,5 @@
 - name: Validate ipv6 firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
+ - "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv6'] + '/128 -j ACCEPT' in ip6tables_rules.stdout"
 with_items: "{{ groups['all'] }}"
diff --git a/test-playbooks/multinode/persistent-firewall.yaml b/test-playbooks/multinode/persistent-firewall.yaml
index 51ff9e0e0..d193b2e9c 100644
--- a/test-playbooks/multinode/persistent-firewall.yaml
+++ b/test-playbooks/multinode/persistent-firewall.yaml
@@ -59,7 +59,7 @@
 - name: Validate ipv4 private firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+ - "'-A INPUT -s ' + hostvars[item]['nodepool']['private_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
 with_items: "{{ groups['all'] }}"
 when:
 - hostvars[item]['nodepool']['private_ipv4']
@@ -67,7 +67,7 @@
 - name: Validate ipv4 public firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
+ - "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv4'] + '/32 -j ACCEPT' in iptables_rules.stdout"
 with_items: "{{ groups['all'] }}"
 when:
 - hostvars[item]['nodepool']['public_ipv4']
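Review bot: The ipv6 assertion in multi-node-firewall.yaml (hunk at line 40) now concatenates `hostvars[item]['nodepool']['public_ipv6']` with `+`, and unlike the two ipv4 tasks it carries no `when:` on that value anywhere in the hunk. If a host in `groups['all']` has the key unset or null, the expression would presumably fail with a templating type error rather than a failed assertion naming the missing rule, which makes a firewall regression harder to read in the job log. A guard may exist on an enclosing block outside the hunk; if not, adding `when: hostvars[item]['nodepool']['public_ipv6']` to the task matches the ipv4 tasks. The same applies to the ipv6 hunk at line 92 of persistent-firewall.yaml.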
@@ -75,7 +75,7 @@
 - name: Validate ipv4 bridge firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -d {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -j ACCEPT' in iptables_rules.stdout"
+ - "'-A INPUT -s ' + bridge_address_prefix + '.0/' + bridge_address_subnet | string + ' -d ' + bridge_address_prefix + '.0/' + bridge_address_subnet | string + ' -j ACCEPT' in iptables_rules.stdout"
 with_items: "{{ groups['all'] }}"
 # ipv6_addresses is set by the multi-node-firewall role
@@ -92,5 +92,5 @@
 - name: Validate ipv6 firewall configuration
 assert:
 that:
- - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
+ - "'-A INPUT -s ' + hostvars[item]['nodepool']['public_ipv6'] + '/128 -j ACCEPT' in ip6tables_rules.stdout"
 with_items: "{{ groups['all'] }}"
diff --git a/test-playbooks/rust/ensure-rust.yaml b/test-playbooks/rust/ensure-rust.yaml
index 26bb42254..59d988fa1 100644
--- a/test-playbooks/rust/ensure-rust.yaml
+++ b/test-playbooks/rust/ensure-rust.yaml
@@ -35,6 +35,8 @@
 state: present
 loop:
 - build-essential
+ # pkg-config appears to be explicitly needed on Ubuntu Noble
+ - pkg-config
 - libssl-dev
 - libffi-dev
 - python3-dev
@@ -44,4 +46,7 @@
 shell: |
 python3 -m venv ./venv
 ./venv/bin/pip install --upgrade pip
+ # Python cryptography relies on a working Rust toolchain to build
+ # from source. We set the --no-binary flag to ensure cryptography
+ # is built rather than installed via an upstream wheel
 ./venv/bin/pip install cryptography --no-binary cryptography
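Review bot: The bridge assertion in persistent-firewall.yaml (hunk at line 75) depends on Jinja applying `| string` before `+`, which is correct but easy to misread as casting the whole concatenation to its left. Parenthesising both occurrences as `(bridge_address_subnet | string)` makes the intent explicit, so a later edit cannot shift the filter onto a larger sub-expression and change which rule string the firewall check looks for. The expression never references `item`, so the `with_items` on this task appears to repeat the same check once per host.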