feat: Ubuntu noble

[mattwillsher]

Enhancement:

• Added Ubuntu 24.04/Noble support
• Removed CentOS 6 & 8 tests due to them being EOL
• Fix a bunch of test issues

Reason:

Result:

Issue Tracker Tickets (Jira or BZ if any):

[mattwillsher]

Hi @Jakuje

Current failure is down to the sockets systemd unit file. Ubuntu 24.04 default is:

[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=22
Accept=no
FreeBind=yes

[Install]
WantedBy=sockets.target
RequiredBy=ssh.service

Our template is

[Unit]
Description=OpenBSD Secure Shell server socket
Documentation=man:sshd(8) man:sshd_config(5)
{% if __sshd_socket_accept %}
Conflicts={{ sshd_service }}.service
{% else %}
Before=sockets.target
{% endif %}

[Socket]
ListenStream=22
{% if __sshd_socket_accept %}
Accept=yes
{% else %}
Accept=no
{% endif %}

[Install]
WantedBy=sockets.target

Options I can see are:

• Add conditions for Ubuntu 24.04 to the template
• Convert code to clone vendor provided sshd.socket and use lineinfile to replace the ones we want to control
• Generate a systemd override file rather than shadowing the entire file - I've only had a cursory look at this, so maybe this isn't a viable option?

What are your thoughts?

(P.S. No more PRs. the misspelling of noble on the branch was annoying me and source branch can't be changed on a PR)

[Jakuje]

Hi @Jakuje

Current failure is down to the sockets systemd unit file. Ubuntu 24.04 default is:

Thank you for having a look into this!

[Unit]
Description=OpenBSD Secure Shell server socket
Before=sockets.target ssh.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Socket]
ListenStream=22
Accept=no
FreeBind=yes

[Install]
WantedBy=sockets.target
RequiredBy=ssh.service

I am wondering how it even works ... Its already some time since I was maintaining the OpenSSH, but this sounds like both ssh.service and ssh.socket is enabled which in the past caused random failures (whether systemd or openssh got hold of the port 22 first). But this seems to be solved by ordering the socket first with RequiredBy and also the FreeBind which will allow binding to the addresses that are not up yet ...

Our template is

[Unit]
Description=OpenBSD Secure Shell server socket
Documentation=man:sshd(8) man:sshd_config(5)
{% if __sshd_socket_accept %}
Conflicts={{ sshd_service }}.service
{% else %}
Before=sockets.target
{% endif %}

[Socket]
ListenStream=22
{% if __sshd_socket_accept %}
Accept=yes
{% else %}
Accept=no
{% endif %}

[Install]
WantedBy=sockets.target

Options I can see are:

* Add conditions for Ubuntu 24.04 to the template

I think that would be preferred. If I see right, we need ConditionPathExists, RequiredBy, FreeBind as well as adjusting the Before.

* Convert code to clone vendor provided sshd.socket and use lineinfile to replace the ones we want to control

This could do as we are writing the files in /etc/ and the systemd has the package-installed service files in /usr/lib/systemd/system/ssh.service. But we would have to depend on these being intact on the target system, which is something I wanted to avoid by keeping the results independent on the potentially/partially broken systems.

* Generate a systemd override file rather than shadowing the entire file - I've only had a cursory look at this, so maybe this isn't a viable option?

The override works ok when we want to modify some features in existing service, but if we want to set up separate sshd service with different name and different configuration, we still need to generate the full unit file anyway (I think). So we would need to have to implement both options anyway.

[Jakuje]

Regarding the CentOS 8, I got roles-ansible/check-ansible-centos-centos8-action#7 merged so it should keep working with the archive repositories. Certainly not for production use, but it should be good enough for CI use.

Your PR for the ubuntu was also merged to the actions so you can revert that / drop that patch too when you will be doing next changes.

[mattwillsher]

@Jakuje I think this is about there. I've disable the tests for the [email protected] as 24.04 doesn't have the file in it's package. Please review.

[Jakuje]

lgtm!