ci: add SUSE/openSUSE support and fix test compatibility

README.md

@@ -11,6 +11,7 @@ supported by ansible. The role was tested on:
 
 * RHEL/CentOS 6, 7, 8, 9, 10
 * Fedora
+* SUSE/openSUSE
 * Debian
 * Ubuntu
 

meta/main.yml

@@ -44,6 +44,7 @@ galaxy_info:
     - el9
     - el10
     - fedora
+    - leap
     - networking
     - openssh
     - redhat

tests/tasks/setup.yml

@@ -20,7 +20,7 @@
   vars:
     __ssh_test_packages: >-
       {{
-        "openssh-clients" if ansible_facts['os_family'] == 'RedHat'
+        "openssh-clients" if ansible_facts['os_family'] in ['RedHat', 'Suse']
         else "openssh-client"
       }}
   package:
@@ -41,7 +41,8 @@
     main_ssh_config_name: 00-ansible.conf
     main_ssh_config_path: /etc/ssh/ssh_config.d/
   when:
-    - (ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['os_family'] == 'Suse' or
+      (ansible_facts['os_family'] == 'RedHat'
         and ansible_facts['distribution_major_version'] | int >= 8) or
       (ansible_facts['distribution'] == 'Ubuntu'
         and ansible_facts['distribution_major_version'] | int >= 20)

tests/tests_additional_packages.yml

@@ -9,6 +9,8 @@
         openssh-ldap
       {% elif ansible_facts['os_family'] == 'RedHat' %}
         openssh-keycat
+      {% elif ansible_facts['os_family'] == 'Suse' %}
+        openssh-helpers
       {% else %}
         openssh-tests
       {% endif %}

tests/tests_all_options.yml

@@ -22,7 +22,7 @@
       set_fact:
         ssh_test_package: openssh-client
       when: >
-        ansible_facts['os_family'] != 'RedHat'
+        ansible_facts['os_family'] not in ['RedHat', 'Suse']
 
     - name: Determine if system is ostree and set flag
       when: not __ssh_is_ostree is defined
@@ -67,6 +67,16 @@
         use: "{{ (__ssh_is_ostree | d(false)) |
                  ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 
+    - name: Check if ssh_config man page is available
+      command: man -w ssh_config
+      register: __ssh_man_check
+      failed_when: false
+      changed_when: false
+
+    - name: Skip if ssh_config man page is not available
+      meta: end_host
+      when: __ssh_man_check.rc != 0
+
     - name: Get list of options from manual page
       shell: >-
         set -o pipefail && man ssh_config \

tests/tests_custom_drop_in.yml

@@ -10,7 +10,8 @@
     - name: Skip if the system does not support drop in directory
       meta: end_host
       when:
-        - ansible_facts['distribution'] != 'Fedora' and
+        - ansible_facts['os_family'] != 'Suse' and
+          ansible_facts['distribution'] != 'Fedora' and
           not (ansible_facts['distribution'] in ['RedHat','CentOS'] and
                ansible_facts['distribution_version'] | int >= 8) and
           not (ansible_facts['distribution'] in ['Ubuntu'] and

tests/tests_global_config_mode.yml

@@ -6,6 +6,10 @@
     __ssh_test_backup_files:
       - /etc/ssh/ssh_config.d/00-ansible.conf
       - /etc/ssh/ssh_config
+        # SUSE Minimal VM images do not have the daemon user
+    __ssh_test_owner: >-
+      {{ 'nobody' if ansible_facts['os_family'] == 'Suse'
+         else 'daemon' }}
 
   tasks:
     - name: Backup configuration files
@@ -19,8 +23,8 @@
           Compression: true
           GSSAPIAuthentication: false
         # bad example
-        ssh_config_owner: daemon
-        ssh_config_group: daemon
+        ssh_config_owner: "{{ __ssh_test_owner }}"
+        ssh_config_group: "{{ __ssh_test_owner }}"
         ssh_config_mode: 600
 
     - name: Verify the configuration file was created with right content
@@ -46,8 +50,8 @@
           assert:
             that:
               - config_mode.stat.exists
-              - config_mode.stat.gr_name == 'daemon'
-              - config_mode.stat.pw_name == 'daemon'
+              - config_mode.stat.gr_name == __ssh_test_owner
+              - config_mode.stat.pw_name == __ssh_test_owner
               - config_mode.stat.mode == '0600'
 
     - name: Restore configuration files

tests/tests_global_drop_in.yml

@@ -11,7 +11,8 @@
     - name: Skip if the system does not support drop in directory
       meta: end_host
       when:
-        - ansible_facts['distribution'] != 'Fedora' and
+        - ansible_facts['os_family'] != 'Suse' and
+          ansible_facts['distribution'] != 'Fedora' and
           not (ansible_facts['distribution'] in ['RedHat','CentOS'] and
                ansible_facts['distribution_version'] | int >= 8)
 
@@ -56,10 +57,16 @@
               - "'Include' not in config.content | b64decode"
               - "'SendEnv' not in config.content | b64decode"
 
+        - name: Check if main configuration file exists
+          stat:
+            path: "/etc/ssh/ssh_config"
+          register: global_config_stat
+
         - name: Download the main configuration file too
           slurp:
             src: "/etc/ssh/ssh_config"
           register: global_config
+          when: global_config_stat.stat.exists
 
         - name: Verify the options are NOT in the global configuration file
           assert:
@@ -69,6 +76,7 @@
               - "'User somebody' not in content"
           vars:
             content: "{{ global_config.content | b64decode }}"
+          when: global_config_stat.stat.exists
 
         - name: Verify the file has default sensible permissions
           assert:

tests/tests_global_drop_in_role.yml

@@ -29,7 +29,8 @@
     - name: Skip if the system does not support drop in directory
       meta: end_host
       when:
-        - ansible_facts['distribution'] != 'Fedora' and
+        - ansible_facts['os_family'] != 'Suse' and
+          ansible_facts['distribution'] != 'Fedora' and
           not (ansible_facts['distribution'] in ['RedHat','CentOS'] and
                ansible_facts['distribution_version'] | int >= 8)
 
@@ -59,10 +60,16 @@
               - "'Include' not in config.content | b64decode"
               - "'SendEnv' not in config.content | b64decode"
 
+        - name: Check if main configuration file exists
+          stat:
+            path: "/etc/ssh/ssh_config"
+          register: global_config_stat
+
         - name: Download the main configuration file too
           slurp:
             src: "/etc/ssh/ssh_config"
           register: global_config
+          when: global_config_stat.stat.exists
 
         - name: Verify the options are NOT in the global configuration file
           assert:
@@ -72,6 +79,7 @@
               - "'User somebody' not in content"
           vars:
             content: "{{ global_config.content | b64decode }}"
+          when: global_config_stat.stat.exists
 
         - name: Verify the file has default sensible permissions
           assert:

tests/tests_no_skip_defaults.yml

@@ -9,7 +9,8 @@
     __ssh_test_option: >-
       {% if ansible_facts['os_family'] in ['Ubuntu', 'Debian'] %}
         HashKnownHosts yes
-      {% elif ansible_facts['distribution'] == 'Fedora' or
+      {% elif ansible_facts['os_family'] == 'Suse' or
+           ansible_facts['distribution'] == 'Fedora' or
            (ansible_facts['distribution'] in ['RedHat', 'CentOS'] and
             ansible_facts['distribution_version'] | int >= 8) %}
         Include /etc/ssh/ssh_config.d/*.conf

tests/tests_regenerate_defaults.yml

@@ -13,6 +13,15 @@
         - ansible_facts['distribution'] in ['CentOS', 'RedHat'] and
           ansible_facts['distribution_version'] | int < 7
 
+    # SUSE uses /usr/etc/ssh/ssh_config as vendor config with settings
+    # beyond what __ssh_defaults provides (ForwardX11Trusted, SendEnv,
+    # etc). The role cannot regenerate the vendor config identically,
+    # and should use drop-in configs on SUSE instead.
+    - name: SUSE vendor config cannot be regenerated by the role
+      meta: end_host
+      when:
+        - ansible_facts['os_family'] == 'Suse'
+
     - name: Backup configuration files
       include_tasks: tasks/backup.yml
 

tests/tests_user_config.yml

@@ -118,10 +118,16 @@
             - ansible_facts['distribution'] not in ['CentOS', 'RedHat'] or
               ansible_facts['distribution_version'] | int > 6
 
+        - name: Check if global configuration file exists
+          stat:
+            path: /etc/ssh/ssh_config
+          register: global_config_stat
+
         - name: Download the global configuration files too
           slurp:
             src: /etc/ssh/ssh_config
           register: global_config
+          when: global_config_stat.stat.exists
 
         - name: Verify the options are NOT in the global configuration file
           assert:
@@ -132,6 +138,7 @@
               - "'User somebody' not in content"
           vars:
             content: "{{ global_config.content | b64decode }}"
+          when: global_config_stat.stat.exists
 
     - name: Restore configuration files
       include_tasks: tasks/restore.yml